From: Greg Kroah-Hartman Date: Tue, 16 Oct 2018 14:06:37 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.9.134~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6db4d89915c773cc5f729e69954512b820a14619;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch --- diff --git a/queue-4.9/ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch b/queue-4.9/ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch new file mode 100644 index 00000000000..148427e703c --- /dev/null +++ b/queue-4.9/ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch @@ -0,0 +1,135 @@ +From 8bc1379b82b8e809eef77a9fedbb75c6c297be19 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 16 Jun 2018 23:41:59 -0400 +Subject: ext4: avoid running out of journal credits when appending to an inline file + +From: Theodore Ts'o + +commit 8bc1379b82b8e809eef77a9fedbb75c6c297be19 upstream. + +Use a separate journal transaction if it turns out that we need to +convert an inline file to use an data block. Otherwise we could end +up failing due to not having journal credits. + +This addresses CVE-2018-10883. + +https://bugzilla.kernel.org/show_bug.cgi?id=200071 + +Change-Id: Ifbe92e379f7a25fb252a2584356ccb91f902ea8f +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +[fengc@google.com: 4.4 and 4.9 backport: adjust context] +Signed-off-by: Chenbo Feng +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ext4.h | 3 --- + fs/ext4/inline.c | 38 +------------------------------------- + fs/ext4/xattr.c | 18 ++---------------- + 3 files changed, 3 insertions(+), 56 deletions(-) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 43e27d8ec770..567a6c7af677 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -3038,9 +3038,6 @@ extern struct buffer_head *ext4_get_first_inline_block(struct inode *inode, + extern int ext4_inline_data_fiemap(struct inode *inode, + struct fiemap_extent_info *fieinfo, + int *has_inline, __u64 start, __u64 len); +-extern int ext4_try_to_evict_inline_data(handle_t *handle, +- struct inode *inode, +- int needed); + extern void ext4_inline_data_truncate(struct inode *inode, int *has_inline); + + extern int ext4_convert_inline_data(struct inode *inode); +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 211539a7adfc..6779a9f1de3b 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -889,11 +889,11 @@ int ext4_da_write_inline_data_begin(struct address_space *mapping, + flags |= AOP_FLAG_NOFS; + + if (ret == -ENOSPC) { ++ ext4_journal_stop(handle); + ret = ext4_da_convert_inline_data_to_extent(mapping, + inode, + flags, + fsdata); +- ext4_journal_stop(handle); + if (ret == -ENOSPC && + ext4_should_retry_alloc(inode->i_sb, &retries)) + goto retry_journal; +@@ -1865,42 +1865,6 @@ int ext4_inline_data_fiemap(struct inode *inode, + return (error < 0 ? error : 0); + } + +-/* +- * Called during xattr set, and if we can sparse space 'needed', +- * just create the extent tree evict the data to the outer block. +- * +- * We use jbd2 instead of page cache to move data to the 1st block +- * so that the whole transaction can be committed as a whole and +- * the data isn't lost because of the delayed page cache write. +- */ +-int ext4_try_to_evict_inline_data(handle_t *handle, +- struct inode *inode, +- int needed) +-{ +- int error; +- struct ext4_xattr_entry *entry; +- struct ext4_inode *raw_inode; +- struct ext4_iloc iloc; +- +- error = ext4_get_inode_loc(inode, &iloc); +- if (error) +- return error; +- +- raw_inode = ext4_raw_inode(&iloc); +- entry = (struct ext4_xattr_entry *)((void *)raw_inode + +- EXT4_I(inode)->i_inline_off); +- if (EXT4_XATTR_LEN(entry->e_name_len) + +- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) { +- error = -ENOSPC; +- goto out; +- } +- +- error = ext4_convert_inline_data_nolock(handle, inode, &iloc); +-out: +- brelse(iloc.bh); +- return error; +-} +- + void ext4_inline_data_truncate(struct inode *inode, int *has_inline) + { + handle_t *handle; +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index c19c96840480..3b402c86565a 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1080,22 +1080,8 @@ int ext4_xattr_ibody_inline_set(handle_t *handle, struct inode *inode, + if (EXT4_I(inode)->i_extra_isize == 0) + return -ENOSPC; + error = ext4_xattr_set_entry(i, s); +- if (error) { +- if (error == -ENOSPC && +- ext4_has_inline_data(inode)) { +- error = ext4_try_to_evict_inline_data(handle, inode, +- EXT4_XATTR_LEN(strlen(i->name) + +- EXT4_XATTR_SIZE(i->value_len))); +- if (error) +- return error; +- error = ext4_xattr_ibody_find(inode, i, is); +- if (error) +- return error; +- error = ext4_xattr_set_entry(i, s); +- } +- if (error) +- return error; +- } ++ if (error) ++ return error; + header = IHDR(inode, ext4_raw_inode(&is->iloc)); + if (!IS_LAST_ENTRY(s->first)) { + header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC); +-- +2.19.0.605.g01d371f741-goog + diff --git a/queue-4.9/i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch b/queue-4.9/i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch new file mode 100644 index 00000000000..3c444d77a3e --- /dev/null +++ b/queue-4.9/i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch @@ -0,0 +1,60 @@ +From 08d9db00fe0e300d6df976e6c294f974988226dd Mon Sep 17 00:00:00 2001 +From: Edgar Cherkasov +Date: Thu, 27 Sep 2018 11:56:03 +0300 +Subject: i2c: i2c-scmi: fix for i2c_smbus_write_block_data + +From: Edgar Cherkasov + +commit 08d9db00fe0e300d6df976e6c294f974988226dd upstream. + +The i2c-scmi driver crashes when the SMBus Write Block transaction is +executed: + +WARNING: CPU: 9 PID: 2194 at mm/page_alloc.c:3931 __alloc_pages_slowpath+0x9db/0xec0 + Call Trace: + ? get_page_from_freelist+0x49d/0x11f0 + ? alloc_pages_current+0x6a/0xe0 + ? new_slab+0x499/0x690 + __alloc_pages_nodemask+0x265/0x280 + alloc_pages_current+0x6a/0xe0 + kmalloc_order+0x18/0x40 + kmalloc_order_trace+0x24/0xb0 + ? acpi_ut_allocate_object_desc_dbg+0x62/0x10c + __kmalloc+0x203/0x220 + acpi_os_allocate_zeroed+0x34/0x36 + acpi_ut_copy_eobject_to_iobject+0x266/0x31e + acpi_evaluate_object+0x166/0x3b2 + acpi_smbus_cmi_access+0x144/0x530 [i2c_scmi] + i2c_smbus_xfer+0xda/0x370 + i2cdev_ioctl_smbus+0x1bd/0x270 + i2cdev_ioctl+0xaa/0x250 + do_vfs_ioctl+0xa4/0x600 + SyS_ioctl+0x79/0x90 + do_syscall_64+0x73/0x130 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +ACPI Error: Evaluating _SBW: 4 (20170831/smbus_cmi-185) + +This problem occurs because the length of ACPI Buffer object is not +defined/initialized in the code before a corresponding ACPI method is +called. The obvious patch below fixes this issue. + +Signed-off-by: Edgar Cherkasov +Acked-by: Viktor Krasnov +Acked-by: Michael Brunner +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-scmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/i2c/busses/i2c-scmi.c ++++ b/drivers/i2c/busses/i2c-scmi.c +@@ -152,6 +152,7 @@ acpi_smbus_cmi_access(struct i2c_adapter + mt_params[3].type = ACPI_TYPE_INTEGER; + mt_params[3].integer.value = len; + mt_params[4].type = ACPI_TYPE_BUFFER; ++ mt_params[4].buffer.length = len; + mt_params[4].buffer.pointer = data->block + 1; + } + break; diff --git a/queue-4.9/series b/queue-4.9/series index 9092545eb24..ef6a1ddee1d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -17,3 +17,6 @@ mips-vdso-always-map-near-top-of-user-memory.patch mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch mm-preserve-_page_devmap-across-mprotect-calls.patch +i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch +xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch +ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch diff --git a/queue-4.9/xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch b/queue-4.9/xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch new file mode 100644 index 00000000000..303a827afe8 --- /dev/null +++ b/queue-4.9/xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch @@ -0,0 +1,61 @@ +From 1208d8a84fdcae6b395c57911cdf907450d30e70 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 12 Feb 2018 14:24:47 +0200 +Subject: xhci: Don't print a warning when setting link state for disabled ports + +From: Mathias Nyman + +commit 1208d8a84fdcae6b395c57911cdf907450d30e70 upstream. + +When disabling a USB3 port the hub driver will set the port link state to +U3 to prevent "ejected" or "safely removed" devices that are still +physically connected from immediately re-enumerating. + +If the device was really unplugged, then error messages were printed +as the hub tries to set the U3 link state for a port that is no longer +enabled. + +xhci-hcd ee000000.usb: Cannot set link state. +usb usb8-port1: cannot disable (err = -32) + +Don't print error message in xhci-hub if hub tries to set port link state +for a disabled port. Return -ENODEV instead which also silences hub driver. + +Signed-off-by: Mathias Nyman +Tested-by: Yoshihiro Shimoda +Signed-off-by: Ross Zwisler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-hub.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -1072,17 +1072,17 @@ int xhci_hub_control(struct usb_hcd *hcd + temp = readl(port_array[wIndex]); + break; + } +- +- /* Software should not attempt to set +- * port link state above '3' (U3) and the port +- * must be enabled. +- */ +- if ((temp & PORT_PE) == 0 || +- (link_state > USB_SS_PORT_LS_U3)) { +- xhci_warn(xhci, "Cannot set link state.\n"); ++ /* Port must be enabled */ ++ if (!(temp & PORT_PE)) { ++ retval = -ENODEV; ++ break; ++ } ++ /* Can't set port link state above '3' (U3) */ ++ if (link_state > USB_SS_PORT_LS_U3) { ++ xhci_warn(xhci, "Cannot set port %d link state %d\n", ++ wIndex, link_state); + goto error; + } +- + if (link_state == USB_SS_PORT_LS_U3) { + slot_id = xhci_find_slot_id_by_port(hcd, xhci, + wIndex + 1);