From: Greg Kroah-Hartman Date: Tue, 2 Feb 2016 01:03:10 +0000 (-0800) Subject: 4.3-stable patches X-Git-Tag: v4.4.2~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6803d6c21959d0d5f5316b5a315479b1da50189f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.3-stable patches added patches: block-always-check-queue-limits-for-cloned-requests.patch block-ensure-to-split-after-potentially-bouncing-a-bio.patch crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch crypto-algif_skcipher-use-new-skcipher-interface.patch crypto-caam-fix-non-block-aligned-hash-calculation.patch crypto-crc32c-pclmul-use-.rodata-instead-of-.rotata.patch crypto-nx-fix-timing-leak-in-gcm-and-ccm-decryption.patch crypto-qat-don-t-use-userspace-pointer.patch crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch crypto-sun4i-ss-add-missing-statesize.patch crypto-talitos-fix-timing-leak-in-esp-icv-verification.patch dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch f2fs-crypto-allocate-buffer-for-decrypting-filename.patch hid-usbhid-fix-recursive-deadlock.patch nfsv4.1-pnfs-fixup-an-lo-plh_block_lgets-imbalance-in-layoutreturn.patch ocfs2-nfs-hangs-in-__ocfs2_cluster_lock-due-to-race-with-ocfs2_unblock_lock.patch --- diff --git a/queue-4.3/block-always-check-queue-limits-for-cloned-requests.patch b/queue-4.3/block-always-check-queue-limits-for-cloned-requests.patch new file mode 100644 index 00000000000..bfa09dfbab8 --- /dev/null +++ b/queue-4.3/block-always-check-queue-limits-for-cloned-requests.patch @@ -0,0 +1,97 @@ +From bf4e6b4e757488dee1b6a581f49c7ac34cd217f8 Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke +Date: Thu, 26 Nov 2015 08:46:57 +0100 +Subject: block: Always check queue limits for cloned requests + +From: Hannes Reinecke + +commit bf4e6b4e757488dee1b6a581f49c7ac34cd217f8 upstream. + +When a cloned request is retried on other queues it always needs +to be checked against the queue limits of that queue. +Otherwise the calculations for nr_phys_segments might be wrong, +leading to a crash in scsi_init_sgtable(). + +To clarify this the patch renames blk_rq_check_limits() +to blk_cloned_rq_check_limits() and removes the symbol +export, as the new function should only be used for +cloned requests and never exported. + +Cc: Mike Snitzer +Cc: Ewan Milne +Cc: Jeff Moyer +Signed-off-by: Hannes Reinecke +Fixes: e2a60da74 ("block: Clean up special command handling logic") +Acked-by: Mike Snitzer +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 21 +++++++-------------- + include/linux/blkdev.h | 1 - + 2 files changed, 7 insertions(+), 15 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -2023,7 +2023,8 @@ void submit_bio(int rw, struct bio *bio) + EXPORT_SYMBOL(submit_bio); + + /** +- * blk_rq_check_limits - Helper function to check a request for the queue limit ++ * blk_cloned_rq_check_limits - Helper function to check a cloned request ++ * for new the queue limits + * @q: the queue + * @rq: the request being checked + * +@@ -2034,20 +2035,13 @@ EXPORT_SYMBOL(submit_bio); + * after it is inserted to @q, it should be checked against @q before + * the insertion using this generic function. + * +- * This function should also be useful for request stacking drivers +- * in some cases below, so export this function. + * Request stacking drivers like request-based dm may change the queue +- * limits while requests are in the queue (e.g. dm's table swapping). +- * Such request stacking drivers should check those requests against +- * the new queue limits again when they dispatch those requests, +- * although such checkings are also done against the old queue limits +- * when submitting requests. ++ * limits when retrying requests on other queues. Those requests need ++ * to be checked against the new queue limits again during dispatch. + */ +-int blk_rq_check_limits(struct request_queue *q, struct request *rq) ++static int blk_cloned_rq_check_limits(struct request_queue *q, ++ struct request *rq) + { +- if (!rq_mergeable(rq)) +- return 0; +- + if (blk_rq_sectors(rq) > blk_queue_get_max_sectors(q, rq->cmd_flags)) { + printk(KERN_ERR "%s: over max size limit.\n", __func__); + return -EIO; +@@ -2067,7 +2061,6 @@ int blk_rq_check_limits(struct request_q + + return 0; + } +-EXPORT_SYMBOL_GPL(blk_rq_check_limits); + + /** + * blk_insert_cloned_request - Helper for stacking drivers to submit a request +@@ -2079,7 +2072,7 @@ int blk_insert_cloned_request(struct req + unsigned long flags; + int where = ELEVATOR_INSERT_BACK; + +- if (blk_rq_check_limits(q, rq)) ++ if (blk_cloned_rq_check_limits(q, rq)) + return -EIO; + + if (rq->rq_disk && +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -767,7 +767,6 @@ extern void blk_rq_set_block_pc(struct r + extern void blk_requeue_request(struct request_queue *, struct request *); + extern void blk_add_request_payload(struct request *rq, struct page *page, + unsigned int len); +-extern int blk_rq_check_limits(struct request_queue *q, struct request *rq); + extern int blk_lld_busy(struct request_queue *q); + extern int blk_rq_prep_clone(struct request *rq, struct request *rq_src, + struct bio_set *bs, gfp_t gfp_mask, diff --git a/queue-4.3/block-ensure-to-split-after-potentially-bouncing-a-bio.patch b/queue-4.3/block-ensure-to-split-after-potentially-bouncing-a-bio.patch new file mode 100644 index 00000000000..e9430cc75c3 --- /dev/null +++ b/queue-4.3/block-ensure-to-split-after-potentially-bouncing-a-bio.patch @@ -0,0 +1,43 @@ +From 23688bf4f830a89866fd0ed3501e342a7360fe4f Mon Sep 17 00:00:00 2001 +From: Junichi Nomura +Date: Tue, 22 Dec 2015 10:23:44 -0700 +Subject: block: ensure to split after potentially bouncing a bio + +From: Junichi Nomura + +commit 23688bf4f830a89866fd0ed3501e342a7360fe4f upstream. + +blk_queue_bio() does split then bounce, which makes the segment +counting based on pages before bouncing and could go wrong. Move +the split to after bouncing, like we do for blk-mq, and the we +fix the issue of having the bio count for segments be wrong. + +Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios") +Tested-by: Artem S. Tashkinov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -1616,8 +1616,6 @@ static void blk_queue_bio(struct request + struct request *req; + unsigned int request_count = 0; + +- blk_queue_split(q, &bio, q->bio_split); +- + /* + * low level driver can indicate that it wants pages above a + * certain limit bounced to low memory (ie for highmem, or even +@@ -1625,6 +1623,8 @@ static void blk_queue_bio(struct request + */ + blk_queue_bounce(q, &bio); + ++ blk_queue_split(q, &bio, q->bio_split); ++ + if (bio_integrity_enabled(bio) && bio_integrity_prep(bio)) { + bio->bi_error = -EIO; + bio_endio(bio); diff --git a/queue-4.3/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch b/queue-4.3/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch new file mode 100644 index 00000000000..7b16f9712f1 --- /dev/null +++ b/queue-4.3/crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch @@ -0,0 +1,54 @@ +From 4afa5f9617927453ac04b24b584f6c718dfb4f45 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Sun, 1 Nov 2015 17:11:19 +0800 +Subject: crypto: algif_hash - Only export and import on sockets with data + +From: Herbert Xu + +commit 4afa5f9617927453ac04b24b584f6c718dfb4f45 upstream. + +The hash_accept call fails to work on sockets that have not received +any data. For some algorithm implementations it may cause crashes. + +This patch fixes this by ensuring that we only export and import on +sockets that have received data. + +Reported-by: Harsh Jain +Signed-off-by: Herbert Xu +Tested-by: Stephan Mueller +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algif_hash.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/crypto/algif_hash.c ++++ b/crypto/algif_hash.c +@@ -181,9 +181,14 @@ static int hash_accept(struct socket *so + struct sock *sk2; + struct alg_sock *ask2; + struct hash_ctx *ctx2; ++ bool more; + int err; + +- err = crypto_ahash_export(req, state); ++ lock_sock(sk); ++ more = ctx->more; ++ err = more ? crypto_ahash_export(req, state) : 0; ++ release_sock(sk); ++ + if (err) + return err; + +@@ -194,7 +199,10 @@ static int hash_accept(struct socket *so + sk2 = newsock->sk; + ask2 = alg_sk(sk2); + ctx2 = ask2->private; +- ctx2->more = 1; ++ ctx2->more = more; ++ ++ if (!more) ++ return err; + + err = crypto_ahash_import(&ctx2->req, state); + if (err) { diff --git a/queue-4.3/crypto-algif_skcipher-use-new-skcipher-interface.patch b/queue-4.3/crypto-algif_skcipher-use-new-skcipher-interface.patch new file mode 100644 index 00000000000..f3ed828e854 --- /dev/null +++ b/queue-4.3/crypto-algif_skcipher-use-new-skcipher-interface.patch @@ -0,0 +1,198 @@ +From 0d96e4bab2855a030077cc695a3563fd7cb0e7d8 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 18 Dec 2015 19:16:57 +0800 +Subject: crypto: algif_skcipher - Use new skcipher interface + +From: Herbert Xu + +commit 0d96e4bab2855a030077cc695a3563fd7cb0e7d8 upstream. + +This patch replaces uses of ablkcipher with the new skcipher +interface. + +Signed-off-by: Herbert Xu +Tested-by: +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algif_skcipher.c | 61 +++++++++++++++++++++++------------------------- + 1 file changed, 30 insertions(+), 31 deletions(-) + +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -47,7 +47,7 @@ struct skcipher_ctx { + bool merge; + bool enc; + +- struct ablkcipher_request req; ++ struct skcipher_request req; + }; + + struct skcipher_async_rsgl { +@@ -64,13 +64,13 @@ struct skcipher_async_req { + }; + + #define GET_SREQ(areq, ctx) (struct skcipher_async_req *)((char *)areq + \ +- crypto_ablkcipher_reqsize(crypto_ablkcipher_reqtfm(&ctx->req))) ++ crypto_skcipher_reqsize(crypto_skcipher_reqtfm(&ctx->req))) + + #define GET_REQ_SIZE(ctx) \ +- crypto_ablkcipher_reqsize(crypto_ablkcipher_reqtfm(&ctx->req)) ++ crypto_skcipher_reqsize(crypto_skcipher_reqtfm(&ctx->req)) + + #define GET_IV_SIZE(ctx) \ +- crypto_ablkcipher_ivsize(crypto_ablkcipher_reqtfm(&ctx->req)) ++ crypto_skcipher_ivsize(crypto_skcipher_reqtfm(&ctx->req)) + + #define MAX_SGL_ENTS ((4096 - sizeof(struct skcipher_sg_list)) / \ + sizeof(struct scatterlist) - 1) +@@ -302,8 +302,8 @@ static int skcipher_sendmsg(struct socke + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + struct skcipher_ctx *ctx = ask->private; +- struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(&ctx->req); +- unsigned ivsize = crypto_ablkcipher_ivsize(tfm); ++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(&ctx->req); ++ unsigned ivsize = crypto_skcipher_ivsize(tfm); + struct skcipher_sg_list *sgl; + struct af_alg_control con = {}; + long copied = 0; +@@ -507,7 +507,7 @@ static int skcipher_recvmsg_async(struct + struct skcipher_sg_list *sgl; + struct scatterlist *sg; + struct skcipher_async_req *sreq; +- struct ablkcipher_request *req; ++ struct skcipher_request *req; + struct skcipher_async_rsgl *last_rsgl = NULL; + unsigned int txbufs = 0, len = 0, tx_nents = skcipher_all_sg_nents(ctx); + unsigned int reqlen = sizeof(struct skcipher_async_req) + +@@ -531,9 +531,9 @@ static int skcipher_recvmsg_async(struct + } + sg_init_table(sreq->tsg, tx_nents); + memcpy(sreq->iv, ctx->iv, GET_IV_SIZE(ctx)); +- ablkcipher_request_set_tfm(req, crypto_ablkcipher_reqtfm(&ctx->req)); +- ablkcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, +- skcipher_async_cb, sk); ++ skcipher_request_set_tfm(req, crypto_skcipher_reqtfm(&ctx->req)); ++ skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, ++ skcipher_async_cb, sk); + + while (iov_iter_count(&msg->msg_iter)) { + struct skcipher_async_rsgl *rsgl; +@@ -608,10 +608,10 @@ static int skcipher_recvmsg_async(struct + if (mark) + sg_mark_end(sreq->tsg + txbufs - 1); + +- ablkcipher_request_set_crypt(req, sreq->tsg, sreq->first_sgl.sgl.sg, +- len, sreq->iv); +- err = ctx->enc ? crypto_ablkcipher_encrypt(req) : +- crypto_ablkcipher_decrypt(req); ++ skcipher_request_set_crypt(req, sreq->tsg, sreq->first_sgl.sgl.sg, ++ len, sreq->iv); ++ err = ctx->enc ? crypto_skcipher_encrypt(req) : ++ crypto_skcipher_decrypt(req); + if (err == -EINPROGRESS) { + atomic_inc(&ctx->inflight); + err = -EIOCBQUEUED; +@@ -632,7 +632,7 @@ static int skcipher_recvmsg_sync(struct + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + struct skcipher_ctx *ctx = ask->private; +- unsigned bs = crypto_ablkcipher_blocksize(crypto_ablkcipher_reqtfm( ++ unsigned bs = crypto_skcipher_blocksize(crypto_skcipher_reqtfm( + &ctx->req)); + struct skcipher_sg_list *sgl; + struct scatterlist *sg; +@@ -669,14 +669,13 @@ static int skcipher_recvmsg_sync(struct + if (!used) + goto free; + +- ablkcipher_request_set_crypt(&ctx->req, sg, +- ctx->rsgl.sg, used, +- ctx->iv); ++ skcipher_request_set_crypt(&ctx->req, sg, ctx->rsgl.sg, used, ++ ctx->iv); + + err = af_alg_wait_for_completion( + ctx->enc ? +- crypto_ablkcipher_encrypt(&ctx->req) : +- crypto_ablkcipher_decrypt(&ctx->req), ++ crypto_skcipher_encrypt(&ctx->req) : ++ crypto_skcipher_decrypt(&ctx->req), + &ctx->completion); + + free: +@@ -751,17 +750,17 @@ static struct proto_ops algif_skcipher_o + + static void *skcipher_bind(const char *name, u32 type, u32 mask) + { +- return crypto_alloc_ablkcipher(name, type, mask); ++ return crypto_alloc_skcipher(name, type, mask); + } + + static void skcipher_release(void *private) + { +- crypto_free_ablkcipher(private); ++ crypto_free_skcipher(private); + } + + static int skcipher_setkey(void *private, const u8 *key, unsigned int keylen) + { +- return crypto_ablkcipher_setkey(private, key, keylen); ++ return crypto_skcipher_setkey(private, key, keylen); + } + + static void skcipher_wait(struct sock *sk) +@@ -778,13 +777,13 @@ static void skcipher_sock_destruct(struc + { + struct alg_sock *ask = alg_sk(sk); + struct skcipher_ctx *ctx = ask->private; +- struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(&ctx->req); ++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(&ctx->req); + + if (atomic_read(&ctx->inflight)) + skcipher_wait(sk); + + skcipher_free_sgl(sk); +- sock_kzfree_s(sk, ctx->iv, crypto_ablkcipher_ivsize(tfm)); ++ sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm)); + sock_kfree_s(sk, ctx, ctx->len); + af_alg_release_parent(sk); + } +@@ -793,20 +792,20 @@ static int skcipher_accept_parent(void * + { + struct skcipher_ctx *ctx; + struct alg_sock *ask = alg_sk(sk); +- unsigned int len = sizeof(*ctx) + crypto_ablkcipher_reqsize(private); ++ unsigned int len = sizeof(*ctx) + crypto_skcipher_reqsize(private); + + ctx = sock_kmalloc(sk, len, GFP_KERNEL); + if (!ctx) + return -ENOMEM; + +- ctx->iv = sock_kmalloc(sk, crypto_ablkcipher_ivsize(private), ++ ctx->iv = sock_kmalloc(sk, crypto_skcipher_ivsize(private), + GFP_KERNEL); + if (!ctx->iv) { + sock_kfree_s(sk, ctx, len); + return -ENOMEM; + } + +- memset(ctx->iv, 0, crypto_ablkcipher_ivsize(private)); ++ memset(ctx->iv, 0, crypto_skcipher_ivsize(private)); + + INIT_LIST_HEAD(&ctx->tsgl); + ctx->len = len; +@@ -819,9 +818,9 @@ static int skcipher_accept_parent(void * + + ask->private = ctx; + +- ablkcipher_request_set_tfm(&ctx->req, private); +- ablkcipher_request_set_callback(&ctx->req, CRYPTO_TFM_REQ_MAY_BACKLOG, +- af_alg_complete, &ctx->completion); ++ skcipher_request_set_tfm(&ctx->req, private); ++ skcipher_request_set_callback(&ctx->req, CRYPTO_TFM_REQ_MAY_BACKLOG, ++ af_alg_complete, &ctx->completion); + + sk->sk_destruct = skcipher_sock_destruct; + diff --git a/queue-4.3/crypto-caam-fix-non-block-aligned-hash-calculation.patch b/queue-4.3/crypto-caam-fix-non-block-aligned-hash-calculation.patch new file mode 100644 index 00000000000..4789d732bf1 --- /dev/null +++ b/queue-4.3/crypto-caam-fix-non-block-aligned-hash-calculation.patch @@ -0,0 +1,74 @@ +From c7556ff7e3e4f2747583bcc787f12ec9460ec3a6 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Sun, 18 Oct 2015 17:51:20 +0100 +Subject: crypto: caam - fix non-block aligned hash calculation + +From: Russell King + +commit c7556ff7e3e4f2747583bcc787f12ec9460ec3a6 upstream. + +caam does not properly calculate the size of the retained state +when non-block aligned hashes are requested - it uses the wrong +buffer sizes, which results in errors such as: + +caam_jr 2102000.jr1: 40000501: DECO: desc idx 5: SGT Length Error. The descriptor is trying to read more data than is contained in the SGT table. + +We end up here with: + +in_len 0x46 blocksize 0x40 last_bufsize 0x0 next_bufsize 0x6 +to_hash 0x40 ctx_len 0x28 nbytes 0x20 + +which results in a job descriptor of: + +jobdesc@889: ed03d918: b0861c08 3daa0080 f1400000 3d03d938 +jobdesc@889: ed03d928: 00000068 f8400000 3cde2a40 00000028 + +where the word at 0xed03d928 is the expected data size (0x68), and a +scatterlist containing: + +sg@892: ed03d938: 00000000 3cde2a40 00000028 00000000 +sg@892: ed03d948: 00000000 3d03d100 00000006 00000000 +sg@892: ed03d958: 00000000 7e8aa700 40000020 00000000 + +0x68 comes from 0x28 (the context size) plus the "in_len" rounded down +to a block size (0x40). in_len comes from 0x26 bytes of unhashed data +from the previous operation, plus the 0x20 bytes from the latest +operation. + +The fixed version would create: + +sg@892: ed03d938: 00000000 3cde2a40 00000028 00000000 +sg@892: ed03d948: 00000000 3d03d100 00000026 00000000 +sg@892: ed03d958: 00000000 7e8aa700 40000020 00000000 + +which replaces the 0x06 length with the correct 0x26 bytes of previously +unhashed data. + +This fixes a previous commit which erroneously "fixed" this due to a +DMA-API bug report; that commit indicates that the bug was caused via a +test_ahash_pnum() function in the tcrypt module. No such function has +ever existed in the mainline kernel. Given that the change in this +commit has been tested with DMA API debug enabled and shows no issue, +I can only conclude that test_ahash_pnum() was triggering that bad +behaviour by CAAM. + +Fixes: 7d5196aba3c8 ("crypto: caam - Correct DMA unmap size in ahash_update_ctx()") +Signed-off-by: Russell King +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamhash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -829,7 +829,7 @@ static int ahash_update_ctx(struct ahash + state->buf_dma = try_buf_map_to_sec4_sg(jrdev, + edesc->sec4_sg + 1, + buf, state->buf_dma, +- *next_buflen, *buflen); ++ *buflen, last_buflen); + + if (src_nents) { + src_map_to_sec4_sg(jrdev, req->src, src_nents, diff --git a/queue-4.3/crypto-crc32c-pclmul-use-.rodata-instead-of-.rotata.patch b/queue-4.3/crypto-crc32c-pclmul-use-.rodata-instead-of-.rotata.patch new file mode 100644 index 00000000000..f9df08b01d2 --- /dev/null +++ b/queue-4.3/crypto-crc32c-pclmul-use-.rodata-instead-of-.rotata.patch @@ -0,0 +1,33 @@ +From 97bce7e0b58dfc7d159ded329f57961868fb060b Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Sun, 20 Sep 2015 16:42:36 +0200 +Subject: crypto: crc32c-pclmul - use .rodata instead of .rotata + +From: Nicolas Iooss + +commit 97bce7e0b58dfc7d159ded329f57961868fb060b upstream. + +Module crc32c-intel uses a special read-only data section named .rotata. +This section is defined for K_table, and its name seems to be a spelling +mistake for .rodata. + +Fixes: 473946e674eb ("crypto: crc32c-pclmul - Shrink K_table to 32-bit words") +Signed-off-by: Nicolas Iooss +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S ++++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S +@@ -330,7 +330,7 @@ ENDPROC(crc_pcl) + ## PCLMULQDQ tables + ## Table is 128 entries x 2 words (8 bytes) each + ################################################################ +-.section .rotata, "a", %progbits ++.section .rodata, "a", %progbits + .align 8 + K_table: + .long 0x493c7d27, 0x00000001 diff --git a/queue-4.3/crypto-nx-fix-timing-leak-in-gcm-and-ccm-decryption.patch b/queue-4.3/crypto-nx-fix-timing-leak-in-gcm-and-ccm-decryption.patch new file mode 100644 index 00000000000..7704dfff791 --- /dev/null +++ b/queue-4.3/crypto-nx-fix-timing-leak-in-gcm-and-ccm-decryption.patch @@ -0,0 +1,52 @@ +From cb8affb55c7e64816f3effcd9b2fc3268c016fac Mon Sep 17 00:00:00 2001 +From: David Gstir +Date: Sun, 15 Nov 2015 17:14:41 +0100 +Subject: crypto: nx - Fix timing leak in GCM and CCM decryption + +From: David Gstir + +commit cb8affb55c7e64816f3effcd9b2fc3268c016fac upstream. + +Using non-constant time memcmp() makes the verification of the authentication +tag in the decrypt path vulnerable to timing attacks. Fix this by using +crypto_memneq() instead. + +Signed-off-by: David Gstir +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/nx/nx-aes-ccm.c | 2 +- + drivers/crypto/nx/nx-aes-gcm.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/nx/nx-aes-ccm.c ++++ b/drivers/crypto/nx/nx-aes-ccm.c +@@ -409,7 +409,7 @@ static int ccm_nx_decrypt(struct aead_re + processed += to_process; + } while (processed < nbytes); + +- rc = memcmp(csbcpb->cpb.aes_ccm.out_pat_or_mac, priv->oauth_tag, ++ rc = crypto_memneq(csbcpb->cpb.aes_ccm.out_pat_or_mac, priv->oauth_tag, + authsize) ? -EBADMSG : 0; + out: + spin_unlock_irqrestore(&nx_ctx->lock, irq_flags); +--- a/drivers/crypto/nx/nx-aes-gcm.c ++++ b/drivers/crypto/nx/nx-aes-gcm.c +@@ -21,6 +21,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -418,7 +419,7 @@ mac: + itag, req->src, req->assoclen + nbytes, + crypto_aead_authsize(crypto_aead_reqtfm(req)), + SCATTERWALK_FROM_SG); +- rc = memcmp(itag, otag, ++ rc = crypto_memneq(itag, otag, + crypto_aead_authsize(crypto_aead_reqtfm(req))) ? + -EBADMSG : 0; + } diff --git a/queue-4.3/crypto-qat-don-t-use-userspace-pointer.patch b/queue-4.3/crypto-qat-don-t-use-userspace-pointer.patch new file mode 100644 index 00000000000..e1ce9b2184d --- /dev/null +++ b/queue-4.3/crypto-qat-don-t-use-userspace-pointer.patch @@ -0,0 +1,30 @@ +From 176155dac13f528e0a58c14dc322623219365d91 Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Wed, 21 Oct 2015 14:57:09 -0700 +Subject: crypto: qat - don't use userspace pointer + +From: Tadeusz Struk + +commit 176155dac13f528e0a58c14dc322623219365d91 upstream. + +Bugfix - don't dereference userspace pointer. + +Signed-off-by: Tadeusz Struk +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/qat/qat_common/adf_ctl_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/qat/qat_common/adf_ctl_drv.c ++++ b/drivers/crypto/qat/qat_common/adf_ctl_drv.c +@@ -198,7 +198,7 @@ static int adf_copy_key_value_data(struc + goto out_err; + } + +- params_head = section_head->params; ++ params_head = section.params; + + while (params_head) { + if (copy_from_user(&key_val, (void __user *)params_head, diff --git a/queue-4.3/crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch b/queue-4.3/crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch new file mode 100644 index 00000000000..7f5a33b0703 --- /dev/null +++ b/queue-4.3/crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch @@ -0,0 +1,62 @@ +From 70d906bc17500edfa9bdd8c8b7e59618c7911613 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sun, 6 Dec 2015 02:51:37 +0100 +Subject: crypto: skcipher - Copy iv from desc even for 0-len walks + +From: "Jason A. Donenfeld" + +commit 70d906bc17500edfa9bdd8c8b7e59618c7911613 upstream. + +Some ciphers actually support encrypting zero length plaintexts. For +example, many AEAD modes support this. The resulting ciphertext for +those winds up being only the authentication tag, which is a result of +the key, the iv, the additional data, and the fact that the plaintext +had zero length. The blkcipher constructors won't copy the IV to the +right place, however, when using a zero length input, resulting in +some significant problems when ciphers call their initialization +routines, only to find that the ->iv parameter is uninitialized. One +such example of this would be using chacha20poly1305 with a zero length +input, which then calls chacha20, which calls the key setup routine, +which eventually OOPSes due to the uninitialized ->iv member. + +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ablkcipher.c | 2 +- + crypto/blkcipher.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/crypto/ablkcipher.c ++++ b/crypto/ablkcipher.c +@@ -277,12 +277,12 @@ static int ablkcipher_walk_first(struct + if (WARN_ON_ONCE(in_irq())) + return -EDEADLK; + ++ walk->iv = req->info; + walk->nbytes = walk->total; + if (unlikely(!walk->total)) + return 0; + + walk->iv_buffer = NULL; +- walk->iv = req->info; + if (unlikely(((unsigned long)walk->iv & alignmask))) { + int err = ablkcipher_copy_iv(walk, tfm, alignmask); + +--- a/crypto/blkcipher.c ++++ b/crypto/blkcipher.c +@@ -326,12 +326,12 @@ static int blkcipher_walk_first(struct b + if (WARN_ON_ONCE(in_irq())) + return -EDEADLK; + ++ walk->iv = desc->info; + walk->nbytes = walk->total; + if (unlikely(!walk->total)) + return 0; + + walk->buffer = NULL; +- walk->iv = desc->info; + if (unlikely(((unsigned long)walk->iv & walk->alignmask))) { + int err = blkcipher_copy_iv(walk); + if (err) diff --git a/queue-4.3/crypto-sun4i-ss-add-missing-statesize.patch b/queue-4.3/crypto-sun4i-ss-add-missing-statesize.patch new file mode 100644 index 00000000000..784f22b3e01 --- /dev/null +++ b/queue-4.3/crypto-sun4i-ss-add-missing-statesize.patch @@ -0,0 +1,42 @@ +From 4f9ea86604e3ba64edd2817795798168fbb3c1a6 Mon Sep 17 00:00:00 2001 +From: LABBE Corentin +Date: Mon, 16 Nov 2015 09:35:54 +0100 +Subject: crypto: sun4i-ss - add missing statesize + +From: LABBE Corentin + +commit 4f9ea86604e3ba64edd2817795798168fbb3c1a6 upstream. + +sun4i-ss implementaton of md5/sha1 is via ahash algorithms. +Commit 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero") +made impossible to load them without giving statesize. This patch +specifiy statesize for sha1 and md5. + +Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") +Tested-by: Chen-Yu Tsai +Signed-off-by: LABBE Corentin +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/sunxi-ss/sun4i-ss-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c +@@ -39,6 +39,7 @@ static struct sun4i_ss_alg_template ss_a + .import = sun4i_hash_import_md5, + .halg = { + .digestsize = MD5_DIGEST_SIZE, ++ .statesize = sizeof(struct md5_state), + .base = { + .cra_name = "md5", + .cra_driver_name = "md5-sun4i-ss", +@@ -66,6 +67,7 @@ static struct sun4i_ss_alg_template ss_a + .import = sun4i_hash_import_sha1, + .halg = { + .digestsize = SHA1_DIGEST_SIZE, ++ .statesize = sizeof(struct sha1_state), + .base = { + .cra_name = "sha1", + .cra_driver_name = "sha1-sun4i-ss", diff --git a/queue-4.3/crypto-talitos-fix-timing-leak-in-esp-icv-verification.patch b/queue-4.3/crypto-talitos-fix-timing-leak-in-esp-icv-verification.patch new file mode 100644 index 00000000000..fb6024bc49e --- /dev/null +++ b/queue-4.3/crypto-talitos-fix-timing-leak-in-esp-icv-verification.patch @@ -0,0 +1,32 @@ +From 79960943fdc114fd4583c9ab164b5c89da7aa601 Mon Sep 17 00:00:00 2001 +From: David Gstir +Date: Sun, 15 Nov 2015 17:14:42 +0100 +Subject: crypto: talitos - Fix timing leak in ESP ICV verification + +From: David Gstir + +commit 79960943fdc114fd4583c9ab164b5c89da7aa601 upstream. + +Using non-constant time memcmp() makes the verification of the authentication +tag in the decrypt path vulnerable to timing attacks. Fix this by using +crypto_memneq() instead. + +Signed-off-by: David Gstir +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/talitos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1015,7 +1015,7 @@ static void ipsec_esp_decrypt_swauth_don + } else + oicv = (char *)&edesc->link_tbl[0]; + +- err = memcmp(oicv, icv, authsize) ? -EBADMSG : 0; ++ err = crypto_memneq(oicv, icv, authsize) ? -EBADMSG : 0; + } + + kfree(edesc); diff --git a/queue-4.3/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch b/queue-4.3/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch new file mode 100644 index 00000000000..c8f84e36ce1 --- /dev/null +++ b/queue-4.3/dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch @@ -0,0 +1,37 @@ +From 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Mon, 23 Nov 2015 16:24:45 -0500 +Subject: dm btree: fix leak of bufio-backed block in btree_split_sibling error path + +From: Mike Snitzer + +commit 30ce6e1cc5a0f781d60227e9096c86e188d2c2bd upstream. + +The block allocated at the start of btree_split_sibling() is never +released if later insert_at() fails. + +Fix this by releasing the previously allocated bufio block using +unlock_block(). + +Reported-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/persistent-data/dm-btree.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/md/persistent-data/dm-btree.c ++++ b/drivers/md/persistent-data/dm-btree.c +@@ -471,8 +471,10 @@ static int btree_split_sibling(struct sh + + r = insert_at(sizeof(__le64), pn, parent_index + 1, + le64_to_cpu(rn->keys[0]), &location); +- if (r) ++ if (r) { ++ unlock_block(s->info, right); + return r; ++ } + + if (key < le64_to_cpu(rn->keys[0])) { + unlock_block(s->info, right); diff --git a/queue-4.3/drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch b/queue-4.3/drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch new file mode 100644 index 00000000000..11a2deb39d9 --- /dev/null +++ b/queue-4.3/drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch @@ -0,0 +1,52 @@ +From 26bbe7ef6d5cdc7ec08cba6d433fca4060f258f3 Mon Sep 17 00:00:00 2001 +From: Seth Jennings +Date: Fri, 11 Dec 2015 13:40:57 -0800 +Subject: drivers/base/memory.c: prohibit offlining of memory blocks with missing sections + +From: Seth Jennings + +commit 26bbe7ef6d5cdc7ec08cba6d433fca4060f258f3 upstream. + +Commit bdee237c0343 ("x86: mm: Use 2GB memory block size on large-memory +x86-64 systems") and 982792c782ef ("x86, mm: probe memory block size for +generic x86 64bit") introduced large block sizes for x86. This made it +possible to have multiple sections per memory block where previously, +there was a only every one section per block. + +Since blocks consist of contiguous ranges of section, there can be holes +in the blocks where sections are not present. If one attempts to +offline such a block, a crash occurs since the code is not designed to +deal with this. + +This patch is a quick fix to gaurd against the crash by not allowing +blocks with non-present sections to be offlined. + +Addresses https://bugzilla.kernel.org/show_bug.cgi?id=107781 + +Signed-off-by: Seth Jennings +Reported-by: Andrew Banman +Cc: Daniel J Blueman +Cc: Yinghai Lu +Cc: Greg KH +Cc: Russ Anderson +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/memory.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -303,6 +303,10 @@ static int memory_subsys_offline(struct + if (mem->state == MEM_OFFLINE) + return 0; + ++ /* Can't offline block with non-present sections */ ++ if (mem->section_count != sections_per_block) ++ return -EINVAL; ++ + return memory_block_change_state(mem, MEM_OFFLINE, MEM_ONLINE); + } + diff --git a/queue-4.3/f2fs-crypto-allocate-buffer-for-decrypting-filename.patch b/queue-4.3/f2fs-crypto-allocate-buffer-for-decrypting-filename.patch new file mode 100644 index 00000000000..7b880385d89 --- /dev/null +++ b/queue-4.3/f2fs-crypto-allocate-buffer-for-decrypting-filename.patch @@ -0,0 +1,105 @@ +From 569cf1876a32e574ba8a7fb825cd91bafd003882 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Thu, 3 Sep 2015 13:38:23 -0700 +Subject: f2fs crypto: allocate buffer for decrypting filename + +From: Jaegeuk Kim + +commit 569cf1876a32e574ba8a7fb825cd91bafd003882 upstream. + +We got dentry pages from high_mem, and its address space directly goes into the +decryption path via f2fs_fname_disk_to_usr. +But, sg_init_one assumes the address is not from high_mem, so we can get this +panic since it doesn't call kmap_high but kunmap_high is triggered at the end. + +kernel BUG at ../../../../../../kernel/mm/highmem.c:290! +Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM +... + (kunmap_high+0xb0/0xb8) from [] (__kunmap_atomic+0xa0/0xa4) + (__kunmap_atomic+0xa0/0xa4) from [] (blkcipher_walk_done+0x128/0x1ec) + (blkcipher_walk_done+0x128/0x1ec) from [] (crypto_cbc_decrypt+0xc0/0x170) + (crypto_cbc_decrypt+0xc0/0x170) from [] (crypto_cts_decrypt+0xc0/0x114) + (crypto_cts_decrypt+0xc0/0x114) from [] (async_decrypt+0x40/0x48) + (async_decrypt+0x40/0x48) from [] (f2fs_fname_disk_to_usr+0x124/0x304) + (f2fs_fname_disk_to_usr+0x124/0x304) from [] (f2fs_fill_dentries+0xac/0x188) + (f2fs_fill_dentries+0xac/0x188) from [] (f2fs_readdir+0x1f0/0x300) + (f2fs_readdir+0x1f0/0x300) from [] (vfs_readdir+0x90/0xb4) + (vfs_readdir+0x90/0xb4) from [] (SyS_getdents64+0x64/0xcc) + (SyS_getdents64+0x64/0xcc) from [] (ret_fast_syscall+0x0/0x30) + +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman + +--- + fs/f2fs/dir.c | 13 ++++++++++--- + fs/f2fs/namei.c | 10 +++++++++- + 2 files changed, 19 insertions(+), 4 deletions(-) + +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -787,7 +787,6 @@ bool f2fs_fill_dentries(struct dir_conte + else + d_type = DT_UNKNOWN; + +- /* encrypted case */ + de_name.name = d->filename[bit_pos]; + de_name.len = le16_to_cpu(de->name_len); + +@@ -795,12 +794,20 @@ bool f2fs_fill_dentries(struct dir_conte + int save_len = fstr->len; + int ret; + ++ de_name.name = kmalloc(de_name.len, GFP_NOFS); ++ if (!de_name.name) ++ return false; ++ ++ memcpy(de_name.name, d->filename[bit_pos], de_name.len); ++ + ret = f2fs_fname_disk_to_usr(d->inode, &de->hash_code, + &de_name, fstr); +- de_name = *fstr; +- fstr->len = save_len; ++ kfree(de_name.name); + if (ret < 0) + return true; ++ ++ de_name = *fstr; ++ fstr->len = save_len; + } + + if (!dir_emit(ctx, de_name.name, de_name.len, +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -947,8 +947,13 @@ static const char *f2fs_encrypted_follow + + /* Symlink is encrypted */ + sd = (struct f2fs_encrypted_symlink_data *)caddr; +- cstr.name = sd->encrypted_path; + cstr.len = le16_to_cpu(sd->len); ++ cstr.name = kmalloc(cstr.len, GFP_NOFS); ++ if (!cstr.name) { ++ res = -ENOMEM; ++ goto errout; ++ } ++ memcpy(cstr.name, sd->encrypted_path, cstr.len); + + /* this is broken symlink case */ + if (cstr.name[0] == 0 && cstr.len == 0) { +@@ -970,6 +975,8 @@ static const char *f2fs_encrypted_follow + if (res < 0) + goto errout; + ++ kfree(cstr.name); ++ + paddr = pstr.name; + + /* Null-terminate the name */ +@@ -979,6 +986,7 @@ static const char *f2fs_encrypted_follow + page_cache_release(cpage); + return *cookie = paddr; + errout: ++ kfree(cstr.name); + f2fs_fname_crypto_free_buffer(&pstr); + kunmap(cpage); + page_cache_release(cpage); diff --git a/queue-4.3/hid-usbhid-fix-recursive-deadlock.patch b/queue-4.3/hid-usbhid-fix-recursive-deadlock.patch new file mode 100644 index 00000000000..e74292abbd5 --- /dev/null +++ b/queue-4.3/hid-usbhid-fix-recursive-deadlock.patch @@ -0,0 +1,61 @@ +From e470127e9606b1fa151c4184243e61296d1e0c0f Mon Sep 17 00:00:00 2001 +From: Ioan-Adrian Ratiu +Date: Fri, 20 Nov 2015 22:19:02 +0200 +Subject: HID: usbhid: fix recursive deadlock + +From: Ioan-Adrian Ratiu + +commit e470127e9606b1fa151c4184243e61296d1e0c0f upstream. + +The critical section protected by usbhid->lock in hid_ctrl() is too +big and because of this it causes a recursive deadlock. "Too big" means +the case statement and the call to hid_input_report() do not need to be +protected by the spinlock (no URB operations are done inside them). + +The deadlock happens because in certain rare cases drivers try to grab +the lock while handling the ctrl irq which grabs the lock before them +as described above. For example newer wacom tablets like 056a:033c try +to reschedule proximity reads from wacom_intuos_schedule_prox_event() +calling hid_hw_request() -> usbhid_request() -> usbhid_submit_report() +which tries to grab the usbhid lock already held by hid_ctrl(). + +There are two ways to get out of this deadlock: + 1. Make the drivers work "around" the ctrl critical region, in the + wacom case for ex. by delaying the scheduling of the proximity read + request itself to a workqueue. + 2. Shrink the critical region so the usbhid lock protects only the + instructions which modify usbhid state, calling hid_input_report() + with the spinlock unlocked, allowing the device driver to grab the + lock first, finish and then grab the lock afterwards in hid_ctrl(). + +This patch implements the 2nd solution. + +Signed-off-by: Ioan-Adrian Ratiu +Signed-off-by: Jiri Kosina +Signed-off-by: Jason Gerecke +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hid-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -477,8 +477,6 @@ static void hid_ctrl(struct urb *urb) + struct usbhid_device *usbhid = hid->driver_data; + int unplug = 0, status = urb->status; + +- spin_lock(&usbhid->lock); +- + switch (status) { + case 0: /* success */ + if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN) +@@ -498,6 +496,8 @@ static void hid_ctrl(struct urb *urb) + hid_warn(urb->dev, "ctrl urb status %d received\n", status); + } + ++ spin_lock(&usbhid->lock); ++ + if (unplug) { + usbhid->ctrltail = usbhid->ctrlhead; + } else { diff --git a/queue-4.3/nfsv4.1-pnfs-fixup-an-lo-plh_block_lgets-imbalance-in-layoutreturn.patch b/queue-4.3/nfsv4.1-pnfs-fixup-an-lo-plh_block_lgets-imbalance-in-layoutreturn.patch new file mode 100644 index 00000000000..d089191d6d7 --- /dev/null +++ b/queue-4.3/nfsv4.1-pnfs-fixup-an-lo-plh_block_lgets-imbalance-in-layoutreturn.patch @@ -0,0 +1,31 @@ +From 1a093ceb053832c25b92f3cf26b957543c7baf9b Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 28 Dec 2015 11:27:15 -0500 +Subject: NFSv4.1/pnfs: Fixup an lo->plh_block_lgets imbalance in layoutreturn + +From: Trond Myklebust + +commit 1a093ceb053832c25b92f3cf26b957543c7baf9b upstream. + +Since commit 2d8ae84fbc32, nothing is bumping lo->plh_block_lgets in the +layoutreturn path, so it should not be touched in nfs4_layoutreturn_release +either. + +Fixes: 2d8ae84fbc32 ("NFSv4.1/pnfs: Remove redundant lo->plh_block_lgets...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -8060,7 +8060,6 @@ static void nfs4_layoutreturn_release(vo + pnfs_set_layout_stateid(lo, &lrp->res.stateid, true); + pnfs_mark_matching_lsegs_invalid(lo, &freeme, &lrp->args.range); + pnfs_clear_layoutreturn_waitbit(lo); +- lo->plh_block_lgets--; + spin_unlock(&lo->plh_inode->i_lock); + pnfs_free_lseg_list(&freeme); + pnfs_put_layout_hdr(lrp->args.layout); diff --git a/queue-4.3/ocfs2-nfs-hangs-in-__ocfs2_cluster_lock-due-to-race-with-ocfs2_unblock_lock.patch b/queue-4.3/ocfs2-nfs-hangs-in-__ocfs2_cluster_lock-due-to-race-with-ocfs2_unblock_lock.patch new file mode 100644 index 00000000000..2b87cbf8c9c --- /dev/null +++ b/queue-4.3/ocfs2-nfs-hangs-in-__ocfs2_cluster_lock-due-to-race-with-ocfs2_unblock_lock.patch @@ -0,0 +1,93 @@ +From b1b1e15ef6b80facf76d6757649dfd7295eda29f Mon Sep 17 00:00:00 2001 +From: Tariq Saeed +Date: Thu, 21 Jan 2016 16:40:39 -0800 +Subject: ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock + +From: Tariq Saeed + +commit b1b1e15ef6b80facf76d6757649dfd7295eda29f upstream. + +NFS on a 2 node ocfs2 cluster each node exporting dir. The lock causing +the hang is the global bit map inode lock. Node 1 is master, has the +lock granted in PR mode; Node 2 is in the converting list (PR -> EX). +There are no holders of the lock on the master node so it should +downconvert to NL and grant EX to node 2 but that does not happen. +BLOCKED + QUEUED in lock res are set and it is on osb blocked list. +Threads are waiting in __ocfs2_cluster_lock on BLOCKED. One thread +wants EX, rest want PR. So it is as though the downconvert thread needs +to be kicked to complete the conv. + +The hang is caused by an EX req coming into __ocfs2_cluster_lock on the +heels of a PR req after it sets BUSY (drops l_lock, releasing EX +thread), forcing the incoming EX to wait on BUSY without doing anything. +PR has called ocfs2_dlm_lock, which sets the node 1 lock from NL -> PR, +queues ast. + +At this time, upconvert (PR ->EX) arrives from node 2, finds conflict +with node 1 lock in PR, so the lock res is put on dlm thread's dirty +listt. + +After ret from ocf2_dlm_lock, PR thread now waits behind EX on BUSY till +awoken by ast. + +Now it is dlm_thread that serially runs dlm_shuffle_lists, ast, bast, in +that order. dlm_shuffle_lists ques a bast on behalf of node 2 (which +will be run by dlm_thread right after the ast). ast does its part, sets +UPCONVERT_FINISHING, clears BUSY and wakes its waiters. Next, +dlm_thread runs bast. It sets BLOCKED and kicks dc thread. dc thread +runs ocfs2_unblock_lock, but since UPCONVERT_FINISHING set, skips doing +anything and reques. + +Inside of __ocfs2_cluster_lock, since EX has been waiting on BUSY ahead +of PR, it wakes up first, finds BLOCKED set and skips doing anything but +clearing UPCONVERT_FINISHING (which was actually "meant" for the PR +thread), and this time waits on BLOCKED. Next, the PR thread comes out +of wait but since UPCONVERT_FINISHING is not set, it skips updating the +l_ro_holders and goes straight to wait on BLOCKED. So there, we have a +hang! Threads in __ocfs2_cluster_lock wait on BLOCKED, lock res in osb +blocked list. Only when dc thread is awoken, it will run +ocfs2_unblock_lock and things will unhang. + +One way to fix this is to wake the dc thread on the flag after clearing +UPCONVERT_FINISHING + +Orabug: 20933419 +Signed-off-by: Tariq Saeed +Signed-off-by: Santosh Shilimkar +Reviewed-by: Wengang Wang +Reviewed-by: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Reviewed-by: Joseph Qi +Cc: Eric Ren +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/dlmglue.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ocfs2/dlmglue.c ++++ b/fs/ocfs2/dlmglue.c +@@ -1390,6 +1390,7 @@ static int __ocfs2_cluster_lock(struct o + unsigned int gen; + int noqueue_attempted = 0; + int dlm_locked = 0; ++ int kick_dc = 0; + + if (!(lockres->l_flags & OCFS2_LOCK_INITIALIZED)) { + mlog_errno(-EINVAL); +@@ -1524,7 +1525,12 @@ update_holders: + unlock: + lockres_clear_flags(lockres, OCFS2_LOCK_UPCONVERT_FINISHING); + ++ /* ocfs2_unblock_lock reques on seeing OCFS2_LOCK_UPCONVERT_FINISHING */ ++ kick_dc = (lockres->l_flags & OCFS2_LOCK_BLOCKED); ++ + spin_unlock_irqrestore(&lockres->l_lock, flags); ++ if (kick_dc) ++ ocfs2_wake_downconvert_thread(osb); + out: + /* + * This is helping work around a lock inversion between the page lock diff --git a/queue-4.3/series b/queue-4.3/series new file mode 100644 index 00000000000..ad741cceb29 --- /dev/null +++ b/queue-4.3/series @@ -0,0 +1,17 @@ +crypto-crc32c-pclmul-use-.rodata-instead-of-.rotata.patch +crypto-caam-fix-non-block-aligned-hash-calculation.patch +f2fs-crypto-allocate-buffer-for-decrypting-filename.patch +crypto-algif_hash-only-export-and-import-on-sockets-with-data.patch +crypto-qat-don-t-use-userspace-pointer.patch +crypto-nx-fix-timing-leak-in-gcm-and-ccm-decryption.patch +crypto-talitos-fix-timing-leak-in-esp-icv-verification.patch +crypto-skcipher-copy-iv-from-desc-even-for-0-len-walks.patch +crypto-algif_skcipher-use-new-skcipher-interface.patch +crypto-sun4i-ss-add-missing-statesize.patch +block-always-check-queue-limits-for-cloned-requests.patch +dm-btree-fix-leak-of-bufio-backed-block-in-btree_split_sibling-error-path.patch +drivers-base-memory.c-prohibit-offlining-of-memory-blocks-with-missing-sections.patch +block-ensure-to-split-after-potentially-bouncing-a-bio.patch +nfsv4.1-pnfs-fixup-an-lo-plh_block_lgets-imbalance-in-layoutreturn.patch +ocfs2-nfs-hangs-in-__ocfs2_cluster_lock-due-to-race-with-ocfs2_unblock_lock.patch +hid-usbhid-fix-recursive-deadlock.patch