1. 25 8月, 2017 2 次提交
    • S
      md/raid5: release/flush io in raid5_do_work() · 9c72a18e
      Song Liu 提交于
      In raid5, there are scenarios where some ios are deferred to a later
      time, and some IO need a flush to complete. To make sure we make
      progress with these IOs, we need to call the following functions:
      
          flush_deferred_bios(conf);
          r5l_flush_stripe_to_raid(conf->log);
      
      Both of these functions are called in raid5d(), but missing in
      raid5_do_work(). As a result, these functions are not called
      when multi-threading (group_thread_cnt > 0) is enabled. This patch
      adds calls to these function to raid5_do_work().
      
      Note for stable branches:
      
        r5l_flush_stripe_to_raid(conf->log) is need for 4.4+
        flush_deferred_bios(conf) is only needed for 4.11+
      
      Cc: stable@vger.kernel.org (4.4+)
      Signed-off-by: NSong Liu <songliubraving@fb.com>
      Signed-off-by: NShaohua Li <shli@fb.com>
      9c72a18e
    • S
      md/bitmap: copy correct data for bitmap super · 8031c3dd
      Shaohua Li 提交于
      raid5 cache could write bitmap superblock before bitmap superblock is
      initialized. The bitmap superblock is less than 512B. The current code will
      only copy the superblock to a new page and write the whole 512B, which will
      zero the the data after the superblock. Unfortunately the data could include
      bitmap, which we should preserve. The patch will make superblock read do 4k
      chunk and we always copy the 4k data to new page, so the superblock write will
      old data to disk and we don't change the bitmap.
      Reported-by: NSong Liu <songliubraving@fb.com>
      Reviewed-by: NSong Liu <songliubraving@fb.com>
      Cc: stable@vger.kernel.org (4.10+)
      Signed-off-by: NShaohua Li <shli@fb.com>
      8031c3dd
  2. 24 8月, 2017 1 次提交
    • L
      Revert "pty: fix the cached path of the pty slave file descriptor in the master" · 143c97cc
      Linus Torvalds 提交于
      This reverts commit c8c03f18.
      
      It turns out that while fixing the ptmx file descriptor to have the
      correct 'struct path' to the associated slave pty is a really good
      thing, it breaks some user space tools for a very annoying reason.
      
      The problem is that /dev/ptmx and its associated slave pty (/dev/pts/X)
      are on different mounts.  That was what caused us to have the wrong path
      in the first place (we would mix up the vfsmount of the 'ptmx' node,
      with the dentry of the pty slave node), but it also means that now while
      we use the right vfsmount, having the pty master open also keeps the pts
      mount busy.
      
      And it turn sout that that makes 'pbuilder' very unhappy, as noted by
      Stefan Lippers-Hollmann:
      
       "This patch introduces a regression for me when using pbuilder
        0.228.7[2] (a helper to build Debian packages in a chroot and to
        create and update its chroots) when trying to umount /dev/ptmx (inside
        the chroot) on Debian/ unstable (full log and pbuilder configuration
        file[3] attached).
      
        [...]
        Setting up build-essential (12.3) ...
        Processing triggers for libc-bin (2.24-15) ...
        I: unmounting dev/ptmx filesystem
        W: Could not unmount dev/ptmx: umount: /var/cache/pbuilder/build/1340/dev/ptmx: target is busy
                (In some cases useful info about processes that
                 use the device is found by lsof(8) or fuser(1).)"
      
      apparently pbuilder tries to unmount the /dev/pts filesystem while still
      holding at least one master node open, which is arguably not very nice,
      but we don't break user space even when fixing other bugs.
      
      So this commit has to be reverted.
      
      I'll try to figure out a way to avoid caching the path to the slave pty
      in the master pty.  The only thing that actually wants that slave pty
      path is the "TIOCGPTPEER" ioctl, and I think we could just recreate the
      path at that time.
      Reported-by: NStefan Lippers-Hollmann <s.l-h@gmx.de>
      Cc: Eric W Biederman <ebiederm@xmission.com>
      Cc: Christian Brauner <christian.brauner@canonical.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      143c97cc
  3. 22 8月, 2017 1 次提交
  4. 21 8月, 2017 1 次提交
  5. 19 8月, 2017 5 次提交
    • H
      net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled · ca3d89a3
      Huy Nguyen 提交于
      enable_4k_uar module parameter was added in patch cited below to
      address the backward compatibility issue in SRIOV when the VM has
      system's PAGE_SIZE uar implementation and the Hypervisor has 4k uar
      implementation.
      
      The above compatibility issue does not exist in the non SRIOV case.
      In this patch, we always enable 4k uar implementation if SRIOV
      is not enabled on mlx4's supported cards.
      
      Fixes: 76e39ccf ("net/mlx4_core: Fix backward compatibility on VFs")
      Signed-off-by: NHuy Nguyen <huyn@mellanox.com>
      Reviewed-by: NDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: NSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ca3d89a3
    • T
      PCI: Allow PCI express root ports to find themselves · b6f6d56c
      Thierry Reding 提交于
      If the pci_find_pcie_root_port() function is called on a root port
      itself, return the root port rather than NULL.
      
      This effectively reverts commit 0e405232 ("PCI: fix oops when
      try to find Root Port for a PCI device") which added an extra check
      that would now be redundant.
      
      Fixes: a99b646a ("PCI: Disable PCIe Relaxed Ordering if unsupported")
      Fixes: c56d4450 ("PCI: Turn off Request Attributes to avoid Chelsio T5 Completion erratum")
      Signed-off-by: NThierry Reding <treding@nvidia.com>
      Acked-by: NBjorn Helgaas <bhelgaas@google.com>
      Tested-by: NShawn Lin <shawn.lin@rock-chips.com>
      Tested-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b6f6d56c
    • E
      tun: handle register_netdevice() failures properly · ff244c6b
      Eric Dumazet 提交于
      syzkaller reported a double free [1], caused by the fact
      that tun driver was not updated properly when priv_destructor
      was added.
      
      When/if register_netdevice() fails, priv_destructor() must have been
      called already.
      
      [1]
      BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x15/0x20 security/selinux/hooks.c:5023
      
      CPU: 0 PID: 2919 Comm: syzkaller227220 Not tainted 4.13.0-rc4+ #23
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:16 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:52
       print_address_description+0x7f/0x260 mm/kasan/report.c:252
       kasan_report_double_free+0x55/0x80 mm/kasan/report.c:333
       kasan_slab_free+0xa0/0xc0 mm/kasan/kasan.c:514
       __cache_free mm/slab.c:3503 [inline]
       kfree+0xd3/0x260 mm/slab.c:3820
       selinux_tun_dev_free_security+0x15/0x20 security/selinux/hooks.c:5023
       security_tun_dev_free_security+0x48/0x80 security/security.c:1512
       tun_set_iff drivers/net/tun.c:1884 [inline]
       __tun_chr_ioctl+0x2ce6/0x3d50 drivers/net/tun.c:2064
       tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2309
       vfs_ioctl fs/ioctl.c:45 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:685
       SYSC_ioctl fs/ioctl.c:700 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      RIP: 0033:0x443ff9
      RSP: 002b:00007ffc34271f68 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443ff9
      RDX: 0000000020533000 RSI: 00000000400454ca RDI: 0000000000000003
      RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401ce0
      R13: 0000000000401d70 R14: 0000000000000000 R15: 0000000000000000
      
      Allocated by task 2919:
       save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
       save_stack+0x43/0xd0 mm/kasan/kasan.c:447
       set_track mm/kasan/kasan.c:459 [inline]
       kasan_kmalloc+0xaa/0xd0 mm/kasan/kasan.c:551
       kmem_cache_alloc_trace+0x101/0x6f0 mm/slab.c:3627
       kmalloc include/linux/slab.h:493 [inline]
       kzalloc include/linux/slab.h:666 [inline]
       selinux_tun_dev_alloc_security+0x49/0x170 security/selinux/hooks.c:5012
       security_tun_dev_alloc_security+0x6d/0xa0 security/security.c:1506
       tun_set_iff drivers/net/tun.c:1839 [inline]
       __tun_chr_ioctl+0x1730/0x3d50 drivers/net/tun.c:2064
       tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2309
       vfs_ioctl fs/ioctl.c:45 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:685
       SYSC_ioctl fs/ioctl.c:700 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      
      Freed by task 2919:
       save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
       save_stack+0x43/0xd0 mm/kasan/kasan.c:447
       set_track mm/kasan/kasan.c:459 [inline]
       kasan_slab_free+0x6e/0xc0 mm/kasan/kasan.c:524
       __cache_free mm/slab.c:3503 [inline]
       kfree+0xd3/0x260 mm/slab.c:3820
       selinux_tun_dev_free_security+0x15/0x20 security/selinux/hooks.c:5023
       security_tun_dev_free_security+0x48/0x80 security/security.c:1512
       tun_free_netdev+0x13b/0x1b0 drivers/net/tun.c:1563
       register_netdevice+0x8d0/0xee0 net/core/dev.c:7605
       tun_set_iff drivers/net/tun.c:1859 [inline]
       __tun_chr_ioctl+0x1caf/0x3d50 drivers/net/tun.c:2064
       tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2309
       vfs_ioctl fs/ioctl.c:45 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:685
       SYSC_ioctl fs/ioctl.c:700 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
       entry_SYSCALL_64_fastpath+0x1f/0xbe
      
      The buggy address belongs to the object at ffff8801d2843b40
       which belongs to the cache kmalloc-32 of size 32
      The buggy address is located 0 bytes inside of
       32-byte region [ffff8801d2843b40, ffff8801d2843b60)
      The buggy address belongs to the page:
      page:ffffea000660cea8 count:1 mapcount:0 mapping:ffff8801d2843000 index:0xffff8801d2843fc1
      flags: 0x200000000000100(slab)
      raw: 0200000000000100 ffff8801d2843000 ffff8801d2843fc1 000000010000003f
      raw: ffffea0006626a40 ffffea00066141a0 ffff8801dbc00100
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8801d2843a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
       ffff8801d2843a80: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
      >ffff8801d2843b00: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
                                                 ^
       ffff8801d2843b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
       ffff8801d2843c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
      
      ==================================================================
      
      Fixes: cf124db5 ("net: Fix inconsistent teardown and release of private netdev state.")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      ff244c6b
    • C
      netxen: fix incorrect loop counter decrement · a120d9ab
      Colin Ian King 提交于
      The loop counter k is currently being decremented from zero which
      is incorrect. Fix this by incrementing k instead
      
      Detected by CoverityScan, CID#401847 ("Infinite loop")
      
      Fixes: 83f18a55 ("netxen_nic: fw dump support")
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a120d9ab
    • C
      nfp: fix infinite loop on umapping cleanup · eac2c68d
      Colin Ian King 提交于
      The while loop that performs the dma page unmapping never decrements
      index counter f and hence loops forever. Fix this with a pre-decrement
      on f.
      
      Detected by CoverityScan, CID#1357309 ("Infinite loop")
      
      Fixes: 4c352362 ("net: add driver for Netronome NFP4000/NFP6000 NIC VFs")
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Acked-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      eac2c68d
  6. 18 8月, 2017 4 次提交
    • D
      soc: ti: ti_sci_pm_domains: Populate name for genpd · 4dd6a997
      Dave Gerlach 提交于
      Commit b6a1d093 ("PM / Domains: Extend generic power domain
      debugfs") now creates a debugfs directory for each genpd based on the
      name of the genpd. Currently no name is given to the genpd created by
      ti_sci_pm_domains driver so because of this we see a NULL pointer
      dereferences when it is accessed on boot when the debugfs entry creation
      is attempted.
      
      Give the genpd a name before registering it to avoid this.
      
      Fixes: 52835d59 ("soc: ti: Add ti_sci_pm_domains driver")
      Signed-off-by: NDave Gerlach <d-gerlach@ti.com>
      Signed-off-by: NSantosh Shilimkar <ssantosh@kernel.org>
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      4dd6a997
    • K
      nvme-pci: set cqe_seen on polled completions · e9d8a0fd
      Keith Busch 提交于
      Fixes: 920d13a8 ("nvme-pci: factor out the cqe reading mechanics from __nvme_process_cq")
      Reported-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NKeith Busch <keith.busch@intel.com>
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      e9d8a0fd
    • C
      nvme-fabrics: fix reporting of unrecognized options · 81a0b8d7
      Christoph Hellwig 提交于
      Only print the specified options that are not recognized, instead
      of the whole list of options.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Reviewed-by: NMax Gurtovoy <maxg@mellanox.com>
      81a0b8d7
    • L
      pty: fix the cached path of the pty slave file descriptor in the master · c8c03f18
      Linus Torvalds 提交于
      Christian Brauner reported that if you use the TIOCGPTPEER ioctl() to
      get a slave pty file descriptor, the resulting file descriptor doesn't
      look right in /proc/<pid>/fd/<fd>.  In particular, he wanted to use
      readlink() on /proc/self/fd/<fd> to get the pathname of the slave pty
      (basically implementing "ptsname{_r}()").
      
      The reason for that was that we had generated the wrong 'struct path'
      when we create the pty in ptmx_open().
      
      In particular, the dentry was correct, but the vfsmount pointed to the
      mount of the ptmx node. That _can_ be correct - in case you use
      "/dev/pts/ptmx" to open the master - but usually is not.  The normal
      case is to use /dev/ptmx, which then looks up the pts/ directory, and
      then the vfsmount of the ptmx node is obviously the /dev directory, not
      the /dev/pts/ directory.
      
      We actually did have the right vfsmount available, but in the wrong
      place (it gets looked up in 'devpts_acquire()' when we get a reference
      to the pts filesystem), and so ptmx_open() used the wrong mnt pointer.
      
      The end result of this confusion was that the pty worked fine, but when
      if you did TIOCGPTPEER to get the slave side of the pty, end end result
      would also work, but have that dodgy 'struct path'.
      
      And then when doing "d_path()" on to get the pathname, the vfsmount
      would not match the root of the pts directory, and d_path() would return
      an empty pathname thinking that the entry had escaped a bind mount into
      another mount.
      
      This fixes the problem by making devpts_acquire() return the vfsmount
      for the pts filesystem, allowing ptmx_open() to trivially just use the
      right mount for the pts dentry, and create the proper 'struct path'.
      Reported-by: NChristian Brauner <christian.brauner@ubuntu.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Acked-by: NEric Biederman <ebiederm@xmission.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      c8c03f18
  7. 17 8月, 2017 9 次提交
  8. 16 8月, 2017 15 次提交
  9. 15 8月, 2017 2 次提交
    • M
      xen-blkfront: use a right index when checking requests · b15bd8cb
      Munehisa Kamata 提交于
      Since commit d05d7f40 ("Merge branch 'for-4.8/core' of
      git://git.kernel.dk/linux-block") and 3fc9d690 ("Merge branch
      'for-4.8/drivers' of git://git.kernel.dk/linux-block"), blkfront_resume()
      has been using an index for iterating ring_info to check request when
      iterating blk_shadow in an inner loop. This seems to have been
      accidentally introduced during the massive rewrite of the block layer
      macros in the commits.
      
      This may cause crash like this:
      
      [11798.057074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
      [11798.058832] IP: [<ffffffff814411fa>] blkfront_resume+0x10a/0x610
      ....
      [11798.061063] Call Trace:
      [11798.061063]  [<ffffffff8139ce93>] xenbus_dev_resume+0x53/0x140
      [11798.061063]  [<ffffffff8139ce40>] ? xenbus_dev_probe+0x150/0x150
      [11798.061063]  [<ffffffff813f359e>] dpm_run_callback+0x3e/0x110
      [11798.061063]  [<ffffffff813f3a08>] device_resume+0x88/0x190
      [11798.061063]  [<ffffffff813f4cc0>] dpm_resume+0x100/0x2d0
      [11798.061063]  [<ffffffff813f5221>] dpm_resume_end+0x11/0x20
      [11798.061063]  [<ffffffff813950a8>] do_suspend+0xe8/0x1a0
      [11798.061063]  [<ffffffff813954bd>] shutdown_handler+0xfd/0x130
      [11798.061063]  [<ffffffff8139aba0>] ? split+0x110/0x110
      [11798.061063]  [<ffffffff8139ac26>] xenwatch_thread+0x86/0x120
      [11798.061063]  [<ffffffff810b4570>] ? prepare_to_wait_event+0x110/0x110
      [11798.061063]  [<ffffffff8108fe57>] kthread+0xd7/0xf0
      [11798.061063]  [<ffffffff811da811>] ? kfree+0x121/0x170
      [11798.061063]  [<ffffffff8108fd80>] ? kthread_park+0x60/0x60
      [11798.061063]  [<ffffffff810863b0>] ?  call_usermodehelper_exec_work+0xb0/0xb0
      [11798.061063]  [<ffffffff810864ea>] ?  call_usermodehelper_exec_async+0x13a/0x140
      [11798.061063]  [<ffffffff81534a45>] ret_from_fork+0x25/0x30
      
      Use the right index in the inner loop.
      
      Fixes: d05d7f40 ("Merge branch 'for-4.8/core' of git://git.kernel.dk/linux-block")
      Fixes: 3fc9d690 ("Merge branch 'for-4.8/drivers' of git://git.kernel.dk/linux-block")
      Signed-off-by: NMunehisa Kamata <kamatam@amazon.com>
      Reviewed-by: NThomas Friebel <friebelt@amazon.de>
      Reviewed-by: NEduardo Valentin <eduval@amazon.com>
      Reviewed-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: NRoger Pau Monne <roger.pau@citrix.com>
      Cc: xen-devel@lists.xenproject.org
      Cc: stable@vger.kernel.org
      Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      b15bd8cb
    • R
      xen: fix bio vec merging · 462cdace
      Roger Pau Monne 提交于
      The current test for bio vec merging is not fully accurate and can be
      tricked into merging bios when certain grant combinations are used.
      The result of these malicious bio merges is a bio that extends past
      the memory page used by any of the originating bios.
      
      Take into account the following scenario, where a guest creates two
      grant references that point to the same mfn, ie: grant 1 -> mfn A,
      grant 2 -> mfn A.
      
      These references are then used in a PV block request, and mapped by
      the backend domain, thus obtaining two different pfns that point to
      the same mfn, pfn B -> mfn A, pfn C -> mfn A.
      
      If those grants happen to be used in two consecutive sectors of a disk
      IO operation becoming two different bios in the backend domain, the
      checks in xen_biovec_phys_mergeable will succeed, because bfn1 == bfn2
      (they both point to the same mfn). However due to the bio merging,
      the backend domain will end up with a bio that expands past mfn A into
      mfn A + 1.
      
      Fix this by making sure the check in xen_biovec_phys_mergeable takes
      into account the offset and the length of the bio, this basically
      replicates whats done in __BIOVEC_PHYS_MERGEABLE using mfns (bus
      addresses). While there also remove the usage of
      __BIOVEC_PHYS_MERGEABLE, since that's already checked by the callers
      of xen_biovec_phys_mergeable.
      
      CC: stable@vger.kernel.org
      Reported-by: N"Jan H. Schönherr" <jschoenh@amazon.de>
      Signed-off-by: NRoger Pau Monné <roger.pau@citrix.com>
      Reviewed-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      462cdace