From: Greg Kroah-Hartman Date: Fri, 9 Sep 2016 14:36:19 +0000 (+0200) Subject: 3.14-stable patches X-Git-Tag: v3.14.79~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5525329ca318567225eac8a9a1ff3214c82185bb;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: fix-d_walk-non-delayed-__d_free-race.patch mm-thp-fix-smp-race-condition-between-thp-page-fault-and-madv_dontneed.patch rds-fix-an-infoleak-in-rds_inc_info_copy.patch s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch staging-comedi-ni_mio_common-fix-wrong-insn_write-handler.patch --- diff --git a/queue-3.14/fix-d_walk-non-delayed-__d_free-race.patch b/queue-3.14/fix-d_walk-non-delayed-__d_free-race.patch new file mode 100644 index 00000000000..75609629313 --- /dev/null +++ b/queue-3.14/fix-d_walk-non-delayed-__d_free-race.patch 
@@ -0,0 +1,72 @@ +From w@1wt.eu Fri Sep 9 16:26:43 2016 +From: Willy Tarreau +Date: Sat, 27 Aug 2016 11:31:35 +0200 +Subject: fix d_walk()/non-delayed __d_free() race +To: Greg Kroah-Hartman , Jiri Slaby +Cc: Jari Ruusu , linux-kernel@vger.kernel.org, stable@vger.kernel.org, Al Viro , Ben Hutchings +Message-ID: <20160827093135.GA28378@1wt.eu> +Content-Disposition: inline + +From: Willy Tarreau + +I checked Jari's explanation below and found that v3.14.77 and v3.12.62 +are missing the same fix as 3.10. In fact Al's original commit 3d56c25 +("fix d_walk()/non-delayed __d_free() race") used to mention to check +this __d_materialise_dentry() function in the Cc: stable line, but this +got lost during the backports. + +Normally all of our 3 kernels need to apply the following patch that +Ben correctly put in 3.16 and 3.2. I'm fixing the backport in 3.10.103 +right now. + +On Mon, Aug 22, 2016 at 04:56:57PM +0300, Jari Ruusu wrote: +> This patch for 3.10 branch appears to be missing one important +> +> + dentry->d_flags |= DCACHE_RCUACCESS; +> +> in fs/dcache.c __d_materialise_dentry() function. When Ben Hutchings +> backported Al Viro's original fix to stable branches that he maintains, +> he added that one additional line to both 3.2 and 3.16 branches. Please +> consider including that additional one line fix for 3.10 stable branch +> also. 
+> +> +> Ben Hutchings said this on his 3.2.82-rc1 patch: +> [bwh: Backported to 3.2: +> - Adjust context +> - Also set the flag in __d_materialise_dentry())] +> +> http://marc.info/?l=linux-kernel&m=147117565612275&w=2 +> +> +> Ben Hutchings said this on his 3.16.37-rc1 patch: +> [bwh: Backported to 3.16: +> - Adjust context +> - Also set the flag in __d_materialise_dentry())] +> +> http://marc.info/?l=linux-kernel&m=147117433412006&w=2 +> +> +> Also mentioned by Sasha Levin on 3.18 and 4.1 commits: +> Cc: stable@vger.kernel.org # v3.2+ (and watch out for __d_materialise_dentry()) +> +> http://marc.info/?l=linux-stable-commits&m=146648034410827&w=2 +> http://marc.info/?l=linux-stable-commits&m=146647471009771&w=2 + + +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dcache.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2652,6 +2652,7 @@ static void __d_materialise_dentry(struc + switch_names(dentry, anon); + swap(dentry->d_name.hash, anon->d_name.hash); + ++ dentry->d_flags |= DCACHE_RCUACCESS; + dentry->d_parent = dentry; + list_del_init(&dentry->d_child); + anon->d_parent = dparent; diff --git a/queue-3.14/mm-thp-fix-smp-race-condition-between-thp-page-fault-and-madv_dontneed.patch b/queue-3.14/mm-thp-fix-smp-race-condition-between-thp-page-fault-and-madv_dontneed.patch new file mode 100644 index 00000000000..02f47e56b89 --- /dev/null +++ b/queue-3.14/mm-thp-fix-smp-race-condition-between-thp-page-fault-and-madv_dontneed.patch 
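Review bot: This patch carries no Signed-off-by from Willy Tarreau and no "commit ... upstream." reference line, unlike the other four patches in this queue; only the prose mentions Al Viro's commit 3d56c25 ("fix d_walk()/non-delayed __d_free() race"). Add the author's sign-off and the full upstream commit id so the 3.14 backport records where the one-line hunk comes from. The hunk itself matches the [bwh] notes quoted above: `dentry->d_flags |= DCACHE_RCUACCESS;` is set in __d_materialise_dentry() before the dentry is re-parented, so a later __d_free() of that dentry is RCU-delayed and cannot race a concurrent d_walk(), which is the race the subject line names.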
@@ -0,0 +1,64 @@ +From ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 Mon Sep 17 00:00:00 2001 +From: Andrea Arcangeli +Date: Fri, 26 Feb 2016 15:19:28 -0800 +Subject: mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED + +From: Andrea Arcangeli + +commit ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 upstream. + +pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were +introduced to locklessy (but atomically) detect when a pmd is a regular +(stable) pmd or when the pmd is unstable and can infinitely transition +from pmd_none() and pmd_trans_huge() from under us, while only holding +the mmap_sem for reading (for writing not). + +While holding the mmap_sem only for reading, MADV_DONTNEED can run from +under us and so before we can assume the pmd to be a regular stable pmd +we need to compare it against pmd_none() and pmd_trans_huge() in an +atomic way, with pmd_trans_unstable(). The old pmd_trans_huge() left a +tiny window for a race. + +Useful applications are unlikely to notice the difference as doing +MADV_DONTNEED concurrently with a page fault would lead to undefined +behavior. + +[js] 3.12 backport: no pmd_devmap in 3.12 yet. + +[akpm@linux-foundation.org: tidy up comment grammar/layout] +Signed-off-by: Andrea Arcangeli +Reported-by: Kirill A. Shutemov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Cc: Vlastimil Babka +Signed-off-by: Jiri Slaby +Signed-off-by: Greg Kroah-Hartman + + +--- + mm/memory.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3770,8 +3770,18 @@ static int __handle_mm_fault(struct mm_s + if (unlikely(pmd_none(*pmd)) && + unlikely(__pte_alloc(mm, vma, pmd, address))) + return VM_FAULT_OOM; +- /* if an huge pmd materialized from under us just retry later */ +- if (unlikely(pmd_trans_huge(*pmd))) ++ /* ++ * If a huge pmd materialized under us just retry later. 
Use ++ * pmd_trans_unstable() instead of pmd_trans_huge() to ensure the pmd ++ * didn't become pmd_trans_huge under us and then back to pmd_none, as ++ * a result of MADV_DONTNEED running immediately after a huge pmd fault ++ * in a different thread of this mm, in turn leading to a misleading ++ * pmd_trans_huge() retval. All we have to ensure is that it is a ++ * regular pmd that we can walk with pte_offset_map() and we can do that ++ * through an atomic read in C, which is what pmd_trans_unstable() ++ * provides. ++ */ ++ if (unlikely(pmd_trans_unstable(pmd))) + return 0; + /* + * A regular pmd is established and it can't morph into a huge pmd diff --git a/queue-3.14/rds-fix-an-infoleak-in-rds_inc_info_copy.patch b/queue-3.14/rds-fix-an-infoleak-in-rds_inc_info_copy.patch new file mode 100644 index 00000000000..77c9d2dec73 --- /dev/null +++ b/queue-3.14/rds-fix-an-infoleak-in-rds_inc_info_copy.patch @@ -0,0 +1,33 @@ +From 4116def2337991b39919f3b448326e21c40e0dbb Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 2 Jun 2016 04:11:20 -0400 +Subject: rds: fix an infoleak in rds_inc_info_copy + +From: Kangjie Lu + +commit 4116def2337991b39919f3b448326e21c40e0dbb upstream. + +The last field "flags" of object "minfo" is not initialized. +Copying this object out may leak kernel stack data. +Assign 0 to it to avoid leak. + +Signed-off-by: Kangjie Lu +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Juerg Haefliger +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/recv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -543,5 +543,7 @@ void rds_inc_info_copy(struct rds_incomi + minfo.fport = inc->i_hdr.h_dport; + } + ++ minfo.flags = 0; ++ + rds_info_copy(iter, &minfo, sizeof(minfo)); + } 
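Review bot: The backport note "[js] 3.12 backport: no pmd_devmap in 3.12 yet." was inherited from the 3.12 tree, but this patch sits in queue-3.14; either reword the note for 3.14 or drop it so the 3.14 changelog does not point at the wrong branch. In the hunk the argument changes from `*pmd` to `pmd`, which is correct because pmd_trans_unstable() takes the pmd pointer so it can read the entry atomically, as the new comment explains. The long comment is worth keeping: the reason for preferring pmd_trans_unstable() over pmd_trans_huge() is subtle (a pmd that went huge and then back to none under MADV_DONTNEED with only the read side of mmap_sem held), and returning 0 here simply retries the fault rather than walking a pmd that may no longer be a regular one.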
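Review bot: Zeroing only `minfo.flags` closes the leak the commit message describes, but it is fragile: any field later added to the struct behind minfo, or any padding between its fields, would again be copied out uninitialised by rds_info_copy(). Consider `memset(&minfo, 0, sizeof(minfo));` at the declaration of minfo (not visible in this hunk) in addition to the per-field assignments; a memset also covers padding bytes, which a brace initialiser does not guarantee. The added blank line after the assignment matches the surrounding style.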
diff --git a/queue-3.14/s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch b/queue-3.14/s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch new file mode 100644 index 00000000000..8ceb66b4baa --- /dev/null +++ b/queue-3.14/s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch 
@@ -0,0 +1,57 @@ +From 532c34b5fbf1687df63b3fcd5b2846312ac943c6 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Mon, 25 Apr 2016 17:54:28 +0200 +Subject: s390/sclp_ctl: fix potential information leak with /dev/sclp + +From: Martin Schwidefsky + +commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream. + +The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to +retrieve the sclp request from user space. The first copy_from_user +fetches the length of the request which is stored in the first two +bytes of the request. The second copy_from_user gets the complete +sclp request, but this copies the length field a second time. +A malicious user may have changed the length in the meantime. + +Reported-by: Pengfei Wang +Reviewed-by: Michael Holzheu +Signed-off-by: Martin Schwidefsky +Signed-off-by: Juerg Haefliger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/char/sclp_ctl.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/s390/char/sclp_ctl.c ++++ b/drivers/s390/char/sclp_ctl.c +@@ -56,6 +56,7 @@ static int sclp_ctl_ioctl_sccb(void __us + { + struct sclp_ctl_sccb ctl_sccb; + struct sccb_header *sccb; ++ unsigned long copied; + int rc; + + if (copy_from_user(&ctl_sccb, user_area, sizeof(ctl_sccb))) +@@ -65,14 +66,15 @@ static int sclp_ctl_ioctl_sccb(void __us + sccb = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA); + if (!sccb) + return -ENOMEM; +- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sizeof(*sccb))) { ++ copied = PAGE_SIZE - ++ copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), PAGE_SIZE); ++ if (offsetof(struct sccb_header, length) + ++ sizeof(sccb->length) > copied || sccb->length > copied) { + rc = -EFAULT; + goto out_free; + } +- if (sccb->length > PAGE_SIZE || sccb->length < 8) +- return -EINVAL; +- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sccb->length)) { +- rc = -EFAULT; ++ if (sccb->length < 8) { ++ rc = -EINVAL; + goto out_free; + } + rc = 
sclp_sync_request(ctl_sccb.cmdw, sccb); diff --git a/queue-3.14/series b/queue-3.14/series index 3566af00f1d..e2ca974f46e 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -4,3 +4,8 @@ hid-hid-input-add-parentheses-to-quell-gcc-warning.patch alsa-oxygen-fix-logical-not-parentheses-warning.patch stb6100-fix-buffer-length-check-in-stb6100_write_reg_range.patch ext4-validate-that-metadata-blocks-do-not-overlap-superblock.patch +staging-comedi-ni_mio_common-fix-wrong-insn_write-handler.patch +rds-fix-an-infoleak-in-rds_inc_info_copy.patch +s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch +fix-d_walk-non-delayed-__d_free-race.patch +mm-thp-fix-smp-race-condition-between-thp-page-fault-and-madv_dontneed.patch diff --git a/queue-3.14/staging-comedi-ni_mio_common-fix-wrong-insn_write-handler.patch b/queue-3.14/staging-comedi-ni_mio_common-fix-wrong-insn_write-handler.patch new file mode 100644 index 00000000000..0929320a088 --- /dev/null +++ b/queue-3.14/staging-comedi-ni_mio_common-fix-wrong-insn_write-handler.patch 
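Review bot: The second hunk changes the -EINVAL path from `return -EINVAL;` to `rc = -EINVAL; goto out_free;`, which also fixes a leak of the page obtained from get_zeroed_page() on the old `sccb->length > PAGE_SIZE || sccb->length < 8` path; that deserves a sentence in the commit message since it is a separate bug from the double fetch. On the double fetch itself the new logic is sound: the request is copied exactly once (PAGE_SIZE bytes into a zeroed page), `copied` is derived from the uncopied-byte count that copy_from_user() returns, the length field is read only after checking `offsetof(struct sccb_header, length) + sizeof(sccb->length) <= copied`, and `sccb->length > copied` replaces the old `> PAGE_SIZE` bound because copied can never exceed PAGE_SIZE. Bytes beyond `copied` are zero from get_zeroed_page(), so a short copy cannot hand stale page contents to sclp_sync_request().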
@@ -0,0 +1,36 @@ +From abbotti@mev.co.uk Fri Sep 9 16:17:25 2016 +From: Ian Abbott +Date: Wed, 7 Sep 2016 15:33:12 +0100 +Subject: staging: comedi: ni_mio_common: fix wrong insn_write handler +To: stable@vger.kernel.org +Cc: Greg Kroah-Hartman , Ben Hutchings , Ian Abbott +Message-ID: <20160907143312.19224-1-abbotti@mev.co.uk> + +From: Ian Abbott + +commit 5ca05345c56cb979e1a25ab6146437002f95cac8 upstream. + +For counter subdevices, the `s->insn_write` handler is being set to the +wrong function, `ni_tio_insn_read()`. It should be +`ni_tio_insn_write()`. + +Signed-off-by: Ian Abbott +Reported-by: Éric Piel +Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a proper comedi (*insn_write)") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/ni_mio_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/comedi/drivers/ni_mio_common.c ++++ b/drivers/staging/comedi/drivers/ni_mio_common.c +@@ -4404,7 +4404,7 @@ static int ni_E_init(struct comedi_devic + else + s->maxdata = 0xffffff; + s->insn_read = ni_tio_insn_read; +- s->insn_write = ni_tio_insn_read; ++ s->insn_write = ni_tio_insn_write; + s->insn_config = ni_tio_insn_config; + #ifdef PCIDMA + s->subdev_flags |= SDF_CMD_READ /* | SDF_CMD_WRITE */;
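Review bot: The one-line fix looks right: the preceding context line `s->insn_read = ni_tio_insn_read;` shows the copy-and-paste origin of the wrong assignment, and the Fixes: tag names the commit that introduced it, which is what the stable tooling needs. With the read handler wired to insn_write, a write to a counter subdevice would have been serviced by the read path; the patch restores `ni_tio_insn_write`. Nothing else in the surrounding ni_E_init() context changes.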