Hi Greg and Sasha,
Please apply the following mbox files to their respective trees. They
contain upstream patches that allow a tip of tree LLD to link an x86
kernel image as well as a patch to avoid using $(LD) to check for
the location of binutils, which won't always be accurate when linking
with LLD. This was tested with both the upstream defconfig and Android's
x86_64_cuttlefish_defconfig in their respective trees (building/linking
with both Clang/LLD and GCC/ld.bfd then booting in QEMU).
For 5.0, a simple cherry-pick of commit ad15006cc784 ("kbuild: clang:
choose GCC_TOOLCHAIN_DIR not on LD") will do.
Greg, the merge into kernel/common will result in two conflicts:
* Makefile:
Make the diff match upstream commit
ad15006cc784 ("kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD")
* arch/x86/entry/vdso/Makefile:
Take the right hand side, effectively replacing common commit
35b779802c2e ("x86: vdso: Fix leaky vdso linker with CC=clang.")
with the proper upstream commit
379d98ddf413 ("x86: vdso: Use $LD instead of $CC to link")
Also, while you are at it, would you mind picking up upstream commit
5f074f3e192f ("lib/string.c: implement a basic bcmp")? It is cc'd for
stable but it's worth mentioning now so we can stop carrying it out of
tree :)
Let me know if there are any issues, comments, or concerns,
Nathan
This is the start of the stable review cycle for the 4.19.35 release.
There are 101 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed Apr 17 18:36:40 UTC 2019.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.35-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.19.35-rc1
Marc Orr <marcorr(a)google.com>
KVM: x86: nVMX: fix x2APIC VTPR read intercept
Marc Orr <marcorr(a)google.com>
KVM: x86: nVMX: close leak of L0's x2APIC MSRs (CVE-2019-3887)
Erik Schmauss <erik.schmauss(a)intel.com>
ACPICA: AML interpreter: add region addresses in global list during initialization
Tomohiro Mayama <parly-gh(a)iris.mystia.org>
arm64: dts: rockchip: Fix vcc_host1_5v GPIO polarity on rk3328-rock64
Katsuhiro Suzuki <katsuhiro(a)katsuster.net>
arm64: dts: rockchip: fix vcc_host1_5v pin assign on rk3328-rock64
Mikulas Patocka <mpatocka(a)redhat.com>
dm integrity: fix deadlock with overlapping I/O
Ilya Dryomov <idryomov(a)gmail.com>
dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors
Mikulas Patocka <mpatocka(a)redhat.com>
dm: revert 8f50e358153d ("dm: limit the max bio size as BIO_MAX_PAGES * PAGE_SIZE")
Mikulas Patocka <mpatocka(a)redhat.com>
dm integrity: change memcmp to strncmp in dm_integrity_ctr
Sergey Miroshnichenko <s.miroshnichenko(a)yadro.com>
PCI: pciehp: Ignore Link State Changes after powering off a slot
Andre Przywara <andre.przywara(a)arm.com>
PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller
Lendacky, Thomas <Thomas.Lendacky(a)amd.com>
x86/perf/amd: Remove need to check "running" bit in NMI handler
Lendacky, Thomas <Thomas.Lendacky(a)amd.com>
x86/perf/amd: Resolve NMI latency issues for active PMCs
Lendacky, Thomas <Thomas.Lendacky(a)amd.com>
x86/perf/amd: Resolve race condition when disabling PMC
Alexander Potapenko <glider(a)google.com>
x86/asm: Use stricter assembly constraints in bitops
Rasmus Villemoes <linux(a)rasmusvillemoes.dk>
x86/asm: Remove dead __GNUC__ conditionals
Max Filippov <jcmvbkbc(a)gmail.com>
xtensa: fix return_address
Mel Gorman <mgorman(a)techsingularity.net>
sched/fair: Do not re-read ->h_load_next during hierarchical load calculation
Dan Carpenter <dan.carpenter(a)oracle.com>
xen: Prevent buffer overflow in privcmd ioctl
Will Deacon <will.deacon(a)arm.com>
arm64: backtrace: Don't bother trying to unwind the userspace stack
Peter Geis <pgwipeout(a)gmail.com>
arm64: dts: rockchip: fix rk3328 rgmii high tx error rate
Will Deacon <will.deacon(a)arm.com>
arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value
David Engraf <david.engraf(a)sysgo.com>
ARM: dts: at91: Fix typo in ISC_D0 on PC9
Peter Ujfalusi <peter.ujfalusi(a)ti.com>
ARM: dts: am335x-evm: Correct the regulators for the audio codec
Peter Ujfalusi <peter.ujfalusi(a)ti.com>
ARM: dts: am335x-evmsk: Correct the regulators for the audio codec
Jonas Karlman <jonas(a)kwiboo.se>
ARM: dts: rockchip: fix rk3288 cpu opp node reference
Cornelia Huck <cohuck(a)redhat.com>
virtio: Honour 'may_reduce_num' in vring_create_virtqueue
Kefeng Wang <wangkefeng.wang(a)huawei.com>
genirq: Initialize request_mutex if CONFIG_SPARSE_IRQ=n
Stephen Boyd <swboyd(a)chromium.org>
genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent()
Jason Yan <yanaijie(a)huawei.com>
block: fix the return errno for direct IO
Jérôme Glisse <jglisse(a)redhat.com>
block: do not leak memory in bio_copy_user_iov()
Dmitry V. Levin <ldv(a)altlinux.org>
riscv: Fix syscall_get_arguments() and syscall_set_arguments()
Anand Jain <anand.jain(a)oracle.com>
btrfs: prop: fix vanished compression property after failed set
Anand Jain <anand.jain(a)oracle.com>
btrfs: prop: fix zstd compression parameter validation
Filipe Manana <fdmanana(a)suse.com>
Btrfs: do not allow trimming when a fs is mounted with the nologreplay option
S.j. Wang <shengjiu.wang(a)nxp.com>
ASoC: fsl_esai: fix channel swap issue when stream starts
Guenter Roeck <linux(a)roeck-us.net>
ASoC: intel: Fix crash at suspend/resume after failed codec registration
Greg Thelen <gthelen(a)google.com>
mm: writeback: use exact memcg dirty counts
Arnd Bergmann <arnd(a)arndb.de>
include/linux/bitrev.h: fix constant bitrev
David Rientjes <rientjes(a)google.com>
kvm: svm: fix potential get_num_contig_pages overflow
Dave Airlie <airlied(a)redhat.com>
drm/udl: add a release method and delay modeset teardown
Yan Zhao <yan.y.zhao(a)intel.com>
drm/i915/gvt: do not deliver a workload if its creation fails
Andrei Vagin <avagin(a)gmail.com>
alarmtimer: Return correct remaining time
Sven Schnelle <svens(a)stackframe.org>
parisc: also set iaoq_b in instruction_pointer_set()
Sven Schnelle <svens(a)stackframe.org>
parisc: regs_return_value() should return gpr28
Helge Deller <deller(a)gmx.de>
parisc: Detect QEMU earlier in boot process
Peter Geis <pgwipeout(a)gmail.com>
arm64: dts: rockchip: fix rk3328 sdmmc0 write errors
Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com>
mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd()
Hui Wang <hui.wang(a)canonical.com>
ALSA: hda - Add two more machines to the power_save_blacklist
Richard Sailer <rs(a)tuxedocomputers.com>
ALSA: hda/realtek - Add quirk for Tuxedo XC 1509
Jian-Hong Pan <jian-hong(a)endlessm.com>
ALSA: hda/realtek: Enable headset MIC of Acer TravelMate B114-21 with ALC233
Zubin Mithra <zsm(a)chromium.org>
ALSA: seq: Fix OOB-reads from strlcpy
Erik Schmauss <erik.schmauss(a)intel.com>
ACPICA: Namespace: remove address node from global list after method termination
Furquan Shaikh <furquan(a)google.com>
ACPICA: Clear status of GPEs before enabling them
Axel Lin <axel.lin(a)ingics.com>
hwmon: (w83773g) Select REGMAP_I2C to fix build error
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
tty: ldisc: add sysctl to prevent autoloading of ldiscs
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
tty: mark Siemens R3964 line discipline as BROKEN
Yueyi Li <liyueyi(a)live.com>
arm64: kaslr: Reserve size of ARM64_MEMSTART_ALIGN in linear region
Florian Westphal <fw(a)strlen.de>
netfilter: nfnetlink_cttimeout: fetch timeouts for udplite and gre, too
Pablo Neira Ayuso <pablo(a)netfilter.org>
netfilter: nfnetlink_cttimeout: pass default timeout policy to obj_to_nlattr
Neil Armstrong <narmstrong(a)baylibre.com>
Revert "clk: meson: clean-up clock registration"
Nick Desaulniers <ndesaulniers(a)google.com>
lib/string.c: implement a basic bcmp
Nick Desaulniers <ndesaulniers(a)google.com>
x86/vdso: Drop implicit common-page-size linker flag
Nick Desaulniers <ndesaulniers(a)google.com>
kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD
Masahiro Yamada <yamada.masahiro(a)socionext.com>
kbuild: deb-pkg: fix bindeb-pkg breakage when O= is used
Huy Nguyen <huyn(a)mellanox.com>
net/mlx5e: Update xon formula
Huy Nguyen <huyn(a)mellanox.com>
net/mlx5e: Update xoff formula
Aditya Pakki <pakki001(a)umn.edu>
net: mlx5: Add a missing check on idr_find, free buf
Heiner Kallweit <hkallweit1(a)gmail.com>
r8169: disable default rx interrupt coalescing on RTL8168
Alexander Lobakin <alobakin(a)dlink.ru>
net: core: netif_receive_skb_list: unlist skb before passing to pt->func
Lorenzo Bianconi <lorenzo.bianconi(a)redhat.com>
net: ip6_gre: fix possible use-after-free in ip6erspan_rcv
Lorenzo Bianconi <lorenzo.bianconi(a)redhat.com>
net: ip_gre: fix possible use-after-free in erspan_rcv
Michael Chan <michael.chan(a)broadcom.com>
bnxt_en: Reset device on RX buffer errors.
Michael Chan <michael.chan(a)broadcom.com>
bnxt_en: Improve RX consumer index validity check.
Jakub Kicinski <jakub.kicinski(a)netronome.com>
nfp: disable netpoll on representors
Jakub Kicinski <jakub.kicinski(a)netronome.com>
nfp: validate the return code from dev_queue_xmit()
Yuval Avnery <yuvalav(a)mellanox.com>
net/mlx5e: Add a lock on tir list
Gavi Teitz <gavi(a)mellanox.com>
net/mlx5e: Fix error handling when refreshing TIRs
Stephen Suryaputra <ssuryaextr(a)gmail.com>
vrf: check accept_source_route on the original netdevice
Dust Li <dust.li(a)linux.alibaba.com>
tcp: fix a potential NULL pointer dereference in tcp_sk_exit
Koen De Schepper <koen.de_schepper(a)nokia-bell-labs.com>
tcp: Ensure DCTCP reacts to losses
Xin Long <lucien.xin(a)gmail.com>
sctp: initialize _pad of sockaddr_in before copying to user memory
Heiner Kallweit <hkallweit1(a)gmail.com>
r8169: disable ASPM again
Bjørn Mork <bjorn(a)mork.no>
qmi_wwan: add Olicard 600
Andrea Righi <andrea.righi(a)canonical.com>
openvswitch: fix flow actions reallocation
Nicolas Dichtel <nicolas.dichtel(a)6wind.com>
net/sched: fix ->get helper of the matchall cls
Davide Caratti <dcaratti(a)redhat.com>
net/sched: act_sample: fix divide by zero in the traffic path
Mao Wenan <maowenan(a)huawei.com>
net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().
Eric Dumazet <edumazet(a)google.com>
netns: provide pure entropy for net_hash_mix()
Artemy Kovalyov <artemyko(a)mellanox.com>
net/mlx5: Decrease default mr cache size
Steffen Klassert <steffen.klassert(a)secunet.com>
net-gro: Fix GRO flush when receiving a GSO packet.
Li RongQing <lirongqing(a)baidu.com>
net: ethtool: not call vzalloc for zero sized memory request
Jiri Slaby <jslaby(a)suse.cz>
kcm: switch order of device registration to fix a crash
Lorenzo Bianconi <lorenzo.bianconi(a)redhat.com>
ipv6: sit: reset ip header pointer in ipip6_rcv
Junwei Hu <hujunwei4(a)huawei.com>
ipv6: Fix dangling pointer when ipv6 fragment
Sheena Mira-ato <sheena.mira-ato(a)alliedtelesis.co.nz>
ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type
Thomas Falcon <tlfalcon(a)linux.ibm.com>
ibmvnic: Fix completion structure initialization
Haiyang Zhang <haiyangz(a)microsoft.com>
hv_netvsc: Fix unwanted wakeup after tx_disable
Breno Leitao <leitao(a)debian.org>
powerpc/tm: Limit TM code inside PPC_TRANSACTIONAL_MEM
Yan Zhao <yan.y.zhao(a)intel.com>
drm/i915/gvt: do not let pin count of shadow mm go negative
Jim Mattson <jmattson(a)google.com>
kvm: nVMX: NMI-window and interrupt-window exiting should wake L2 from HLT
-------------
Diffstat:
Makefile | 6 +-
arch/arm/boot/dts/am335x-evm.dts | 26 +++-
arch/arm/boot/dts/am335x-evmsk.dts | 26 +++-
arch/arm/boot/dts/rk3288.dtsi | 6 +-
arch/arm/boot/dts/sama5d2-pinfunc.h | 2 +-
arch/arm64/boot/dts/rockchip/rk3328-rock64.dts | 5 +-
arch/arm64/boot/dts/rockchip/rk3328.dtsi | 58 ++++-----
arch/arm64/include/asm/futex.h | 16 +--
arch/arm64/kernel/traps.c | 15 ++-
arch/arm64/mm/init.c | 2 +-
arch/parisc/include/asm/ptrace.h | 5 +-
arch/parisc/kernel/process.c | 6 -
arch/parisc/kernel/setup.c | 3 +
arch/powerpc/kernel/signal_64.c | 23 +++-
arch/riscv/include/asm/syscall.h | 12 +-
arch/x86/entry/vdso/Makefile | 4 +-
arch/x86/events/amd/core.c | 140 ++++++++++++++++++++-
arch/x86/events/core.c | 13 +-
arch/x86/include/asm/bitops.h | 47 +++----
arch/x86/include/asm/string_32.h | 20 ---
arch/x86/include/asm/string_64.h | 15 ---
arch/x86/include/asm/xen/hypercall.h | 3 +
arch/x86/kvm/svm.c | 10 +-
arch/x86/kvm/vmx.c | 84 ++++++++-----
arch/xtensa/kernel/stacktrace.c | 6 +-
block/bio.c | 5 +-
drivers/acpi/acpica/dsopcode.c | 4 +
drivers/acpi/acpica/evgpe.c | 6 +-
drivers/acpi/acpica/nsobject.c | 4 +
drivers/char/Kconfig | 2 +-
drivers/clk/meson/meson-aoclk.c | 15 +--
drivers/gpu/drm/i915/gvt/gtt.c | 2 +-
drivers/gpu/drm/i915/gvt/scheduler.c | 5 +-
drivers/gpu/drm/udl/udl_drv.c | 1 +
drivers/gpu/drm/udl/udl_drv.h | 1 +
drivers/gpu/drm/udl/udl_main.c | 8 +-
drivers/hwmon/Kconfig | 1 +
drivers/md/dm-integrity.c | 12 +-
drivers/md/dm-table.c | 39 ++++++
drivers/md/dm.c | 10 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 16 ++-
drivers/net/ethernet/ibm/ibmvnic.c | 5 +-
.../ethernet/mellanox/mlx5/core/en/port_buffer.c | 39 +++---
.../net/ethernet/mellanox/mlx5/core/en_common.c | 13 +-
drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 14 ++-
drivers/net/ethernet/mellanox/mlx5/core/main.c | 20 ---
drivers/net/ethernet/netronome/nfp/nfp_net_repr.c | 4 +-
drivers/net/ethernet/realtek/r8169.c | 8 +-
drivers/net/hyperv/hyperv_net.h | 1 +
drivers/net/hyperv/netvsc.c | 6 +-
drivers/net/hyperv/netvsc_drv.c | 32 ++++-
drivers/net/usb/qmi_wwan.c | 1 +
drivers/pci/hotplug/pciehp_ctrl.c | 4 +
drivers/pci/quirks.c | 2 +
drivers/tty/Kconfig | 24 ++++
drivers/tty/tty_io.c | 3 +
drivers/tty/tty_ldisc.c | 47 +++++++
drivers/virtio/virtio_ring.c | 2 +
fs/block_dev.c | 8 +-
fs/btrfs/ioctl.c | 10 ++
fs/btrfs/props.c | 8 +-
include/linux/bitrev.h | 46 +++----
include/linux/memcontrol.h | 5 +-
include/linux/mlx5/driver.h | 2 +
include/linux/netfilter/nf_conntrack_proto_gre.h | 13 ++
include/linux/string.h | 3 +
include/linux/virtio_ring.h | 2 +-
include/net/ip.h | 2 +-
include/net/net_namespace.h | 1 +
include/net/netns/hash.h | 10 +-
kernel/irq/chip.c | 4 +
kernel/irq/irqdesc.c | 1 +
kernel/sched/fair.c | 6 +-
kernel/time/alarmtimer.c | 2 +-
lib/string.c | 20 +++
mm/huge_memory.c | 36 ++++++
mm/memcontrol.c | 20 ++-
net/core/dev.c | 4 +-
net/core/ethtool.c | 46 ++++---
net/core/net_namespace.c | 1 +
net/core/skbuff.c | 2 +-
net/ipv4/ip_gre.c | 15 ++-
net/ipv4/ip_input.c | 7 +-
net/ipv4/ip_options.c | 4 +-
net/ipv4/tcp_dctcp.c | 36 +++---
net/ipv4/tcp_ipv4.c | 3 +-
net/ipv6/ip6_gre.c | 21 ++--
net/ipv6/ip6_output.c | 4 +-
net/ipv6/ip6_tunnel.c | 4 +-
net/ipv6/sit.c | 4 +
net/kcm/kcmsock.c | 16 +--
net/netfilter/nf_conntrack_proto_gre.c | 14 +--
net/netfilter/nfnetlink_cttimeout.c | 57 ++++++++-
net/openvswitch/flow_netlink.c | 4 +-
net/rds/tcp.c | 2 +-
net/sched/act_sample.c | 10 +-
net/sched/cls_matchall.c | 5 +
net/sctp/protocol.c | 1 +
scripts/package/builddeb | 2 +-
sound/core/seq/seq_clientmgr.c | 6 +-
sound/pci/hda/hda_intel.c | 4 +
sound/pci/hda/patch_realtek.c | 31 +++--
sound/soc/fsl/fsl_esai.c | 47 +++++--
sound/soc/intel/atom/sst-mfld-platform-pcm.c | 8 ++
.../tc-testing/tc-tests/actions/sample.json | 24 ++++
105 files changed, 1040 insertions(+), 450 deletions(-)
The patch below does not apply to the 4.14-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 432061b3da64e488be3403124a72a9250bbe96d4 Mon Sep 17 00:00:00 2001
From: Mikulas Patocka <mpatocka(a)redhat.com>
Date: Wed, 5 Sep 2018 09:17:45 -0400
Subject: [PATCH] dm: disable CRYPTO_TFM_REQ_MAY_SLEEP to fix a GFP_KERNEL
recursion deadlock
There's a XFS on dm-crypt deadlock, recursing back to itself due to the
crypto subsystem's use of GFP_KERNEL, reported here:
https://bugzilla.kernel.org/show_bug.cgi?id=200835
* dm-crypt calls crypt_convert in xts mode
* init_crypt from xts.c calls kmalloc(GFP_KERNEL)
* kmalloc(GFP_KERNEL) recurses into the XFS filesystem, the filesystem
tries to submit some bios and wait for them, causing a deadlock
Fix this by updating both the DM crypt and integrity targets to no
longer use the CRYPTO_TFM_REQ_MAY_SLEEP flag, which will change the
crypto allocations from GFP_KERNEL to GFP_ATOMIC, therefore they can't
recurse into a filesystem. A GFP_ATOMIC allocation can fail, but
init_crypt() in xts.c handles the allocation failure gracefully - it
will fall back to preallocated buffer if the allocation fails.
The crypto API maintainer says that the crypto API only needs to
allocate memory when dealing with unaligned buffers and therefore
turning CRYPTO_TFM_REQ_MAY_SLEEP off is safe (see this discussion:
https://www.redhat.com/archives/dm-devel/2018-August/msg00195.html )
Cc: stable(a)vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com>
Signed-off-by: Mike Snitzer <snitzer(a)redhat.com>
diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index f266c81f396f..0481223b1deb 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -332,7 +332,7 @@ static int crypt_iv_essiv_init(struct crypt_config *cc)
int err;
desc->tfm = essiv->hash_tfm;
- desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+ desc->flags = 0;
err = crypto_shash_digest(desc, cc->key, cc->key_size, essiv->salt);
shash_desc_zero(desc);
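Review bot: The bare `desc->flags = 0;` in crypt_iv_essiv_init() gives no hint that the sleep flag is left out on purpose, and the commit message justifies the allocation-failure case only for init_crypt() in xts.c, not for the shash digest path used here. Suggest a one-line comment at the assignment saying CRYPTO_TFM_REQ_MAY_SLEEP is omitted to avoid GFP_KERNEL recursion into the filesystem, plus a sentence in the changelog on how crypto_shash_digest() behaves if an atomic allocation fails.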
@@ -606,7 +606,7 @@ static int crypt_iv_lmk_one(struct crypt_config *cc, u8 *iv,
int i, r;
desc->tfm = lmk->hash_tfm;
- desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+ desc->flags = 0;
r = crypto_shash_init(desc);
if (r)
@@ -768,7 +768,7 @@ static int crypt_iv_tcw_whitening(struct crypt_config *cc,
/* calculate crc32 for every 32bit part and xor it */
desc->tfm = tcw->crc32_tfm;
- desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+ desc->flags = 0;
for (i = 0; i < 4; i++) {
r = crypto_shash_init(desc);
if (r)
@@ -1251,7 +1251,7 @@ static void crypt_alloc_req_skcipher(struct crypt_config *cc,
* requests if driver request queue is full.
*/
skcipher_request_set_callback(ctx->r.req,
- CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
+ CRYPTO_TFM_REQ_MAY_BACKLOG,
kcryptd_async_done, dmreq_of_req(cc, ctx->r.req));
}
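Review bot: In crypt_alloc_req_skcipher() the existing comment above the call still explains only the backlog case, so nothing at the call site records why CRYPTO_TFM_REQ_MAY_SLEEP was dropped. Extend that comment to say the flag must not be set because the resulting GFP_KERNEL allocation can recurse into a filesystem stacked on this device; the same wording applies to the aead variant in the next hunk.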
@@ -1268,7 +1268,7 @@ static void crypt_alloc_req_aead(struct crypt_config *cc,
* requests if driver request queue is full.
*/
aead_request_set_callback(ctx->r.req_aead,
- CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
+ CRYPTO_TFM_REQ_MAY_BACKLOG,
kcryptd_async_done, dmreq_of_req(cc, ctx->r.req_aead));
}
diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index 378878599466..89ccb64342de 100644
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -532,7 +532,7 @@ static void section_mac(struct dm_integrity_c *ic, unsigned section, __u8 result
unsigned j, size;
desc->tfm = ic->journal_mac;
- desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+ desc->flags = 0;
r = crypto_shash_init(desc);
if (unlikely(r)) {
@@ -676,7 +676,7 @@ static void complete_journal_encrypt(struct crypto_async_request *req, int err)
static bool do_crypt(bool encrypt, struct skcipher_request *req, struct journal_completion *comp)
{
int r;
- skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
+ skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
complete_journal_encrypt, comp);
if (likely(encrypt))
r = crypto_skcipher_encrypt(req);
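Review bot: In do_crypt() the request now runs without CRYPTO_TFM_REQ_MAY_SLEEP, but the changelog argues that a failed GFP_ATOMIC allocation is harmless only for xts.c and does not say which ciphers the dm-integrity journal path may use. Please state in the commit message that an -ENOMEM result from the journal encryption is handled rather than treated as a fatal journal error; the code after `r = crypto_skcipher_encrypt(req);` is not shown in this context, so it cannot be checked from the hunk.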
commit 3d7a850fdc1a2e4d2adbc95cc0fc962974725e88 upstream
The current approach to read first 6 bytes from the response and then tail
of the response, can cause the 2nd memcpy_fromio() to do an unaligned read
(e.g. read 32-bit word from address aligned to a 16-bits), depending on how
memcpy_fromio() is implemented. If this happens, the read will fail and the
memory controller will fill the read with 1's.
This was triggered by 170d13ca3a2f, which should be probably refined to
check and react to the address alignment. Before that commit, on x86
memcpy_fromio() turned out to be memcpy(). By luck, GCC has done the right
thing (from tpm_crb's perspective) for us so far, but we should not rely on
that. Thus, it makes sense to fix this also in tpm_crb, not least because
the fix can be then backported to stable kernels and make them more robust
when compiled in differing environments.
Cc: stable(a)vger.kernel.org
Cc: James Morris <jmorris(a)namei.org>
Cc: Tomas Winkler <tomas.winkler(a)intel.com>
Cc: Jerry Snitselaar <jsnitsel(a)redhat.com>
Fixes: 30fc8d138e91 ("tpm: TPM 2.0 CRB Interface")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com>
Reviewed-by: Jerry Snitselaar <jsnitsel(a)redhat.com>
Acked-by: Tomas Winkler <tomas.winkler(a)intel.com>
---
backport v4.9.99
drivers/char/tpm/tpm_crb.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index fa0f66809503..d29f78441cdb 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -102,19 +102,29 @@ static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count)
struct crb_priv *priv = dev_get_drvdata(&chip->dev);
unsigned int expected;
- /* sanity check */
- if (count < 6)
+ /* A sanity check that the upper layer wants to get at least the header
+ * as that is the minimum size for any TPM response.
+ */
+ if (count < TPM_HEADER_SIZE)
return -EIO;
+ /* If this bit is set, according to the spec, the TPM is in
+ * unrecoverable condition.
+ */
if (ioread32(&priv->cca->sts) & CRB_CTRL_STS_ERROR)
return -EIO;
- memcpy_fromio(buf, priv->rsp, 6);
- expected = be32_to_cpup((__be32 *) &buf[2]);
- if (expected > count || expected < 6)
+ /* Read the first 8 bytes in order to get the length of the response.
+ * We read exactly a quad word in order to make sure that the remaining
+ * reads will be aligned.
+ */
+ memcpy_fromio(buf, priv->rsp, 8);
+
+ expected = be32_to_cpup((__be32 *)&buf[2]);
+ if (expected > count || expected < TPM_HEADER_SIZE)
return -EIO;
- memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);
+ memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8);
return expected;
}
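Review bot: The new `memcpy_fromio(buf, priv->rsp, 8)` and `expected - 8` in crb_recv() are only safe while TPM_HEADER_SIZE is at least 8, because the guards are `count < TPM_HEADER_SIZE` and `expected < TPM_HEADER_SIZE`; with a smaller header size the first copy could overrun buf and the subtraction could wrap. The hunk does not show the constant's value, so tie the two together, for example with BUILD_BUG_ON(TPM_HEADER_SIZE < 8) or a named constant for the 8 with a comment. The added block comments also start their text on the `/*` line rather than putting `/*` on a line of its own.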
--
2.19.1
Hi
The patch a6dbe442755999960ca54a9b8ecfd9606be0ea75 ("vt: perform safe
console erase in the right order") introduces a bug.
In order to reproduce the bug
- use framebuffer console with the AMDGPU driver
- type "links" to start the console www browser
- press 'q' and space to exit links
--- now, the cursor line will be permanently visible in the center of the
screen. It will stay there until something overwrites it.
Before the patch, there was a call to do_update_region, the patch changes
it to update_region - and this seems to cause the bug with the cursor.
The bug goes away if we change update_region back to do_update_region.
Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com>
Cc: stable(a)vger.kernel.org
Fixes: a6dbe4427559 ("vt: perform safe console erase in the right order")
---
drivers/tty/vt/vt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: linux-5.0.5/drivers/tty/vt/vt.c
===================================================================
--- linux-5.0.5.orig/drivers/tty/vt/vt.c 2019-03-30 19:29:26.000000000 +0100
+++ linux-5.0.5/drivers/tty/vt/vt.c 2019-03-30 19:30:50.000000000 +0100
@@ -1518,7 +1518,7 @@ static void csi_J(struct vc_data *vc, in
return;
}
scr_memsetw(start, vc->vc_video_erase_char, 2 * count);
- update_region(vc, (unsigned long) start, count);
+ do_update_region(vc, (unsigned long) start, count);
vc->vc_need_wrap = 0;
}
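Review bot: The switch back to `do_update_region()` in csi_J() is justified in the changelog only by observation ("this seems to cause the bug"), without saying what update_region() does differently that leaves the cursor on screen. Please add the root cause to the commit message and a short comment at this call so that a later cleanup does not convert it to update_region() again.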
We need to compute the uart state only on the first open. This is
usually what is done in the ->install hook. serial_core used to do this
in ->open on every open. So move it to ->install.
As a side effect, it ensures the state is set properly in the window
after tty_init_dev is called, but before uart_open. This fixes a bunch
of races between tty_open and flush_to_ldisc we were dealing with
recently.
One of such bugs was attempted to fix in commit fedb5760648a (serial:
fix race between flush_to_ldisc and tty_open), but it only took care of
a couple of functions (uart_start and uart_unthrottle). I was able to
reproduce the crash on a SLE system, but in uart_write_room which is
also called from flush_to_ldisc via process_echoes. I was *unable* to
reproduce the bug locally. It is due to having this patch in my queue
since 2012!
general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 1 PID: 5 Comm: kworker/u4:0 Tainted: G L 4.12.14-396-default #1 SLE15-SP1 (unreleased)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c89-prebuilt.qemu.org 04/01/2014
Workqueue: events_unbound flush_to_ldisc
task: ffff8800427d8040 task.stack: ffff8800427f0000
RIP: 0010:uart_write_room+0xc4/0x590
RSP: 0018:ffff8800427f7088 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000002f RSI: 00000000000000ee RDI: ffff88003888bd90
RBP: ffffffffb9545850 R08: 0000000000000001 R09: 0000000000000400
R10: ffff8800427d825c R11: 000000000000006e R12: 1ffff100084fee12
R13: ffffc900004c5000 R14: ffff88003888bb28 R15: 0000000000000178
FS: 0000000000000000(0000) GS:ffff880043300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561da0794148 CR3: 000000000ebf4000 CR4: 00000000000006e0
Call Trace:
tty_write_room+0x6d/0xc0
__process_echoes+0x55/0x870
n_tty_receive_buf_common+0x105e/0x26d0
tty_ldisc_receive_buf+0xb7/0x1c0
tty_port_default_receive_buf+0x107/0x180
flush_to_ldisc+0x35d/0x5c0
...
0 in rbx means tty->driver_data is NULL in uart_write_room. 0x178 is
tried to be dereferenced (0x178 >> 3 is 0x2f in rdx) at
uart_write_room+0xc4. 0x178 is exactly (struct uart_state *)NULL->refcount
used in uart_port_lock from uart_write_room.
So revert the upstream commit here as my local patch should fix the
whole family.
Signed-off-by: Jiri Slaby <jslaby(a)suse.cz>
Cc: Li RongQing <lirongqing(a)baidu.com>
Cc: Wang Li <wangli39(a)baidu.com>
Cc: Zhang Yu <zhangyu31(a)baidu.com>
Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Cc: stable <stable(a)vger.kernel.org>
---
============================= NOTE =============================
Could you test your use-case at Baidu, guys, please?
drivers/tty/serial/serial_core.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index 7c787e517fa5..33319544d9d2 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -130,9 +130,6 @@ static void uart_start(struct tty_struct *tty)
struct uart_port *port;
unsigned long flags;
- if (!state)
- return;
-
port = uart_port_lock(state, flags);
__uart_start(tty);
uart_port_unlock(port, flags);
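Review bot: Dropping the `if (!state) return;` guard in uart_start() is a revert of commit fedb5760648a folded into a patch whose main change is adding ->install, and the changelog mentions it only in its last paragraph. Consider splitting the revert into its own patch, or naming it in the subject, so that a stable backport which takes only one half does not leave uart_start() passing a NULL state to uart_port_lock().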
@@ -730,9 +727,6 @@ static void uart_unthrottle(struct tty_struct *tty)
upstat_t mask = UPSTAT_SYNC_FIFO;
struct uart_port *port;
- if (!state)
- return;
-
port = uart_port_ref(state);
if (!port)
return;
@@ -1732,6 +1726,16 @@ static void uart_dtr_rts(struct tty_port *port, int raise)
uart_port_deref(uport);
}
+static int uart_install(struct tty_driver *driver, struct tty_struct *tty)
+{
+ struct uart_driver *drv = driver->driver_state;
+ struct uart_state *state = drv->state + tty->index;
+
+ tty->driver_data = state;
+
+ return tty_standard_install(driver, tty);
+}
+
/*
* Calls to uart_open are serialised by the tty_lock in
* drivers/tty/tty_io.c:tty_open()
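Review bot: uart_install() computes `drv->state + tty->index` and publishes it in tty->driver_data before `tty_standard_install()` has succeeded, and the new function carries no comment. Add a short comment saying driver_data has to be valid from ->install onward because flush_to_ldisc can call into the driver before uart_open(), and say whether leaving driver_data set when tty_standard_install() fails is intended.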
@@ -1744,11 +1748,8 @@ static void uart_dtr_rts(struct tty_port *port, int raise)
*/
static int uart_open(struct tty_struct *tty, struct file *filp)
{
- struct uart_driver *drv = tty->driver->driver_state;
- int retval, line = tty->index;
- struct uart_state *state = drv->state + line;
-
- tty->driver_data = state;
+ struct uart_state *state = tty->driver_data;
+ int retval;
retval = tty_port_open(&state->port, tty, filp);
if (retval > 0)
@@ -2433,6 +2434,7 @@ static void uart_poll_put_char(struct tty_driver *driver, int line, char ch)
#endif
static const struct tty_operations uart_ops = {
+ .install = uart_install,
.open = uart_open,
.close = uart_close,
.write = uart_write,
--
2.21.0
Once blk_cleanup_queue() returns, tags shouldn't be used any more,
because blk_mq_free_tag_set() may be called. Commit 45a9c9d909b2
("blk-mq: Fix a use-after-free") fixes this issue exactly.
However, that commit introduces another issue. Before 45a9c9d909b2,
we are allowed to run queue during cleaning up queue if the queue's
kobj refcount is held. After that commit, queue can't be run during
queue cleaning up, otherwise oops can be triggered easily because
some fields of hctx are freed by blk_mq_free_queue() in blk_cleanup_queue().
We have invented ways for addressing this kind of issue before, such as:
8dc765d438f1 ("SCSI: fix queue cleanup race before queue initialization is done")
c2856ae2f315 ("blk-mq: quiesce queue before freeing queue")
But still can't cover all cases, recently James reports another such
kind of issue:
https://marc.info/?l=linux-scsi&m=155389088124782&w=2
This issue can be quite hard to address by previous way, given
scsi_run_queue() may run requeues for other LUNs.
Fixes the above issue by freeing hctx's resources in its release handler, and this
way is safe because tags isn't needed for freeing such hctx resource.
This approach follows typical design pattern wrt. kobject's release handler.
Cc: Dongli Zhang <dongli.zhang(a)oracle.com>
Cc: James Smart <james.smart(a)broadcom.com>
Cc: Bart Van Assche <bart.vanassche(a)wdc.com>
Cc: linux-scsi(a)vger.kernel.org,
Cc: Martin K . Petersen <martin.petersen(a)oracle.com>,
Cc: Christoph Hellwig <hch(a)lst.de>,
Cc: James E . J . Bottomley <jejb(a)linux.vnet.ibm.com>,
Cc: jianchao wang <jianchao.w.wang(a)oracle.com>
Reported-by: James Smart <james.smart(a)broadcom.com>
Fixes: 45a9c9d909b2 ("blk-mq: Fix a use-after-free")
Cc: stable(a)vger.kernel.org
Signed-off-by: Ming Lei <ming.lei(a)redhat.com>
---
block/blk-core.c | 2 +-
block/blk-mq-sysfs.c | 6 ++++++
block/blk-mq.c | 8 ++------
block/blk-mq.h | 2 +-
4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/block/blk-core.c b/block/blk-core.c
index 93dc588fabe2..2dd94b3e9ece 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -374,7 +374,7 @@ void blk_cleanup_queue(struct request_queue *q)
blk_exit_queue(q);
if (queue_is_mq(q))
- blk_mq_free_queue(q);
+ blk_mq_exit_queue(q);
percpu_ref_exit(&q->q_usage_counter);
diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c
index 3f9c3f4ac44c..4040e62c3737 100644
--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -10,6 +10,7 @@
#include <linux/smp.h>
#include <linux/blk-mq.h>
+#include "blk.h"
#include "blk-mq.h"
#include "blk-mq-tag.h"
@@ -33,6 +34,11 @@ static void blk_mq_hw_sysfs_release(struct kobject *kobj)
{
struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx,
kobj);
+
+ if (hctx->flags & BLK_MQ_F_BLOCKING)
+ cleanup_srcu_struct(hctx->srcu);
+ blk_free_flush_queue(hctx->fq);
+ sbitmap_free(&hctx->ctx_map);
free_cpumask_var(hctx->cpumask);
kfree(hctx->ctxs);
kfree(hctx);
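Review bot: With this hunk blk_mq_hw_sysfs_release() calls cleanup_srcu_struct(), blk_free_flush_queue() and sbitmap_free() from the kobject release path, which runs wherever the last reference is dropped and would also run for an hctx whose setup did not complete. Please confirm these three calls are safe in that context and tolerate an hctx where hctx->fq or ctx_map was never set up, and record the answer in a comment above the new lines.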
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 55776a6e2586..239b404b9e6c 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -2273,12 +2273,7 @@ static void blk_mq_exit_hctx(struct request_queue *q,
if (set->ops->exit_hctx)
set->ops->exit_hctx(hctx, hctx_idx);
- if (hctx->flags & BLK_MQ_F_BLOCKING)
- cleanup_srcu_struct(hctx->srcu);
-
blk_mq_remove_cpuhp(hctx);
- blk_free_flush_queue(hctx->fq);
- sbitmap_free(&hctx->ctx_map);
}
static void blk_mq_exit_hw_queues(struct request_queue *q,
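Review bot: After this hunk blk_mq_exit_hctx() no longer releases hctx->srcu, hctx->fq or ctx_map, but nothing in the function says so. Add a comment here that the remaining hctx resources are freed in blk_mq_hw_sysfs_release(), so that an error path or a later caller does not assume exit leaves the hctx fully torn down.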
@@ -2913,7 +2908,8 @@ struct request_queue *blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
}
EXPORT_SYMBOL(blk_mq_init_allocated_queue);
-void blk_mq_free_queue(struct request_queue *q)
+/* tags can _not_ be used after returning from blk_mq_exit_queue */
+void blk_mq_exit_queue(struct request_queue *q)
{
struct blk_mq_tag_set *set = q->tag_set;
diff --git a/block/blk-mq.h b/block/blk-mq.h
index 423ea88ab6fb..633a5a77ee8b 100644
--- a/block/blk-mq.h
+++ b/block/blk-mq.h
@@ -37,7 +37,7 @@ struct blk_mq_ctx {
struct kobject kobj;
} ____cacheline_aligned_in_smp;
-void blk_mq_free_queue(struct request_queue *q);
+void blk_mq_exit_queue(struct request_queue *q);
int blk_mq_update_nr_requests(struct request_queue *q, unsigned int nr);
void blk_mq_wake_waiters(struct request_queue *q);
bool blk_mq_dispatch_rq_list(struct request_queue *, struct list_head *, bool);
--
2.9.5
Because bio_kmalloc uses inline iovecs, the limit on the number of entries
is not BIO_MAX_PAGES but rather UIO_MAX_IOV, which indeed is already checked
in bio_kmalloc. This could cause SG_IO requests to be truncated and the HBA
to report a DMA overrun.
Note that if the argument to iov_iter_npages were changed to UIO_MAX_IOV,
we would still truncate SG_IO requests beyond UIO_MAX_IOV pages. Changing
it to UIO_MAX_IOV + 1 instead ensures that bio_kmalloc notices that the
request is too big and blocks it.
Cc: stable(a)vger.kernel.org
Cc: Al Viro <viro(a)zeniv.linux.org.uk>
Fixes: b282cc766958 ("bio_map_user_iov(): get rid of the iov_for_each()", 2017-10-11)
Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com>
---
block/bio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/bio.c b/block/bio.c
index 4db1008309ed..cc1195f5af7a 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1299,7 +1299,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
if (!iov_iter_count(iter))
return ERR_PTR(-EINVAL);
- bio = bio_kmalloc(gfp_mask, iov_iter_npages(iter, BIO_MAX_PAGES));
+ bio = bio_kmalloc(gfp_mask, iov_iter_npages(iter, UIO_MAX_IOV + 1));
if (!bio)
return ERR_PTR(-ENOMEM);
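Review bot: The `UIO_MAX_IOV + 1` argument to iov_iter_npages() in bio_map_user_iov() reads like an off-by-one unless the reader knows the commit message; add a comment at the call saying the extra slot exists so that bio_kmalloc() rejects an oversize request instead of the page count being clamped silently. The rejection then surfaces through `if (!bio) return ERR_PTR(-ENOMEM);`, so a too-large SG_IO request is reported as out of memory; consider whether a size error would be clearer to callers.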
--
2.21.0
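
The clamp-then-validate behaviour described in the bio_map_user_iov() commit message above, as an added example that is not part of the patch or of the kernel source: a user-space model in which `model_npages`, `model_bio_kmalloc` and `model_map_user_iov` are hypothetical stand-ins for iov_iter_npages(), the limit check in bio_kmalloc() and the caller. It assumes the values 256 for BIO_MAX_PAGES and 1024 for UIO_MAX_IOV from kernels of that period.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed values from kernels of this period. */
#define BIO_MAX_PAGES 256
#define UIO_MAX_IOV   1024

enum map_result { MAP_OK, MAP_TRUNCATED, MAP_REJECTED };

/* Stand-in for iov_iter_npages(): pages the request needs, clamped to the
 * caller-supplied maximum. The clamp is silent; the caller cannot tell
 * whether it happened. */
static size_t model_npages(size_t pages_needed, size_t maxpages)
{
    return pages_needed < maxpages ? pages_needed : maxpages;
}

/* Stand-in for the size check in bio_kmalloc(): more than UIO_MAX_IOV
 * inline iovecs is refused (NULL bio, modelled as -1). Otherwise the bio
 * has exactly nr_iovecs slots. */
static long model_bio_kmalloc(size_t nr_iovecs)
{
    if (nr_iovecs > UIO_MAX_IOV)
        return -1;
    return (long)nr_iovecs;
}

/* Stand-in for the start of bio_map_user_iov() with a configurable cap.
 * MAP_TRUNCATED is the dangerous outcome: the bio is built, but it covers
 * fewer pages than the request asked for. */
static enum map_result model_map_user_iov(size_t pages_needed, size_t cap)
{
    long slots = model_bio_kmalloc(model_npages(pages_needed, cap));

    if (slots < 0)
        return MAP_REJECTED;
    return (size_t)slots < pages_needed ? MAP_TRUNCATED : MAP_OK;
}

static const char *result_name(enum map_result r)
{
    switch (r) {
    case MAP_OK:        return "ok";
    case MAP_TRUNCATED: return "TRUNCATED";
    default:            return "rejected";
    }
}

int main(void)
{
    /* Constructed request sizes, in pages. */
    static const size_t requests[] = { 200, 300, 1024, 1025, 2000 };
    static const size_t caps[] = {
        BIO_MAX_PAGES,      /* before the patch */
        UIO_MAX_IOV,        /* the variant the message warns about */
        UIO_MAX_IOV + 1,    /* the patch */
    };
    size_t c, r;

    for (c = 0; c < sizeof(caps) / sizeof(caps[0]); c++) {
        printf("cap %4zu:", caps[c]);
        for (r = 0; r < sizeof(requests) / sizeof(requests[0]); r++)
            printf("  %zu pages -> %s", requests[r],
                   result_name(model_map_user_iov(requests[r], caps[c])));
        printf("\n");
    }
    return 0;
}
```

Only the `UIO_MAX_IOV + 1` cap has no truncated outcome: every request either fits or reaches the allocator with a count it refuses.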