From: Greg Kroah-Hartman Date: Sun, 16 Sep 2018 12:31:14 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.18.9~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ac3d73f07c25d0fc065f7815c636e3db4fa0b59;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: android-binder-fix-the-race-mmap-and-alloc_new_buf_locked.patch block-bfq-swap-puts-in-bfqg_and_blkg_put.patch btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch i2c-i801-fix-dnv-s-smbctrl-register-offset.patch i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch mips-vdso-match-data-page-cache-colouring-when-d-aliases.patch nbd-don-t-allow-invalid-blocksize-settings.patch scsi-lpfc-correct-mds-diag-and-nvmet-configuration.patch smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch smb3-check-for-and-properly-advertise-directory-lease-support.patch --- diff --git a/queue-4.14/android-binder-fix-the-race-mmap-and-alloc_new_buf_locked.patch b/queue-4.14/android-binder-fix-the-race-mmap-and-alloc_new_buf_locked.patch new file mode 100644 index 00000000000..97fcdbc2bed --- /dev/null +++ b/queue-4.14/android-binder-fix-the-race-mmap-and-alloc_new_buf_locked.patch 
@@ -0,0 +1,180 @@ +From da1b9564e85b1d7baf66cbfabcab27e183a1db63 Mon Sep 17 00:00:00 2001 +From: Minchan Kim +Date: Thu, 23 Aug 2018 14:29:56 +0900 +Subject: android: binder: fix the race mmap and alloc_new_buf_locked + +From: Minchan Kim + +commit da1b9564e85b1d7baf66cbfabcab27e183a1db63 upstream. + +There is RaceFuzzer report like below because we have no lock to close +below the race between binder_mmap and binder_alloc_new_buf_locked. +To close the race, let's use memory barrier so that if someone see +alloc->vma is not NULL, alloc->vma_vm_mm should be never NULL. + +(I didn't add stable mark intentionallybecause standard android +userspace libraries that interact with binder (libbinder & libhwbinder) +prevent the mmap/ioctl race. - from Todd) + +" +Thread interleaving: +CPU0 (binder_alloc_mmap_handler) CPU1 (binder_alloc_new_buf_locked) +===== ===== +// drivers/android/binder_alloc.c +// #L718 (v4.18-rc3) +alloc->vma = vma; + // drivers/android/binder_alloc.c + // #L346 (v4.18-rc3) + if (alloc->vma == NULL) { + ... + // alloc->vma is not NULL at this point + return ERR_PTR(-ESRCH); + } + ... 
+ // #L438 + binder_update_page_range(alloc, 0, + (void *)PAGE_ALIGN((uintptr_t)buffer->data), + end_page_addr); + + // In binder_update_page_range() #L218 + // But still alloc->vma_vm_mm is NULL here + if (need_mm && mmget_not_zero(alloc->vma_vm_mm)) +alloc->vma_vm_mm = vma->vm_mm; + +Crash Log: +================================================================== +BUG: KASAN: null-ptr-deref in __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline] +BUG: KASAN: null-ptr-deref in atomic_add_unless include/linux/atomic.h:533 [inline] +BUG: KASAN: null-ptr-deref in mmget_not_zero include/linux/sched/mm.h:75 [inline] +BUG: KASAN: null-ptr-deref in binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218 +Write of size 4 at addr 0000000000000058 by task syz-executor0/11184 + +CPU: 1 PID: 11184 Comm: syz-executor0 Not tainted 4.18.0-rc3 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x16e/0x22c lib/dump_stack.c:113 + kasan_report_error mm/kasan/report.c:352 [inline] + kasan_report+0x163/0x380 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x140/0x1a0 mm/kasan/kasan.c:267 + kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278 + __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline] + atomic_add_unless include/linux/atomic.h:533 [inline] + mmget_not_zero include/linux/sched/mm.h:75 [inline] + binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218 + binder_alloc_new_buf_locked drivers/android/binder_alloc.c:443 [inline] + binder_alloc_new_buf+0x467/0xc30 drivers/android/binder_alloc.c:513 + binder_transaction+0x125b/0x4fb0 drivers/android/binder.c:2957 + binder_thread_write+0xc08/0x2770 drivers/android/binder.c:3528 + binder_ioctl_write_read.isra.39+0x24f/0x8e0 drivers/android/binder.c:4456 + binder_ioctl+0xa86/0xf34 
drivers/android/binder.c:4596 + vfs_ioctl fs/ioctl.c:46 [inline] + do_vfs_ioctl+0x154/0xd40 fs/ioctl.c:686 + ksys_ioctl+0x94/0xb0 fs/ioctl.c:701 + __do_sys_ioctl fs/ioctl.c:708 [inline] + __se_sys_ioctl fs/ioctl.c:706 [inline] + __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:706 + do_syscall_64+0x167/0x4b0 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +" + +Signed-off-by: Todd Kjos +Signed-off-by: Minchan Kim +Reviewed-by: Martijn Coenen +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder_alloc.c | 42 +++++++++++++++++++++++++++++++++-------- + 1 file changed, 34 insertions(+), 8 deletions(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -324,6 +324,34 @@ err_no_vma: + return vma ? -ENOMEM : -ESRCH; + } + ++static inline void binder_alloc_set_vma(struct binder_alloc *alloc, ++ struct vm_area_struct *vma) ++{ ++ if (vma) ++ alloc->vma_vm_mm = vma->vm_mm; ++ /* ++ * If we see alloc->vma is not NULL, buffer data structures set up ++ * completely. Look at smp_rmb side binder_alloc_get_vma. ++ * We also want to guarantee new alloc->vma_vm_mm is always visible ++ * if alloc->vma is set. 
++ */ ++ smp_wmb(); ++ alloc->vma = vma; ++} ++ ++static inline struct vm_area_struct *binder_alloc_get_vma( ++ struct binder_alloc *alloc) ++{ ++ struct vm_area_struct *vma = NULL; ++ ++ if (alloc->vma) { ++ /* Look at description in binder_alloc_set_vma */ ++ smp_rmb(); ++ vma = alloc->vma; ++ } ++ return vma; ++} ++ + struct binder_buffer *binder_alloc_new_buf_locked(struct binder_alloc *alloc, + size_t data_size, + size_t offsets_size, +@@ -339,7 +367,7 @@ struct binder_buffer *binder_alloc_new_b + size_t size, data_offsets_size; + int ret; + +- if (alloc->vma == NULL) { ++ if (!binder_alloc_get_vma(alloc)) { + pr_err("%d: binder_alloc_buf, no vma\n", + alloc->pid); + return ERR_PTR(-ESRCH); +@@ -712,9 +740,7 @@ int binder_alloc_mmap_handler(struct bin + buffer->free = 1; + binder_insert_free_buffer(alloc, buffer); + alloc->free_async_space = alloc->buffer_size / 2; +- barrier(); +- alloc->vma = vma; +- alloc->vma_vm_mm = vma->vm_mm; ++ binder_alloc_set_vma(alloc, vma); + mmgrab(alloc->vma_vm_mm); + + return 0; +@@ -741,10 +767,10 @@ void binder_alloc_deferred_release(struc + int buffers, page_count; + struct binder_buffer *buffer; + +- BUG_ON(alloc->vma); +- + buffers = 0; + mutex_lock(&alloc->mutex); ++ BUG_ON(alloc->vma); ++ + while ((n = rb_first(&alloc->allocated_buffers))) { + buffer = rb_entry(n, struct binder_buffer, rb_node); + +@@ -886,7 +912,7 @@ int binder_alloc_get_allocated_count(str + */ + void binder_alloc_vma_close(struct binder_alloc *alloc) + { +- WRITE_ONCE(alloc->vma, NULL); ++ binder_alloc_set_vma(alloc, NULL); + } + + /** +@@ -921,7 +947,7 @@ enum lru_status binder_alloc_free_page(s + + index = page - alloc->pages; + page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE; +- vma = alloc->vma; ++ vma = binder_alloc_get_vma(alloc); + if (vma) { + if (!mmget_not_zero(alloc->vma_vm_mm)) + goto err_mmget; 
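Review bot: The new `binder_alloc_set_vma()`/`binder_alloc_get_vma()` pair the `smp_wmb()`/`smp_rmb()` with plain stores and loads of `alloc->vma`, and the reader loads `alloc->vma` twice (once in the `if`, once after the barrier), so the compiler is free to tear, fuse or reload those accesses; the hunk in `binder_alloc_vma_close()` also downgrades the previous `WRITE_ONCE(alloc->vma, NULL)` to a plain store. The intent is a release/acquire handoff of `vma_vm_mm`, which is expressed directly and with a single load as `smp_store_release(&alloc->vma, vma);` in the setter and `vma = smp_load_acquire(&alloc->vma);` in the getter (the `if`/`smp_rmb()` then go away). The callers changed by the other hunks (`binder_alloc_new_buf_locked`, `binder_alloc_mmap_handler`, `binder_alloc_deferred_release`, `binder_alloc_free_page`) start outside their hunks, so whether every remaining reader of `alloc->vma` goes through the getter cannot be confirmed from here.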
diff --git a/queue-4.14/block-bfq-swap-puts-in-bfqg_and_blkg_put.patch b/queue-4.14/block-bfq-swap-puts-in-bfqg_and_blkg_put.patch new file mode 100644 index 00000000000..752d0a3aab9 --- /dev/null +++ b/queue-4.14/block-bfq-swap-puts-in-bfqg_and_blkg_put.patch @@ -0,0 +1,35 @@ +From d5274b3cd6a814ccb2f56d81ee87cbbf51bd4cf7 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 6 Sep 2018 11:05:44 +0300 +Subject: block: bfq: swap puts in bfqg_and_blkg_put + +From: Konstantin Khlebnikov + +commit d5274b3cd6a814ccb2f56d81ee87cbbf51bd4cf7 upstream. + +Fix trivial use-after-free. This could be last reference to bfqg. + +Fixes: 8f9bebc33dd7 ("block, bfq: access and cache blkg data only when safe") +Acked-by: Paolo Valente +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/bfq-cgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -224,9 +224,9 @@ static void bfqg_and_blkg_get(struct bfq + + void bfqg_and_blkg_put(struct bfq_group *bfqg) + { +- bfqg_put(bfqg); +- + blkg_put(bfqg_to_blkg(bfqg)); ++ ++ bfqg_put(bfqg); + } + + void bfqg_stats_update_io_add(struct bfq_group *bfqg, struct bfq_queue *bfqq, diff --git a/queue-4.14/btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch b/queue-4.14/btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch new file mode 100644 index 00000000000..c9d7793f303 --- /dev/null +++ b/queue-4.14/btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch 
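Review bot: The reordering in `bfqg_and_blkg_put()` is correct only because of an ownership rule the code does not state: `bfqg_put()` may drop the last reference and free `bfqg`, so `bfqg_to_blkg(bfqg)` must be evaluated before it. A one-line comment above the first put would keep the next refactor from swapping them back, e.g. `/* bfqg_put() may free bfqg, so derive the blkg and drop it first */`.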
@@ -0,0 +1,126 @@ +From de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 17 Aug 2018 09:38:59 +0100 +Subject: Btrfs: fix data corruption when deduplicating between different files + +From: Filipe Manana + +commit de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 upstream. + +If we deduplicate extents between two different files we can end up +corrupting data if the source range ends at the size of the source file, +the source file's size is not aligned to the filesystem's block size +and the destination range does not go past the size of the destination +file size. + +Example: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + + $ xfs_io -f -c "pwrite -S 0x6b 0 2518890" /mnt/foo + # The first byte with a value of 0xae starts at an offset (2518890) + # which is not a multiple of the sector size. + $ xfs_io -c "pwrite -S 0xae 2518890 102398" /mnt/foo + + # Confirm the file content is full of bytes with values 0x6b and 0xae. + $ od -t x1 /mnt/foo + 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b + * + 11467540 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ae ae ae ae ae ae + 11467560 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae + * + 11777540 ae ae ae ae ae ae ae ae + 11777550 + + # Create a second file with a length not aligned to the sector size, + # whose bytes all have the value 0x6b, so that its extent(s) can be + # deduplicated with the first file. + $ xfs_io -f -c "pwrite -S 0x6b 0 557771" /mnt/bar + + # Now deduplicate the entire second file into a range of the first file + # that also has all bytes with the value 0x6b. The destination range's + # end offset must not be aligned to the sector size and must be less + # then the offset of the first byte with the value 0xae (byte at offset + # 2518890). 
+ $ xfs_io -c "dedupe /mnt/bar 0 1957888 557771" /mnt/foo + + # The bytes in the range starting at offset 2515659 (end of the + # deduplication range) and ending at offset 2519040 (start offset + # rounded up to the block size) must all have the value 0xae (and not + # replaced with 0x00 values). In other words, we should have exactly + # the same data we had before we asked for deduplication. + $ od -t x1 /mnt/foo + 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b + * + 11467540 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ae ae ae ae ae ae + 11467560 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae + * + 11777540 ae ae ae ae ae ae ae ae + 11777550 + + # Unmount the filesystem and mount it again. This guarantees any file + # data in the page cache is dropped. + $ umount /dev/sdb + $ mount /dev/sdb /mnt + + $ od -t x1 /mnt/foo + 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b + * + 11461300 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 00 + 11461320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + * + 11470000 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae + * + 11777540 ae ae ae ae ae ae ae ae + 11777550 + + # The bytes in range 2515659 to 2519040 have a value of 0x00 and not a + # value of 0xae, data corruption happened due to the deduplication + # operation. + +So fix this by rounding down, to the sector size, the length used for the +deduplication when the following conditions are met: + + 1) Source file's range ends at its i_size; + 2) Source file's i_size is not aligned to the sector size; + 3) Destination range does not cross the i_size of the destination file. 
+ +Fixes: e1d227a42ea2 ("btrfs: Handle unaligned length in extent_same") +CC: stable@vger.kernel.org # 4.2+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3158,6 +3158,25 @@ static int btrfs_extent_same(struct inod + + same_lock_start = min_t(u64, loff, dst_loff); + same_lock_len = max_t(u64, loff, dst_loff) + len - same_lock_start; ++ } else { ++ /* ++ * If the source and destination inodes are different, the ++ * source's range end offset matches the source's i_size, that ++ * i_size is not a multiple of the sector size, and the ++ * destination range does not go past the destination's i_size, ++ * we must round down the length to the nearest sector size ++ * multiple. If we don't do this adjustment we end replacing ++ * with zeroes the bytes in the range that starts at the ++ * deduplication range's end offset and ends at the next sector ++ * size multiple. ++ */ ++ if (loff + olen == i_size_read(src) && ++ dst_loff + len < i_size_read(dst)) { ++ const u64 sz = BTRFS_I(src)->root->fs_info->sectorsize; ++ ++ len = round_down(i_size_read(src), sz) - loff; ++ olen = len; ++ } + } + + /* don't make the dst file partly checksummed */ diff --git a/queue-4.14/i2c-i801-fix-dnv-s-smbctrl-register-offset.patch b/queue-4.14/i2c-i801-fix-dnv-s-smbctrl-register-offset.patch new file mode 100644 index 00000000000..1c4db8644db --- /dev/null +++ b/queue-4.14/i2c-i801-fix-dnv-s-smbctrl-register-offset.patch 
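Review bot: The new `else` branch in `btrfs_extent_same()` calls `i_size_read(src)` three times (twice in the condition, once in the `round_down()`); if the source inode's size is not held stable across those reads by the locking that precedes the hunk, the condition and the rounding can disagree. Reading it once into a local, `const u64 src_size = i_size_read(src);` above the `if` and using `src_size` in all three places, removes that window and also reads more clearly. The condition checks the source end against `olen` but the destination end against `len`; presumably `len` is the already-adjusted length, but that is set before the hunk, so it is worth a word in the comment. `btrfs_extent_same()` begins and ends outside the hunk.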
@@ -0,0 +1,47 @@ +From 851a15114895c5bce163a6f2d57e0aa4658a1be4 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Mon, 3 Sep 2018 11:24:57 +0300 +Subject: i2c: i801: fix DNV's SMBCTRL register offset + +From: Felipe Balbi + +commit 851a15114895c5bce163a6f2d57e0aa4658a1be4 upstream. + +DNV's iTCO is slightly different with SMBCTRL sitting at a different +offset when compared to all other devices. Let's fix so that we can +properly use iTCO watchdog. + +Fixes: 84d7f2ebd70d ("i2c: i801: Add support for Intel DNV") +Cc: # v4.4+ +Signed-off-by: Felipe Balbi +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-i801.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -138,6 +138,7 @@ + + #define SBREG_BAR 0x10 + #define SBREG_SMBCTRL 0xc6000c ++#define SBREG_SMBCTRL_DNV 0xcf000c + + /* Host status bits for SMBPCISTS */ + #define SMBPCISTS_INTS BIT(3) +@@ -1395,7 +1396,11 @@ static void i801_add_tco(struct i801_pri + spin_unlock(&p2sb_spinlock); + + res = &tco_res[ICH_RES_MEM_OFF]; +- res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL; ++ if (pci_dev->device == PCI_DEVICE_ID_INTEL_DNV_SMBUS) ++ res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL_DNV; ++ else ++ res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL; ++ + res->end = res->start + 3; + res->flags = IORESOURCE_MEM; + diff --git a/queue-4.14/i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch b/queue-4.14/i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch new file mode 100644 index 00000000000..a559a95dda3 --- /dev/null +++ b/queue-4.14/i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch 
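Review bot: The `if`/`else` added in `i801_add_tco()` duplicates the `res->start = (resource_size_t)base64_addr + ...` computation in both arms, so a third variant would mean a third copy; selecting the offset first keeps a single assignment: `u32 smbctrl = (pci_dev->device == PCI_DEVICE_ID_INTEL_DNV_SMBUS) ? SBREG_SMBCTRL_DNV : SBREG_SMBCTRL;` followed by `res->start = (resource_size_t)base64_addr + smbctrl;`. The added blank line after the `else` arm is stray. `i801_add_tco()` starts and ends outside the hunk.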
@@ -0,0 +1,59 @@ +From ae7304c3ea28a3ba47a7a8312c76c654ef24967e Mon Sep 17 00:00:00 2001 +From: Shubhrajyoti Datta +Date: Mon, 3 Sep 2018 15:11:11 +0530 +Subject: i2c: xiic: Make the start and the byte count write atomic + +From: Shubhrajyoti Datta + +commit ae7304c3ea28a3ba47a7a8312c76c654ef24967e upstream. + +Disable interrupts while configuring the transfer and enable them back. + +We have below as the programming sequence +1. start and slave address +2. byte count and stop + +In some customer platform there was a lot of interrupts between 1 and 2 +and after slave address (around 7 clock cyles) if 2 is not executed +then the transaction is nacked. + +To fix this case make the 2 writes atomic. + +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: Michal Simek +[wsa: added a newline for better readability] +Signed-off-by: Wolfram Sang +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-xiic.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -538,6 +538,7 @@ static void xiic_start_recv(struct xiic_ + { + u8 rx_watermark; + struct i2c_msg *msg = i2c->rx_msg = i2c->tx_msg; ++ unsigned long flags; + + /* Clear and enable Rx full interrupt. */ + xiic_irq_clr_en(i2c, XIIC_INTR_RX_FULL_MASK | XIIC_INTR_TX_ERROR_MASK); +@@ -553,6 +554,7 @@ static void xiic_start_recv(struct xiic_ + rx_watermark = IIC_RX_FIFO_DEPTH; + xiic_setreg8(i2c, XIIC_RFD_REG_OFFSET, rx_watermark - 1); + ++ local_irq_save(flags); + if (!(msg->flags & I2C_M_NOSTART)) + /* write the address */ + xiic_setreg16(i2c, XIIC_DTR_REG_OFFSET, +@@ -563,6 +565,8 @@ static void xiic_start_recv(struct xiic_ + + xiic_setreg16(i2c, XIIC_DTR_REG_OFFSET, + msg->len | ((i2c->nmsgs == 1) ? XIIC_TX_DYN_STOP_MASK : 0)); ++ local_irq_restore(flags); ++ + if (i2c->nmsgs == 1) + /* very last, enable bus not busy as well */ + xiic_irq_clr_en(i2c, XIIC_INTR_BNB_MASK); 
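Review bot: The `local_irq_save()`/`local_irq_restore()` pair added to `xiic_start_recv()` has no comment saying why interrupts are masked, and the reason (the byte-count write must follow the address write within a few bus clocks or the transfer is NACKed, per the commit message) is not obvious from the two register writes; add it above `local_irq_save(flags);`, e.g. `/* Address and byte-count writes must be back-to-back: the controller NACKs the transfer if the count is not written within a few clocks of the address. */`. The lines between the two hunks (the remainder of the `xiic_setreg16()` call for the address) are now executed with interrupts off and are not shown here, so it is worth confirming nothing in them can block. `xiic_start_recv()` ends outside the hunk.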
diff --git a/queue-4.14/kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch b/queue-4.14/kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch new file mode 100644 index 00000000000..b71efe6cb12 --- /dev/null +++ b/queue-4.14/kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch @@ -0,0 +1,38 @@ +From 204c97245612b6c255edf4e21e24d417c4a0c008 Mon Sep 17 00:00:00 2001 +From: Pierre Morel +Date: Thu, 23 Aug 2018 12:25:54 +0200 +Subject: KVM: s390: vsie: copy wrapping keys to right place + +From: Pierre Morel + +commit 204c97245612b6c255edf4e21e24d417c4a0c008 upstream. + +Copy the key mask to the right offset inside the shadow CRYCB + +Fixes: bbeaa58b3 ("KVM: s390: vsie: support aes dea wrapping keys") +Signed-off-by: Pierre Morel +Reviewed-by: David Hildenbrand +Reviewed-by: Cornelia Huck +Reviewed-by: Janosch Frank +Cc: stable@vger.kernel.org # v4.8+ +Message-Id: <1535019956-23539-2-git-send-email-pmorel@linux.ibm.com> +Signed-off-by: Janosch Frank +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/vsie.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -170,7 +170,8 @@ static int shadow_crycb(struct kvm_vcpu + return set_validity_icpt(scb_s, 0x0039U); + + /* copy only the wrapping keys */ +- if (read_guest_real(vcpu, crycb_addr + 72, &vsie_page->crycb, 56)) ++ if (read_guest_real(vcpu, crycb_addr + 72, ++ vsie_page->crycb.dea_wrapping_key_mask, 56)) + return set_validity_icpt(scb_s, 0x0035U); + + scb_s->ecb3 |= ecb3_flags; diff --git a/queue-4.14/kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch b/queue-4.14/kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch new file mode 100644 index 00000000000..dd4ac73221b --- /dev/null +++ b/queue-4.14/kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch 
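Review bot: The corrected `read_guest_real()` in `shadow_crycb()` still copies a hard-coded 56 bytes into `vsie_page->crycb.dea_wrapping_key_mask`, and nothing ties that length to the destination's size; if, as the commit's "wrapping keys" wording suggests, 56 bytes is the DEA mask plus the adjacent AES mask, the write deliberately runs past `dea_wrapping_key_mask` into the next field, which deserves an explicit comment and a build-time check. Something like `/* 56 bytes = DEA mask + AES mask, which are adjacent in the shadow crycb */` next to the call, plus a `BUILD_BUG_ON()` that the combined size of the two mask fields is 56, would make an unintended layout change fail at compile time instead of overflowing. `shadow_crycb()` starts and ends outside the hunk.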
@@ -0,0 +1,48 @@ +From c4409905cd6eb42cfd06126e9226b0150e05a715 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 23 Aug 2018 13:56:46 -0700 +Subject: KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO instr +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit c4409905cd6eb42cfd06126e9226b0150e05a715 upstream. + +Re-execution after an emulation decode failure is only intended to +handle a case where two or vCPUs race to write a shadowed page, i.e. +we should never re-execute an instruction as part of MMIO emulation. +As handle_ept_misconfig() is only used for MMIO emulation, it should +pass EMULTYPE_NO_REEXECUTE when using the emulator to skip an instr +in the fast-MMIO case where VM_EXIT_INSTRUCTION_LEN is invalid. + +And because the cr2 value passed to x86_emulate_instruction() is only +destined for use when retrying or reexecuting, we can simply call +emulate_instruction(). + +Fixes: d391f1207067 ("x86/kvm/vmx: do not use vm-exit instruction length + for fast MMIO when running nested") +Cc: Vitaly Kuznetsov +Signed-off-by: Sean Christopherson +Cc: stable@vger.kernel.org +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6965,8 +6965,8 @@ static int handle_ept_misconfig(struct k + if (!static_cpu_has(X86_FEATURE_HYPERVISOR)) + return kvm_skip_emulated_instruction(vcpu); + else +- return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP, +- NULL, 0) == EMULATE_DONE; ++ return emulate_instruction(vcpu, EMULTYPE_SKIP) == ++ EMULATE_DONE; + } + + ret = kvm_mmu_page_fault(vcpu, gpa, PFERR_RSVD_MASK, NULL, 0); 
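Review bot: The replacement call in `handle_ept_misconfig()` passes only `EMULTYPE_SKIP`, yet the stated fix is that re-execution must be forbidden; the hunk therefore relies on `emulate_instruction()` adding `EMULTYPE_NO_REEXECUTE` itself, which a reader cannot see here. A short comment on the `else` branch would record that dependency, e.g. `/* emulate_instruction() adds EMULTYPE_NO_REEXECUTE: MMIO must never be re-executed */`, so a later change to the wrapper does not silently reintroduce the problem. `handle_ept_misconfig()` starts and ends outside the hunk.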
diff --git a/queue-4.14/mips-vdso-match-data-page-cache-colouring-when-d-aliases.patch b/queue-4.14/mips-vdso-match-data-page-cache-colouring-when-d-aliases.patch new file mode 100644 index 00000000000..260a03dd5fd --- /dev/null +++ b/queue-4.14/mips-vdso-match-data-page-cache-colouring-when-d-aliases.patch 
@@ -0,0 +1,90 @@ +From 0f02cfbc3d9e413d450d8d0fd660077c23f67eff Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Thu, 30 Aug 2018 11:01:21 -0700 +Subject: MIPS: VDSO: Match data page cache colouring when D$ aliases + +From: Paul Burton + +commit 0f02cfbc3d9e413d450d8d0fd660077c23f67eff upstream. + +When a system suffers from dcache aliasing a user program may observe +stale VDSO data from an aliased cache line. Notably this can break the +expectation that clock_gettime(CLOCK_MONOTONIC, ...) is, as its name +suggests, monotonic. + +In order to ensure that users observe updates to the VDSO data page as +intended, align the user mappings of the VDSO data page such that their +cache colouring matches that of the virtual address range which the +kernel will use to update the data page - typically its unmapped address +within kseg0. + +This ensures that we don't introduce aliasing cache lines for the VDSO +data page, and therefore that userland will observe updates without +requiring cache invalidation. + +Signed-off-by: Paul Burton +Reported-by: Hauke Mehrtens +Reported-by: Rene Nielsen +Reported-by: Alexandre Belloni +Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") +Patchwork: https://patchwork.linux-mips.org/patch/20344/ +Tested-by: Alexandre Belloni +Tested-by: Hauke Mehrtens +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/vdso.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/arch/mips/kernel/vdso.c ++++ b/arch/mips/kernel/vdso.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -20,6 +21,7 @@ + + #include + #include ++#include + #include + + /* Kernel-provided data used by the VDSO. 
*/ +@@ -128,12 +130,30 @@ int arch_setup_additional_pages(struct l + vvar_size = gic_size + PAGE_SIZE; + size = vvar_size + image->size; + ++ /* ++ * Find a region that's large enough for us to perform the ++ * colour-matching alignment below. ++ */ ++ if (cpu_has_dc_aliases) ++ size += shm_align_mask + 1; ++ + base = get_unmapped_area(NULL, 0, size, 0, 0); + if (IS_ERR_VALUE(base)) { + ret = base; + goto out; + } + ++ /* ++ * If we suffer from dcache aliasing, ensure that the VDSO data page ++ * mapping is coloured the same as the kernel's mapping of that memory. ++ * This ensures that when the kernel updates the VDSO data userland ++ * will observe it without requiring cache invalidations. ++ */ ++ if (cpu_has_dc_aliases) { ++ base = __ALIGN_MASK(base, shm_align_mask); ++ base += ((unsigned long)&vdso_data - gic_size) & shm_align_mask; ++ } ++ + data_addr = base + gic_size; + vdso_addr = data_addr + PAGE_SIZE; + diff --git a/queue-4.14/nbd-don-t-allow-invalid-blocksize-settings.patch b/queue-4.14/nbd-don-t-allow-invalid-blocksize-settings.patch new file mode 100644 index 00000000000..079364e5267 --- /dev/null +++ b/queue-4.14/nbd-don-t-allow-invalid-blocksize-settings.patch 
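Review bot: The colour-matching in `arch_setup_additional_pages()` can move `base` further than the slack it reserved: `size` grows by `shm_align_mask + 1`, but `__ALIGN_MASK(base, shm_align_mask)` advances by up to `shm_align_mask` and the following `base += ... & shm_align_mask` by up to another `shm_align_mask`, so the mapped range can extend past the area `get_unmapped_area()` found (what happens then depends on the mapping calls below the hunk). Rebasing in one step bounds the shift to `shm_align_mask` while producing the same colour: replace the two lines with `base += (((unsigned long)&vdso_data - gic_size) - base) & shm_align_mask;`. The function starts and ends outside the hunk; the first hunk (two added includes) is trivial.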
@@ -0,0 +1,36 @@ +From bc811f05d77f47059c197a98b6ad242eb03999cb Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 4 Sep 2018 11:52:34 -0600 +Subject: nbd: don't allow invalid blocksize settings + +From: Jens Axboe + +commit bc811f05d77f47059c197a98b6ad242eb03999cb upstream. + +syzbot reports a divide-by-zero off the NBD_SET_BLKSIZE ioctl. +We need proper validation of the input here. Not just if it's +zero, but also if the value is a power-of-2 and in a valid +range. Add that. + +Cc: stable@vger.kernel.org +Reported-by: syzbot +Reviewed-by: Josef Bacik +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/nbd.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1228,6 +1228,9 @@ static int __nbd_ioctl(struct block_devi + case NBD_SET_SOCK: + return nbd_add_socket(nbd, arg, false); + case NBD_SET_BLKSIZE: ++ if (!arg || !is_power_of_2(arg) || arg < 512 || ++ arg > PAGE_SIZE) ++ return -EINVAL; + nbd_size_set(nbd, arg, + div_s64(config->bytesize, arg)); + return 0; diff --git a/queue-4.14/scsi-lpfc-correct-mds-diag-and-nvmet-configuration.patch b/queue-4.14/scsi-lpfc-correct-mds-diag-and-nvmet-configuration.patch new file mode 100644 index 00000000000..cc82aa6e356 --- /dev/null +++ b/queue-4.14/scsi-lpfc-correct-mds-diag-and-nvmet-configuration.patch 
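Review bot: In the new `NBD_SET_BLKSIZE` check the `!arg` term is redundant: `arg < 512` already rejects zero and `is_power_of_2(0)` is false, so the range test can lead and the condition becomes `if (arg < 512 || arg > PAGE_SIZE || !is_power_of_2(arg)) return -EINVAL;`. If the netlink configuration path also accepts a block size from userspace, it needs the same bounds rather than a copy of this test, so a small `nbd_is_valid_blksize()` helper used by both would be the safer shape. `__nbd_ioctl()` starts and ends outside the hunk.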
@@ -0,0 +1,42 @@ +From 53e13ee087a80e8d4fc95436318436e5c2c1f8c2 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Thu, 16 Aug 2018 16:04:05 -0700 +Subject: scsi: lpfc: Correct MDS diag and nvmet configuration + +From: James Smart + +commit 53e13ee087a80e8d4fc95436318436e5c2c1f8c2 upstream. + +A recent change added some MDS processing in the lpfc_drain_txq routine +that relies on the fcp_wq being allocated. For nvmet operation the fcp_wq +is not allocated because it can only be an nvme-target. When the original +MDS support was added LS_MDS_LOOPBACK was defined wrong, (0x16) it should +have been 0x10 (decimal value used for hex setting). This incorrect value +allowed MDS_LOOPBACK to be set simultaneously with LS_NPIV_FAB_SUPPORTED, +causing the driver to crash when it accesses the non-existent fcp_wq. + +Correct the bad value setting for LS_MDS_LOOPBACK. + +Fixes: ae9e28f36a6c ("lpfc: Add MDS Diagnostic support.") +Cc: # v4.12+ +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Tested-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -676,7 +676,7 @@ struct lpfc_hba { + #define LS_NPIV_FAB_SUPPORTED 0x2 /* Fabric supports NPIV */ + #define LS_IGNORE_ERATT 0x4 /* intr handler should ignore ERATT */ + #define LS_MDS_LINK_DOWN 0x8 /* MDS Diagnostics Link Down */ +-#define LS_MDS_LOOPBACK 0x16 /* MDS Diagnostics Link Up (Loopback) */ ++#define LS_MDS_LOOPBACK 0x10 /* MDS Diagnostics Link Up (Loopback) */ + + uint32_t hba_flag; /* hba generic flags */ + #define HBA_ERATT_HANDLED 0x1 /* This flag is set when eratt handled */ diff --git a/queue-4.14/series b/queue-4.14/series index 1e503f6e4df..1d5e15d5535 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
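Review bot: The `LS_MDS_LOOPBACK` fix leaves the `link_state` flags as hand-written hex masks, which is how `0x16` (a three-bit value) slipped in next to `0x2`, `0x4` and `0x8` unnoticed; writing single-bit flags as `BIT(n)`, e.g. `#define LS_MDS_LOOPBACK BIT(4) /* MDS Diagnostics Link Up (Loopback) */`, makes a non-power-of-two value impossible to express by accident (assuming the header already pulls in `BIT()`, which the hunk does not show). The same applies to the neighbouring `LS_*` defines in `struct lpfc_hba`, which continues outside the hunk.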
@@ -8,3 +8,5 @@ mips-vdso-match-data-page-cache-colouring-when-d-aliases.patch
 smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch
 smb3-check-for-and-properly-advertise-directory-lease-support.patch
 btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch
+kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch
+kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch
diff --git a/queue-4.14/smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch b/queue-4.14/smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch
new file mode 100644
index 00000000000..233550b8736
--- /dev/null
+++ b/queue-4.14/smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch
@@ -0,0 +1,102 @@ +From 5e19697b56a64004e2d0ff1bb952ea05493c088f Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 27 Aug 2018 17:04:13 -0500 +Subject: SMB3: Backup intent flag missing for directory opens with backupuid mounts + +From: Steve French + +commit 5e19697b56a64004e2d0ff1bb952ea05493c088f upstream. + +When "backup intent" is requested on the mount (e.g. backupuid or +backupgid mount options), the corresponding flag needs to be set +on opens of directories (and files) but was missing in some +places causing access denied trying to enumerate and backup +servers. + +Fixes kernel bugzilla #200953 +https://bugzilla.kernel.org/show_bug.cgi?id=200953 + +Reported-and-tested-by: +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/inode.c | 2 ++ + fs/cifs/smb2ops.c | 25 ++++++++++++++++++++----- + 2 files changed, 22 insertions(+), 5 deletions(-) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -467,6 +467,8 @@ cifs_sfu_type(struct cifs_fattr *fattr, + oparms.cifs_sb = cifs_sb; + oparms.desired_access = GENERIC_READ; + oparms.create_options = CREATE_NOT_DIR; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options |= CREATE_OPEN_BACKUP_INTENT; + oparms.disposition = FILE_OPEN; + oparms.path = path; + oparms.fid = &fid; +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -385,7 +385,10 @@ smb2_is_path_accessible(const unsigned i + oparms.tcon = tcon; + oparms.desired_access = FILE_READ_ATTRIBUTES; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = &fid; + oparms.reconnect = false; + +@@ -534,7 +537,10 @@ smb2_query_eas(const unsigned int xid, s + oparms.tcon = tcon; + oparms.desired_access = FILE_READ_EA; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = 
CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = &fid; + oparms.reconnect = false; + +@@ -613,7 +619,10 @@ smb2_set_ea(const unsigned int xid, stru + oparms.tcon = tcon; + oparms.desired_access = FILE_WRITE_EA; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = &fid; + oparms.reconnect = false; + +@@ -1215,7 +1224,10 @@ smb2_query_dir_first(const unsigned int + oparms.tcon = tcon; + oparms.desired_access = FILE_READ_ATTRIBUTES | FILE_READ_DATA; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = fid; + oparms.reconnect = false; + +@@ -1491,7 +1503,10 @@ smb2_query_symlink(const unsigned int xi + oparms.tcon = tcon; + oparms.desired_access = FILE_READ_ATTRIBUTES; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = &fid; + oparms.reconnect = false; + diff --git a/queue-4.14/smb3-check-for-and-properly-advertise-directory-lease-support.patch b/queue-4.14/smb3-check-for-and-properly-advertise-directory-lease-support.patch new file mode 100644 index 00000000000..fbd8e679c6f --- /dev/null +++ b/queue-4.14/smb3-check-for-and-properly-advertise-directory-lease-support.patch 
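Review bot: The four-line `if (backup_cred(cifs_sb)) ... else ...` block is pasted identically into five functions in `fs/cifs/smb2ops.c` (`smb2_is_path_accessible`, `smb2_query_eas`, `smb2_set_ea`, `smb2_query_dir_first`, `smb2_query_symlink`); a single line per site, `oparms.create_options = backup_cred(cifs_sb) ? CREATE_OPEN_BACKUP_INTENT : 0;`, or a small helper that fills `create_options`, would keep the next open-site from missing the flag the way these did. Since backup intent asks the server to bypass its normal access checks, the change assumes `backup_cred()` only reports true when the caller matches the mount's backupuid/backupgid; that helper is outside the hunk, so confirm it. Each of these functions starts and ends outside its hunk.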
@@ -0,0 +1,86 @@
+From f801568332321e2b1e7a8bd26c3e4913a312a2ec Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Fri, 31 Aug 2018 15:12:10 -0500
+Subject: smb3: check for and properly advertise directory lease support
+
+From: Steve French
+
+commit f801568332321e2b1e7a8bd26c3e4913a312a2ec upstream.
+
+Although servers will typically ignore unsupported features,
+we should advertise the support for directory leases (as
+Windows e.g. does) in the negotiate protocol capabilities we
+pass to the server, and should check for the server capability
+(CAP_DIRECTORY_LEASING) before sending a lease request for an
+open of a directory. This will prevent us from accidentally
+sending directory leases to SMB2.1 or SMB2 server for example.
+
+Signed-off-by: Steve French
+CC: Stable
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2ops.c | 10 +++++-----
+ fs/cifs/smb2pdu.c | 3 +++
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3215,7 +3215,7 @@ struct smb_version_values smb21_values =
+ struct smb_version_values smb3any_values = {
+ .version_string = SMB3ANY_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID, /* doesn't matter, send protocol array */
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3235,7 +3235,7 @@ struct smb_version_values smb3any_values
+ struct smb_version_values smbdefault_values = {
+ .version_string = SMBDEFAULT_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID, /* doesn't matter, send protocol array */
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3255,7 +3255,7 @@ struct smb_version_values smbdefault_val
+ struct smb_version_values smb30_values = {
+ .version_string = SMB30_VERSION_STRING,
+ .protocol_id = SMB30_PROT_ID,
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3275,7 +3275,7 @@ struct smb_version_values smb30_values =
+ struct smb_version_values smb302_values = {
+ .version_string = SMB302_VERSION_STRING,
+ .protocol_id = SMB302_PROT_ID,
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+@@ -3296,7 +3296,7 @@ struct smb_version_values smb302_values
+ struct smb_version_values smb311_values = {
+ .version_string = SMB311_VERSION_STRING,
+ .protocol_id = SMB311_PROT_ID,
+- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION,
++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING,
+ .large_lock_type = 0,
+ .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK,
+ .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK,
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1816,6 +1816,9 @@ SMB2_open(const unsigned int xid, struct
+ if (!(server->capabilities & SMB2_GLOBAL_CAP_LEASING) ||
+ *oplock == SMB2_OPLOCK_LEVEL_NONE)
+ req->RequestedOplockLevel = *oplock;
++ else if (!(server->capabilities & SMB2_GLOBAL_CAP_DIRECTORY_LEASING) &&
++ (oparms->create_options & CREATE_NOT_FILE))
++ req->RequestedOplockLevel = *oplock; /* no srv lease support */
+ else {
+ rc = add_lease_context(server, iov, &n_iov, oplock);
+ if (rc) {
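Review bot: The `else if` added to `SMB2_open` has the same body as the branch above it, `req->RequestedOplockLevel = *oplock;`, so the three cases (server negotiated no leasing, caller wants no oplock, directory open against a server without CAP_DIRECTORY_LEASING) read better as one predicate with one assignment, and the terse `/* no srv lease support */` should say it is the directory case specifically. The directory test relies solely on `CREATE_NOT_FILE` in `oparms->create_options`; a path open that lands on a directory without that flag would still carry a lease context to an SMB2/2.1 server, which is worth confirming against the callers (outside the hunk, as are the start and end of `SMB2_open`). `server->capabilities` is whatever the peer put in its negotiate response, so this only gates what we request; the client must still cope with a lease break arriving on a directory handle wherever file lease breaks are handled, which this hunk does not show. The `smb21_values` table at the top of the smb2ops.c hunk is correctly left without the new capability, since directory leasing is an SMB3 feature.
```c
	/*
	 * Ask for a plain oplock rather than a lease when the server did not
	 * negotiate leasing at all, the caller wants no oplock, or this is a
	 * directory open and the server lacks CAP_DIRECTORY_LEASING (SMB2/2.1).
	 */
	if (!(server->capabilities & SMB2_GLOBAL_CAP_LEASING) ||
	    *oplock == SMB2_OPLOCK_LEVEL_NONE ||
	    (!(server->capabilities & SMB2_GLOBAL_CAP_DIRECTORY_LEASING) &&
	     (oparms->create_options & CREATE_NOT_FILE)))
		req->RequestedOplockLevel = *oplock;
	else {
		/* … unchanged: add_lease_context() call and its error handling … */
```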