From: Greg Kroah-Hartman
Date: Sat, 26 May 2018 10:23:12 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.111~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8abb3aa99718365fa8f471cb5635b1fe215e1b9c;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	affs_lookup-close-a-race-with-affs_remove_link.patch
	aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch
	kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch
	mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch
	mips-ptrace-expose-fir-register-through-fp-regset.patch
---
diff --git a/queue-3.18/affs_lookup-close-a-race-with-affs_remove_link.patch b/queue-3.18/affs_lookup-close-a-race-with-affs_remove_link.patch
new file mode 100644
index 00000000000..86c34d7f8ba
--- /dev/null
+++ b/queue-3.18/affs_lookup-close-a-race-with-affs_remove_link.patch
@@ -0,0 +1,54 @@ +From 30da870ce4a4e007c901858a96e9e394a1daa74a Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 6 May 2018 12:15:20 -0400 +Subject: affs_lookup(): close a race with affs_remove_link() + +From: Al Viro + +commit 30da870ce4a4e007c901858a96e9e394a1daa74a upstream. + +we unlock the directory hash too early - if we are looking at secondary +link and primary (in another directory) gets removed just as we unlock, +we could have the old primary moved in place of the secondary, leaving +us to look into freed entry (and leaving our dentry with ->d_fsdata +pointing to a freed entry). + +Cc: stable@vger.kernel.org # 2.4.4+ +Acked-by: David Sterba +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/affs/namei.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/affs/namei.c ++++ b/fs/affs/namei.c +@@ -224,9 +224,10 @@ affs_lookup(struct inode *dir, struct de + + affs_lock_dir(dir); + bh = affs_find_entry(dir, dentry); +- affs_unlock_dir(dir); +- if (IS_ERR(bh)) ++ if (IS_ERR(bh)) { ++ affs_unlock_dir(dir); + return ERR_CAST(bh); ++ } + if (bh) { + u32 ino = bh->b_blocknr; + +@@ -240,10 +241,13 @@ affs_lookup(struct inode *dir, struct de + } + affs_brelse(bh); + inode = affs_iget(sb, ino); +- if (IS_ERR(inode)) ++ if (IS_ERR(inode)) { ++ affs_unlock_dir(dir); + return ERR_CAST(inode); ++ } + } + d_add(dentry, inode); ++ affs_unlock_dir(dir); + return NULL; + } + diff --git a/queue-3.18/aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch b/queue-3.18/aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch new file mode 100644 index 00000000000..ea46ee5c49c --- /dev/null +++ b/queue-3.18/aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch 
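Review bot: the fix leaves three separate affs_unlock_dir() call sites in affs_lookup() (the two IS_ERR() early returns plus the tail after d_add()), so the next error path added to this function is one missed unlock away from leaking the directory lock; a single `out:` label that unlocks and returns would make the lock discipline obvious. A one-line comment above affs_lock_dir() saying that the lock must now be held through affs_iget() and d_add() is also warranted, since the reason (the entry returned by affs_find_entry() can be replaced by affs_remove_link() the moment the hash is unlocked) is only in the commit message. Note that affs_iget() does block I/O, so the critical section is now considerably longer than before, and any lock taken inside affs_iget() has to nest under the directory lock without inversion.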
@@ -0,0 +1,68 @@ +From baf10564fbb66ea222cae66fbff11c444590ffd9 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 20 May 2018 16:46:23 -0400 +Subject: aio: fix io_destroy(2) vs. lookup_ioctx() race + +From: Al Viro + +commit baf10564fbb66ea222cae66fbff11c444590ffd9 upstream. + +kill_ioctx() used to have an explicit RCU delay between removing the +reference from ->ioctx_table and percpu_ref_kill() dropping the refcount. +At some point that delay had been removed, on the theory that +percpu_ref_kill() itself contained an RCU delay. Unfortunately, that was +the wrong kind of RCU delay and it didn't care about rcu_read_lock() used +by lookup_ioctx(). As the result, we could get ctx freed right under +lookup_ioctx(). Tejun has fixed that in a6d7cff472e ("fs/aio: Add explicit +RCU grace period when freeing kioctx"); however, that fix is not enough. + +Suppose io_destroy() from one thread races with e.g. io_setup() from another; +CPU1 removes the reference from current->mm->ioctx_table[...] just as CPU2 +has picked it (under rcu_read_lock()). Then CPU1 proceeds to drop the +refcount, getting it to 0 and triggering a call of free_ioctx_users(), +which proceeds to drop the secondary refcount and once that reaches zero +calls free_ioctx_reqs(). That does + INIT_RCU_WORK(&ctx->free_rwork, free_ioctx); + queue_rcu_work(system_wq, &ctx->free_rwork); +and schedules freeing the whole thing after RCU delay. + +In the meanwhile CPU2 has gotten around to percpu_ref_get(), bumping the +refcount from 0 to 1 and returned the reference to io_setup(). + +Tejun's fix (that queue_rcu_work() in there) guarantees that ctx won't get +freed until after percpu_ref_get(). Sure, we'd increment the counter before +ctx can be freed. Now we are out of rcu_read_lock() and there's nothing to +stop freeing of the whole thing. Unfortunately, CPU2 assumes that since it +has grabbed the reference, ctx is *NOT* going away until it gets around to +dropping that reference. 
+ +The fix is obvious - use percpu_ref_tryget_live() and treat failure as miss. +It's not costlier than what we currently do in normal case, it's safe to +call since freeing *is* delayed and it closes the race window - either +lookup_ioctx() comes before percpu_ref_kill() (in which case ctx->users +won't reach 0 until the caller of lookup_ioctx() drops it) or lookup_ioctx() +fails, ctx->users is unaffected and caller of lookup_ioctx() doesn't see +the object in question at all. + +Cc: stable@kernel.org +Fixes: a6d7cff472e "fs/aio: Add explicit RCU grace period when freeing kioctx" +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1006,8 +1006,8 @@ static struct kioctx *lookup_ioctx(unsig + + ctx = rcu_dereference(table->table[id]); + if (ctx && ctx->user_id == ctx_id) { +- percpu_ref_get(&ctx->users); +- ret = ctx; ++ if (percpu_ref_tryget_live(&ctx->users)) ++ ret = ctx; + } + out: + rcu_read_unlock(); diff --git a/queue-3.18/kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch b/queue-3.18/kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch new file mode 100644 index 00000000000..12dfccbcd39 --- /dev/null +++ b/queue-3.18/kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch 
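Review bot: `if (percpu_ref_tryget_live(&ctx->users)) ret = ctx;` is only a correct "treat failure as miss" if `ret` is initialised to NULL before the `rcu_dereference()`, and that initialiser is outside the hunk; please confirm it, since a tryget failure now has to leave `ret` untouched whereas the old code unconditionally assigned it on a user_id match. The choice of percpu_ref_tryget_live() over percpu_ref_tryget() is the right one and deserves a comment at the call site: after percpu_ref_kill() the count can still be non-zero, and a plain tryget would hand out a reference to a context that io_destroy(2) has already torn down, which is exactly the window described in the commit message. The caller's matching percpu_ref_put() is unchanged, so the ownership rule stays as before: a non-NULL return carries one reference that the caller must drop.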
@@ -0,0 +1,35 @@ +From ba3696e94d9d590d9a7e55f68e81c25dba515191 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 14 May 2018 18:23:50 +0100 +Subject: KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable" + +From: Colin Ian King + +commit ba3696e94d9d590d9a7e55f68e81c25dba515191 upstream. + +Trivial fix to spelling mistake in debugfs_entries text. + +Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM") +Signed-off-by: Colin Ian King +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: kernel-janitors@vger.kernel.org +Cc: # 3.10+ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kvm/mips.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -39,7 +39,7 @@ struct kvm_stats_debugfs_item debugfs_en + { "cache", VCPU_STAT(cache_exits), KVM_STAT_VCPU }, + { "signal", VCPU_STAT(signal_exits), KVM_STAT_VCPU }, + { "interrupt", VCPU_STAT(int_exits), KVM_STAT_VCPU }, +- { "cop_unsuable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU }, ++ { "cop_unusable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU }, + { "tlbmod", VCPU_STAT(tlbmod_exits), KVM_STAT_VCPU }, + { "tlbmiss_ld", VCPU_STAT(tlbmiss_ld_exits), KVM_STAT_VCPU }, + { "tlbmiss_st", VCPU_STAT(tlbmiss_st_exits), KVM_STAT_VCPU }, diff --git a/queue-3.18/mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch b/queue-3.18/mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch new file mode 100644 index 00000000000..511272611f5 --- /dev/null +++ b/queue-3.18/mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch 
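Review bot: renaming the debugfs entry from "cop_unsuable" to "cop_unusable" changes a user-visible path under /sys/kernel/debug/kvm, so any monitoring in a 3.18 deployment that scrapes the old name (kvm_stat and similar tools read these entries) will stop finding it after this stable update; the backport is still correct, but the stable changelog should flag it as a debugfs name change rather than a pure typo fix. No code concern with the one-line hunk itself.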
@@ -0,0 +1,67 @@ +From 9a3a92ccfe3620743d4ae57c987dc8e9c5f88996 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Mon, 14 May 2018 16:49:43 +0100 +Subject: MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs + +From: Maciej W. Rozycki + +commit 9a3a92ccfe3620743d4ae57c987dc8e9c5f88996 upstream. + +Check the TIF_32BIT_FPREGS task setting of the tracee rather than the +tracer in determining the layout of floating-point general registers in +the floating-point context, correcting access to odd-numbered registers +for o32 tracees where the setting disagrees between the two processes. + +Fixes: 597ce1723e0f ("MIPS: Support for 64-bit FP with O32 binaries") +Signed-off-by: Maciej W. Rozycki +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: # 3.14+ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/ptrace.c | 4 ++-- + arch/mips/kernel/ptrace32.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -702,7 +702,7 @@ long arch_ptrace(struct task_struct *chi + fregs = get_fpu_regs(child); + + #ifdef CONFIG_32BIT +- if (test_thread_flag(TIF_32BIT_FPREGS)) { ++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { + /* + * The odd registers are actually the high + * order bits of the values stored in the even +@@ -796,7 +796,7 @@ long arch_ptrace(struct task_struct *chi + child->thread.fpu.fcr31 = 0; + } + #ifdef CONFIG_32BIT +- if (test_thread_flag(TIF_32BIT_FPREGS)) { ++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { + /* + * The odd registers are actually the high + * order bits of the values stored in the even +--- a/arch/mips/kernel/ptrace32.c ++++ b/arch/mips/kernel/ptrace32.c +@@ -97,7 +97,7 @@ long compat_arch_ptrace(struct task_stru + break; + } + fregs = get_fpu_regs(child); +- if (test_thread_flag(TIF_32BIT_FPREGS)) { ++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { + /* + * The odd registers are actually 
the high + * order bits of the values stored in the even +@@ -203,7 +203,7 @@ long compat_arch_ptrace(struct task_stru + sizeof(child->thread.fpu)); + child->thread.fpu.fcr31 = 0; + } +- if (test_thread_flag(TIF_32BIT_FPREGS)) { ++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { + /* + * The odd registers are actually the high + * order bits of the values stored in the even diff --git a/queue-3.18/mips-ptrace-expose-fir-register-through-fp-regset.patch b/queue-3.18/mips-ptrace-expose-fir-register-through-fp-regset.patch new file mode 100644 index 00000000000..0f3e955fe3e --- /dev/null +++ b/queue-3.18/mips-ptrace-expose-fir-register-through-fp-regset.patch 
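Review bot: the same `test_tsk_thread_flag(child, TIF_32BIT_FPREGS)` decision now appears four times (PEEKUSR and POKEUSR in both ptrace.c and ptrace32.c), each followed by a duplicated comment about odd registers holding the high halves of the even ones; a small helper taking the tracee, for instance `static inline bool fpr_is_32bit(struct task_struct *tsk)`, would keep the tracee-versus-tracer choice in one place so this bug cannot be reintroduced in one copy. The change itself is right: the layout of `fregs` belongs to `child`, whose flag is stable while it is ptrace-stopped, and test_thread_flag() was silently reading `current`'s ABI, so a 64-bit FP tracer debugging an o32 tracee read and wrote the wrong halves of odd-numbered registers. ptrace32.c is the compat path built only for 64-bit kernels, so its unconditional check (without the CONFIG_32BIT guard used in ptrace.c) is expected.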
@@ -0,0 +1,96 @@ +From 71e909c0cdad28a1df1fa14442929e68615dee45 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Mon, 30 Apr 2018 15:56:47 +0100 +Subject: MIPS: ptrace: Expose FIR register through FP regset + +From: Maciej W. Rozycki + +commit 71e909c0cdad28a1df1fa14442929e68615dee45 upstream. + +Correct commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") +and expose the FIR register using the unused 4 bytes at the end of the +NT_PRFPREG regset. Without that register included clients cannot use +the PTRACE_GETREGSET request to retrieve the complete FPU register set +and have to resort to one of the older interfaces, either PTRACE_PEEKUSR +or PTRACE_GETFPREGS, to retrieve the missing piece of data. Also the +register is irreversibly missing from core dumps. + +This register is architecturally hardwired and read-only so the write +path does not matter. Ignore data supplied on writes then. + +Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") +Signed-off-by: James Hogan +Signed-off-by: Maciej W. Rozycki +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: # 3.13+ +Patchwork: https://patchwork.linux-mips.org/patch/19273/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/ptrace.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -444,7 +444,7 @@ static int fpr_get_msa(struct task_struc + /* + * Copy the floating-point context to the supplied NT_PRFPREG buffer. + * Choose the appropriate helper for general registers, and then copy +- * the FCSR register separately. ++ * the FCSR and FIR registers separately. 
+ */ + static int fpr_get(struct task_struct *target, + const struct user_regset *regset, +@@ -452,6 +452,7 @@ static int fpr_get(struct task_struct *t + void *kbuf, void __user *ubuf) + { + const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t); ++ const int fir_pos = fcr31_pos + sizeof(u32); + int err; + + if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t)) +@@ -464,6 +465,12 @@ static int fpr_get(struct task_struct *t + err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, + &target->thread.fpu.fcr31, + fcr31_pos, fcr31_pos + sizeof(u32)); ++ if (err) ++ return err; ++ ++ err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, ++ &boot_cpu_data.fpu_id, ++ fir_pos, fir_pos + sizeof(u32)); + + return err; + } +@@ -512,7 +519,8 @@ static int fpr_set_msa(struct task_struc + /* + * Copy the supplied NT_PRFPREG buffer to the floating-point context. + * Choose the appropriate helper for general registers, and then copy +- * the FCSR register separately. ++ * the FCSR register separately. Ignore the incoming FIR register ++ * contents though, as the register is read-only. + * + * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0', + * which is supposed to have been guaranteed by the kernel before +@@ -526,6 +534,7 @@ static int fpr_set(struct task_struct *t + const void *kbuf, const void __user *ubuf) + { + const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t); ++ const int fir_pos = fcr31_pos + sizeof(u32); + u32 fcr31; + int err; + +@@ -551,6 +560,11 @@ static int fpr_set(struct task_struct *t + target->thread.fpu.fcr31 = fcr31 & ~FPU_CSR_ALL_X; + } + ++ if (count > 0) ++ err = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, ++ fir_pos, ++ fir_pos + sizeof(u32)); ++ + return err; + } + diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..93d7b9d5f85 --- /dev/null +++ b/queue-3.18/series 
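Review bot: fpr_get() exports `boot_cpu_data.fpu_id` as the tracee's FIR, but the updated comment only says FIR is copied "separately"; since FIR is a per-CPU hardwired register and the value chosen is the boot CPU's rather than that of whichever CPU the tracee last ran on, that choice deserves a comment next to `fir_pos` (it is a sensible choice for a regset that must be stable across migrations and in core dumps, but a reader will otherwise wonder). `fir_pos = fcr31_pos + sizeof(u32)` also silently relies on the NT_PRFPREG regset already being 4 bytes larger than 32 FGRs plus FCSR, which the commit message describes as the previously unused tail; a comment or a BUILD_BUG_ON tying `fir_pos + sizeof(u32)` to the regset's size would protect that invariant if elf_fpreg_t or the regset descriptor ever changes. In fpr_set() the `if (count > 0)` guard is fine, but the copyin_ignore call assigns `err`, so it matters that every earlier failure in the function returns before reaching it rather than falling through with `err` set and getting it overwritten.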
@@ -0,0 +1,5 @@ +mips-ptrace-expose-fir-register-through-fp-regset.patch +mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch +kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch +affs_lookup-close-a-race-with-affs_remove_link.patch +aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..587aacbc7d3 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,7 @@ +mips-c-r4k-fix-data-corruption-related-to-cache-coherence.patch +mips-ptrace-expose-fir-register-through-fp-regset.patch +mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch +kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch +affs_lookup-close-a-race-with-affs_remove_link.patch +fs-don-t-scan-the-inode-cache-before-sb_born-is-set.patch +aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch diff --git a/queue-4.16/series b/queue-4.16/series new file mode 100644 index 00000000000..d1c82149285 --- /dev/null +++ b/queue-4.16/series @@ -0,0 +1,11 @@ +mips-xilfpga-stop-generating-useless-dtb.o.patch +mips-xilfpga-actually-include-fdt-in-fitimage.patch +mips-c-r4k-fix-data-corruption-related-to-cache-coherence.patch +mips-fix-build-with-debug_zboot-and-mach_jz4770.patch +mips-ptrace-expose-fir-register-through-fp-regset.patch +mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch +kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch +affs_lookup-close-a-race-with-affs_remove_link.patch +fix-breakage-caused-by-d_find_alias-semantics-change.patch +fs-don-t-scan-the-inode-cache-before-sb_born-is-set.patch +aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..93d7b9d5f85 --- /dev/null +++ b/queue-4.4/series 
@@ -0,0 +1,5 @@ +mips-ptrace-expose-fir-register-through-fp-regset.patch +mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch +kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch +affs_lookup-close-a-race-with-affs_remove_link.patch +aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..e0935263602 --- /dev/null +++ b/queue-4.9/series @@ -0,0 +1,6 @@ +mips-c-r4k-fix-data-corruption-related-to-cache-coherence.patch +mips-ptrace-expose-fir-register-through-fp-regset.patch +mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch +kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch +affs_lookup-close-a-race-with-affs_remove_link.patch +aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch