--- /dev/null
+From 8dd601fa8317243be887458c49f6c29c2f3d719f Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Thu, 15 Feb 2018 20:00:15 +1100
+Subject: dm: correctly handle chained bios in dec_pending()
+
+From: NeilBrown <neilb@suse.com>
+
+commit 8dd601fa8317243be887458c49f6c29c2f3d719f upstream.
+
+dec_pending() is given an error status (possibly 0) to be recorded
+against a bio. It can be called several times on the one 'struct
+dm_io', and it is careful to only assign a non-zero error to
+io->status. However when it then assigned io->status to bio->bi_status,
+it is not careful and could overwrite a genuine error status with 0.
+
+This can happen when chained bios are in use. If a bio is chained
+beneath the bio that this dm_io is handling, the child bio might
+complete and set bio->bi_status before the dm_io completes.
+
+This has been possible since chained bios were introduced in 3.14, and
+has become a lot easier to trigger with commit 18a25da84354 ("dm: ensure
+bio submission follows a depth-first tree walk") as that commit caused
+dm to start using chained bios itself.
+
+A particular failure mode is that if a bio spans an 'error' target and a
+working target, the 'error' fragment will complete instantly and set the
+->bi_status, and the other fragment will normally complete a little
+later, and will clear ->bi_status.
+
+The fix is simply to only assign io_error to bio->bi_status when
+io_error is not zero.
+
+Reported-and-tested-by: Milan Broz <gmazyland@gmail.com>
+Cc: stable@vger.kernel.org (v3.14+)
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/md/dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -809,7 +809,8 @@ static void dec_pending(struct dm_io *io
+ } else {
+ /* done with normal IO or empty flush */
+ trace_block_bio_complete(md->queue, bio, io_error);
+- bio->bi_error = io_error;
++ if (io_error)
++ bio->bi_error = io_error;
+ bio_endio(bio);
+ }
+ }
alsa-seq-fix-racy-pool-initializations.patch
mvpp2-fix-multicast-address-filter.patch
usb-move-usb_uhci_big_endian_-out-of-usb_support.patch
+dm-correctly-handle-chained-bios-in-dec_pending.patch
powerpc-fix-build-errors-in-stable-tree.patch
ib-qib-fix-comparison-error-with-qperf-compare-swap-test.patch
ib-mlx4-fix-incorrectly-releasing-steerable-ud-qps-when-have-only-eth-ports.patch
x86-cpu-rename-cpu_data.x86_mask-to-cpu_data.x86_stepping.patch
x86-spectre-fix-an-error-message.patch
x86-cpu-change-type-of-x86_cache_size-variable-to-unsigned-int.patch
+x86-fix-build-warnign-with-32-bit-pae.patch
+vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch
--- /dev/null
+From c0eb027e5aef70b71e5a38ee3e264dc0b497f343 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun, 2 Apr 2017 17:10:08 -0700
+Subject: vfs: don't do RCU lookup of empty pathnames
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit c0eb027e5aef70b71e5a38ee3e264dc0b497f343 upstream.
+
+Normal pathname lookup doesn't allow empty pathnames, but using
+AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you
+can trigger an empty pathname lookup.
+
+And not only is the RCU lookup in that case entirely unnecessary
+(because we'll obviously immediately finalize the end result), it is
+actively wrong.
+
+Why? An empth path is a special case that will return the original
+'dirfd' dentry - and that dentry may not actually be RCU-free'd,
+resulting in a potential use-after-free if we were to initialize the
+path lazily under the RCU read lock and depend on complete_walk()
+finalizing the dentry.
+
+Found by syzkaller and KASAN.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2138,6 +2138,9 @@ static const char *path_init(struct name
+ int retval = 0;
+ const char *s = nd->name->name;
+
++ if (!*s)
++ flags &= ~LOOKUP_RCU;
++
+ nd->last_type = LAST_ROOT; /* if there are only slashes... */
+ nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
+ nd->depth = 0;
--- /dev/null
+From arnd@arndb.de Wed Feb 21 10:34:37 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 15 Feb 2018 16:16:57 +0100
+Subject: x86: fix build warnign with 32-bit PAE
+To: stable@vger.kernel.org
+Cc: x86@kernel.org, Dave Hansen <dave.hansen@linux.intel.com>, Ben Hutchings <ben.hutchings@codethink.co.uk>, Arnd Bergmann <arnd@arndb.de>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Hugh Dickins <hughd@google.com>, Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
+Message-ID: <20180215151710.1473117-2-arnd@arndb.de>
+
+
+I ran into a 4.9 build warning in randconfig testing, starting with the
+KAISER patches:
+
+arch/x86/kernel/ldt.c: In function 'alloc_ldt_struct':
+arch/x86/include/asm/pgtable_types.h:208:24: error: large integer implicitly truncated to unsigned type [-Werror=overflow]
+ #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
+ ^
+arch/x86/kernel/ldt.c:81:6: note: in expansion of macro '__PAGE_KERNEL'
+ __PAGE_KERNEL);
+ ^~~~~~~~~~~~~
+
+I originally ran into this last year when the patches were part of linux-next,
+and tried to work around it by using the proper 'pteval_t' types consistently,
+but that caused additional problems.
+
+This takes a much simpler approach, and makes the argument type of the dummy
+helper always 64-bit, which is wide enough for any page table layout and
+won't hurt since this call is just an empty stub anyway.
+
+Fixes: 8f0baadf2bea ("kaiser: merged update")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Kees Cook <keescook@chromium.org>
+Acked-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kaiser.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/kaiser.h
++++ b/include/linux/kaiser.h
+@@ -32,7 +32,7 @@ static inline void kaiser_init(void)
+ {
+ }
+ static inline int kaiser_add_mapping(unsigned long addr,
+- unsigned long size, unsigned long flags)
++ unsigned long size, u64 flags)
+ {
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
