<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git, branch v3.10.99</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Linux 3.10.99</title>
<updated>2016-03-03T23:07:51+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2016-03-03T23:07:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e39c17904aadf3a107b2bc292c03bfd9f850fd08'/>
<id>e39c17904aadf3a107b2bc292c03bfd9f850fd08</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.</title>
<updated>2016-03-03T23:06:25+00:00</updated>
<author>
<name>Konrad Rzeszutek Wilk</name>
<email>konrad.wilk@oracle.com</email>
</author>
<published>2016-02-11T21:10:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d012f71377e1dad1165a0926c2920043e4047438'/>
<id>d012f71377e1dad1165a0926c2920043e4047438</id>
<content type='text'>
commit 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e upstream.

Occasionaly PV guests would crash with:

pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16
BUG: unable to handle kernel paging request at 0000000d1a8c0be0
.. snip..
  &lt;ffffffff8139ce1b&gt;] find_next_bit+0xb/0x10
  [&lt;ffffffff81387f22&gt;] cpumask_next_and+0x22/0x40
  [&lt;ffffffff813c1ef8&gt;] pci_device_probe+0xb8/0x120
  [&lt;ffffffff81529097&gt;] ? driver_sysfs_add+0x77/0xa0
  [&lt;ffffffff815293e4&gt;] driver_probe_device+0x1a4/0x2d0
  [&lt;ffffffff813c1ddd&gt;] ? pci_match_device+0xdd/0x110
  [&lt;ffffffff81529657&gt;] __device_attach_driver+0xa7/0xb0
  [&lt;ffffffff815295b0&gt;] ? __driver_attach+0xa0/0xa0
  [&lt;ffffffff81527622&gt;] bus_for_each_drv+0x62/0x90
  [&lt;ffffffff8152978d&gt;] __device_attach+0xbd/0x110
  [&lt;ffffffff815297fb&gt;] device_attach+0xb/0x10
  [&lt;ffffffff813b75ac&gt;] pci_bus_add_device+0x3c/0x70
  [&lt;ffffffff813b7618&gt;] pci_bus_add_devices+0x38/0x80
  [&lt;ffffffff813dc34e&gt;] pcifront_scan_root+0x13e/0x1a0
  [&lt;ffffffff817a0692&gt;] pcifront_backend_changed+0x262/0x60b
  [&lt;ffffffff814644c6&gt;] ? xenbus_gather+0xd6/0x160
  [&lt;ffffffff8120900f&gt;] ? put_object+0x2f/0x50
  [&lt;ffffffff81465c1d&gt;] xenbus_otherend_changed+0x9d/0xa0
  [&lt;ffffffff814678ee&gt;] backend_changed+0xe/0x10
  [&lt;ffffffff81463a28&gt;] xenwatch_thread+0xc8/0x190
  [&lt;ffffffff810f22f0&gt;] ? woken_wake_function+0x10/0x10

which was the result of two things:

When we call pci_scan_root_bus we would pass in 'sd' (sysdata)
pointer which was an 'pcifront_sd' structure. However in the
pci_device_add it expects that the 'sd' is 'struct sysdata' and
sets the dev-&gt;node to what is in sd-&gt;node (offset 4):

set_dev_node(&amp;dev-&gt;dev, pcibus_to_node(bus));

 __pcibus_to_node(const struct pci_bus *bus)
{
        const struct pci_sysdata *sd = bus-&gt;sysdata;

        return sd-&gt;node;
}

However our structure was pcifront_sd which had nothing at that
offset:

struct pcifront_sd {
        int                        domain;    /*     0     4 */
        /* XXX 4 bytes hole, try to pack */
        struct pcifront_device *   pdev;      /*     8     8 */
}

That is an hole - filled with garbage as we used kmalloc instead of
kzalloc (the second problem).

This patch fixes the issue by:
 1) Use kzalloc to initialize to a well known state.
 2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That
    way access to the 'node' will access the right offset.

Signed-off-by: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Reviewed-by: Boris Ostrovsky &lt;boris.ostrovsky@oracle.com&gt;
Signed-off-by: David Vrabel &lt;david.vrabel@citrix.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e upstream.

Occasionaly PV guests would crash with:

pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16
BUG: unable to handle kernel paging request at 0000000d1a8c0be0
.. snip..
  &lt;ffffffff8139ce1b&gt;] find_next_bit+0xb/0x10
  [&lt;ffffffff81387f22&gt;] cpumask_next_and+0x22/0x40
  [&lt;ffffffff813c1ef8&gt;] pci_device_probe+0xb8/0x120
  [&lt;ffffffff81529097&gt;] ? driver_sysfs_add+0x77/0xa0
  [&lt;ffffffff815293e4&gt;] driver_probe_device+0x1a4/0x2d0
  [&lt;ffffffff813c1ddd&gt;] ? pci_match_device+0xdd/0x110
  [&lt;ffffffff81529657&gt;] __device_attach_driver+0xa7/0xb0
  [&lt;ffffffff815295b0&gt;] ? __driver_attach+0xa0/0xa0
  [&lt;ffffffff81527622&gt;] bus_for_each_drv+0x62/0x90
  [&lt;ffffffff8152978d&gt;] __device_attach+0xbd/0x110
  [&lt;ffffffff815297fb&gt;] device_attach+0xb/0x10
  [&lt;ffffffff813b75ac&gt;] pci_bus_add_device+0x3c/0x70
  [&lt;ffffffff813b7618&gt;] pci_bus_add_devices+0x38/0x80
  [&lt;ffffffff813dc34e&gt;] pcifront_scan_root+0x13e/0x1a0
  [&lt;ffffffff817a0692&gt;] pcifront_backend_changed+0x262/0x60b
  [&lt;ffffffff814644c6&gt;] ? xenbus_gather+0xd6/0x160
  [&lt;ffffffff8120900f&gt;] ? put_object+0x2f/0x50
  [&lt;ffffffff81465c1d&gt;] xenbus_otherend_changed+0x9d/0xa0
  [&lt;ffffffff814678ee&gt;] backend_changed+0xe/0x10
  [&lt;ffffffff81463a28&gt;] xenwatch_thread+0xc8/0x190
  [&lt;ffffffff810f22f0&gt;] ? woken_wake_function+0x10/0x10

which was the result of two things:

When we call pci_scan_root_bus we would pass in 'sd' (sysdata)
pointer which was an 'pcifront_sd' structure. However in the
pci_device_add it expects that the 'sd' is 'struct sysdata' and
sets the dev-&gt;node to what is in sd-&gt;node (offset 4):

set_dev_node(&amp;dev-&gt;dev, pcibus_to_node(bus));

 __pcibus_to_node(const struct pci_bus *bus)
{
        const struct pci_sysdata *sd = bus-&gt;sysdata;

        return sd-&gt;node;
}

However our structure was pcifront_sd which had nothing at that
offset:

struct pcifront_sd {
        int                        domain;    /*     0     4 */
        /* XXX 4 bytes hole, try to pack */
        struct pcifront_device *   pdev;      /*     8     8 */
}

That is an hole - filled with garbage as we used kmalloc instead of
kzalloc (the second problem).

This patch fixes the issue by:
 1) Use kzalloc to initialize to a well known state.
 2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That
    way access to the 'node' will access the right offset.

Signed-off-by: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Reviewed-by: Boris Ostrovsky &lt;boris.ostrovsky@oracle.com&gt;
Signed-off-by: David Vrabel &lt;david.vrabel@citrix.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>do_last(): don't let a bogus return value from -&gt;open() et.al. to confuse us</title>
<updated>2016-03-03T23:06:24+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2016-02-28T00:17:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1b153db5ac6c1598022b2b11ffb3be1303e3bffb'/>
<id>1b153db5ac6c1598022b2b11ffb3be1303e3bffb</id>
<content type='text'>
commit c80567c82ae4814a41287618e315a60ecf513be6 upstream.

... into returning a positive to path_openat(), which would interpret that
as "symlink had been encountered" and proceed to corrupt memory, etc.
It can only happen due to a bug in some -&gt;open() instance or in some LSM
hook, etc., so we report any such event *and* make sure it doesn't trick
us into further unpleasantness.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c80567c82ae4814a41287618e315a60ecf513be6 upstream.

... into returning a positive to path_openat(), which would interpret that
as "symlink had been encountered" and proceed to corrupt memory, etc.
It can only happen due to a bug in some -&gt;open() instance or in some LSM
hook, etc., so we report any such event *and* make sure it doesn't trick
us into further unpleasantness.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>kernel/resource.c: fix muxed resource handling in __request_region()</title>
<updated>2016-03-03T23:06:24+00:00</updated>
<author>
<name>Simon Guinot</name>
<email>simon.guinot@sequanux.org</email>
</author>
<published>2015-09-09T22:15:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b19e7a870c21104186d5834d469b6e4a60d5cc6a'/>
<id>b19e7a870c21104186d5834d469b6e4a60d5cc6a</id>
<content type='text'>
commit 59ceeaaf355fa0fb16558ef7c24413c804932ada upstream.

In __request_region, if a conflict with a BUSY and MUXED resource is
detected, then the caller goes to sleep and waits for the resource to be
released.  A pointer on the conflicting resource is kept.  At wake-up
this pointer is used as a parent to retry to request the region.

A first problem is that this pointer might well be invalid (if for
example the conflicting resource have already been freed).  Another
problem is that the next call to __request_region() fails to detect a
remaining conflict.  The previously conflicting resource is passed as a
parameter and __request_region() will look for a conflict among the
children of this resource and not at the resource itself.  It is likely
to succeed anyway, even if there is still a conflict.

Instead, the parent of the conflicting resource should be passed to
__request_region().

As a fix, this patch doesn't update the parent resource pointer in the
case we have to wait for a muxed region right after.

Reported-and-tested-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Signed-off-by: Simon Guinot &lt;simon.guinot@sequanux.org&gt;
Tested-by: Vincent Donnefort &lt;vdonnefort@gmail.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 59ceeaaf355fa0fb16558ef7c24413c804932ada upstream.

In __request_region, if a conflict with a BUSY and MUXED resource is
detected, then the caller goes to sleep and waits for the resource to be
released.  A pointer on the conflicting resource is kept.  At wake-up
this pointer is used as a parent to retry to request the region.

A first problem is that this pointer might well be invalid (if for
example the conflicting resource have already been freed).  Another
problem is that the next call to __request_region() fails to detect a
remaining conflict.  The previously conflicting resource is passed as a
parameter and __request_region() will look for a conflict among the
children of this resource and not at the resource itself.  It is likely
to succeed anyway, even if there is still a conflict.

Instead, the parent of the conflicting resource should be passed to
__request_region().

As a fix, this patch doesn't update the parent resource pointer in the
case we have to wait for a muxed region right after.

Reported-and-tested-by: Vincent Pelletier &lt;plr.vincent@gmail.com&gt;
Signed-off-by: Simon Guinot &lt;simon.guinot@sequanux.org&gt;
Tested-by: Vincent Donnefort &lt;vdonnefort@gmail.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>sunrpc/cache: fix off-by-one in qword_get()</title>
<updated>2016-03-03T23:06:24+00:00</updated>
<author>
<name>Stefan Hajnoczi</name>
<email>stefanha@redhat.com</email>
</author>
<published>2016-02-18T18:55:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a7d9970fb5419b78310fb827615bd14bf7d94963'/>
<id>a7d9970fb5419b78310fb827615bd14bf7d94963</id>
<content type='text'>
commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream.

The qword_get() function NUL-terminates its output buffer.  If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:

  int qword_get(char **bpp, char *dest, int bufsize)
  {
      ...
      while (len &lt; bufsize) {
          ...
          *dest++ = (h &lt;&lt; 4) | l;
          len++;
      }
      ...
      *dest = '\0';
      return len;
  }

This patch ensures the NUL terminator doesn't fall outside the output
buffer.

Signed-off-by: Stefan Hajnoczi &lt;stefanha@redhat.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream.

The qword_get() function NUL-terminates its output buffer.  If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:

  int qword_get(char **bpp, char *dest, int bufsize)
  {
      ...
      while (len &lt; bufsize) {
          ...
          *dest++ = (h &lt;&lt; 4) | l;
          len++;
      }
      ...
      *dest = '\0';
      return len;
  }

This patch ensures the NUL terminator doesn't fall outside the output
buffer.

Signed-off-by: Stefan Hajnoczi &lt;stefanha@redhat.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>tracing: Fix showing function event in available_events</title>
<updated>2016-03-03T23:06:24+00:00</updated>
<author>
<name>Steven Rostedt (Red Hat)</name>
<email>rostedt@goodmis.org</email>
</author>
<published>2016-02-24T14:04:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eb63a905ff5f0d258693fd9991a94bc49188dcc3'/>
<id>eb63a905ff5f0d258693fd9991a94bc49188dcc3</id>
<content type='text'>
commit d045437a169f899dfb0f6f7ede24cc042543ced9 upstream.

The ftrace:function event is only displayed for parsing the function tracer
data. It is not used to enable function tracing, and does not include an
"enable" file in its event directory.

Originally, this event was kept separate from other events because it did
not have a -&gt;reg parameter. But perf added a "reg" parameter for its use
which caused issues, because it made the event available to functions where
it was not compatible for.

Commit 9b63776fa3ca9 "tracing: Do not enable function event with enable"
added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event
from being enabled by normal trace events. But this commit missed keeping
the function event from being displayed by the "available_events" directory,
which is used to show what events can be enabled by set_event.

One documented way to enable all events is to:

 cat available_events &gt; set_event

But because the function event is displayed in the available_events, this
now causes an INVALID error:

 cat: write error: Invalid argument

Reported-by: Chunyu Hu &lt;chuhu@redhat.com&gt;
Fixes: 9b63776fa3ca9 "tracing: Do not enable function event with enable"
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d045437a169f899dfb0f6f7ede24cc042543ced9 upstream.

The ftrace:function event is only displayed for parsing the function tracer
data. It is not used to enable function tracing, and does not include an
"enable" file in its event directory.

Originally, this event was kept separate from other events because it did
not have a -&gt;reg parameter. But perf added a "reg" parameter for its use
which caused issues, because it made the event available to functions where
it was not compatible for.

Commit 9b63776fa3ca9 "tracing: Do not enable function event with enable"
added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event
from being enabled by normal trace events. But this commit missed keeping
the function event from being displayed by the "available_events" directory,
which is used to show what events can be enabled by set_event.

One documented way to enable all events is to:

 cat available_events &gt; set_event

But because the function event is displayed in the available_events, this
now causes an INVALID error:

 cat: write error: Invalid argument

Reported-by: Chunyu Hu &lt;chuhu@redhat.com&gt;
Fixes: 9b63776fa3ca9 "tracing: Do not enable function event with enable"
Signed-off-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>KVM: async_pf: do not warn on page allocation failures</title>
<updated>2016-03-03T23:06:24+00:00</updated>
<author>
<name>Christian Borntraeger</name>
<email>borntraeger@de.ibm.com</email>
</author>
<published>2016-02-19T12:11:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bd54a801362f13ac756b4de4bb65d1a48c7d5fad'/>
<id>bd54a801362f13ac756b4de4bb65d1a48c7d5fad</id>
<content type='text'>
commit d7444794a02ff655eda87e3cc54e86b940e7736f upstream.

In async_pf we try to allocate with NOWAIT to get an element quickly
or fail. This code also handle failures gracefully. Lets silence
potential page allocation failures under load.

qemu-system-s39: page allocation failure: order:0,mode:0x2200000
[...]
Call Trace:
([&lt;00000000001146b8&gt;] show_trace+0xf8/0x148)
[&lt;000000000011476a&gt;] show_stack+0x62/0xe8
[&lt;00000000004a36b8&gt;] dump_stack+0x70/0x98
[&lt;0000000000272c3a&gt;] warn_alloc_failed+0xd2/0x148
[&lt;000000000027709e&gt;] __alloc_pages_nodemask+0x94e/0xb38
[&lt;00000000002cd36a&gt;] new_slab+0x382/0x400
[&lt;00000000002cf7ac&gt;] ___slab_alloc.constprop.30+0x2dc/0x378
[&lt;00000000002d03d0&gt;] kmem_cache_alloc+0x160/0x1d0
[&lt;0000000000133db4&gt;] kvm_setup_async_pf+0x6c/0x198
[&lt;000000000013dee8&gt;] kvm_arch_vcpu_ioctl_run+0xd48/0xd58
[&lt;000000000012fcaa&gt;] kvm_vcpu_ioctl+0x372/0x690
[&lt;00000000002f66f6&gt;] do_vfs_ioctl+0x3be/0x510
[&lt;00000000002f68ec&gt;] SyS_ioctl+0xa4/0xb8
[&lt;0000000000781c5e&gt;] system_call+0xd6/0x264
[&lt;000003ffa24fa06a&gt;] 0x3ffa24fa06a

Signed-off-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
Reviewed-by: Dominik Dingel &lt;dingel@linux.vnet.ibm.com&gt;
Signed-off-by: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d7444794a02ff655eda87e3cc54e86b940e7736f upstream.

In async_pf we try to allocate with NOWAIT to get an element quickly
or fail. This code also handle failures gracefully. Lets silence
potential page allocation failures under load.

qemu-system-s39: page allocation failure: order:0,mode:0x2200000
[...]
Call Trace:
([&lt;00000000001146b8&gt;] show_trace+0xf8/0x148)
[&lt;000000000011476a&gt;] show_stack+0x62/0xe8
[&lt;00000000004a36b8&gt;] dump_stack+0x70/0x98
[&lt;0000000000272c3a&gt;] warn_alloc_failed+0xd2/0x148
[&lt;000000000027709e&gt;] __alloc_pages_nodemask+0x94e/0xb38
[&lt;00000000002cd36a&gt;] new_slab+0x382/0x400
[&lt;00000000002cf7ac&gt;] ___slab_alloc.constprop.30+0x2dc/0x378
[&lt;00000000002d03d0&gt;] kmem_cache_alloc+0x160/0x1d0
[&lt;0000000000133db4&gt;] kvm_setup_async_pf+0x6c/0x198
[&lt;000000000013dee8&gt;] kvm_arch_vcpu_ioctl_run+0xd48/0xd58
[&lt;000000000012fcaa&gt;] kvm_vcpu_ioctl+0x372/0x690
[&lt;00000000002f66f6&gt;] do_vfs_ioctl+0x3be/0x510
[&lt;00000000002f68ec&gt;] SyS_ioctl+0xa4/0xb8
[&lt;0000000000781c5e&gt;] system_call+0xd6/0x264
[&lt;000003ffa24fa06a&gt;] 0x3ffa24fa06a

Signed-off-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
Reviewed-by: Dominik Dingel &lt;dingel@linux.vnet.ibm.com&gt;
Signed-off-by: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>nfs: fix nfs_size_to_loff_t</title>
<updated>2016-03-03T23:06:24+00:00</updated>
<author>
<name>Christoph Hellwig</name>
<email>hch@lst.de</email>
</author>
<published>2016-02-08T20:11:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9c8e8b9e50d8e19ae8cbc721cd0a4da8af17fa26'/>
<id>9c8e8b9e50d8e19ae8cbc721cd0a4da8af17fa26</id>
<content type='text'>
commit 50ab8ec74a153eb30db26529088bc57dd700b24c upstream.

See http: //www.infradead.org/rpr.html
X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0

We support OFFSET_MAX just fine, so don't round down below it.  Also
switch to using min_t to make the helper more readable.

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Fixes: 433c92379d9c ("NFS: Clean up nfs_size_to_loff_t()")
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 50ab8ec74a153eb30db26529088bc57dd700b24c upstream.

See http: //www.infradead.org/rpr.html
X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0

We support OFFSET_MAX just fine, so don't round down below it.  Also
switch to using min_t to make the helper more readable.

Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
Fixes: 433c92379d9c ("NFS: Clean up nfs_size_to_loff_t()")
Signed-off-by: Trond Myklebust &lt;trond.myklebust@primarydata.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>PCI/AER: Flush workqueue on device remove to avoid use-after-free</title>
<updated>2016-03-03T23:06:24+00:00</updated>
<author>
<name>Sebastian Andrzej Siewior</name>
<email>bigeasy@linutronix.de</email>
</author>
<published>2016-01-25T16:08:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dcc121e02f773b4b8fc88522810214af39ea8313'/>
<id>dcc121e02f773b4b8fc88522810214af39ea8313</id>
<content type='text'>
commit 4ae2182b1e3407de369f8c5d799543b7db74221b upstream.

A Root Port's AER structure (rpc) contains a queue of events.  aer_irq()
enqueues AER status information and schedules aer_isr() to dequeue and
process it.  When we remove a device, aer_remove() waits for the queue to
be empty, then frees the rpc struct.

But aer_isr() references the rpc struct after dequeueing and possibly
emptying the queue, which can cause a use-after-free error as in the
following scenario with two threads, aer_isr() on the left and a
concurrent aer_remove() on the right:

  Thread A                      Thread B
  --------                      --------
  aer_irq():
    rpc-&gt;prod_idx++
                                aer_remove():
                                  wait_event(rpc-&gt;prod_idx == rpc-&gt;cons_idx)
                                  # now blocked until queue becomes empty
  aer_isr():                      # ...
    rpc-&gt;cons_idx++               # unblocked because queue is now empty
    ...                           kfree(rpc)
    mutex_unlock(&amp;rpc-&gt;rpc_mutex)

To prevent this problem, use flush_work() to wait until the last scheduled
instance of aer_isr() has completed before freeing the rpc struct in
aer_remove().

I reproduced this use-after-free by flashing a device FPGA and
re-enumerating the bus to find the new device.  With SLUB debug, this
crashes with 0x6b bytes (POISON_FREE, the use-after-free magic number) in
GPR25:

  pcieport 0000:00:00.0: AER: Multiple Corrected error received: id=0000
  Unable to handle kernel paging request for data at address 0x27ef9e3e
  Workqueue: events aer_isr
  GPR24: dd6aa000 6b6b6b6b 605f8378 605f8360 d99b12c0 604fc674 606b1704 d99b12c0
  NIP [602f5328] pci_walk_bus+0xd4/0x104

[bhelgaas: changelog, stable tag]
Signed-off-by: Sebastian Andrzej Siewior &lt;bigeasy@linutronix.de&gt;
Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4ae2182b1e3407de369f8c5d799543b7db74221b upstream.

A Root Port's AER structure (rpc) contains a queue of events.  aer_irq()
enqueues AER status information and schedules aer_isr() to dequeue and
process it.  When we remove a device, aer_remove() waits for the queue to
be empty, then frees the rpc struct.

But aer_isr() references the rpc struct after dequeueing and possibly
emptying the queue, which can cause a use-after-free error as in the
following scenario with two threads, aer_isr() on the left and a
concurrent aer_remove() on the right:

  Thread A                      Thread B
  --------                      --------
  aer_irq():
    rpc-&gt;prod_idx++
                                aer_remove():
                                  wait_event(rpc-&gt;prod_idx == rpc-&gt;cons_idx)
                                  # now blocked until queue becomes empty
  aer_isr():                      # ...
    rpc-&gt;cons_idx++               # unblocked because queue is now empty
    ...                           kfree(rpc)
    mutex_unlock(&amp;rpc-&gt;rpc_mutex)

To prevent this problem, use flush_work() to wait until the last scheduled
instance of aer_isr() has completed before freeing the rpc struct in
aer_remove().

I reproduced this use-after-free by flashing a device FPGA and
re-enumerating the bus to find the new device.  With SLUB debug, this
crashes with 0x6b bytes (POISON_FREE, the use-after-free magic number) in
GPR25:

  pcieport 0000:00:00.0: AER: Multiple Corrected error received: id=0000
  Unable to handle kernel paging request for data at address 0x27ef9e3e
  Workqueue: events aer_isr
  GPR24: dd6aa000 6b6b6b6b 605f8378 605f8360 d99b12c0 604fc674 606b1704 d99b12c0
  NIP [602f5328] pci_walk_bus+0xd4/0x104

[bhelgaas: changelog, stable tag]
Signed-off-by: Sebastian Andrzej Siewior &lt;bigeasy@linutronix.de&gt;
Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>libata: fix sff host state machine locking while polling</title>
<updated>2016-03-03T23:06:24+00:00</updated>
<author>
<name>Tejun Heo</name>
<email>tj@kernel.org</email>
</author>
<published>2016-02-01T16:33:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=43a349917d77250e1fb7dbcb44e50a80b8cab026'/>
<id>43a349917d77250e1fb7dbcb44e50a80b8cab026</id>
<content type='text'>
commit 8eee1d3ed5b6fc8e14389567c9a6f53f82bb7224 upstream.

The bulk of ATA host state machine is implemented by
ata_sff_hsm_move().  The function is called from either the interrupt
handler or, if polling, a work item.  Unlike from the interrupt path,
the polling path calls the function without holding the host lock and
ata_sff_hsm_move() selectively grabs the lock.

This is completely broken.  If an IRQ triggers while polling is in
progress, the two can easily race and end up accessing the hardware
and updating state machine state at the same time.  This can put the
state machine in an illegal state and lead to a crash like the
following.

  kernel BUG at drivers/ata/libata-sff.c:1302!
  invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
  Modules linked in:
  CPU: 1 PID: 10679 Comm: syz-executor Not tainted 4.5.0-rc1+ #300
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  task: ffff88002bd00000 ti: ffff88002e048000 task.ti: ffff88002e048000
  RIP: 0010:[&lt;ffffffff83a83409&gt;]  [&lt;ffffffff83a83409&gt;] ata_sff_hsm_move+0x619/0x1c60
  ...
  Call Trace:
   &lt;IRQ&gt;
   [&lt;ffffffff83a84c31&gt;] __ata_sff_port_intr+0x1e1/0x3a0 drivers/ata/libata-sff.c:1584
   [&lt;ffffffff83a85611&gt;] ata_bmdma_port_intr+0x71/0x400 drivers/ata/libata-sff.c:2877
   [&lt;     inline     &gt;] __ata_sff_interrupt drivers/ata/libata-sff.c:1629
   [&lt;ffffffff83a85bf3&gt;] ata_bmdma_interrupt+0x253/0x580 drivers/ata/libata-sff.c:2902
   [&lt;ffffffff81479f98&gt;] handle_irq_event_percpu+0x108/0x7e0 kernel/irq/handle.c:157
   [&lt;ffffffff8147a717&gt;] handle_irq_event+0xa7/0x140 kernel/irq/handle.c:205
   [&lt;ffffffff81484573&gt;] handle_edge_irq+0x1e3/0x8d0 kernel/irq/chip.c:623
   [&lt;     inline     &gt;] generic_handle_irq_desc include/linux/irqdesc.h:146
   [&lt;ffffffff811a92bc&gt;] handle_irq+0x10c/0x2a0 arch/x86/kernel/irq_64.c:78
   [&lt;ffffffff811a7e4d&gt;] do_IRQ+0x7d/0x1a0 arch/x86/kernel/irq.c:240
   [&lt;ffffffff86653d4c&gt;] common_interrupt+0x8c/0x8c arch/x86/entry/entry_64.S:520
   &lt;EOI&gt;
   [&lt;     inline     &gt;] rcu_lock_acquire include/linux/rcupdate.h:490
   [&lt;     inline     &gt;] rcu_read_lock include/linux/rcupdate.h:874
   [&lt;ffffffff8164b4a1&gt;] filemap_map_pages+0x131/0xba0 mm/filemap.c:2145
   [&lt;     inline     &gt;] do_fault_around mm/memory.c:2943
   [&lt;     inline     &gt;] do_read_fault mm/memory.c:2962
   [&lt;     inline     &gt;] do_fault mm/memory.c:3133
   [&lt;     inline     &gt;] handle_pte_fault mm/memory.c:3308
   [&lt;     inline     &gt;] __handle_mm_fault mm/memory.c:3418
   [&lt;ffffffff816efb16&gt;] handle_mm_fault+0x2516/0x49a0 mm/memory.c:3447
   [&lt;ffffffff8127dc16&gt;] __do_page_fault+0x376/0x960 arch/x86/mm/fault.c:1238
   [&lt;ffffffff8127e358&gt;] trace_do_page_fault+0xe8/0x420 arch/x86/mm/fault.c:1331
   [&lt;ffffffff8126f514&gt;] do_async_page_fault+0x14/0xd0 arch/x86/kernel/kvm.c:264
   [&lt;ffffffff86655578&gt;] async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:986

Fix it by ensuring that the polling path is holding the host lock
before entering ata_sff_hsm_move() so that all hardware accesses and
state updates are performed under the host lock.

Signed-off-by: Tejun Heo &lt;tj@kernel.org&gt;
Reported-and-tested-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Link: http://lkml.kernel.org/g/CACT4Y+b_JsOxJu2EZyEf+mOXORc_zid5V1-pLZSroJVxyWdSpw@mail.gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8eee1d3ed5b6fc8e14389567c9a6f53f82bb7224 upstream.

The bulk of ATA host state machine is implemented by
ata_sff_hsm_move().  The function is called from either the interrupt
handler or, if polling, a work item.  Unlike from the interrupt path,
the polling path calls the function without holding the host lock and
ata_sff_hsm_move() selectively grabs the lock.

This is completely broken.  If an IRQ triggers while polling is in
progress, the two can easily race and end up accessing the hardware
and updating state machine state at the same time.  This can put the
state machine in an illegal state and lead to a crash like the
following.

  kernel BUG at drivers/ata/libata-sff.c:1302!
  invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
  Modules linked in:
  CPU: 1 PID: 10679 Comm: syz-executor Not tainted 4.5.0-rc1+ #300
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  task: ffff88002bd00000 ti: ffff88002e048000 task.ti: ffff88002e048000
  RIP: 0010:[&lt;ffffffff83a83409&gt;]  [&lt;ffffffff83a83409&gt;] ata_sff_hsm_move+0x619/0x1c60
  ...
  Call Trace:
   &lt;IRQ&gt;
   [&lt;ffffffff83a84c31&gt;] __ata_sff_port_intr+0x1e1/0x3a0 drivers/ata/libata-sff.c:1584
   [&lt;ffffffff83a85611&gt;] ata_bmdma_port_intr+0x71/0x400 drivers/ata/libata-sff.c:2877
   [&lt;     inline     &gt;] __ata_sff_interrupt drivers/ata/libata-sff.c:1629
   [&lt;ffffffff83a85bf3&gt;] ata_bmdma_interrupt+0x253/0x580 drivers/ata/libata-sff.c:2902
   [&lt;ffffffff81479f98&gt;] handle_irq_event_percpu+0x108/0x7e0 kernel/irq/handle.c:157
   [&lt;ffffffff8147a717&gt;] handle_irq_event+0xa7/0x140 kernel/irq/handle.c:205
   [&lt;ffffffff81484573&gt;] handle_edge_irq+0x1e3/0x8d0 kernel/irq/chip.c:623
   [&lt;     inline     &gt;] generic_handle_irq_desc include/linux/irqdesc.h:146
   [&lt;ffffffff811a92bc&gt;] handle_irq+0x10c/0x2a0 arch/x86/kernel/irq_64.c:78
   [&lt;ffffffff811a7e4d&gt;] do_IRQ+0x7d/0x1a0 arch/x86/kernel/irq.c:240
   [&lt;ffffffff86653d4c&gt;] common_interrupt+0x8c/0x8c arch/x86/entry/entry_64.S:520
   &lt;EOI&gt;
   [&lt;     inline     &gt;] rcu_lock_acquire include/linux/rcupdate.h:490
   [&lt;     inline     &gt;] rcu_read_lock include/linux/rcupdate.h:874
   [&lt;ffffffff8164b4a1&gt;] filemap_map_pages+0x131/0xba0 mm/filemap.c:2145
   [&lt;     inline     &gt;] do_fault_around mm/memory.c:2943
   [&lt;     inline     &gt;] do_read_fault mm/memory.c:2962
   [&lt;     inline     &gt;] do_fault mm/memory.c:3133
   [&lt;     inline     &gt;] handle_pte_fault mm/memory.c:3308
   [&lt;     inline     &gt;] __handle_mm_fault mm/memory.c:3418
   [&lt;ffffffff816efb16&gt;] handle_mm_fault+0x2516/0x49a0 mm/memory.c:3447
   [&lt;ffffffff8127dc16&gt;] __do_page_fault+0x376/0x960 arch/x86/mm/fault.c:1238
   [&lt;ffffffff8127e358&gt;] trace_do_page_fault+0xe8/0x420 arch/x86/mm/fault.c:1331
   [&lt;ffffffff8126f514&gt;] do_async_page_fault+0x14/0xd0 arch/x86/kernel/kvm.c:264
   [&lt;ffffffff86655578&gt;] async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:986

Fix it by ensuring that the polling path is holding the host lock
before entering ata_sff_hsm_move() so that all hardware accesses and
state updates are performed under the host lock.

Signed-off-by: Tejun Heo &lt;tj@kernel.org&gt;
Reported-and-tested-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Link: http://lkml.kernel.org/g/CACT4Y+b_JsOxJu2EZyEf+mOXORc_zid5V1-pLZSroJVxyWdSpw@mail.gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
