1. 01 Sep, 2016 10 commits
  2. 31 Aug, 2016 2 commits
  3. 30 Aug, 2016 10 commits
    • Linus Torvalds's avatar
      Merge tag 'seccomp-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 61b5ebd6
      Linus Torvalds authored
      Pull seccomp fix from Kees Cook:
       "Fix fatal signal delivery after ptrace reordering"
      
      * tag 'seccomp-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        seccomp: Fix tracer exit notifications during fatal signals
      61b5ebd6
    • Kees Cook's avatar
      seccomp: Fix tracer exit notifications during fatal signals · 485a252a
      Kees Cook authored
      This fixes a ptrace vs fatal pending signals bug as manifested in
      seccomp now that seccomp was reordered to happen after ptrace. The
      short version is that seccomp should not attempt to call do_exit()
      while fatal signals are pending under a tracer. The existing code was
      trying to be as defensively paranoid as possible, but it now ends up
      confusing ptrace. Instead, the syscall can just be skipped (which solves
      the original concern that the do_exit() was addressing) and normal signal
      handling, tracer notification, and process death can happen.
      
      Paraphrasing from the original bug report:
      
      If a tracee task is in a PTRACE_EVENT_SECCOMP trap, or has been resumed
      after such a trap but not yet been scheduled, and another task in the
      thread-group calls exit_group(), then the tracee task exits without the
      ptracer receiving a PTRACE_EVENT_EXIT notification. Test case here:
      https://gist.github.com/khuey/3c43ac247c72cef8c956ca73281c9be7
      
      The bug happens because when __seccomp_filter() detects
      fatal_signal_pending(), it calls do_exit() without dequeuing the fatal
      signal. When do_exit() sends the PTRACE_EVENT_EXIT notification and
      that task is descheduled, __schedule() notices that there is a fatal
      signal pending and changes its state from TASK_TRACED to TASK_RUNNING.
      That prevents the ptracer's waitpid() from returning the ptrace event.
      A more detailed analysis is here:
      https://github.com/mozilla/rr/issues/1762#issuecomment-237396255.
      Reported-by: default avatarRobert O'Callahan <robert@ocallahan.org>
      Reported-by: default avatarKyle Huey <khuey@kylehuey.com>
      Tested-by: default avatarKyle Huey <khuey@kylehuey.com>
      Fixes: 93e35efb ("x86/ptrace: run seccomp after ptrace")
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Acked-by: default avatarJames Morris <james.l.morris@oracle.com>
      485a252a
    • Linus Torvalds's avatar
      Merge tag 'md/4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md · 86a16798
      Linus Torvalds authored
      Pull MD fixes from Shaohua Li:
       "This includes several bug fixes:
      
         - Alexey Obitotskiy fixed a hang for faulty raid5 array with external
           management
      
         - Song Liu fixed two raid5 journal related bugs
      
         - Tomasz Majchrzak fixed a bad block recording issue and an
           accounting issue for raid10
      
         - ZhengYuan Liu fixed an accounting issue for raid5
      
         - I fixed a potential race condition and memory leak with DIF/DIX
           enabled
      
         - other trival fixes"
      
      * tag 'md/4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
        raid5: avoid unnecessary bio data set
        raid5: fix memory leak of bio integrity data
        raid10: record correct address of bad block
        md-cluster: fix error return code in join()
        r5cache: set MD_JOURNAL_CLEAN correctly
        md: don't print the same repeated messages about delayed sync operation
        md: remove obsolete ret in md_start_sync
        md: do not count journal as spare in GET_ARRAY_INFO
        md: Prevent IO hold during accessing to faulty raid5 array
        MD: hold mddev lock to change bitmap location
        raid5: fix incorrectly counter of conf->empty_inactive_list_nr
        raid10: increment write counter after bio is split
      86a16798
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.8-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 0cf21c66
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
       "Highlights include:
      
        Stable patches:
         - Fix a refcount leak in nfs_callback_up_net
         - Fix an Oopsable condition when the flexfile pNFS driver connection
           to the DS fails
         - Fix an Oopsable condition in NFSv4.1 server callback races
         - Ensure pNFS clients stop doing I/O to the DS if their lease has
           expired, as required by the NFSv4.1 protocol
      
        Bugfixes:
         - Fix potential looping in the NFSv4.x migration code
         - Patch series to close callback races for OPEN, LAYOUTGET and
           LAYOUTRETURN
         - Silence WARN_ON when NFSv4.1 over RDMA is in use
         - Fix a LAYOUTCOMMIT race in the pNFS/blocks client
         - Fix pNFS timeout issues when the DS fails"
      
      * tag 'nfs-for-4.8-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFSv4.x: Fix a refcount leak in nfs_callback_up_net
        NFS4: Avoid migration loops
        pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails
        NFSv4.1: Remove obsolete and incorrrect assignment in nfs4_callback_sequence
        NFSv4.1: Close callback races for OPEN, LAYOUTGET and LAYOUTRETURN
        NFSv4.1: Defer bumping the slot sequence number until we free the slot
        NFSv4.1: Delay callback processing when there are referring triples
        NFSv4.1: Fix Oopsable condition in server callback races
        SUNRPC: Silence WARN_ON when NFSv4.1 over RDMA is in use
        pnfs/blocklayout: update last_write_offset atomically with extents
        pNFS: The client must not do I/O to the DS if it's lease has expired
        pNFS: Handle NFS4ERR_OLD_STATEID correctly in LAYOUTSTAT calls
        pNFS/flexfiles: Set reasonable default retrans values for the data channel
        NFS: Allow the mount option retrans=0
        pNFS/flexfiles: Fix layoutstat periodic reporting
      0cf21c66
    • Josh Poimboeuf's avatar
      mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS · 0d025d27
      Josh Poimboeuf authored
      There are three usercopy warnings which are currently being silenced for
      gcc 4.6 and newer:
      
      1) "copy_from_user() buffer size is too small" compile warning/error
      
         This is a static warning which happens when object size and copy size
         are both const, and copy size > object size.  I didn't see any false
         positives for this one.  So the function warning attribute seems to
         be working fine here.
      
         Note this scenario is always a bug and so I think it should be
         changed to *always* be an error, regardless of
         CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.
      
      2) "copy_from_user() buffer size is not provably correct" compile warning
      
         This is another static warning which happens when I enable
         __compiletime_object_size() for new compilers (and
         CONFIG_DEBUG_STRICT_USER_COPY_CHECKS).  It happens when object size
         is const, but copy size is *not*.  In this case there's no way to
         compare the two at build time, so it gives the warning.  (Note the
         warning is a byproduct of the fact that gcc has no way of knowing
         whether the overflow function will be called, so the call isn't dead
         code and the warning attribute is activated.)
      
         So this warning seems to only indicate "this is an unusual pattern,
         maybe you should check it out" rather than "this is a bug".
      
         I get 102(!) of these warnings with allyesconfig and the
         __compiletime_object_size() gcc check removed.  I don't know if there
         are any real bugs hiding in there, but from looking at a small
         sample, I didn't see any.  According to Kees, it does sometimes find
         real bugs.  But the false positive rate seems high.
      
      3) "Buffer overflow detected" runtime warning
      
         This is a runtime warning where object size is const, and copy size >
         object size.
      
      All three warnings (both static and runtime) were completely disabled
      for gcc 4.6 with the following commit:
      
        2fb0815c ("gcc4: disable __compiletime_object_size for GCC 4.6+")
      
      That commit mistakenly assumed that the false positives were caused by a
      gcc bug in __compiletime_object_size().  But in fact,
      __compiletime_object_size() seems to be working fine.  The false
      positives were instead triggered by #2 above.  (Though I don't have an
      explanation for why the warnings supposedly only started showing up in
      gcc 4.6.)
      
      So remove warning #2 to get rid of all the false positives, and re-enable
      warnings #1 and #3 by reverting the above commit.
      
      Furthermore, since #1 is a real bug which is detected at compile time,
      upgrade it to always be an error.
      
      Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer
      needed.
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: "H . Peter Anvin" <hpa@zytor.com>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Cc: Byungchul Park <byungchul.park@lge.com>
      Cc: Nilay Vaish <nilayvaish@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      0d025d27
    • Linus Torvalds's avatar
      Merge branch 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · d8dc020c
      Linus Torvalds authored
      Pull libata fixes from Tejun Heo:
       "Two libata driver specific fixes for v4.8-rc4.  Nothing too scary"
      
      * 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        pata_ninja32: Avoid corrupting status flags
        ahci: disable correct irq for dummy ports
      d8dc020c
    • Linus Torvalds's avatar
      Merge branch 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 748e7fc2
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
       "Two fixes for cgroup.
      
         - There still was a hole in enforcing cpuset rules, fixed by Li.
      
         - The recent switch to global percpu_rwseom for threadgroup locking
           revealed a couple issues in how percpu_rwsem is implemented and
           used by cgroup.  Balbir found that the read locking section was too
           wide unnecessarily including operations which can often depend on
           IOs.  With percpu_rwsem updates (coming through a different tree)
           and reduction of read locking section, all the reported locking
           latency issues, including the android one, are resolved.
      
        It looks like we can keep global percpu_rwsem locking for now.  If
        there actually are cases which can't be resolved, we can go back to
        more complex per-signal_struct locking"
      
      * 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup: reduce read locked section of cgroup_threadgroup_rwsem during fork
        cpuset: make sure new tasks conform to the current config of the cpuset
      748e7fc2
    • Alan Cox's avatar
      pata_ninja32: Avoid corrupting status flags · 9ebae9e4
      Alan Cox authored
      Ninja32 needs to set some flags to indicate it does 32bit IO. However it currently assigns this which
      loses the initializing flag and causes a warning spew. Fix it to use a logical or as is intended.
      Signed-off-by: default avatarAlan Cox <alan@linux.intel.com>
      Tested-by: default avatarEllmar Stelnberger <estellnb@elstel.org>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      9ebae9e4
    • Trond Myklebust's avatar
      NFSv4.x: Fix a refcount leak in nfs_callback_up_net · 98b0f80c
      Trond Myklebust authored
      On error, the callers expect us to return without bumping
      nn->cb_users[].
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Cc: stable@vger.kernel.org # v3.7+
      98b0f80c
    • Benjamin Coddington's avatar
      NFS4: Avoid migration loops · 52442f9b
      Benjamin Coddington authored
      If a server returns itself as a location while migrating, the client may
      end up getting stuck attempting to migrate twice to the same server.  Catch
      this by checking if the nfs_client found is the same as the existing
      client.  For the other two callers to nfs4_set_client, the nfs_client will
      always be ERR_PTR(-EINVAL).
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      52442f9b
  4. 29 Aug, 2016 7 commits
    • Linus Torvalds's avatar
      Merge tag 'hwmon-for-linus-v4.8-rc5' of... · e4e98c46
      Linus Torvalds authored
      Merge tag 'hwmon-for-linus-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fix from Guenter Roeck:
       "Add missing sysfs attribute group terminator to it87 driver"
      
      * tag 'hwmon-for-linus-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (it87) Add missing sysfs attribute group terminator
      e4e98c46
    • Linus Torvalds's avatar
      Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · b8927721
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Fix bugs that could cause kernel deadlocks or file system corruption
        while moving xattrs to expand the extended inode.
      
        Also add some sanity checks to the block group descriptors to make
        sure we don't end up overwriting the superblock"
      
      * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: avoid deadlock when expanding inode size
        ext4: properly align shifted xattrs when expanding inodes
        ext4: fix xattr shifting when expanding inodes part 2
        ext4: fix xattr shifting when expanding inodes
        ext4: validate that metadata blocks do not overlap superblock
        ext4: reserve xattr index for the Hurd
      b8927721
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 1f6a563e
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Segregate namespaces properly in conntrack dumps, from Liping Zhang.
      
       2) tcp listener refcount fix in netfilter tproxy, from Eric Dumazet.
      
       3) Fix timeouts in qed driver due to xmit_more, from Yuval Mintz.
      
       4) Fix use-after-free in tcp_xmit_retransmit_queue().
      
       5) Userspace header fixups (use of __u32, missing includes, etc.) from
          Mikko Rapeli.
      
       6) Further refinements to fragmentation wrt gso and tunnels, from
          Shmulik Ladkani.
      
       7) Trigger poll correctly for zero length UDP packets, from Eric
          Dumazet.
      
       8) TCP window scaling fix, also from Eric Dumazet.
      
       9) SLAB_DESTROY_BY_RCU is not relevant any more for UDP sockets.
      
      10) Module refcount leak in qdisc_create_dflt(), from Eric Dumazet.
      
      11) Fix deadlock in cp_rx_poll() of 8139cp driver, from Gao Feng.
      
      12) Memory leak in rhashtable's alloc_bucket_locks(), from Eric Dumazet.
      
      13) Add new device ID to alx driver, from Owen Lin.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (83 commits)
        Add Killer E2500 device ID in alx driver.
        net: smc91x: fix SMC accesses
        Documentation: networking: dsa: Remove platform device TODO
        net/mlx5: Increase number of ethtool steering priorities
        net/mlx5: Add error prints when validate ETS failed
        net/mlx5e: Fix memory leak if refreshing TIRs fails
        net/mlx5e: Add ethtool counter for TX xmit_more
        net/mlx5e: Fix ethtool -g/G rx ring parameter report with striding RQ
        net/mlx5e: Don't wait for SQ completions on close
        net/mlx5e: Don't post fragmented MPWQE when RQ is disabled
        net/mlx5e: Don't wait for RQ completions on close
        net/mlx5e: Limit UMR length to the device's limitation
        rhashtable: fix a memory leak in alloc_bucket_locks()
        sfc: fix potential stack corruption from running past stat bitmask
        team: loadbalance: push lacpdus to exact delivery
        net: hns: dereference ppe_cb->ppe_common_cb if it is non-null
        8139cp: Fix one possible deadloop in cp_rx_poll
        i40e: Change some init flow for the client
        Revert "phy: IRQ cannot be shared"
        net: dsa: bcm_sf2: Fix race condition while unmasking interrupts
        ...
      1f6a563e
    • Trond Myklebust's avatar
      pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails · 3dc14735
      Trond Myklebust authored
      If the attempt to connect to a DS fails inside ff_layout_pg_init_read or
      ff_layout_pg_init_write, then we currently end up clearing the layout
      segment carried by the struct nfs_pageio_descriptor, causing an Oops
      when we later call into ff_layout_read_pagelist/ff_layout_write_pagelist.
      
      The fix is to ensure we return the layout and then retry.
      
      Fixes: 446ca219 ("pNFS/flexfiles: When initing reads or writes, we...")
      Cc: stable@vger.kernel.org # v4.7+
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      3dc14735
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v4.8-4' of... · cf4d3779
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v4.8-4' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86
      
      Pull x86 platform driver fixes from Darren Hart:
       "Remove module related code from two drivers that are only configurable
        as built-in: intel_pmic_gpio and platform/olpc"
      
      * tag 'platform-drivers-x86-v4.8-4' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86:
        intel_pmic_gpio: Make explicitly non-modular
        platform/olpc: Make ec explicitly non-modular
      cf4d3779
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 2a90309e
      Linus Torvalds authored
      Pull powerpc fixes from Ben Herrenschmidt:
       "This was meant to be sent early last week, but I has a change pending
        on one of the fixes and other things made me forget all about.  Ugh.
      
        We have some misc fixes for powerpc 4.8.  Some trivial bits and some
        regressions, and a trivial cleanup or two that I saw no point in
        letting rot in patchwork"
      
      * tag 'powerpc-4.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc: signals: Discard transaction state from signal frames
        powerpc/powernv : Drop reference added by kset_find_obj()
        powerpc/tm: do not use r13 for tabort_syscall
        powerpc: move hmi.c to arch/powerpc/kvm/
        powerpc: sysdev: cpm: fix gpio save_regs functions
        powerpc/pseries: PACA save area fix for MCE vs MCE
        powerpc/pseries: PACA save area fix for general exception vs MCE
        powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support
        powerpc, hotplug: Avoid to touch non-existent cpumasks.
        powerpc: migrate exception table users off module.h and onto extable.h
        powerpc/powernv/pci: fix iterator signedness
        powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb)
        cxl: use pcibios_free_controller_deferred() when removing vPHBs
        powerpc: mpc8349emitx: Delete unnecessary assignment for the field "owner"
        powerpc/512x: Delete unnecessary assignment for the field "owner"
        drivers/macintosh: Delete owner assignment
        powerpc: cputhreads: Add missing include file
      2a90309e
    • Jean Delvare's avatar
      hwmon: (it87) Add missing sysfs attribute group terminator · 3c329263
      Jean Delvare authored
      Attribute array it87_attributes_in lacks its NULL terminator,
      causing random behavior when operating on the attribute group.
      
      Fixes: 52929715 ("hwmon: (it87) Use is_visible for voltage sensors")
      Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
      Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      3c329263
  5. 28 Aug, 2016 11 commits