From: Greg Kroah-Hartman Date: Thu, 18 Oct 2018 12:45:48 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.18.16~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c95fd1161477c0217b3eb49b9c5808b7926164d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arc-build-don-t-set-cross_compile-in-arch-s-makefile.patch arc-build-get-rid-of-toolchain-check.patch mm-preserve-_page_devmap-across-mprotect-calls.patch mremap-properly-flush-tlb-before-releasing-the-page.patch netfilter-check-for-seqadj-ext-existence-before-adding-it-in-nf_nat_setup_info.patch --- diff --git a/queue-4.9/arc-build-don-t-set-cross_compile-in-arch-s-makefile.patch b/queue-4.9/arc-build-don-t-set-cross_compile-in-arch-s-makefile.patch new file mode 100644 index 00000000000..f14b496c2dc --- /dev/null +++ b/queue-4.9/arc-build-don-t-set-cross_compile-in-arch-s-makefile.patch 
@@ -0,0 +1,70 @@ +From 40660f1fcee8d524a60b5101538e42b1f39f106d Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Sun, 16 Sep 2018 23:47:57 +0300 +Subject: ARC: build: Don't set CROSS_COMPILE in arch's Makefile + +From: Alexey Brodkin + +commit 40660f1fcee8d524a60b5101538e42b1f39f106d upstream. + +There's not much sense in doing that because if user or +his build-system didn't set CROSS_COMPILE we still may +very well make incorrect guess. + +But as it turned out setting CROSS_COMPILE is not as harmless +as one may think: with recent changes that implemented automatic +discovery of __host__ gcc features unconditional setup of +CROSS_COMPILE leads to failures on execution of "make xxx_defconfig" +with absent cross-compiler, for more info see [1]. + +Set CROSS_COMPILE as well gets in the way if we want only to build +.dtb's (again with absent cross-compiler which is not really needed +for building .dtb's), see [2]. + +Note, we had to change LIBGCC assignment type from ":=" to "=" +so that is is resolved on its usage, otherwise if it is resolved +at declaration time with missing CROSS_COMPILE we're getting this +error message from host GCC: + +| gcc: error: unrecognized command line option -mmedium-calls +| gcc: error: unrecognized command line option -mno-sdata + +[1] http://lists.infradead.org/pipermail/linux-snps-arc/2018-September/004308.html +[2] http://lists.infradead.org/pipermail/linux-snps-arc/2018-September/004320.html + +Signed-off-by: Alexey Brodkin +Cc: Masahiro Yamada +Cc: Rob Herring +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/Makefile | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/arch/arc/Makefile ++++ b/arch/arc/Makefile +@@ -8,14 +8,6 @@ + + UTS_MACHINE := arc + +-ifeq ($(CROSS_COMPILE),) +-ifndef CONFIG_CPU_BIG_ENDIAN +-CROSS_COMPILE := arc-linux- +-else +-CROSS_COMPILE := arceb-linux- +-endif +-endif +- + KBUILD_DEFCONFIG := nsim_700_defconfig + + cflags-y += -fno-common -pipe 
-fno-builtin -mmedium-calls -D__linux__ +@@ -75,7 +67,7 @@ ldflags-$(CONFIG_CPU_BIG_ENDIAN) += -EB + # --build-id w/o "-marclinux". Default arc-elf32-ld is OK + ldflags-$(upto_gcc44) += -marclinux + +-LIBGCC := $(shell $(CC) $(cflags-y) --print-libgcc-file-name) ++LIBGCC = $(shell $(CC) $(cflags-y) --print-libgcc-file-name) + + # Modules with short calls might break for calls into builtin-kernel + KBUILD_CFLAGS_MODULE += -mlong-calls -mno-millicode diff --git a/queue-4.9/arc-build-get-rid-of-toolchain-check.patch b/queue-4.9/arc-build-get-rid-of-toolchain-check.patch new file mode 100644 index 00000000000..c4f246482e1 --- /dev/null +++ b/queue-4.9/arc-build-get-rid-of-toolchain-check.patch 
@@ -0,0 +1,65 @@ +From 615f64458ad890ef94abc879a66d8b27236e733a Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Thu, 13 Sep 2018 23:24:28 +0300 +Subject: ARC: build: Get rid of toolchain check + +From: Alexey Brodkin + +commit 615f64458ad890ef94abc879a66d8b27236e733a upstream. + +This check is very naive: we simply test if GCC invoked without +"-mcpu=XXX" has ARC700 define set. In that case we think that GCC +was built with "--with-cpu=arc700" and has libgcc built for ARC700. + +Otherwise if ARC700 is not defined we think that everythng was built +for ARCv2. + +But in reality our life is much more interesting. + +1. Regardless of GCC configuration (i.e. what we pass in "--with-cpu" + it may generate code for any ARC core). + +2. libgcc might be built with explicitly specified "--mcpu=YYY" + +That's exactly what happens in case of multilibbed toolchains: + - GCC is configured with default settings + - All the libs built for many different CPU flavors + +I.e. that check gets in the way of usage of multilibbed +toolchains. And even non-multilibbed toolchains are affected. +OpenEmbedded also builds GCC without "--with-cpu" because +each and every target component later is compiled with explicitly +set "-mcpu=ZZZ". 
+ +Acked-by: Rob Herring +Signed-off-by: Alexey Brodkin +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/Makefile | 14 -------------- + 1 file changed, 14 deletions(-) + +--- a/arch/arc/Makefile ++++ b/arch/arc/Makefile +@@ -22,20 +22,6 @@ cflags-y += -fno-common -pipe -fno-built + cflags-$(CONFIG_ISA_ARCOMPACT) += -mA7 + cflags-$(CONFIG_ISA_ARCV2) += -mcpu=archs + +-is_700 = $(shell $(CC) -dM -E - < /dev/null | grep -q "ARC700" && echo 1 || echo 0) +- +-ifdef CONFIG_ISA_ARCOMPACT +-ifeq ($(is_700), 0) +- $(error Toolchain not configured for ARCompact builds) +-endif +-endif +- +-ifdef CONFIG_ISA_ARCV2 +-ifeq ($(is_700), 1) +- $(error Toolchain not configured for ARCv2 builds) +-endif +-endif +- + ifdef CONFIG_ARC_CURR_IN_REG + # For a global register defintion, make sure it gets passed to every file + # We had a customer reported bug where some code built in kernel was NOT using diff --git a/queue-4.9/mm-preserve-_page_devmap-across-mprotect-calls.patch b/queue-4.9/mm-preserve-_page_devmap-across-mprotect-calls.patch new file mode 100644 index 00000000000..45a2b69e58a --- /dev/null +++ b/queue-4.9/mm-preserve-_page_devmap-across-mprotect-calls.patch 
@@ -0,0 +1,65 @@ +From 4628a64591e6cee181237060961e98c615c33966 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 9 Oct 2018 12:19:17 +0200 +Subject: mm: Preserve _PAGE_DEVMAP across mprotect() calls + +From: Jan Kara + +commit 4628a64591e6cee181237060961e98c615c33966 upstream. + +Currently _PAGE_DEVMAP bit is not preserved in mprotect(2) calls. As a +result we will see warnings such as: + +BUG: Bad page map in process JobWrk0013 pte:800001803875ea25 pmd:7624381067 +addr:00007f0930720000 vm_flags:280000f9 anon_vma: (null) mapping:ffff97f2384056f0 index:0 +file:457-000000fe00000030-00000009-000000ca-00000001_2001.fileblock fault:xfs_filemap_fault [xfs] mmap:xfs_file_mmap [xfs] readpage: (null) +CPU: 3 PID: 15848 Comm: JobWrk0013 Tainted: G W 4.12.14-2.g7573215-default #1 SLE12-SP4 (unreleased) +Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.01.00.0833.051120182255 05/11/2018 +Call Trace: + dump_stack+0x5a/0x75 + print_bad_pte+0x217/0x2c0 + ? enqueue_task_fair+0x76/0x9f0 + _vm_normal_page+0xe5/0x100 + zap_pte_range+0x148/0x740 + unmap_page_range+0x39a/0x4b0 + unmap_vmas+0x42/0x90 + unmap_region+0x99/0xf0 + ? vma_gap_callbacks_rotate+0x1a/0x20 + do_munmap+0x255/0x3a0 + vm_munmap+0x54/0x80 + SyS_munmap+0x1d/0x30 + do_syscall_64+0x74/0x150 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 +... + +when mprotect(2) gets used on DAX mappings. Also there is a wide variety +of other failures that can result from the missing _PAGE_DEVMAP flag +when the area gets used by get_user_pages() later. + +Fix the problem by including _PAGE_DEVMAP in a set of flags that get +preserved by mprotect(2). 
+ +Fixes: 69660fd797c3 ("x86, mm: introduce _PAGE_DEVMAP") +Fixes: ebd31197931d ("powerpc/mm: Add devmap support for ppc64") +Cc: +Signed-off-by: Jan Kara +Acked-by: Michal Hocko +Reviewed-by: Johannes Thumshirn +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/pgtable_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/pgtable_types.h ++++ b/arch/x86/include/asm/pgtable_types.h +@@ -134,7 +134,7 @@ + */ + #define _PAGE_CHG_MASK (PTE_PFN_MASK | _PAGE_PCD | _PAGE_PWT | \ + _PAGE_SPECIAL | _PAGE_ACCESSED | _PAGE_DIRTY | \ +- _PAGE_SOFT_DIRTY) ++ _PAGE_SOFT_DIRTY | _PAGE_DEVMAP) + #define _HPAGE_CHG_MASK (_PAGE_CHG_MASK | _PAGE_PSE) + + /* The ASID is the lower 12 bits of CR3 */ diff --git a/queue-4.9/mremap-properly-flush-tlb-before-releasing-the-page.patch b/queue-4.9/mremap-properly-flush-tlb-before-releasing-the-page.patch new file mode 100644 index 00000000000..f4f71c84484 --- /dev/null +++ b/queue-4.9/mremap-properly-flush-tlb-before-releasing-the-page.patch 
@@ -0,0 +1,170 @@ +From eb66ae030829605d61fbef1909ce310e29f78821 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 12 Oct 2018 15:22:59 -0700 +Subject: mremap: properly flush TLB before releasing the page + +From: Linus Torvalds + +commit eb66ae030829605d61fbef1909ce310e29f78821 upstream. + +Jann Horn points out that our TLB flushing was subtly wrong for the +mremap() case. What makes mremap() special is that we don't follow the +usual "add page to list of pages to be freed, then flush tlb, and then +free pages". No, mremap() obviously just _moves_ the page from one page +table location to another. + +That matters, because mremap() thus doesn't directly control the +lifetime of the moved page with a freelist: instead, the lifetime of the +page is controlled by the page table locking, that serializes access to +the entry. + +As a result, we need to flush the TLB not just before releasing the lock +for the source location (to avoid any concurrent accesses to the entry), +but also before we release the destination page table lock (to avoid the +TLB being flushed after somebody else has already done something to that +page). + +This also makes the whole "need_flush" logic unnecessary, since we now +always end up flushing the TLB for every valid entry. 
+ +Reported-and-tested-by: Jann Horn +Acked-by: Will Deacon +Tested-by: Ingo Molnar +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/huge_mm.h | 2 +- + mm/huge_memory.c | 10 ++++------ + mm/mremap.c | 30 +++++++++++++----------------- + 3 files changed, 18 insertions(+), 24 deletions(-) + +--- a/include/linux/huge_mm.h ++++ b/include/linux/huge_mm.h +@@ -22,7 +22,7 @@ extern int mincore_huge_pmd(struct vm_ar + unsigned char *vec); + extern bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr, + unsigned long new_addr, unsigned long old_end, +- pmd_t *old_pmd, pmd_t *new_pmd, bool *need_flush); ++ pmd_t *old_pmd, pmd_t *new_pmd); + extern int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, + unsigned long addr, pgprot_t newprot, + int prot_numa); +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1445,7 +1445,7 @@ int zap_huge_pmd(struct mmu_gather *tlb, + + bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr, + unsigned long new_addr, unsigned long old_end, +- pmd_t *old_pmd, pmd_t *new_pmd, bool *need_flush) ++ pmd_t *old_pmd, pmd_t *new_pmd) + { + spinlock_t *old_ptl, *new_ptl; + pmd_t pmd; +@@ -1476,7 +1476,7 @@ bool move_huge_pmd(struct vm_area_struct + if (new_ptl != old_ptl) + spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING); + pmd = pmdp_huge_get_and_clear(mm, old_addr, old_pmd); +- if (pmd_present(pmd) && pmd_dirty(pmd)) ++ if (pmd_present(pmd)) + force_flush = true; + VM_BUG_ON(!pmd_none(*new_pmd)); + +@@ -1487,12 +1487,10 @@ bool move_huge_pmd(struct vm_area_struct + pgtable_trans_huge_deposit(mm, new_pmd, pgtable); + } + set_pmd_at(mm, new_addr, new_pmd, pmd_mksoft_dirty(pmd)); +- if (new_ptl != old_ptl) +- spin_unlock(new_ptl); + if (force_flush) + flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE); +- else +- *need_flush = true; ++ if (new_ptl != old_ptl) ++ spin_unlock(new_ptl); + 
spin_unlock(old_ptl); + return true; + } +--- a/mm/mremap.c ++++ b/mm/mremap.c +@@ -104,7 +104,7 @@ static pte_t move_soft_dirty_pte(pte_t p + static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, + unsigned long old_addr, unsigned long old_end, + struct vm_area_struct *new_vma, pmd_t *new_pmd, +- unsigned long new_addr, bool need_rmap_locks, bool *need_flush) ++ unsigned long new_addr, bool need_rmap_locks) + { + struct mm_struct *mm = vma->vm_mm; + pte_t *old_pte, *new_pte, pte; +@@ -152,15 +152,17 @@ static void move_ptes(struct vm_area_str + + pte = ptep_get_and_clear(mm, old_addr, old_pte); + /* +- * If we are remapping a dirty PTE, make sure ++ * If we are remapping a valid PTE, make sure + * to flush TLB before we drop the PTL for the +- * old PTE or we may race with page_mkclean(). ++ * PTE. + * +- * This check has to be done after we removed the +- * old PTE from page tables or another thread may +- * dirty it after the check and before the removal. ++ * NOTE! Both old and new PTL matter: the old one ++ * for racing with page_mkclean(), the new one to ++ * make sure the physical page stays valid until ++ * the TLB entry for the old mapping has been ++ * flushed. 
+ */ +- if (pte_present(pte) && pte_dirty(pte)) ++ if (pte_present(pte)) + force_flush = true; + pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr); + pte = move_soft_dirty_pte(pte); +@@ -168,13 +170,11 @@ static void move_ptes(struct vm_area_str + } + + arch_leave_lazy_mmu_mode(); ++ if (force_flush) ++ flush_tlb_range(vma, old_end - len, old_end); + if (new_ptl != old_ptl) + spin_unlock(new_ptl); + pte_unmap(new_pte - 1); +- if (force_flush) +- flush_tlb_range(vma, old_end - len, old_end); +- else +- *need_flush = true; + pte_unmap_unlock(old_pte - 1, old_ptl); + if (need_rmap_locks) + drop_rmap_locks(vma); +@@ -189,7 +189,6 @@ unsigned long move_page_tables(struct vm + { + unsigned long extent, next, old_end; + pmd_t *old_pmd, *new_pmd; +- bool need_flush = false; + unsigned long mmun_start; /* For mmu_notifiers */ + unsigned long mmun_end; /* For mmu_notifiers */ + +@@ -220,8 +219,7 @@ unsigned long move_page_tables(struct vm + if (need_rmap_locks) + take_rmap_locks(vma); + moved = move_huge_pmd(vma, old_addr, new_addr, +- old_end, old_pmd, new_pmd, +- &need_flush); ++ old_end, old_pmd, new_pmd); + if (need_rmap_locks) + drop_rmap_locks(vma); + if (moved) +@@ -239,10 +237,8 @@ unsigned long move_page_tables(struct vm + if (extent > LATENCY_LIMIT) + extent = LATENCY_LIMIT; + move_ptes(vma, old_pmd, old_addr, old_addr + extent, new_vma, +- new_pmd, new_addr, need_rmap_locks, &need_flush); ++ new_pmd, new_addr, need_rmap_locks); + } +- if (need_flush) +- flush_tlb_range(vma, old_end-len, old_addr); + + mmu_notifier_invalidate_range_end(vma->vm_mm, mmun_start, mmun_end); + diff --git a/queue-4.9/netfilter-check-for-seqadj-ext-existence-before-adding-it-in-nf_nat_setup_info.patch b/queue-4.9/netfilter-check-for-seqadj-ext-existence-before-adding-it-in-nf_nat_setup_info.patch new file mode 100644 index 00000000000..80b259a0c20 --- /dev/null +++ b/queue-4.9/netfilter-check-for-seqadj-ext-existence-before-adding-it-in-nf_nat_setup_info.patch 
@@ -0,0 +1,62 @@ +From ab6dd1beac7be3c17f8bf3d38bdf29ecb7293f1e Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Thu, 10 Aug 2017 10:22:24 +0800 +Subject: netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info + +From: Xin Long + +commit ab6dd1beac7be3c17f8bf3d38bdf29ecb7293f1e upstream. + +Commit 4440a2ab3b9f ("netfilter: synproxy: Check oom when adding synproxy +and seqadj ct extensions") wanted to drop the packet when it fails to add +seqadj ext due to no memory by checking if nfct_seqadj_ext_add returns +NULL. + +But that nfct_seqadj_ext_add returns NULL can also happen when seqadj ext +already exists in a nf_conn. It will cause that userspace protocol doesn't +work when both dnat and snat are configured. + +Li Shuang found this issue in the case: + +Topo: + ftp client router ftp server + 10.167.131.2 <-> 10.167.131.254 10.167.141.254 <-> 10.167.141.1 + +Rules: + # iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j \ + DNAT --to-destination 10.167.141.1 + # iptables -t nat -A POSTROUTING -o eth2 -p tcp -m tcp --dport 21 -j \ + SNAT --to-source 10.167.141.254 + +In router, when both dnat and snat are added, nf_nat_setup_info will be +called twice. The packet can be dropped at the 2nd time for DNAT due to +seqadj ext is already added at the 1st time for SNAT. + +This patch is to fix it by checking for seqadj ext existence before adding +it, so that the packet will not be dropped if seqadj ext already exists. + +Note that as Florian mentioned, as a long term, we should review ext_add() +behaviour, it's better to return a pointer to the existing ext instead. 
+ +Fixes: 4440a2ab3b9f ("netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions") +Reported-by: Li Shuang +Acked-by: Florian Westphal +Signed-off-by: Xin Long +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_nat_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_nat_core.c ++++ b/net/netfilter/nf_nat_core.c +@@ -421,7 +421,7 @@ nf_nat_setup_info(struct nf_conn *ct, + else + ct->status |= IPS_DST_NAT; + +- if (nfct_help(ct)) ++ if (nfct_help(ct) && !nfct_seqadj(ct)) + if (!nfct_seqadj_ext_add(ct)) + return NF_DROP; + } diff --git a/queue-4.9/series b/queue-4.9/series index 23bccff40f3..6ce3ef5d658 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -20,3 +20,8 @@ risc-v-include-linux-ftrace.h-in-asm-prototypes.h.patch powerpc-tm-fix-userspace-r13-corruption.patch powerpc-tm-avoid-possible-userspace-r1-corruption-on-reclaim.patch iommu-amd-return-devid-as-alias-for-acpi-hid-devices.patch +mremap-properly-flush-tlb-before-releasing-the-page.patch +mm-preserve-_page_devmap-across-mprotect-calls.patch +netfilter-check-for-seqadj-ext-existence-before-adding-it-in-nf_nat_setup_info.patch +arc-build-get-rid-of-toolchain-check.patch +arc-build-don-t-set-cross_compile-in-arch-s-makefile.patch
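Review bot: In arc-build-don-t-set-cross_compile-in-arch-s-makefile.patch, the second arch/arc/Makefile hunk (@@ -75,7 +67,7) changes the LIBGCC assignment from ":=" to "=" with no comment in the Makefile, so the reason for the deferred expansion lives only in the commit message. With "=", $(shell $(CC) $(cflags-y) --print-libgcc-file-name) is re-run on every expansion of LIBGCC, which a later reader can easily take for an oversight and change back to ":=". Suggest a one-line comment above the assignment stating that it must be resolved at use, because CROSS_COMPILE may be missing when the Makefile is parsed.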
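Review bot: In mm-preserve-_page_devmap-across-mprotect-calls.patch, the changelog carries Fixes: ebd31197931d ("powerpc/mm: Add devmap support for ppc64"), but the diffstat and the only hunk (@@ -134,7 +134,7) touch arch/x86/include/asm/pgtable_types.h alone. If the powerpc side is intentionally left out of the 4.9 queue, say so in a backport note below the "upstream" commit line; otherwise the powerpc change mask needs the same _PAGE_DEVMAP addition that _PAGE_CHG_MASK gets here.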
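Review bot: The trailer block of mremap-properly-flush-tlb-before-releasing-the-page.patch lists "Signed-off-by: Greg Kroah-Hartman" twice in a row, directly above the diffstat. Drop the duplicate so the queued patch carries one sign-off per person.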
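Review bot: In mremap-properly-flush-tlb-before-releasing-the-page.patch, the mm/huge_memory.c hunk at @@ -1487,12 +1487,10 moves flush_tlb_range() ahead of spin_unlock(new_ptl) without any comment, while the matching change in move_ptes() gets the "NOTE! Both old and new PTL matter" explanation. The ordering is the whole fix, so move_huge_pmd() should carry the same note next to the flush (or a pointer to the one in mm/mremap.c), to keep a later cleanup from moving the unlock back above it.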
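Review bot: In the net/netfilter/nf_nat_core.c hunk (@@ -421,7 +421,7), the new outer test "if (nfct_help(ct) && !nfct_seqadj(ct))" still guards a second unbraced "if (!nfct_seqadj_ext_add(ct))", which makes the NF_DROP path harder to read now that the outer condition has two terms. Suggest bracing the outer if or folding the three terms into one condition, plus a short comment that a NULL return from nfct_seqadj_ext_add() is treated as an allocation failure only when the extension is not already present, as the changelog explains.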