<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/s390/block, branch v4.19.39</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.39</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.39'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2019-03-23T19:09:42+00:00</updated>
<entry>
<title>s390/dasd: fix using offset into zero size array error</title>
<updated>2019-03-23T19:09:42+00:00</updated>
<author>
<name>Stefan Haberland</name>
<email>sth@linux.ibm.com</email>
</author>
<published>2018-11-21T11:39:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=98a137cd0484efc07318d6710e1990c939c78af6'/>
<id>urn:sha1:98a137cd0484efc07318d6710e1990c939c78af6</id>
<content type='text'>
[ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ]

Dan Carpenter reported the following:

The patch 52898025cf7d: "[S390] dasd: security and PSF update patch
for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
checker warning:

	drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
	error: using offset into zero size array 'psf_data[]'

drivers/s390/block/dasd_eckd.c
  4458          /* Copy parms from caller */
  4459          rc = -EFAULT;
  4460          if (copy_from_user(&amp;usrparm, argp, sizeof(usrparm)))
                                    ^^^^^^^
The user can specify any "usrparm.psf_data_len".  They choose zero by
mistake.

  4461                  goto out;
  4462          if (is_compat_task()) {
  4463                  /* Make sure pointers are sane even on 31 bit. */
  4464                  rc = -EINVAL;
  4465                  if ((usrparm.psf_data &gt;&gt; 32) != 0)
  4466                          goto out;
  4467                  if ((usrparm.rssd_result &gt;&gt; 32) != 0)
  4468                          goto out;
  4469                  usrparm.psf_data &amp;= 0x7fffffffULL;
  4470                  usrparm.rssd_result &amp;= 0x7fffffffULL;
  4471          }
  4472          /* alloc I/O data area */
  4473          psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
  			   				 | GFP_DMA);
  4474          rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
							       | GFP_DMA);
  4475          if (!psf_data || !rssd_result) {

kzalloc() returns a ZERO_SIZE_PTR (0x16).

  4476                  rc = -ENOMEM;
  4477                  goto out_free;
  4478          }
  4479
  4480          /* get syscall header from user space */
  4481          rc = -EFAULT;
  4482          if (copy_from_user(psf_data,
  4483                             (void __user *)(unsigned long)
  				   	 		 usrparm.psf_data,
  4484                             usrparm.psf_data_len))

That all works great.

  4485                  goto out_free;
  4486          psf0 = psf_data[0];
  4487          psf1 = psf_data[1];

But now we're assuming that "-&gt;psf_data_len" was at least 2 bytes.

Fix this by checking the user specified length psf_data_len.

Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Stefan Haberland &lt;sth@linux.ibm.com&gt;
Signed-off-by: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'libnvdimm-for-4.19_misc' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm</title>
<updated>2018-08-26T01:13:10+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-08-26T01:13:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=828bf6e904eb8fc8969333568802689fbbf07a40'/>
<id>urn:sha1:828bf6e904eb8fc8969333568802689fbbf07a40</id>
<content type='text'>
Pull libnvdimm updates from Dave Jiang:
 "Collection of misc libnvdimm patches for 4.19 submission:

   - Adding support to read locked nvdimm capacity.

   - Change test code to make DSM failure code injection an override.

   - Add support for calculating the maximum contiguous area for a namespace.

   - Add support for queueing a short ARS when there is an ongoing ARS for
     nvdimm.

   - Allow NULL to be passed in to -&gt;direct_access() for kaddr and pfn
     params.

   - Improve smart injection support for nvdimm emulation testing.

   - Fix test code that supports emulating controller temperature.

   - Fix hang on error before devm_memremap_pages()

   - Fix a bug that causes user memory corruption when data returned to
     user for ars_status.

   - Maintainer updates for Ross Zwisler emails and adding Jan Kara to
     fsdax"

* tag 'libnvdimm-for-4.19_misc' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm:
  libnvdimm: fix ars_status output length calculation
  device-dax: avoid hang on error before devm_memremap_pages()
  tools/testing/nvdimm: improve emulation of smart injection
  filesystem-dax: Do not request kaddr and pfn when not required
  md/dm-writecache: Don't request pointer dummy_addr when not required
  dax/super: Do not request a pointer kaddr when not required
  tools/testing/nvdimm: kaddr and pfn can be NULL to -&gt;direct_access()
  s390, dcssblk: kaddr and pfn can be NULL to -&gt;direct_access()
  libnvdimm, pmem: kaddr and pfn can be NULL to -&gt;direct_access()
  acpi/nfit: queue issuing of ars when an uc error notification comes in
  libnvdimm: Export max available extent
  libnvdimm: Use max contiguous area for namespace size
  MAINTAINERS: Add Jan Kara for filesystem DAX
  MAINTAINERS: update Ross Zwisler's email address
  tools/testing/nvdimm: Fix support for emulating controller temperature
  tools/testing/nvdimm: Make DSM failure code injection an override
  acpi, nfit: Prefer _DSM over _LSR for namespace label reads
  libnvdimm: Introduce locked DIMM capacity support
</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux</title>
<updated>2018-08-14T02:07:17+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2018-08-14T02:07:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=85a0b791bc17f7a49280b33e2905d109c062a47b'/>
<id>urn:sha1:85a0b791bc17f7a49280b33e2905d109c062a47b</id>
<content type='text'>
Pull s390 updates from Heiko Carstens:
 "Since Martin is on vacation you get the s390 pull request from me:

   - Host large page support for KVM guests. As the patches have large
     impact on arch/s390/mm/ this series goes out via both the KVM and
     the s390 tree.

   - Add an option for no compression to the "Kernel compression mode"
     menu, this will come in handy with the rework of the early boot
     code.

   - A large rework of the early boot code that will make life easier
     for KASAN and KASLR. With the rework the bootable uncompressed
     image is not generated anymore, only the bzImage is available. For
     debugging purposes the new "no compression" option is used.

   - Re-enable the gcc plugins as the issue with the latent entropy
     plugin is solved with the early boot code rework.

   - More spectre related changes:
      + Detect the etoken facility and remove expolines automatically.
      + Add expolines to a few more indirect branches.

   - A rewrite of the common I/O layer trace points to make them
     consumable by 'perf stat'.

   - Add support for format-3 PCI function measurement blocks.

   - Changes for the zcrypt driver:
      + Add attributes to indicate the load of cards and queues.
      + Restructure some code for the upcoming AP device support in KVM.

   - Build flags improvements in various Makefiles.

   - A few fixes for the kdump support.

   - A couple of patches for gcc 8 compile warning cleanup.

   - Cleanup s390 specific proc handlers.

   - Add s390 support to the restartable sequence self tests.

   - Some PTR_RET vs PTR_ERR_OR_ZERO cleanup.

   - Lots of bug fixes"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: (107 commits)
  s390/dasd: fix hanging offline processing due to canceled worker
  s390/dasd: fix panic for failed online processing
  s390/mm: fix addressing exception after suspend/resume
  rseq/selftests: add s390 support
  s390: fix br_r1_trampoline for machines without exrl
  s390/lib: use expoline for all bcr instructions
  s390/numa: move initial setup of node_to_cpumask_map
  s390/kdump: Fix elfcorehdr size calculation
  s390/cpum_sf: save TOD clock base in SDBs for time conversion
  KVM: s390: Add huge page enablement control
  s390/mm: Add huge page gmap linking support
  s390/mm: hugetlb pages within a gmap can not be freed
  KVM: s390: Add skey emulation fault handling
  s390/mm: Add huge pmd storage key handling
  s390/mm: Clear skeys for newly mapped huge guest pmds
  s390/mm: Clear huge page storage keys on enable_skey
  s390/mm: Add huge page dirty sync support
  s390/mm: Add gmap pmd invalidation and clearing
  s390/mm: Add gmap pmd notification bit setting
  s390/mm: Add gmap pmd linking
  ...
</content>
</entry>
<entry>
<title>s390/dasd: fix hanging offline processing due to canceled worker</title>
<updated>2018-08-09T10:49:32+00:00</updated>
<author>
<name>Stefan Haberland</name>
<email>sth@linux.ibm.com</email>
</author>
<published>2018-07-25T12:00:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=669f3765b755fd8739ab46ce3a9c6292ce8b3d2a'/>
<id>urn:sha1:669f3765b755fd8739ab46ce3a9c6292ce8b3d2a</id>
<content type='text'>
During offline processing two worker threads are canceled without
freeing the device reference which leads to a hanging offline process.

Reviewed-by: Jan Hoeppner &lt;hoeppner@linux.ibm.com&gt;
Signed-off-by: Stefan Haberland &lt;sth@linux.ibm.com&gt;
Signed-off-by: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/dasd: fix panic for failed online processing</title>
<updated>2018-08-09T10:49:30+00:00</updated>
<author>
<name>Stefan Haberland</name>
<email>sth@linux.ibm.com</email>
</author>
<published>2018-07-25T11:27:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7c6553d4db03350dad0110c3224194c19df76a8f'/>
<id>urn:sha1:7c6553d4db03350dad0110c3224194c19df76a8f</id>
<content type='text'>
Fix a panic that occurs for a device that got an error in
dasd_eckd_check_characteristics() during online processing.
For example the read configuration data command may have failed.

If this error occurs the device is not being set online and the earlier
invoked steps during online processing are rolled back. Therefore
dasd_eckd_uncheck_device() is called which needs a valid private
structure. But this pointer is not valid if
dasd_eckd_check_characteristics() has failed.

Check for a valid device-&gt;private pointer to prevent a panic.

Reviewed-by: Jan Hoeppner &lt;hoeppner@linux.ibm.com&gt;
Signed-off-by: Stefan Haberland &lt;sth@linux.ibm.com&gt;
Signed-off-by: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390, dcssblk: kaddr and pfn can be NULL to -&gt;direct_access()</title>
<updated>2018-07-30T16:33:03+00:00</updated>
<author>
<name>Huaisheng Ye</name>
<email>yehs1@lenovo.com</email>
</author>
<published>2018-07-30T07:15:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=036a82ca90328960d66b7a5c0e1908475d534d62'/>
<id>urn:sha1:036a82ca90328960d66b7a5c0e1908475d534d62</id>
<content type='text'>
dcssblk_direct_access() needs to check the validity of pointers kaddr
and pfn for NULL assignment. If either equals NULL, it doesn't need
to calculate the value.

If either of them is equal to NULL, that is to say callers may
have no need for kaddr or pfn, so this patch is prepared for allowing
them to pass in NULL instead of having to pass in a pointer or local
variable that they then just throw away.

Signed-off-by: Huaisheng Ye &lt;yehs1@lenovo.com&gt;
Reviewed-by: Ross Zwisler &lt;ross.zwisler@linux.intel.com&gt;
Acked-by: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
Signed-off-by: Dave Jiang &lt;dave.jianig@intel.com&gt;
</content>
</entry>
<entry>
<title>s390/dasd: replace PTR_RET with PTR_ERR_OR_ZERO</title>
<updated>2018-07-19T14:37:34+00:00</updated>
<author>
<name>Gustavo A. R. Silva</name>
<email>gustavo@embeddedor.com</email>
</author>
<published>2018-07-19T04:50:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=757853ea19755c24609e122268145527b541a4d4'/>
<id>urn:sha1:757853ea19755c24609e122268145527b541a4d4</id>
<content type='text'>
PTR_RET is deprecated, use PTR_ERR_OR_ZERO instead.

Signed-off-by: Gustavo A. R. Silva &lt;gustavo@embeddedor.com&gt;
Signed-off-by: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/dasd: fix cast-function-type warnings</title>
<updated>2018-07-04T06:35:59+00:00</updated>
<author>
<name>Sebastian Ott</name>
<email>sebott@linux.ibm.com</email>
</author>
<published>2018-07-03T11:06:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d2f2df69885d0548ed5c0ba8fa2751497ba62352'/>
<id>urn:sha1:d2f2df69885d0548ed5c0ba8fa2751497ba62352</id>
<content type='text'>
Change the tasklets parameter type to fix W=1 warnings when building
with gcc 8 like below:

drivers/s390/block/dasd.c: In function 'dasd_alloc_device':
drivers/s390/block/dasd.c:129:8: warning: cast between incompatible function types
from 'void (*)(struct dasd_device *)' to 'void (*)(long unsigned int)' [-Wcast-function-type]
        (void (*)(unsigned long)) dasd_device_tasklet,
        ^

Signed-off-by: Sebastian Ott &lt;sebott@linux.ibm.com&gt;
Acked-by: Jan Höppner &lt;hoeppner@linux.ibm.com&gt;
Signed-off-by: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/dasd: fix gcc 8 stringop-truncation warning</title>
<updated>2018-07-02T09:24:53+00:00</updated>
<author>
<name>Vasily Gorbik</name>
<email>gor@linux.ibm.com</email>
</author>
<published>2018-06-17T10:18:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4e0f5e916f7f4623b312e4fcf9f9fe45c4bea290'/>
<id>urn:sha1:4e0f5e916f7f4623b312e4fcf9f9fe45c4bea290</id>
<content type='text'>
drivers/s390/block/dasd_alias.c:711:2: warning: 'strncpy' output truncated
before terminating nul copying 4 bytes from a string of the same length
[-Wstringop-truncation]
  strncpy((char *) &amp;cqr-&gt;magic, "ECKD", 4);

Replace strncpy to int as a buffer with memcpy.

Acked-by: Stefan Haberland &lt;sth@linux.ibm.com&gt;
Reviewed-by: Heiko Carstens &lt;heiko.carstens@de.ibm.com&gt;
Signed-off-by: Vasily Gorbik &lt;gor@linux.ibm.com&gt;
Signed-off-by: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
</content>
</entry>
<entry>
<title>s390/dasd,zfcp: fix gcc 8 stringop-truncation warnings</title>
<updated>2018-07-02T09:24:52+00:00</updated>
<author>
<name>Vasily Gorbik</name>
<email>gor@linux.ibm.com</email>
</author>
<published>2018-06-17T09:56:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c6756b7d0c5d57233c985dd1e50ce7b33a15ce6b'/>
<id>urn:sha1:c6756b7d0c5d57233c985dd1e50ce7b33a15ce6b</id>
<content type='text'>
ccw "busid" should always be NUL-terminated, as evident from e.g.
get_ccwdev_by_busid doing "return (strcmp(bus_id, dev_name(dev)) == 0)".

Replace all strncpy initializing busid with strlcpy. This fixes the
following gcc 8 warnings:

drivers/s390/scsi/zfcp_aux.c:104:2: warning: 'strncpy' specified bound 20
equals destination size [-Wstringop-truncation]
  strncpy(busid, token, ZFCP_BUS_ID_SIZE);

drivers/s390/block/dasd_eer.c:316:2: warning: 'strncpy' specified bound 10
equals destination size [-Wstringop-truncation]
  strncpy(header.busid, dev_name(&amp;device-&gt;cdev-&gt;dev), DASD_EER_BUSID_SIZE);

drivers/s390/block/dasd_eer.c:359:2: warning: 'strncpy' specified bound 10
equals destination size [-Wstringop-truncation]
  strncpy(header.busid, dev_name(&amp;device-&gt;cdev-&gt;dev), DASD_EER_BUSID_SIZE);

drivers/s390/block/dasd_devmap.c:429:3: warning: 'strncpy' specified bound
20 equals destination size [-Wstringop-truncation]
   strncpy(new-&gt;bus_id, bus_id, DASD_BUS_ID_SIZE);

Acked-by: Stefan Haberland &lt;sth@linux.ibm.com&gt;
Acked-by: Steffen Maier &lt;maier@linux.ibm.com&gt;
Reviewed-by: Heiko Carstens &lt;heiko.carstens@de.ibm.com&gt;
Signed-off-by: Vasily Gorbik &lt;gor@linux.ibm.com&gt;
Signed-off-by: Martin Schwidefsky &lt;schwidefsky@de.ibm.com&gt;
</content>
</entry>
</feed>
