May 2019 - Linux-stable-mirror

stable-rc/linux-5.0.y boot: 139 boots: 0 failed, 135 passed with 1 offline, 2 untried/unknown, 1 conflict (v5.0.16-105-gcedd923508e9)

by kernelci.org bot

stable-rc/linux-5.0.y boot: 139 boots: 0 failed, 135 passed with 1 offline, 2 untried/unknown, 1 conflict (v5.0.16-105-gcedd923508e9) Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-5.0.y/kernel/v5.0.… Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-5.0.y/kernel/v5.0.16-105-… Tree: stable-rc Branch: linux-5.0.y Git Describe: v5.0.16-105-gcedd923508e9 Git Commit: cedd923508e9e753fdc8b237f2344eea4a84fb57 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Tested: 74 unique boards, 23 SoC families, 14 builds out of 208 Boot Regressions Detected: arm: multi_v7_defconfig: gcc-8: omap4-panda: lab-baylibre: new failure (last pass: v5.0.15-106-gfaddc6604ec4) Offline Platforms: arm: multi_v7_defconfig: gcc-8 stih410-b2120: 1 offline lab Conflicting Boot Failure Detected: (These likely are not failures as other labs are reporting PASS. Needs review.) arm: multi_v7_defconfig: omap4-panda: lab-baylibre: FAIL (gcc-8) lab-baylibre-seattle: PASS (gcc-8) --- For more info write to <info(a)kernelci.org>

5 years, 9 months

1
0
0 0

[PATCH 1/9] ARC: mm: SIGSEGV userspace trying to access kernel virtual memory

by Vineet Gupta

From: Eugeniy Paltsev <Eugeniy.Paltsev(a)synopsys.com> As of today if userspace process tries to access a kernel virtual addres (0x7000_0000 to 0x7ffff_ffff) such that a legit kernel mapping already exists, that process hangs instead of being killed with SIGSEGV Fix that by ensuring that do_page_fault() handles kenrel vaddr only if in kernel mode. And given this, we can also simplify the code a bit. Now a vmalloc fault implies kernel mode so its failure (for some reason) can reuse the @no_context label and we can remove @bad_area_nosemaphore. Reproduce user test for original problem: ------------------------>8----------------- #include <stdlib.h> #include <stdint.h> int main(int argc, char *argv[]) { volatile uint32_t temp; temp = *(uint32_t *)(0x70000000); } ------------------------>8----------------- Cc: <stable(a)vger.kernel.org> Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev(a)synopsys.com> Signed-off-by: Vineet Gupta <vgupta(a)synopsys.com> --- arch/arc/mm/fault.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/arch/arc/mm/fault.c b/arch/arc/mm/fault.c index 8df1638259f3..6836095251ed 100644 --- a/arch/arc/mm/fault.c +++ b/arch/arc/mm/fault.c @@ -66,7 +66,7 @@ void do_page_fault(unsigned long address, struct pt_regs *regs) struct vm_area_struct *vma = NULL; struct task_struct *tsk = current; struct mm_struct *mm = tsk->mm; - int si_code = 0; + int si_code = SEGV_MAPERR; int ret; vm_fault_t fault; int write = regs->ecr_cause & ECR_C_PROTV_STORE; /* ST/EX */ @@ -81,16 +81,14 @@ void do_page_fault(unsigned long address, struct pt_regs *regs) * only copy the information from the master page table, * nothing more. */ - if (address >= VMALLOC_START) { + if (address >= VMALLOC_START && !user_mode(regs)) { ret = handle_kernel_vaddr_fault(address); if (unlikely(ret)) - goto bad_area_nosemaphore; + goto no_context; else return; } - si_code = SEGV_MAPERR; - /* * If we're in an interrupt or have no user * context, we must not take the fault.. @@ -198,7 +196,6 @@ void do_page_fault(unsigned long address, struct pt_regs *regs) bad_area: up_read(&mm->mmap_sem); -bad_area_nosemaphore: /* User mode accesses just cause a SIGSEGV */ if (user_mode(regs)) { tsk->thread.fault_address = address; -- 2.7.4

5 years, 9 months

1
0
0 0

stable-rc/linux-4.14.y boot: 127 boots: 1 failed, 119 passed with 5 offline, 2 conflicts (v4.14.119-98-g8d3df192fd69)

by kernelci.org bot

stable-rc/linux-4.14.y boot: 127 boots: 1 failed, 119 passed with 5 offline, 2 conflicts (v4.14.119-98-g8d3df192fd69) Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.14.y/kernel/v4.1… Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.14.y/kernel/v4.14.119-9… Tree: stable-rc Branch: linux-4.14.y Git Describe: v4.14.119-98-g8d3df192fd69 Git Commit: 8d3df192fd693f418413a618e212fdda602f473f Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Tested: 64 unique boards, 23 SoC families, 14 builds out of 201 Boot Regressions Detected: arm: omap2plus_defconfig: gcc-8: omap4-panda: lab-baylibre: failing since 3 days (last pass: v4.14.117-43-gfd7dbc6d8090 - first fail: v4.14.118) Boot Failure Detected: arm64: defconfig: gcc-8: rk3399-firefly: 1 failed lab Offline Platforms: arm: tegra_defconfig: gcc-8 tegra20-iris-512: 1 offline lab exynos_defconfig: gcc-8 exynos5800-peach-pi: 1 offline lab multi_v7_defconfig: gcc-8 exynos5800-peach-pi: 1 offline lab stih410-b2120: 1 offline lab tegra20-iris-512: 1 offline lab Conflicting Boot Failures Detected: (These likely are not failures as other labs are reporting PASS. Needs review.) arm: omap2plus_defconfig: omap4-panda: lab-baylibre: FAIL (gcc-8) lab-baylibre-seattle: PASS (gcc-8) davinci_all_defconfig: da850-lcdk: lab-baylibre: PASS (gcc-8) lab-baylibre-seattle: FAIL (gcc-8) --- For more info write to <info(a)kernelci.org>

5 years, 9 months

1
0
0 0

stable/linux-5.0.y boot: 68 boots: 1 failed, 67 passed (v5.0.16)

by kernelci.org bot

stable/linux-5.0.y boot: 68 boots: 1 failed, 67 passed (v5.0.16) Full Boot Summary: https://kernelci.org/boot/all/job/stable/branch/linux-5.0.y/kernel/v5.0.16/ Full Build Summary: https://kernelci.org/build/stable/branch/linux-5.0.y/kernel/v5.0.16/ Tree: stable Branch: linux-5.0.y Git Describe: v5.0.16 Git Commit: 89e11ec0280be9132b81e4cba5ea6c10a8012038 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git Tested: 35 unique boards, 15 SoC families, 11 builds out of 208 Boot Regressions Detected: arm: omap2plus_defconfig: gcc-8: omap4-panda: lab-baylibre: failing since 3 days (last pass: v5.0.14 - first fail: v5.0.15) Boot Failure Detected: arm: omap2plus_defconfig: gcc-8: omap4-panda: 1 failed lab --- For more info write to <info(a)kernelci.org>

5 years, 9 months

1
0
0 0

stable/linux-4.19.y boot: 66 boots: 2 failed, 64 passed (v4.19.43)

by kernelci.org bot

stable/linux-4.19.y boot: 66 boots: 2 failed, 64 passed (v4.19.43) Full Boot Summary: https://kernelci.org/boot/all/job/stable/branch/linux-4.19.y/kernel/v4.19.4… Full Build Summary: https://kernelci.org/build/stable/branch/linux-4.19.y/kernel/v4.19.43/ Tree: stable Branch: linux-4.19.y Git Describe: v4.19.43 Git Commit: 3351e9d39947881910230a73be77e6f29ab8b72e Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git Tested: 34 unique boards, 15 SoC families, 11 builds out of 206 Boot Regressions Detected: arm: multi_v7_defconfig: gcc-8: omap3-beagle-xm: lab-baylibre: new failure (last pass: v4.19.42) omap4-panda: lab-baylibre: failing since 3 days (last pass: v4.19.41 - first fail: v4.19.42) Boot Failures Detected: arm: multi_v7_defconfig: gcc-8: omap3-beagle-xm: 1 failed lab omap4-panda: 1 failed lab --- For more info write to <info(a)kernelci.org>

5 years, 9 months

1
0
0 0

stable/linux-4.14.y boot: 62 boots: 1 failed, 59 passed with 2 untried/unknown (v4.14.119)

by kernelci.org bot

stable/linux-4.14.y boot: 62 boots: 1 failed, 59 passed with 2 untried/unknown (v4.14.119) Full Boot Summary: https://kernelci.org/boot/all/job/stable/branch/linux-4.14.y/kernel/v4.14.1… Full Build Summary: https://kernelci.org/build/stable/branch/linux-4.14.y/kernel/v4.14.119/ Tree: stable Branch: linux-4.14.y Git Describe: v4.14.119 Git Commit: 2af67d29b6fec54b86bcdb3e0a616640eeea5302 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git Tested: 30 unique boards, 15 SoC families, 11 builds out of 201 Boot Regressions Detected: arm: multi_v7_defconfig: gcc-8: omap4-panda: lab-baylibre: new failure (last pass: v4.14.118) Boot Failure Detected: arm: multi_v7_defconfig: gcc-8: omap4-panda: 1 failed lab --- For more info write to <info(a)kernelci.org>

5 years, 9 months

1
0
0 0

[patch 122/126] drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl

by akpm＠linux-foundation.org

From: Dan Carpenter <dan.carpenter(a)oracle.com> Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl The "param.count" value is a u64 thatcomes from the user. The code later in the function assumes that param.count is at least one and if it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR. Also the addition can have an integer overflow which would lead us to allocate a smaller "pages" array than required. I can't immediately tell what the possible run times implications are, but it's safest to prevent the overflow. Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Timur Tabi <timur(a)freescale.com> Cc: Mihai Caraman <mihai.caraman(a)freescale.com> Cc: Kumar Gala <galak(a)kernel.crashing.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/virt/fsl_hypervisor.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/virt/fsl_hypervisor.c~fsl_hypervisor-prevent-integer-overflow-in-ioctl +++ a/drivers/virt/fsl_hypervisor.c @@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i * hypervisor. */ lb_offset = param.local_vaddr & (PAGE_SIZE - 1); + if (param.count == 0 || + param.count > U64_MAX - lb_offset - PAGE_SIZE + 1) + return -EINVAL; num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT; /* Allocate the buffers we need */ _

5 years, 9 months

1
0
0 0

[patch 121/126] drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl

by akpm＠linux-foundation.org

From: Dan Carpenter <dan.carpenter(a)oracle.com> Subject: drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl strndup_user() returns error pointers on error, and then in the error handling we pass the error pointers to kfree(). It will cause an Oops. Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Timur Tabi <timur(a)freescale.com> Cc: Mihai Caraman <mihai.caraman(a)freescale.com> Cc: Kumar Gala <galak(a)kernel.crashing.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/virt/fsl_hypervisor.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) --- a/drivers/virt/fsl_hypervisor.c~fsl_hypervisor-dereferencing-error-pointers-in-ioctl +++ a/drivers/virt/fsl_hypervisor.c @@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_i struct fsl_hv_ioctl_prop param; char __user *upath, *upropname; void __user *upropval; - char *path = NULL, *propname = NULL; - void *propval = NULL; + char *path, *propname; + void *propval; int ret = 0; /* Get the parameters from the user. */ @@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_i upropval = (void __user *)(uintptr_t)param.propval; path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN); - if (IS_ERR(path)) { - ret = PTR_ERR(path); - goto out; - } + if (IS_ERR(path)) + return PTR_ERR(path); propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN); if (IS_ERR(propname)) { ret = PTR_ERR(propname); - goto out; + goto err_free_path; } if (param.proplen > FH_DTPROP_MAX_PROPLEN) { ret = -EINVAL; - goto out; + goto err_free_propname; } propval = kmalloc(param.proplen, GFP_KERNEL); if (!propval) { ret = -ENOMEM; - goto out; + goto err_free_propname; } if (set) { if (copy_from_user(propval, upropval, param.proplen)) { ret = -EFAULT; - goto out; + goto err_free_propval; } param.ret = fh_partition_set_dtprop(param.handle, @@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_i if (copy_to_user(upropval, propval, param.proplen) || put_user(param.proplen, &p->proplen)) { ret = -EFAULT; - goto out; + goto err_free_propval; } } } @@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_i if (put_user(param.ret, &p->ret)) ret = -EFAULT; -out: - kfree(path); +err_free_propval: kfree(propval); +err_free_propname: kfree(propname); +err_free_path: + kfree(path); return ret; } _

5 years, 9 months

1
0
0 0

stable-rc/linux-4.19.y boot: 131 boots: 0 failed, 127 passed with 2 offline, 1 untried/unknown, 1 conflict (v4.19.43)

by kernelci.org bot

stable-rc/linux-4.19.y boot: 131 boots: 0 failed, 127 passed with 2 offline, 1 untried/unknown, 1 conflict (v4.19.43) Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.19.y/kernel/v4.1… Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.19.y/kernel/v4.19.43/ Tree: stable-rc Branch: linux-4.19.y Git Describe: v4.19.43 Git Commit: 3351e9d39947881910230a73be77e6f29ab8b72e Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Tested: 68 unique boards, 23 SoC families, 14 builds out of 206 Boot Regressions Detected: arm: omap2plus_defconfig: gcc-8: omap4-panda: lab-baylibre: new failure (last pass: v4.19.42-86-gc8e3be30c4b6) Offline Platforms: arm: exynos_defconfig: gcc-8 exynos5800-peach-pi: 1 offline lab multi_v7_defconfig: gcc-8 stih410-b2120: 1 offline lab Conflicting Boot Failure Detected: (These likely are not failures as other labs are reporting PASS. Needs review.) arm: omap2plus_defconfig: omap4-panda: lab-baylibre: FAIL (gcc-8) lab-baylibre-seattle: PASS (gcc-8) --- For more info write to <info(a)kernelci.org>

5 years, 9 months

1
0
0 0

[patch 002/126] userfaultfd: use RCU to free the task struct when fork fails

by akpm＠linux-foundation.org

From: Andrea Arcangeli <aarcange(a)redhat.com> Subject: userfaultfd: use RCU to free the task struct when fork fails The task structure is freed while get_mem_cgroup_from_mm() holds rcu_read_lock() and dereferences mm->owner. get_mem_cgroup_from_mm() failing fork() ---- --- task = mm->owner mm->owner = NULL; free(task) if (task) *task; /* use after free */ The fix consists in freeing the task with RCU also in the fork failure case, exactly like it always happens for the regular exit(2) path. That is enough to make the rcu_read_lock hold in get_mem_cgroup_from_mm() (left side above) effective to avoid a use after free when dereferencing the task structure. An alternate possible fix would be to defer the delivery of the userfaultfd contexts to the monitor until after fork() is guaranteed to succeed. Such a change would require more changes because it would create a strict ordering dependency where the uffd methods would need to be called beyond the last potentially failing branch in order to be safe. This solution as opposed only adds the dependency to common code to set mm->owner to NULL and to free the task struct that was pointed by mm->owner with RCU, if fork ends up failing. The userfaultfd methods can still be called anywhere during the fork runtime and the monitor will keep discarding orphaned "mm" coming from failed forks in userland. This race condition couldn't trigger if CONFIG_MEMCG was set =n at build time. [aarcange(a)redhat.com: improve changelog, reduce #ifdefs per Michal] Link: http://lkml.kernel.org/r/20190429035752.4508-1-aarcange@redhat.com Link: http://lkml.kernel.org/r/20190325225636.11635-2-aarcange@redhat.com Fixes: 893e26e61d04 ("userfaultfd: non-cooperative: Add fork() event") Signed-off-by: Andrea Arcangeli <aarcange(a)redhat.com> Tested-by: zhong jiang <zhongjiang(a)huawei.com> Reported-by: syzbot+cbb52e396df3e565ab02(a)syzkaller.appspotmail.com Cc: Oleg Nesterov <oleg(a)redhat.com> Cc: Jann Horn <jannh(a)google.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Mike Rapoport <rppt(a)linux.vnet.ibm.com> Cc: Mike Kravetz <mike.kravetz(a)oracle.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)mellanox.com> Cc: "Kirill A . Shutemov" <kirill.shutemov(a)linux.intel.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: zhong jiang <zhongjiang(a)huawei.com> Cc: syzbot+cbb52e396df3e565ab02(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/fork.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) --- a/kernel/fork.c~userfaultfd-use-rcu-to-free-the-task-struct-when-fork-fails +++ a/kernel/fork.c @@ -955,6 +955,15 @@ static void mm_init_aio(struct mm_struct #endif } +static __always_inline void mm_clear_owner(struct mm_struct *mm, + struct task_struct *p) +{ +#ifdef CONFIG_MEMCG + if (mm->owner == p) + WRITE_ONCE(mm->owner, NULL); +#endif +} + static void mm_init_owner(struct mm_struct *mm, struct task_struct *p) { #ifdef CONFIG_MEMCG @@ -1343,6 +1352,7 @@ static struct mm_struct *dup_mm(struct t free_pt: /* don't put binfmt in mmput, we haven't got module yet */ mm->binfmt = NULL; + mm_init_owner(mm, NULL); mmput(mm); fail_nomem: @@ -1726,6 +1736,21 @@ static int pidfd_create(struct pid *pid) return fd; } +static void __delayed_free_task(struct rcu_head *rhp) +{ + struct task_struct *tsk = container_of(rhp, struct task_struct, rcu); + + free_task(tsk); +} + +static __always_inline void delayed_free_task(struct task_struct *tsk) +{ + if (IS_ENABLED(CONFIG_MEMCG)) + call_rcu(&tsk->rcu, __delayed_free_task); + else + free_task(tsk); +} + /* * This creates a new process as a copy of the old one, * but does not actually start it yet. @@ -2233,8 +2258,10 @@ bad_fork_cleanup_io: bad_fork_cleanup_namespaces: exit_task_namespaces(p); bad_fork_cleanup_mm: - if (p->mm) + if (p->mm) { + mm_clear_owner(p->mm, p); mmput(p->mm); + } bad_fork_cleanup_signal: if (!(clone_flags & CLONE_THREAD)) free_signal_struct(p->signal); @@ -2265,7 +2292,7 @@ bad_fork_cleanup_count: bad_fork_free: p->state = TASK_DEAD; put_task_stack(p); - free_task(p); + delayed_free_task(p); fork_out: spin_lock_irq(&current->sighand->siglock); hlist_del_init(&delayed.node); _

5 years, 9 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2019