From: Greg Kroah-Hartman Date: Mon, 3 Jul 2017 09:13:44 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.60~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5acf8ba2d5b5853a939ddc90e6fcd467bd67420a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: kvm-x86-fix-fixing-of-hypercalls.patch qla2xxx-fix-erroneous-invalid-handle-message.patch scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch
---
diff --git a/queue-4.4/kvm-x86-fix-fixing-of-hypercalls.patch b/queue-4.4/kvm-x86-fix-fixing-of-hypercalls.patch
new file mode 100644
index 00000000000..9ca9589d593
--- /dev/null
+++ b/queue-4.4/kvm-x86-fix-fixing-of-hypercalls.patch
@@ -0,0 +1,55 @@
+From foo@baz Mon Jul 3 11:12:35 CEST 2017
+From: Dmitry Vyukov
+Date: Tue, 17 Jan 2017 14:51:04 +0100
+Subject: KVM: x86: fix fixing of hypercalls
+
+From: Dmitry Vyukov
+
+
+[ Upstream commit ce2e852ecc9a42e4b8dabb46025cfef63209234a ]
+
+emulator_fix_hypercall() replaces hypercall with vmcall instruction,
+but it does not handle GP exception properly when writes the new instruction.
+It can return X86EMUL_PROPAGATE_FAULT without setting exception information.
+This leads to incorrect emulation and triggers
+WARN_ON(ctxt->exception.vector > 0x1f) in x86_emulate_insn()
+as discovered by syzkaller fuzzer:
+
+WARNING: CPU: 2 PID: 18646 at arch/x86/kvm/emulate.c:5558
+Call Trace:
+ warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
+ x86_emulate_insn+0x16a5/0x4090 arch/x86/kvm/emulate.c:5572
+ x86_emulate_instruction+0x403/0x1cc0 arch/x86/kvm/x86.c:5618
+ emulate_instruction arch/x86/include/asm/kvm_host.h:1127 [inline]
+ handle_exception+0x594/0xfd0 arch/x86/kvm/vmx.c:5762
+ vmx_handle_exit+0x2b7/0x38b0 arch/x86/kvm/vmx.c:8625
+ vcpu_enter_guest arch/x86/kvm/x86.c:6888 [inline]
+ vcpu_run arch/x86/kvm/x86.c:6947 [inline]
+
+Set exception information when write in emulator_fix_hypercall() fails.
+
+Signed-off-by: Dmitry Vyukov
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Wanpeng Li
+Cc: kvm@vger.kernel.org
+Cc: syzkaller@googlegroups.com
+Signed-off-by: Radim Krčmář
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5974,7 +5974,8 @@ static int emulator_fix_hypercall(struct
+ 
+ kvm_x86_ops->patch_hypercall(vcpu, instruction);
+ 
+- return emulator_write_emulated(ctxt, rip, instruction, 3, NULL);
++ return emulator_write_emulated(ctxt, rip, instruction, 3,
++ &ctxt->exception);
+ }
+ 
+ static int dm_request_for_irq_injection(struct kvm_vcpu *vcpu)
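Review bot: The rewritten return in emulator_fix_hypercall() now hands ctxt->exception to emulator_write_emulated(), but nothing at the call site records why that argument must not be NULL again, and the old form is exactly what a later cleanup would "simplify" back to. I would put a comment above the return: `/* Faults from the instruction write must land in ctxt->exception; returning X86EMUL_PROPAGATE_FAULT with no vector set trips the WARN_ON in x86_emulate_insn(). */`. The write length 3 is hard-coded while the bytes come from kvm_x86_ops->patch_hypercall(vcpu, instruction) two lines earlier, so the comment could also note that the length must match what patch_hypercall() emits. emulator_fix_hypercall() begins above this hunk, so the declaration and sizing of `instruction` are not visible here.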
diff --git a/queue-4.4/qla2xxx-fix-erroneous-invalid-handle-message.patch b/queue-4.4/qla2xxx-fix-erroneous-invalid-handle-message.patch
new file mode 100644
index 00000000000..ace4350591f
--- /dev/null
+++ b/queue-4.4/qla2xxx-fix-erroneous-invalid-handle-message.patch
@@ -0,0 +1,55 @@
+From foo@baz Mon Jul 3 11:12:35 CEST 2017
+From: Quinn Tran
+Date: Fri, 23 Dec 2016 18:06:13 -0800
+Subject: qla2xxx: Fix erroneous invalid handle message
+
+From: Quinn Tran
+
+
+[ Upstream commit 4f060736f29a960aba8e781a88837464756200a8 ]
+
+Termination of Immediate Notify IOCB was using wrong
+IOCB handle. IOCB completion code was unable to find
+appropriate code path due to wrong handle.
+
+Following message is seen in the logs.
+
+"Error entry - invalid handle/queue (ffff)."
+
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Reviewed-by: Christoph Hellwig
+[ bvanassche: Fixed word order in patch title ]
+Signed-off-by: Bart Van Assche
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 4 ++++
+ drivers/scsi/qla2xxx/qla_target.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -2466,6 +2466,10 @@ qla2x00_error_entry(scsi_qla_host_t *vha
+ if (pkt->entry_status & RF_BUSY)
+ res = DID_BUS_BUSY << 16;
+ 
++ if (pkt->entry_type == NOTIFY_ACK_TYPE &&
++ pkt->handle == QLA_TGT_SKIP_HANDLE)
++ return;
++
+ sp = qla2x00_get_sp_from_handle(vha, func, req, pkt);
+ if (sp) {
+ sp->done(ha, sp, res);
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -2865,7 +2865,7 @@ static int __qlt_send_term_imm_notif(str
+ 
+ pkt->entry_type = NOTIFY_ACK_TYPE;
+ pkt->entry_count = 1;
+- pkt->handle = QLA_TGT_SKIP_HANDLE | CTIO_COMPLETION_HANDLE_MARK;
++ pkt->handle = QLA_TGT_SKIP_HANDLE;
+ 
+ nack = (struct nack_to_isp *)pkt;
+ nack->ox_id = ntfy->ox_id;
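Review bot: The early return added to qla2x00_error_entry() drops a NOTIFY_ACK error entry without a word on why that is safe, and it sits after `res` has already been computed from RF_BUSY only to be discarded. I would give the check a comment so the pairing with qla_target.c is explicit: `/* NACKs queued by __qlt_send_term_imm_notif() carry QLA_TGT_SKIP_HANDLE and own no srb, so there is nothing to complete here. */`. The equality test only matches because the qla_target.c hunk stops OR-ing CTIO_COMPLETION_HANDLE_MARK into the handle, so the two hunks must be applied together; presumably any other NOTIFY_ACK sender still using the marked form keeps reaching the "invalid handle" path, which is worth confirming in the full driver. Both qla2x00_error_entry() and __qlt_send_term_imm_notif() start and end outside their hunks.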
diff --git a/queue-4.4/scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch b/queue-4.4/scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch
new file mode 100644
index 00000000000..02eed9d6789
--- /dev/null
+++ b/queue-4.4/scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch
@@ -0,0 +1,38 @@
+From foo@baz Mon Jul 3 11:12:35 CEST 2017
+From: Johannes Thumshirn
+Date: Tue, 10 Jan 2017 12:05:54 +0100
+Subject: scsi: lpfc: Set elsiocb contexts to NULL after freeing it
+
+From: Johannes Thumshirn
+
+
+[ Upstream commit 8667f515952feefebb3c0f8d9a9266c91b101a46 ]
+
+Set the elsiocb contexts to NULL after freeing as others depend on it.
+
+Signed-off-by: Johannes Thumshirn
+Acked-by: Dick Kennedy
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/lpfc/lpfc_els.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -3563,12 +3563,14 @@ lpfc_els_free_iocb(struct lpfc_hba *phba
+ } else {
+ buf_ptr1 = (struct lpfc_dmabuf *) elsiocb->context2;
+ lpfc_els_free_data(phba, buf_ptr1);
++ elsiocb->context2 = NULL;
+ }
+ }
+ 
+ if (elsiocb->context3) {
+ buf_ptr = (struct lpfc_dmabuf *) elsiocb->context3;
+ lpfc_els_free_bpl(phba, buf_ptr);
++ elsiocb->context3 = NULL;
+ }
+ lpfc_sli_release_iocbq(phba, elsiocb);
+ return 0;
diff --git a/queue-4.4/scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch b/queue-4.4/scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch
new file mode 100644
index 00000000000..95f7cec25ea
--- /dev/null
+++ b/queue-4.4/scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch
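Review bot: context2 is cleared only on the `} else {` branch that opens the hunk; the matching `if` branch lies above the hunk and is not visible, so if it also releases what context2 points to, that path still leaves a dangling pointer and the commit's stated goal (others depend on the field being NULL) is only half met — worth confirming against the full lpfc_els_free_iocb(). Since the iocbq is handed back through lpfc_sli_release_iocbq() two lines later, a short comment on the new assignments would record the contract: `/* The iocbq is recycled below; leave no stale dmabuf pointers behind. */`. lpfc_els_free_iocb() starts outside the hunk.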
@@ -0,0 +1,37 @@
+From foo@baz Mon Jul 3 11:12:35 CEST 2017
+From: Damien Le Moal
+Date: Thu, 12 Jan 2017 15:25:10 +0900
+Subject: scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
+
+From: Damien Le Moal
+
+
+[ Upstream commit 26f2819772af891dee2843e1f8662c58e5129d5f ]
+
+Zoned block devices force the use of READ/WRITE(16) commands by setting
+sdkp->use_16_for_rw and clearing sdkp->use_10_for_rw. This result in
+DPOFUA always being disabled for these drives as the assumed use of
+the deprecated READ/WRITE(6) commands only looks at sdkp->use_10_for_rw.
+Strenghten the test by also checking that sdkp->use_16_for_rw is false.
+
+Signed-off-by: Damien Le Moal
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2566,7 +2566,8 @@ sd_read_cache_type(struct scsi_disk *sdk
+ if (sdp->broken_fua) {
+ sd_first_printk(KERN_NOTICE, sdkp, "Disabling FUA\n");
+ sdkp->DPOFUA = 0;
+- } else if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw) {
++ } else if (sdkp->DPOFUA && !sdkp->device->use_10_for_rw &&
++ !sdkp->device->use_16_for_rw) {
+ sd_first_printk(KERN_NOTICE, sdkp,
+ "Uses READ/WRITE(6), disabling FUA\n");
+ sdkp->DPOFUA = 0;
diff --git a/queue-4.4/series b/queue-4.4/series
index 6237ab75072..f0fc210ce7d 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -29,3 +29,7 @@ usb-gadget-f_fs-fix-possibe-deadlock.patch
 sysctl-enable-strict-writes.patch
 block-fix-module-reference-leak-on-put_disk-call-for-cgroups-throttle.patch
 mm-numa-avoid-waiting-on-freed-migrated-pages.patch
+kvm-x86-fix-fixing-of-hypercalls.patch
+scsi-sd-fix-wrong-dpofua-disable-in-sd_read_cache_type.patch
+scsi-lpfc-set-elsiocb-contexts-to-null-after-freeing-it.patch
+qla2xxx-fix-erroneous-invalid-handle-message.patch
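Review bot: The widened `else if` in sd_read_cache_type() encodes "neither the 10-byte nor the 16-byte CDBs are selected, so the 6-byte ones will be used", but only the log message a line later says so, and that indirection is how use_16_for_rw got overlooked in the first place. I would name the condition so the intent survives the next flag: `bool rw6_only = !sdkp->device->use_10_for_rw && !sdkp->device->use_16_for_rw;` and then `} else if (sdkp->DPOFUA && rw6_only) {`, with a comment such as `/* READ/WRITE(6) has no FUA bit, so DPOFUA cannot be honoured. */`. Whether the two flags are mutually exclusive or can both be clear is not visible here, so the combined test (rather than checking one flag) is the right shape. sd_read_cache_type() starts and ends outside the hunk.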