From: Greg Kroah-Hartman Date: Sun, 16 Sep 2018 12:31:33 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v4.18.9~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f9b40c56d2abf55c55cc2068c6d925f1b42f349;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: android-binder-fix-the-race-mmap-and-alloc_new_buf_locked.patch arm64-kvm-only-force-fpexc32_el2.en-if-trapping-fpsimd.patch block-bfq-swap-puts-in-bfqg_and_blkg_put.patch block-don-t-warn-when-doing-fsync-on-read-only-devices.patch btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch btrfs-fix-qgroup_free-wrong-num_bytes-in-btrfs_subvolume_reserve_metadata.patch cifs-connect-to-servername-instead-of-ip-for-ipc-share.patch hid-core-fix-grouping-by-application.patch hid-i2c-hid-fix-flooded-incomplete-report-after-s3-on-rayd-touchscreen.patch hid-input-fix-leaking-custom-input-node-name.patch hid-multitouch-fix-elan-panels-with-2-input-modes-declaration.patch i2c-i801-fix-dnv-s-smbctrl-register-offset.patch i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch kvm-arm-arm64-clean-dcache-to-poc-when-changing-pte-due-to-cow.patch kvm-ppc-book3s-hv-use-correct-pagesize-in-kvm_unmap_radix.patch kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch kvm-x86-default-to-not-allowing-emulation-retry-in-kvm_mmu_page_fault.patch kvm-x86-do-not-re-try-execute-after-failed-emulation-in-l2.patch kvm-x86-invert-emulation-re-execute-behavior-to-make-it-opt-in.patch kvm-x86-merge-emultype_retry-and-emultype_allow_reexecute.patch kvm-x86-svm-set-emultype_no_reexecute-for-rsm-emulation.patch mac80211-don-t-update-the-pm-state-of-a-peer-upon-a-multicast-frame.patch memory_hotplug-fix-kernel_panic-on-offline-page-processing.patch mips-vdso-match-data-page-cache-colouring-when-d-aliases.patch mm-hugetlb-filter-out-hugetlb-pages-if-hugepage-migration-is-not-supported.patch nbd-don-t-allow-invalid-blocksize-settings.patch scsi-lpfc-correct-mds-diag-and-nvmet-configuration.patch smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch smb3-check-for-and-properly-advertise-directory-lease-support.patch --- diff --git a/queue-4.18/android-binder-fix-the-race-mmap-and-alloc_new_buf_locked.patch b/queue-4.18/android-binder-fix-the-race-mmap-and-alloc_new_buf_locked.patch new file mode 100644 index 00000000000..68ecec8a2fe --- /dev/null +++ b/queue-4.18/android-binder-fix-the-race-mmap-and-alloc_new_buf_locked.patch @@ -0,0 +1,181 @@ +From da1b9564e85b1d7baf66cbfabcab27e183a1db63 Mon Sep 17 00:00:00 2001 +From: Minchan Kim +Date: Thu, 23 Aug 2018 14:29:56 +0900 +Subject: android: binder: fix the race mmap and alloc_new_buf_locked + +From: Minchan Kim + +commit da1b9564e85b1d7baf66cbfabcab27e183a1db63 upstream. + +There is RaceFuzzer report like below because we have no lock to close +below the race between binder_mmap and binder_alloc_new_buf_locked. +To close the race, let's use memory barrier so that if someone see +alloc->vma is not NULL, alloc->vma_vm_mm should be never NULL. + +(I didn't add stable mark intentionallybecause standard android +userspace libraries that interact with binder (libbinder & libhwbinder) +prevent the mmap/ioctl race. - from Todd) + +" +Thread interleaving: +CPU0 (binder_alloc_mmap_handler) CPU1 (binder_alloc_new_buf_locked) +===== ===== +// drivers/android/binder_alloc.c +// #L718 (v4.18-rc3) +alloc->vma = vma; + // drivers/android/binder_alloc.c + // #L346 (v4.18-rc3) + if (alloc->vma == NULL) { + ... + // alloc->vma is not NULL at this point + return ERR_PTR(-ESRCH); + } + ... + // #L438 + binder_update_page_range(alloc, 0, + (void *)PAGE_ALIGN((uintptr_t)buffer->data), + end_page_addr); + + // In binder_update_page_range() #L218 + // But still alloc->vma_vm_mm is NULL here + if (need_mm && mmget_not_zero(alloc->vma_vm_mm)) +alloc->vma_vm_mm = vma->vm_mm; + +Crash Log: +================================================================== +BUG: KASAN: null-ptr-deref in __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline] +BUG: KASAN: null-ptr-deref in atomic_add_unless include/linux/atomic.h:533 [inline] +BUG: KASAN: null-ptr-deref in mmget_not_zero include/linux/sched/mm.h:75 [inline] +BUG: KASAN: null-ptr-deref in binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218 +Write of size 4 at addr 0000000000000058 by task syz-executor0/11184 + +CPU: 1 PID: 11184 Comm: syz-executor0 Not tainted 4.18.0-rc3 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x16e/0x22c lib/dump_stack.c:113 + kasan_report_error mm/kasan/report.c:352 [inline] + kasan_report+0x163/0x380 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x140/0x1a0 mm/kasan/kasan.c:267 + kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278 + __atomic_add_unless include/asm-generic/atomic-instrumented.h:89 [inline] + atomic_add_unless include/linux/atomic.h:533 [inline] + mmget_not_zero include/linux/sched/mm.h:75 [inline] + binder_update_page_range+0xece/0x18e0 drivers/android/binder_alloc.c:218 + binder_alloc_new_buf_locked drivers/android/binder_alloc.c:443 [inline] + binder_alloc_new_buf+0x467/0xc30 drivers/android/binder_alloc.c:513 + binder_transaction+0x125b/0x4fb0 drivers/android/binder.c:2957 + binder_thread_write+0xc08/0x2770 drivers/android/binder.c:3528 + binder_ioctl_write_read.isra.39+0x24f/0x8e0 drivers/android/binder.c:4456 + binder_ioctl+0xa86/0xf34 drivers/android/binder.c:4596 + vfs_ioctl fs/ioctl.c:46 [inline] + do_vfs_ioctl+0x154/0xd40 fs/ioctl.c:686 + ksys_ioctl+0x94/0xb0 fs/ioctl.c:701 + __do_sys_ioctl fs/ioctl.c:708 [inline] + __se_sys_ioctl fs/ioctl.c:706 [inline] + __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:706 + do_syscall_64+0x167/0x4b0 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +" + +Signed-off-by: Todd Kjos +Signed-off-by: Minchan Kim +Reviewed-by: Martijn Coenen +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder_alloc.c | 43 +++++++++++++++++++++++++++++++++-------- + 1 file changed, 35 insertions(+), 8 deletions(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -327,6 +327,35 @@ err_no_vma: + return vma ? -ENOMEM : -ESRCH; + } + ++ ++static inline void binder_alloc_set_vma(struct binder_alloc *alloc, ++ struct vm_area_struct *vma) ++{ ++ if (vma) ++ alloc->vma_vm_mm = vma->vm_mm; ++ /* ++ * If we see alloc->vma is not NULL, buffer data structures set up ++ * completely. Look at smp_rmb side binder_alloc_get_vma. ++ * We also want to guarantee new alloc->vma_vm_mm is always visible ++ * if alloc->vma is set. ++ */ ++ smp_wmb(); ++ alloc->vma = vma; ++} ++ ++static inline struct vm_area_struct *binder_alloc_get_vma( ++ struct binder_alloc *alloc) ++{ ++ struct vm_area_struct *vma = NULL; ++ ++ if (alloc->vma) { ++ /* Look at description in binder_alloc_set_vma */ ++ smp_rmb(); ++ vma = alloc->vma; ++ } ++ return vma; ++} ++ + static struct binder_buffer *binder_alloc_new_buf_locked( + struct binder_alloc *alloc, + size_t data_size, +@@ -343,7 +372,7 @@ static struct binder_buffer *binder_allo + size_t size, data_offsets_size; + int ret; + +- if (alloc->vma == NULL) { ++ if (!binder_alloc_get_vma(alloc)) { + pr_err("%d: binder_alloc_buf, no vma\n", + alloc->pid); + return ERR_PTR(-ESRCH); +@@ -714,9 +743,7 @@ int binder_alloc_mmap_handler(struct bin + buffer->free = 1; + binder_insert_free_buffer(alloc, buffer); + alloc->free_async_space = alloc->buffer_size / 2; +- barrier(); +- alloc->vma = vma; +- alloc->vma_vm_mm = vma->vm_mm; ++ binder_alloc_set_vma(alloc, vma); + mmgrab(alloc->vma_vm_mm); + + return 0; +@@ -743,10 +770,10 @@ void binder_alloc_deferred_release(struc + int buffers, page_count; + struct binder_buffer *buffer; + +- BUG_ON(alloc->vma); +- + buffers = 0; + mutex_lock(&alloc->mutex); ++ BUG_ON(alloc->vma); ++ + while ((n = rb_first(&alloc->allocated_buffers))) { + buffer = rb_entry(n, struct binder_buffer, rb_node); + +@@ -889,7 +916,7 @@ int binder_alloc_get_allocated_count(str + */ + void binder_alloc_vma_close(struct binder_alloc *alloc) + { +- WRITE_ONCE(alloc->vma, NULL); ++ binder_alloc_set_vma(alloc, NULL); + } + + /** +@@ -924,7 +951,7 @@ enum lru_status binder_alloc_free_page(s + + index = page - alloc->pages; + page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE; +- vma = alloc->vma; ++ vma = binder_alloc_get_vma(alloc); + if (vma) { + if (!mmget_not_zero(alloc->vma_vm_mm)) + goto err_mmget; diff --git a/queue-4.18/arm64-kvm-only-force-fpexc32_el2.en-if-trapping-fpsimd.patch b/queue-4.18/arm64-kvm-only-force-fpexc32_el2.en-if-trapping-fpsimd.patch new file mode 100644 index 00000000000..6fe61874f15 --- /dev/null +++ b/queue-4.18/arm64-kvm-only-force-fpexc32_el2.en-if-trapping-fpsimd.patch @@ -0,0 +1,68 @@ +From 7d14919c0d475a795c0127631ac8ecb2b0f31831 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 23 Aug 2018 11:51:43 +0100 +Subject: arm64: KVM: Only force FPEXC32_EL2.EN if trapping FPSIMD + +From: Marc Zyngier + +commit 7d14919c0d475a795c0127631ac8ecb2b0f31831 upstream. + +If trapping FPSIMD in the context of an AArch32 guest, it is critical +to set FPEXC32_EL2.EN to 1 so that the trapping is taken to EL2 and +not EL1. + +Conversely, it is just as critical *not* to set FPEXC32_EL2.EN to 1 +if we're not going to trap FPSIMD, as we then corrupt the existing +VFP state. + +Moving the call to __activate_traps_fpsimd32 to the point where we +know for sure that we are going to trap ensures that we don't set that +bit spuriously. + +Fixes: e6b673b741ea ("KVM: arm64: Optimise FPSIMD handling to reduce guest/host thrashing") +Cc: stable@vger.kernel.org # v4.18 +Cc: Dave Martin +Reported-by: Alexander Graf +Tested-by: Alexander Graf +Signed-off-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/hyp/switch.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -98,8 +98,10 @@ static void activate_traps_vhe(struct kv + val = read_sysreg(cpacr_el1); + val |= CPACR_EL1_TTA; + val &= ~CPACR_EL1_ZEN; +- if (!update_fp_enabled(vcpu)) ++ if (!update_fp_enabled(vcpu)) { + val &= ~CPACR_EL1_FPEN; ++ __activate_traps_fpsimd32(vcpu); ++ } + + write_sysreg(val, cpacr_el1); + +@@ -114,8 +116,10 @@ static void __hyp_text __activate_traps_ + + val = CPTR_EL2_DEFAULT; + val |= CPTR_EL2_TTA | CPTR_EL2_TZ; +- if (!update_fp_enabled(vcpu)) ++ if (!update_fp_enabled(vcpu)) { + val |= CPTR_EL2_TFP; ++ __activate_traps_fpsimd32(vcpu); ++ } + + write_sysreg(val, cptr_el2); + } +@@ -129,7 +133,6 @@ static void __hyp_text __activate_traps( + if (cpus_have_const_cap(ARM64_HAS_RAS_EXTN) && (hcr & HCR_VSE)) + write_sysreg_s(vcpu->arch.vsesr_el2, SYS_VSESR_EL2); + +- __activate_traps_fpsimd32(vcpu); + if (has_vhe()) + activate_traps_vhe(vcpu); + else diff --git a/queue-4.18/block-bfq-swap-puts-in-bfqg_and_blkg_put.patch b/queue-4.18/block-bfq-swap-puts-in-bfqg_and_blkg_put.patch new file mode 100644 index 00000000000..84ee8168f0a --- /dev/null +++ b/queue-4.18/block-bfq-swap-puts-in-bfqg_and_blkg_put.patch @@ -0,0 +1,35 @@ +From d5274b3cd6a814ccb2f56d81ee87cbbf51bd4cf7 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Thu, 6 Sep 2018 11:05:44 +0300 +Subject: block: bfq: swap puts in bfqg_and_blkg_put + +From: Konstantin Khlebnikov + +commit d5274b3cd6a814ccb2f56d81ee87cbbf51bd4cf7 upstream. + +Fix trivial use-after-free. This could be last reference to bfqg. + +Fixes: 8f9bebc33dd7 ("block, bfq: access and cache blkg data only when safe") +Acked-by: Paolo Valente +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/bfq-cgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -275,9 +275,9 @@ static void bfqg_and_blkg_get(struct bfq + + void bfqg_and_blkg_put(struct bfq_group *bfqg) + { +- bfqg_put(bfqg); +- + blkg_put(bfqg_to_blkg(bfqg)); ++ ++ bfqg_put(bfqg); + } + + /* @stats = 0 */ diff --git a/queue-4.18/block-don-t-warn-when-doing-fsync-on-read-only-devices.patch b/queue-4.18/block-don-t-warn-when-doing-fsync-on-read-only-devices.patch new file mode 100644 index 00000000000..3cb7b019a8d --- /dev/null +++ b/queue-4.18/block-don-t-warn-when-doing-fsync-on-read-only-devices.patch @@ -0,0 +1,43 @@ +From 8b2ded1c94c06f841f8c1612bcfa33c85012a36b Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 5 Sep 2018 16:14:36 -0600 +Subject: block: don't warn when doing fsync on read-only devices + +From: Mikulas Patocka + +commit 8b2ded1c94c06f841f8c1612bcfa33c85012a36b upstream. + +It is possible to call fsync on a read-only handle (for example, fsck.ext2 +does it when doing read-only check), and this call results in kernel +warning. + +The patch b089cfd95d32 ("block: don't warn for flush on read-only device") +attempted to disable the warning, but it is buggy and it doesn't +(op_is_flush tests flags, but bio_op strips off the flags). + +Signed-off-by: Mikulas Patocka +Fixes: 721c7fc701c7 ("block: fail op_is_write() requests to read-only partitions") +Cc: stable@vger.kernel.org # 4.18 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -2161,9 +2161,12 @@ static inline bool bio_check_ro(struct b + { + const int op = bio_op(bio); + +- if (part->policy && (op_is_write(op) && !op_is_flush(op))) { ++ if (part->policy && op_is_write(op)) { + char b[BDEVNAME_SIZE]; + ++ if (op_is_flush(bio->bi_opf) && !bio_sectors(bio)) ++ return false; ++ + WARN_ONCE(1, + "generic_make_request: Trying to write " + "to read-only block-device %s (partno %d)\n", diff --git a/queue-4.18/btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch b/queue-4.18/btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch new file mode 100644 index 00000000000..039f785f0fa --- /dev/null +++ b/queue-4.18/btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch @@ -0,0 +1,126 @@ +From de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 17 Aug 2018 09:38:59 +0100 +Subject: Btrfs: fix data corruption when deduplicating between different files + +From: Filipe Manana + +commit de02b9f6bb65a6a1848f346f7a3617b7a9b930c0 upstream. + +If we deduplicate extents between two different files we can end up +corrupting data if the source range ends at the size of the source file, +the source file's size is not aligned to the filesystem's block size +and the destination range does not go past the size of the destination +file size. + +Example: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + + $ xfs_io -f -c "pwrite -S 0x6b 0 2518890" /mnt/foo + # The first byte with a value of 0xae starts at an offset (2518890) + # which is not a multiple of the sector size. + $ xfs_io -c "pwrite -S 0xae 2518890 102398" /mnt/foo + + # Confirm the file content is full of bytes with values 0x6b and 0xae. + $ od -t x1 /mnt/foo + 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b + * + 11467540 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ae ae ae ae ae ae + 11467560 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae + * + 11777540 ae ae ae ae ae ae ae ae + 11777550 + + # Create a second file with a length not aligned to the sector size, + # whose bytes all have the value 0x6b, so that its extent(s) can be + # deduplicated with the first file. + $ xfs_io -f -c "pwrite -S 0x6b 0 557771" /mnt/bar + + # Now deduplicate the entire second file into a range of the first file + # that also has all bytes with the value 0x6b. The destination range's + # end offset must not be aligned to the sector size and must be less + # then the offset of the first byte with the value 0xae (byte at offset + # 2518890). + $ xfs_io -c "dedupe /mnt/bar 0 1957888 557771" /mnt/foo + + # The bytes in the range starting at offset 2515659 (end of the + # deduplication range) and ending at offset 2519040 (start offset + # rounded up to the block size) must all have the value 0xae (and not + # replaced with 0x00 values). In other words, we should have exactly + # the same data we had before we asked for deduplication. + $ od -t x1 /mnt/foo + 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b + * + 11467540 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ae ae ae ae ae ae + 11467560 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae + * + 11777540 ae ae ae ae ae ae ae ae + 11777550 + + # Unmount the filesystem and mount it again. This guarantees any file + # data in the page cache is dropped. + $ umount /dev/sdb + $ mount /dev/sdb /mnt + + $ od -t x1 /mnt/foo + 0000000 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b + * + 11461300 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 00 + 11461320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + * + 11470000 ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae ae + * + 11777540 ae ae ae ae ae ae ae ae + 11777550 + + # The bytes in range 2515659 to 2519040 have a value of 0x00 and not a + # value of 0xae, data corruption happened due to the deduplication + # operation. + +So fix this by rounding down, to the sector size, the length used for the +deduplication when the following conditions are met: + + 1) Source file's range ends at its i_size; + 2) Source file's i_size is not aligned to the sector size; + 3) Destination range does not cross the i_size of the destination file. + +Fixes: e1d227a42ea2 ("btrfs: Handle unaligned length in extent_same") +CC: stable@vger.kernel.org # 4.2+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3463,6 +3463,25 @@ static int btrfs_extent_same_range(struc + + same_lock_start = min_t(u64, loff, dst_loff); + same_lock_len = max_t(u64, loff, dst_loff) + len - same_lock_start; ++ } else { ++ /* ++ * If the source and destination inodes are different, the ++ * source's range end offset matches the source's i_size, that ++ * i_size is not a multiple of the sector size, and the ++ * destination range does not go past the destination's i_size, ++ * we must round down the length to the nearest sector size ++ * multiple. If we don't do this adjustment we end replacing ++ * with zeroes the bytes in the range that starts at the ++ * deduplication range's end offset and ends at the next sector ++ * size multiple. ++ */ ++ if (loff + olen == i_size_read(src) && ++ dst_loff + len < i_size_read(dst)) { ++ const u64 sz = BTRFS_I(src)->root->fs_info->sectorsize; ++ ++ len = round_down(i_size_read(src), sz) - loff; ++ olen = len; ++ } + } + + again: diff --git a/queue-4.18/btrfs-fix-qgroup_free-wrong-num_bytes-in-btrfs_subvolume_reserve_metadata.patch b/queue-4.18/btrfs-fix-qgroup_free-wrong-num_bytes-in-btrfs_subvolume_reserve_metadata.patch new file mode 100644 index 00000000000..3b61c68007e --- /dev/null +++ b/queue-4.18/btrfs-fix-qgroup_free-wrong-num_bytes-in-btrfs_subvolume_reserve_metadata.patch @@ -0,0 +1,79 @@ +From a5b7f4295eeae8b05ca91f6d145cd8773b08de9e Mon Sep 17 00:00:00 2001 +From: Lu Fengqi +Date: Thu, 9 Aug 2018 09:46:04 +0800 +Subject: btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata + +From: Lu Fengqi + +commit a5b7f4295eeae8b05ca91f6d145cd8773b08de9e upstream. + +After btrfs_qgroup_reserve_meta_prealloc(), num_bytes will be assigned +again by btrfs_calc_trans_metadata_size(). Once block_rsv fails, we +can't properly free the num_bytes of the previous qgroup_reserve. Use a +separate variable to store the num_bytes of the qgroup_reserve. + +Delete the comment for the qgroup_reserved that does not exist and add a +comment about use_global_rsv. + +Fixes: c4c129db5da8 ("btrfs: drop unused parameter qgroup_reserved") +CC: stable@vger.kernel.org # 4.18+ +Signed-off-by: Lu Fengqi +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -5935,7 +5935,7 @@ void btrfs_trans_release_chunk_metadata( + * root: the root of the parent directory + * rsv: block reservation + * items: the number of items that we need do reservation +- * qgroup_reserved: used to return the reserved size in qgroup ++ * use_global_rsv: allow fallback to the global block reservation + * + * This function is used to reserve the space for snapshot/subvolume + * creation and deletion. Those operations are different with the +@@ -5945,10 +5945,10 @@ void btrfs_trans_release_chunk_metadata( + * the space reservation mechanism in start_transaction(). + */ + int btrfs_subvolume_reserve_metadata(struct btrfs_root *root, +- struct btrfs_block_rsv *rsv, +- int items, ++ struct btrfs_block_rsv *rsv, int items, + bool use_global_rsv) + { ++ u64 qgroup_num_bytes = 0; + u64 num_bytes; + int ret; + struct btrfs_fs_info *fs_info = root->fs_info; +@@ -5956,12 +5956,11 @@ int btrfs_subvolume_reserve_metadata(str + + if (test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) { + /* One for parent inode, two for dir entries */ +- num_bytes = 3 * fs_info->nodesize; +- ret = btrfs_qgroup_reserve_meta_prealloc(root, num_bytes, true); ++ qgroup_num_bytes = 3 * fs_info->nodesize; ++ ret = btrfs_qgroup_reserve_meta_prealloc(root, ++ qgroup_num_bytes, true); + if (ret) + return ret; +- } else { +- num_bytes = 0; + } + + num_bytes = btrfs_calc_trans_metadata_size(fs_info, items); +@@ -5973,8 +5972,8 @@ int btrfs_subvolume_reserve_metadata(str + if (ret == -ENOSPC && use_global_rsv) + ret = btrfs_block_rsv_migrate(global_rsv, rsv, num_bytes, 1); + +- if (ret && num_bytes) +- btrfs_qgroup_free_meta_prealloc(root, num_bytes); ++ if (ret && qgroup_num_bytes) ++ btrfs_qgroup_free_meta_prealloc(root, qgroup_num_bytes); + + return ret; + } diff --git a/queue-4.18/cifs-connect-to-servername-instead-of-ip-for-ipc-share.patch b/queue-4.18/cifs-connect-to-servername-instead-of-ip-for-ipc-share.patch new file mode 100644 index 00000000000..6426555f771 --- /dev/null +++ b/queue-4.18/cifs-connect-to-servername-instead-of-ip-for-ipc-share.patch @@ -0,0 +1,42 @@ +From 395a2076b4064f97d3fce03af15210ff2a7bb7f9 Mon Sep 17 00:00:00 2001 +From: Thomas Werschlein +Date: Thu, 30 Aug 2018 18:29:20 +0200 +Subject: cifs: connect to servername instead of IP for IPC$ share +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Werschlein + +commit 395a2076b4064f97d3fce03af15210ff2a7bb7f9 upstream. + +This patch is required allows access to a Microsoft fileserver failover +cluster behind a 1:1 NAT firewall. + +The change also provides stronger context for authentication and share +connection (see MS-SMB2 3.3.5.7 and MS-SRVS 3.1.6.8) as noted by +Tom Talpey, and addresses comments about the buffer size for the UNC +made by Aurélien Aptel. + +Signed-off-by: Thomas Werschlein +Signed-off-by: Steve French +CC: Tom Talpey +Reviewed-by: Aurelien Aptel +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/connect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2523,7 +2523,7 @@ cifs_setup_ipc(struct cifs_ses *ses, str + if (tcon == NULL) + return -ENOMEM; + +- snprintf(unc, sizeof(unc), "\\\\%s\\IPC$", ses->serverName); ++ snprintf(unc, sizeof(unc), "\\\\%s\\IPC$", ses->server->hostname); + + /* cannot fail */ + nls_codepage = load_nls_default(); diff --git a/queue-4.18/hid-core-fix-grouping-by-application.patch b/queue-4.18/hid-core-fix-grouping-by-application.patch new file mode 100644 index 00000000000..e018be7795e --- /dev/null +++ b/queue-4.18/hid-core-fix-grouping-by-application.patch @@ -0,0 +1,78 @@ +From 0d6c3011409135ea84e2a231b013a22017ff999a Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Tue, 4 Sep 2018 15:31:14 +0200 +Subject: HID: core: fix grouping by application + +From: Benjamin Tissoires + +commit 0d6c3011409135ea84e2a231b013a22017ff999a upstream. + +commit f07b3c1da92d ("HID: generic: create one input report per +application type") was effectively the same as MULTI_INPUT: +hidinput->report was never set, so hidinput_match_application() +always returned null. + +Fix that by testing against the real application. + +Note that this breaks some old eGalax touchscreens that expect MULTI_INPUT +instead of HID_QUIRK_INPUT_PER_APP. Enable this quirk for backward +compatibility on all non-Win8 touchscreens. + +link: https://bugzilla.kernel.org/show_bug.cgi?id=200847 +link: https://bugzilla.kernel.org/show_bug.cgi?id=200849 +link: https://bugs.archlinux.org/task/59699 +link: https://github.com/NixOS/nixpkgs/issues/45165 + +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-input.c | 4 ++-- + drivers/hid/hid-multitouch.c | 3 +++ + include/linux/hid.h | 1 + + 3 files changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1579,6 +1579,7 @@ static struct hid_input *hidinput_alloca + input_dev->dev.parent = &hid->dev; + + hidinput->input = input_dev; ++ hidinput->application = application; + list_add_tail(&hidinput->list, &hid->inputs); + + INIT_LIST_HEAD(&hidinput->reports); +@@ -1674,8 +1675,7 @@ static struct hid_input *hidinput_match_ + struct hid_input *hidinput; + + list_for_each_entry(hidinput, &hid->inputs, list) { +- if (hidinput->report && +- hidinput->report->application == report->application) ++ if (hidinput->application == report->application) + return hidinput; + } + +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1488,6 +1488,9 @@ static int mt_probe(struct hid_device *h + */ + hdev->quirks |= HID_QUIRK_INPUT_PER_APP; + ++ if (id->group != HID_GROUP_MULTITOUCH_WIN_8) ++ hdev->quirks |= HID_QUIRK_MULTI_INPUT; ++ + timer_setup(&td->release_timer, mt_expired_timeout, 0); + + ret = hid_parse(hdev); +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -520,6 +520,7 @@ struct hid_input { + const char *name; + bool registered; + struct list_head reports; /* the list of reports */ ++ unsigned int application; /* application usage for this input */ + }; + + enum hid_type { diff --git a/queue-4.18/hid-i2c-hid-fix-flooded-incomplete-report-after-s3-on-rayd-touchscreen.patch b/queue-4.18/hid-i2c-hid-fix-flooded-incomplete-report-after-s3-on-rayd-touchscreen.patch new file mode 100644 index 00000000000..f4505ffbc1d --- /dev/null +++ b/queue-4.18/hid-i2c-hid-fix-flooded-incomplete-report-after-s3-on-rayd-touchscreen.patch @@ -0,0 +1,52 @@ +From fb6acf76c3fdd97fea6995e64e2c665725f00fc5 Mon Sep 17 00:00:00 2001 +From: AceLan Kao +Date: Tue, 21 Aug 2018 16:55:13 +0800 +Subject: HID: i2c-hid: Fix flooded incomplete report after S3 on Rayd touchscreen + +From: AceLan Kao + +commit fb6acf76c3fdd97fea6995e64e2c665725f00fc5 upstream. + +The incomplete report flooded after S3 and touchscreen becomes +malfunctioned. +[ 1367.646244] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/18785) +[ 1367.649471] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/28743) +[ 1367.651092] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/26757) +[ 1367.652658] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/52280) +[ 1367.654287] i2c_hid i2c-CUST0000:00: i2c_hid_get_input: incomplete report (58/56059) + +Adding device ID, 04F3:30CC, to the quirk to re-send report description +after resume. + +Cc: stable@vger.kernel.org +Signed-off-by: AceLan Kao +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/i2c-hid/i2c-hid.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -528,6 +528,7 @@ + + #define I2C_VENDOR_ID_RAYD 0x2386 + #define I2C_PRODUCT_ID_RAYD_3118 0x3118 ++#define I2C_PRODUCT_ID_RAYD_4B33 0x4B33 + + #define USB_VENDOR_ID_HANWANG 0x0b57 + #define USB_DEVICE_ID_HANWANG_TABLET_FIRST 0x5000 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -174,6 +174,8 @@ static const struct i2c_hid_quirks { + I2C_HID_QUIRK_RESEND_REPORT_DESCR }, + { USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS10FB_TOUCH, + I2C_HID_QUIRK_RESEND_REPORT_DESCR }, ++ { I2C_VENDOR_ID_RAYD, I2C_PRODUCT_ID_RAYD_4B33, ++ I2C_HID_QUIRK_RESEND_REPORT_DESCR }, + { 0, 0 } + }; + diff --git a/queue-4.18/hid-input-fix-leaking-custom-input-node-name.patch b/queue-4.18/hid-input-fix-leaking-custom-input-node-name.patch new file mode 100644 index 00000000000..9899e1a7124 --- /dev/null +++ b/queue-4.18/hid-input-fix-leaking-custom-input-node-name.patch @@ -0,0 +1,31 @@ +From e38c0ac55ee67cf3626cfbc2283f8873dc44d370 Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Tue, 28 Aug 2018 13:29:55 +0200 +Subject: HID: input: fix leaking custom input node name + +From: Stefan Agner + +commit e38c0ac55ee67cf3626cfbc2283f8873dc44d370 upstream. + +Make sure to free the custom input node name on disconnect. + +Cc: stable@vger.kernel.org # v4.18+ +Fixes: c554bb045511 ("HID: input: append a suffix matching the application") +Signed-off-by: Stefan Agner +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-input.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1812,6 +1812,7 @@ void hidinput_disconnect(struct hid_devi + input_unregister_device(hidinput->input); + else + input_free_device(hidinput->input); ++ kfree(hidinput->name); + kfree(hidinput); + } + diff --git a/queue-4.18/hid-multitouch-fix-elan-panels-with-2-input-modes-declaration.patch b/queue-4.18/hid-multitouch-fix-elan-panels-with-2-input-modes-declaration.patch new file mode 100644 index 00000000000..57eea02530b --- /dev/null +++ b/queue-4.18/hid-multitouch-fix-elan-panels-with-2-input-modes-declaration.patch @@ -0,0 +1,81 @@ +From ec6adef5fbc3f140c70e7499fdad818acb3a46c6 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Tue, 4 Sep 2018 15:31:12 +0200 +Subject: HID: multitouch: fix Elan panels with 2 input modes declaration + +From: Benjamin Tissoires + +commit ec6adef5fbc3f140c70e7499fdad818acb3a46c6 upstream. + +When implementing commit 7f81c8db5489 ("HID: multitouch: simplify +the settings of the various features"), I wrongly removed a test +that made sure we never try to set the second InputMode feature +to something else than 0. + +This broke badly some recent Elan panels that now forget to send the +click button in some area of the touchpad. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200899 +Fixes: 7f81c8db5489 ("HID: multitouch: simplify the settings of the various features") +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-multitouch.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -1167,7 +1167,8 @@ static bool mt_need_to_apply_feature(str + struct hid_usage *usage, + enum latency_mode latency, + bool surface_switch, +- bool button_switch) ++ bool button_switch, ++ bool *inputmode_found) + { + struct mt_device *td = hid_get_drvdata(hdev); + struct mt_class *cls = &td->mtclass; +@@ -1179,6 +1180,14 @@ static bool mt_need_to_apply_feature(str + + switch (usage->hid) { + case HID_DG_INPUTMODE: ++ /* ++ * Some elan panels wrongly declare 2 input mode features, ++ * and silently ignore when we set the value in the second ++ * field. Skip the second feature and hope for the best. ++ */ ++ if (*inputmode_found) ++ return false; ++ + if (cls->quirks & MT_QUIRK_FORCE_GET_FEATURE) { + report_len = hid_report_len(report); + buf = hid_alloc_report_buf(report, GFP_KERNEL); +@@ -1194,6 +1203,7 @@ static bool mt_need_to_apply_feature(str + } + + field->value[index] = td->inputmode_value; ++ *inputmode_found = true; + return true; + + case HID_DG_CONTACTMAX: +@@ -1231,6 +1241,7 @@ static void mt_set_modes(struct hid_devi + struct hid_usage *usage; + int i, j; + bool update_report; ++ bool inputmode_found = false; + + rep_enum = &hdev->report_enum[HID_FEATURE_REPORT]; + list_for_each_entry(rep, &rep_enum->report_list, list) { +@@ -1249,7 +1260,8 @@ static void mt_set_modes(struct hid_devi + usage, + latency, + surface_switch, +- button_switch)) ++ button_switch, ++ &inputmode_found)) + update_report = true; + } + } diff --git a/queue-4.18/i2c-i801-fix-dnv-s-smbctrl-register-offset.patch b/queue-4.18/i2c-i801-fix-dnv-s-smbctrl-register-offset.patch new file mode 100644 index 00000000000..20be78d1686 --- /dev/null +++ b/queue-4.18/i2c-i801-fix-dnv-s-smbctrl-register-offset.patch @@ -0,0 +1,47 @@ +From 851a15114895c5bce163a6f2d57e0aa4658a1be4 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Mon, 3 Sep 2018 11:24:57 +0300 +Subject: i2c: i801: fix DNV's SMBCTRL register offset + +From: Felipe Balbi + +commit 851a15114895c5bce163a6f2d57e0aa4658a1be4 upstream. + +DNV's iTCO is slightly different with SMBCTRL sitting at a different +offset when compared to all other devices. Let's fix so that we can +properly use iTCO watchdog. + +Fixes: 84d7f2ebd70d ("i2c: i801: Add support for Intel DNV") +Cc: # v4.4+ +Signed-off-by: Felipe Balbi +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-i801.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -139,6 +139,7 @@ + + #define SBREG_BAR 0x10 + #define SBREG_SMBCTRL 0xc6000c ++#define SBREG_SMBCTRL_DNV 0xcf000c + + /* Host status bits for SMBPCISTS */ + #define SMBPCISTS_INTS BIT(3) +@@ -1396,7 +1397,11 @@ static void i801_add_tco(struct i801_pri + spin_unlock(&p2sb_spinlock); + + res = &tco_res[ICH_RES_MEM_OFF]; +- res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL; ++ if (pci_dev->device == PCI_DEVICE_ID_INTEL_DNV_SMBUS) ++ res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL_DNV; ++ else ++ res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL; ++ + res->end = res->start + 3; + res->flags = IORESOURCE_MEM; + diff --git a/queue-4.18/i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch b/queue-4.18/i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch new file mode 100644 index 00000000000..7c883b60dc1 --- /dev/null +++ b/queue-4.18/i2c-xiic-make-the-start-and-the-byte-count-write-atomic.patch @@ -0,0 +1,59 @@ +From ae7304c3ea28a3ba47a7a8312c76c654ef24967e Mon Sep 17 00:00:00 2001 +From: Shubhrajyoti Datta +Date: Mon, 3 Sep 2018 15:11:11 +0530 +Subject: i2c: xiic: Make the start and the byte count write atomic + +From: Shubhrajyoti Datta + +commit ae7304c3ea28a3ba47a7a8312c76c654ef24967e upstream. + +Disable interrupts while configuring the transfer and enable them back. + +We have below as the programming sequence +1. start and slave address +2. byte count and stop + +In some customer platform there was a lot of interrupts between 1 and 2 +and after slave address (around 7 clock cyles) if 2 is not executed +then the transaction is nacked. + +To fix this case make the 2 writes atomic. + +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: Michal Simek +[wsa: added a newline for better readability] +Signed-off-by: Wolfram Sang +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-xiic.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -532,6 +532,7 @@ static void xiic_start_recv(struct xiic_ + { + u8 rx_watermark; + struct i2c_msg *msg = i2c->rx_msg = i2c->tx_msg; ++ unsigned long flags; + + /* Clear and enable Rx full interrupt. */ + xiic_irq_clr_en(i2c, XIIC_INTR_RX_FULL_MASK | XIIC_INTR_TX_ERROR_MASK); +@@ -547,6 +548,7 @@ static void xiic_start_recv(struct xiic_ + rx_watermark = IIC_RX_FIFO_DEPTH; + xiic_setreg8(i2c, XIIC_RFD_REG_OFFSET, rx_watermark - 1); + ++ local_irq_save(flags); + if (!(msg->flags & I2C_M_NOSTART)) + /* write the address */ + xiic_setreg16(i2c, XIIC_DTR_REG_OFFSET, +@@ -556,6 +558,8 @@ static void xiic_start_recv(struct xiic_ + + xiic_setreg16(i2c, XIIC_DTR_REG_OFFSET, + msg->len | ((i2c->nmsgs == 1) ? XIIC_TX_DYN_STOP_MASK : 0)); ++ local_irq_restore(flags); ++ + if (i2c->nmsgs == 1) + /* very last, enable bus not busy as well */ + xiic_irq_clr_en(i2c, XIIC_INTR_BNB_MASK); diff --git a/queue-4.18/kvm-arm-arm64-clean-dcache-to-poc-when-changing-pte-due-to-cow.patch b/queue-4.18/kvm-arm-arm64-clean-dcache-to-poc-when-changing-pte-due-to-cow.patch new file mode 100644 index 00000000000..71ca76956ce --- /dev/null +++ b/queue-4.18/kvm-arm-arm64-clean-dcache-to-poc-when-changing-pte-due-to-cow.patch @@ -0,0 +1,60 @@ +From 694556d54f354d3fe43bb2e61fd6103cca2638a4 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 23 Aug 2018 09:58:27 +0100 +Subject: KVM: arm/arm64: Clean dcache to PoC when changing PTE due to CoW + +From: Marc Zyngier + +commit 694556d54f354d3fe43bb2e61fd6103cca2638a4 upstream. + +When triggering a CoW, we unmap the RO page via an MMU notifier +(invalidate_range_start), and then populate the new PTE using another +one (change_pte). In the meantime, we'll have copied the old page +into the new one. + +The problem is that the data for the new page is sitting in the +cache, and should the guest have an uncached mapping to that page +(or its MMU off), following accesses will bypass the cache. + +In a way, this is similar to what happens on a translation fault: +We need to clean the page to the PoC before mapping it. So let's just +do that. + +This fixes a KVM unit test regression observed on a HiSilicon platform, +and subsequently reproduced on Seattle. + +Fixes: a9c0e12ebee5 ("KVM: arm/arm64: Only clean the dcache on translation fault") +Cc: stable@vger.kernel.org # v4.16+ +Reported-by: Mike Galbraith +Signed-off-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/mmu.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/virt/kvm/arm/mmu.c ++++ b/virt/kvm/arm/mmu.c +@@ -1831,13 +1831,20 @@ static int kvm_set_spte_handler(struct k + void kvm_set_spte_hva(struct kvm *kvm, unsigned long hva, pte_t pte) + { + unsigned long end = hva + PAGE_SIZE; ++ kvm_pfn_t pfn = pte_pfn(pte); + pte_t stage2_pte; + + if (!kvm->arch.pgd) + return; + + trace_kvm_set_spte_hva(hva); +- stage2_pte = pfn_pte(pte_pfn(pte), PAGE_S2); ++ ++ /* ++ * We've moved a page around, probably through CoW, so let's treat it ++ * just like a translation fault and clean the cache to the PoC. ++ */ ++ clean_dcache_guest_page(pfn, PAGE_SIZE); ++ stage2_pte = pfn_pte(pfn, PAGE_S2); + handle_hva_to_gpa(kvm, hva, end, &kvm_set_spte_handler, &stage2_pte); + } + diff --git a/queue-4.18/kvm-ppc-book3s-hv-use-correct-pagesize-in-kvm_unmap_radix.patch b/queue-4.18/kvm-ppc-book3s-hv-use-correct-pagesize-in-kvm_unmap_radix.patch new file mode 100644 index 00000000000..aaea4ff1eb5 --- /dev/null +++ b/queue-4.18/kvm-ppc-book3s-hv-use-correct-pagesize-in-kvm_unmap_radix.patch @@ -0,0 +1,45 @@ +From c066fafc595eef5ae3c83ae3a8305956b8c3ef15 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Tue, 14 Aug 2018 20:37:45 +1000 +Subject: KVM: PPC: Book3S HV: Use correct pagesize in kvm_unmap_radix() + +From: Paul Mackerras + +commit c066fafc595eef5ae3c83ae3a8305956b8c3ef15 upstream. + +Since commit e641a317830b ("KVM: PPC: Book3S HV: Unify dirty page map +between HPT and radix", 2017-10-26), kvm_unmap_radix() computes the +number of PAGE_SIZEd pages being unmapped and passes it to +kvmppc_update_dirty_map(), which expects to be passed the page size +instead. Consequently it will only mark one system page dirty even +when a large page (for example a THP page) is being unmapped. The +consequence of this is that part of the THP page might not get copied +during live migration, resulting in memory corruption for the guest. + +This fixes it by computing and passing the page size in kvm_unmap_radix(). + +Cc: stable@vger.kernel.org # v4.15+ +Fixes: e641a317830b (KVM: PPC: Book3S HV: Unify dirty page map between HPT and radix) +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_64_mmu_radix.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kvm/book3s_64_mmu_radix.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_radix.c +@@ -738,10 +738,10 @@ int kvm_unmap_radix(struct kvm *kvm, str + gpa, shift); + kvmppc_radix_tlbie_page(kvm, gpa, shift); + if ((old & _PAGE_DIRTY) && memslot->dirty_bitmap) { +- unsigned long npages = 1; ++ unsigned long psize = PAGE_SIZE; + if (shift) +- npages = 1ul << (shift - PAGE_SHIFT); +- kvmppc_update_dirty_map(memslot, gfn, npages); ++ psize = 1ul << shift; ++ kvmppc_update_dirty_map(memslot, gfn, psize); + } + } + return 0; diff --git a/queue-4.18/kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch b/queue-4.18/kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch new file mode 100644 index 00000000000..c971f30785a --- /dev/null +++ b/queue-4.18/kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch @@ -0,0 +1,38 @@ +From 204c97245612b6c255edf4e21e24d417c4a0c008 Mon Sep 17 00:00:00 2001 +From: Pierre Morel +Date: Thu, 23 Aug 2018 12:25:54 +0200 +Subject: KVM: s390: vsie: copy wrapping keys to right place + +From: Pierre Morel + +commit 204c97245612b6c255edf4e21e24d417c4a0c008 upstream. + +Copy the key mask to the right offset inside the shadow CRYCB + +Fixes: bbeaa58b3 ("KVM: s390: vsie: support aes dea wrapping keys") +Signed-off-by: Pierre Morel +Reviewed-by: David Hildenbrand +Reviewed-by: Cornelia Huck +Reviewed-by: Janosch Frank +Cc: stable@vger.kernel.org # v4.8+ +Message-Id: <1535019956-23539-2-git-send-email-pmorel@linux.ibm.com> +Signed-off-by: Janosch Frank +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/vsie.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -173,7 +173,8 @@ static int shadow_crycb(struct kvm_vcpu + return set_validity_icpt(scb_s, 0x0039U); + + /* copy only the wrapping keys */ +- if (read_guest_real(vcpu, crycb_addr + 72, &vsie_page->crycb, 56)) ++ if (read_guest_real(vcpu, crycb_addr + 72, ++ vsie_page->crycb.dea_wrapping_key_mask, 56)) + return set_validity_icpt(scb_s, 0x0035U); + + scb_s->ecb3 |= ecb3_flags; diff --git a/queue-4.18/kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch b/queue-4.18/kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch new file mode 100644 index 00000000000..9ac520b01f1 --- /dev/null +++ b/queue-4.18/kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch @@ -0,0 +1,48 @@ +From c4409905cd6eb42cfd06126e9226b0150e05a715 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 23 Aug 2018 13:56:46 -0700 +Subject: KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO instr +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit c4409905cd6eb42cfd06126e9226b0150e05a715 upstream. + +Re-execution after an emulation decode failure is only intended to +handle a case where two or vCPUs race to write a shadowed page, i.e. +we should never re-execute an instruction as part of MMIO emulation. +As handle_ept_misconfig() is only used for MMIO emulation, it should +pass EMULTYPE_NO_REEXECUTE when using the emulator to skip an instr +in the fast-MMIO case where VM_EXIT_INSTRUCTION_LEN is invalid. + +And because the cr2 value passed to x86_emulate_instruction() is only +destined for use when retrying or reexecuting, we can simply call +emulate_instruction(). + +Fixes: d391f1207067 ("x86/kvm/vmx: do not use vm-exit instruction length + for fast MMIO when running nested") +Cc: Vitaly Kuznetsov +Signed-off-by: Sean Christopherson +Cc: stable@vger.kernel.org +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7539,8 +7539,8 @@ static int handle_ept_misconfig(struct k + if (!static_cpu_has(X86_FEATURE_HYPERVISOR)) + return kvm_skip_emulated_instruction(vcpu); + else +- return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP, +- NULL, 0) == EMULATE_DONE; ++ return emulate_instruction(vcpu, EMULTYPE_SKIP) == ++ EMULATE_DONE; + } + + return kvm_mmu_page_fault(vcpu, gpa, PFERR_RSVD_MASK, NULL, 0); diff --git a/queue-4.18/kvm-x86-default-to-not-allowing-emulation-retry-in-kvm_mmu_page_fault.patch b/queue-4.18/kvm-x86-default-to-not-allowing-emulation-retry-in-kvm_mmu_page_fault.patch new file mode 100644 index 00000000000..9a147d25b82 --- /dev/null +++ b/queue-4.18/kvm-x86-default-to-not-allowing-emulation-retry-in-kvm_mmu_page_fault.patch @@ -0,0 +1,70 @@ +From 472faffacd9032164f611f56329d0025ddca55b5 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 23 Aug 2018 13:56:50 -0700 +Subject: KVM: x86: Default to not allowing emulation retry in kvm_mmu_page_fault +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 472faffacd9032164f611f56329d0025ddca55b5 upstream. + +Effectively force kvm_mmu_page_fault() to opt-in to allowing retry to +make it more obvious when and why it allows emulation to be retried. +Previously this approach was less convenient due to retry and +re-execute behavior being controlled by separate flags that were also +inverted in their implementations (opt-in versus opt-out). + +Suggested-by: Paolo Bonzini +Signed-off-by: Sean Christopherson +Cc: stable@vger.kernel.org +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4960,7 +4960,7 @@ static int make_mmu_pages_available(stru + int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code, + void *insn, int insn_len) + { +- int r, emulation_type = EMULTYPE_ALLOW_RETRY; ++ int r, emulation_type = 0; + enum emulation_result er; + bool direct = vcpu->arch.mmu.direct_map; + +@@ -4973,10 +4973,8 @@ int kvm_mmu_page_fault(struct kvm_vcpu * + r = RET_PF_INVALID; + if (unlikely(error_code & PFERR_RSVD_MASK)) { + r = handle_mmio_page_fault(vcpu, cr2, direct); +- if (r == RET_PF_EMULATE) { +- emulation_type = 0; ++ if (r == RET_PF_EMULATE) + goto emulate; +- } + } + + if (r == RET_PF_INVALID) { +@@ -5003,8 +5001,16 @@ int kvm_mmu_page_fault(struct kvm_vcpu * + return 1; + } + +- if (mmio_info_in_cache(vcpu, cr2, direct)) +- emulation_type = 0; ++ /* ++ * vcpu->arch.mmu.page_fault returned RET_PF_EMULATE, but we can still ++ * optimistically try to just unprotect the page and let the processor ++ * re-execute the instruction that caused the page fault. Do not allow ++ * retrying MMIO emulation, as it's not only pointless but could also ++ * cause us to enter an infinite loop because the processor will keep ++ * faulting on the non-existent MMIO address. ++ */ ++ if (!mmio_info_in_cache(vcpu, cr2, direct)) ++ emulation_type = EMULTYPE_ALLOW_RETRY; + emulate: + /* + * On AMD platforms, under certain conditions insn_len may be zero on #NPF. diff --git a/queue-4.18/kvm-x86-do-not-re-try-execute-after-failed-emulation-in-l2.patch b/queue-4.18/kvm-x86-do-not-re-try-execute-after-failed-emulation-in-l2.patch new file mode 100644 index 00000000000..d5972b55ed5 --- /dev/null +++ b/queue-4.18/kvm-x86-do-not-re-try-execute-after-failed-emulation-in-l2.patch @@ -0,0 +1,121 @@ +From 6c3dfeb6a48b1562bd5b8ec5f3317ef34d0134ef Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 23 Aug 2018 13:56:51 -0700 +Subject: KVM: x86: Do not re-{try,execute} after failed emulation in L2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 6c3dfeb6a48b1562bd5b8ec5f3317ef34d0134ef upstream. + +Commit a6f177efaa58 ("KVM: Reenter guest after emulation failure if +due to access to non-mmio address") added reexecute_instruction() to +handle the scenario where two (or more) vCPUS race to write a shadowed +page, i.e. reexecute_instruction() is intended to return true if and +only if the instruction being emulated was accessing a shadowed page. +As L0 is only explicitly shadowing L1 tables, an emulation failure of +a nested VM instruction cannot be due to a race to write a shadowed +page and so should never be re-executed. + +This fixes an issue where an "MMIO" emulation failure[1] in L2 is all +but guaranteed to result in an infinite loop when TDP is enabled. +Because "cr2" is actually an L2 GPA when TDP is enabled, calling +kvm_mmu_gva_to_gpa_write() to translate cr2 in the non-direct mapped +case (L2 is never direct mapped) will almost always yield UNMAPPED_GVA +and cause reexecute_instruction() to immediately return true. The +!mmio_info_in_cache() check in kvm_mmu_page_fault() doesn't catch this +case because mmio_info_in_cache() returns false for a nested MMU (the +MMIO caching currently handles L1 only, e.g. to cache nested guests' +GPAs we'd have to manually flush the cache when switching between +VMs and when L1 updated its page tables controlling the nested guest). + +Way back when, commit 68be0803456b ("KVM: x86: never re-execute +instruction with enabled tdp") changed reexecute_instruction() to +always return false when using TDP under the assumption that KVM would +only get into the emulator for MMIO. Commit 95b3cf69bdf8 ("KVM: x86: +let reexecute_instruction work for tdp") effectively reverted that +behavior in order to handle the scenario where emulation failed due to +an access from L1 to the shadow page tables for L2, but it didn't +account for the case where emulation failed in L2 with TDP enabled. + +All of the above logic also applies to retry_instruction(), added by +commit 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing +instructions"). An indefinite loop in retry_instruction() should be +impossible as it protects against retrying the same instruction over +and over, but it's still correct to not retry an L2 instruction in +the first place. + +Fix the immediate issue by adding a check for a nested guest when +determining whether or not to allow retry in kvm_mmu_page_fault(). +In addition to fixing the immediate bug, add WARN_ON_ONCE in the +retry functions since they are not designed to handle nested cases, +i.e. they need to be modified even if there is some scenario in the +future where we want to allow retrying a nested guest. + +[1] This issue was encountered after commit 3a2936dedd20 ("kvm: mmu: + Don't expose private memslots to L2") changed the page fault path + to return KVM_PFN_NOSLOT when translating an L2 access to a + prive memslot. Returning KVM_PFN_NOSLOT is semantically correct + when we want to hide a memslot from L2, i.e. there effectively is + no defined memory region for L2, but it has the unfortunate side + effect of making KVM think the GFN is a MMIO page, thus triggering + emulation. The failure occurred with in-development code that + deliberately exposed a private memslot to L2, which L2 accessed + with an instruction that is not emulated by KVM. + +Fixes: 95b3cf69bdf8 ("KVM: x86: let reexecute_instruction work for tdp") +Fixes: 1cb3f3ae5a38 ("KVM: x86: retry non-page-table writing instructions") +Signed-off-by: Sean Christopherson +Cc: Jim Mattson +Cc: Krish Sadhukhan +Cc: Xiao Guangrong +Cc: stable@vger.kernel.org +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 7 +++++-- + arch/x86/kvm/x86.c | 6 ++++++ + 2 files changed, 11 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -5007,9 +5007,12 @@ int kvm_mmu_page_fault(struct kvm_vcpu * + * re-execute the instruction that caused the page fault. Do not allow + * retrying MMIO emulation, as it's not only pointless but could also + * cause us to enter an infinite loop because the processor will keep +- * faulting on the non-existent MMIO address. ++ * faulting on the non-existent MMIO address. Retrying an instruction ++ * from a nested guest is also pointless and dangerous as we are only ++ * explicitly shadowing L1's page tables, i.e. unprotecting something ++ * for L1 isn't going to magically fix whatever issue cause L2 to fail. + */ +- if (!mmio_info_in_cache(vcpu, cr2, direct)) ++ if (!mmio_info_in_cache(vcpu, cr2, direct) && !is_guest_mode(vcpu)) + emulation_type = EMULTYPE_ALLOW_RETRY; + emulate: + /* +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5813,6 +5813,9 @@ static bool reexecute_instruction(struct + if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) + return false; + ++ if (WARN_ON_ONCE(is_guest_mode(vcpu))) ++ return false; ++ + if (!vcpu->arch.mmu.direct_map) { + /* + * Write permission should be allowed since only +@@ -5901,6 +5904,9 @@ static bool retry_instruction(struct x86 + if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) + return false; + ++ if (WARN_ON_ONCE(is_guest_mode(vcpu))) ++ return false; ++ + if (x86_page_table_writing_insn(ctxt)) + return false; + diff --git a/queue-4.18/kvm-x86-invert-emulation-re-execute-behavior-to-make-it-opt-in.patch b/queue-4.18/kvm-x86-invert-emulation-re-execute-behavior-to-make-it-opt-in.patch new file mode 100644 index 00000000000..c88aafa6f8f --- /dev/null +++ b/queue-4.18/kvm-x86-invert-emulation-re-execute-behavior-to-make-it-opt-in.patch @@ -0,0 +1,79 @@ +From 8065dbd1ee0ef04321d80da7999b4f0086e0a407 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 23 Aug 2018 13:56:48 -0700 +Subject: KVM: x86: Invert emulation re-execute behavior to make it opt-in +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 8065dbd1ee0ef04321d80da7999b4f0086e0a407 upstream. + +Re-execution of an instruction after emulation decode failure is +intended to be used only when emulating shadow page accesses. Invert +the flag to make allowing re-execution opt-in since that behavior is +by far in the minority. + +Signed-off-by: Sean Christopherson +Cc: stable@vger.kernel.org +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 8 +++----- + arch/x86/kvm/mmu.c | 2 +- + arch/x86/kvm/x86.c | 2 +- + 3 files changed, 5 insertions(+), 7 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1199,7 +1199,7 @@ enum emulation_result { + #define EMULTYPE_TRAP_UD (1 << 1) + #define EMULTYPE_SKIP (1 << 2) + #define EMULTYPE_RETRY (1 << 3) +-#define EMULTYPE_NO_REEXECUTE (1 << 4) ++#define EMULTYPE_ALLOW_REEXECUTE (1 << 4) + #define EMULTYPE_NO_UD_ON_FAIL (1 << 5) + #define EMULTYPE_VMWARE (1 << 6) + int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2, +@@ -1208,15 +1208,13 @@ int x86_emulate_instruction(struct kvm_v + static inline int emulate_instruction(struct kvm_vcpu *vcpu, + int emulation_type) + { +- return x86_emulate_instruction(vcpu, 0, +- emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0); ++ return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0); + } + + static inline int kvm_emulate_instruction_from_buffer(struct kvm_vcpu *vcpu, + void *insn, int insn_len) + { +- return x86_emulate_instruction(vcpu, 0, EMULTYPE_NO_REEXECUTE, +- insn, insn_len); ++ return x86_emulate_instruction(vcpu, 0, 0, insn, insn_len); + } + + void kvm_enable_efer_bits(u64); +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4960,7 +4960,7 @@ static int make_mmu_pages_available(stru + int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code, + void *insn, int insn_len) + { +- int r, emulation_type = EMULTYPE_RETRY; ++ int r, emulation_type = EMULTYPE_RETRY | EMULTYPE_ALLOW_REEXECUTE; + enum emulation_result er; + bool direct = vcpu->arch.mmu.direct_map; + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5810,7 +5810,7 @@ static bool reexecute_instruction(struct + gpa_t gpa = cr2; + kvm_pfn_t pfn; + +- if (emulation_type & EMULTYPE_NO_REEXECUTE) ++ if (!(emulation_type & EMULTYPE_ALLOW_REEXECUTE)) + return false; + + if (!vcpu->arch.mmu.direct_map) { diff --git a/queue-4.18/kvm-x86-merge-emultype_retry-and-emultype_allow_reexecute.patch b/queue-4.18/kvm-x86-merge-emultype_retry-and-emultype_allow_reexecute.patch new file mode 100644 index 00000000000..051632c8262 --- /dev/null +++ b/queue-4.18/kvm-x86-merge-emultype_retry-and-emultype_allow_reexecute.patch @@ -0,0 +1,77 @@ +From 384bf2218e96f57118270945b1841e4dbbe9e352 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 23 Aug 2018 13:56:49 -0700 +Subject: KVM: x86: Merge EMULTYPE_RETRY and EMULTYPE_ALLOW_REEXECUTE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 384bf2218e96f57118270945b1841e4dbbe9e352 upstream. + +retry_instruction() and reexecute_instruction() are a package deal, +i.e. there is no scenario where one is allowed and the other is not. +Merge their controlling emulation type flags to enforce this in code. +Name the combined flag EMULTYPE_ALLOW_RETRY to make it abundantly +clear that we are allowing re{try,execute} to occur, as opposed to +explicitly requesting retry of a previously failed instruction. + +Signed-off-by: Sean Christopherson +Cc: stable@vger.kernel.org +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 7 +++---- + arch/x86/kvm/mmu.c | 2 +- + arch/x86/kvm/x86.c | 4 ++-- + 3 files changed, 6 insertions(+), 7 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1198,10 +1198,9 @@ enum emulation_result { + #define EMULTYPE_NO_DECODE (1 << 0) + #define EMULTYPE_TRAP_UD (1 << 1) + #define EMULTYPE_SKIP (1 << 2) +-#define EMULTYPE_RETRY (1 << 3) +-#define EMULTYPE_ALLOW_REEXECUTE (1 << 4) +-#define EMULTYPE_NO_UD_ON_FAIL (1 << 5) +-#define EMULTYPE_VMWARE (1 << 6) ++#define EMULTYPE_ALLOW_RETRY (1 << 3) ++#define EMULTYPE_NO_UD_ON_FAIL (1 << 4) ++#define EMULTYPE_VMWARE (1 << 5) + int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2, + int emulation_type, void *insn, int insn_len); + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -4960,7 +4960,7 @@ static int make_mmu_pages_available(stru + int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code, + void *insn, int insn_len) + { +- int r, emulation_type = EMULTYPE_RETRY | EMULTYPE_ALLOW_REEXECUTE; ++ int r, emulation_type = EMULTYPE_ALLOW_RETRY; + enum emulation_result er; + bool direct = vcpu->arch.mmu.direct_map; + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5810,7 +5810,7 @@ static bool reexecute_instruction(struct + gpa_t gpa = cr2; + kvm_pfn_t pfn; + +- if (!(emulation_type & EMULTYPE_ALLOW_REEXECUTE)) ++ if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) + return false; + + if (!vcpu->arch.mmu.direct_map) { +@@ -5898,7 +5898,7 @@ static bool retry_instruction(struct x86 + */ + vcpu->arch.last_retry_eip = vcpu->arch.last_retry_addr = 0; + +- if (!(emulation_type & EMULTYPE_RETRY)) ++ if (!(emulation_type & EMULTYPE_ALLOW_RETRY)) + return false; + + if (x86_page_table_writing_insn(ctxt)) diff --git a/queue-4.18/kvm-x86-svm-set-emultype_no_reexecute-for-rsm-emulation.patch b/queue-4.18/kvm-x86-svm-set-emultype_no_reexecute-for-rsm-emulation.patch new file mode 100644 index 00000000000..247eb10a4ec --- /dev/null +++ b/queue-4.18/kvm-x86-svm-set-emultype_no_reexecute-for-rsm-emulation.patch @@ -0,0 +1,63 @@ +From 35be0aded76b54a24dc8aa678a71bca22273e8d8 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 23 Aug 2018 13:56:47 -0700 +Subject: KVM: x86: SVM: Set EMULTYPE_NO_REEXECUTE for RSM emulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Christopherson + +commit 35be0aded76b54a24dc8aa678a71bca22273e8d8 upstream. + +Re-execution after an emulation decode failure is only intended to +handle a case where two or vCPUs race to write a shadowed page, i.e. +we should never re-execute an instruction as part of RSM emulation. + +Add a new helper, kvm_emulate_instruction_from_buffer(), to support +emulating from a pre-defined buffer. This eliminates the last direct +call to x86_emulate_instruction() outside of kvm_mmu_page_fault(), +which means x86_emulate_instruction() can be unexported in a future +patch. + +Fixes: 7607b7174405 ("KVM: SVM: install RSM intercept") +Cc: Brijesh Singh +Signed-off-by: Sean Christopherson +Cc: stable@vger.kernel.org +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 7 +++++++ + arch/x86/kvm/svm.c | 4 ++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1212,6 +1212,13 @@ static inline int emulate_instruction(st + emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0); + } + ++static inline int kvm_emulate_instruction_from_buffer(struct kvm_vcpu *vcpu, ++ void *insn, int insn_len) ++{ ++ return x86_emulate_instruction(vcpu, 0, EMULTYPE_NO_REEXECUTE, ++ insn, insn_len); ++} ++ + void kvm_enable_efer_bits(u64); + bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer); + int kvm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr); +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3875,8 +3875,8 @@ static int emulate_on_interception(struc + + static int rsm_interception(struct vcpu_svm *svm) + { +- return x86_emulate_instruction(&svm->vcpu, 0, 0, +- rsm_ins_bytes, 2) == EMULATE_DONE; ++ return kvm_emulate_instruction_from_buffer(&svm->vcpu, ++ rsm_ins_bytes, 2) == EMULATE_DONE; + } + + static int rdpmc_interception(struct vcpu_svm *svm) diff --git a/queue-4.18/mac80211-don-t-update-the-pm-state-of-a-peer-upon-a-multicast-frame.patch b/queue-4.18/mac80211-don-t-update-the-pm-state-of-a-peer-upon-a-multicast-frame.patch new file mode 100644 index 00000000000..04031f92903 --- /dev/null +++ b/queue-4.18/mac80211-don-t-update-the-pm-state-of-a-peer-upon-a-multicast-frame.patch @@ -0,0 +1,61 @@ +From 20932750d9c78d307e4f2f18f9c6a32b82b1e0e8 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 20 Aug 2018 13:56:07 +0300 +Subject: mac80211: don't update the PM state of a peer upon a multicast frame + +From: Emmanuel Grumbach + +commit 20932750d9c78d307e4f2f18f9c6a32b82b1e0e8 upstream. + +I changed the way mac80211 updates the PM state of the peer. +I forgot that we could also have multicast frames from the +peer and that those frame should of course not change the +PM state of the peer: A peer goes to power save when it +needs to scan, but it won't send the broadcast Probe Request +with the PM bit set. + +This made us mark the peer as awake when it wasn't and then +Intel's firmware would fail to transmit because the peer is +asleep according to its database. The driver warned about +this and it looked like this: + + WARNING: CPU: 0 PID: 184 at /usr/src/linux-4.16.14/drivers/net/wireless/intel/iwlwifi/mvm/tx.c:1369 iwl_mvm_rx_tx_cmd+0x53b/0x860 + CPU: 0 PID: 184 Comm: irq/124-iwlwifi Not tainted 4.16.14 #1 + RIP: 0010:iwl_mvm_rx_tx_cmd+0x53b/0x860 + Call Trace: + iwl_pcie_rx_handle+0x220/0x880 + iwl_pcie_irq_handler+0x6c9/0xa20 + ? irq_forced_thread_fn+0x60/0x60 + ? irq_thread_dtor+0x90/0x90 + +The relevant code that spits the WARNING is: + + case TX_STATUS_FAIL_DEST_PS: + /* the FW should have stopped the queue and not + * return this status + */ + WARN_ON(1); + info->flags |= IEEE80211_TX_STAT_TX_FILTERED; + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199967. + +Fixes: 9fef65443388 ("mac80211: always update the PM state of a peer on MGMT / DATA frames") +Cc: #4.16+ +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1612,6 +1612,7 @@ ieee80211_rx_h_sta_process(struct ieee80 + */ + if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) && + !ieee80211_has_morefrags(hdr->frame_control) && ++ !is_multicast_ether_addr(hdr->addr1) && + (ieee80211_is_mgmt(hdr->frame_control) || + ieee80211_is_data(hdr->frame_control)) && + !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) && diff --git a/queue-4.18/memory_hotplug-fix-kernel_panic-on-offline-page-processing.patch b/queue-4.18/memory_hotplug-fix-kernel_panic-on-offline-page-processing.patch new file mode 100644 index 00000000000..238bb26b0c7 --- /dev/null +++ b/queue-4.18/memory_hotplug-fix-kernel_panic-on-offline-page-processing.patch @@ -0,0 +1,91 @@ +From 4e8346d0be889c7ab5eb2d3deedc18111d741e99 Mon Sep 17 00:00:00 2001 +From: Mikhail Zaslonko +Date: Tue, 4 Sep 2018 15:46:09 -0700 +Subject: memory_hotplug: fix kernel_panic on offline page processing + +From: Mikhail Zaslonko + +commit 4e8346d0be889c7ab5eb2d3deedc18111d741e99 upstream. + +Within show_valid_zones() the function test_pages_in_a_zone() should be +called for online memory blocks only. + +Otherwise it might lead to the VM_BUG_ON due to uninitialized struct +pages (when CONFIG_DEBUG_VM_PGFLAGS kernel option is set): + + page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p)) + ------------[ cut here ]------------ + Call Trace: + ([<000000000038f91e>] test_pages_in_a_zone+0xe6/0x168) + [<0000000000923472>] show_valid_zones+0x5a/0x1a8 + [<0000000000900284>] dev_attr_show+0x3c/0x78 + [<000000000046f6f0>] sysfs_kf_seq_show+0xd0/0x150 + [<00000000003ef662>] seq_read+0x212/0x4b8 + [<00000000003bf202>] __vfs_read+0x3a/0x178 + [<00000000003bf3ca>] vfs_read+0x8a/0x148 + [<00000000003bfa3a>] ksys_read+0x62/0xb8 + [<0000000000bc2220>] system_call+0xdc/0x2d8 + +That VM_BUG_ON was triggered by the page poisoning introduced in +mm/sparse.c with the git commit d0dc12e86b31 ("mm/memory_hotplug: +optimize memory hotplug"). + +With the same commit the new 'nid' field has been added to the struct +memory_block in order to store and later on derive the node id for +offline pages (instead of accessing struct page which might be +uninitialized). But one reference to nid in show_valid_zones() function +has been overlooked. Fixed with current commit. Also, nr_pages will +not be used any more after test_pages_in_a_zone() call, do not update +it. + +Link: http://lkml.kernel.org/r/20180828090539.41491-1-zaslonko@linux.ibm.com +Fixes: d0dc12e86b31 ("mm/memory_hotplug: optimize memory hotplug") +Signed-off-by: Mikhail Zaslonko +Acked-by: Michal Hocko +Reviewed-by: Pavel Tatashin +Cc: [4.17+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/memory.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -417,25 +417,23 @@ static ssize_t show_valid_zones(struct d + int nid; + + /* +- * The block contains more than one zone can not be offlined. +- * This can happen e.g. for ZONE_DMA and ZONE_DMA32 +- */ +- if (!test_pages_in_a_zone(start_pfn, start_pfn + nr_pages, &valid_start_pfn, &valid_end_pfn)) +- return sprintf(buf, "none\n"); +- +- start_pfn = valid_start_pfn; +- nr_pages = valid_end_pfn - start_pfn; +- +- /* + * Check the existing zone. Make sure that we do that only on the + * online nodes otherwise the page_zone is not reliable + */ + if (mem->state == MEM_ONLINE) { ++ /* ++ * The block contains more than one zone can not be offlined. ++ * This can happen e.g. for ZONE_DMA and ZONE_DMA32 ++ */ ++ if (!test_pages_in_a_zone(start_pfn, start_pfn + nr_pages, ++ &valid_start_pfn, &valid_end_pfn)) ++ return sprintf(buf, "none\n"); ++ start_pfn = valid_start_pfn; + strcat(buf, page_zone(pfn_to_page(start_pfn))->name); + goto out; + } + +- nid = pfn_to_nid(start_pfn); ++ nid = mem->nid; + default_zone = zone_for_pfn_range(MMOP_ONLINE_KEEP, nid, start_pfn, nr_pages); + strcat(buf, default_zone->name); + diff --git a/queue-4.18/mips-vdso-match-data-page-cache-colouring-when-d-aliases.patch b/queue-4.18/mips-vdso-match-data-page-cache-colouring-when-d-aliases.patch new file mode 100644 index 00000000000..260a03dd5fd --- /dev/null +++ b/queue-4.18/mips-vdso-match-data-page-cache-colouring-when-d-aliases.patch @@ -0,0 +1,90 @@ +From 0f02cfbc3d9e413d450d8d0fd660077c23f67eff Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Thu, 30 Aug 2018 11:01:21 -0700 +Subject: MIPS: VDSO: Match data page cache colouring when D$ aliases + +From: Paul Burton + +commit 0f02cfbc3d9e413d450d8d0fd660077c23f67eff upstream. + +When a system suffers from dcache aliasing a user program may observe +stale VDSO data from an aliased cache line. Notably this can break the +expectation that clock_gettime(CLOCK_MONOTONIC, ...) is, as its name +suggests, monotonic. + +In order to ensure that users observe updates to the VDSO data page as +intended, align the user mappings of the VDSO data page such that their +cache colouring matches that of the virtual address range which the +kernel will use to update the data page - typically its unmapped address +within kseg0. + +This ensures that we don't introduce aliasing cache lines for the VDSO +data page, and therefore that userland will observe updates without +requiring cache invalidation. + +Signed-off-by: Paul Burton +Reported-by: Hauke Mehrtens +Reported-by: Rene Nielsen +Reported-by: Alexandre Belloni +Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") +Patchwork: https://patchwork.linux-mips.org/patch/20344/ +Tested-by: Alexandre Belloni +Tested-by: Hauke Mehrtens +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/vdso.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/arch/mips/kernel/vdso.c ++++ b/arch/mips/kernel/vdso.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -20,6 +21,7 @@ + + #include + #include ++#include + #include + + /* Kernel-provided data used by the VDSO. */ +@@ -128,12 +130,30 @@ int arch_setup_additional_pages(struct l + vvar_size = gic_size + PAGE_SIZE; + size = vvar_size + image->size; + ++ /* ++ * Find a region that's large enough for us to perform the ++ * colour-matching alignment below. ++ */ ++ if (cpu_has_dc_aliases) ++ size += shm_align_mask + 1; ++ + base = get_unmapped_area(NULL, 0, size, 0, 0); + if (IS_ERR_VALUE(base)) { + ret = base; + goto out; + } + ++ /* ++ * If we suffer from dcache aliasing, ensure that the VDSO data page ++ * mapping is coloured the same as the kernel's mapping of that memory. ++ * This ensures that when the kernel updates the VDSO data userland ++ * will observe it without requiring cache invalidations. ++ */ ++ if (cpu_has_dc_aliases) { ++ base = __ALIGN_MASK(base, shm_align_mask); ++ base += ((unsigned long)&vdso_data - gic_size) & shm_align_mask; ++ } ++ + data_addr = base + gic_size; + vdso_addr = data_addr + PAGE_SIZE; + diff --git a/queue-4.18/mm-hugetlb-filter-out-hugetlb-pages-if-hugepage-migration-is-not-supported.patch b/queue-4.18/mm-hugetlb-filter-out-hugetlb-pages-if-hugepage-migration-is-not-supported.patch new file mode 100644 index 00000000000..6e905965e8a --- /dev/null +++ b/queue-4.18/mm-hugetlb-filter-out-hugetlb-pages-if-hugepage-migration-is-not-supported.patch @@ -0,0 +1,69 @@ +From 464c7ffbcb164b2e5cebfa406b7fc6cdb7945344 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Tue, 4 Sep 2018 15:45:59 -0700 +Subject: mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not supported. + +From: Aneesh Kumar K.V + +commit 464c7ffbcb164b2e5cebfa406b7fc6cdb7945344 upstream. + +When scanning for movable pages, filter out Hugetlb pages if hugepage +migration is not supported. Without this we hit infinte loop in +__offline_pages() where we do + + pfn = scan_movable_pages(start_pfn, end_pfn); + if (pfn) { /* We have movable pages */ + ret = do_migrate_range(pfn, end_pfn); + goto repeat; + } + +Fix this by checking hugepage_migration_supported both in +has_unmovable_pages which is the primary backoff mechanism for page +offlining and for consistency reasons also into scan_movable_pages +because it doesn't make any sense to return a pfn to non-migrateable +huge page. + +This issue was revealed by, but not caused by 72b39cfc4d75 ("mm, +memory_hotplug: do not fail offlining too early"). + +Link: http://lkml.kernel.org/r/20180824063314.21981-1-aneesh.kumar@linux.ibm.com +Fixes: 72b39cfc4d75 ("mm, memory_hotplug: do not fail offlining too early") +Signed-off-by: Aneesh Kumar K.V +Reported-by: Haren Myneni +Acked-by: Michal Hocko +Reviewed-by: Naoya Horiguchi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory_hotplug.c | 3 ++- + mm/page_alloc.c | 4 ++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1341,7 +1341,8 @@ static unsigned long scan_movable_pages( + if (__PageMovable(page)) + return pfn; + if (PageHuge(page)) { +- if (page_huge_active(page)) ++ if (hugepage_migration_supported(page_hstate(page)) && ++ page_huge_active(page)) + return pfn; + else + pfn = round_up(pfn + 1, +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -7649,6 +7649,10 @@ bool has_unmovable_pages(struct zone *zo + * handle each tail page individually in migration. + */ + if (PageHuge(page)) { ++ ++ if (!hugepage_migration_supported(page_hstate(page))) ++ goto unmovable; ++ + iter = round_up(iter + 1, 1< +Date: Tue, 4 Sep 2018 11:52:34 -0600 +Subject: nbd: don't allow invalid blocksize settings + +From: Jens Axboe + +commit bc811f05d77f47059c197a98b6ad242eb03999cb upstream. + +syzbot reports a divide-by-zero off the NBD_SET_BLKSIZE ioctl. +We need proper validation of the input here. Not just if it's +zero, but also if the value is a power-of-2 and in a valid +range. Add that. + +Cc: stable@vger.kernel.org +Reported-by: syzbot +Reviewed-by: Josef Bacik +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/nbd.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1239,6 +1239,9 @@ static int __nbd_ioctl(struct block_devi + case NBD_SET_SOCK: + return nbd_add_socket(nbd, arg, false); + case NBD_SET_BLKSIZE: ++ if (!arg || !is_power_of_2(arg) || arg < 512 || ++ arg > PAGE_SIZE) ++ return -EINVAL; + nbd_size_set(nbd, arg, + div_s64(config->bytesize, arg)); + return 0; diff --git a/queue-4.18/scsi-lpfc-correct-mds-diag-and-nvmet-configuration.patch b/queue-4.18/scsi-lpfc-correct-mds-diag-and-nvmet-configuration.patch new file mode 100644 index 00000000000..b61d9c715bd --- /dev/null +++ b/queue-4.18/scsi-lpfc-correct-mds-diag-and-nvmet-configuration.patch @@ -0,0 +1,42 @@ +From 53e13ee087a80e8d4fc95436318436e5c2c1f8c2 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Thu, 16 Aug 2018 16:04:05 -0700 +Subject: scsi: lpfc: Correct MDS diag and nvmet configuration + +From: James Smart + +commit 53e13ee087a80e8d4fc95436318436e5c2c1f8c2 upstream. + +A recent change added some MDS processing in the lpfc_drain_txq routine +that relies on the fcp_wq being allocated. For nvmet operation the fcp_wq +is not allocated because it can only be an nvme-target. When the original +MDS support was added LS_MDS_LOOPBACK was defined wrong, (0x16) it should +have been 0x10 (decimal value used for hex setting). This incorrect value +allowed MDS_LOOPBACK to be set simultaneously with LS_NPIV_FAB_SUPPORTED, +causing the driver to crash when it accesses the non-existent fcp_wq. + +Correct the bad value setting for LS_MDS_LOOPBACK. + +Fixes: ae9e28f36a6c ("lpfc: Add MDS Diagnostic support.") +Cc: # v4.12+ +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Tested-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/lpfc/lpfc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -672,7 +672,7 @@ struct lpfc_hba { + #define LS_NPIV_FAB_SUPPORTED 0x2 /* Fabric supports NPIV */ + #define LS_IGNORE_ERATT 0x4 /* intr handler should ignore ERATT */ + #define LS_MDS_LINK_DOWN 0x8 /* MDS Diagnostics Link Down */ +-#define LS_MDS_LOOPBACK 0x16 /* MDS Diagnostics Link Up (Loopback) */ ++#define LS_MDS_LOOPBACK 0x10 /* MDS Diagnostics Link Up (Loopback) */ + + uint32_t hba_flag; /* hba generic flags */ + #define HBA_ERATT_HANDLED 0x1 /* This flag is set when eratt handled */ diff --git a/queue-4.18/series b/queue-4.18/series index e8decc49bac..2812d501fa7 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -18,3 +18,13 @@ smb3-check-for-and-properly-advertise-directory-lease-support.patch cifs-connect-to-servername-instead-of-ip-for-ipc-share.patch btrfs-fix-qgroup_free-wrong-num_bytes-in-btrfs_subvolume_reserve_metadata.patch btrfs-fix-data-corruption-when-deduplicating-between-different-files.patch +arm64-kvm-only-force-fpexc32_el2.en-if-trapping-fpsimd.patch +kvm-arm-arm64-clean-dcache-to-poc-when-changing-pte-due-to-cow.patch +kvm-ppc-book3s-hv-use-correct-pagesize-in-kvm_unmap_radix.patch +kvm-s390-vsie-copy-wrapping-keys-to-right-place.patch +kvm-x86-svm-set-emultype_no_reexecute-for-rsm-emulation.patch +kvm-vmx-do-not-allow-reexecute_instruction-when-skipping-mmio-instr.patch +kvm-x86-invert-emulation-re-execute-behavior-to-make-it-opt-in.patch +kvm-x86-merge-emultype_retry-and-emultype_allow_reexecute.patch +kvm-x86-default-to-not-allowing-emulation-retry-in-kvm_mmu_page_fault.patch +kvm-x86-do-not-re-try-execute-after-failed-emulation-in-l2.patch diff --git a/queue-4.18/smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch b/queue-4.18/smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch new file mode 100644 index 00000000000..2f0f436732d --- /dev/null +++ b/queue-4.18/smb3-backup-intent-flag-missing-for-directory-opens-with-backupuid-mounts.patch @@ -0,0 +1,102 @@ +From 5e19697b56a64004e2d0ff1bb952ea05493c088f Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 27 Aug 2018 17:04:13 -0500 +Subject: SMB3: Backup intent flag missing for directory opens with backupuid mounts + +From: Steve French + +commit 5e19697b56a64004e2d0ff1bb952ea05493c088f upstream. + +When "backup intent" is requested on the mount (e.g. backupuid or +backupgid mount options), the corresponding flag needs to be set +on opens of directories (and files) but was missing in some +places causing access denied trying to enumerate and backup +servers. + +Fixes kernel bugzilla #200953 +https://bugzilla.kernel.org/show_bug.cgi?id=200953 + +Reported-and-tested-by: +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/inode.c | 2 ++ + fs/cifs/smb2ops.c | 25 ++++++++++++++++++++----- + 2 files changed, 22 insertions(+), 5 deletions(-) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -469,6 +469,8 @@ cifs_sfu_type(struct cifs_fattr *fattr, + oparms.cifs_sb = cifs_sb; + oparms.desired_access = GENERIC_READ; + oparms.create_options = CREATE_NOT_DIR; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options |= CREATE_OPEN_BACKUP_INTENT; + oparms.disposition = FILE_OPEN; + oparms.path = path; + oparms.fid = &fid; +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -626,7 +626,10 @@ smb2_is_path_accessible(const unsigned i + oparms.tcon = tcon; + oparms.desired_access = FILE_READ_ATTRIBUTES; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = &fid; + oparms.reconnect = false; + +@@ -775,7 +778,10 @@ smb2_query_eas(const unsigned int xid, s + oparms.tcon = tcon; + oparms.desired_access = FILE_READ_EA; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = &fid; + oparms.reconnect = false; + +@@ -854,7 +860,10 @@ smb2_set_ea(const unsigned int xid, stru + oparms.tcon = tcon; + oparms.desired_access = FILE_WRITE_EA; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = &fid; + oparms.reconnect = false; + +@@ -1460,7 +1469,10 @@ smb2_query_dir_first(const unsigned int + oparms.tcon = tcon; + oparms.desired_access = FILE_READ_ATTRIBUTES | FILE_READ_DATA; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = fid; + oparms.reconnect = false; + +@@ -1735,7 +1747,10 @@ smb2_query_symlink(const unsigned int xi + oparms.tcon = tcon; + oparms.desired_access = FILE_READ_ATTRIBUTES; + oparms.disposition = FILE_OPEN; +- oparms.create_options = 0; ++ if (backup_cred(cifs_sb)) ++ oparms.create_options = CREATE_OPEN_BACKUP_INTENT; ++ else ++ oparms.create_options = 0; + oparms.fid = &fid; + oparms.reconnect = false; + diff --git a/queue-4.18/smb3-check-for-and-properly-advertise-directory-lease-support.patch b/queue-4.18/smb3-check-for-and-properly-advertise-directory-lease-support.patch new file mode 100644 index 00000000000..48d9beca24d --- /dev/null +++ b/queue-4.18/smb3-check-for-and-properly-advertise-directory-lease-support.patch @@ -0,0 +1,86 @@ +From f801568332321e2b1e7a8bd26c3e4913a312a2ec Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Fri, 31 Aug 2018 15:12:10 -0500 +Subject: smb3: check for and properly advertise directory lease support + +From: Steve French + +commit f801568332321e2b1e7a8bd26c3e4913a312a2ec upstream. + +Although servers will typically ignore unsupported features, +we should advertise the support for directory leases (as +Windows e.g. does) in the negotiate protocol capabilities we +pass to the server, and should check for the server capability +(CAP_DIRECTORY_LEASING) before sending a lease request for an +open of a directory. This will prevent us from accidentally +sending directory leases to SMB2.1 or SMB2 server for example. + +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 10 +++++----- + fs/cifs/smb2pdu.c | 3 +++ + 2 files changed, 8 insertions(+), 5 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3478,7 +3478,7 @@ struct smb_version_values smb21_values = + struct smb_version_values smb3any_values = { + .version_string = SMB3ANY_VERSION_STRING, + .protocol_id = SMB302_PROT_ID, /* doesn't matter, send protocol array */ +- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION, ++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING, + .large_lock_type = 0, + .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK, + .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK, +@@ -3499,7 +3499,7 @@ struct smb_version_values smb3any_values + struct smb_version_values smbdefault_values = { + .version_string = SMBDEFAULT_VERSION_STRING, + .protocol_id = SMB302_PROT_ID, /* doesn't matter, send protocol array */ +- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION, ++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING, + .large_lock_type = 0, + .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK, + .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK, +@@ -3520,7 +3520,7 @@ struct smb_version_values smbdefault_val + struct smb_version_values smb30_values = { + .version_string = SMB30_VERSION_STRING, + .protocol_id = SMB30_PROT_ID, +- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION, ++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING, + .large_lock_type = 0, + .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK, + .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK, +@@ -3541,7 +3541,7 @@ struct smb_version_values smb30_values = + struct smb_version_values smb302_values = { + .version_string = SMB302_VERSION_STRING, + .protocol_id = SMB302_PROT_ID, +- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION, ++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING, + .large_lock_type = 0, + .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK, + .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK, +@@ -3563,7 +3563,7 @@ struct smb_version_values smb302_values + struct smb_version_values smb311_values = { + .version_string = SMB311_VERSION_STRING, + .protocol_id = SMB311_PROT_ID, +- .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION, ++ .req_capabilities = SMB2_GLOBAL_CAP_DFS | SMB2_GLOBAL_CAP_LEASING | SMB2_GLOBAL_CAP_LARGE_MTU | SMB2_GLOBAL_CAP_PERSISTENT_HANDLES | SMB2_GLOBAL_CAP_ENCRYPTION | SMB2_GLOBAL_CAP_DIRECTORY_LEASING, + .large_lock_type = 0, + .exclusive_lock_type = SMB2_LOCKFLAG_EXCLUSIVE_LOCK, + .shared_lock_type = SMB2_LOCKFLAG_SHARED_LOCK, +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -2179,6 +2179,9 @@ SMB2_open(const unsigned int xid, struct + if (!(server->capabilities & SMB2_GLOBAL_CAP_LEASING) || + *oplock == SMB2_OPLOCK_LEVEL_NONE) + req->RequestedOplockLevel = *oplock; ++ else if (!(server->capabilities & SMB2_GLOBAL_CAP_DIRECTORY_LEASING) && ++ (oparms->create_options & CREATE_NOT_FILE)) ++ req->RequestedOplockLevel = *oplock; /* no srv lease support */ + else { + rc = add_lease_context(server, iov, &n_iov, + oparms->fid->lease_key, oplock);