- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] Patch "afs: Connect up the CB.ProbeUuid" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled afs: Connect up the CB.ProbeUuid to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: afs-connect-up-the-cb.probeuuid.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: David Howells <dhowells(a)redhat.com> Date: Thu, 2 Nov 2017 15:27:48 +0000 Subject: afs: Connect up the CB.ProbeUuid From: David Howells <dhowells(a)redhat.com> [ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ] The handler for the CB.ProbeUuid operation in the cache manager is implemented, but isn't listed in the switch-statement of operation selection, so won't be used. Fix this by adding it. Signed-off-by: David Howells <dhowells(a)redhat.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/afs/cmservice.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/afs/cmservice.c +++ b/fs/afs/cmservice.c @@ -115,6 +115,9 @@ bool afs_cm_incoming_call(struct afs_cal case CBProbe: call->type = &afs_SRXCBProbe; return true; + case CBProbeUuid: + call->type = &afs_SRXCBProbeUuid; + return true; case CBTellMeAboutYourself: call->type = &afs_SRXCBTellMeAboutYourself; return true; Patches currently in stable-queue which might be from dhowells(a)redhat.com are queue-3.18/x.509-reject-invalid-bit-string-for-subjectpublickey.patch queue-3.18/asn.1-check-for-error-from-asn1_op_end__act-actions.patch queue-3.18/keys-add-missing-permission-check-for-request_key-destination.patch queue-3.18/afs-connect-up-the-cb.probeuuid.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 4.4 00/27] 4.4.104-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.104 release. There are 27 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Dec 6 15:59:33 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.104-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.104-rc1 Trond Myklebust <trond.myklebust(a)primarydata.com> nfsd: Fix another OPEN stateid race Trond Myklebust <trond.myklebust(a)primarydata.com> nfsd: Fix stateid races between OPEN and CLOSE Oleg Drokin <green(a)linuxhacker.ru> nfsd: Make init_open_stateid() a bit more whole Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Prevent zero length "index" write Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Don't try indexed reads to alternate slave addresses NeilBrown <neilb(a)suse.com> NFS: revalidate "." etc correctly on "open". Brent Taylor <motobud(a)gmail.com> mtd: nand: Fix writing mtdoops to nand flash. Jonathan Liu <net147(a)gmail.com> drm/panel: simple: Add missing panel_simple_unprepare() calls Roman Kapl <rka(a)sysgo.com> drm/radeon: fix atombios on big endian Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/radeon: dont switch vt on suspend" Huacai Chen <chenhc(a)lemote.com> bcache: Fix building error on MIPS Heiner Kallweit <hkallweit1(a)gmail.com> eeprom: at24: check at24_read/write arguments Adrian Hunter <adrian.hunter(a)intel.com> mmc: core: Do not leave the block driver in a suspended state Paolo Bonzini <pbonzini(a)redhat.com> KVM: x86: inject exceptions produced by x86_decode_insn Liran Alon <liran.alon(a)oracle.com> KVM: x86: Exit to user-mode on #UD intercept when emulator requires Liran Alon <liran.alon(a)oracle.com> KVM: x86: pvclock: Handle first-time write to pvclock-page contains random junk Josef Bacik <jbacik(a)fb.com> btrfs: clear space cache inode generation always chenjie <chenjie6(a)huawei.com> mm/madvise.c: fix madvise() infinite loop under special circumstances Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() Matt Fleming <matt(a)codeblueprint.co.uk> x86/efi-bgrt: Replace early_memremap() with memremap() Sai Praneeth <sai.praneeth.prakhya(a)intel.com> x86/efi-bgrt: Fix kernel panic when mapping BGRT data Adam Ford <aford173(a)gmail.com> ARM: dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio Matt Fleming <matt(a)codeblueprint.co.uk> x86/efi: Build our own page table structures Matt Fleming <matt(a)codeblueprint.co.uk> x86/efi: Hoist page table switching code into efi_call_virt() Matt Fleming <matt(a)codeblueprint.co.uk> x86/mm/pat: Ensure cpa->pfn only contains page frame numbers Herbert Xu <herbert(a)gondor.apana.org.au> ipsec: Fix aborted xfrm policy dump crash Tom Herbert <tom(a)herbertland.com> netlink: add a start callback for starting a netlink dump ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/logicpd-torpedo-37xx-devkit.dts | 2 +- arch/x86/include/asm/efi.h | 26 ++++ arch/x86/kvm/svm.c | 2 + arch/x86/kvm/vmx.c | 2 + arch/x86/kvm/x86.c | 5 + arch/x86/mm/pageattr.c | 17 +-- arch/x86/platform/efi/efi-bgrt.c | 39 +++--- arch/x86/platform/efi/efi.c | 39 +++--- arch/x86/platform/efi/efi_32.c | 5 + arch/x86/platform/efi/efi_64.c | 137 ++++++++++++++++------ arch/x86/platform/efi/efi_stub_64.S | 43 ------- drivers/firmware/efi/efi.c | 32 ----- drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 38 +++--- drivers/gpu/drm/i915/intel_i2c.c | 4 +- drivers/gpu/drm/panel/panel-simple.c | 2 + drivers/gpu/drm/radeon/atombios_dp.c | 38 +++--- drivers/gpu/drm/radeon/radeon_fb.c | 1 - drivers/md/bcache/alloc.c | 2 +- drivers/md/bcache/extents.c | 2 +- drivers/md/bcache/journal.c | 2 +- drivers/misc/eeprom/at24.c | 6 + drivers/mmc/core/bus.c | 3 + drivers/mtd/nand/nand_base.c | 9 +- fs/btrfs/extent-tree.c | 14 +-- fs/nfs/dir.c | 3 +- fs/nfsd/nfs4state.c | 114 ++++++++++++------ include/linux/netlink.h | 2 + include/net/genetlink.h | 2 + include/uapi/linux/bcache.h | 2 +- mm/huge_memory.c | 14 +-- mm/madvise.c | 4 +- net/netlink/af_netlink.c | 4 + net/netlink/genetlink.c | 16 +++ net/xfrm/xfrm_user.c | 25 ++-- 35 files changed, 373 insertions(+), 287 deletions(-)

7 years, 9 months

7
29
0 0

[Linux-stable-mirror] Patch "Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers"" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers" to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: revert-x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-numbers.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:26:14 CET 2017 From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Date: Thu, 14 Dec 2017 21:25:00 +0100 Subject: Revert "x86/mm/pat: Ensure cpa->pfn only contains page frame numbers" From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> This reverts commit 87e2bd898d3a79a8c609f183180adac47879a2a4 which is commit edc3b9129cecd0f0857112136f5b8b1bc1d45918 upstream. Turns there was too many other issues with this patch to make it viable for the stable tree. Reported-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Cc: Matt Fleming <matt(a)codeblueprint.co.uk> Cc: Borislav Petkov <bp(a)suse.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Andy Lutomirski <luto(a)amacapital.net> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Dave Jones <davej(a)codemonkey.org.uk> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya(a)intel.com> Cc: Stephen Smalley <sds(a)tycho.nsa.gov> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Toshi Kani <toshi.kani(a)hp.com> Cc: linux-efi(a)vger.kernel.org Cc: Ingo Molnar <mingo(a)kernel.org> Cc: "Ghannam, Yazen" <Yazen.Ghannam(a)amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/mm/pageattr.c | 17 +++++++++++------ arch/x86/platform/efi/efi_64.c | 16 ++++++---------- 2 files changed, 17 insertions(+), 16 deletions(-) --- a/arch/x86/mm/pageattr.c +++ b/arch/x86/mm/pageattr.c @@ -911,10 +911,15 @@ static void populate_pte(struct cpa_data pte = pte_offset_kernel(pmd, start); while (num_pages-- && start < end) { - set_pte(pte, pfn_pte(cpa->pfn, pgprot)); + + /* deal with the NX bit */ + if (!(pgprot_val(pgprot) & _PAGE_NX)) + cpa->pfn &= ~_PAGE_NX; + + set_pte(pte, pfn_pte(cpa->pfn >> PAGE_SHIFT, pgprot)); start += PAGE_SIZE; - cpa->pfn++; + cpa->pfn += PAGE_SIZE; pte++; } } @@ -970,11 +975,11 @@ static int populate_pmd(struct cpa_data pmd = pmd_offset(pud, start); - set_pmd(pmd, __pmd(cpa->pfn << PAGE_SHIFT | _PAGE_PSE | + set_pmd(pmd, __pmd(cpa->pfn | _PAGE_PSE | massage_pgprot(pmd_pgprot))); start += PMD_SIZE; - cpa->pfn += PMD_SIZE >> PAGE_SHIFT; + cpa->pfn += PMD_SIZE; cur_pages += PMD_SIZE >> PAGE_SHIFT; } @@ -1043,11 +1048,11 @@ static int populate_pud(struct cpa_data * Map everything starting from the Gb boundary, possibly with 1G pages */ while (end - start >= PUD_SIZE) { - set_pud(pud, __pud(cpa->pfn << PAGE_SHIFT | _PAGE_PSE | + set_pud(pud, __pud(cpa->pfn | _PAGE_PSE | massage_pgprot(pud_pgprot))); start += PUD_SIZE; - cpa->pfn += PUD_SIZE >> PAGE_SHIFT; + cpa->pfn += PUD_SIZE; cur_pages += PUD_SIZE >> PAGE_SHIFT; pud++; } --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -143,7 +143,7 @@ void efi_sync_low_kernel_mappings(void) int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) { - unsigned long pfn, text; + unsigned long text; struct page *page; unsigned npages; pgd_t *pgd; @@ -160,8 +160,7 @@ int __init efi_setup_page_tables(unsigne * and ident-map those pages containing the map before calling * phys_efi_set_virtual_address_map(). */ - pfn = pa_memmap >> PAGE_SHIFT; - if (kernel_map_pages_in_pgd(pgd, pfn, pa_memmap, num_pages, _PAGE_NX)) { + if (kernel_map_pages_in_pgd(pgd, pa_memmap, pa_memmap, num_pages, _PAGE_NX)) { pr_err("Error ident-mapping new memmap (0x%lx)!\n", pa_memmap); return 1; } @@ -186,9 +185,8 @@ int __init efi_setup_page_tables(unsigne npages = (_end - _text) >> PAGE_SHIFT; text = __pa(_text); - pfn = text >> PAGE_SHIFT; - if (kernel_map_pages_in_pgd(pgd, pfn, text, npages, 0)) { + if (kernel_map_pages_in_pgd(pgd, text >> PAGE_SHIFT, text, npages, 0)) { pr_err("Failed to map kernel text 1:1\n"); return 1; } @@ -206,14 +204,12 @@ void __init efi_cleanup_page_tables(unsi static void __init __map_region(efi_memory_desc_t *md, u64 va) { pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); - unsigned long flags = 0; - unsigned long pfn; + unsigned long pf = 0; if (!(md->attribute & EFI_MEMORY_WB)) - flags |= _PAGE_PCD; + pf |= _PAGE_PCD; - pfn = md->phys_addr >> PAGE_SHIFT; - if (kernel_map_pages_in_pgd(pgd, pfn, va, md->num_pages, flags)) + if (kernel_map_pages_in_pgd(pgd, md->phys_addr, va, md->num_pages, pf)) pr_warn("Error mapping PA 0x%llx -> VA 0x%llx!\n", md->phys_addr, va); } Patches currently in stable-queue which might be from gregkh(a)linuxfoundation.org are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch queue-4.4/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch queue-4.4/atm-horizon-fix-irq-release-error.patch queue-4.4/x.509-reject-invalid-bit-string-for-subjectpublickey.patch queue-4.4/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch queue-4.4/ipvlan-fix-ipv6-outbound-device.patch queue-4.4/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch queue-4.4/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch queue-4.4/asn.1-check-for-error-from-asn1_op_end__act-actions.patch queue-4.4/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/s390-always-save-and-restore-all-registers-on-context-switch.patch queue-4.4/alsa-seq-remove-spurious-warn_on-at-timer-check.patch queue-4.4/revert-x86-efi-build-our-own-page-table-structures.patch queue-4.4/more-bio_map_user_iov-leak-fixes.patch queue-4.4/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch queue-4.4/s390-fix-compat-system-call-table.patch queue-4.4/netfilter-don-t-track-fragmented-packets.patch queue-4.4/block-wake-up-all-tasks-blocked-in-get_request.patch queue-4.4/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch queue-4.4/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.4/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch queue-4.4/arm-omap2-fix-device-node-reference-counts.patch queue-4.4/can-ti_hecc-fix-napi-poll-return-value-for-repoll.patch queue-4.4/iommu-vt-d-fix-scatterlist-offset-handling.patch queue-4.4/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch queue-4.4/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.4/drm-extra-printk-wrapper-macros.patch queue-4.4/mm-drop-unused-pmdp_huge_get_and_clear_notify.patch queue-4.4/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch queue-4.4/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch queue-4.4/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch queue-4.4/axonram-fix-gendisk-handling.patch queue-4.4/alsa-usb-audio-add-check-return-value-for-usb_string.patch queue-4.4/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch queue-4.4/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch queue-4.4/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch queue-4.4/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch queue-4.4/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch queue-4.4/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch queue-4.4/thp-fix-madv_dontneed-vs.-numa-balancing-race.patch queue-4.4/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch queue-4.4/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch queue-4.4/sunrpc-fix-rpc_task_begin-trace-point.patch queue-4.4/arm-kvm-survive-unknown-traps-from-guests.patch queue-4.4/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch queue-4.4/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch queue-4.4/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch queue-4.4/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch queue-4.4/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch queue-4.4/thp-reduce-indentation-level-in-change_huge_pmd.patch queue-4.4/revert-x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-numbers.patch queue-4.4/afs-connect-up-the-cb.probeuuid.patch queue-4.4/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch queue-4.4/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.4/sit-update-frag_off-info.patch queue-4.4/packet-fix-crash-in-fanout_demux_rollover.patch queue-4.4/module-set-__jump_table-alignment-to-8.patch queue-4.4/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch queue-4.4/x86-hpet-prevent-might-sleep-splat-on-resume.patch queue-4.4/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch queue-4.4/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch queue-4.4/efi-move-some-sysfs-files-to-be-read-only-by-root.patch queue-4.4/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-4.4/virtio-release-virtio-index-when-fail-to-device_register.patch queue-4.4/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch queue-4.4/nfs-fix-a-typo-in-nfs_rename.patch queue-4.4/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.4/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch queue-4.4/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch queue-4.4/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch queue-4.4/route-also-update-fnhe_genid-when-updating-a-route-cache.patch queue-4.4/selftest-powerpc-fix-false-failures-for-skipped-tests.patch queue-4.4/revert-x86-efi-hoist-page-table-switching-code-into-efi_call_virt.patch queue-4.4/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch queue-4.4/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch queue-4.4/arm-avoid-faulting-on-qemu.patch queue-4.4/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch queue-4.4/jump_label-invoke-jump_label_test-via-early_initcall.patch queue-4.4/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch queue-4.4/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch queue-4.4/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-4.4/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch queue-4.4/irqchip-crossbar-fix-incorrect-type-of-register-size.patch queue-4.4/ipmi-stop-timers-before-cleaning-up-the-module.patch queue-4.4/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch queue-4.4/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch queue-4.4/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch queue-4.4/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch queue-4.4/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch queue-4.4/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch queue-4.4/alsa-usb-audio-fix-out-of-bound-error.patch queue-4.4/arm64-kvm-survive-unknown-traps-from-guests.patch queue-4.4/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch queue-4.4/arm-bug-if-jumping-to-usermode-address-in-kernel-mode.patch queue-4.4/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch queue-4.4/i2c-riic-fix-restart-condition.patch queue-4.4/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch queue-4.4/usb-gadget-configs-plug-memory-leak.patch queue-4.4/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch queue-4.4/revert-drm-armada-fix-compile-fail.patch queue-4.4/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch queue-4.4/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "Revert "x86/efi: Hoist page table switching code into efi_call_virt()"" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Revert "x86/efi: Hoist page table switching code into efi_call_virt()" to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: revert-x86-efi-hoist-page-table-switching-code-into-efi_call_virt.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:26:14 CET 2017 From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Date: Thu, 14 Dec 2017 21:23:48 +0100 Subject: Revert "x86/efi: Hoist page table switching code into efi_call_virt()" From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> This reverts commit b73adb60852034d84092d123b323196ca42529cd which is commit c9f2a9a65e4855b74d92cdad688f6ee4a1a323ff upstream. Turns there was too many other issues with this patch to make it viable for the stable tree. Reported-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Cc: Matt Fleming <matt(a)codeblueprint.co.uk> Cc: Borislav Petkov <bp(a)suse.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Andy Lutomirski <luto(a)amacapital.net> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Dave Jones <davej(a)codemonkey.org.uk> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya(a)intel.com> Cc: Stephen Smalley <sds(a)tycho.nsa.gov> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Toshi Kani <toshi.kani(a)hp.com> Cc: linux-efi(a)vger.kernel.org Cc: Ingo Molnar <mingo(a)kernel.org> Cc: "Ghannam, Yazen" <Yazen.Ghannam(a)amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/efi.h | 25 -------------------- arch/x86/platform/efi/efi_64.c | 24 ++++++++++---------- arch/x86/platform/efi/efi_stub_64.S | 43 ++++++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 36 deletions(-) --- a/arch/x86/include/asm/efi.h +++ b/arch/x86/include/asm/efi.h @@ -3,7 +3,6 @@ #include <asm/fpu/api.h> #include <asm/pgtable.h> -#include <asm/tlb.h> /* * We map the EFI regions needed for runtime services non-contiguously, @@ -65,17 +64,6 @@ extern u64 asmlinkage efi_call(void *fp, #define efi_call_phys(f, args...) efi_call((f), args) -/* - * Scratch space used for switching the pagetable in the EFI stub - */ -struct efi_scratch { - u64 r15; - u64 prev_cr3; - pgd_t *efi_pgt; - bool use_pgd; - u64 phys_stack; -} __packed; - #define efi_call_virt(f, ...) \ ({ \ efi_status_t __s; \ @@ -83,20 +71,7 @@ struct efi_scratch { efi_sync_low_kernel_mappings(); \ preempt_disable(); \ __kernel_fpu_begin(); \ - \ - if (efi_scratch.use_pgd) { \ - efi_scratch.prev_cr3 = read_cr3(); \ - write_cr3((unsigned long)efi_scratch.efi_pgt); \ - __flush_tlb_all(); \ - } \ - \ __s = efi_call((void *)efi.systab->runtime->f, __VA_ARGS__); \ - \ - if (efi_scratch.use_pgd) { \ - write_cr3(efi_scratch.prev_cr3); \ - __flush_tlb_all(); \ - } \ - \ __kernel_fpu_end(); \ preempt_enable(); \ __s; \ --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -47,7 +47,16 @@ */ static u64 efi_va = EFI_VA_START; -struct efi_scratch efi_scratch; +/* + * Scratch space used for switching the pagetable in the EFI stub + */ +struct efi_scratch { + u64 r15; + u64 prev_cr3; + pgd_t *efi_pgt; + bool use_pgd; + u64 phys_stack; +} __packed; static void __init early_code_mapping_set_exec(int executable) { @@ -74,11 +83,8 @@ pgd_t * __init efi_call_phys_prolog(void int pgd; int n_pgds; - if (!efi_enabled(EFI_OLD_MEMMAP)) { - save_pgd = (pgd_t *)read_cr3(); - write_cr3((unsigned long)efi_scratch.efi_pgt); - goto out; - } + if (!efi_enabled(EFI_OLD_MEMMAP)) + return NULL; early_code_mapping_set_exec(1); @@ -90,7 +96,6 @@ pgd_t * __init efi_call_phys_prolog(void vaddress = (unsigned long)__va(pgd * PGDIR_SIZE); set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress)); } -out: __flush_tlb_all(); return save_pgd; @@ -104,11 +109,8 @@ void __init efi_call_phys_epilog(pgd_t * int pgd_idx; int nr_pgds; - if (!efi_enabled(EFI_OLD_MEMMAP)) { - write_cr3((unsigned long)save_pgd); - __flush_tlb_all(); + if (!save_pgd) return; - } nr_pgds = DIV_ROUND_UP((max_pfn << PAGE_SHIFT) , PGDIR_SIZE); --- a/arch/x86/platform/efi/efi_stub_64.S +++ b/arch/x86/platform/efi/efi_stub_64.S @@ -38,6 +38,41 @@ mov %rsi, %cr0; \ mov (%rsp), %rsp + /* stolen from gcc */ + .macro FLUSH_TLB_ALL + movq %r15, efi_scratch(%rip) + movq %r14, efi_scratch+8(%rip) + movq %cr4, %r15 + movq %r15, %r14 + andb $0x7f, %r14b + movq %r14, %cr4 + movq %r15, %cr4 + movq efi_scratch+8(%rip), %r14 + movq efi_scratch(%rip), %r15 + .endm + + .macro SWITCH_PGT + cmpb $0, efi_scratch+24(%rip) + je 1f + movq %r15, efi_scratch(%rip) # r15 + # save previous CR3 + movq %cr3, %r15 + movq %r15, efi_scratch+8(%rip) # prev_cr3 + movq efi_scratch+16(%rip), %r15 # EFI pgt + movq %r15, %cr3 + 1: + .endm + + .macro RESTORE_PGT + cmpb $0, efi_scratch+24(%rip) + je 2f + movq efi_scratch+8(%rip), %r15 + movq %r15, %cr3 + movq efi_scratch(%rip), %r15 + FLUSH_TLB_ALL + 2: + .endm + ENTRY(efi_call) SAVE_XMM mov (%rsp), %rax @@ -48,8 +83,16 @@ ENTRY(efi_call) mov %r8, %r9 mov %rcx, %r8 mov %rsi, %rcx + SWITCH_PGT call *%rdi + RESTORE_PGT addq $48, %rsp RESTORE_XMM ret ENDPROC(efi_call) + + .data +ENTRY(efi_scratch) + .fill 3,8,0 + .byte 0 + .quad 0 Patches currently in stable-queue which might be from gregkh(a)linuxfoundation.org are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch queue-4.4/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch queue-4.4/atm-horizon-fix-irq-release-error.patch queue-4.4/x.509-reject-invalid-bit-string-for-subjectpublickey.patch queue-4.4/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch queue-4.4/ipvlan-fix-ipv6-outbound-device.patch queue-4.4/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch queue-4.4/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch queue-4.4/asn.1-check-for-error-from-asn1_op_end__act-actions.patch queue-4.4/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/s390-always-save-and-restore-all-registers-on-context-switch.patch queue-4.4/alsa-seq-remove-spurious-warn_on-at-timer-check.patch queue-4.4/revert-x86-efi-build-our-own-page-table-structures.patch queue-4.4/more-bio_map_user_iov-leak-fixes.patch queue-4.4/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch queue-4.4/s390-fix-compat-system-call-table.patch queue-4.4/netfilter-don-t-track-fragmented-packets.patch queue-4.4/block-wake-up-all-tasks-blocked-in-get_request.patch queue-4.4/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch queue-4.4/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.4/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch queue-4.4/arm-omap2-fix-device-node-reference-counts.patch queue-4.4/can-ti_hecc-fix-napi-poll-return-value-for-repoll.patch queue-4.4/iommu-vt-d-fix-scatterlist-offset-handling.patch queue-4.4/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch queue-4.4/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.4/drm-extra-printk-wrapper-macros.patch queue-4.4/mm-drop-unused-pmdp_huge_get_and_clear_notify.patch queue-4.4/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch queue-4.4/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch queue-4.4/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch queue-4.4/axonram-fix-gendisk-handling.patch queue-4.4/alsa-usb-audio-add-check-return-value-for-usb_string.patch queue-4.4/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch queue-4.4/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch queue-4.4/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch queue-4.4/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch queue-4.4/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch queue-4.4/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch queue-4.4/thp-fix-madv_dontneed-vs.-numa-balancing-race.patch queue-4.4/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch queue-4.4/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch queue-4.4/sunrpc-fix-rpc_task_begin-trace-point.patch queue-4.4/arm-kvm-survive-unknown-traps-from-guests.patch queue-4.4/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch queue-4.4/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch queue-4.4/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch queue-4.4/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch queue-4.4/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch queue-4.4/thp-reduce-indentation-level-in-change_huge_pmd.patch queue-4.4/revert-x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-numbers.patch queue-4.4/afs-connect-up-the-cb.probeuuid.patch queue-4.4/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch queue-4.4/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.4/sit-update-frag_off-info.patch queue-4.4/packet-fix-crash-in-fanout_demux_rollover.patch queue-4.4/module-set-__jump_table-alignment-to-8.patch queue-4.4/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch queue-4.4/x86-hpet-prevent-might-sleep-splat-on-resume.patch queue-4.4/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch queue-4.4/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch queue-4.4/efi-move-some-sysfs-files-to-be-read-only-by-root.patch queue-4.4/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-4.4/virtio-release-virtio-index-when-fail-to-device_register.patch queue-4.4/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch queue-4.4/nfs-fix-a-typo-in-nfs_rename.patch queue-4.4/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.4/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch queue-4.4/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch queue-4.4/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch queue-4.4/route-also-update-fnhe_genid-when-updating-a-route-cache.patch queue-4.4/selftest-powerpc-fix-false-failures-for-skipped-tests.patch queue-4.4/revert-x86-efi-hoist-page-table-switching-code-into-efi_call_virt.patch queue-4.4/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch queue-4.4/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch queue-4.4/arm-avoid-faulting-on-qemu.patch queue-4.4/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch queue-4.4/jump_label-invoke-jump_label_test-via-early_initcall.patch queue-4.4/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch queue-4.4/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch queue-4.4/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-4.4/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch queue-4.4/irqchip-crossbar-fix-incorrect-type-of-register-size.patch queue-4.4/ipmi-stop-timers-before-cleaning-up-the-module.patch queue-4.4/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch queue-4.4/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch queue-4.4/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch queue-4.4/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch queue-4.4/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch queue-4.4/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch queue-4.4/alsa-usb-audio-fix-out-of-bound-error.patch queue-4.4/arm64-kvm-survive-unknown-traps-from-guests.patch queue-4.4/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch queue-4.4/arm-bug-if-jumping-to-usermode-address-in-kernel-mode.patch queue-4.4/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch queue-4.4/i2c-riic-fix-restart-condition.patch queue-4.4/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch queue-4.4/usb-gadget-configs-plug-memory-leak.patch queue-4.4/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch queue-4.4/revert-drm-armada-fix-compile-fail.patch queue-4.4/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch queue-4.4/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "Revert "x86/efi: Build our own page table structures"" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Revert "x86/efi: Build our own page table structures" to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: revert-x86-efi-build-our-own-page-table-structures.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:26:14 CET 2017 From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Date: Thu, 14 Dec 2017 21:21:50 +0100 Subject: Revert "x86/efi: Build our own page table structures" From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> This reverts commit 36e0f05afd4e1d09fd47936761a502aedbc50649 which is commit 67a9108ed4313b85a9c53406d80dc1ae3f8c3e36 upstream. Turns there was too many other issues with this patch to make it viable for the stable tree. Reported-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Cc: Matt Fleming <matt(a)codeblueprint.co.uk> Cc: Borislav Petkov <bp(a)suse.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Andy Lutomirski <luto(a)amacapital.net> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> Cc: Borislav Petkov <bp(a)alien8.de> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Dave Jones <davej(a)codemonkey.org.uk> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya(a)intel.com> Cc: Stephen Smalley <sds(a)tycho.nsa.gov> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Toshi Kani <toshi.kani(a)hp.com> Cc: linux-efi(a)vger.kernel.org Cc: Ingo Molnar <mingo(a)kernel.org> Cc: "Ghannam, Yazen" <Yazen.Ghannam(a)amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/include/asm/efi.h | 1 arch/x86/platform/efi/efi.c | 39 ++++++++++------ arch/x86/platform/efi/efi_32.c | 5 -- arch/x86/platform/efi/efi_64.c | 97 ++++++----------------------------------- 4 files changed, 40 insertions(+), 102 deletions(-) --- a/arch/x86/include/asm/efi.h +++ b/arch/x86/include/asm/efi.h @@ -136,7 +136,6 @@ extern void __init efi_memory_uc(u64 add extern void __init efi_map_region(efi_memory_desc_t *md); extern void __init efi_map_region_fixed(efi_memory_desc_t *md); extern void efi_sync_low_kernel_mappings(void); -extern int __init efi_alloc_page_tables(void); extern int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages); extern void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages); extern void __init old_map_region(efi_memory_desc_t *md); --- a/arch/x86/platform/efi/efi.c +++ b/arch/x86/platform/efi/efi.c @@ -869,7 +869,7 @@ static void __init kexec_enter_virtual_m * This function will switch the EFI runtime services to virtual mode. * Essentially, we look through the EFI memmap and map every region that * has the runtime attribute bit set in its memory descriptor into the - * efi_pgd page table. + * ->trampoline_pgd page table using a top-down VA allocation scheme. * * The old method which used to update that memory descriptor with the * virtual address obtained from ioremap() is still supported when the @@ -879,8 +879,8 @@ static void __init kexec_enter_virtual_m * * The new method does a pagetable switch in a preemption-safe manner * so that we're in a different address space when calling a runtime - * function. For function arguments passing we do copy the PUDs of the - * kernel page table into efi_pgd prior to each call. + * function. For function arguments passing we do copy the PGDs of the + * kernel page table into ->trampoline_pgd prior to each call. * * Specially for kexec boot, efi runtime maps in previous kernel should * be passed in via setup_data. In that case runtime ranges will be mapped @@ -895,12 +895,6 @@ static void __init __efi_enter_virtual_m efi.systab = NULL; - if (efi_alloc_page_tables()) { - pr_err("Failed to allocate EFI page tables\n"); - clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); - return; - } - efi_merge_regions(); new_memmap = efi_map_regions(&count, &pg_shift); if (!new_memmap) { @@ -960,11 +954,28 @@ static void __init __efi_enter_virtual_m efi_runtime_mkexec(); /* - * We mapped the descriptor array into the EFI pagetable above - * but we're not unmapping it here because if we're running in - * EFI mixed mode we need all of memory to be accessible when - * we pass parameters to the EFI runtime services in the - * thunking code. + * We mapped the descriptor array into the EFI pagetable above but we're + * not unmapping it here. Here's why: + * + * We're copying select PGDs from the kernel page table to the EFI page + * table and when we do so and make changes to those PGDs like unmapping + * stuff from them, those changes appear in the kernel page table and we + * go boom. + * + * From setup_real_mode(): + * + * ... + * trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd; + * + * In this particular case, our allocation is in PGD 0 of the EFI page + * table but we've copied that PGD from PGD[272] of the EFI page table: + * + * pgd_index(__PAGE_OFFSET = 0xffff880000000000) = 272 + * + * where the direct memory mapping in kernel space is. + * + * new_memmap's VA comes from that direct mapping and thus clearing it, + * it would get cleared in the kernel page table too. * * efi_cleanup_page_tables(__pa(new_memmap), 1 << pg_shift); */ --- a/arch/x86/platform/efi/efi_32.c +++ b/arch/x86/platform/efi/efi_32.c @@ -38,11 +38,6 @@ * say 0 - 3G. */ -int __init efi_alloc_page_tables(void) -{ - return 0; -} - void efi_sync_low_kernel_mappings(void) {} void __init efi_dump_pagetable(void) {} int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -40,7 +40,6 @@ #include <asm/fixmap.h> #include <asm/realmode.h> #include <asm/time.h> -#include <asm/pgalloc.h> /* * We allocate runtime services regions bottom-up, starting from -4G, i.e. @@ -122,92 +121,22 @@ void __init efi_call_phys_epilog(pgd_t * early_code_mapping_set_exec(0); } -static pgd_t *efi_pgd; - -/* - * We need our own copy of the higher levels of the page tables - * because we want to avoid inserting EFI region mappings (EFI_VA_END - * to EFI_VA_START) into the standard kernel page tables. Everything - * else can be shared, see efi_sync_low_kernel_mappings(). - */ -int __init efi_alloc_page_tables(void) -{ - pgd_t *pgd; - pud_t *pud; - gfp_t gfp_mask; - - if (efi_enabled(EFI_OLD_MEMMAP)) - return 0; - - gfp_mask = GFP_KERNEL | __GFP_NOTRACK | __GFP_REPEAT | __GFP_ZERO; - efi_pgd = (pgd_t *)__get_free_page(gfp_mask); - if (!efi_pgd) - return -ENOMEM; - - pgd = efi_pgd + pgd_index(EFI_VA_END); - - pud = pud_alloc_one(NULL, 0); - if (!pud) { - free_page((unsigned long)efi_pgd); - return -ENOMEM; - } - - pgd_populate(NULL, pgd, pud); - - return 0; -} - /* * Add low kernel mappings for passing arguments to EFI functions. */ void efi_sync_low_kernel_mappings(void) { - unsigned num_entries; - pgd_t *pgd_k, *pgd_efi; - pud_t *pud_k, *pud_efi; + unsigned num_pgds; + pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); if (efi_enabled(EFI_OLD_MEMMAP)) return; - /* - * We can share all PGD entries apart from the one entry that - * covers the EFI runtime mapping space. - * - * Make sure the EFI runtime region mappings are guaranteed to - * only span a single PGD entry and that the entry also maps - * other important kernel regions. - */ - BUILD_BUG_ON(pgd_index(EFI_VA_END) != pgd_index(MODULES_END)); - BUILD_BUG_ON((EFI_VA_START & PGDIR_MASK) != - (EFI_VA_END & PGDIR_MASK)); - - pgd_efi = efi_pgd + pgd_index(PAGE_OFFSET); - pgd_k = pgd_offset_k(PAGE_OFFSET); - - num_entries = pgd_index(EFI_VA_END) - pgd_index(PAGE_OFFSET); - memcpy(pgd_efi, pgd_k, sizeof(pgd_t) * num_entries); - - /* - * We share all the PUD entries apart from those that map the - * EFI regions. Copy around them. - */ - BUILD_BUG_ON((EFI_VA_START & ~PUD_MASK) != 0); - BUILD_BUG_ON((EFI_VA_END & ~PUD_MASK) != 0); - - pgd_efi = efi_pgd + pgd_index(EFI_VA_END); - pud_efi = pud_offset(pgd_efi, 0); - - pgd_k = pgd_offset_k(EFI_VA_END); - pud_k = pud_offset(pgd_k, 0); - - num_entries = pud_index(EFI_VA_END); - memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries); + num_pgds = pgd_index(MODULES_END - 1) - pgd_index(PAGE_OFFSET); - pud_efi = pud_offset(pgd_efi, EFI_VA_START); - pud_k = pud_offset(pgd_k, EFI_VA_START); - - num_entries = PTRS_PER_PUD - pud_index(EFI_VA_START); - memcpy(pud_efi, pud_k, sizeof(pud_t) * num_entries); + memcpy(pgd + pgd_index(PAGE_OFFSET), + init_mm.pgd + pgd_index(PAGE_OFFSET), + sizeof(pgd_t) * num_pgds); } int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) @@ -220,8 +149,8 @@ int __init efi_setup_page_tables(unsigne if (efi_enabled(EFI_OLD_MEMMAP)) return 0; - efi_scratch.efi_pgt = (pgd_t *)__pa(efi_pgd); - pgd = efi_pgd; + efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd; + pgd = __va(efi_scratch.efi_pgt); /* * It can happen that the physical address of new_memmap lands in memory @@ -267,14 +196,16 @@ int __init efi_setup_page_tables(unsigne void __init efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages) { - kernel_unmap_pages_in_pgd(efi_pgd, pa_memmap, num_pages); + pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); + + kernel_unmap_pages_in_pgd(pgd, pa_memmap, num_pages); } static void __init __map_region(efi_memory_desc_t *md, u64 va) { + pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); unsigned long flags = 0; unsigned long pfn; - pgd_t *pgd = efi_pgd; if (!(md->attribute & EFI_MEMORY_WB)) flags |= _PAGE_PCD; @@ -383,7 +314,9 @@ void __init efi_runtime_mkexec(void) void __init efi_dump_pagetable(void) { #ifdef CONFIG_EFI_PGT_DUMP - ptdump_walk_pgd_level(NULL, efi_pgd); + pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); + + ptdump_walk_pgd_level(NULL, pgd); #endif } Patches currently in stable-queue which might be from gregkh(a)linuxfoundation.org are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch queue-4.4/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch queue-4.4/atm-horizon-fix-irq-release-error.patch queue-4.4/x.509-reject-invalid-bit-string-for-subjectpublickey.patch queue-4.4/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch queue-4.4/ipvlan-fix-ipv6-outbound-device.patch queue-4.4/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch queue-4.4/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch queue-4.4/asn.1-check-for-error-from-asn1_op_end__act-actions.patch queue-4.4/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/s390-always-save-and-restore-all-registers-on-context-switch.patch queue-4.4/alsa-seq-remove-spurious-warn_on-at-timer-check.patch queue-4.4/revert-x86-efi-build-our-own-page-table-structures.patch queue-4.4/more-bio_map_user_iov-leak-fixes.patch queue-4.4/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch queue-4.4/s390-fix-compat-system-call-table.patch queue-4.4/netfilter-don-t-track-fragmented-packets.patch queue-4.4/block-wake-up-all-tasks-blocked-in-get_request.patch queue-4.4/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch queue-4.4/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.4/scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch queue-4.4/arm-omap2-fix-device-node-reference-counts.patch queue-4.4/can-ti_hecc-fix-napi-poll-return-value-for-repoll.patch queue-4.4/iommu-vt-d-fix-scatterlist-offset-handling.patch queue-4.4/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch queue-4.4/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.4/drm-extra-printk-wrapper-macros.patch queue-4.4/mm-drop-unused-pmdp_huge_get_and_clear_notify.patch queue-4.4/alsa-pcm-prevent-uaf-in-snd_pcm_info.patch queue-4.4/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch queue-4.4/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.4/isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch queue-4.4/axonram-fix-gendisk-handling.patch queue-4.4/alsa-usb-audio-add-check-return-value-for-usb_string.patch queue-4.4/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch queue-4.4/scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch queue-4.4/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch queue-4.4/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch queue-4.4/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch queue-4.4/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch queue-4.4/thp-fix-madv_dontneed-vs.-numa-balancing-race.patch queue-4.4/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch queue-4.4/kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch queue-4.4/sunrpc-fix-rpc_task_begin-trace-point.patch queue-4.4/arm-kvm-survive-unknown-traps-from-guests.patch queue-4.4/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch queue-4.4/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch queue-4.4/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch queue-4.4/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch queue-4.4/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch queue-4.4/thp-reduce-indentation-level-in-change_huge_pmd.patch queue-4.4/revert-x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-numbers.patch queue-4.4/afs-connect-up-the-cb.probeuuid.patch queue-4.4/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch queue-4.4/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.4/sit-update-frag_off-info.patch queue-4.4/packet-fix-crash-in-fanout_demux_rollover.patch queue-4.4/module-set-__jump_table-alignment-to-8.patch queue-4.4/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch queue-4.4/x86-hpet-prevent-might-sleep-splat-on-resume.patch queue-4.4/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch queue-4.4/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch queue-4.4/efi-move-some-sysfs-files-to-be-read-only-by-root.patch queue-4.4/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-4.4/virtio-release-virtio-index-when-fail-to-device_register.patch queue-4.4/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch queue-4.4/nfs-fix-a-typo-in-nfs_rename.patch queue-4.4/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.4/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch queue-4.4/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch queue-4.4/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch queue-4.4/route-also-update-fnhe_genid-when-updating-a-route-cache.patch queue-4.4/selftest-powerpc-fix-false-failures-for-skipped-tests.patch queue-4.4/revert-x86-efi-hoist-page-table-switching-code-into-efi_call_virt.patch queue-4.4/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch queue-4.4/scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch queue-4.4/arm-avoid-faulting-on-qemu.patch queue-4.4/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch queue-4.4/jump_label-invoke-jump_label_test-via-early_initcall.patch queue-4.4/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch queue-4.4/scsi-storvsc-workaround-for-virtual-dvd-scsi-version.patch queue-4.4/arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch queue-4.4/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch queue-4.4/irqchip-crossbar-fix-incorrect-type-of-register-size.patch queue-4.4/ipmi-stop-timers-before-cleaning-up-the-module.patch queue-4.4/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch queue-4.4/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch queue-4.4/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch queue-4.4/drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch queue-4.4/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch queue-4.4/arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch queue-4.4/alsa-usb-audio-fix-out-of-bound-error.patch queue-4.4/arm64-kvm-survive-unknown-traps-from-guests.patch queue-4.4/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch queue-4.4/arm-bug-if-jumping-to-usermode-address-in-kernel-mode.patch queue-4.4/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch queue-4.4/i2c-riic-fix-restart-condition.patch queue-4.4/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch queue-4.4/usb-gadget-configs-plug-memory-leak.patch queue-4.4/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch queue-4.4/revert-drm-armada-fix-compile-fail.patch queue-4.4/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch queue-4.4/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] stable-request: bpf 2017-12-12

by Daniel Borkmann

Hi Greg, It would be great if you could cherry-pick the following BPF related commit into stable trees: c131187db2d3 ("bpf: fix branch pruning logic") - up to 4.9 Instructions for 4.14: There's a minor conflict in verifier.c, just take the 'env->insn_aux_data[insn_idx].seen = true;' part from the patch. Instructions for 4.9: Needs 8041902dae52 ("bpf: adjust insn_aux_data when patching insns") as prerequisite. Same minor conflict in verifier.c as with 4.14 described above. The minor one in bpf_verifier.h for struct bpf_insn_aux_data should be resolved by having 'ptr_type' and 'seen' as final members of the struct. Thanks a lot!

7 years, 9 months

2
2
0 0

[Linux-stable-mirror] Patch "sit: update frag_off info" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled sit: update frag_off info to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: sit-update-frag_off-info.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:58:21 CET 2017 From: Hangbin Liu <liuhangbin(a)gmail.com> Date: Thu, 30 Nov 2017 10:41:14 +0800 Subject: sit: update frag_off info From: Hangbin Liu <liuhangbin(a)gmail.com> [ Upstream commit f859b4af1c52493ec21173ccc73d0b60029b5b88 ] After parsing the sit netlink change info, we forget to update frag_off in ipip6_tunnel_update(). Fix it by assigning frag_off with new value. Reported-by: Jianlin Shi <jishi(a)redhat.com> Signed-off-by: Hangbin Liu <liuhangbin(a)gmail.com> Acked-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/ipv6/sit.c | 1 + 1 file changed, 1 insertion(+) --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -1093,6 +1093,7 @@ static void ipip6_tunnel_update(struct i ipip6_tunnel_link(sitn, t); t->parms.iph.ttl = p->iph.ttl; t->parms.iph.tos = p->iph.tos; + t->parms.iph.frag_off = p->iph.frag_off; if (t->parms.link != p->link) { t->parms.link = p->link; ipip6_tunnel_bind_dev(t->dev); Patches currently in stable-queue which might be from liuhangbin(a)gmail.com are queue-3.18/sit-update-frag_off-info.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "rds: Fix NULL pointer dereference in __rds_rdma_map" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled rds: Fix NULL pointer dereference in __rds_rdma_map to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:58:21 CET 2017 From: Håkon Bugge <Haakon.Bugge(a)oracle.com> Date: Wed, 6 Dec 2017 17:18:28 +0100 Subject: rds: Fix NULL pointer dereference in __rds_rdma_map From: Håkon Bugge <Haakon.Bugge(a)oracle.com> [ Upstream commit f3069c6d33f6ae63a1668737bc78aaaa51bff7ca ] This is a fix for syzkaller719569, where memory registration was attempted without any underlying transport being loaded. Analysis of the case reveals that it is the setsockopt() RDS_GET_MR (2) and RDS_GET_MR_FOR_DEST (7) that are vulnerable. Here is an example stack trace when the bug is hit: BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0 IP: __rds_rdma_map+0x36/0x440 [rds] PGD 2f93d03067 P4D 2f93d03067 PUD 2f93d02067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: bridge stp llc tun rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache rds binfmt_misc sb_edac intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul c rc32_pclmul ghash_clmulni_intel pcbc aesni_intel crypto_simd glue_helper cryptd iTCO_wdt mei_me sg iTCO_vendor_support ipmi_si mei ipmi_devintf nfsd shpchp pcspkr i2c_i801 ioatd ma ipmi_msghandler wmi lpc_ich mfd_core auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 mgag200 i2c_algo_bit drm_kms_helper ixgbe syscopyarea ahci sysfillrect sysimgblt libahci mdio fb_sys_fops ttm ptp libata sd_mod mlx4_core drm crc32c_intel pps_core megaraid_sas i2c_core dca dm_mirror dm_region_hash dm_log dm_mod CPU: 48 PID: 45787 Comm: repro_set2 Not tainted 4.14.2-3.el7uek.x86_64 #2 Hardware name: Oracle Corporation ORACLE SERVER X5-2L/ASM,MOBO TRAY,2U, BIOS 31110000 03/03/2017 task: ffff882f9190db00 task.stack: ffffc9002b994000 RIP: 0010:__rds_rdma_map+0x36/0x440 [rds] RSP: 0018:ffffc9002b997df0 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff882fa2182580 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc9002b997e40 RDI: ffff882fa2182580 RBP: ffffc9002b997e30 R08: 0000000000000000 R09: 0000000000000002 R10: ffff885fb29e3838 R11: 0000000000000000 R12: ffff882fa2182580 R13: ffff882fa2182580 R14: 0000000000000002 R15: 0000000020000ffc FS: 00007fbffa20b700(0000) GS:ffff882fbfb80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c0 CR3: 0000002f98a66006 CR4: 00000000001606e0 Call Trace: rds_get_mr+0x56/0x80 [rds] rds_setsockopt+0x172/0x340 [rds] ? __fget_light+0x25/0x60 ? __fdget+0x13/0x20 SyS_setsockopt+0x80/0xe0 do_syscall_64+0x67/0x1b0 entry_SYSCALL64_slow_path+0x25/0x25 RIP: 0033:0x7fbff9b117f9 RSP: 002b:00007fbffa20aed8 EFLAGS: 00000293 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00000000000c84a4 RCX: 00007fbff9b117f9 RDX: 0000000000000002 RSI: 0000400000000114 RDI: 000000000000109b RBP: 00007fbffa20af10 R08: 0000000000000020 R09: 00007fbff9dd7860 R10: 0000000020000ffc R11: 0000000000000293 R12: 0000000000000000 R13: 00007fbffa20b9c0 R14: 00007fbffa20b700 R15: 0000000000000021 Code: 41 56 41 55 49 89 fd 41 54 53 48 83 ec 18 8b 87 f0 02 00 00 48 89 55 d0 48 89 4d c8 85 c0 0f 84 2d 03 00 00 48 8b 87 00 03 00 00 <48> 83 b8 c0 00 00 00 00 0f 84 25 03 00 0 0 48 8b 06 48 8b 56 08 The fix is to check the existence of an underlying transport in __rds_rdma_map(). Signed-off-by: HÃ¥kon Bugge <haakon.bugge(a)oracle.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Acked-by: Santosh Shilimkar <santosh.shilimkar(a)oracle.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/rds/rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -184,7 +184,7 @@ static int __rds_rdma_map(struct rds_soc long i; int ret; - if (rs->rs_bound_addr == 0) { + if (rs->rs_bound_addr == 0 || !rs->rs_transport) { ret = -ENOTCONN; /* XXX not a great errno */ goto out; } Patches currently in stable-queue which might be from Haakon.Bugge(a)oracle.com are queue-3.18/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "net/packet: fix a race in packet_bind() and packet_notifier()" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled net/packet: fix a race in packet_bind() and packet_notifier() to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:58:21 CET 2017 From: Eric Dumazet <edumazet(a)google.com> Date: Tue, 28 Nov 2017 08:03:30 -0800 Subject: net/packet: fix a race in packet_bind() and packet_notifier() From: Eric Dumazet <edumazet(a)google.com> [ Upstream commit 15fe076edea787807a7cdc168df832544b58eba6 ] syzbot reported crashes [1] and provided a C repro easing bug hunting. When/if packet_do_bind() calls __unregister_prot_hook() and releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This calls register_prot_hook() and hooks again the socket right before first thread is able to grab again po->bind_lock. Fixes this issue by temporarily setting po->num to 0, as suggested by David Miller. [1] dev_remove_pack: ffff8801bf16fa80 not found ------------[ cut here ]------------ kernel BUG at net/core/dev.c:7945! ( BUG_ON(!list_empty(&dev->ptype_all)); ) invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: device syz0 entered promiscuous mode CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801cc57a500 task.stack: ffff8801cc588000 RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945 RSP: 0018:ffff8801cc58f598 EFLAGS: 00010293 RAX: ffff8801cc57a500 RBX: dffffc0000000000 RCX: ffffffff841f75b2 RDX: 0000000000000000 RSI: 1ffff100398b1ede RDI: ffff8801bf1f8810 device syz0 entered promiscuous mode RBP: ffff8801cc58f898 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bf1f8cd8 R13: ffff8801cc58f870 R14: ffff8801bf1f8780 R15: ffff8801cc58f7f0 FS: 0000000001716880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020b13000 CR3: 0000000005e25000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106 tun_detach drivers/net/tun.c:670 [inline] tun_chr_close+0x49/0x60 drivers/net/tun.c:2845 __fput+0x333/0x7f0 fs/file_table.c:210 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x199/0x270 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x9bb/0x1ae0 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 SYSC_exit_group kernel/exit.c:979 [inline] SyS_exit_group+0x1d/0x20 kernel/exit.c:977 entry_SYSCALL_64_fastpath+0x1f/0x96 RIP: 0033:0x44ad19 Fixes: 30f7ea1c2b5f ("packet: race condition in packet_bind") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Cc: Francesco Ruggeri <fruggeri(a)aristanetworks.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/packet/af_packet.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2704,6 +2704,10 @@ static int packet_do_bind(struct sock *s if (need_rehook) { if (po->running) { rcu_read_unlock(); + /* prevents packet_notifier() from calling + * register_prot_hook() + */ + po->num = 0; __unregister_prot_hook(sk, true); rcu_read_lock(); dev_curr = po->prot_hook.dev; @@ -2712,6 +2716,7 @@ static int packet_do_bind(struct sock *s dev->ifindex); } + BUG_ON(po->running); po->num = proto; po->prot_hook.type = proto; Patches currently in stable-queue which might be from edumazet(a)google.com are queue-3.18/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "tipc: fix memory leak in tipc_accept_from_sock()" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled tipc: fix memory leak in tipc_accept_from_sock() to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: tipc-fix-memory-leak-in-tipc_accept_from_sock.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:55:00 CET 2017 From: Jon Maloy <jon.maloy(a)ericsson.com> Date: Mon, 4 Dec 2017 22:00:20 +0100 Subject: tipc: fix memory leak in tipc_accept_from_sock() From: Jon Maloy <jon.maloy(a)ericsson.com> [ Upstream commit a7d5f107b4978e08eeab599ee7449af34d034053 ] When the function tipc_accept_from_sock() fails to create an instance of struct tipc_subscriber it omits to free the already created instance of struct tipc_conn instance before it returns. We fix that with this commit. Reported-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Jon Maloy <jon.maloy(a)ericsson.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/tipc/server.c | 1 + 1 file changed, 1 insertion(+) --- a/net/tipc/server.c +++ b/net/tipc/server.c @@ -311,6 +311,7 @@ static int tipc_accept_from_sock(struct newcon->usr_data = s->tipc_conn_new(newcon->conid); if (!newcon->usr_data) { sock_release(newsock); + conn_put(newcon); return -ENOMEM; } Patches currently in stable-queue which might be from jon.maloy(a)ericsson.com are queue-4.4/tipc-fix-memory-leak-in-tipc_accept_from_sock.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "rds: Fix NULL pointer dereference in __rds_rdma_map" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled rds: Fix NULL pointer dereference in __rds_rdma_map to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:55:00 CET 2017 From: Håkon Bugge <Haakon.Bugge(a)oracle.com> Date: Wed, 6 Dec 2017 17:18:28 +0100 Subject: rds: Fix NULL pointer dereference in __rds_rdma_map From: Håkon Bugge <Haakon.Bugge(a)oracle.com> [ Upstream commit f3069c6d33f6ae63a1668737bc78aaaa51bff7ca ] This is a fix for syzkaller719569, where memory registration was attempted without any underlying transport being loaded. Analysis of the case reveals that it is the setsockopt() RDS_GET_MR (2) and RDS_GET_MR_FOR_DEST (7) that are vulnerable. Here is an example stack trace when the bug is hit: BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0 IP: __rds_rdma_map+0x36/0x440 [rds] PGD 2f93d03067 P4D 2f93d03067 PUD 2f93d02067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: bridge stp llc tun rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache rds binfmt_misc sb_edac intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul c rc32_pclmul ghash_clmulni_intel pcbc aesni_intel crypto_simd glue_helper cryptd iTCO_wdt mei_me sg iTCO_vendor_support ipmi_si mei ipmi_devintf nfsd shpchp pcspkr i2c_i801 ioatd ma ipmi_msghandler wmi lpc_ich mfd_core auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 mgag200 i2c_algo_bit drm_kms_helper ixgbe syscopyarea ahci sysfillrect sysimgblt libahci mdio fb_sys_fops ttm ptp libata sd_mod mlx4_core drm crc32c_intel pps_core megaraid_sas i2c_core dca dm_mirror dm_region_hash dm_log dm_mod CPU: 48 PID: 45787 Comm: repro_set2 Not tainted 4.14.2-3.el7uek.x86_64 #2 Hardware name: Oracle Corporation ORACLE SERVER X5-2L/ASM,MOBO TRAY,2U, BIOS 31110000 03/03/2017 task: ffff882f9190db00 task.stack: ffffc9002b994000 RIP: 0010:__rds_rdma_map+0x36/0x440 [rds] RSP: 0018:ffffc9002b997df0 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff882fa2182580 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc9002b997e40 RDI: ffff882fa2182580 RBP: ffffc9002b997e30 R08: 0000000000000000 R09: 0000000000000002 R10: ffff885fb29e3838 R11: 0000000000000000 R12: ffff882fa2182580 R13: ffff882fa2182580 R14: 0000000000000002 R15: 0000000020000ffc FS: 00007fbffa20b700(0000) GS:ffff882fbfb80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c0 CR3: 0000002f98a66006 CR4: 00000000001606e0 Call Trace: rds_get_mr+0x56/0x80 [rds] rds_setsockopt+0x172/0x340 [rds] ? __fget_light+0x25/0x60 ? __fdget+0x13/0x20 SyS_setsockopt+0x80/0xe0 do_syscall_64+0x67/0x1b0 entry_SYSCALL64_slow_path+0x25/0x25 RIP: 0033:0x7fbff9b117f9 RSP: 002b:00007fbffa20aed8 EFLAGS: 00000293 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00000000000c84a4 RCX: 00007fbff9b117f9 RDX: 0000000000000002 RSI: 0000400000000114 RDI: 000000000000109b RBP: 00007fbffa20af10 R08: 0000000000000020 R09: 00007fbff9dd7860 R10: 0000000020000ffc R11: 0000000000000293 R12: 0000000000000000 R13: 00007fbffa20b9c0 R14: 00007fbffa20b700 R15: 0000000000000021 Code: 41 56 41 55 49 89 fd 41 54 53 48 83 ec 18 8b 87 f0 02 00 00 48 89 55 d0 48 89 4d c8 85 c0 0f 84 2d 03 00 00 48 8b 87 00 03 00 00 <48> 83 b8 c0 00 00 00 00 0f 84 25 03 00 0 0 48 8b 06 48 8b 56 08 The fix is to check the existence of an underlying transport in __rds_rdma_map(). Signed-off-by: HÃ¥kon Bugge <haakon.bugge(a)oracle.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Acked-by: Santosh Shilimkar <santosh.shilimkar(a)oracle.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/rds/rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -184,7 +184,7 @@ static int __rds_rdma_map(struct rds_soc long i; int ret; - if (rs->rs_bound_addr == 0) { + if (rs->rs_bound_addr == 0 || !rs->rs_transport) { ret = -ENOTCONN; /* XXX not a great errno */ goto out; } Patches currently in stable-queue which might be from Haakon.Bugge(a)oracle.com are queue-4.4/rds-fix-null-pointer-dereference-in-__rds_rdma_map.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "sit: update frag_off info" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled sit: update frag_off info to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: sit-update-frag_off-info.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:55:00 CET 2017 From: Hangbin Liu <liuhangbin(a)gmail.com> Date: Thu, 30 Nov 2017 10:41:14 +0800 Subject: sit: update frag_off info From: Hangbin Liu <liuhangbin(a)gmail.com> [ Upstream commit f859b4af1c52493ec21173ccc73d0b60029b5b88 ] After parsing the sit netlink change info, we forget to update frag_off in ipip6_tunnel_update(). Fix it by assigning frag_off with new value. Reported-by: Jianlin Shi <jishi(a)redhat.com> Signed-off-by: Hangbin Liu <liuhangbin(a)gmail.com> Acked-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/ipv6/sit.c | 1 + 1 file changed, 1 insertion(+) --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -1093,6 +1093,7 @@ static void ipip6_tunnel_update(struct i ipip6_tunnel_link(sitn, t); t->parms.iph.ttl = p->iph.ttl; t->parms.iph.tos = p->iph.tos; + t->parms.iph.frag_off = p->iph.frag_off; if (t->parms.link != p->link) { t->parms.link = p->link; ipip6_tunnel_bind_dev(t->dev); Patches currently in stable-queue which might be from liuhangbin(a)gmail.com are queue-4.4/sit-update-frag_off-info.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "net/packet: fix a race in packet_bind() and packet_notifier()" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled net/packet: fix a race in packet_bind() and packet_notifier() to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:55:00 CET 2017 From: Eric Dumazet <edumazet(a)google.com> Date: Tue, 28 Nov 2017 08:03:30 -0800 Subject: net/packet: fix a race in packet_bind() and packet_notifier() From: Eric Dumazet <edumazet(a)google.com> [ Upstream commit 15fe076edea787807a7cdc168df832544b58eba6 ] syzbot reported crashes [1] and provided a C repro easing bug hunting. When/if packet_do_bind() calls __unregister_prot_hook() and releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This calls register_prot_hook() and hooks again the socket right before first thread is able to grab again po->bind_lock. Fixes this issue by temporarily setting po->num to 0, as suggested by David Miller. [1] dev_remove_pack: ffff8801bf16fa80 not found ------------[ cut here ]------------ kernel BUG at net/core/dev.c:7945! ( BUG_ON(!list_empty(&dev->ptype_all)); ) invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: device syz0 entered promiscuous mode CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801cc57a500 task.stack: ffff8801cc588000 RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945 RSP: 0018:ffff8801cc58f598 EFLAGS: 00010293 RAX: ffff8801cc57a500 RBX: dffffc0000000000 RCX: ffffffff841f75b2 RDX: 0000000000000000 RSI: 1ffff100398b1ede RDI: ffff8801bf1f8810 device syz0 entered promiscuous mode RBP: ffff8801cc58f898 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bf1f8cd8 R13: ffff8801cc58f870 R14: ffff8801bf1f8780 R15: ffff8801cc58f7f0 FS: 0000000001716880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020b13000 CR3: 0000000005e25000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106 tun_detach drivers/net/tun.c:670 [inline] tun_chr_close+0x49/0x60 drivers/net/tun.c:2845 __fput+0x333/0x7f0 fs/file_table.c:210 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x199/0x270 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x9bb/0x1ae0 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 SYSC_exit_group kernel/exit.c:979 [inline] SyS_exit_group+0x1d/0x20 kernel/exit.c:977 entry_SYSCALL_64_fastpath+0x1f/0x96 RIP: 0033:0x44ad19 Fixes: 30f7ea1c2b5f ("packet: race condition in packet_bind") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Cc: Francesco Ruggeri <fruggeri(a)aristanetworks.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/packet/af_packet.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2976,6 +2976,10 @@ static int packet_do_bind(struct sock *s if (need_rehook) { if (po->running) { rcu_read_unlock(); + /* prevents packet_notifier() from calling + * register_prot_hook() + */ + po->num = 0; __unregister_prot_hook(sk, true); rcu_read_lock(); dev_curr = po->prot_hook.dev; @@ -2984,6 +2988,7 @@ static int packet_do_bind(struct sock *s dev->ifindex); } + BUG_ON(po->running); po->num = proto; po->prot_hook.type = proto; Patches currently in stable-queue which might be from edumazet(a)google.com are queue-4.4/net-packet-fix-a-race-in-packet_bind-and-packet_notifier.patch queue-4.4/packet-fix-crash-in-fanout_demux_rollover.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "packet: fix crash in fanout_demux_rollover()" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled packet: fix crash in fanout_demux_rollover() to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: packet-fix-crash-in-fanout_demux_rollover.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 18:55:00 CET 2017 From: Mike Maloney <maloney(a)google.com> Date: Tue, 28 Nov 2017 10:44:29 -0500 Subject: packet: fix crash in fanout_demux_rollover() From: Mike Maloney <maloney(a)google.com> syzkaller found a race condition fanout_demux_rollover() while removing a packet socket from a fanout group. po->rollover is read and operated on during packet_rcv_fanout(), via fanout_demux_rollover(), but the pointer is currently cleared before the synchronization in packet_release(). It is safer to delay the cleanup until after synchronize_net() has been called, ensuring all calls to packet_rcv_fanout() for this socket have finished. To further simplify synchronization around the rollover structure, set po->rollover in fanout_add() only if there are no errors. This removes the need for rcu in the struct and in the call to packet_getsockopt(..., PACKET_ROLLOVER_STATS, ...). Crashing stack trace: fanout_demux_rollover+0xb6/0x4d0 net/packet/af_packet.c:1392 packet_rcv_fanout+0x649/0x7c8 net/packet/af_packet.c:1487 dev_queue_xmit_nit+0x835/0xc10 net/core/dev.c:1953 xmit_one net/core/dev.c:2975 [inline] dev_hard_start_xmit+0x16b/0xac0 net/core/dev.c:2995 __dev_queue_xmit+0x17a4/0x2050 net/core/dev.c:3476 dev_queue_xmit+0x17/0x20 net/core/dev.c:3509 neigh_connected_output+0x489/0x720 net/core/neighbour.c:1379 neigh_output include/net/neighbour.h:482 [inline] ip6_finish_output2+0xad1/0x22a0 net/ipv6/ip6_output.c:120 ip6_finish_output+0x2f9/0x920 net/ipv6/ip6_output.c:146 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1f4/0x850 net/ipv6/ip6_output.c:163 dst_output include/net/dst.h:459 [inline] NF_HOOK.constprop.35+0xff/0x630 include/linux/netfilter.h:250 mld_sendpack+0x6a8/0xcc0 net/ipv6/mcast.c:1660 mld_send_initial_cr.part.24+0x103/0x150 net/ipv6/mcast.c:2072 mld_send_initial_cr net/ipv6/mcast.c:2056 [inline] ipv6_mc_dad_complete+0x99/0x130 net/ipv6/mcast.c:2079 addrconf_dad_completed+0x595/0x970 net/ipv6/addrconf.c:4039 addrconf_dad_work+0xac9/0x1160 net/ipv6/addrconf.c:3971 process_one_work+0xbf0/0x1bc0 kernel/workqueue.c:2113 worker_thread+0x223/0x1990 kernel/workqueue.c:2247 kthread+0x35e/0x430 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432 Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state") Fixes: 509c7a1ecc860 ("packet: avoid panic in packet_getsockopt()") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Mike Maloney <maloney(a)google.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/packet/af_packet.c | 32 ++++++++++---------------------- net/packet/internal.h | 1 - 2 files changed, 10 insertions(+), 23 deletions(-) --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1665,7 +1665,6 @@ static int fanout_add(struct sock *sk, u atomic_long_set(&rollover->num, 0); atomic_long_set(&rollover->num_huge, 0); atomic_long_set(&rollover->num_failed, 0); - po->rollover = rollover; } match = NULL; @@ -1710,6 +1709,8 @@ static int fanout_add(struct sock *sk, u if (atomic_read(&match->sk_ref) < PACKET_FANOUT_MAX) { __dev_remove_pack(&po->prot_hook); po->fanout = match; + po->rollover = rollover; + rollover = NULL; atomic_inc(&match->sk_ref); __fanout_link(sk, po); err = 0; @@ -1723,10 +1724,7 @@ static int fanout_add(struct sock *sk, u } out: - if (err && rollover) { - kfree_rcu(rollover, rcu); - po->rollover = NULL; - } + kfree(rollover); mutex_unlock(&fanout_mutex); return err; } @@ -1750,11 +1748,6 @@ static struct packet_fanout *fanout_rele list_del(&f->list); else f = NULL; - - if (po->rollover) { - kfree_rcu(po->rollover, rcu); - po->rollover = NULL; - } } mutex_unlock(&fanout_mutex); @@ -2914,6 +2907,7 @@ static int packet_release(struct socket synchronize_net(); if (f) { + kfree(po->rollover); fanout_release_data(f); kfree(f); } @@ -3771,7 +3765,6 @@ static int packet_getsockopt(struct sock void *data = &val; union tpacket_stats_u st; struct tpacket_rollover_stats rstats; - struct packet_rollover *rollover; if (level != SOL_PACKET) return -ENOPROTOOPT; @@ -3850,18 +3843,13 @@ static int packet_getsockopt(struct sock 0); break; case PACKET_ROLLOVER_STATS: - rcu_read_lock(); - rollover = rcu_dereference(po->rollover); - if (rollover) { - rstats.tp_all = atomic_long_read(&rollover->num); - rstats.tp_huge = atomic_long_read(&rollover->num_huge); - rstats.tp_failed = atomic_long_read(&rollover->num_failed); - data = &rstats; - lv = sizeof(rstats); - } - rcu_read_unlock(); - if (!rollover) + if (!po->rollover) return -EINVAL; + rstats.tp_all = atomic_long_read(&po->rollover->num); + rstats.tp_huge = atomic_long_read(&po->rollover->num_huge); + rstats.tp_failed = atomic_long_read(&po->rollover->num_failed); + data = &rstats; + lv = sizeof(rstats); break; case PACKET_TX_HAS_OFF: val = po->tp_tx_has_off; --- a/net/packet/internal.h +++ b/net/packet/internal.h @@ -92,7 +92,6 @@ struct packet_fanout { struct packet_rollover { int sock; - struct rcu_head rcu; atomic_long_t num; atomic_long_t num_huge; atomic_long_t num_failed; Patches currently in stable-queue which might be from maloney(a)google.com are queue-4.4/packet-fix-crash-in-fanout_demux_rollover.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCHES] Networking

by David Miller

Please queue up the following networking bug fixes for v4.9 and v4.14 -stable, respectively. Thank you!

7 years, 9 months

2
1
0 0

[Linux-stable-mirror] Patch "usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-gadget-ffs-forbid-usb_ep_alloc_request-from-sleeping.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba Mon Sep 17 00:00:00 2001 From: Vincent Pelletier <plr.vincent(a)gmail.com> Date: Sun, 26 Nov 2017 06:52:53 +0000 Subject: usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping From: Vincent Pelletier <plr.vincent(a)gmail.com> commit 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba upstream. Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation: [ 100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421 [ 100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python [ 100.867954] 2 locks held by python/1880: [ 100.867961] #0: (&epfile->mutex){....}, at: [<f8188627>] ffs_mutex_lock+0x27/0x30 [usb_f_fs] [ 100.868020] #1: (&(&ffs->eps_lock)->rlock){....}, at: [<f818ad4b>] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs] [ 100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118 [ 100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48 [ 100.868093] Call Trace: [ 100.868122] dump_stack+0x47/0x62 [ 100.868156] ___might_sleep+0xfd/0x110 [ 100.868182] __might_sleep+0x68/0x70 [ 100.868217] kmem_cache_alloc_trace+0x4b/0x200 [ 100.868248] ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868302] dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868343] usb_ep_alloc_request+0x16/0xc0 [udc_core] [ 100.868386] ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs] [ 100.868424] ? _raw_spin_unlock_irqrestore+0x27/0x40 [ 100.868457] ? kiocb_set_cancel_fn+0x57/0x60 [ 100.868477] ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs] [ 100.868512] ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs] [ 100.868551] ? security_file_permission+0x9c/0xd0 [ 100.868587] ? rw_verify_area+0xac/0x120 [ 100.868633] aio_read+0x9d/0x100 [ 100.868692] ? __fget+0xa2/0xd0 [ 100.868727] ? __might_sleep+0x68/0x70 [ 100.868763] SyS_io_submit+0x471/0x680 [ 100.868878] do_int80_syscall_32+0x4e/0xd0 [ 100.868921] entry_INT80_32+0x2a/0x2a [ 100.868932] EIP: 0xb7fbb676 [ 100.868941] EFLAGS: 00000292 CPU: 1 [ 100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368 [ 100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638 [ 100.868973] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b Signed-off-by: Vincent Pelletier <plr.vincent(a)gmail.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1015,7 +1015,7 @@ static ssize_t ffs_epfile_io(struct file else ret = ep->status; goto error_mutex; - } else if (!(req = usb_ep_alloc_request(ep->ep, GFP_KERNEL))) { + } else if (!(req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC))) { ret = -ENOMEM; } else { req->buf = data; Patches currently in stable-queue which might be from plr.vincent(a)gmail.com are queue-4.9/usb-gadget-ffs-forbid-usb_ep_alloc_request-from-sleeping.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "s390: always save and restore all registers on context switch" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled s390: always save and restore all registers on context switch to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: s390-always-save-and-restore-all-registers-on-context-switch.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From fbbd7f1a51965b50dd12924841da0d478f3da71b Mon Sep 17 00:00:00 2001 From: Heiko Carstens <heiko.carstens(a)de.ibm.com> Date: Mon, 20 Nov 2017 12:38:44 +0100 Subject: s390: always save and restore all registers on context switch From: Heiko Carstens <heiko.carstens(a)de.ibm.com> commit fbbd7f1a51965b50dd12924841da0d478f3da71b upstream. The switch_to() macro has an optimization to avoid saving and restoring register contents that aren't needed for kernel threads. There is however the possibility that a kernel thread execve's a user space program. In such a case the execve'd process can partially see the contents of the previous process, which shouldn't be allowed. To avoid this, simply always save and restore register contents on context switch. Fixes: fdb6d070effba ("switch_to: dont restore/save access & fpu regs for kernel threads") Signed-off-by: Heiko Carstens <heiko.carstens(a)de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/s390/include/asm/switch_to.h | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) --- a/arch/s390/include/asm/switch_to.h +++ b/arch/s390/include/asm/switch_to.h @@ -29,17 +29,16 @@ static inline void restore_access_regs(u } #define switch_to(prev,next,last) do { \ - if (prev->mm) { \ - save_fpu_regs(); \ - save_access_regs(&prev->thread.acrs[0]); \ - save_ri_cb(prev->thread.ri_cb); \ - } \ + /* save_fpu_regs() sets the CIF_FPU flag, which enforces \ + * a restore of the floating point / vector registers as \ + * soon as the next task returns to user space \ + */ \ + save_fpu_regs(); \ + save_access_regs(&prev->thread.acrs[0]); \ + save_ri_cb(prev->thread.ri_cb); \ update_cr_regs(next); \ - if (next->mm) { \ - set_cpu_flag(CIF_FPU); \ - restore_access_regs(&next->thread.acrs[0]); \ - restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb); \ - } \ + restore_access_regs(&next->thread.acrs[0]); \ + restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb); \ prev = __switch_to(prev,next); \ } while (0) Patches currently in stable-queue which might be from heiko.carstens(a)de.ibm.com are queue-4.9/s390-always-save-and-restore-all-registers-on-context-switch.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "s390: always save and restore all registers on context switch" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled s390: always save and restore all registers on context switch to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: s390-always-save-and-restore-all-registers-on-context-switch.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From fbbd7f1a51965b50dd12924841da0d478f3da71b Mon Sep 17 00:00:00 2001 From: Heiko Carstens <heiko.carstens(a)de.ibm.com> Date: Mon, 20 Nov 2017 12:38:44 +0100 Subject: s390: always save and restore all registers on context switch From: Heiko Carstens <heiko.carstens(a)de.ibm.com> commit fbbd7f1a51965b50dd12924841da0d478f3da71b upstream. The switch_to() macro has an optimization to avoid saving and restoring register contents that aren't needed for kernel threads. There is however the possibility that a kernel thread execve's a user space program. In such a case the execve'd process can partially see the contents of the previous process, which shouldn't be allowed. To avoid this, simply always save and restore register contents on context switch. Cc: <stable(a)vger.kernel.org> # v2.6.37+ Fixes: fdb6d070effba ("switch_to: dont restore/save access & fpu regs for kernel threads") Signed-off-by: Heiko Carstens <heiko.carstens(a)de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/s390/include/asm/switch_to.h | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) --- a/arch/s390/include/asm/switch_to.h +++ b/arch/s390/include/asm/switch_to.h @@ -29,17 +29,16 @@ static inline void restore_access_regs(u } #define switch_to(prev,next,last) do { \ - if (prev->mm) { \ - save_fpu_regs(); \ - save_access_regs(&prev->thread.acrs[0]); \ - save_ri_cb(prev->thread.ri_cb); \ - } \ + /* save_fpu_regs() sets the CIF_FPU flag, which enforces \ + * a restore of the floating point / vector registers as \ + * soon as the next task returns to user space \ + */ \ + save_fpu_regs(); \ + save_access_regs(&prev->thread.acrs[0]); \ + save_ri_cb(prev->thread.ri_cb); \ update_cr_regs(next); \ - if (next->mm) { \ - set_cpu_flag(CIF_FPU); \ - restore_access_regs(&next->thread.acrs[0]); \ - restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb); \ - } \ + restore_access_regs(&next->thread.acrs[0]); \ + restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb); \ prev = __switch_to(prev,next); \ } while (0) Patches currently in stable-queue which might be from heiko.carstens(a)de.ibm.com are queue-4.4/s390-always-save-and-restore-all-registers-on-context-switch.patch queue-4.4/s390-fix-compat-system-call-table.patch queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "more bio_map_user_iov() leak fixes" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled more bio_map_user_iov() leak fixes to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: more-bio_map_user_iov-leak-fixes.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 Mon Sep 17 00:00:00 2001 From: Al Viro <viro(a)zeniv.linux.org.uk> Date: Sat, 23 Sep 2017 15:51:23 -0400 Subject: more bio_map_user_iov() leak fixes From: Al Viro <viro(a)zeniv.linux.org.uk> commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 upstream. we need to take care of failure exit as well - pages already in bio should be dropped by analogue of bio_unmap_pages(), since their refcounts had been bumped only once per reference in bio. Cc: stable(a)vger.kernel.org Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- Fixed conflicts. Intended for v4.4.y. Does not apply to v3.18.y or older kernels. block/bio.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) --- a/block/bio.c +++ b/block/bio.c @@ -1268,6 +1268,7 @@ struct bio *bio_map_user_iov(struct requ int ret, offset; struct iov_iter i; struct iovec iov; + struct bio_vec *bvec; iov_for_each(iov, i, *iter) { unsigned long uaddr = (unsigned long) iov.iov_base; @@ -1312,7 +1313,12 @@ struct bio *bio_map_user_iov(struct requ ret = get_user_pages_fast(uaddr, local_nr_pages, (iter->type & WRITE) != WRITE, &pages[cur_page]); - if (ret < local_nr_pages) { + if (unlikely(ret < local_nr_pages)) { + for (j = cur_page; j < page_limit; j++) { + if (!pages[j]) + break; + put_page(pages[j]); + } ret = -EFAULT; goto out_unmap; } @@ -1374,10 +1380,8 @@ struct bio *bio_map_user_iov(struct requ return bio; out_unmap: - for (j = 0; j < nr_pages; j++) { - if (!pages[j]) - break; - page_cache_release(pages[j]); + bio_for_each_segment_all(bvec, bio, j) { + put_page(bvec->bv_page); } out: kfree(pages); Patches currently in stable-queue which might be from viro(a)zeniv.linux.org.uk are queue-4.4/more-bio_map_user_iov-leak-fixes.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "ipmi: Stop timers before cleaning up the module" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled ipmi: Stop timers before cleaning up the module to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: ipmi-stop-timers-before-cleaning-up-the-module.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 4f7f5551a760eb0124267be65763008169db7087 Mon Sep 17 00:00:00 2001 From: Masamitsu Yamazaki <m-yamazaki(a)ah.jp.nec.com> Date: Wed, 15 Nov 2017 07:33:14 +0000 Subject: ipmi: Stop timers before cleaning up the module From: Masamitsu Yamazaki <m-yamazaki(a)ah.jp.nec.com> commit 4f7f5551a760eb0124267be65763008169db7087 upstream. System may crash after unloading ipmi_si.ko module because a timer may remain and fire after the module cleaned up resources. cleanup_one_si() contains the following processing. /* * Make sure that interrupts, the timer and the thread are * stopped and will not run again. */ if (to_clean->irq_cleanup) to_clean->irq_cleanup(to_clean); wait_for_timer_and_thread(to_clean); /* * Timeouts are stopped, now make sure the interrupts are off * in the BMC. Note that timers and CPU interrupts are off, * so no need for locks. */ while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) { poll(to_clean); schedule_timeout_uninterruptible(1); } si_state changes as following in the while loop calling poll(to_clean). SI_GETTING_MESSAGES => SI_CHECKING_ENABLES => SI_SETTING_ENABLES => SI_GETTING_EVENTS => SI_NORMAL As written in the code comments above, timers are expected to stop before the polling loop and not to run again. But the timer is set again in the following process when si_state becomes SI_SETTING_ENABLES. => poll => smi_event_handler => handle_transaction_done // smi_info->si_state == SI_SETTING_ENABLES => start_getting_events => start_new_msg => smi_mod_timer => mod_timer As a result, before the timer set in start_new_msg() expires, the polling loop may see si_state becoming SI_NORMAL and the module clean-up finishes. For example, hard LOCKUP and panic occurred as following. smi_timeout was called after smi_event_handler, kcs_event and hangs at port_inb() trying to access I/O port after release. [exception RIP: port_inb+19] RIP: ffffffffc0473053 RSP: ffff88069fdc3d80 RFLAGS: 00000006 RAX: ffff8806800f8e00 RBX: ffff880682bd9400 RCX: 0000000000000000 RDX: 0000000000000ca3 RSI: 0000000000000ca3 RDI: ffff8806800f8e40 RBP: ffff88069fdc3d80 R8: ffffffff81d86dfc R9: ffffffff81e36426 R10: 00000000000509f0 R11: 0000000000100000 R12: 0000000000]:000000 R13: 0000000000000000 R14: 0000000000000246 R15: ffff8806800f8e00 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0000 --- <NMI exception stack> --- To fix the problem I defined a flag, timer_can_start, as member of struct smi_info. The flag is enabled immediately after initializing the timer and disabled immediately before waiting for timer deletion. Fixes: 0cfec916e86d ("ipmi: Start the timer and thread on internal msgs") Signed-off-by: Yamazaki Masamitsu <m-yamazaki(a)ah.jp.nec.com> [Adjusted for recent changes in the driver.] [Some fairly major changes went into the IPMI driver in 4.15, so this required a backport as the code had changed and moved to a different file. The 4.14 version of this patch moved some code under an if statement and there was an API change causing it to not apply to 4.4-4.6.] Signed-off-by: Corey Minyard <cminyard(a)mvista.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- This is for kernel version 4.4-4.6 only. Code and API changes required backporting. There is another version for 4.7-4.13 and another for 4.14 coming, too. Bug was introduced in 4.4. drivers/char/ipmi/ipmi_si_intf.c | 44 ++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 21 deletions(-) --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -239,6 +239,9 @@ struct smi_info { /* The timer for this si. */ struct timer_list si_timer; + /* This flag is set, if the timer can be set */ + bool timer_can_start; + /* This flag is set, if the timer is running (timer_pending() isn't enough) */ bool timer_running; @@ -414,6 +417,8 @@ static enum si_sm_result start_next_msg( static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val) { + if (!smi_info->timer_can_start) + return; smi_info->last_timeout_jiffies = jiffies; mod_timer(&smi_info->si_timer, new_val); smi_info->timer_running = true; @@ -433,21 +438,18 @@ static void start_new_msg(struct smi_inf smi_info->handlers->start_transaction(smi_info->si_sm, msg, size); } -static void start_check_enables(struct smi_info *smi_info, bool start_timer) +static void start_check_enables(struct smi_info *smi_info) { unsigned char msg[2]; msg[0] = (IPMI_NETFN_APP_REQUEST << 2); msg[1] = IPMI_GET_BMC_GLOBAL_ENABLES_CMD; - if (start_timer) - start_new_msg(smi_info, msg, 2); - else - smi_info->handlers->start_transaction(smi_info->si_sm, msg, 2); + start_new_msg(smi_info, msg, 2); smi_info->si_state = SI_CHECKING_ENABLES; } -static void start_clear_flags(struct smi_info *smi_info, bool start_timer) +static void start_clear_flags(struct smi_info *smi_info) { unsigned char msg[3]; @@ -456,10 +458,7 @@ static void start_clear_flags(struct smi msg[1] = IPMI_CLEAR_MSG_FLAGS_CMD; msg[2] = WDT_PRE_TIMEOUT_INT; - if (start_timer) - start_new_msg(smi_info, msg, 3); - else - smi_info->handlers->start_transaction(smi_info->si_sm, msg, 3); + start_new_msg(smi_info, msg, 3); smi_info->si_state = SI_CLEARING_FLAGS; } @@ -494,11 +493,11 @@ static void start_getting_events(struct * Note that we cannot just use disable_irq(), since the interrupt may * be shared. */ -static inline bool disable_si_irq(struct smi_info *smi_info, bool start_timer) +static inline bool disable_si_irq(struct smi_info *smi_info) { if ((smi_info->irq) && (!smi_info->interrupt_disabled)) { smi_info->interrupt_disabled = true; - start_check_enables(smi_info, start_timer); + start_check_enables(smi_info); return true; } return false; @@ -508,7 +507,7 @@ static inline bool enable_si_irq(struct { if ((smi_info->irq) && (smi_info->interrupt_disabled)) { smi_info->interrupt_disabled = false; - start_check_enables(smi_info, true); + start_check_enables(smi_info); return true; } return false; @@ -526,7 +525,7 @@ static struct ipmi_smi_msg *alloc_msg_ha msg = ipmi_alloc_smi_msg(); if (!msg) { - if (!disable_si_irq(smi_info, true)) + if (!disable_si_irq(smi_info)) smi_info->si_state = SI_NORMAL; } else if (enable_si_irq(smi_info)) { ipmi_free_smi_msg(msg); @@ -542,7 +541,7 @@ static void handle_flags(struct smi_info /* Watchdog pre-timeout */ smi_inc_stat(smi_info, watchdog_pretimeouts); - start_clear_flags(smi_info, true); + start_clear_flags(smi_info); smi_info->msg_flags &= ~WDT_PRE_TIMEOUT_INT; if (smi_info->intf) ipmi_smi_watchdog_pretimeout(smi_info->intf); @@ -925,7 +924,7 @@ static enum si_sm_result smi_event_handl * disable and messages disabled. */ if (smi_info->supports_event_msg_buff || smi_info->irq) { - start_check_enables(smi_info, true); + start_check_enables(smi_info); } else { smi_info->curr_msg = alloc_msg_handle_irq(smi_info); if (!smi_info->curr_msg) @@ -1232,6 +1231,7 @@ static int smi_start_processing(void /* Set up the timer that drives the interface. */ setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi); + new_smi->timer_can_start = true; smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES); /* Try to claim any interrupts. */ @@ -3434,10 +3434,12 @@ static void check_for_broken_irqs(struct check_set_rcv_irq(smi_info); } -static inline void wait_for_timer_and_thread(struct smi_info *smi_info) +static inline void stop_timer_and_thread(struct smi_info *smi_info) { if (smi_info->thread != NULL) kthread_stop(smi_info->thread); + + smi_info->timer_can_start = false; if (smi_info->timer_running) del_timer_sync(&smi_info->si_timer); } @@ -3635,7 +3637,7 @@ static int try_smi_init(struct smi_info * Start clearing the flags before we enable interrupts or the * timer to avoid racing with the timer. */ - start_clear_flags(new_smi, false); + start_clear_flags(new_smi); /* * IRQ is defined to be set when non-zero. req_events will @@ -3713,7 +3715,7 @@ static int try_smi_init(struct smi_info return 0; out_err_stop_timer: - wait_for_timer_and_thread(new_smi); + stop_timer_and_thread(new_smi); out_err: new_smi->interrupt_disabled = true; @@ -3919,7 +3921,7 @@ static void cleanup_one_si(struct smi_in */ if (to_clean->irq_cleanup) to_clean->irq_cleanup(to_clean); - wait_for_timer_and_thread(to_clean); + stop_timer_and_thread(to_clean); /* * Timeouts are stopped, now make sure the interrupts are off @@ -3930,7 +3932,7 @@ static void cleanup_one_si(struct smi_in poll(to_clean); schedule_timeout_uninterruptible(1); } - disable_si_irq(to_clean, false); + disable_si_irq(to_clean); while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) { poll(to_clean); schedule_timeout_uninterruptible(1); Patches currently in stable-queue which might be from m-yamazaki(a)ah.jp.nec.com are queue-4.4/ipmi-stop-timers-before-cleaning-up-the-module.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-gadget-ffs-forbid-usb_ep_alloc_request-from-sleeping.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba Mon Sep 17 00:00:00 2001 From: Vincent Pelletier <plr.vincent(a)gmail.com> Date: Sun, 26 Nov 2017 06:52:53 +0000 Subject: usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping From: Vincent Pelletier <plr.vincent(a)gmail.com> commit 30bf90ccdec1da9c8198b161ecbff39ce4e5a9ba upstream. Found using DEBUG_ATOMIC_SLEEP while submitting an AIO read operation: [ 100.853642] BUG: sleeping function called from invalid context at mm/slab.h:421 [ 100.861148] in_atomic(): 1, irqs_disabled(): 1, pid: 1880, name: python [ 100.867954] 2 locks held by python/1880: [ 100.867961] #0: (&epfile->mutex){....}, at: [<f8188627>] ffs_mutex_lock+0x27/0x30 [usb_f_fs] [ 100.868020] #1: (&(&ffs->eps_lock)->rlock){....}, at: [<f818ad4b>] ffs_epfile_io.isra.17+0x24b/0x590 [usb_f_fs] [ 100.868076] CPU: 1 PID: 1880 Comm: python Not tainted 4.14.0-edison+ #118 [ 100.868085] Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48 [ 100.868093] Call Trace: [ 100.868122] dump_stack+0x47/0x62 [ 100.868156] ___might_sleep+0xfd/0x110 [ 100.868182] __might_sleep+0x68/0x70 [ 100.868217] kmem_cache_alloc_trace+0x4b/0x200 [ 100.868248] ? dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868302] dwc3_gadget_ep_alloc_request+0x24/0xe0 [dwc3] [ 100.868343] usb_ep_alloc_request+0x16/0xc0 [udc_core] [ 100.868386] ffs_epfile_io.isra.17+0x444/0x590 [usb_f_fs] [ 100.868424] ? _raw_spin_unlock_irqrestore+0x27/0x40 [ 100.868457] ? kiocb_set_cancel_fn+0x57/0x60 [ 100.868477] ? ffs_ep0_poll+0xc0/0xc0 [usb_f_fs] [ 100.868512] ffs_epfile_read_iter+0xfe/0x157 [usb_f_fs] [ 100.868551] ? security_file_permission+0x9c/0xd0 [ 100.868587] ? rw_verify_area+0xac/0x120 [ 100.868633] aio_read+0x9d/0x100 [ 100.868692] ? __fget+0xa2/0xd0 [ 100.868727] ? __might_sleep+0x68/0x70 [ 100.868763] SyS_io_submit+0x471/0x680 [ 100.868878] do_int80_syscall_32+0x4e/0xd0 [ 100.868921] entry_INT80_32+0x2a/0x2a [ 100.868932] EIP: 0xb7fbb676 [ 100.868941] EFLAGS: 00000292 CPU: 1 [ 100.868951] EAX: ffffffda EBX: b7aa2000 ECX: 00000002 EDX: b7af8368 [ 100.868961] ESI: b7fbb660 EDI: b7aab000 EBP: bfb6c658 ESP: bfb6c638 [ 100.868973] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b Signed-off-by: Vincent Pelletier <plr.vincent(a)gmail.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1016,7 +1016,7 @@ static ssize_t ffs_epfile_io(struct file else ret = ep->status; goto error_mutex; - } else if (!(req = usb_ep_alloc_request(ep->ep, GFP_KERNEL))) { + } else if (!(req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC))) { ret = -ENOMEM; } else { req->buf = data; Patches currently in stable-queue which might be from plr.vincent(a)gmail.com are queue-4.14/usb-gadget-ffs-forbid-usb_ep_alloc_request-from-sleeping.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "ipmi: Stop timers before cleaning up the module" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled ipmi: Stop timers before cleaning up the module to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: ipmi-stop-timers-before-cleaning-up-the-module.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 4f7f5551a760eb0124267be65763008169db7087 Mon Sep 17 00:00:00 2001 From: Masamitsu Yamazaki <m-yamazaki(a)ah.jp.nec.com> Date: Wed, 15 Nov 2017 07:33:14 +0000 Subject: ipmi: Stop timers before cleaning up the module From: Masamitsu Yamazaki <m-yamazaki(a)ah.jp.nec.com> commit 4f7f5551a760eb0124267be65763008169db7087 upstream. System may crash after unloading ipmi_si.ko module because a timer may remain and fire after the module cleaned up resources. cleanup_one_si() contains the following processing. /* * Make sure that interrupts, the timer and the thread are * stopped and will not run again. */ if (to_clean->irq_cleanup) to_clean->irq_cleanup(to_clean); wait_for_timer_and_thread(to_clean); /* * Timeouts are stopped, now make sure the interrupts are off * in the BMC. Note that timers and CPU interrupts are off, * so no need for locks. */ while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) { poll(to_clean); schedule_timeout_uninterruptible(1); } si_state changes as following in the while loop calling poll(to_clean). SI_GETTING_MESSAGES => SI_CHECKING_ENABLES => SI_SETTING_ENABLES => SI_GETTING_EVENTS => SI_NORMAL As written in the code comments above, timers are expected to stop before the polling loop and not to run again. But the timer is set again in the following process when si_state becomes SI_SETTING_ENABLES. => poll => smi_event_handler => handle_transaction_done // smi_info->si_state == SI_SETTING_ENABLES => start_getting_events => start_new_msg => smi_mod_timer => mod_timer As a result, before the timer set in start_new_msg() expires, the polling loop may see si_state becoming SI_NORMAL and the module clean-up finishes. For example, hard LOCKUP and panic occurred as following. smi_timeout was called after smi_event_handler, kcs_event and hangs at port_inb() trying to access I/O port after release. [exception RIP: port_inb+19] RIP: ffffffffc0473053 RSP: ffff88069fdc3d80 RFLAGS: 00000006 RAX: ffff8806800f8e00 RBX: ffff880682bd9400 RCX: 0000000000000000 RDX: 0000000000000ca3 RSI: 0000000000000ca3 RDI: ffff8806800f8e40 RBP: ffff88069fdc3d80 R8: ffffffff81d86dfc R9: ffffffff81e36426 R10: 00000000000509f0 R11: 0000000000100000 R12: 0000000000]:000000 R13: 0000000000000000 R14: 0000000000000246 R15: ffff8806800f8e00 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0000 --- <NMI exception stack> --- To fix the problem I defined a flag, timer_can_start, as member of struct smi_info. The flag is enabled immediately after initializing the timer and disabled immediately before waiting for timer deletion. Fixes: 0cfec916e86d ("ipmi: Start the timer and thread on internal msgs") Signed-off-by: Yamazaki Masamitsu <m-yamazaki(a)ah.jp.nec.com> [Some fairly major changes went into the IPMI driver in 4.15, so this required a backport as the code had changed and moved to a different file.] Signed-off-by: Corey Minyard <cminyard(a)mvista.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/char/ipmi/ipmi_si_intf.c | 44 ++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 21 deletions(-) --- a/drivers/char/ipmi/ipmi_si_intf.c +++ b/drivers/char/ipmi/ipmi_si_intf.c @@ -242,6 +242,9 @@ struct smi_info { /* The timer for this si. */ struct timer_list si_timer; + /* This flag is set, if the timer can be set */ + bool timer_can_start; + /* This flag is set, if the timer is running (timer_pending() isn't enough) */ bool timer_running; @@ -417,6 +420,8 @@ out: static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val) { + if (!smi_info->timer_can_start) + return; smi_info->last_timeout_jiffies = jiffies; mod_timer(&smi_info->si_timer, new_val); smi_info->timer_running = true; @@ -436,21 +441,18 @@ static void start_new_msg(struct smi_inf smi_info->handlers->start_transaction(smi_info->si_sm, msg, size); } -static void start_check_enables(struct smi_info *smi_info, bool start_timer) +static void start_check_enables(struct smi_info *smi_info) { unsigned char msg[2]; msg[0] = (IPMI_NETFN_APP_REQUEST << 2); msg[1] = IPMI_GET_BMC_GLOBAL_ENABLES_CMD; - if (start_timer) - start_new_msg(smi_info, msg, 2); - else - smi_info->handlers->start_transaction(smi_info->si_sm, msg, 2); + start_new_msg(smi_info, msg, 2); smi_info->si_state = SI_CHECKING_ENABLES; } -static void start_clear_flags(struct smi_info *smi_info, bool start_timer) +static void start_clear_flags(struct smi_info *smi_info) { unsigned char msg[3]; @@ -459,10 +461,7 @@ static void start_clear_flags(struct smi msg[1] = IPMI_CLEAR_MSG_FLAGS_CMD; msg[2] = WDT_PRE_TIMEOUT_INT; - if (start_timer) - start_new_msg(smi_info, msg, 3); - else - smi_info->handlers->start_transaction(smi_info->si_sm, msg, 3); + start_new_msg(smi_info, msg, 3); smi_info->si_state = SI_CLEARING_FLAGS; } @@ -497,11 +496,11 @@ static void start_getting_events(struct * Note that we cannot just use disable_irq(), since the interrupt may * be shared. */ -static inline bool disable_si_irq(struct smi_info *smi_info, bool start_timer) +static inline bool disable_si_irq(struct smi_info *smi_info) { if ((smi_info->irq) && (!smi_info->interrupt_disabled)) { smi_info->interrupt_disabled = true; - start_check_enables(smi_info, start_timer); + start_check_enables(smi_info); return true; } return false; @@ -511,7 +510,7 @@ static inline bool enable_si_irq(struct { if ((smi_info->irq) && (smi_info->interrupt_disabled)) { smi_info->interrupt_disabled = false; - start_check_enables(smi_info, true); + start_check_enables(smi_info); return true; } return false; @@ -529,7 +528,7 @@ static struct ipmi_smi_msg *alloc_msg_ha msg = ipmi_alloc_smi_msg(); if (!msg) { - if (!disable_si_irq(smi_info, true)) + if (!disable_si_irq(smi_info)) smi_info->si_state = SI_NORMAL; } else if (enable_si_irq(smi_info)) { ipmi_free_smi_msg(msg); @@ -545,7 +544,7 @@ retry: /* Watchdog pre-timeout */ smi_inc_stat(smi_info, watchdog_pretimeouts); - start_clear_flags(smi_info, true); + start_clear_flags(smi_info); smi_info->msg_flags &= ~WDT_PRE_TIMEOUT_INT; if (smi_info->intf) ipmi_smi_watchdog_pretimeout(smi_info->intf); @@ -928,7 +927,7 @@ restart: * disable and messages disabled. */ if (smi_info->supports_event_msg_buff || smi_info->irq) { - start_check_enables(smi_info, true); + start_check_enables(smi_info); } else { smi_info->curr_msg = alloc_msg_handle_irq(smi_info); if (!smi_info->curr_msg) @@ -1235,6 +1234,7 @@ static int smi_start_processing(void /* Set up the timer that drives the interface. */ setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi); + new_smi->timer_can_start = true; smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES); /* Try to claim any interrupts. */ @@ -3416,10 +3416,12 @@ static void check_for_broken_irqs(struct check_set_rcv_irq(smi_info); } -static inline void wait_for_timer_and_thread(struct smi_info *smi_info) +static inline void stop_timer_and_thread(struct smi_info *smi_info) { if (smi_info->thread != NULL) kthread_stop(smi_info->thread); + + smi_info->timer_can_start = false; if (smi_info->timer_running) del_timer_sync(&smi_info->si_timer); } @@ -3605,7 +3607,7 @@ static int try_smi_init(struct smi_info * Start clearing the flags before we enable interrupts or the * timer to avoid racing with the timer. */ - start_clear_flags(new_smi, false); + start_clear_flags(new_smi); /* * IRQ is defined to be set when non-zero. req_events will @@ -3674,7 +3676,7 @@ static int try_smi_init(struct smi_info return 0; out_err_stop_timer: - wait_for_timer_and_thread(new_smi); + stop_timer_and_thread(new_smi); out_err: new_smi->interrupt_disabled = true; @@ -3866,7 +3868,7 @@ static void cleanup_one_si(struct smi_in */ if (to_clean->irq_cleanup) to_clean->irq_cleanup(to_clean); - wait_for_timer_and_thread(to_clean); + stop_timer_and_thread(to_clean); /* * Timeouts are stopped, now make sure the interrupts are off @@ -3878,7 +3880,7 @@ static void cleanup_one_si(struct smi_in schedule_timeout_uninterruptible(1); } if (to_clean->handlers) - disable_si_irq(to_clean, false); + disable_si_irq(to_clean); while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) { poll(to_clean); schedule_timeout_uninterruptible(1); Patches currently in stable-queue which might be from m-yamazaki(a)ah.jp.nec.com are queue-4.14/ipmi-stop-timers-before-cleaning-up-the-module.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "fcntl: don't cap l_start and l_end values for F_GETLK64 in compat syscall" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled fcntl: don't cap l_start and l_end values for F_GETLK64 in compat syscall to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: fcntl-don-t-cap-l_start-and-l_end-values-for-f_getlk64-in-compat-syscall.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 4d2dc2cc766c3b51929658cacbc6e34fc8e242fb Mon Sep 17 00:00:00 2001 From: Jeff Layton <jlayton(a)redhat.com> Date: Tue, 14 Nov 2017 14:42:57 -0500 Subject: fcntl: don't cap l_start and l_end values for F_GETLK64 in compat syscall From: Jeff Layton <jlayton(a)redhat.com> commit 4d2dc2cc766c3b51929658cacbc6e34fc8e242fb upstream. Currently, we're capping the values too low in the F_GETLK64 case. The fields in that structure are 64-bit values, so we shouldn't need to do any sort of fixup there. Make sure we check that assumption at build time in the future however by ensuring that the sizes we're copying will fit. With this, we no longer need COMPAT_LOFF_T_MAX either, so remove it. Fixes: 94073ad77fff2 (fs/locks: don't mess with the address limit in compat_fcntl64) Reported-by: Vitaly Lipatov <lav(a)etersoft.ru> Signed-off-by: Jeff Layton <jlayton(a)redhat.com> Reviewed-by: David Howells <dhowells(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/arm64/include/asm/compat.h | 1 - arch/mips/include/asm/compat.h | 1 - arch/parisc/include/asm/compat.h | 1 - arch/powerpc/include/asm/compat.h | 1 - arch/s390/include/asm/compat.h | 1 - arch/sparc/include/asm/compat.h | 1 - arch/tile/include/asm/compat.h | 1 - arch/x86/include/asm/compat.h | 1 - fs/fcntl.c | 11 +++++------ 9 files changed, 5 insertions(+), 14 deletions(-) --- a/arch/arm64/include/asm/compat.h +++ b/arch/arm64/include/asm/compat.h @@ -215,7 +215,6 @@ typedef struct compat_siginfo { } compat_siginfo_t; #define COMPAT_OFF_T_MAX 0x7fffffff -#define COMPAT_LOFF_T_MAX 0x7fffffffffffffffL /* * A pointer passed in from user mode. This should not --- a/arch/mips/include/asm/compat.h +++ b/arch/mips/include/asm/compat.h @@ -200,7 +200,6 @@ typedef struct compat_siginfo { } compat_siginfo_t; #define COMPAT_OFF_T_MAX 0x7fffffff -#define COMPAT_LOFF_T_MAX 0x7fffffffffffffffL /* * A pointer passed in from user mode. This should not --- a/arch/parisc/include/asm/compat.h +++ b/arch/parisc/include/asm/compat.h @@ -195,7 +195,6 @@ typedef struct compat_siginfo { } compat_siginfo_t; #define COMPAT_OFF_T_MAX 0x7fffffff -#define COMPAT_LOFF_T_MAX 0x7fffffffffffffffL struct compat_ipc64_perm { compat_key_t key; --- a/arch/powerpc/include/asm/compat.h +++ b/arch/powerpc/include/asm/compat.h @@ -185,7 +185,6 @@ typedef struct compat_siginfo { } compat_siginfo_t; #define COMPAT_OFF_T_MAX 0x7fffffff -#define COMPAT_LOFF_T_MAX 0x7fffffffffffffffL /* * A pointer passed in from user mode. This should not --- a/arch/s390/include/asm/compat.h +++ b/arch/s390/include/asm/compat.h @@ -263,7 +263,6 @@ typedef struct compat_siginfo { #define si_overrun _sifields._timer._overrun #define COMPAT_OFF_T_MAX 0x7fffffff -#define COMPAT_LOFF_T_MAX 0x7fffffffffffffffL /* * A pointer passed in from user mode. This should not --- a/arch/sparc/include/asm/compat.h +++ b/arch/sparc/include/asm/compat.h @@ -209,7 +209,6 @@ typedef struct compat_siginfo { } compat_siginfo_t; #define COMPAT_OFF_T_MAX 0x7fffffff -#define COMPAT_LOFF_T_MAX 0x7fffffffffffffffL /* * A pointer passed in from user mode. This should not --- a/arch/tile/include/asm/compat.h +++ b/arch/tile/include/asm/compat.h @@ -173,7 +173,6 @@ typedef struct compat_siginfo { } compat_siginfo_t; #define COMPAT_OFF_T_MAX 0x7fffffff -#define COMPAT_LOFF_T_MAX 0x7fffffffffffffffL struct compat_ipc64_perm { compat_key_t key; --- a/arch/x86/include/asm/compat.h +++ b/arch/x86/include/asm/compat.h @@ -209,7 +209,6 @@ typedef struct compat_siginfo { } compat_siginfo_t; #define COMPAT_OFF_T_MAX 0x7fffffff -#define COMPAT_LOFF_T_MAX 0x7fffffffffffffffL struct compat_ipc64_perm { compat_key_t key; --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -563,6 +563,9 @@ static int put_compat_flock64(const stru { struct compat_flock64 fl; + BUILD_BUG_ON(sizeof(kfl->l_start) > sizeof(ufl->l_start)); + BUILD_BUG_ON(sizeof(kfl->l_len) > sizeof(ufl->l_len)); + memset(&fl, 0, sizeof(struct compat_flock64)); copy_flock_fields(&fl, kfl); if (copy_to_user(ufl, &fl, sizeof(struct compat_flock64))) @@ -641,12 +644,8 @@ COMPAT_SYSCALL_DEFINE3(fcntl64, unsigned if (err) break; err = fcntl_getlk(f.file, convert_fcntl_cmd(cmd), &flock); - if (err) - break; - err = fixup_compat_flock(&flock); - if (err) - return err; - err = put_compat_flock64(&flock, compat_ptr(arg)); + if (!err) + err = put_compat_flock64(&flock, compat_ptr(arg)); break; case F_SETLK: case F_SETLKW: Patches currently in stable-queue which might be from jlayton(a)redhat.com are queue-4.14/fcntl-don-t-cap-l_start-and-l_end-values-for-f_getlk64-in-compat-syscall.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] please pick 4d2dc2cc766c for v4.14 stable series

by Jeff Layton

Hi! I neglected to mark this patch for stable when I merged it, and it probably should have been, as Vitaly points out that locking for 32-bit apps running on a 64-bit kernel is broken. Can you pick this for v4.14 stable? commit: 4d2dc2cc766c3b51929658cacbc6e34fc8e242fb subject: fcntl: don't cap l_start and l_end values for F_GETLK64 in compat syscall Thanks! -- Jeff Layton <jlayton(a)kernel.org>

7 years, 9 months

2
1
0 0

[Linux-stable-mirror] [PATCH v4.4] more bio_map_user_iov() leak fixes

by Guenter Roeck

From: Al Viro <viro(a)zeniv.linux.org.uk> commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 upstream. we need to take care of failure exit as well - pages already in bio should be dropped by analogue of bio_unmap_pages(), since their refcounts had been bumped only once per reference in bio. Cc: stable(a)vger.kernel.org Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> --- Fixed conflicts. Intended for v4.4.y. Does not apply to v3.18.y or older kernels. block/bio.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/block/bio.c b/block/bio.c index 68bbc835bacc..63363a689922 100644 --- a/block/bio.c +++ b/block/bio.c @@ -1268,6 +1268,7 @@ struct bio *bio_map_user_iov(struct request_queue *q, int ret, offset; struct iov_iter i; struct iovec iov; + struct bio_vec *bvec; iov_for_each(iov, i, *iter) { unsigned long uaddr = (unsigned long) iov.iov_base; @@ -1312,7 +1313,12 @@ struct bio *bio_map_user_iov(struct request_queue *q, ret = get_user_pages_fast(uaddr, local_nr_pages, (iter->type & WRITE) != WRITE, &pages[cur_page]); - if (ret < local_nr_pages) { + if (unlikely(ret < local_nr_pages)) { + for (j = cur_page; j < page_limit; j++) { + if (!pages[j]) + break; + put_page(pages[j]); + } ret = -EFAULT; goto out_unmap; } @@ -1374,10 +1380,8 @@ struct bio *bio_map_user_iov(struct request_queue *q, return bio; out_unmap: - for (j = 0; j < nr_pages; j++) { - if (!pages[j]) - break; - page_cache_release(pages[j]); + bio_for_each_segment_all(bvec, bio, j) { + put_page(bvec->bv_page); } out: kfree(pages); -- 2.7.4

7 years, 9 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror