Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.19 2018-10-08T18:09:34Z 2018-10-08T18:09:34Z Kees Cook keescook@chromium.org 2018-10-08T15:46:51Z urn:sha1:ff5d1a42096cd96e70546c97d92f01d10cbddc2d In the quest to remove all stack VLA usage from the kernel[1], this moves the math for cookies calculation into macros and allocates a fixed size array for the maximum number of cookies and adds a runtime sanity check. (Note that the size was always fixed, but just hidden from the compiler.) [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Cc: Jens Axboe <axboe@kernel.dk> Cc: linux-block@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-09-29T21:52:14Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-09-29T21:52:14Z urn:sha1:291d0e5d81e101392379217b06251fe8c27f1f80 Jens writes: "Block fixes for 4.19-rc6 A set of fixes that should go into this release. This pull request contains: - A fix (hopefully) for the persistent grants for xen-blkfront. A previous fix from this series wasn't complete, hence reverted, and this one should hopefully be it. (Boris Ostrovsky) - Fix for an elevator drain warning with SMR devices, which is triggered when you switch schedulers (Damien) - bcache deadlock fix (Guoju Fang) - Fix for the block unplug tracepoint, which has had the timer/explicit flag reverted since 4.11 (Ilya) - Fix a regression in this series where the blk-mq timeout hook is invoked with the RCU read lock held, hence preventing it from blocking (Keith) - NVMe pull from Christoph, with a single multipath fix (Susobhan Dey)" * tag 'for-linus-20180929' of git://git.kernel.dk/linux-block: xen/blkfront: correct purging of persistent grants Revert "xen/blkfront: When purging persistent grants, keep them in the buffer" blk-mq: I/O and timer unplugs are inverted in blktrace bcache: add separate workqueue for journal_write to avoid deadlock xen/blkfront: When purging persistent grants, keep them in the buffer block: fix deadline elevator drain for zoned block devices blk-mq: Allow blocking queue tag iter callbacks nvme: properly propagate errors in nvme_mpath_init 2018-09-28T15:40:39Z Juergen Gross jgross@suse.com 2018-09-28T07:28:27Z urn:sha1:6c7678674014b4552caf0e5aa0ca34078a377482 Commit a46b53672b2c2e3770b38a4abf90d16364d2584b ("xen/blkfront: cleanup stale persistent grants") introduced a regression as purged persistent grants were not pu into the list of free grants again. Correct that. Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Signed-off-by: Juergen Gross <jgross@suse.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2018-09-28T15:40:17Z Jens Axboe axboe@kernel.dk 2018-09-28T15:40:17Z urn:sha1:15c206887603a452f13fbfde2db0f8830d37028c Fix didn't work for all cases, reverting to add a (hopefully) better fix. This reverts commit f151ba989d149bbdfc90e5405724bbea094f9b17. Signed-off-by: Jens Axboe <axboe@kernel.dk> 2018-09-27T14:26:38Z Boris Ostrovsky boris.ostrovsky@oracle.com 2018-09-22T19:55:49Z urn:sha1:f151ba989d149bbdfc90e5405724bbea094f9b17 Commit a46b53672b2c ("xen/blkfront: cleanup stale persistent grants") added support for purging persistent grants when they are not in use. As part of the purge, the grants were removed from the grant buffer, This eventually causes the buffer to become empty, with BUG_ON triggered in get_free_grant(). This can be observed even on an idle system, within 20-30 minutes. We should keep the grants in the buffer when purging, and only free the grant ref. Fixes: a46b53672b2c ("xen/blkfront: cleanup stale persistent grants") Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2018-09-21T07:41:05Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-09-21T07:41:05Z urn:sha1:211b100a5ceda9d1856a3f84334f9ca5f680b638 Jens writes: "Storage fixes for 4.19-rc5 - Fix for leaking kernel pointer in floppy ioctl (Andy Whitcroft) - NVMe pull request from Christoph, and a single ANA log page fix (Hannes) - Regression fix for libata qd32 support, where we trigger an illegal active command transition. This fixes a CD-ROM detection issue that was reported, but could also trigger premature completion of the internal tag (me)" * tag 'for-linus-20180920' of git://git.kernel.dk/linux-block: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl libata: mask swap internal and hardware tag nvme: count all ANA groups for ANA Log page 2018-09-20T15:09:48Z Andy Whitcroft apw@canonical.com 2018-09-20T15:09:48Z urn:sha1:65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e The final field of a floppy_struct is the field "name", which is a pointer to a string in kernel memory. The kernel pointer should not be copied to user memory. The FDGETPRM ioctl copies a floppy_struct to user memory, including this "name" field. This pointer cannot be used by the user and it will leak a kernel address to user-space, which will reveal the location of kernel code and data and undermine KASLR protection. Model this code after the compat ioctl which copies the returned data to a previously cleared temporary structure on the stack (excluding the name pointer) and copy out to userspace from there. As we already have an inparam union with an appropriate member and that memory is already cleared even for read only calls make use of that as a temporary store. Based on an initial patch by Brian Belleville. CVE-2018-7755 Signed-off-by: Andy Whitcroft <apw@canonical.com> Broke up long line. Signed-off-by: Jens Axboe <axboe@kernel.dk> 2018-09-14T05:16:11Z Linus Torvalds torvalds@linux-foundation.org 2018-09-14T05:16:11Z urn:sha1:4d8d9f540b780f7a3688a72275aecd8fd99c99e5 Pull block fixes from Jens Axboe: "Three fixes that should go into this series. This contains: - Increase number of policies supported by blk-cgroup. With blk-iolatency, we now have four in kernel, but we had a hard limit of three... - Fix regression in null_blk, where the zoned supported broke queue_mode=0 (bio based). - NVMe pull request, with a single fix for an issue in the rdma code" * tag 'for-linus-20180913' of git://git.kernel.dk/linux-block: null_blk: fix zoned support for non-rq based operation blk-cgroup: increase number of supported policies nvmet-rdma: fix possible bogus dereference under heavy load 2018-09-13T00:21:11Z Jens Axboe axboe@kernel.dk 2018-09-13T00:21:11Z urn:sha1:b228ba1cb95afbaeeb86cf06cd9fd6f6369c3b14 The supported added for zones in null_blk seem to assume that only rq based operation is possible. But this depends on the queue_mode setting, if this is set to 0, then cmd->bio is what we need to be operating on. Right now any attempt to load null_blk with queue_mode=0 will insta-crash, since cmd->rq is NULL and null_handle_cmd() assumes it to always be set. Make the zoned code deal with bio's instead, or pass in the appropriate sector/nr_sectors instead. Fixes: ca4b2a011948 ("null_blk: add zone support") Tested-by: Omar Sandoval <osandov@fb.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2018-09-07T17:57:59Z Linus Torvalds torvalds@linux-foundation.org 2018-09-07T17:57:59Z urn:sha1:a12ed06ba2d3fa60e08e7449fe0c1715de401395 Pull ceph fixes from Ilya Dryomov: "Two rbd patches to complete support for images within namespaces that went into -rc1 and a use-after-free fix. The rbd changes have been sitting in a branch for quite a while but couldn't be included into the -rc1 pull request because of a pending wire protocol backwards compatibility fixup that only got committed early this week" * tag 'ceph-for-4.19-rc3' of https://github.com/ceph/ceph-client: rbd: support cloning across namespaces rbd: factor out get_parent_info() ceph: avoid a use-after-free in ceph_destroy_options()