4.4-stable patches

added patches:
	s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch
	selinux-fix-memory-leak-in-policydb_init.patch
	xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch

diff --git a/queue-4.4/s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch b/queue-4.4/s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch
new file mode 100644 (file)
index 0000000..9d100f7
--- /dev/null
+++ b/queue-4.4/s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch
@@ -0,0 +1,73 @@
+From 41995342b40c418a47603e1321256d2c4a2ed0fb Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Thu, 1 Aug 2019 13:06:30 +0200
+Subject: s390/dasd: fix endless loop after read unit address configuration
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+commit 41995342b40c418a47603e1321256d2c4a2ed0fb upstream.
+
+After getting a storage server event that causes the DASD device driver
+to update its unit address configuration during a device shutdown there is
+the possibility of an endless loop in the device driver.
+
+In the system log there will be ongoing DASD error messages with RC: -19.
+
+The reason is that the loop starting the ruac request only terminates when
+the retry counter is decreased to 0. But in the sleep_on function there are
+early exit paths that do not decrease the retry counter.
+
+Prevent an endless loop by handling those cases separately.
+
+Remove the unnecessary do..while loop since the sleep_on function takes
+care of retries by itself.
+
+Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1")
+Cc: stable@vger.kernel.org # 2.6.25+
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/block/dasd_alias.c |   22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/s390/block/dasd_alias.c
++++ b/drivers/s390/block/dasd_alias.c
+@@ -396,6 +396,20 @@ suborder_not_supported(struct dasd_ccw_r
+       char msg_format;
+       char msg_no;
+ 
++      /*
++       * intrc values ENODEV, ENOLINK and EPERM
++       * will be optained from sleep_on to indicate that no
++       * IO operation can be started
++       */
++      if (cqr->intrc == -ENODEV)
++              return 1;
++
++      if (cqr->intrc == -ENOLINK)
++              return 1;
++
++      if (cqr->intrc == -EPERM)
++              return 1;
++
+       sense = dasd_get_sense(&cqr->irb);
+       if (!sense)
+               return 0;
+@@ -460,12 +474,8 @@ static int read_unit_address_configurati
+       lcu->flags &= ~NEED_UAC_UPDATE;
+       spin_unlock_irqrestore(&lcu->lock, flags);
+ 
+-      do {
+-              rc = dasd_sleep_on(cqr);
+-              if (rc && suborder_not_supported(cqr))
+-                      return -EOPNOTSUPP;
+-      } while (rc && (cqr->retries > 0));
+-      if (rc) {
++      rc = dasd_sleep_on(cqr);
++      if (rc && !suborder_not_supported(cqr)) {
+               spin_lock_irqsave(&lcu->lock, flags);
+               lcu->flags |= NEED_UAC_UPDATE;
+               spin_unlock_irqrestore(&lcu->lock, flags);

diff --git a/queue-4.4/selinux-fix-memory-leak-in-policydb_init.patch b/queue-4.4/selinux-fix-memory-leak-in-policydb_init.patch
new file mode 100644 (file)
index 0000000..3fb4ad1
--- /dev/null
+++ b/queue-4.4/selinux-fix-memory-leak-in-policydb_init.patch
@@ -0,0 +1,47 @@
+From 45385237f65aeee73641f1ef737d7273905a233f Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 25 Jul 2019 12:52:43 +0200
+Subject: selinux: fix memory leak in policydb_init()
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit 45385237f65aeee73641f1ef737d7273905a233f upstream.
+
+Since roles_init() adds some entries to the role hash table, we need to
+destroy also its keys/values on error, otherwise we get a memory leak in
+the error path.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+fee3a14d4cdf92646287@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/policydb.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -266,6 +266,8 @@ static int rangetr_cmp(struct hashtab *h
+       return v;
+ }
+ 
++static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap);
++
+ /*
+  * Initialize a policy database structure.
+  */
+@@ -313,8 +315,10 @@ static int policydb_init(struct policydb
+ out:
+       hashtab_destroy(p->filename_trans);
+       hashtab_destroy(p->range_tr);
+-      for (i = 0; i < SYM_NUM; i++)
++      for (i = 0; i < SYM_NUM; i++) {
++              hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
+               hashtab_destroy(p->symtab[i].table);
++      }
+       return rc;
+ }
+ 

diff --git a/queue-4.4/series b/queue-4.4/series
index 005c5641bd31cb368626445a683259f33d858d62..80fad8527fc31b5e7a4ce391642621ff9816cba2 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -17,3 +17,6 @@ coda-fix-build-using-bare-metal-toolchain.patch
 uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
 ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
 x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
+selinux-fix-memory-leak-in-policydb_init.patch
+s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch
+xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch

diff --git a/queue-4.4/xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch b/queue-4.4/xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch
new file mode 100644 (file)
index 0000000..ab0ba7c
--- /dev/null
+++ b/queue-4.4/xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch
@@ -0,0 +1,44 @@
+From 50f6393f9654c561df4cdcf8e6cfba7260143601 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Fri, 14 Jun 2019 07:46:02 +0200
+Subject: xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 50f6393f9654c561df4cdcf8e6cfba7260143601 upstream.
+
+The condition in xen_swiotlb_free_coherent() for deciding whether to
+call xen_destroy_contiguous_region() is wrong: in case the region to
+be freed is not contiguous calling xen_destroy_contiguous_region() is
+the wrong thing to do: it would result in inconsistent mappings of
+multiple PFNs to the same MFN. This will lead to various strange
+crashes or data corruption.
+
+Instead of calling xen_destroy_contiguous_region() in that case a
+warning should be issued as that situation should never occur.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/swiotlb-xen.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -365,8 +365,8 @@ xen_swiotlb_free_coherent(struct device
+       /* Convert the size to actually allocated. */
+       size = 1UL << (order + XEN_PAGE_SHIFT);
+ 
+-      if (((dev_addr + size - 1 <= dma_mask)) ||
+-          range_straddles_page_boundary(phys, size))
++      if (!WARN_ON((dev_addr + size - 1 > dma_mask) ||
++                   range_straddles_page_boundary(phys, size)))
+               xen_destroy_contiguous_region(phys, order);
+ 
+       xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs);