- Linux-stable-mirror - lists.linaro.org

Patch "net/smc: fix NULL pointer dereference on sock_create_kern() error path" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled net/smc: fix NULL pointer dereference on sock_create_kern() error path to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: net-smc-fix-null-pointer-dereference-on-sock_create_kern-error-path.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From a5dcb73b96a9d21431048bdaac02d9e96f386da3 Mon Sep 17 00:00:00 2001 From: Davide Caratti <dcaratti(a)redhat.com> Date: Wed, 28 Feb 2018 12:44:09 +0100 Subject: net/smc: fix NULL pointer dereference on sock_create_kern() error path From: Davide Caratti <dcaratti(a)redhat.com> commit a5dcb73b96a9d21431048bdaac02d9e96f386da3 upstream. when sock_create_kern(..., a) returns an error, 'a' might not be a valid pointer, so it shouldn't be dereferenced to read a->sk->sk_sndbuf and and a->sk->sk_rcvbuf; not doing that caused the following crash: general protection fault: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 4254 Comm: syzkaller919713 Not tainted 4.16.0-rc1+ #18 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:smc_create+0x14e/0x300 net/smc/af_smc.c:1410 RSP: 0018:ffff8801b06afbc8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffff8801b63457c0 RCX: ffffffff85a3e746 RDX: 0000000000000004 RSI: 00000000ffffffff RDI: 0000000000000020 RBP: ffff8801b06afbf0 R08: 00000000000007c0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff8801b6345c08 R14: 00000000ffffffe9 R15: ffffffff8695ced0 FS: 0000000001afb880(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000040 CR3: 00000001b0721004 CR4: 00000000001606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __sock_create+0x4d4/0x850 net/socket.c:1285 sock_create net/socket.c:1325 [inline] SYSC_socketpair net/socket.c:1409 [inline] SyS_socketpair+0x1c0/0x6f0 net/socket.c:1366 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x4404b9 RSP: 002b:00007fff44ab6908 EFLAGS: 00000246 ORIG_RAX: 0000000000000035 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004404b9 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000000002b RBP: 00007fff44ab6910 R08: 0000000000000002 R09: 00007fff44003031 R10: 0000000020000040 R11: 0000000000000246 R12: ffffffffffffffff R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000 Code: 48 c1 ea 03 80 3c 02 00 0f 85 b3 01 00 00 4c 8b a3 48 04 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 20 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 82 01 00 00 4d 8b 7c 24 20 48 b8 00 00 00 00 RIP: smc_create+0x14e/0x300 net/smc/af_smc.c:1410 RSP: ffff8801b06afbc8 Fixes: cd6851f30386 smc: remote memory buffers (RMBs) Reported-and-tested-by: syzbot+aa0227369be2dcc26ebe(a)syzkaller.appspotmail.com Signed-off-by: Davide Caratti <dcaratti(a)redhat.com> Signed-off-by: Ursula Braun <ubraun(a)linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/smc/af_smc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/smc/af_smc.c +++ b/net/smc/af_smc.c @@ -1351,8 +1351,10 @@ static int smc_create(struct net *net, s smc->use_fallback = false; /* assume rdma capability first */ rc = sock_create_kern(net, PF_INET, SOCK_STREAM, IPPROTO_TCP, &smc->clcsock); - if (rc) + if (rc) { sk_common_release(sk); + goto out; + } smc->sk.sk_sndbuf = max(smc->clcsock->sk->sk_sndbuf, SMC_BUF_MIN_SIZE); smc->sk.sk_rcvbuf = max(smc->clcsock->sk->sk_rcvbuf, SMC_BUF_MIN_SIZE); Patches currently in stable-queue which might be from dcaratti(a)redhat.com are queue-4.14/net-smc-fix-null-pointer-dereference-on-sock_create_kern-error-path.patch

7 years, 3 months

1
0
0 0

Patch "IB/uverbs: Improve lockdep_check" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled IB/uverbs: Improve lockdep_check to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: ib-uverbs-improve-lockdep_check.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 104f268d439b3c21c83708e52946a4d8d37f3d0f Mon Sep 17 00:00:00 2001 From: Jason Gunthorpe <jgg(a)mellanox.com> Date: Tue, 13 Feb 2018 12:18:38 +0200 Subject: IB/uverbs: Improve lockdep_check From: Jason Gunthorpe <jgg(a)mellanox.com> commit 104f268d439b3c21c83708e52946a4d8d37f3d0f upstream. This is really being used as an assert that the expected usecnt is being held and implicitly that the usecnt is valid. Rename it to assert_uverbs_usecnt and tighten the checks to only accept valid values of usecnt (eg 0 and < -1 are invalid). The tigher checkes make the assertion cover more cases and is more likely to find bugs via syzkaller/etc. Fixes: 3832125624b7 ("IB/core: Add support for idr types") Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Jason Gunthorpe <jgg(a)mellanox.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/infiniband/core/rdma_core.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- a/drivers/infiniband/core/rdma_core.c +++ b/drivers/infiniband/core/rdma_core.c @@ -407,13 +407,13 @@ static int __must_check remove_commit_fd return ret; } -static void lockdep_check(struct ib_uobject *uobj, bool exclusive) +static void assert_uverbs_usecnt(struct ib_uobject *uobj, bool exclusive) { #ifdef CONFIG_LOCKDEP if (exclusive) - WARN_ON(atomic_read(&uobj->usecnt) > 0); + WARN_ON(atomic_read(&uobj->usecnt) != -1); else - WARN_ON(atomic_read(&uobj->usecnt) == -1); + WARN_ON(atomic_read(&uobj->usecnt) <= 0); #endif } @@ -452,7 +452,7 @@ int __must_check rdma_remove_commit_uobj WARN(true, "ib_uverbs: Cleanup is running while removing an uobject\n"); return 0; } - lockdep_check(uobj, true); + assert_uverbs_usecnt(uobj, true); ret = _rdma_remove_commit_uobject(uobj, RDMA_REMOVE_DESTROY); up_read(&ucontext->cleanup_rwsem); @@ -482,7 +482,7 @@ int rdma_explicit_destroy(struct ib_uobj WARN(true, "ib_uverbs: Cleanup is running while removing an uobject\n"); return 0; } - lockdep_check(uobject, true); + assert_uverbs_usecnt(uobject, true); ret = uobject->type->type_class->remove_commit(uobject, RDMA_REMOVE_DESTROY); if (ret) @@ -569,7 +569,7 @@ static void lookup_put_fd_uobject(struct void rdma_lookup_put_uobject(struct ib_uobject *uobj, bool exclusive) { - lockdep_check(uobj, exclusive); + assert_uverbs_usecnt(uobj, exclusive); uobj->type->type_class->lookup_put(uobj, exclusive); /* * In order to unlock an object, either decrease its usecnt for Patches currently in stable-queue which might be from jgg(a)mellanox.com are queue-4.14/ib-uverbs-improve-lockdep_check.patch

7 years, 3 months

1
0
0 0

Patch "RDMA/mlx5: Fix integer overflow while resizing CQ" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled RDMA/mlx5: Fix integer overflow while resizing CQ to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 28e9091e3119933c38933cb8fc48d5618eb784c8 Mon Sep 17 00:00:00 2001 From: Leon Romanovsky <leonro(a)mellanox.com> Date: Wed, 7 Mar 2018 15:29:09 +0200 Subject: RDMA/mlx5: Fix integer overflow while resizing CQ From: Leon Romanovsky <leonro(a)mellanox.com> commit 28e9091e3119933c38933cb8fc48d5618eb784c8 upstream. The user can provide very large cqe_size which will cause to integer overflow as it can be seen in the following UBSAN warning: ======================================================================= UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53 signed integer overflow: 64870 * 65536 cannot be represented in type 'int' CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 Call Trace: dump_stack+0xde/0x164 ? dma_virt_map_sg+0x22c/0x22c ubsan_epilogue+0xe/0x81 handle_overflow+0x1f3/0x251 ? __ubsan_handle_negate_overflow+0x19b/0x19b ? lock_acquire+0x440/0x440 mlx5_ib_resize_cq+0x17e7/0x1e40 ? cyc2ns_read_end+0x10/0x10 ? native_read_msr_safe+0x6c/0x9b ? cyc2ns_read_end+0x10/0x10 ? mlx5_ib_modify_cq+0x220/0x220 ? sched_clock_cpu+0x18/0x200 ? lookup_get_idr_uobject+0x200/0x200 ? rdma_lookup_get_uobject+0x145/0x2f0 ib_uverbs_resize_cq+0x207/0x3e0 ? ib_uverbs_ex_create_cq+0x250/0x250 ib_uverbs_write+0x7f9/0xef0 ? cyc2ns_read_end+0x10/0x10 ? print_irqtrace_events+0x280/0x280 ? ib_uverbs_ex_create_cq+0x250/0x250 ? uverbs_devnode+0x110/0x110 ? sched_clock_cpu+0x18/0x200 ? do_raw_spin_trylock+0x100/0x100 ? __lru_cache_add+0x16e/0x290 __vfs_write+0x10d/0x700 ? uverbs_devnode+0x110/0x110 ? kernel_read+0x170/0x170 ? sched_clock_cpu+0x18/0x200 ? security_file_permission+0x93/0x260 vfs_write+0x1b0/0x550 SyS_write+0xc7/0x1a0 ? SyS_read+0x1a0/0x1a0 ? trace_hardirqs_on_thunk+0x1a/0x1c entry_SYSCALL_64_fastpath+0x1e/0x8b RIP: 0033:0x433549 RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217 ======================================================================= Cc: syzkaller <syzkaller(a)googlegroups.com> Cc: <stable(a)vger.kernel.org> # 3.13 Fixes: bde51583f49b ("IB/mlx5: Add support for resize CQ") Reported-by: Noa Osherovich <noaos(a)mellanox.com> Reviewed-by: Yishai Hadas <yishaih(a)mellanox.com> Signed-off-by: Leon Romanovsky <leonro(a)mellanox.com> Signed-off-by: Doug Ledford <dledford(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c index b5cfdaa9c7c8..15457c9569a7 100644 --- a/drivers/infiniband/hw/mlx5/cq.c +++ b/drivers/infiniband/hw/mlx5/cq.c @@ -1178,7 +1178,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq, if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL; - umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem); Patches currently in stable-queue which might be from leonro(a)mellanox.com are queue-4.14/rdma-ucma-limit-possible-option-size.patch queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch

7 years, 3 months

1
0
0 0

Patch "RDMA/ucma: Check that user doesn't overflow QP state" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled RDMA/ucma: Check that user doesn't overflow QP state to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From a5880b84430316e3e1c1f5d23aa32ec6000cc717 Mon Sep 17 00:00:00 2001 From: Leon Romanovsky <leonro(a)mellanox.com> Date: Wed, 7 Mar 2018 18:49:16 +0200 Subject: RDMA/ucma: Check that user doesn't overflow QP state From: Leon Romanovsky <leonro(a)mellanox.com> commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream. The QP state is limited and declared in enum ib_qp_state, but ucma user was able to supply any possible (u32) value. Reported-by: syzbot+0df1ab766f8924b1edba(a)syzkaller.appspotmail.com Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace") Signed-off-by: Leon Romanovsky <leonro(a)mellanox.com> Signed-off-by: Doug Ledford <dledford(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/infiniband/core/ucma.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1148,6 +1148,9 @@ static ssize_t ucma_init_qp_attr(struct if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT; + if (cmd.qp_state > IB_QPS_ERR) + return -EINVAL; + ctx = ucma_get_ctx(file, cmd.id); if (IS_ERR(ctx)) return PTR_ERR(ctx); Patches currently in stable-queue which might be from leonro(a)mellanox.com are queue-4.14/rdma-ucma-limit-possible-option-size.patch queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch

7 years, 3 months

1
0
0 0

Patch "RDMA/ucma: Limit possible option size" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled RDMA/ucma: Limit possible option size to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: rdma-ucma-limit-possible-option-size.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c Mon Sep 17 00:00:00 2001 From: Leon Romanovsky <leonro(a)mellanox.com> Date: Wed, 7 Mar 2018 14:49:09 +0200 Subject: RDMA/ucma: Limit possible option size From: Leon Romanovsky <leonro(a)mellanox.com> commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream. Users of ucma are supposed to provide size of option level, in most paths it is supposed to be equal to u8 or u16, but it is not the case for the IB path record, where it can be multiple of struct ib_path_rec_data. This patch takes simplest possible approach and prevents providing values more than possible to allocate. Reported-by: syzbot+a38b0e9f694c379ca7ce(a)syzkaller.appspotmail.com Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type") Signed-off-by: Leon Romanovsky <leonro(a)mellanox.com> Signed-off-by: Doug Ledford <dledford(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/infiniband/core/ucma.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1293,6 +1293,9 @@ static ssize_t ucma_set_option(struct uc if (IS_ERR(ctx)) return PTR_ERR(ctx); + if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) + return -EINVAL; + optval = memdup_user((void __user *) (unsigned long) cmd.optval, cmd.optlen); if (IS_ERR(optval)) { Patches currently in stable-queue which might be from leonro(a)mellanox.com are queue-4.14/rdma-ucma-limit-possible-option-size.patch queue-4.14/rdma-ucma-check-that-user-doesn-t-overflow-qp-state.patch queue-4.14/rdma-mlx5-fix-integer-overflow-while-resizing-cq.patch

7 years, 3 months

1
0
0 0

Re: [PATCH 3.18 00/21] 3.18.99-stable review

by Greg Kroah-Hartman

On Sat, Mar 10, 2018 at 03:51:27PM +0000, Harsh Shandilya wrote: > On Sat, 10 Mar, 2018, 5:48 AM Greg Kroah-Hartman, < > gregkh(a)linuxfoundation.org> wrote: > > > This is the start of the stable review cycle for the 3.18.99 release. > > There are 21 patches in this series, all will be posted as a response > > to this one. If anyone has any issues with these being applied, please > > let me know. > > > > Responses should be made by Mon Mar 12 00:17:44 UTC 2018. > > Anything received after that time might be too late. > > > > The whole patch series can be found in one patch at: > > > > https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.99-rc… > > or in the git tree and branch at: > > git:// > > git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git > > linux-3.18.y > > and the diffstat can be found below. > > > > No issues on the OnePlus 3T, clean merge into the CAF msm-3.18 tree. Great, thanks for testing and letting me know. greg k-h

7 years, 3 months

1
0
0 0

[PATCH 3.18 00/21] 3.18.99-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 3.18.99 release. There are 21 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Mon Mar 12 00:17:44 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.99-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 3.18.99-rc1 Mike Snitzer <snitzer(a)redhat.com> dm io: fix duplicate bio completion due to missing ref count Stefano Brivio <sbrivio(a)redhat.com> fib_semantics: Don't match route with mismatching tclassid Sabrina Dubroca <sd(a)queasysnail.net> net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68 Alexey Kodanev <alexey.kodanev(a)oracle.com> sctp: verify size of a new chunk in _sctp_make_chunk() Julian Wiedmann <jwi(a)linux.vnet.ibm.com> s390/qeth: fix IPA command submission race Julian Wiedmann <jwi(a)linux.vnet.ibm.com> s390/qeth: fix SETIP command handling Alexey Kodanev <alexey.kodanev(a)oracle.com> sctp: fix dst refcnt leak in sctp_v6_get_dst() Alexey Kodanev <alexey.kodanev(a)oracle.com> udplite: fix partial checksum initialization Guillaume Nault <g.nault(a)alphalink.fr> ppp: prevent unregistered channels from connecting to PPP units Nicolas Dichtel <nicolas.dichtel(a)6wind.com> netlink: ensure to loop over all netns in genlmsg_multicast_allns() Jakub Kicinski <jakub.kicinski(a)netronome.com> net: fix race on decreasing number of TX queues Arnd Bergmann <arnd(a)arndb.de> ipv6 sit: work around bogus gcc-8 -Wrestrict warning Denis Du <dudenis2000(a)yahoo.ca> hdlc_ppp: carrier detect ok, don't turn off negotiation Xin Long <lucien.xin(a)gmail.com> bridge: check brport attr show in brport_show Nathan Sullivan <nathan.sullivan(a)ni.com> leds: do not overflow sysfs buffer in led_trigger_show Lucas Stach <l.stach(a)pengutronix.de> net: fec: introduce fec_ptp_stop and use in probe fail path Ulf Magnusson <ulfalizer(a)gmail.com> ARM: mvebu: Fix broken PL310_ERRATA_753970 selects Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() Erik Veijola <erik.veijola(a)gmail.com> ALSA: usb-audio: Add a quirck for B&W PX headphones Jeremy Boone <jeremy.boone(a)nccgroup.trust> tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus Jeremy Boone <jeremy.boone(a)nccgroup.trust> tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus ------------- Diffstat: Makefile | 4 +-- arch/arm/mach-mvebu/Kconfig | 4 +-- drivers/char/tpm/tpm_i2c_infineon.c | 5 ++-- drivers/char/tpm/tpm_i2c_nuvoton.c | 8 ++++-- drivers/cpufreq/s3c24xx-cpufreq.c | 8 +++++- drivers/leds/led-triggers.c | 12 ++++---- drivers/md/dm-io.c | 1 + drivers/net/ethernet/freescale/fec.h | 1 + drivers/net/ethernet/freescale/fec_main.c | 5 ++-- drivers/net/ethernet/freescale/fec_ptp.c | 10 +++++++ drivers/net/ppp/ppp_generic.c | 9 ++++++ drivers/net/wan/hdlc_ppp.c | 5 +++- drivers/s390/net/qeth_core.h | 5 ++++ drivers/s390/net/qeth_core_main.c | 33 ++++++++++++---------- include/net/udplite.h | 1 + net/bridge/br_sysfs_if.c | 3 ++ net/core/dev.c | 11 ++++++-- net/ipv4/fib_semantics.c | 5 ++++ net/ipv4/route.c | 7 +++-- net/ipv4/udp.c | 5 ++++ net/ipv6/ip6_checksum.c | 5 ++++ net/ipv6/sit.c | 2 +- net/netlink/genetlink.c | 12 ++++++-- net/sctp/ipv6.c | 10 +++++-- net/sctp/sm_make_chunk.c | 8 ++++-- sound/usb/quirks-table.h | 47 +++++++++++++++++++++++++++++++ 26 files changed, 181 insertions(+), 45 deletions(-)

7 years, 3 months

3
23
0 0

[PATCH 4.14, 4.15 1/2] scsi: mpt3sas: fix oops in error handlers after shutdown/unload

by Mauricio Faria de Oliveira

commit 9ff549ffb4fb4cc9a4b24d1de9dc3e68287797c4 upstream. This patch adds checks for 'ioc->remove_host' in the SCSI error handlers, so not to access pointers/resources potentially freed in the PCI shutdown/module unload path. The error handlers may be invoked after shutdown/unload, depending on other components. This problem was observed with kexec on a system with a mpt3sas based adapter and an infiniband adapter which takes long enough to shutdown: The mpt3sas driver finished shutting down / disabled interrupt handling, thus some commands have not finished and timed out. Since the system was still running (waiting for the infiniband adapter to shutdown), the scsi error handler for task abort of mpt3sas was invoked, and hit an oops -- either in scsih_abort() because 'ioc->scsi_lookup' was NULL without commit dbec4c9040ed ("scsi: mpt3sas: lockless command submission"), or later up in scsih_host_reset() (with or without that commit), because it eventually called mpt3sas_base_get_iocstate(). After the above commit, the oops in scsih_abort() does not occur anymore (_scsih_scsi_lookup_find_by_scmd() is no longer called), but that commit is too big and out of the scope of linux-stable, where this patch might help, so still go for the changes. Also, this might help to prevent similar errors in the future, in case code changes and possibly tries to access freed stuff. Note the fix in scsih_host_reset() is still important anyway. Signed-off-by: Mauricio Faria de Oliveira <mauricfo(a)linux.vnet.ibm.com> Acked-by: Sreekanth Reddy <Sreekanth.Reddy(a)broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> --- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c index b258f21..4adc7c7 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c +++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c @@ -2998,7 +2998,8 @@ int mpt3sas_scsih_issue_locked_tm(struct MPT3SAS_ADAPTER *ioc, u16 handle, _scsih_tm_display_info(ioc, scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { sdev_printk(KERN_INFO, scmd->device, "device been deleted! scmd(%p)\n", scmd); scmd->result = DID_NO_CONNECT << 16; @@ -3060,7 +3061,8 @@ int mpt3sas_scsih_issue_locked_tm(struct MPT3SAS_ADAPTER *ioc, u16 handle, _scsih_tm_display_info(ioc, scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { sdev_printk(KERN_INFO, scmd->device, "device been deleted! scmd(%p)\n", scmd); scmd->result = DID_NO_CONNECT << 16; @@ -3122,7 +3124,8 @@ int mpt3sas_scsih_issue_locked_tm(struct MPT3SAS_ADAPTER *ioc, u16 handle, _scsih_tm_display_info(ioc, scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { starget_printk(KERN_INFO, starget, "target been deleted! scmd(%p)\n", scmd); scmd->result = DID_NO_CONNECT << 16; @@ -3179,7 +3182,7 @@ int mpt3sas_scsih_issue_locked_tm(struct MPT3SAS_ADAPTER *ioc, u16 handle, ioc->name, scmd); scsi_print_command(scmd); - if (ioc->is_driver_loading) { + if (ioc->is_driver_loading || ioc->remove_host) { pr_info(MPT3SAS_FMT "Blocking the host reset\n", ioc->name); r = FAILED; -- 1.8.3.1

7 years, 3 months

2
4
0 0

+ hugetlbfs-check-for-pgoff-value-overflow.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: hugetlbfs: check for pgoff value overflow has been added to the -mm tree. Its filename is hugetlbfs-check-for-pgoff-value-overflow.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/hugetlbfs-check-for-pgoff-value-ov… and later at http://ozlabs.org/~akpm/mmotm/broken-out/hugetlbfs-check-for-pgoff-value-ov… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Mike Kravetz <mike.kravetz(a)oracle.com> Subject: hugetlbfs: check for pgoff value overflow A vma with vm_pgoff large enough to overflow a loff_t type when converted to a byte offset can be passed via the remap_file_pages system call. The hugetlbfs mmap routine uses the byte offset to calculate reservations and file size. A sequence such as: mmap(0x20a00000, 0x600000, 0, 0x66033, -1, 0); remap_file_pages(0x20a00000, 0x600000, 0, 0x20000000000000, 0); will result in the following when task exits/file closed, kernel BUG at mm/hugetlb.c:749! Call Trace: hugetlbfs_evict_inode+0x2f/0x40 evict+0xcb/0x190 __dentry_kill+0xcb/0x150 __fput+0x164/0x1e0 task_work_run+0x84/0xa0 exit_to_usermode_loop+0x7d/0x80 do_syscall_64+0x18b/0x190 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 The overflowed pgoff value causes hugetlbfs to try to set up a mapping with a negative range (end < start) that leaves invalid state which causes the BUG. The previous overflow fix to this code was incomplete and did not take the remap_file_pages system call into account. Link: http://lkml.kernel.org/r/20180308210502.15952-1-mike.kravetz@oracle.com Fixes: 045c7a3f53d9 ("hugetlbfs: fix offset overflow in hugetlbfs mmap") Signed-off-by: Mike Kravetz <mike.kravetz(a)oracle.com> Reported-by: Nic Losby <blurbdust(a)gmail.com> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: "Kirill A . Shutemov" <kirill.shutemov(a)linux.intel.com> Cc: Yisheng Xie <xieyisheng1(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- diff -puN fs/hugetlbfs/inode.c~hugetlbfs-check-for-pgoff-value-overflow fs/hugetlbfs/inode.c --- a/fs/hugetlbfs/inode.c~hugetlbfs-check-for-pgoff-value-overflow +++ a/fs/hugetlbfs/inode.c @@ -111,6 +111,7 @@ static void huge_pagevec_release(struct static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma) { struct inode *inode = file_inode(file); + unsigned long ovfl_mask; loff_t len, vma_len; int ret; struct hstate *h = hstate_file(file); @@ -127,12 +128,16 @@ static int hugetlbfs_file_mmap(struct fi vma->vm_ops = &hugetlb_vm_ops; /* - * Offset passed to mmap (before page shift) could have been - * negative when represented as a (l)off_t. + * page based offset in vm_pgoff could be sufficiently large to + * overflow a (l)off_t when converted to byte offset. */ - if (((loff_t)vma->vm_pgoff << PAGE_SHIFT) < 0) + ovfl_mask = (1UL << (PAGE_SHIFT + 1)) - 1; + ovfl_mask <<= ((sizeof(unsigned long) * BITS_PER_BYTE) - + (PAGE_SHIFT + 1)); + if (vma->vm_pgoff & ovfl_mask) return -EINVAL; + /* must be huge page aligned */ if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT)) return -EINVAL; diff -puN mm/hugetlb.c~hugetlbfs-check-for-pgoff-value-overflow mm/hugetlb.c --- a/mm/hugetlb.c~hugetlbfs-check-for-pgoff-value-overflow +++ a/mm/hugetlb.c @@ -4374,6 +4374,12 @@ int hugetlb_reserve_pages(struct inode * struct resv_map *resv_map; long gbl_reserve; + /* This should never happen */ + if (from > to) { + VM_WARN(1, "%s called with a negative range\n", __func__); + return -EINVAL; + } + /* * Only apply hugepage reservation if asked. At fault time, an * attempt will be made for VM_NORESERVE to allocate a page _ Patches currently in -mm which might be from mike.kravetz(a)oracle.com are hugetlbfs-check-for-pgoff-value-overflow.patch hugetlbfs-check-for-pgoff-value-overflow-v3.patch mm-hugetlbfs-move-hugetlbfs_i-outside-ifdef-config_hugetlbfs.patch mm-memfd-split-out-memfd-for-use-by-multiple-filesystems.patch mm-memfd-remove-memfd-code-from-shmem-files-and-use-new-memfd-files.patch

7 years, 3 months

1
0
0 0

[Linux-stable-mirror] [PATCH] Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version

by Hans de Goede

Commit 7d06d5895c15 ("Revert "Bluetooth: btusb: fix QCA...suspend/resume"") removed the setting of the BTUSB_RESET_RESUME quirk for QCA Rome devices, instead favoring adding USB_QUIRK_RESET_RESUME quirks in usb/core/quirks.c. This was done because the DIY BTUSB_RESET_RESUME reset-resume handling has several issues (see the original commit message). An added advantage of moving over to the USB-core reset-resume handling is that it also disables autosuspend for these devices, which is similarly broken on these. But there are 2 issues with this approach: 1) It leaves the broken DIY BTUSB_RESET_RESUME code in place for Realtek devices. 2) Sofar only 2 of the 10 QCA devices known to the btusb code have been added to usb/core/quirks.c and if we fix the Realtek case the same way we need to add an additional 14 entries. So in essence we need to duplicate a large part of the usb_device_id table in btusb.c in usb/core/quirks.c and manually keep them in sync. This commit instead restores setting a reset-resume quirk for QCA devices in the btusb.c code, avoiding the duplicate usb_device_id table problem. This commit avoids the problems with the original DIY BTUSB_RESET_RESUME code by simply setting the USB_QUIRK_RESET_RESUME quirk directly on the usb_device. This commit also moves the BTUSB_REALTEK case over to directly setting the USB_QUIRK_RESET_RESUME on the usb_device and removes the now unused BTUSB_RESET_RESUME code. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1514836 Fixes: 7d06d5895c15 ("Revert "Bluetooth: btusb: fix QCA...suspend/resume"") Cc: stable(a)vger.kernel.org Cc: Leif Liddy <leif.linux(a)gmail.com> Cc: Matthias Kaehlcke <mka(a)chromium.org> Cc: Brian Norris <briannorris(a)chromium.org> Cc: Daniel Drake <drake(a)endlessm.com> Cc: Kai-Heng Feng <kai.heng.feng(a)canonical.com> Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- Note: 1) Once this has been merged, the 2 commits adding QCA device entries to drivers/usb/core/quirks.c should be reverted or dropped from bluetooth-next. 2) I don't have any of the affected devices, please test --- drivers/bluetooth/btusb.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 4764100a5888..c4689f03220f 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -23,6 +23,7 @@ #include <linux/module.h> #include <linux/usb.h> +#include <linux/usb/quirks.h> #include <linux/firmware.h> #include <linux/of_device.h> #include <linux/of_irq.h> @@ -388,9 +389,8 @@ static const struct usb_device_id blacklist_table[] = { #define BTUSB_FIRMWARE_LOADED 7 #define BTUSB_FIRMWARE_FAILED 8 #define BTUSB_BOOTING 9 -#define BTUSB_RESET_RESUME 10 -#define BTUSB_DIAG_RUNNING 11 -#define BTUSB_OOB_WAKE_ENABLED 12 +#define BTUSB_DIAG_RUNNING 10 +#define BTUSB_OOB_WAKE_ENABLED 11 struct btusb_data { struct hci_dev *hdev; @@ -3118,6 +3118,12 @@ static int btusb_probe(struct usb_interface *intf, if (id->driver_info & BTUSB_QCA_ROME) { data->setup_on_usb = btusb_setup_qca; hdev->set_bdaddr = btusb_set_bdaddr_ath3012; + + /* QCA Rome devices lose their updated firmware over suspend, + * but the USB hub doesn't notice any status change. + * explicitly request a device reset on resume. + */ + interface_to_usbdev(intf)->quirks |= USB_QUIRK_RESET_RESUME; } #ifdef CONFIG_BT_HCIBTUSB_RTL @@ -3128,7 +3134,7 @@ static int btusb_probe(struct usb_interface *intf, * but the USB hub doesn't notice any status change. * Explicitly request a device reset on resume. */ - set_bit(BTUSB_RESET_RESUME, &data->flags); + interface_to_usbdev(intf)->quirks |= USB_QUIRK_RESET_RESUME; } #endif @@ -3297,14 +3303,6 @@ static int btusb_suspend(struct usb_interface *intf, pm_message_t message) enable_irq(data->oob_wake_irq); } - /* Optionally request a device reset on resume, but only when - * wakeups are disabled. If wakeups are enabled we assume the - * device will stay powered up throughout suspend. - */ - if (test_bit(BTUSB_RESET_RESUME, &data->flags) && - !device_may_wakeup(&data->udev->dev)) - data->udev->reset_resume = 1; - return 0; } -- 2.14.3

7 years, 3 months

6
24
0 0

[PATCH 0/2] Backport IBPB on context switch to non-dumpable process

by Tim Chen

Greg, I will like to propose backporting "x86/speculation: Use Indirect Branch Prediction Barrier on context switch" from commit 18bf3c3e in upstream to 4.9 and 4.4 stable. The patch has already been ported to 4.14 and 4.15 stable. The patch needs mm context id that Andy added in commit f39681ed. I have lifted the mm context id change from Andy's upstream patch and included it here. Thanks. Tim Tim Chen (2): x86/mm: Give each mm a unique ID x86/speculation: Use Indirect Branch Prediction Barrier in context switch arch/x86/include/asm/mmu.h | 15 +++++++++++++-- arch/x86/include/asm/mmu_context.h | 5 +++++ arch/x86/include/asm/tlbflush.h | 2 ++ arch/x86/mm/tlb.c | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 53 insertions(+), 2 deletions(-) -- 2.9.4

7 years, 3 months

2
8
0 0

[patch 5/8] mm/memblock.c: hardcode the end_pfn being -1

by akpm＠linux-foundation.org

From: Daniel Vacek <neelx(a)redhat.com> Subject: mm/memblock.c: hardcode the end_pfn being -1 This is just a cleanup. It aids handling the special end case in the next commit. [akpm(a)linux-foundation.org: make it work against current -linus, not against -mm] [akpm(a)linux-foundation.org: make it work against current -linus, not against -mm some more] Link: http://lkml.kernel.org/r/1ca478d4269125a99bcfb1ca04d7b88ac1aee924.152001194… Signed-off-by: Daniel Vacek <neelx(a)redhat.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Pavel Tatashin <pasha.tatashin(a)oracle.com> Cc: Paul Burton <paul.burton(a)imgtec.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memblock.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff -puN mm/memblock.c~mm-memblock-hardcode-the-end_pfn-being-1 mm/memblock.c --- a/mm/memblock.c~mm-memblock-hardcode-the-end_pfn-being-1 +++ a/mm/memblock.c @@ -1107,7 +1107,7 @@ unsigned long __init_memblock memblock_n struct memblock_type *type = &memblock.memory; unsigned int right = type->cnt; unsigned int mid, left = 0; - phys_addr_t addr = PFN_PHYS(pfn + 1); + phys_addr_t addr = PFN_PHYS(++pfn); do { mid = (right + left) / 2; @@ -1118,15 +1118,15 @@ unsigned long __init_memblock memblock_n type->regions[mid].size)) left = mid + 1; else { - /* addr is within the region, so pfn + 1 is valid */ - return min(pfn + 1, max_pfn); + /* addr is within the region, so pfn is valid */ + return pfn; } } while (left < right); if (right == type->cnt) - return max_pfn; + return -1UL; else - return min(PHYS_PFN(type->regions[right].base), max_pfn); + return PHYS_PFN(type->regions[right].base); } /** _

7 years, 3 months

2
1
0 0

[folded-merged] mm-memblock-hardcode-the-end_pfn-being-1-fix.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm-memblock-hardcode-the-end_pfn-being-1-fix has been removed from the -mm tree. Its filename was mm-memblock-hardcode-the-end_pfn-being-1-fix.patch This patch was dropped because it was folded into mm-memblock-hardcode-the-end_pfn-being-1.patch ------------------------------------------------------ From: Andrew Morton <akpm(a)linux-foundation.org> Subject: mm-memblock-hardcode-the-end_pfn-being-1-fix make it work against current -linus, not against -mm Cc: Daniel Vacek <neelx(a)redhat.com> Cc: <stable(a)vger.kernel.org> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Paul Burton <paul.burton(a)imgtec.com> Cc: Pavel Tatashin <pasha.tatashin(a)oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN mm/page_alloc.c~mm-memblock-hardcode-the-end_pfn-being-1-fix mm/page_alloc.c --- a/mm/page_alloc.c~mm-memblock-hardcode-the-end_pfn-being-1-fix +++ a/mm/page_alloc.c @@ -5361,7 +5361,7 @@ void __meminit memmap_init_zone(unsigned * end_pfn), such that we hit a valid pfn (or end_pfn) * on our next iteration of the loop. */ - pfn = memblock_next_valid_pfn(pfn) - 1; + pfn = memblock_next_valid_pfn(pfn, end_pfn) - 1; #endif continue; } _ Patches currently in -mm which might be from akpm(a)linux-foundation.org are i-need-old-gcc.patch mm-memblock-hardcode-the-end_pfn-being-1.patch mm-memblock-hardcode-the-end_pfn-being-1-fix-fix.patch mm-mempolicy-avoid-use-uninitialized-preferred_node-fix.patch arm-arch-arm-include-asm-pageh-needs-personalityh.patch ocfs2-without-quota-support-try-to-avoid-calling-quota-recovery-checkpatch-fixes.patch mm.patch mm-initialize-pages-on-demand-during-boot-fix-4-fix.patch mm-initialize-pages-on-demand-during-boot-v5-fix.patch mm-page_alloc-skip-over-regions-of-invalid-pfns-on-uma-fix.patch direct-io-minor-cleanups-in-do_blockdev_direct_io-fix.patch mm-fix-races-between-swapoff-and-flush-dcache-fix.patch list_lru-prefetch-neighboring-list-entries-before-acquiring-lock-fix.patch mm-oom-cgroup-aware-oom-killer-fix.patch mm-oom-docs-describe-the-cgroup-aware-oom-killer-fix-2-fix.patch proc-add-seq_put_decimal_ull_width-to-speed-up-proc-pid-smaps-fix.patch linux-next-rejects.patch linux-next-fixup.patch fs-fsnotify-account-fsnotify-metadata-to-kmemcg-fix.patch headers-untangle-kmemleakh-from-mmh-fix.patch kernel-forkc-export-kernel_thread-to-modules.patch slab-leaks3-default-y.patch

7 years, 3 months

2
1
0 0

Patch "btrfs: preserve i_mode if __btrfs_set_acl() fails" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled btrfs: preserve i_mode if __btrfs_set_acl() fails to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: btrfs-preserve-i_mode-if-__btrfs_set_acl-fails.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From d7d824966530acfe32b94d1ed672e6fe1638cd68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?= <ernesto.mnd.fernandez(a)gmail.com> Date: Wed, 2 Aug 2017 03:18:27 -0300 Subject: btrfs: preserve i_mode if __btrfs_set_acl() fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Ernesto A. Fernández <ernesto.mnd.fernandez(a)gmail.com> commit d7d824966530acfe32b94d1ed672e6fe1638cd68 upstream. When changing a file's acl mask, btrfs_set_acl() will first set the group bits of i_mode to the value of the mask, and only then set the actual extended attribute representing the new acl. If the second part fails (due to lack of space, for example) and the file had no acl attribute to begin with, the system will from now on assume that the mask permission bits are actual group permission bits, potentially granting access to the wrong users. Prevent this by restoring the original mode bits if __btrfs_set_acl fails. Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez(a)gmail.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Nikolay Borisov <nborisov(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/btrfs/acl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/fs/btrfs/acl.c +++ b/fs/btrfs/acl.c @@ -114,13 +114,17 @@ out: int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type) { int ret; + umode_t old_mode = inode->i_mode; if (type == ACL_TYPE_ACCESS && acl) { ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); if (ret) return ret; } - return __btrfs_set_acl(NULL, inode, acl, type); + ret = __btrfs_set_acl(NULL, inode, acl, type); + if (ret) + inode->i_mode = old_mode; + return ret; } /* Patches currently in stable-queue which might be from ernesto.mnd.fernandez(a)gmail.com are queue-4.9/btrfs-preserve-i_mode-if-__btrfs_set_acl-fails.patch

7 years, 3 months

1
0
0 0

Patch "btrfs: preserve i_mode if __btrfs_set_acl() fails" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled btrfs: preserve i_mode if __btrfs_set_acl() fails to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: btrfs-preserve-i_mode-if-__btrfs_set_acl-fails.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From d7d824966530acfe32b94d1ed672e6fe1638cd68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?= <ernesto.mnd.fernandez(a)gmail.com> Date: Wed, 2 Aug 2017 03:18:27 -0300 Subject: btrfs: preserve i_mode if __btrfs_set_acl() fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Ernesto A. Fernández <ernesto.mnd.fernandez(a)gmail.com> commit d7d824966530acfe32b94d1ed672e6fe1638cd68 upstream. When changing a file's acl mask, btrfs_set_acl() will first set the group bits of i_mode to the value of the mask, and only then set the actual extended attribute representing the new acl. If the second part fails (due to lack of space, for example) and the file had no acl attribute to begin with, the system will from now on assume that the mask permission bits are actual group permission bits, potentially granting access to the wrong users. Prevent this by restoring the original mode bits if __btrfs_set_acl fails. Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez(a)gmail.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Nikolay Borisov <nborisov(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/btrfs/acl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/fs/btrfs/acl.c +++ b/fs/btrfs/acl.c @@ -118,13 +118,17 @@ out: int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type) { int ret; + umode_t old_mode = inode->i_mode; if (type == ACL_TYPE_ACCESS && acl) { ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); if (ret) return ret; } - return __btrfs_set_acl(NULL, inode, acl, type); + ret = __btrfs_set_acl(NULL, inode, acl, type); + if (ret) + inode->i_mode = old_mode; + return ret; } /* Patches currently in stable-queue which might be from ernesto.mnd.fernandez(a)gmail.com are queue-4.4/btrfs-preserve-i_mode-if-__btrfs_set_acl-fails.patch

7 years, 3 months

1
0
0 0

Patch "scsi: mpt3sas: wait for and flush running commands on shutdown/unload" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled scsi: mpt3sas: wait for and flush running commands on shutdown/unload to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: scsi-mpt3sas-wait-for-and-flush-running-commands-on-shutdown-unload.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From c666d3be99c000bb889a33353e9be0fa5808d3de Mon Sep 17 00:00:00 2001 From: Sreekanth Reddy <sreekanth.reddy(a)broadcom.com> Date: Fri, 16 Feb 2018 20:39:58 -0200 Subject: scsi: mpt3sas: wait for and flush running commands on shutdown/unload From: Sreekanth Reddy <sreekanth.reddy(a)broadcom.com> commit c666d3be99c000bb889a33353e9be0fa5808d3de upstream. This patch finishes all outstanding SCSI IO commands (but not other commands, e.g., task management) in the shutdown and unload paths. It first waits for the commands to complete (this is done after setting 'ioc->remove_host = 1 ', which prevents new commands to be queued) then it flushes commands that might still be running. This avoids triggering error handling (e.g., abort command) for all commands possibly completed by the adapter after interrupts disabled. [mauricfo: introduced something in commit message.] Signed-off-by: Sreekanth Reddy <sreekanth.reddy(a)broadcom.com> Tested-by: Mauricio Faria de Oliveira <mauricfo(a)linux.vnet.ibm.com> Signed-off-by: Mauricio Faria de Oliveira <mauricfo(a)linux.vnet.ibm.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> [mauricfo: backport to linux-4.15.y (a few updates to context lines)] Signed-off-by: Mauricio Faria de Oliveira <mauricfo(a)linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/scsi/mpt3sas/mpt3sas_base.c | 8 ++++---- drivers/scsi/mpt3sas/mpt3sas_base.h | 3 +++ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 10 +++++++++- 3 files changed, 16 insertions(+), 5 deletions(-) --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -6289,14 +6289,14 @@ _base_reset_handler(struct MPT3SAS_ADAPT } /** - * _wait_for_commands_to_complete - reset controller + * mpt3sas_wait_for_commands_to_complete - reset controller * @ioc: Pointer to MPT_ADAPTER structure * * This function waiting(3s) for all pending commands to complete * prior to putting controller in reset. */ -static void -_wait_for_commands_to_complete(struct MPT3SAS_ADAPTER *ioc) +void +mpt3sas_wait_for_commands_to_complete(struct MPT3SAS_ADAPTER *ioc) { u32 ioc_state; unsigned long flags; @@ -6375,7 +6375,7 @@ mpt3sas_base_hard_reset_handler(struct M is_fault = 1; } _base_reset_handler(ioc, MPT3_IOC_PRE_RESET); - _wait_for_commands_to_complete(ioc); + mpt3sas_wait_for_commands_to_complete(ioc); _base_mask_interrupts(ioc); r = _base_make_ioc_ready(ioc, type); if (r) --- a/drivers/scsi/mpt3sas/mpt3sas_base.h +++ b/drivers/scsi/mpt3sas/mpt3sas_base.h @@ -1435,6 +1435,9 @@ void mpt3sas_base_update_missing_delay(s int mpt3sas_port_enable(struct MPT3SAS_ADAPTER *ioc); +void +mpt3sas_wait_for_commands_to_complete(struct MPT3SAS_ADAPTER *ioc); + /* scsih shared API */ u8 mpt3sas_scsih_event_callback(struct MPT3SAS_ADAPTER *ioc, u8 msix_index, --- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c +++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c @@ -4614,7 +4614,7 @@ _scsih_flush_running_cmds(struct MPT3SAS _scsih_set_satl_pending(scmd, false); mpt3sas_base_free_smid(ioc, smid); scsi_dma_unmap(scmd); - if (ioc->pci_error_recovery) + if (ioc->pci_error_recovery || ioc->remove_host) scmd->result = DID_NO_CONNECT << 16; else scmd->result = DID_RESET << 16; @@ -9904,6 +9904,10 @@ static void scsih_remove(struct pci_dev unsigned long flags; ioc->remove_host = 1; + + mpt3sas_wait_for_commands_to_complete(ioc); + _scsih_flush_running_cmds(ioc); + _scsih_fw_event_cleanup_queue(ioc); spin_lock_irqsave(&ioc->fw_event_lock, flags); @@ -9980,6 +9984,10 @@ scsih_shutdown(struct pci_dev *pdev) unsigned long flags; ioc->remove_host = 1; + + mpt3sas_wait_for_commands_to_complete(ioc); + _scsih_flush_running_cmds(ioc); + _scsih_fw_event_cleanup_queue(ioc); spin_lock_irqsave(&ioc->fw_event_lock, flags); Patches currently in stable-queue which might be from sreekanth.reddy(a)broadcom.com are queue-4.15/scsi-mpt3sas-wait-for-and-flush-running-commands-on-shutdown-unload.patch

7 years, 3 months

1
0
0 0

Patch "scsi: mpt3sas: fix oops in error handlers after shutdown/unload" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled scsi: mpt3sas: fix oops in error handlers after shutdown/unload to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: scsi-mpt3sas-fix-oops-in-error-handlers-after-shutdown-unload.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 9ff549ffb4fb4cc9a4b24d1de9dc3e68287797c4 Mon Sep 17 00:00:00 2001 From: Mauricio Faria de Oliveira <mauricfo(a)linux.vnet.ibm.com> Date: Fri, 16 Feb 2018 20:39:57 -0200 Subject: scsi: mpt3sas: fix oops in error handlers after shutdown/unload From: Mauricio Faria de Oliveira <mauricfo(a)linux.vnet.ibm.com> commit 9ff549ffb4fb4cc9a4b24d1de9dc3e68287797c4 upstream. This patch adds checks for 'ioc->remove_host' in the SCSI error handlers, so not to access pointers/resources potentially freed in the PCI shutdown/module unload path. The error handlers may be invoked after shutdown/unload, depending on other components. This problem was observed with kexec on a system with a mpt3sas based adapter and an infiniband adapter which takes long enough to shutdown: The mpt3sas driver finished shutting down / disabled interrupt handling, thus some commands have not finished and timed out. Since the system was still running (waiting for the infiniband adapter to shutdown), the scsi error handler for task abort of mpt3sas was invoked, and hit an oops -- either in scsih_abort() because 'ioc->scsi_lookup' was NULL without commit dbec4c9040ed ("scsi: mpt3sas: lockless command submission"), or later up in scsih_host_reset() (with or without that commit), because it eventually called mpt3sas_base_get_iocstate(). After the above commit, the oops in scsih_abort() does not occur anymore (_scsih_scsi_lookup_find_by_scmd() is no longer called), but that commit is too big and out of the scope of linux-stable, where this patch might help, so still go for the changes. Also, this might help to prevent similar errors in the future, in case code changes and possibly tries to access freed stuff. Note the fix in scsih_host_reset() is still important anyway. Signed-off-by: Mauricio Faria de Oliveira <mauricfo(a)linux.vnet.ibm.com> Acked-by: Sreekanth Reddy <Sreekanth.Reddy(a)broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) --- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c +++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c @@ -2998,7 +2998,8 @@ scsih_abort(struct scsi_cmnd *scmd) _scsih_tm_display_info(ioc, scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { sdev_printk(KERN_INFO, scmd->device, "device been deleted! scmd(%p)\n", scmd); scmd->result = DID_NO_CONNECT << 16; @@ -3060,7 +3061,8 @@ scsih_dev_reset(struct scsi_cmnd *scmd) _scsih_tm_display_info(ioc, scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { sdev_printk(KERN_INFO, scmd->device, "device been deleted! scmd(%p)\n", scmd); scmd->result = DID_NO_CONNECT << 16; @@ -3122,7 +3124,8 @@ scsih_target_reset(struct scsi_cmnd *scm _scsih_tm_display_info(ioc, scmd); sas_device_priv_data = scmd->device->hostdata; - if (!sas_device_priv_data || !sas_device_priv_data->sas_target) { + if (!sas_device_priv_data || !sas_device_priv_data->sas_target || + ioc->remove_host) { starget_printk(KERN_INFO, starget, "target been deleted! scmd(%p)\n", scmd); scmd->result = DID_NO_CONNECT << 16; @@ -3179,7 +3182,7 @@ scsih_host_reset(struct scsi_cmnd *scmd) ioc->name, scmd); scsi_print_command(scmd); - if (ioc->is_driver_loading) { + if (ioc->is_driver_loading || ioc->remove_host) { pr_info(MPT3SAS_FMT "Blocking the host reset\n", ioc->name); r = FAILED; Patches currently in stable-queue which might be from mauricfo(a)linux.vnet.ibm.com are queue-4.15/scsi-mpt3sas-wait-for-and-flush-running-commands-on-shutdown-unload.patch queue-4.15/scsi-mpt3sas-fix-oops-in-error-handlers-after-shutdown-unload.patch

7 years, 3 months

1
0
0 0

Patch "KVM: x86: fix backward migration with async_PF" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled KVM: x86: fix backward migration with async_PF to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: kvm-x86-fix-backward-migration-with-async_pf.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From fe2a3027e74e40a3ece3a4c1e4e51403090a907a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar(a)redhat.com> Date: Thu, 1 Feb 2018 22:16:21 +0100 Subject: KVM: x86: fix backward migration with async_PF MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Radim Krčmář <rkrcmar(a)redhat.com> commit fe2a3027e74e40a3ece3a4c1e4e51403090a907a upstream. Guests on new hypersiors might set KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT bit when enabling async_PF, but this bit is reserved on old hypervisors, which results in a failure upon migration. To avoid breaking different cases, we are checking for CPUID feature bit before enabling the feature and nothing else. Fixes: 52a5c155cf79 ("KVM: async_pf: Let guest support delivery of async_pf from guest mode") Cc: <stable(a)vger.kernel.org> Reviewed-by: Wanpeng Li <wanpengli(a)tencent.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Radim Krčmář <rkrcmar(a)redhat.com> Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> [jwang: port to 4.14] Signed-off-by: Jack Wang <jinpu.wang(a)profitbricks.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- Documentation/virtual/kvm/cpuid.txt | 4 ++++ Documentation/virtual/kvm/msr.txt | 3 ++- arch/x86/include/uapi/asm/kvm_para.h | 1 + arch/x86/kernel/kvm.c | 8 ++++---- arch/x86/kvm/cpuid.c | 3 ++- 5 files changed, 13 insertions(+), 6 deletions(-) --- a/Documentation/virtual/kvm/cpuid.txt +++ b/Documentation/virtual/kvm/cpuid.txt @@ -54,6 +54,10 @@ KVM_FEATURE_PV_UNHALT || || || before enabling paravirtualized || || spinlock support. ------------------------------------------------------------------------------ +KVM_FEATURE_ASYNC_PF_VMEXIT || 10 || paravirtualized async PF VM exit + || || can be enabled by setting bit 2 + || || when writing to msr 0x4b564d02 +------------------------------------------------------------------------------ KVM_FEATURE_CLOCKSOURCE_STABLE_BIT || 24 || host will warn if no guest-side || || per-cpu warps are expected in || || kvmclock. --- a/Documentation/virtual/kvm/msr.txt +++ b/Documentation/virtual/kvm/msr.txt @@ -170,7 +170,8 @@ MSR_KVM_ASYNC_PF_EN: 0x4b564d02 when asynchronous page faults are enabled on the vcpu 0 when disabled. Bit 1 is 1 if asynchronous page faults can be injected when vcpu is in cpl == 0. Bit 2 is 1 if asynchronous page faults - are delivered to L1 as #PF vmexits. + are delivered to L1 as #PF vmexits. Bit 2 can be set only if + KVM_FEATURE_ASYNC_PF_VMEXIT is present in CPUID. First 4 byte of 64 byte memory location will be written to by the hypervisor at the time of asynchronous page fault (APF) --- a/arch/x86/include/uapi/asm/kvm_para.h +++ b/arch/x86/include/uapi/asm/kvm_para.h @@ -25,6 +25,7 @@ #define KVM_FEATURE_STEAL_TIME 5 #define KVM_FEATURE_PV_EOI 6 #define KVM_FEATURE_PV_UNHALT 7 +#define KVM_FEATURE_ASYNC_PF_VMEXIT 10 /* The last 8 bits are used to indicate how to interpret the flags field * in pvclock structure. If no bits are set, all flags are ignored. --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -341,10 +341,10 @@ static void kvm_guest_cpu_init(void) #endif pa |= KVM_ASYNC_PF_ENABLED; - /* Async page fault support for L1 hypervisor is optional */ - if (wrmsr_safe(MSR_KVM_ASYNC_PF_EN, - (pa | KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT) & 0xffffffff, pa >> 32) < 0) - wrmsrl(MSR_KVM_ASYNC_PF_EN, pa); + if (kvm_para_has_feature(KVM_FEATURE_ASYNC_PF_VMEXIT)) + pa |= KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT; + + wrmsrl(MSR_KVM_ASYNC_PF_EN, pa); __this_cpu_write(apf_reason.enabled, 1); printk(KERN_INFO"KVM setup async PF for cpu %d\n", smp_processor_id()); --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -597,7 +597,8 @@ static inline int __do_cpuid_ent(struct (1 << KVM_FEATURE_ASYNC_PF) | (1 << KVM_FEATURE_PV_EOI) | (1 << KVM_FEATURE_CLOCKSOURCE_STABLE_BIT) | - (1 << KVM_FEATURE_PV_UNHALT); + (1 << KVM_FEATURE_PV_UNHALT) | + (1 << KVM_FEATURE_ASYNC_PF_VMEXIT); if (sched_info_on()) entry->eax |= (1 << KVM_FEATURE_STEAL_TIME); Patches currently in stable-queue which might be from rkrcmar(a)redhat.com are queue-4.15/kvm-x86-fix-backward-migration-with-async_pf.patch

7 years, 3 months

1
0
0 0

Patch "KVM: x86: fix backward migration with async_PF" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled KVM: x86: fix backward migration with async_PF to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: kvm-x86-fix-backward-migration-with-async_pf.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From fe2a3027e74e40a3ece3a4c1e4e51403090a907a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar(a)redhat.com> Date: Thu, 1 Feb 2018 22:16:21 +0100 Subject: KVM: x86: fix backward migration with async_PF MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Radim Krčmář <rkrcmar(a)redhat.com> commit fe2a3027e74e40a3ece3a4c1e4e51403090a907a upstream. Guests on new hypersiors might set KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT bit when enabling async_PF, but this bit is reserved on old hypervisors, which results in a failure upon migration. To avoid breaking different cases, we are checking for CPUID feature bit before enabling the feature and nothing else. Fixes: 52a5c155cf79 ("KVM: async_pf: Let guest support delivery of async_pf from guest mode") Cc: <stable(a)vger.kernel.org> Reviewed-by: Wanpeng Li <wanpengli(a)tencent.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Radim Krčmář <rkrcmar(a)redhat.com> Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> [jwang: port to 4.14] Signed-off-by: Jack Wang <jinpu.wang(a)profitbricks.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- Documentation/virtual/kvm/cpuid.txt | 4 ++++ Documentation/virtual/kvm/msr.txt | 3 ++- arch/x86/include/uapi/asm/kvm_para.h | 1 + arch/x86/kernel/kvm.c | 8 ++++---- arch/x86/kvm/cpuid.c | 3 ++- 5 files changed, 13 insertions(+), 6 deletions(-) --- a/Documentation/virtual/kvm/cpuid.txt +++ b/Documentation/virtual/kvm/cpuid.txt @@ -54,6 +54,10 @@ KVM_FEATURE_PV_UNHALT || || || before enabling paravirtualized || || spinlock support. ------------------------------------------------------------------------------ +KVM_FEATURE_ASYNC_PF_VMEXIT || 10 || paravirtualized async PF VM exit + || || can be enabled by setting bit 2 + || || when writing to msr 0x4b564d02 +------------------------------------------------------------------------------ KVM_FEATURE_CLOCKSOURCE_STABLE_BIT || 24 || host will warn if no guest-side || || per-cpu warps are expected in || || kvmclock. --- a/Documentation/virtual/kvm/msr.txt +++ b/Documentation/virtual/kvm/msr.txt @@ -170,7 +170,8 @@ MSR_KVM_ASYNC_PF_EN: 0x4b564d02 when asynchronous page faults are enabled on the vcpu 0 when disabled. Bit 1 is 1 if asynchronous page faults can be injected when vcpu is in cpl == 0. Bit 2 is 1 if asynchronous page faults - are delivered to L1 as #PF vmexits. + are delivered to L1 as #PF vmexits. Bit 2 can be set only if + KVM_FEATURE_ASYNC_PF_VMEXIT is present in CPUID. First 4 byte of 64 byte memory location will be written to by the hypervisor at the time of asynchronous page fault (APF) --- a/arch/x86/include/uapi/asm/kvm_para.h +++ b/arch/x86/include/uapi/asm/kvm_para.h @@ -25,6 +25,7 @@ #define KVM_FEATURE_STEAL_TIME 5 #define KVM_FEATURE_PV_EOI 6 #define KVM_FEATURE_PV_UNHALT 7 +#define KVM_FEATURE_ASYNC_PF_VMEXIT 10 /* The last 8 bits are used to indicate how to interpret the flags field * in pvclock structure. If no bits are set, all flags are ignored. --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -341,10 +341,10 @@ static void kvm_guest_cpu_init(void) #endif pa |= KVM_ASYNC_PF_ENABLED; - /* Async page fault support for L1 hypervisor is optional */ - if (wrmsr_safe(MSR_KVM_ASYNC_PF_EN, - (pa | KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT) & 0xffffffff, pa >> 32) < 0) - wrmsrl(MSR_KVM_ASYNC_PF_EN, pa); + if (kvm_para_has_feature(KVM_FEATURE_ASYNC_PF_VMEXIT)) + pa |= KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT; + + wrmsrl(MSR_KVM_ASYNC_PF_EN, pa); __this_cpu_write(apf_reason.enabled, 1); printk(KERN_INFO"KVM setup async PF for cpu %d\n", smp_processor_id()); --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -597,7 +597,8 @@ static inline int __do_cpuid_ent(struct (1 << KVM_FEATURE_ASYNC_PF) | (1 << KVM_FEATURE_PV_EOI) | (1 << KVM_FEATURE_CLOCKSOURCE_STABLE_BIT) | - (1 << KVM_FEATURE_PV_UNHALT); + (1 << KVM_FEATURE_PV_UNHALT) | + (1 << KVM_FEATURE_ASYNC_PF_VMEXIT); if (sched_info_on()) entry->eax |= (1 << KVM_FEATURE_STEAL_TIME); Patches currently in stable-queue which might be from rkrcmar(a)redhat.com are queue-4.14/kvm-x86-fix-backward-migration-with-async_pf.patch

7 years, 3 months

1
0
0 0

[PATCH 4.4 1/2] btrfs: Don't clear SGID when inheriting ACLs

by Nikolay Borisov

From: Jan Kara <jack(a)suse.cz> When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit set, DIR1 is expected to have SGID bit set (and owning group equal to the owning group of 'DIR0'). However when 'DIR0' also has some default ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on 'DIR1' to get cleared if user is not member of the owning group. Fix the problem by moving posix_acl_update_mode() out of __btrfs_set_acl() into btrfs_set_acl(). That way the function will not be called when inheriting ACLs which is what we want as it prevents SGID bit clearing and the mode has been properly set by posix_acl_create() anyway. Fixes: 073931017b49d9458aa351605b43a7e34598caef CC: stable(a)vger.kernel.org CC: linux-btrfs(a)vger.kernel.org CC: David Sterba <dsterba(a)suse.com> Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Nikolay Borisov <nborisov(a)suse.com> --- fs/btrfs/acl.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c index fb3e64d37cb4..233bbc8789e0 100644 --- a/fs/btrfs/acl.c +++ b/fs/btrfs/acl.c @@ -82,12 +82,6 @@ static int __btrfs_set_acl(struct btrfs_trans_handle *trans, switch (type) { case ACL_TYPE_ACCESS: name = POSIX_ACL_XATTR_ACCESS; - if (acl) { - ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); - if (ret) - return ret; - } - ret = 0; break; case ACL_TYPE_DEFAULT: if (!S_ISDIR(inode->i_mode)) @@ -123,6 +117,13 @@ static int __btrfs_set_acl(struct btrfs_trans_handle *trans, int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type) { + int ret; + + if (type == ACL_TYPE_ACCESS && acl) { + ret = posix_acl_update_mode(inode, &inode->i_mode, &acl); + if (ret) + return ret; + } return __btrfs_set_acl(NULL, inode, acl, type); } -- 2.7.4

7 years, 3 months

2
6
0 0

[PATCH stable 4.9 0/6] BPF stable patches

by Daniel Borkmann

All for 4.9 backported and tested. Thanks! Daniel Borkmann (5): bpf: fix wrong exposure of map_flags into fdinfo for lpm bpf: fix mlock precharge on arraymaps bpf, x64: implement retpoline for tail call bpf, arm64: fix out of bounds access in tail call bpf, ppc64: fix out of bounds access in tail call Eric Dumazet (1): bpf: add schedule points in percpu arrays management arch/arm64/net/bpf_jit_comp.c | 5 +++-- arch/powerpc/net/bpf_jit_comp64.c | 1 + arch/x86/include/asm/nospec-branch.h | 37 ++++++++++++++++++++++++++++++++++++ arch/x86/net/bpf_jit_comp.c | 9 +++++---- kernel/bpf/arraymap.c | 35 ++++++++++++++++++++++------------ kernel/bpf/stackmap.c | 1 + 6 files changed, 70 insertions(+), 18 deletions(-) -- 2.9.5

7 years, 3 months

3
16
0 0

[patch 3/8] lib/bug.c: exclude non-BUG/WARN exceptions from report_bug()

by akpm＠linux-foundation.org

From: Kees Cook <keescook(a)chromium.org> Subject: lib/bug.c: exclude non-BUG/WARN exceptions from report_bug() b8347c219649 ("x86/debug: Handle warnings before the notifier chain, to fix KGDB crash") changed the ordering of fixups, and did not take into account the case of x86 processing non-WARN() and non-BUG() exceptions. This would lead to output of a false BUG line with no other information. In the case of a refcount exception, it would be immediately followed by the refcount WARN(), producing very strange double-"cut here": lkdtm: attempting bad refcount_inc() overflow ------------[ cut here ]------------ Kernel BUG at 0000000065f29de5 [verbose debug info unavailable] ------------[ cut here ]------------ refcount_t overflow at lkdtm_REFCOUNT_INC_OVERFLOW+0x6b/0x90 in cat[3065], uid/euid: 0/0 WARNING: CPU: 0 PID: 3065 at kernel/panic.c:657 refcount_error_report+0x9a/0xa4 ... In the prior ordering, exceptions were searched first: do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str, ... if (fixup_exception(regs, trapnr)) return 0; - if (fixup_bug(regs, trapnr)) - return 0; - As a result, fixup_bugs()'s is_valid_bugaddr() didn't take into account needing to search the exception list first, since that had already happened. So, instead of searching the exception list twice (once in is_valid_bugaddr() and then again in fixup_exception()), just add a simple sanity check to report_bug() that will immediately bail out if a BUG() (or WARN()) entry is not found. Link: http://lkml.kernel.org/r/20180301225934.GA34350@beast Fixes: b8347c219649 ("x86/debug: Handle warnings before the notifier chain, to fix KGDB crash") Signed-off-by: Kees Cook <keescook(a)chromium.org> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Richard Weinberger <richard.weinberger(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/bug.c | 2 ++ 1 file changed, 2 insertions(+) diff -puN lib/bug.c~bug-exclude-non-bug-warn-exceptions-from-report_bug lib/bug.c --- a/lib/bug.c~bug-exclude-non-bug-warn-exceptions-from-report_bug +++ a/lib/bug.c @@ -150,6 +150,8 @@ enum bug_trap_type report_bug(unsigned l return BUG_TRAP_TYPE_NONE; bug = find_bug(bugaddr); + if (!bug) + return BUG_TRAP_TYPE_NONE; file = NULL; line = 0; _

7 years, 3 months

1
0
0 0

[patch 2/8] bug: use %pB in BUG and stack protector failure

by akpm＠linux-foundation.org

From: Kees Cook <keescook(a)chromium.org> Subject: bug: use %pB in BUG and stack protector failure The BUG and stack protector reports were still using a raw %p. This changes it to %pB for more meaningful output. Link: http://lkml.kernel.org/r/20180301225704.GA34198@beast Fixes: ad67b74d2469 ("printk: hash addresses printed with %p") Signed-off-by: Kees Cook <keescook(a)chromium.org> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Richard Weinberger <richard.weinberger(a)gmail.com>, Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/panic.c | 2 +- lib/bug.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff -puN kernel/panic.c~bug-use-%pb-in-bug-and-stack-protector-failure kernel/panic.c --- a/kernel/panic.c~bug-use-%pb-in-bug-and-stack-protector-failure +++ a/kernel/panic.c @@ -640,7 +640,7 @@ device_initcall(register_warn_debugfs); */ __visible void __stack_chk_fail(void) { - panic("stack-protector: Kernel stack is corrupted in: %p\n", + panic("stack-protector: Kernel stack is corrupted in: %pB\n", __builtin_return_address(0)); } EXPORT_SYMBOL(__stack_chk_fail); diff -puN lib/bug.c~bug-use-%pb-in-bug-and-stack-protector-failure lib/bug.c --- a/lib/bug.c~bug-use-%pb-in-bug-and-stack-protector-failure +++ a/lib/bug.c @@ -191,7 +191,7 @@ enum bug_trap_type report_bug(unsigned l if (file) pr_crit("kernel BUG at %s:%u!\n", file, line); else - pr_crit("Kernel BUG at %p [verbose debug info unavailable]\n", + pr_crit("Kernel BUG at %pB [verbose debug info unavailable]\n", (void *)bugaddr); return BUG_TRAP_TYPE_BUG; _

7 years, 3 months

1
0
0 0

v4.14.25 build: 0 failures 2 warnings (v4.14.25)

by Build bot for Mark Brown

Tree/Branch: v4.14.25 Git describe: v4.14.25 Commit: 8773f9bfa9 Linux 4.14.25 Build Time: 99 min 58 sec Passed: 11 / 11 (100.00 %) Failed: 0 / 11 ( 0.00 %) Errors: 0 Warnings: 2 Section Mismatches: 0 ------------------------------------------------------------------------------- defconfigs with issues (other than build errors): 1 warnings 0 mismatches : arm64-allmodconfig 1 warnings 0 mismatches : x86_64-allmodconfig ------------------------------------------------------------------------------- Warnings Summary: 2 1 drivers/target/iscsi/.tmp_iscsi_target.o: warning: objtool: iscsit_handle_task_mgt_cmd()+0x78f: sibling call from callable instruction with modified stack frame 1 ../include/linux/sched/mm.h:188:56: warning: 'noio_flag' may be used uninitialized in this function [-Wmaybe-uninitialized] =============================================================================== Detailed per-defconfig build reports below: ------------------------------------------------------------------------------- arm64-allmodconfig : PASS, 0 errors, 1 warnings, 0 section mismatches Warnings: ../include/linux/sched/mm.h:188:56: warning: 'noio_flag' may be used uninitialized in this function [-Wmaybe-uninitialized] ------------------------------------------------------------------------------- x86_64-allmodconfig : PASS, 0 errors, 1 warnings, 0 section mismatches Warnings: drivers/target/iscsi/.tmp_iscsi_target.o: warning: objtool: iscsit_handle_task_mgt_cmd()+0x78f: sibling call from callable instruction with modified stack frame ------------------------------------------------------------------------------- Passed with no errors, warnings or mismatches: arm64-allnoconfig arm-multi_v5_defconfig arm-multi_v7_defconfig x86_64-defconfig arm-allmodconfig arm-allnoconfig x86_64-allnoconfig arm-multi_v4t_defconfig arm64-defconfig close failed in file object destructor: sys.excepthook is missing lost sys.stderr

7 years, 3 months

1
0
0 0

[PATCH stable 4.14 0/8] BPF stable patches

by Daniel Borkmann

All for 4.14 backported and tested. Thanks! Daniel Borkmann (5): bpf: fix mlock precharge on arraymaps bpf, x64: implement retpoline for tail call bpf, arm64: fix out of bounds access in tail call bpf: allow xadd only on aligned memory bpf, ppc64: fix out of bounds access in tail call Eric Dumazet (1): bpf: add schedule points in percpu arrays management Yonghong Song (2): bpf: fix memory leak in lpm_trie map_free callback function bpf: fix rcu lockdep warning for lpm_trie map_free callback arch/arm64/net/bpf_jit_comp.c | 5 +- arch/powerpc/net/bpf_jit_comp64.c | 1 + arch/x86/include/asm/nospec-branch.h | 37 +++++++++++++ arch/x86/net/bpf_jit_comp.c | 9 ++-- kernel/bpf/arraymap.c | 33 +++++++----- kernel/bpf/lpm_trie.c | 14 ++--- kernel/bpf/verifier.c | 42 +++++++++------ tools/testing/selftests/bpf/test_verifier.c | 84 +++++++++++++++++++++++++++++ 8 files changed, 184 insertions(+), 41 deletions(-) -- 2.9.5

7 years, 3 months

3
17
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror