4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Aug 2018 17:04:14 +0000 (10:04 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Aug 2018 17:04:14 +0000 (10:04 -0700)
added patches:
arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
ext4-check-for-nul-characters-in-extended-attribute-s-name.patch
ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch
ext4-sysfs-print-ext4_super_block-fields-as-little-endian.patch
kprobes-arm64-fix-p-uses-in-error-messages.patch
s390-kvm-fix-deadlock-when-killed-by-oom.patch

queue-4.9/arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch [new file with mode: 0644]
queue-4.9/btrfs-don-t-leak-ret-from-do_chunk_alloc.patch [deleted file]
queue-4.9/ext4-check-for-nul-characters-in-extended-attribute-s-name.patch [new file with mode: 0644]
queue-4.9/ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch [new file with mode: 0644]
queue-4.9/ext4-sysfs-print-ext4_super_block-fields-as-little-endian.patch [new file with mode: 0644]
queue-4.9/kprobes-arm64-fix-p-uses-in-error-messages.patch [new file with mode: 0644]
queue-4.9/s390-kvm-fix-deadlock-when-killed-by-oom.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch b/queue-4.9/arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
new file mode 100644 (file)
index 0000000..0d159e4
--- /dev/null
@@ -0,0 +1,59 @@
+From 5ad356eabc47d26a92140a0c4b20eba471c10de3 Mon Sep 17 00:00:00 2001
+From: Greg Hackmann <ghackmann@android.com>
+Date: Wed, 15 Aug 2018 12:51:21 -0700
+Subject: arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
+
+From: Greg Hackmann <ghackmann@android.com>
+
+commit 5ad356eabc47d26a92140a0c4b20eba471c10de3 upstream.
+
+ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input
+before seeing if the PFN is valid.  This leads to false positives when
+some of the upper bits are set, but the lower bits match a valid PFN.
+
+For example, the following userspace code looks up a bogus entry in
+/proc/kpageflags:
+
+    int pagemap = open("/proc/self/pagemap", O_RDONLY);
+    int pageflags = open("/proc/kpageflags", O_RDONLY);
+    uint64_t pfn, val;
+
+    lseek64(pagemap, [...], SEEK_SET);
+    read(pagemap, &pfn, sizeof(pfn));
+    if (pfn & (1UL << 63)) {        /* valid PFN */
+        pfn &= ((1UL << 55) - 1);   /* clear flag bits */
+        pfn |= (1UL << 55);
+        lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET);
+        read(pageflags, &val, sizeof(val));
+    }
+
+On ARM64 this causes the userspace process to crash with SIGSEGV rather
+than reading (1 << KPF_NOPAGE).  kpageflags_read() treats the offset as
+valid, and stable_page_flags() will try to access an address between the
+user and kernel address ranges.
+
+Fixes: c1cc1552616d ("arm64: MMU initialisation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/init.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -147,7 +147,11 @@ static void __init zone_sizes_init(unsig
+ #ifdef CONFIG_HAVE_ARCH_PFN_VALID
+ int pfn_valid(unsigned long pfn)
+ {
+-      return memblock_is_map_memory(pfn << PAGE_SHIFT);
++      phys_addr_t addr = pfn << PAGE_SHIFT;
++
++      if ((addr >> PAGE_SHIFT) != pfn)
++              return 0;
++      return memblock_is_map_memory(addr);
+ }
+ EXPORT_SYMBOL(pfn_valid);
+ #endif
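Review bot: The round-trip test `if ((addr >> PAGE_SHIFT) != pfn)` is the whole fix, yet nothing in pfn_valid() says why a shift-and-compare is needed before memblock_is_map_memory(); I would put `/* Reject PFNs whose upper bits are lost in the shift: such a PFN can alias a real page and make pfn_valid() return a false positive */` above it. The commit message's /proc/kpageflags example (bit 55 set, low bits matching a mapped page) is exactly that aliasing and is worth referencing in the comment. The shift is evaluated in the width of `unsigned long` before the store into phys_addr_t, so the comparison catches truncation whichever of the two types is narrower; on arm64 both are 64-bit, so the check is effectively "no bit above the top of the physical address space was set".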
diff --git a/queue-4.9/btrfs-don-t-leak-ret-from-do_chunk_alloc.patch b/queue-4.9/btrfs-don-t-leak-ret-from-do_chunk_alloc.patch
deleted file mode 100644 (file)
index 1d3d639..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4559b0a71749c442d34f7cfb9e72c9e58db83948 Mon Sep 17 00:00:00 2001
-From: Josef Bacik <josef@toxicpanda.com>
-Date: Thu, 19 Jul 2018 10:49:51 -0400
-Subject: btrfs: don't leak ret from do_chunk_alloc
-
-From: Josef Bacik <josef@toxicpanda.com>
-
-commit 4559b0a71749c442d34f7cfb9e72c9e58db83948 upstream.
-
-If we're trying to make a data reservation and we have to allocate a
-data chunk we could leak ret == 1, as do_chunk_alloc() will return 1 if
-it allocated a chunk.  Since the end of the function is the success path
-just return 0.
-
-CC: stable@vger.kernel.org # 4.4+
-Signed-off-by: Josef Bacik <josef@toxicpanda.com>
-Reviewed-by: Nikolay Borisov <nborisov@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/btrfs/extent-tree.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/btrfs/extent-tree.c
-+++ b/fs/btrfs/extent-tree.c
-@@ -4258,7 +4258,7 @@ commit_trans:
-                                     data_sinfo->flags, bytes, 1);
-       spin_unlock(&data_sinfo->lock);
--      return ret;
-+      return 0;
- }
- /*
diff --git a/queue-4.9/ext4-check-for-nul-characters-in-extended-attribute-s-name.patch b/queue-4.9/ext4-check-for-nul-characters-in-extended-attribute-s-name.patch
new file mode 100644 (file)
index 0000000..5e7b09b
--- /dev/null
@@ -0,0 +1,38 @@
+From 7d95178c77014dbd8dce36ee40bbbc5e6c121ff5 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 1 Aug 2018 12:36:52 -0400
+Subject: ext4: check for NUL characters in extended attribute's name
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 7d95178c77014dbd8dce36ee40bbbc5e6c121ff5 upstream.
+
+Extended attribute names are defined to be NUL-terminated, so the name
+must not contain a NUL character.  This is important because there are
+places when remove extended attribute, the code uses strlen to
+determine the length of the entry.  That should probably be fixed at
+some point, but code is currently really messy, so the simplest fix
+for now is to simply validate that the extended attributes are sane.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200401
+
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/xattr.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -184,6 +184,8 @@ ext4_xattr_check_names(struct ext4_xattr
+               struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e);
+               if ((void *)next >= end)
+                       return -EFSCORRUPTED;
++              if (strnlen(e->e_name, e->e_name_len) != e->e_name_len)
++                      return -EFSCORRUPTED;
+               e = next;
+       }
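Review bot: The new `strnlen(e->e_name, e->e_name_len) != e->e_name_len` test has no comment, and on its own it reads like an odd way to spell a length check rather than a rejection of embedded NULs; I would add `/* e_name is not NUL-terminated on disk but callers use strlen() on it; an embedded NUL would make them under-read the entry */` above it, which is the reasoning the commit message gives. The bound is safe only because the preceding `next >= end` check has already validated that e_name_len bytes fit before `end` (EXT4_XATTR_NEXT presumably derives from e_name_len), so the comment should also say that ordering matters. An entry with e_name_len == 0 passes this test trivially; whether that is rejected elsewhere is not visible here. ext4_xattr_check_names() starts outside the hunk.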
diff --git a/queue-4.9/ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch b/queue-4.9/ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch
new file mode 100644 (file)
index 0000000..fae58f9
--- /dev/null
@@ -0,0 +1,37 @@
+From f39b3f45dbcb0343822cce31ea7636ad66e60bc2 Mon Sep 17 00:00:00 2001
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Sun, 29 Jul 2018 17:13:42 -0400
+Subject: ext4: reset error code in ext4_find_entry in fallback
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+commit f39b3f45dbcb0343822cce31ea7636ad66e60bc2 upstream.
+
+When ext4_find_entry() falls back to "searching the old fashioned
+way" due to a corrupt dx dir, it needs to reset the error code
+to NULL so that the nonstandard ERR_BAD_DX_DIR code isn't returned
+to userspace.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199947
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@yandex.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1415,6 +1415,7 @@ static struct buffer_head * ext4_find_en
+                       goto cleanup_and_exit;
+               dxtrace(printk(KERN_DEBUG "ext4_find_entry: dx failed, "
+                              "falling back\n"));
++              ret = NULL;
+       }
+       nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb);
+       if (!nblocks) {
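Review bot: `ret = NULL;` is a one-line fix whose intent is only recoverable from the commit message; a reader of namei.c will not know that `ret` still holds the ERR_PTR(ERR_BAD_DX_DIR) from the dx lookup at this point. I would write it as `ret = NULL;	/* discard ERR_BAD_DX_DIR; the linear scan below decides the result */` so the reset is not mistaken for dead code and removed. Where `ret` was assigned and how ERR_BAD_DX_DIR is encoded is outside the hunk, so that description is inferred from the commit message. ext4_find_entry() starts before L202 and continues past the hunk.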
diff --git a/queue-4.9/ext4-sysfs-print-ext4_super_block-fields-as-little-endian.patch b/queue-4.9/ext4-sysfs-print-ext4_super_block-fields-as-little-endian.patch
new file mode 100644 (file)
index 0000000..e93d90e
--- /dev/null
@@ -0,0 +1,59 @@
+From a4d2aadca184ece182418950d45ba4ffc7b652d2 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Sun, 29 Jul 2018 15:48:00 -0400
+Subject: ext4: sysfs: print ext4_super_block fields as little-endian
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit a4d2aadca184ece182418950d45ba4ffc7b652d2 upstream.
+
+While working on extended rand for last_error/first_error timestamps,
+I noticed that the endianess is wrong; we access the little-endian
+fields in struct ext4_super_block as native-endian when we print them.
+
+This adds a special case in ext4_attr_show() and ext4_attr_store()
+to byteswap the superblock fields if needed.
+
+In older kernels, this code was part of super.c, it got moved to
+sysfs.c in linux-4.4.
+
+Cc: stable@vger.kernel.org
+Fixes: 52c198c6820f ("ext4: add sysfs entry showing whether the fs contains errors")
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/sysfs.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/sysfs.c
++++ b/fs/ext4/sysfs.c
+@@ -277,8 +277,12 @@ static ssize_t ext4_attr_show(struct kob
+       case attr_pointer_ui:
+               if (!ptr)
+                       return 0;
+-              return snprintf(buf, PAGE_SIZE, "%u\n",
+-                              *((unsigned int *) ptr));
++              if (a->attr_ptr == ptr_ext4_super_block_offset)
++                      return snprintf(buf, PAGE_SIZE, "%u\n",
++                                      le32_to_cpup(ptr));
++              else
++                      return snprintf(buf, PAGE_SIZE, "%u\n",
++                                      *((unsigned int *) ptr));
+       case attr_pointer_atomic:
+               if (!ptr)
+                       return 0;
+@@ -311,7 +315,10 @@ static ssize_t ext4_attr_store(struct ko
+               ret = kstrtoul(skip_spaces(buf), 0, &t);
+               if (ret)
+                       return ret;
+-              *((unsigned int *) ptr) = t;
++              if (a->attr_ptr == ptr_ext4_super_block_offset)
++                      *((__le32 *) ptr) = cpu_to_le32(t);
++              else
++                      *((unsigned int *) ptr) = t;
+               return len;
+       case attr_inode_readahead:
+               return inode_readahead_blks_store(a, sbi, buf, len);
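Review bot: The store path still parses with `kstrtoul(skip_spaces(buf), 0, &t)` into an `unsigned long` and then narrows to 32 bits in the new `cpu_to_le32(t)` (and in the unchanged `*((unsigned int *) ptr) = t`), so a value above UINT_MAX written to one of these sysfs files is silently truncated rather than rejected. The truncation predates this patch, but the new line makes the 32-bit width explicit and is a good place to fix it: declare `unsigned int t;` and use `ret = kstrtouint(skip_spaces(buf), 0, &t);`, which returns -ERANGE for out-of-range input. The declaration of `t` is outside the hunk, and these attributes are presumably root-writable, so this is a robustness point rather than a privilege concern. The show side is fine: `le32_to_cpup(ptr)` accepts the `void *` implicitly and the `ptr_ext4_super_block_offset` test is the right discriminator.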
diff --git a/queue-4.9/kprobes-arm64-fix-p-uses-in-error-messages.patch b/queue-4.9/kprobes-arm64-fix-p-uses-in-error-messages.patch
new file mode 100644 (file)
index 0000000..89cd329
--- /dev/null
@@ -0,0 +1,52 @@
+From 0722867dcbc28cc9b269b57acd847c7c1aa638d6 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sat, 28 Apr 2018 21:38:04 +0900
+Subject: kprobes/arm64: Fix %p uses in error messages
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 0722867dcbc28cc9b269b57acd847c7c1aa638d6 upstream.
+
+Fix %p uses in error messages by removing it because
+those are redundant or meaningless.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
+Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: David Howells <dhowells@redhat.com>
+Cc: David S . Miller <davem@davemloft.net>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Jon Medhurst <tixy@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Thomas Richter <tmricht@linux.ibm.com>
+Cc: Tobin C . Harding <me@tobin.cc>
+Cc: acme@kernel.org
+Cc: akpm@linux-foundation.org
+Cc: brueckner@linux.vnet.ibm.com
+Cc: linux-arch@vger.kernel.org
+Cc: rostedt@goodmis.org
+Cc: schwidefsky@de.ibm.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/lkml/152491908405.9916.12425053035317241111.stgit@devbox
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/probes/kprobes.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/probes/kprobes.c
++++ b/arch/arm64/kernel/probes/kprobes.c
+@@ -274,7 +274,7 @@ static int __kprobes reenter_kprobe(stru
+               break;
+       case KPROBE_HIT_SS:
+       case KPROBE_REENTER:
+-              pr_warn("Unrecoverable kprobe detected at %p.\n", p->addr);
++              pr_warn("Unrecoverable kprobe detected.\n");
+               dump_kprobe(p);
+               BUG();
+               break;
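Review bot: Dropping `%p` from the pr_warn() removes a raw kernel text address from the log (on 4.9, %p is not hashed, so p->addr was printed verbatim), but the call to `dump_kprobe(p)` immediately below is defined elsewhere and, if this tree's version still prints `kp->addr` with `%p`, the same address reaches the log one line later; that should be checked before considering the leak closed in this branch. If the location is still wanted for diagnosing the BUG(), `pr_warn("Unrecoverable kprobe detected at %pS.\n", p->addr);` keeps the symbolic position without exposing a raw pointer. reenter_kprobe() starts before the hunk and its other cases are not visible here.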
diff --git a/queue-4.9/s390-kvm-fix-deadlock-when-killed-by-oom.patch b/queue-4.9/s390-kvm-fix-deadlock-when-killed-by-oom.patch
new file mode 100644 (file)
index 0000000..303d550
--- /dev/null
@@ -0,0 +1,40 @@
+From 306d6c49ac9ded11114cb53b0925da52f2c2ada1 Mon Sep 17 00:00:00 2001
+From: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Date: Mon, 16 Jul 2018 10:38:57 +0200
+Subject: s390/kvm: fix deadlock when killed by oom
+
+From: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+
+commit 306d6c49ac9ded11114cb53b0925da52f2c2ada1 upstream.
+
+When the oom killer kills a userspace process in the page fault handler
+while in guest context, the fault handler fails to release the mm_sem
+if the FAULT_FLAG_RETRY_NOWAIT option is set. This leads to a deadlock
+when tearing down the mm when the process terminates. This bug can only
+happen when pfault is enabled, so only KVM clients are affected.
+
+The problem arises in the rare cases in which handle_mm_fault does not
+release the mm_sem. This patch fixes the issue by manually releasing
+the mm_sem when needed.
+
+Fixes: 24eb3a824c4f3 ("KVM: s390: Add FAULT_FLAG_RETRY_NOWAIT for guest fault")
+Cc: <stable@vger.kernel.org> # 3.15+
+Signed-off-by: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/mm/fault.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -462,6 +462,8 @@ retry:
+       /* No reason to continue if interrupted by SIGKILL. */
+       if ((fault & VM_FAULT_RETRY) && fatal_signal_pending(current)) {
+               fault = VM_FAULT_SIGNAL;
++              if (flags & FAULT_FLAG_RETRY_NOWAIT)
++                      goto out_up;
+               goto out;
+       }
+       if (unlikely(fault & VM_FAULT_ERROR))
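Review bot: The added `if (flags & FAULT_FLAG_RETRY_NOWAIT) goto out_up;` is correct per the commit message but encodes a non-obvious contract: with NOWAIT set, handle_mm_fault() returns VM_FAULT_RETRY without dropping mmap_sem, so this path must release it itself. I would put `/* with FAULT_FLAG_RETRY_NOWAIT, handle_mm_fault() returns VM_FAULT_RETRY without dropping mmap_sem; release it here */` above the test so the asymmetry with the following `goto out;` is not "cleaned up" later. The `out_up` and `out` labels and the rest of the retry handling are outside the hunk, so whether every VM_FAULT_RETRY exit now releases the semaphore cannot be confirmed from here.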
index 7f14ed7984384b46873158c7446ad2bdbf1bc115..5748b2b9085100aed731b01763d086ad93bf8757 100644 (file)
@@ -55,5 +55,10 @@ smb3-enumerating-snapshots-was-leaving-part-of-the-data-off-end.patch
 smb3-do-not-send-smb3-set_info-if-nothing-changed.patch
 smb3-don-t-request-leases-in-symlink-creation-and-query.patch
 smb3-fill-in-statfs-fsid-and-correct-namelen.patch
-btrfs-don-t-leak-ret-from-do_chunk_alloc.patch
+kprobes-arm64-fix-p-uses-in-error-messages.patch
+arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
+s390-kvm-fix-deadlock-when-killed-by-oom.patch
+ext4-check-for-nul-characters-in-extended-attribute-s-name.patch
+ext4-sysfs-print-ext4_super_block-fields-as-little-endian.patch
+ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch
 bpf-arm32-fix-stack-var-offset-in-jit.patch