From: Greg Kroah-Hartman Date: Thu, 5 Jul 2018 18:15:35 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.14.54~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d83ce693e5805a76207e5087b9b123a692f31d8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: afs-fix-directory-permissions-check.patch arm-dts-imx6q-use-correct-sdma-script-for-spi5-core.patch atm-zatm-fix-memcmp-casting.patch fs-clear-writeback-errors-in-inode_init_always.patch ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch mtd-rawnand-fix-return-value-check-for-bad-block-status.patch net-dsa-b53-add-bcm5389-support.patch net-qmi_wwan-add-netgear-aircard-779s.patch net-sonic-use-dma_mapping_error.patch netfilter-ebtables-handle-string-from-userspace-with-care.patch netfilter-nft_limit-fix-packet-ratelimiting.patch perf-bpf-fix-null-return-handling-in-bpf__prepare_load.patch perf-test-session-topology-dumps-core-on-s390.patch platform-x86-asus-wmi-fix-null-pointer-dereference.patch s390-dasd-use-blk_mq_rq_from_pdu-for-per-request-data.patch sched-core-fix-rules-for-running-on-online-active-cpus.patch sched-core-require-cpu_active-in-select_task_rq-for-user-tasks.patch xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch --- diff --git a/queue-4.14/afs-fix-directory-permissions-check.patch b/queue-4.14/afs-fix-directory-permissions-check.patch new file mode 100644 index 00000000000..301da2680ec --- /dev/null +++ b/queue-4.14/afs-fix-directory-permissions-check.patch @@ -0,0 +1,69 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: David Howells +Date: Wed, 16 May 2018 21:25:46 +0100 +Subject: afs: Fix directory permissions check + +From: David Howells + +[ Upstream commit 378831e4daec75fbba6d3612bcf3b4dd00ddbf08 ] + +Doing faccessat("/afs/some/directory", 0) triggers a BUG in the permissions +check code. + +Fix this by just removing the BUG section. If no permissions are asked +for, just return okay if the file exists. + +Also: + + (1) Split up the directory check so that it has separate if-statements + rather than if-else-if (e.g. checking for MAY_EXEC shouldn't skip the + check for MAY_READ and MAY_WRITE). + + (2) Check for MAY_CHDIR as MAY_EXEC. + +Without the main fix, the following BUG may occur: + + kernel BUG at fs/afs/security.c:386! + invalid opcode: 0000 [#1] SMP PTI + ... + RIP: 0010:afs_permission+0x19d/0x1a0 [kafs] + ... + Call Trace: + ? inode_permission+0xbe/0x180 + ? do_faccessat+0xdc/0x270 + ? do_syscall_64+0x60/0x1f0 + ? entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 00d3b7a4533e ("[AFS]: Add security support.") +Reported-by: Jonathan Billings +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/security.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/fs/afs/security.c ++++ b/fs/afs/security.c +@@ -323,18 +323,14 @@ int afs_permission(struct inode *inode, + mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file"); + + if (S_ISDIR(inode->i_mode)) { +- if (mask & MAY_EXEC) { ++ if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) { + if (!(access & AFS_ACE_LOOKUP)) + goto permission_denied; +- } else if (mask & MAY_READ) { +- if (!(access & AFS_ACE_LOOKUP)) +- goto permission_denied; +- } else if (mask & MAY_WRITE) { ++ } ++ if (mask & MAY_WRITE) { + if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ + AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ + goto permission_denied; +- } else { +- BUG(); + } + } else { + if (!(access & AFS_ACE_LOOKUP)) diff --git a/queue-4.14/arm-dts-imx6q-use-correct-sdma-script-for-spi5-core.patch b/queue-4.14/arm-dts-imx6q-use-correct-sdma-script-for-spi5-core.patch new file mode 100644 index 00000000000..951096f511d --- /dev/null +++ b/queue-4.14/arm-dts-imx6q-use-correct-sdma-script-for-spi5-core.patch @@ -0,0 +1,41 @@ +From df07101e1c4a29e820df02f9989a066988b160e6 Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Tue, 22 May 2018 19:45:09 +0200 +Subject: ARM: dts: imx6q: Use correct SDMA script for SPI5 core + +From: Sean Nyekjaer + +commit df07101e1c4a29e820df02f9989a066988b160e6 upstream. + +According to the reference manual the shp_2_mcu / mcu_2_shp +scripts must be used for devices connected through the SPBA. + +This fixes an issue we saw with DMA transfers. +Sometimes the SPI controller RX FIFO was not empty after a DMA +transfer and the driver got stuck in the next PIO transfer when +it read one word more than expected. + +commit dd4b487b32a35 ("ARM: dts: imx6: Use correct SDMA script +for SPI cores") is fixing the same issue but only for SPI1 - 4. + +Fixes: 677940258dd8e ("ARM: dts: imx6q: enable dma for ecspi5") +Signed-off-by: Sean Nyekjaer +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx6q.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/imx6q.dtsi ++++ b/arch/arm/boot/dts/imx6q.dtsi +@@ -96,7 +96,7 @@ + clocks = <&clks IMX6Q_CLK_ECSPI5>, + <&clks IMX6Q_CLK_ECSPI5>; + clock-names = "ipg", "per"; +- dmas = <&sdma 11 7 1>, <&sdma 12 7 2>; ++ dmas = <&sdma 11 8 1>, <&sdma 12 8 2>; + dma-names = "rx", "tx"; + status = "disabled"; + }; diff --git a/queue-4.14/atm-zatm-fix-memcmp-casting.patch b/queue-4.14/atm-zatm-fix-memcmp-casting.patch new file mode 100644 index 00000000000..32872d4647d --- /dev/null +++ b/queue-4.14/atm-zatm-fix-memcmp-casting.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Ivan Bornyakov +Date: Fri, 25 May 2018 20:49:52 +0300 +Subject: atm: zatm: fix memcmp casting + +From: Ivan Bornyakov + +[ Upstream commit f9c6442a8f0b1dde9e755eb4ff6fa22bcce4eabc ] + +memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One +can lose significant bits and get 0 from non-0 value returned by the +memcmp(). + +Signed-off-by: Ivan Bornyakov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/atm/zatm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -1151,8 +1151,8 @@ static void eprom_get_byte(struct zatm_d + } + + +-static unsigned char eprom_try_esi(struct atm_dev *dev, unsigned short cmd, +- int offset, int swap) ++static int eprom_try_esi(struct atm_dev *dev, unsigned short cmd, int offset, ++ int swap) + { + unsigned char buf[ZEPROM_SIZE]; + struct zatm_dev *zatm_dev; diff --git a/queue-4.14/fs-clear-writeback-errors-in-inode_init_always.patch b/queue-4.14/fs-clear-writeback-errors-in-inode_init_always.patch new file mode 100644 index 00000000000..3536079bfa2 --- /dev/null +++ b/queue-4.14/fs-clear-writeback-errors-in-inode_init_always.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: "Darrick J. Wong" +Date: Wed, 30 May 2018 19:43:53 -0700 +Subject: fs: clear writeback errors in inode_init_always + +From: "Darrick J. Wong" + +[ Upstream commit 829bc787c1a0403e4d886296dd4d90c5f9c1744a ] + +In inode_init_always(), we clear the inode mapping flags, which clears +any retained error (AS_EIO, AS_ENOSPC) bits. Unfortunately, we do not +also clear wb_err, which means that old mapping errors can leak through +to new inodes. + +This is crucial for the XFS inode allocation path because we recycle old +in-core inodes and we do not want error state from an old file to leak +into the new file. This bug was discovered by running generic/036 and +generic/047 in a loop and noticing that the EIOs generated by the +collision of direct and buffered writes in generic/036 would survive the +remount between 036 and 047, and get reported to the fsyncs (on +different files!) in generic/047. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Jeff Layton +Reviewed-by: Brian Foster +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -177,6 +177,7 @@ int inode_init_always(struct super_block + mapping->a_ops = &empty_aops; + mapping->host = inode; + mapping->flags = 0; ++ mapping->wb_err = 0; + atomic_set(&mapping->i_mmap_writable, 0); + mapping_set_gfp_mask(mapping, GFP_HIGHUSER_MOVABLE); + mapping->private_data = NULL; diff --git a/queue-4.14/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch b/queue-4.14/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch new file mode 100644 index 00000000000..0a4de51a184 --- /dev/null +++ b/queue-4.14/ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch @@ -0,0 +1,146 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Julian Anastasov +Date: Sat, 19 May 2018 18:22:35 +0300 +Subject: ipvs: fix buffer overflow with sync daemon and service + +From: Julian Anastasov + +[ Upstream commit 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a ] + +syzkaller reports for buffer overflow for interface name +when starting sync daemons [1] + +What we do is that we copy user structure into larger stack +buffer but later we search NUL past the stack buffer. +The same happens for sched_name when adding/editing virtual server. + +We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN +being used as size in include/uapi/linux/ip_vs.h, so they +include the space for NUL. + +As using strlcpy is wrong for unsafe source, replace it with +strscpy and add checks to return EINVAL if source string is not +NUL-terminated. The incomplete strlcpy fix comes from 2.6.13. + +For the netlink interface reduce the len parameter for +IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME, +so that we get proper EINVAL. + +[1] +kernel BUG at lib/string.c:1052! +invalid opcode: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051 +RSP: 0018:ffff8801c976f800 EFLAGS: 00010282 +RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000 +RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6 +RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0 +R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20 +R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b +FS: 00007fd99f75e700(0000) GS:ffff8801daf00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + strlen include/linux/string.h:270 [inline] + strlcpy include/linux/string.h:293 [inline] + do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388 + nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] + nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115 + ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253 + udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487 + ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917 + tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057 + sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046 + __sys_setsockopt+0x1bd/0x390 net/socket.c:1903 + __do_sys_setsockopt net/socket.c:1914 [inline] + __se_sys_setsockopt net/socket.c:1911 [inline] + __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911 + do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x447369 +RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 +RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369 +RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000 +R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0 +R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001 +Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb +de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90 +90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56 +RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800 + +Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com +Fixes: e4ff67513096 ("ipvs: add sync_maxlen parameter for the sync daemon") +Fixes: 4da62fc70d7c ("[IPVS]: Fix for overflows") +Signed-off-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipvs/ip_vs_ctl.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2384,8 +2384,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cm + struct ipvs_sync_daemon_cfg cfg; + + memset(&cfg, 0, sizeof(cfg)); +- strlcpy(cfg.mcast_ifn, dm->mcast_ifn, +- sizeof(cfg.mcast_ifn)); ++ ret = -EINVAL; ++ if (strscpy(cfg.mcast_ifn, dm->mcast_ifn, ++ sizeof(cfg.mcast_ifn)) <= 0) ++ goto out_dec; + cfg.syncid = dm->syncid; + ret = start_sync_thread(ipvs, &cfg, dm->state); + } else { +@@ -2423,12 +2425,19 @@ do_ip_vs_set_ctl(struct sock *sk, int cm + } + } + ++ if ((cmd == IP_VS_SO_SET_ADD || cmd == IP_VS_SO_SET_EDIT) && ++ strnlen(usvc.sched_name, IP_VS_SCHEDNAME_MAXLEN) == ++ IP_VS_SCHEDNAME_MAXLEN) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } ++ + /* Check for valid protocol: TCP or UDP or SCTP, even for fwmark!=0 */ + if (usvc.protocol != IPPROTO_TCP && usvc.protocol != IPPROTO_UDP && + usvc.protocol != IPPROTO_SCTP) { +- pr_err("set_ctl: invalid protocol: %d %pI4:%d %s\n", ++ pr_err("set_ctl: invalid protocol: %d %pI4:%d\n", + usvc.protocol, &usvc.addr.ip, +- ntohs(usvc.port), usvc.sched_name); ++ ntohs(usvc.port)); + ret = -EFAULT; + goto out_unlock; + } +@@ -2850,7 +2859,7 @@ static const struct nla_policy ip_vs_cmd + static const struct nla_policy ip_vs_daemon_policy[IPVS_DAEMON_ATTR_MAX + 1] = { + [IPVS_DAEMON_ATTR_STATE] = { .type = NLA_U32 }, + [IPVS_DAEMON_ATTR_MCAST_IFN] = { .type = NLA_NUL_STRING, +- .len = IP_VS_IFNAME_MAXLEN }, ++ .len = IP_VS_IFNAME_MAXLEN - 1 }, + [IPVS_DAEMON_ATTR_SYNC_ID] = { .type = NLA_U32 }, + [IPVS_DAEMON_ATTR_SYNC_MAXLEN] = { .type = NLA_U16 }, + [IPVS_DAEMON_ATTR_MCAST_GROUP] = { .type = NLA_U32 }, +@@ -2868,7 +2877,7 @@ static const struct nla_policy ip_vs_svc + [IPVS_SVC_ATTR_PORT] = { .type = NLA_U16 }, + [IPVS_SVC_ATTR_FWMARK] = { .type = NLA_U32 }, + [IPVS_SVC_ATTR_SCHED_NAME] = { .type = NLA_NUL_STRING, +- .len = IP_VS_SCHEDNAME_MAXLEN }, ++ .len = IP_VS_SCHEDNAME_MAXLEN - 1 }, + [IPVS_SVC_ATTR_PE_NAME] = { .type = NLA_NUL_STRING, + .len = IP_VS_PENAME_MAXLEN }, + [IPVS_SVC_ATTR_FLAGS] = { .type = NLA_BINARY, diff --git a/queue-4.14/iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch b/queue-4.14/iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch new file mode 100644 index 00000000000..168e0c9ff0e --- /dev/null +++ b/queue-4.14/iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch @@ -0,0 +1,71 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Hao Wei Tee +Date: Tue, 29 May 2018 10:25:17 +0300 +Subject: iwlwifi: pcie: compare with number of IRQs requested for, not number of CPUs + +From: Hao Wei Tee + +[ Upstream commit ab1068d6866e28bf6427ceaea681a381e5870a4a ] + +When there are 16 or more logical CPUs, we request for +`IWL_MAX_RX_HW_QUEUES` (16) IRQs only as we limit to that number of +IRQs, but later on we compare the number of IRQs returned to +nr_online_cpus+2 instead of max_irqs, the latter being what we +actually asked for. This ends up setting num_rx_queues to 17 which +causes lots of out-of-bounds array accesses later on. + +Compare to max_irqs instead, and also add an assertion in case +num_rx_queues > IWM_MAX_RX_HW_QUEUES. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199551 + +Fixes: 2e5d4a8f61dc ("iwlwifi: pcie: Add new configuration to enable MSIX") +Signed-off-by: Hao Wei Tee +Tested-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -1499,14 +1499,13 @@ static void iwl_pcie_set_interrupt_capa( + struct iwl_trans *trans) + { + struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans); +- int max_irqs, num_irqs, i, ret, nr_online_cpus; ++ int max_irqs, num_irqs, i, ret; + u16 pci_cmd; + + if (!trans->cfg->mq_rx_supported) + goto enable_msi; + +- nr_online_cpus = num_online_cpus(); +- max_irqs = min_t(u32, nr_online_cpus + 2, IWL_MAX_RX_HW_QUEUES); ++ max_irqs = min_t(u32, num_online_cpus() + 2, IWL_MAX_RX_HW_QUEUES); + for (i = 0; i < max_irqs; i++) + trans_pcie->msix_entries[i].entry = i; + +@@ -1532,16 +1531,17 @@ static void iwl_pcie_set_interrupt_capa( + * Two interrupts less: non rx causes shared with FBQ and RSS. + * More than two interrupts: we will use fewer RSS queues. + */ +- if (num_irqs <= nr_online_cpus) { ++ if (num_irqs <= max_irqs - 2) { + trans_pcie->trans->num_rx_queues = num_irqs + 1; + trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX | + IWL_SHARED_IRQ_FIRST_RSS; +- } else if (num_irqs == nr_online_cpus + 1) { ++ } else if (num_irqs == max_irqs - 1) { + trans_pcie->trans->num_rx_queues = num_irqs; + trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX; + } else { + trans_pcie->trans->num_rx_queues = num_irqs - 1; + } ++ WARN_ON(trans_pcie->trans->num_rx_queues > IWL_MAX_RX_HW_QUEUES); + + trans_pcie->alloc_vecs = num_irqs; + trans_pcie->msix_enabled = true; diff --git a/queue-4.14/mtd-rawnand-fix-return-value-check-for-bad-block-status.patch b/queue-4.14/mtd-rawnand-fix-return-value-check-for-bad-block-status.patch new file mode 100644 index 00000000000..990b9aa16c0 --- /dev/null +++ b/queue-4.14/mtd-rawnand-fix-return-value-check-for-bad-block-status.patch @@ -0,0 +1,39 @@ +From e9893e6fa932f42c90c4ac5849fa9aa0f0f00a34 Mon Sep 17 00:00:00 2001 +From: Abhishek Sahu +Date: Wed, 13 Jun 2018 14:32:36 +0530 +Subject: mtd: rawnand: fix return value check for bad block status + +From: Abhishek Sahu + +commit e9893e6fa932f42c90c4ac5849fa9aa0f0f00a34 upstream. + +Positive return value from read_oob() is making false BAD +blocks. For some of the NAND controllers, OOB bytes will be +protected with ECC and read_oob() will return number of bitflips. +If there is any bitflip in ECC protected OOB bytes for BAD block +status page, then that block is getting treated as BAD. + +Fixes: c120e75e0e7d ("mtd: nand: use read_oob() instead of cmdfunc() for bad block check") +Cc: +Signed-off-by: Abhishek Sahu +Reviewed-by: Miquel Raynal +Signed-off-by: Boris Brezillon +[backported to 4.14.y] +Signed-off-by: Abhishek Sahu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/nand_base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -440,7 +440,7 @@ static int nand_block_bad(struct mtd_inf + + for (; page < page_end; page++) { + res = chip->ecc.read_oob(mtd, chip, page); +- if (res) ++ if (res < 0) + return res; + + bad = chip->oob_poi[chip->badblockpos]; diff --git a/queue-4.14/net-dsa-b53-add-bcm5389-support.patch b/queue-4.14/net-dsa-b53-add-bcm5389-support.patch new file mode 100644 index 00000000000..25f8c934fd7 --- /dev/null +++ b/queue-4.14/net-dsa-b53-add-bcm5389-support.patch @@ -0,0 +1,100 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: "Damien Thébault" +Date: Thu, 31 May 2018 07:04:01 +0000 +Subject: net: dsa: b53: Add BCM5389 support + +From: "Damien Thébault" + +[ Upstream commit a95691bc54af1ac4b12c354f91e9cabf1cb068df ] + +This patch adds support for the BCM5389 switch connected through MDIO. + +Signed-off-by: Damien Thébault +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/net/dsa/b53.txt | 1 + + drivers/net/dsa/b53/b53_common.c | 13 +++++++++++++ + drivers/net/dsa/b53/b53_mdio.c | 5 ++++- + drivers/net/dsa/b53/b53_priv.h | 1 + + 4 files changed, 19 insertions(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/net/dsa/b53.txt ++++ b/Documentation/devicetree/bindings/net/dsa/b53.txt +@@ -10,6 +10,7 @@ Required properties: + "brcm,bcm53128" + "brcm,bcm5365" + "brcm,bcm5395" ++ "brcm,bcm5389" + "brcm,bcm5397" + "brcm,bcm5398" + +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1550,6 +1550,18 @@ static const struct b53_chip_data b53_sw + .duplex_reg = B53_DUPLEX_STAT_FE, + }, + { ++ .chip_id = BCM5389_DEVICE_ID, ++ .dev_name = "BCM5389", ++ .vlans = 4096, ++ .enabled_ports = 0x1f, ++ .arl_entries = 4, ++ .cpu_port = B53_CPU_PORT, ++ .vta_regs = B53_VTA_REGS, ++ .duplex_reg = B53_DUPLEX_STAT_GE, ++ .jumbo_pm_reg = B53_JUMBO_PORT_MASK, ++ .jumbo_size_reg = B53_JUMBO_MAX_SIZE, ++ }, ++ { + .chip_id = BCM5395_DEVICE_ID, + .dev_name = "BCM5395", + .vlans = 4096, +@@ -1872,6 +1884,7 @@ int b53_switch_detect(struct b53_device + else + dev->chip_id = BCM5365_DEVICE_ID; + break; ++ case BCM5389_DEVICE_ID: + case BCM5395_DEVICE_ID: + case BCM5397_DEVICE_ID: + case BCM5398_DEVICE_ID: +--- a/drivers/net/dsa/b53/b53_mdio.c ++++ b/drivers/net/dsa/b53/b53_mdio.c +@@ -285,6 +285,7 @@ static const struct b53_io_ops b53_mdio_ + #define B53_BRCM_OUI_1 0x0143bc00 + #define B53_BRCM_OUI_2 0x03625c00 + #define B53_BRCM_OUI_3 0x00406000 ++#define B53_BRCM_OUI_4 0x01410c00 + + static int b53_mdio_probe(struct mdio_device *mdiodev) + { +@@ -311,7 +312,8 @@ static int b53_mdio_probe(struct mdio_de + */ + if ((phy_id & 0xfffffc00) != B53_BRCM_OUI_1 && + (phy_id & 0xfffffc00) != B53_BRCM_OUI_2 && +- (phy_id & 0xfffffc00) != B53_BRCM_OUI_3) { ++ (phy_id & 0xfffffc00) != B53_BRCM_OUI_3 && ++ (phy_id & 0xfffffc00) != B53_BRCM_OUI_4) { + dev_err(&mdiodev->dev, "Unsupported device: 0x%08x\n", phy_id); + return -ENODEV; + } +@@ -360,6 +362,7 @@ static const struct of_device_id b53_of_ + { .compatible = "brcm,bcm53125" }, + { .compatible = "brcm,bcm53128" }, + { .compatible = "brcm,bcm5365" }, ++ { .compatible = "brcm,bcm5389" }, + { .compatible = "brcm,bcm5395" }, + { .compatible = "brcm,bcm5397" }, + { .compatible = "brcm,bcm5398" }, +--- a/drivers/net/dsa/b53/b53_priv.h ++++ b/drivers/net/dsa/b53/b53_priv.h +@@ -48,6 +48,7 @@ struct b53_io_ops { + enum { + BCM5325_DEVICE_ID = 0x25, + BCM5365_DEVICE_ID = 0x65, ++ BCM5389_DEVICE_ID = 0x89, + BCM5395_DEVICE_ID = 0x95, + BCM5397_DEVICE_ID = 0x97, + BCM5398_DEVICE_ID = 0x98, diff --git a/queue-4.14/net-qmi_wwan-add-netgear-aircard-779s.patch b/queue-4.14/net-qmi_wwan-add-netgear-aircard-779s.patch new file mode 100644 index 00000000000..5900602068c --- /dev/null +++ b/queue-4.14/net-qmi_wwan-add-netgear-aircard-779s.patch @@ -0,0 +1,30 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Josh Hill +Date: Sun, 27 May 2018 20:10:41 -0400 +Subject: net: qmi_wwan: Add Netgear Aircard 779S + +From: Josh Hill + +[ Upstream commit 2415f3bd059fe050eb98aedf93664d000ceb4e92 ] + +Add support for Netgear Aircard 779S + +Signed-off-by: Josh Hill +Acked-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1103,6 +1103,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)}, + {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */ + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, ++ {QMI_FIXED_INTF(0x0846, 0x68d3, 8)}, /* Netgear Aircard 779S */ + {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ + {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ + {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */ diff --git a/queue-4.14/net-sonic-use-dma_mapping_error.patch b/queue-4.14/net-sonic-use-dma_mapping_error.patch new file mode 100644 index 00000000000..333380967de --- /dev/null +++ b/queue-4.14/net-sonic-use-dma_mapping_error.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Finn Thain +Date: Wed, 30 May 2018 13:03:51 +1000 +Subject: net/sonic: Use dma_mapping_error() + +From: Finn Thain + +[ Upstream commit 26de0b76d9ba3200f09c6cb9d9618bda338be5f7 ] + +With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the +message, "DMA-API: device driver failed to check map error". +Add the missing dma_mapping_error() call. + +Cc: Thomas Bogendoerfer +Signed-off-by: Finn Thain +Acked-by: Thomas Bogendoerfer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/natsemi/sonic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/natsemi/sonic.c ++++ b/drivers/net/ethernet/natsemi/sonic.c +@@ -71,7 +71,7 @@ static int sonic_open(struct net_device + for (i = 0; i < SONIC_NUM_RRS; i++) { + dma_addr_t laddr = dma_map_single(lp->device, skb_put(lp->rx_skb[i], SONIC_RBSIZE), + SONIC_RBSIZE, DMA_FROM_DEVICE); +- if (!laddr) { ++ if (dma_mapping_error(lp->device, laddr)) { + while(i > 0) { /* free any that were mapped successfully */ + i--; + dma_unmap_single(lp->device, lp->rx_laddr[i], SONIC_RBSIZE, DMA_FROM_DEVICE); diff --git a/queue-4.14/netfilter-ebtables-handle-string-from-userspace-with-care.patch b/queue-4.14/netfilter-ebtables-handle-string-from-userspace-with-care.patch new file mode 100644 index 00000000000..a8f19a9e220 --- /dev/null +++ b/queue-4.14/netfilter-ebtables-handle-string-from-userspace-with-care.patch @@ -0,0 +1,100 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Paolo Abeni +Date: Fri, 27 Apr 2018 10:45:31 +0200 +Subject: netfilter: ebtables: handle string from userspace with care + +From: Paolo Abeni + +[ Upstream commit 94c752f99954797da583a84c4907ff19e92550a4 ] + +strlcpy() can't be safely used on a user-space provided string, +as it can try to read beyond the buffer's end, if the latter is +not NULL terminated. + +Leveraging the above, syzbot has been able to trigger the following +splat: + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 +[inline] +BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user +net/bridge/netfilter/ebtables.c:1957 [inline] +BUG: KASAN: stack-out-of-bounds in ebt_size_mwt +net/bridge/netfilter/ebtables.c:2059 [inline] +BUG: KASAN: stack-out-of-bounds in size_entry_mwt +net/bridge/netfilter/ebtables.c:2155 [inline] +BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0 +net/bridge/netfilter/ebtables.c:2194 +Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504 + +CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1b9/0x294 lib/dump_stack.c:113 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline] + ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline] + size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline] + compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194 + compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285 + compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367 + compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline] + compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156 + compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279 + inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041 + compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901 + compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050 + __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403 + __do_compat_sys_setsockopt net/compat.c:416 [inline] + __se_compat_sys_setsockopt net/compat.c:413 [inline] + __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413 + do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline] + do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394 + entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 +RIP: 0023:0xf7fb3cb9 +RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000 +RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +The buggy address belongs to the page: +page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x2fffc0000000000() +raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff +raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000 +page dumped because: kasan: bad access detected + +Fix the issue replacing the unsafe function with strscpy() and +taking care of possible errors. + +Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") +Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/netfilter/ebtables.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1950,7 +1950,8 @@ static int compat_mtw_from_user(struct c + int off, pad = 0; + unsigned int size_kern, match_size = mwt->match_size; + +- strlcpy(name, mwt->u.name, sizeof(name)); ++ if (strscpy(name, mwt->u.name, sizeof(name)) < 0) ++ return -EINVAL; + + if (state->buf_kern_start) + dst = state->buf_kern_start + state->buf_kern_offset; diff --git a/queue-4.14/netfilter-nft_limit-fix-packet-ratelimiting.patch b/queue-4.14/netfilter-nft_limit-fix-packet-ratelimiting.patch new file mode 100644 index 00000000000..291ec96791b --- /dev/null +++ b/queue-4.14/netfilter-nft_limit-fix-packet-ratelimiting.patch @@ -0,0 +1,116 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Pablo Neira Ayuso +Date: Wed, 16 May 2018 22:58:33 +0200 +Subject: netfilter: nft_limit: fix packet ratelimiting + +From: Pablo Neira Ayuso + +[ Upstream commit 3e0f64b7dd3149f75e8652ff1df56cffeedc8fc1 ] + +Credit calculations for the packet ratelimiting are not correct, as per +the applied ratelimit of 25/second and burst 8, a total of 33 packets +should have been accepted. This is true in iptables(33) but not in +nftables (~65). For packet ratelimiting, use: + + div_u64(limit->nsecs, limit->rate) * limit->burst; + +to calculate credit, just like in iptables' xt_limit does. + +Moreover, use default burst in iptables, users are expecting similar +behaviour. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_limit.c | 38 ++++++++++++++++++++++++-------------- + 1 file changed, 24 insertions(+), 14 deletions(-) + +--- a/net/netfilter/nft_limit.c ++++ b/net/netfilter/nft_limit.c +@@ -51,10 +51,13 @@ static inline bool nft_limit_eval(struct + return !limit->invert; + } + ++/* Use same default as in iptables. */ ++#define NFT_LIMIT_PKT_BURST_DEFAULT 5 ++ + static int nft_limit_init(struct nft_limit *limit, +- const struct nlattr * const tb[]) ++ const struct nlattr * const tb[], bool pkts) + { +- u64 unit; ++ u64 unit, tokens; + + if (tb[NFTA_LIMIT_RATE] == NULL || + tb[NFTA_LIMIT_UNIT] == NULL) +@@ -68,18 +71,25 @@ static int nft_limit_init(struct nft_lim + + if (tb[NFTA_LIMIT_BURST]) + limit->burst = ntohl(nla_get_be32(tb[NFTA_LIMIT_BURST])); +- else +- limit->burst = 0; ++ ++ if (pkts && limit->burst == 0) ++ limit->burst = NFT_LIMIT_PKT_BURST_DEFAULT; + + if (limit->rate + limit->burst < limit->rate) + return -EOVERFLOW; + +- /* The token bucket size limits the number of tokens can be +- * accumulated. tokens_max specifies the bucket size. +- * tokens_max = unit * (rate + burst) / rate. +- */ +- limit->tokens = div_u64(limit->nsecs * (limit->rate + limit->burst), +- limit->rate); ++ if (pkts) { ++ tokens = div_u64(limit->nsecs, limit->rate) * limit->burst; ++ } else { ++ /* The token bucket size limits the number of tokens can be ++ * accumulated. tokens_max specifies the bucket size. ++ * tokens_max = unit * (rate + burst) / rate. ++ */ ++ tokens = div_u64(limit->nsecs * (limit->rate + limit->burst), ++ limit->rate); ++ } ++ ++ limit->tokens = tokens; + limit->tokens_max = limit->tokens; + + if (tb[NFTA_LIMIT_FLAGS]) { +@@ -144,7 +154,7 @@ static int nft_limit_pkts_init(const str + struct nft_limit_pkts *priv = nft_expr_priv(expr); + int err; + +- err = nft_limit_init(&priv->limit, tb); ++ err = nft_limit_init(&priv->limit, tb, true); + if (err < 0) + return err; + +@@ -185,7 +195,7 @@ static int nft_limit_bytes_init(const st + { + struct nft_limit *priv = nft_expr_priv(expr); + +- return nft_limit_init(priv, tb); ++ return nft_limit_init(priv, tb, false); + } + + static int nft_limit_bytes_dump(struct sk_buff *skb, +@@ -246,7 +256,7 @@ static int nft_limit_obj_pkts_init(const + struct nft_limit_pkts *priv = nft_obj_data(obj); + int err; + +- err = nft_limit_init(&priv->limit, tb); ++ err = nft_limit_init(&priv->limit, tb, true); + if (err < 0) + return err; + +@@ -289,7 +299,7 @@ static int nft_limit_obj_bytes_init(cons + { + struct nft_limit *priv = nft_obj_data(obj); + +- return nft_limit_init(priv, tb); ++ return nft_limit_init(priv, tb, false); + } + + static int nft_limit_obj_bytes_dump(struct sk_buff *skb, diff --git a/queue-4.14/perf-bpf-fix-null-return-handling-in-bpf__prepare_load.patch b/queue-4.14/perf-bpf-fix-null-return-handling-in-bpf__prepare_load.patch new file mode 100644 index 00000000000..7501f4f38cc --- /dev/null +++ b/queue-4.14/perf-bpf-fix-null-return-handling-in-bpf__prepare_load.patch @@ -0,0 +1,55 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: YueHaibing +Date: Fri, 11 May 2018 19:21:42 +0800 +Subject: perf bpf: Fix NULL return handling in bpf__prepare_load() + +From: YueHaibing + +[ Upstream commit ab4e32ff5aa797eaea551dbb67946e2fcb56cc7e ] + +bpf_object__open()/bpf_object__open_buffer can return error pointer or +NULL, check the return values with IS_ERR_OR_NULL() in bpf__prepare_load +and bpf__prepare_load_buffer + +Signed-off-by: YueHaibing +Acked-by: Daniel Borkmann +Cc: Alexander Shishkin +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: netdev@vger.kernel.org +Link: https://lkml.kernel.org/n/tip-psf4xwc09n62al2cb9s33v9h@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/bpf-loader.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/perf/util/bpf-loader.c ++++ b/tools/perf/util/bpf-loader.c +@@ -66,7 +66,7 @@ bpf__prepare_load_buffer(void *obj_buf, + } + + obj = bpf_object__open_buffer(obj_buf, obj_buf_sz, name); +- if (IS_ERR(obj)) { ++ if (IS_ERR_OR_NULL(obj)) { + pr_debug("bpf: failed to load buffer\n"); + return ERR_PTR(-EINVAL); + } +@@ -102,14 +102,14 @@ struct bpf_object *bpf__prepare_load(con + pr_debug("bpf: successfull builtin compilation\n"); + obj = bpf_object__open_buffer(obj_buf, obj_buf_sz, filename); + +- if (!IS_ERR(obj) && llvm_param.dump_obj) ++ if (!IS_ERR_OR_NULL(obj) && llvm_param.dump_obj) + llvm__dump_obj(filename, obj_buf, obj_buf_sz); + + free(obj_buf); + } else + obj = bpf_object__open(filename); + +- if (IS_ERR(obj)) { ++ if (IS_ERR_OR_NULL(obj)) { + pr_debug("bpf: failed to load %s\n", filename); + return obj; + } diff --git a/queue-4.14/perf-test-session-topology-dumps-core-on-s390.patch b/queue-4.14/perf-test-session-topology-dumps-core-on-s390.patch new file mode 100644 index 00000000000..ad019eee1b4 --- /dev/null +++ b/queue-4.14/perf-test-session-topology-dumps-core-on-s390.patch @@ -0,0 +1,118 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Thomas Richter +Date: Mon, 28 May 2018 09:36:57 +0200 +Subject: perf test: "Session topology" dumps core on s390 + +From: Thomas Richter + +[ Upstream commit d121109100bda84bbbb199dab97f9d56432ab235 ] + +The "perf test Session topology" entry fails with core dump on s390. The root +cause is a NULL pointer dereference in function check_cpu_topology() line 76 +(or line 82 without -v). + +The session->header.env.cpu variable is NULL because on s390 function +process_cpu_topology() returns with error: + + socket_id number is too big. + You may need to upgrade the perf tool. + +and releases the env.cpu variable via zfree() and sets it to NULL. + +Here is the gdb output: +(gdb) n +76 pr_debug("CPU %d, core %d, socket %d\n", i, +(gdb) n + +Program received signal SIGSEGV, Segmentation fault. +0x00000000010f4d9e in check_cpu_topology (path=0x3ffffffd6c8 + "/tmp/perf-test-J6CHMa", map=0x14a1740) at tests/topology.c:76 +76 pr_debug("CPU %d, core %d, socket %d\n", i, +(gdb) + +Make sure the env.cpu variable is not used when its NULL. +Test for NULL pointer and return TEST_SKIP if so. + +Output before: + + [root@p23lp27 perf]# ./perf test -F 39 + 39: Session topology :Segmentation fault (core dumped) + [root@p23lp27 perf]# + +Output after: + + [root@p23lp27 perf]# ./perf test -vF 39 + 39: Session topology : + --- start --- + templ file: /tmp/perf-test-Ajx59D + socket_id number is too big.You may need to upgrade the perf tool. + ---- end ---- + Session topology: Skip + [root@p23lp27 perf]# + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180528073657.11743-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/topology.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +--- a/tools/perf/tests/topology.c ++++ b/tools/perf/tests/topology.c +@@ -66,6 +66,27 @@ static int check_cpu_topology(char *path + session = perf_session__new(&file, false, NULL); + TEST_ASSERT_VAL("can't get session", session); + ++ /* On platforms with large numbers of CPUs process_cpu_topology() ++ * might issue an error while reading the perf.data file section ++ * HEADER_CPU_TOPOLOGY and the cpu_topology_map pointed to by member ++ * cpu is a NULL pointer. ++ * Example: On s390 ++ * CPU 0 is on core_id 0 and physical_package_id 6 ++ * CPU 1 is on core_id 1 and physical_package_id 3 ++ * ++ * Core_id and physical_package_id are platform and architecture ++ * dependend and might have higher numbers than the CPU id. ++ * This actually depends on the configuration. ++ * ++ * In this case process_cpu_topology() prints error message: ++ * "socket_id number is too big. You may need to upgrade the ++ * perf tool." ++ * ++ * This is the reason why this test might be skipped. ++ */ ++ if (!session->header.env.cpu) ++ return TEST_SKIP; ++ + for (i = 0; i < session->header.env.nr_cpus_avail; i++) { + if (!cpu_map__has(map, i)) + continue; +@@ -91,7 +112,7 @@ int test__session_topology(struct test * + { + char path[PATH_MAX]; + struct cpu_map *map; +- int ret = -1; ++ int ret = TEST_FAIL; + + TEST_ASSERT_VAL("can't get templ file", !get_temp(path)); + +@@ -106,12 +127,9 @@ int test__session_topology(struct test * + goto free_path; + } + +- if (check_cpu_topology(path, map)) +- goto free_map; +- ret = 0; +- +-free_map: ++ ret = check_cpu_topology(path, map); + cpu_map__put(map); ++ + free_path: + unlink(path); + return ret; diff --git a/queue-4.14/platform-x86-asus-wmi-fix-null-pointer-dereference.patch b/queue-4.14/platform-x86-asus-wmi-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..c62eff2d7cf --- /dev/null +++ b/queue-4.14/platform-x86-asus-wmi-fix-null-pointer-dereference.patch @@ -0,0 +1,122 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: "João Paulo Rechi Vita" +Date: Tue, 22 May 2018 14:30:15 -0700 +Subject: platform/x86: asus-wmi: Fix NULL pointer dereference + +From: "João Paulo Rechi Vita" + +[ Upstream commit 32ffd6e8d1f6cef94bedca15dfcdebdeb590499d ] + +Do not perform the rfkill cleanup routine when +(asus->driver->wlan_ctrl_by_user && ashs_present()) is true, since +nothing is registered with the rfkill subsystem in that case. Doing so +leads to the following kernel NULL pointer dereference: + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [] __mutex_lock_slowpath+0x98/0x120 + PGD 1a3aa8067 + PUD 1a3b3d067 + PMD 0 + + Oops: 0002 [#1] PREEMPT SMP + Modules linked in: bnep ccm binfmt_misc uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core hid_a4tech videodev x86_pkg_temp_thermal intel_powerclamp coretemp ath3k btusb btrtl btintel bluetooth kvm_intel snd_hda_codec_hdmi kvm snd_hda_codec_realtek snd_hda_codec_generic irqbypass crc32c_intel arc4 i915 snd_hda_intel snd_hda_codec ath9k ath9k_common ath9k_hw ath i2c_algo_bit snd_hwdep mac80211 ghash_clmulni_intel snd_hda_core snd_pcm snd_timer cfg80211 ehci_pci xhci_pci drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm xhci_hcd ehci_hcd asus_nb_wmi(-) asus_wmi sparse_keymap r8169 rfkill mxm_wmi serio_raw snd mii mei_me lpc_ich i2c_i801 video soundcore mei i2c_smbus wmi i2c_core mfd_core + CPU: 3 PID: 3275 Comm: modprobe Not tainted 4.9.34-gentoo #34 + Hardware name: ASUSTeK COMPUTER INC. K56CM/K56CM, BIOS K56CM.206 08/21/2012 + task: ffff8801a639ba00 task.stack: ffffc900014cc000 + RIP: 0010:[] [] __mutex_lock_slowpath+0x98/0x120 + RSP: 0018:ffffc900014cfce0 EFLAGS: 00010282 + RAX: 0000000000000000 RBX: ffff8801a54315b0 RCX: 00000000c0000100 + RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8801a54315b4 + RBP: ffffc900014cfd30 R08: 0000000000000000 R09: 0000000000000002 + R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801a54315b4 + R13: ffff8801a639ba00 R14: 00000000ffffffff R15: ffff8801a54315b8 + FS: 00007faa254fb700(0000) GS:ffff8801aef80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001a3b1b000 CR4: 00000000001406e0 + Stack: + ffff8801a54315b8 0000000000000000 ffffffff814733ae ffffc900014cfd28 + ffffffff8146a28c ffff8801a54315b0 0000000000000000 ffff8801a54315b0 + ffff8801a66f3820 0000000000000000 ffffc900014cfd48 ffffffff816c73e7 + Call Trace: + [] ? acpi_ut_release_mutex+0x5d/0x61 + [] ? acpi_ns_get_node+0x49/0x52 + [] mutex_lock+0x17/0x30 + [] asus_rfkill_hotplug+0x24/0x1a0 [asus_wmi] + [] asus_wmi_rfkill_exit+0x61/0x150 [asus_wmi] + [] asus_wmi_remove+0x61/0xb0 [asus_wmi] + [] platform_drv_remove+0x28/0x40 + [] __device_release_driver+0xa1/0x160 + [] device_release_driver+0x23/0x30 + [] bus_remove_device+0xfd/0x170 + [] device_del+0x139/0x270 + [] platform_device_del+0x28/0x90 + [] platform_device_unregister+0x12/0x30 + [] asus_wmi_unregister_driver+0x19/0x30 [asus_wmi] + [] asus_nb_wmi_exit+0x10/0xf26 [asus_nb_wmi] + [] SyS_delete_module+0x192/0x270 + [] ? exit_to_usermode_loop+0x92/0xa0 + [] entry_SYSCALL_64_fastpath+0x13/0x94 + Code: e8 5e 30 00 00 8b 03 83 f8 01 0f 84 93 00 00 00 48 8b 43 10 4c 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48> 89 20 4c 89 6c 24 10 eb 1d 4c 89 e7 49 c7 45 08 02 00 00 00 + RIP [] __mutex_lock_slowpath+0x98/0x120 + RSP + CR2: 0000000000000000 + ---[ end trace 8d484233fa7cb512 ]--- + note: modprobe[3275] exited with preempt_count 2 + +https://bugzilla.kernel.org/show_bug.cgi?id=196467 + +Reported-by: red.f0xyz@gmail.com +Signed-off-by: João Paulo Rechi Vita +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/asus-wmi.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -161,6 +161,16 @@ MODULE_LICENSE("GPL"); + + static const char * const ashs_ids[] = { "ATK4001", "ATK4002", NULL }; + ++static bool ashs_present(void) ++{ ++ int i = 0; ++ while (ashs_ids[i]) { ++ if (acpi_dev_found(ashs_ids[i++])) ++ return true; ++ } ++ return false; ++} ++ + struct bios_args { + u32 arg0; + u32 arg1; +@@ -962,6 +972,9 @@ static int asus_new_rfkill(struct asus_w + + static void asus_wmi_rfkill_exit(struct asus_wmi *asus) + { ++ if (asus->driver->wlan_ctrl_by_user && ashs_present()) ++ return; ++ + asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P5"); + asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P6"); + asus_unregister_rfkill_notifier(asus, "\\_SB.PCI0.P0P7"); +@@ -2058,16 +2071,6 @@ static int asus_wmi_fan_init(struct asus + return 0; + } + +-static bool ashs_present(void) +-{ +- int i = 0; +- while (ashs_ids[i]) { +- if (acpi_dev_found(ashs_ids[i++])) +- return true; +- } +- return false; +-} +- + /* + * WMI Driver + */ diff --git a/queue-4.14/s390-dasd-use-blk_mq_rq_from_pdu-for-per-request-data.patch b/queue-4.14/s390-dasd-use-blk_mq_rq_from_pdu-for-per-request-data.patch new file mode 100644 index 00000000000..98aff1f76fa --- /dev/null +++ b/queue-4.14/s390-dasd-use-blk_mq_rq_from_pdu-for-per-request-data.patch @@ -0,0 +1,103 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Sebastian Ott +Date: Tue, 15 May 2018 14:05:13 +0200 +Subject: s390/dasd: use blk_mq_rq_from_pdu for per request data + +From: Sebastian Ott + +[ Upstream commit f0f59a2fab8e52b9d582b39da39f22230ca80aee ] + +Dasd uses completion_data from struct request to store per request +private data - this is problematic since this member is part of a +union which is also used by IO schedulers. +Let the block layer maintain space for per request data behind each +struct request. + +Fixes crashes on block layer timeouts like this one: + +Unable to handle kernel pointer dereference in virtual kernel address space +Failing address: 0000000000000000 TEID: 0000000000000483 +Fault in home space mode while using kernel ASCE. +AS:0000000001308007 R3:00000000fffc8007 S:00000000fffcc000 P:000000000000013d +Oops: 0004 ilc:2 [#1] PREEMPT SMP +Modules linked in: [...] +CPU: 0 PID: 1480 Comm: kworker/0:2H Not tainted 4.17.0-rc4-00046-gaa3bcd43b5af #203 +Hardware name: IBM 3906 M02 702 (LPAR) +Workqueue: kblockd blk_mq_timeout_work +Krnl PSW : 0000000067ac406b 00000000b6960308 (do_raw_spin_trylock+0x30/0x78) + R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 +Krnl GPRS: 0000000000000c00 0000000000000000 0000000000000000 0000000000000001 + 0000000000b9d3c8 0000000000000000 0000000000000001 00000000cf9639d8 + 0000000000000000 0700000000000000 0000000000000000 000000000099f09e + 0000000000000000 000000000076e9d0 000000006247bb08 000000006247bae0 +Krnl Code: 00000000001c159c: b90400c2 lgr %r12,%r2 + 00000000001c15a0: a7180000 lhi %r1,0 + #00000000001c15a4: 583003a4 l %r3,932 + >00000000001c15a8: ba132000 cs %r1,%r3,0(%r2) + 00000000001c15ac: a7180001 lhi %r1,1 + 00000000001c15b0: a784000b brc 8,1c15c6 + 00000000001c15b4: c0e5004e72aa brasl %r14,b8fb08 + 00000000001c15ba: 1812 lr %r1,%r2 +Call Trace: +([<0700000000000000>] 0x700000000000000) + [<0000000000b9d3d2>] _raw_spin_lock_irqsave+0x7a/0xb8 + [<000000000099f09e>] dasd_times_out+0x46/0x278 + [<000000000076ea6e>] blk_mq_terminate_expired+0x9e/0x108 + [<000000000077497a>] bt_for_each+0x102/0x130 + [<0000000000774e54>] blk_mq_queue_tag_busy_iter+0x74/0xd8 + [<000000000076fea0>] blk_mq_timeout_work+0x260/0x320 + [<0000000000169dd4>] process_one_work+0x3bc/0x708 + [<000000000016a382>] worker_thread+0x262/0x408 + [<00000000001723a8>] kthread+0x160/0x178 + [<0000000000b9e73a>] kernel_thread_starter+0x6/0xc + [<0000000000b9e734>] kernel_thread_starter+0x0/0xc +INFO: lockdep is turned off. +Last Breaking-Event-Address: + [<0000000000b9d3cc>] _raw_spin_lock_irqsave+0x74/0xb8 + +Kernel panic - not syncing: Fatal exception: panic_on_oops + +Signed-off-by: Sebastian Ott +Reviewed-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -3049,7 +3049,8 @@ static blk_status_t do_dasd_request(stru + cqr->callback_data = req; + cqr->status = DASD_CQR_FILLED; + cqr->dq = dq; +- req->completion_data = cqr; ++ *((struct dasd_ccw_req **) blk_mq_rq_to_pdu(req)) = cqr; ++ + blk_mq_start_request(req); + spin_lock(&block->queue_lock); + list_add_tail(&cqr->blocklist, &block->ccw_queue); +@@ -3073,12 +3074,13 @@ out: + */ + enum blk_eh_timer_return dasd_times_out(struct request *req, bool reserved) + { +- struct dasd_ccw_req *cqr = req->completion_data; + struct dasd_block *block = req->q->queuedata; + struct dasd_device *device; ++ struct dasd_ccw_req *cqr; + unsigned long flags; + int rc = 0; + ++ cqr = *((struct dasd_ccw_req **) blk_mq_rq_to_pdu(req)); + if (!cqr) + return BLK_EH_NOT_HANDLED; + +@@ -3184,6 +3186,7 @@ static int dasd_alloc_queue(struct dasd_ + int rc; + + block->tag_set.ops = &dasd_mq_ops; ++ block->tag_set.cmd_size = sizeof(struct dasd_ccw_req *); + block->tag_set.nr_hw_queues = DASD_NR_HW_QUEUES; + block->tag_set.queue_depth = DASD_MAX_LCU_DEV * DASD_REQ_PER_DEV; + block->tag_set.flags = BLK_MQ_F_SHOULD_MERGE; diff --git a/queue-4.14/sched-core-fix-rules-for-running-on-online-active-cpus.patch b/queue-4.14/sched-core-fix-rules-for-running-on-online-active-cpus.patch new file mode 100644 index 00000000000..ea530c65d16 --- /dev/null +++ b/queue-4.14/sched-core-fix-rules-for-running-on-online-active-cpus.patch @@ -0,0 +1,102 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Peter Zijlstra +Date: Tue, 25 Jul 2017 18:58:21 +0200 +Subject: sched/core: Fix rules for running on online && !active CPUs + +From: Peter Zijlstra + +[ Upstream commit 175f0e25abeaa2218d431141ce19cf1de70fa82d ] + +As already enforced by the WARN() in __set_cpus_allowed_ptr(), the rules +for running on an online && !active CPU are stricter than just being a +kthread, you need to be a per-cpu kthread. + +If you're not strictly per-CPU, you have better CPUs to run on and +don't need the partially booted one to get your work done. + +The exception is to allow smpboot threads to bootstrap the CPU itself +and get kernel 'services' initialized before we allow userspace on it. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Tejun Heo +Cc: Thomas Gleixner +Fixes: 955dbdf4ce87 ("sched: Allow migrating kthreads into online but inactive CPUs") +Link: http://lkml.kernel.org/r/20170725165821.cejhb7v2s3kecems@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 42 ++++++++++++++++++++++++++++++------------ + 1 file changed, 30 insertions(+), 12 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -894,6 +894,33 @@ void check_preempt_curr(struct rq *rq, s + } + + #ifdef CONFIG_SMP ++ ++static inline bool is_per_cpu_kthread(struct task_struct *p) ++{ ++ if (!(p->flags & PF_KTHREAD)) ++ return false; ++ ++ if (p->nr_cpus_allowed != 1) ++ return false; ++ ++ return true; ++} ++ ++/* ++ * Per-CPU kthreads are allowed to run on !actie && online CPUs, see ++ * __set_cpus_allowed_ptr() and select_fallback_rq(). ++ */ ++static inline bool is_cpu_allowed(struct task_struct *p, int cpu) ++{ ++ if (!cpumask_test_cpu(cpu, &p->cpus_allowed)) ++ return false; ++ ++ if (is_per_cpu_kthread(p)) ++ return cpu_online(cpu); ++ ++ return cpu_active(cpu); ++} ++ + /* + * This is how migration works: + * +@@ -951,16 +978,8 @@ struct migration_arg { + static struct rq *__migrate_task(struct rq *rq, struct rq_flags *rf, + struct task_struct *p, int dest_cpu) + { +- if (p->flags & PF_KTHREAD) { +- if (unlikely(!cpu_online(dest_cpu))) +- return rq; +- } else { +- if (unlikely(!cpu_active(dest_cpu))) +- return rq; +- } +- + /* Affinity changed (again). */ +- if (!cpumask_test_cpu(dest_cpu, &p->cpus_allowed)) ++ if (!is_cpu_allowed(p, dest_cpu)) + return rq; + + update_rq_clock(rq); +@@ -1489,10 +1508,9 @@ static int select_fallback_rq(int cpu, s + for (;;) { + /* Any allowed, online CPU? */ + for_each_cpu(dest_cpu, &p->cpus_allowed) { +- if (!(p->flags & PF_KTHREAD) && !cpu_active(dest_cpu)) +- continue; +- if (!cpu_online(dest_cpu)) ++ if (!is_cpu_allowed(p, dest_cpu)) + continue; ++ + goto out; + } + diff --git a/queue-4.14/sched-core-require-cpu_active-in-select_task_rq-for-user-tasks.patch b/queue-4.14/sched-core-require-cpu_active-in-select_task_rq-for-user-tasks.patch new file mode 100644 index 00000000000..47a8d2fb57c --- /dev/null +++ b/queue-4.14/sched-core-require-cpu_active-in-select_task_rq-for-user-tasks.patch @@ -0,0 +1,103 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Paul Burton +Date: Sat, 26 May 2018 08:46:47 -0700 +Subject: sched/core: Require cpu_active() in select_task_rq(), for user tasks + +From: Paul Burton + +[ Upstream commit 7af443ee1697607541c6346c87385adab2214743 ] + +select_task_rq() is used in a few paths to select the CPU upon which a +thread should be run - for example it is used by try_to_wake_up() & by +fork or exec balancing. As-is it allows use of any online CPU that is +present in the task's cpus_allowed mask. + +This presents a problem because there is a period whilst CPUs are +brought online where a CPU is marked online, but is not yet fully +initialized - ie. the period where CPUHP_AP_ONLINE_IDLE <= state < +CPUHP_ONLINE. Usually we don't run any user tasks during this window, +but there are corner cases where this can happen. An example observed +is: + + - Some user task A, running on CPU X, forks to create task B. + + - sched_fork() calls __set_task_cpu() with cpu=X, setting task B's + task_struct::cpu field to X. + + - CPU X is offlined. + + - Task A, currently somewhere between the __set_task_cpu() in + copy_process() and the call to wake_up_new_task(), is migrated to + CPU Y by migrate_tasks() when CPU X is offlined. + + - CPU X is onlined, but still in the CPUHP_AP_ONLINE_IDLE state. The + scheduler is now active on CPU X, but there are no user tasks on + the runqueue. + + - Task A runs on CPU Y & reaches wake_up_new_task(). This calls + select_task_rq() with cpu=X, taken from task B's task_struct, + and select_task_rq() allows CPU X to be returned. + + - Task A enqueues task B on CPU X's runqueue, via activate_task() & + enqueue_task(). + + - CPU X now has a user task on its runqueue before it has reached the + CPUHP_ONLINE state. + +In most cases, the user tasks that schedule on the newly onlined CPU +have no idea that anything went wrong, but one case observed to be +problematic is if the task goes on to invoke the sched_setaffinity +syscall. The newly onlined CPU reaches the CPUHP_AP_ONLINE_IDLE state +before the CPU that brought it online calls stop_machine_unpark(). This +means that for a portion of the window of time between +CPUHP_AP_ONLINE_IDLE & CPUHP_ONLINE the newly onlined CPU's struct +cpu_stopper has its enabled field set to false. If a user thread is +executed on the CPU during this window and it invokes sched_setaffinity +with a CPU mask that does not include the CPU it's running on, then when +__set_cpus_allowed_ptr() calls stop_one_cpu() intending to invoke +migration_cpu_stop() and perform the actual migration away from the CPU +it will simply return -ENOENT rather than calling migration_cpu_stop(). +We then return from the sched_setaffinity syscall back to the user task +that is now running on a CPU which it just asked not to run on, and +which is not present in its cpus_allowed mask. + +This patch resolves the problem by having select_task_rq() enforce that +user tasks run on CPUs that are active - the same requirement that +select_fallback_rq() already enforces. This should ensure that newly +onlined CPUs reach the CPUHP_AP_ACTIVE state before being able to +schedule user tasks, and also implies that bringup_wait_for_ap() will +have called stop_machine_unpark() which resolves the sched_setaffinity +issue above. + +I haven't yet investigated them, but it may be of interest to review +whether any of the actions performed by hotplug states between +CPUHP_AP_ONLINE_IDLE & CPUHP_AP_ACTIVE could have similar unintended +effects on user tasks that might schedule before they are reached, which +might widen the scope of the problem from just affecting the behaviour +of sched_setaffinity. + +Signed-off-by: Paul Burton +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180526154648.11635-2-paul.burton@mips.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -1573,8 +1573,7 @@ int select_task_rq(struct task_struct *p + * [ this allows ->select_task() to simply return task_cpu(p) and + * not worry about this generic constraint ] + */ +- if (unlikely(!cpumask_test_cpu(cpu, &p->cpus_allowed) || +- !cpu_online(cpu))) ++ if (unlikely(!is_cpu_allowed(p, cpu))) + cpu = select_fallback_rq(task_cpu(p), p); + + return cpu; diff --git a/queue-4.14/series b/queue-4.14/series index 13d300c0c6b..6000530918d 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -40,3 +40,22 @@ md-remove-special-meaning-of-quiesce-..-2.patch netfilter-don-t-set-f_iface-on-ipv6-fib-lookups.patch netfilter-ip6t_rpfilter-provide-input-interface-for-route-lookup.patch netfilter-nf_tables-use-warn_on_once-instead-of-bug_on-in-nft_do_chain.patch +arm-dts-imx6q-use-correct-sdma-script-for-spi5-core.patch +mtd-rawnand-fix-return-value-check-for-bad-block-status.patch +xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch +afs-fix-directory-permissions-check.patch +netfilter-ebtables-handle-string-from-userspace-with-care.patch +s390-dasd-use-blk_mq_rq_from_pdu-for-per-request-data.patch +netfilter-nft_limit-fix-packet-ratelimiting.patch +ipvs-fix-buffer-overflow-with-sync-daemon-and-service.patch +iwlwifi-pcie-compare-with-number-of-irqs-requested-for-not-number-of-cpus.patch +atm-zatm-fix-memcmp-casting.patch +net-qmi_wwan-add-netgear-aircard-779s.patch +perf-test-session-topology-dumps-core-on-s390.patch +perf-bpf-fix-null-return-handling-in-bpf__prepare_load.patch +fs-clear-writeback-errors-in-inode_init_always.patch +sched-core-fix-rules-for-running-on-online-active-cpus.patch +sched-core-require-cpu_active-in-select_task_rq-for-user-tasks.patch +platform-x86-asus-wmi-fix-null-pointer-dereference.patch +net-sonic-use-dma_mapping_error.patch +net-dsa-b53-add-bcm5389-support.patch diff --git a/queue-4.14/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch b/queue-4.14/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch new file mode 100644 index 00000000000..29bd1c0461b --- /dev/null +++ b/queue-4.14/xfrm6-avoid-potential-infinite-loop-in-_decode_session6.patch @@ -0,0 +1,97 @@ +From foo@baz Thu Jul 5 20:15:13 CEST 2018 +From: Eric Dumazet +Date: Sat, 12 May 2018 02:49:30 -0700 +Subject: xfrm6: avoid potential infinite loop in _decode_session6() + +From: Eric Dumazet + +[ Upstream commit d9f92772e8ec388d070752ee8f187ef8fa18621f ] + +syzbot found a way to trigger an infinitie loop by overflowing +@offset variable that has been forced to use u16 for some very +obscure reason in the past. + +We probably want to look at NEXTHDR_FRAGMENT handling which looks +wrong, in a separate patch. + +In net-next, we shall try to use skb_header_pointer() instead of +pskb_may_pull(). + +watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553] +Modules linked in: +irq event stamp: 13885653 +hardirqs last enabled at (13885652): [] restore_regs_and_return_to_kernel+0x0/0x2b +hardirqs last disabled at (13885653): [] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625 +softirqs last enabled at (13614028): [] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline] +softirqs last enabled at (13614028): [] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825 +softirqs last disabled at (13614032): [] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942 +CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline] +RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101 +RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 +RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006 +RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277 +RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8 +R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f +R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8 +FS: 0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150 + __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368 + xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline] + icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372 + icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551 + icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43 + ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305 + NF_HOOK include/linux/netfilter.h:288 [inline] + ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327 + dst_input include/net/dst.h:450 [inline] + ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71 + NF_HOOK include/linux/netfilter.h:288 [inline] + ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208 + __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711 + netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785 + napi_frags_finish net/core/dev.c:5226 [inline] + napi_gro_frags+0x631/0xc40 net/core/dev.c:5299 + tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951 + tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996 + call_write_iter include/linux/fs.h:1784 [inline] + do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680 + do_iter_write+0x185/0x5f0 fs/read_write.c:959 + vfs_writev+0x1c7/0x330 fs/read_write.c:1004 + do_writev+0x112/0x2f0 fs/read_write.c:1039 + __do_sys_writev fs/read_write.c:1112 [inline] + __se_sys_writev fs/read_write.c:1109 [inline] + __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109 + do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: Steffen Klassert +Cc: Nicolas Dichtel +Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/xfrm6_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -123,7 +123,7 @@ _decode_session6(struct sk_buff *skb, st + struct flowi6 *fl6 = &fl->u.ip6; + int onlyproto = 0; + const struct ipv6hdr *hdr = ipv6_hdr(skb); +- u16 offset = sizeof(*hdr); ++ u32 offset = sizeof(*hdr); + struct ipv6_opt_hdr *exthdr; + const unsigned char *nh = skb_network_header(skb); + u16 nhoff = IP6CB(skb)->nhoff;