1. 18 5月, 2018 1 次提交
  2. 12 2月, 2018 1 次提交
    • L
      vfs: do bulk POLL* -> EPOLL* replacement · a9a08845
      Linus Torvalds 提交于
      This is the mindless scripted replacement of kernel use of POLL*
      variables as described by Al, done by this script:
      
          for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
              L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
              for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
          done
      
      with de-mangling cleanups yet to come.
      
      NOTE! On almost all architectures, the EPOLL* constants have the same
      values as the POLL* constants do.  But they keyword here is "almost".
      For various bad reasons they aren't the same, and epoll() doesn't
      actually work quite correctly in some cases due to this on Sparc et al.
      
      The next patch from Al will sort out the final differences, and we
      should be all done.
      Scripted-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a9a08845
  3. 29 11月, 2017 2 次提交
  4. 11 11月, 2017 1 次提交
  5. 18 10月, 2017 1 次提交
  6. 16 9月, 2017 2 次提交
  7. 26 8月, 2017 1 次提交
  8. 25 8月, 2017 2 次提交
  9. 23 8月, 2017 1 次提交
  10. 27 7月, 2017 1 次提交
  11. 18 7月, 2017 1 次提交
  12. 13 7月, 2017 1 次提交
  13. 21 6月, 2017 1 次提交
    • B
      block: Make most scsi_req_init() calls implicit · ca18d6f7
      Bart Van Assche 提交于
      Instead of explicitly calling scsi_req_init() after blk_get_request(),
      call that function from inside blk_get_request(). Add an
      .initialize_rq_fn() callback function to the block drivers that need
      it. Merge the IDE .init_rq_fn() function into .initialize_rq_fn()
      because it is too small to keep it as a separate function. Keep the
      scsi_req_init() call in ide_prep_sense() because it follows a
      blk_rq_init() call.
      
      References: commit 82ed4db4 ("block: split scsi_request out of struct request")
      Signed-off-by: NBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Omar Sandoval <osandov@fb.com>
      Cc: Nicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      ca18d6f7
  14. 09 6月, 2017 1 次提交
    • C
      block: introduce new block status code type · 2a842aca
      Christoph Hellwig 提交于
      Currently we use nornal Linux errno values in the block layer, and while
      we accept any error a few have overloaded magic meanings.  This patch
      instead introduces a new  blk_status_t value that holds block layer specific
      status codes and explicitly explains their meaning.  Helpers to convert from
      and to the previous special meanings are provided for now, but I suspect
      we want to get rid of them in the long run - those drivers that have a
      errno input (e.g. networking) usually get errnos that don't know about
      the special block layer overloads, and similarly returning them to userspace
      will usually return somethings that strictly speaking isn't correct
      for file system operations, but that's left as an exercise for later.
      
      For now the set of errors is a very limited set that closely corresponds
      to the previous overloaded errno values, but there is some low hanging
      fruite to improve it.
      
      blk_status_t (ab)uses the sparse __bitwise annotations to allow for sparse
      typechecking, so that we can easily catch places passing the wrong values.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NJens Axboe <axboe@fb.com>
      2a842aca
  15. 12 5月, 2017 1 次提交
  16. 25 4月, 2017 1 次提交
  17. 21 4月, 2017 1 次提交
  18. 12 4月, 2017 6 次提交
  19. 06 4月, 2017 1 次提交
  20. 29 3月, 2017 1 次提交
  21. 17 3月, 2017 1 次提交
  22. 25 2月, 2017 1 次提交
  23. 20 2月, 2017 1 次提交
  24. 01 2月, 2017 1 次提交
    • C
      block: fold cmd_type into the REQ_OP_ space · aebf526b
      Christoph Hellwig 提交于
      Instead of keeping two levels of indirection for requests types, fold it
      all into the operations.  The little caveat here is that previously
      cmd_type only applied to struct request, while the request and bio op
      fields were set to plain REQ_OP_READ/WRITE even for passthrough
      operations.
      
      Instead this patch adds new REQ_OP_* for SCSI passthrough and driver
      private requests, althought it has to add two for each so that we
      can communicate the data in/out nature of the request.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NJens Axboe <axboe@fb.com>
      aebf526b
  25. 28 1月, 2017 1 次提交
  26. 23 12月, 2016 1 次提交
  27. 31 8月, 2016 2 次提交
    • P
      scsi: sg: Use mult_frac, drop MULDIV macro · f8630bd7
      Paul Burton 提交于
      The MULDIV macro is essentially a duplicate of the more standard
      mult_frac macro. Replace use of MULDIV with mult_frac & drop the
      duplication.
      Signed-off-by: NPaul Burton <paul.burton@imgtec.com>
      Acked-by: NDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      f8630bd7
    • P
      scsi: sg: Avoid overflow when USER_HZ > HZ · b9b6e80a
      Paul Burton 提交于
      Calculating the maximum timeout that a user can set via the
      SG_SET_TIMEOUT ioctl involves multiplying INT_MAX by USER_HZ/HZ. If
      USER_HZ is larger than HZ then this results in an overflow when
      performed as a 32 bit integer calculation, resulting in compiler
      warnings such as the following:
      
        drivers/scsi/sg.c: In function 'sg_ioctl':
        drivers/scsi/sg.c:91:67: warning: integer overflow in expression [-Woverflow]
         #define MULDIV(X,MUL,DIV) ((((X % DIV) * MUL) / DIV) + ((X / DIV) * MUL))
                                                                           ^
        drivers/scsi/sg.c:887:14: note: in expansion of macro 'MULDIV'
           if (val >= MULDIV (INT_MAX, USER_HZ, HZ))
                      ^
        drivers/scsi/sg.c:91:67: warning: integer overflow in expression [-Woverflow]
         #define MULDIV(X,MUL,DIV) ((((X % DIV) * MUL) / DIV) + ((X / DIV) * MUL))
                                                                           ^
        drivers/scsi/sg.c:888:13: note: in expansion of macro 'MULDIV'
               val = MULDIV (INT_MAX, USER_HZ, HZ);
                     ^
      
      Avoid this overflow by performing the (constant) arithmetic on 64 bit
      integers, which ensures that overflow from multiplying the 32 bit values
      cannot occur. When converting the result back to a 32 bit integer use
      min_t to ensure that we don't simply truncate a value beyond INT_MAX to
      a 32 bit integer, but instead use INT_MAX where the result was larger
      than it. As the values are all compile time constant the 64 bit
      arithmetic should have no runtime cost.
      Signed-off-by: NPaul Burton <paul.burton@imgtec.com>
      Acked-by: NDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      b9b6e80a
  28. 15 3月, 2016 1 次提交
    • D
      sg: fix dxferp in from_to case · f6a695cf
      Douglas Gilbert 提交于
      One of the strange things that the original sg driver did was let the
      user provide both a data-out buffer (it followed the sg_header+cdb)
      _and_ specify a reply length greater than zero. What happened was that
      the user data-out buffer was copied into some kernel buffers and then
      the mid level was told a read type operation would take place with the
      data from the device overwriting the same kernel buffers. The user would
      then read those kernel buffers back into the user space.
      
      From what I can tell, the above action was broken by commit fad7f01e
      ("sg: set dxferp to NULL for READ with the older SG interface") in 2008
      and syzkaller found that out recently.
      
      Make sure that a user space pointer is passed through when data follows
      the sg_header structure and command.  Fix the abnormal case when a
      non-zero reply_len is also given.
      
      Fixes: fad7f01e
      Cc: <stable@vger.kernel.org> #v2.6.28+
      Signed-off-by: NDouglas Gilbert <dgilbert@interlog.com>
      Reviewed-by: NEwan Milne <emilne@redhat.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      f6a695cf
  29. 10 3月, 2016 1 次提交
    • D
      sg: fix dxferp in from_to case · 5ecee0a3
      Douglas Gilbert 提交于
      One of the strange things that the original sg driver did was let the
      user provide both a data-out buffer (it followed the sg_header+cdb)
      _and_ specify a reply length greater than zero. What happened was that
      the user data-out buffer was copied into some kernel buffers and then
      the mid level was told a read type operation would take place with the
      data from the device overwriting the same kernel buffers. The user would
      then read those kernel buffers back into the user space.
      
      From what I can tell, the above action was broken by commit fad7f01e
      ("sg: set dxferp to NULL for READ with the older SG interface") in 2008
      and syzkaller found that out recently.
      
      Make sure that a user space pointer is passed through when data follows
      the sg_header structure and command.  Fix the abnormal case when a
      non-zero reply_len is also given.
      
      Fixes: fad7f01e
      Cc: <stable@vger.kernel.org> #v2.6.28+
      Signed-off-by: NDouglas Gilbert <dgilbert@interlog.com>
      Reviewed-by: NEwan Milne <emilne@redhat.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      5ecee0a3
  30. 04 2月, 2016 1 次提交
    • K
      drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration · 461c7fa1
      Kirill A. Shutemov 提交于
      Reduced testcase:
      
          #include <fcntl.h>
          #include <unistd.h>
          #include <sys/mman.h>
          #include <numaif.h>
      
          #define SIZE 0x2000
      
          int main()
          {
              int fd;
              void *p;
      
              fd = open("/dev/sg0", O_RDWR);
              p = mmap(NULL, SIZE, PROT_EXEC, MAP_PRIVATE | MAP_LOCKED, fd, 0);
              mbind(p, SIZE, 0, NULL, 0, MPOL_MF_MOVE);
              return 0;
          }
      
      We shouldn't try to migrate pages in sg VMA as we don't have a way to
      update Sg_scatter_hold::pages accordingly from mm core.
      
      Let's mark the VMA as VM_IO to indicate to mm core that the VMA is not
      migratable.
      Signed-off-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Acked-by: NVlastimil Babka <vbabka@suse.cz>
      Cc: Doug Gilbert <dgilbert@interlog.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Shiraz Hashim <shashim@codeaurora.org>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Cc: syzkaller <syzkaller@googlegroups.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      461c7fa1
  31. 03 11月, 2015 1 次提交
    • C
      sg: Fix double-free when drives detach during SG_IO · f3951a37
      Calvin Owens 提交于
      In sg_common_write(), we free the block request and return -ENODEV if
      the device is detached in the middle of the SG_IO ioctl().
      
      Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
      end up freeing rq->cmd in the already free rq object, and then free
      the object itself out from under the current user.
      
      This ends up corrupting random memory via the list_head on the rq
      object. The most common crash trace I saw is this:
      
        ------------[ cut here ]------------
        kernel BUG at block/blk-core.c:1420!
        Call Trace:
        [<ffffffff81281eab>] blk_put_request+0x5b/0x80
        [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
        [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
        [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
        [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
        [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
        [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
        [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
        [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
        [<ffffffff81602afb>] tracesys+0xdd/0xe2
          RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
      
      The solution is straightforward: just set srp->rq to NULL in the
      failure branch so that sg_finish_rem_req() doesn't attempt to re-free
      it.
      
      Additionally, since sg_rq_end_io() will never be called on the object
      when this happens, we need to free memory backing ->cmd if it isn't
      embedded in the object itself.
      
      KASAN was extremely helpful in finding the root cause of this bug.
      Signed-off-by: NCalvin Owens <calvinowens@fb.com>
      Acked-by: NDouglas Gilbert <dgilbert@interlog.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      f3951a37