From: Greg Kroah-Hartman
Date: Thu, 15 Nov 2018 01:07:22 +0000 (-0800)
Subject: 4.19-stable patches
X-Git-Tag: v4.19.3~45
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a742f31b1d5e2d748191e974aec8832da410b52c;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
drm-msm-fix-of-child-node-lookup.patch
fuse-fix-blocked_waitq-wakeup.patch
fuse-fix-use-after-free-in-fuse_dev_do_read.patch
fuse-fix-use-after-free-in-fuse_dev_do_write.patch
fuse-set-fr_sent-while-locked.patch
scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
scsi-qla2xxx-fix-nvme-target-discovery.patch
vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch
---
diff --git a/queue-4.19/drm-msm-fix-of-child-node-lookup.patch b/queue-4.19/drm-msm-fix-of-child-node-lookup.patch
new file mode 100644
index 00000000000..0a26ad66825
--- /dev/null
+++ b/queue-4.19/drm-msm-fix-of-child-node-lookup.patch
@@ -0,0 +1,52 @@
+From f9a7082327e26f54067a49cac2316d31e0cc8ba7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 27 Aug 2018 10:21:47 +0200
+Subject: drm/msm: fix OF child-node lookup
+
+From: Johan Hovold
+
+commit f9a7082327e26f54067a49cac2316d31e0cc8ba7 upstream.
+
+Use the new of_get_compatible_child() helper to lookup the legacy
+pwrlevels child node instead of using of_find_compatible_node(), which
+searches the entire tree from a given start node and thus can return an
+unrelated (i.e. non-child) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the probed device's node).
+
+While at it, also fix the related child-node reference leak.
+
+Fixes: e2af8b6b0ca1 ("drm/msm: gpu: Use OPP tables if we can")
+Cc: stable # 4.12
+Cc: Jordan Crouse
+Cc: Rob Clark
+Cc: David Airlie
+Signed-off-by: Johan Hovold
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+index da1363a0c54d..93d70f4a2154 100644
+--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+@@ -633,8 +633,7 @@ static int adreno_get_legacy_pwrlevels(struct device *dev)
+ struct device_node *child, *node;
+ int ret;
+
+- node = of_find_compatible_node(dev->of_node, NULL,
+- "qcom,gpu-pwrlevels");
++ node = of_get_compatible_child(dev->of_node, "qcom,gpu-pwrlevels");
+ if (!node) {
+ dev_err(dev, "Could not find the GPU powerlevels\n");
+ return -ENXIO;
+@@ -655,6 +654,8 @@ static int adreno_get_legacy_pwrlevels(struct device *dev)
+ dev_pm_opp_add(dev, val, 0);
+ }
+
++ of_node_put(node);
++
+ return 0;
+ }
+
diff --git a/queue-4.19/fuse-fix-blocked_waitq-wakeup.patch b/queue-4.19/fuse-fix-blocked_waitq-wakeup.patch
new file mode 100644
index 00000000000..602eaa85acf
--- /dev/null
+++ b/queue-4.19/fuse-fix-blocked_waitq-wakeup.patch
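Review bot: The new `of_node_put(node)` runs only on the final `return 0` path of adreno_get_legacy_pwrlevels(); the loop body between the two hunks (old lines 637–654) is not visible here, so if it contains any `return` or `break` after the lookup succeeded, that path still leaks the child reference this commit sets out to fix. If such an exit exists, it is cleaner to funnel every exit through one label, e.g. `out: of_node_put(node); return ret;`, than to add a put per path. The `ret` declared in the first hunk is not used on either visible exit, which suggests the hidden body does have an error path worth checking. The function starts and ends outside the hunks.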
@@ -0,0 +1,49 @@
+From 908a572b80f6e9577b45e81b3dfe2e22111286b8 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Fri, 28 Sep 2018 16:43:22 +0200
+Subject: fuse: fix blocked_waitq wakeup
+
+From: Miklos Szeredi
+
+commit 908a572b80f6e9577b45e81b3dfe2e22111286b8 upstream.
+
+Using waitqueue_active() is racy. Make sure we issue a wake_up()
+unconditionally after storing into fc->blocked. After that it's okay to
+optimize with waitqueue_active() since the first wake up provides the
+necessary barrier for all waiters, not the just the woken one.
+
+Signed-off-by: Miklos Szeredi
+Fixes: 3c18ef8117f0 ("fuse: optimize wake_up")
+Cc: # v3.10
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -391,12 +391,19 @@ static void request_end(struct fuse_conn
+ if (test_bit(FR_BACKGROUND, &req->flags)) {
+ spin_lock(&fc->lock);
+ clear_bit(FR_BACKGROUND, &req->flags);
+- if (fc->num_background == fc->max_background)
++ if (fc->num_background == fc->max_background) {
+ fc->blocked = 0;
+-
+- /* Wake up next waiter, if any */
+- if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
+ wake_up(&fc->blocked_waitq);
++ } else if (!fc->blocked) {
++ /*
++ * Wake up next waiter, if any. It's okay to use
++ * waitqueue_active(), as we've already synced up
++ * fc->blocked with waiters with the wake_up() call
++ * above.
++ */
++ if (waitqueue_active(&fc->blocked_waitq))
++ wake_up(&fc->blocked_waitq);
++ }
+
+ if (fc->num_background == fc->congestion_threshold && fc->sb) {
+ clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
diff --git a/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_read.patch b/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_read.patch
new file mode 100644
index 00000000000..9f6ffe2db6d
--- /dev/null
+++ b/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_read.patch
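Review bot: The new comment in the `else if (!fc->blocked)` branch says fc->blocked was already synced with waiters "with the wake_up() call above", but on this branch no wake_up() ran in the current invocation of request_end(); the unconditional wake_up() it relies on was issued by whichever earlier request_end() cleared fc->blocked, possibly on another CPU. A reader taking "above" literally may conclude the ordering is local and later "optimize" the first branch. Suggest rewording to `/* Wake up next waiter, if any. The request_end() that cleared fc->blocked did an unconditional wake_up(), which ordered that store against every waiter, so waitqueue_active() is safe here. */`. request_end() continues outside the hunk.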
@@ -0,0 +1,50 @@
+From bc78abbd55dd28e2287ec6d6502b842321a17c87 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai
+Date: Tue, 25 Sep 2018 12:28:55 +0300
+Subject: fuse: Fix use-after-free in fuse_dev_do_read()
+
+From: Kirill Tkhai
+
+commit bc78abbd55dd28e2287ec6d6502b842321a17c87 upstream.
+
+We may pick freed req in this way:
+
+[cpu0] [cpu1]
+fuse_dev_do_read() fuse_dev_do_write()
+ list_move_tail(&req->list, ...); ...
+ spin_unlock(&fpq->lock); ...
+ ... request_end(fc, req);
+ ... fuse_put_request(fc, req);
+ if (test_bit(FR_INTERRUPTED, ...))
+ queue_interrupt(fiq, req);
+
+Fix that by keeping req alive until we finish all manipulations.
+
+Reported-by: syzbot+4e975615ca01f2277bdd@syzkaller.appspotmail.com
+Signed-off-by: Kirill Tkhai
+Signed-off-by: Miklos Szeredi
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: # v4.2
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1311,12 +1311,14 @@ static ssize_t fuse_dev_do_read(struct f
+ goto out_end;
+ }
+ list_move_tail(&req->list, &fpq->processing);
++ __fuse_get_request(req);
+ spin_unlock(&fpq->lock);
+ set_bit(FR_SENT, &req->flags);
+ /* matches barrier in request_wait_answer() */
+ smp_mb__after_atomic();
+ if (test_bit(FR_INTERRUPTED, &req->flags))
+ queue_interrupt(fiq, req);
++ fuse_put_request(fc, req);
+
+ return reqsize;
+
diff --git a/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_write.patch b/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_write.patch
new file mode 100644
index 00000000000..ad33fd9ba26
--- /dev/null
+++ b/queue-4.19/fuse-fix-use-after-free-in-fuse_dev_do_write.patch
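Review bot: The extra reference taken at `__fuse_get_request(req)` keeps the struct from being freed across `queue_interrupt(fiq, req)`, but it does not stop a concurrent fuse_dev_do_write() from finishing the request through request_end() between `spin_unlock(&fpq->lock)` and the `test_bit(FR_INTERRUPTED, ...)` check; whether queue_interrupt() tolerates an already-finished request (for instance by testing FR_FINISHED before touching the fiq lists) is not visible in this hunk and is worth confirming, since otherwise an interrupt entry can be queued for a request nobody will dequeue. A one-line comment on the get, e.g. `/* pin req: request_end() may run concurrently once fpq->lock is dropped */`, would make the scope of the fix clear to the next reader. fuse_dev_do_read() starts and ends outside the hunk.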
@@ -0,0 +1,60 @@
+From d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai
+Date: Tue, 25 Sep 2018 12:52:42 +0300
+Subject: fuse: Fix use-after-free in fuse_dev_do_write()
+
+From: Kirill Tkhai
+
+commit d2d2d4fb1f54eff0f3faa9762d84f6446a4bc5d0 upstream.
+
+After we found req in request_find() and released the lock,
+everything may happen with the req in parallel:
+
+cpu0 cpu1
+fuse_dev_do_write() fuse_dev_do_write()
+ req = request_find(fpq, ...) ...
+ spin_unlock(&fpq->lock) ...
+ ... req = request_find(fpq, oh.unique)
+ ... spin_unlock(&fpq->lock)
+ queue_interrupt(&fc->iq, req); ...
+ ... ...
+ ... ...
+ request_end(fc, req);
+ fuse_put_request(fc, req);
+ ... queue_interrupt(&fc->iq, req);
+
+
+Signed-off-by: Kirill Tkhai
+Signed-off-by: Miklos Szeredi
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: # v4.2
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1877,16 +1877,20 @@ static ssize_t fuse_dev_do_write(struct
+
+ /* Is it an interrupt reply? */
+ if (req->intr_unique == oh.unique) {
++ __fuse_get_request(req);
+ spin_unlock(&fpq->lock);
+
+ err = -EINVAL;
+- if (nbytes != sizeof(struct fuse_out_header))
++ if (nbytes != sizeof(struct fuse_out_header)) {
++ fuse_put_request(fc, req);
+ goto err_finish;
++ }
+
+ if (oh.error == -ENOSYS)
+ fc->no_interrupt = 1;
+ else if (oh.error == -EAGAIN)
+ queue_interrupt(&fc->iq, req);
++ fuse_put_request(fc, req);
+
+ fuse_copy_finish(cs);
+ return nbytes;
diff --git a/queue-4.19/fuse-set-fr_sent-while-locked.patch b/queue-4.19/fuse-set-fr_sent-while-locked.patch
new file mode 100644
index 00000000000..ef4b622dcd2
--- /dev/null
+++ b/queue-4.19/fuse-set-fr_sent-while-locked.patch
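Review bot: The reference taken by `__fuse_get_request(req)` has to be dropped by hand on both the `nbytes != sizeof(struct fuse_out_header)` error path and the success path because `err_finish` is shared with callers that hold no extra reference, and nothing in the code says so; a comment at the first `fuse_put_request(fc, req)` such as `/* err_finish does not drop the ref taken above */` would keep a later cleanup from folding one of the puts away and leaking the request. As on the read side, the reference pins memory only: request_end() can still finish the request before `queue_interrupt(&fc->iq, req)` runs, and whether queue_interrupt() handles a finished request is not visible here. fuse_dev_do_write() starts and ends outside the hunk.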
@@ -0,0 +1,35 @@
+From 4c316f2f3ff315cb48efb7435621e5bfb81df96d Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Fri, 28 Sep 2018 16:43:22 +0200
+Subject: fuse: set FR_SENT while locked
+
+From: Miklos Szeredi
+
+commit 4c316f2f3ff315cb48efb7435621e5bfb81df96d upstream.
+
+Otherwise fuse_dev_do_write() could come in and finish off the request, and
+the set_bit(FR_SENT, ...) could trigger the WARN_ON(test_bit(FR_SENT, ...))
+in request_end().
+
+Signed-off-by: Miklos Szeredi
+Reported-by: syzbot+ef054c4d3f64cd7f7cec@syzkaller.appspotmai
+Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
+Cc: # v4.2
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1319,8 +1319,8 @@ static ssize_t fuse_dev_do_read(struct f
+ }
+ list_move_tail(&req->list, &fpq->processing);
+ __fuse_get_request(req);
+- spin_unlock(&fpq->lock);
+ set_bit(FR_SENT, &req->flags);
++ spin_unlock(&fpq->lock);
+ /* matches barrier in request_wait_answer() */
+ smp_mb__after_atomic();
+ if (test_bit(FR_INTERRUPTED, &req->flags))
diff --git a/queue-4.19/scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch b/queue-4.19/scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
new file mode 100644
index 00000000000..263a0ca9496
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
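Review bot: The reason `set_bit(FR_SENT, &req->flags)` must stay under fpq->lock lives only in the commit message; in the code it now sits next to the unrelated "matches barrier in request_wait_answer()" comment, so the ordering looks incidental and is easy to undo. Suggest a comment on the set_bit line: `/* must happen under fpq->lock: once it is dropped fuse_dev_do_write() may end the request, and request_end() warns if FR_SENT is set late */`. The `smp_mb__after_atomic()` now follows a spin_unlock() rather than preceding it; that is fine for its stated purpose but worth noting so nobody "restores" the old order. fuse_dev_do_read() starts and ends outside the hunk.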
@@ -0,0 +1,36 @@
+From 39553065f77c297239308470ee313841f4e07db4 Mon Sep 17 00:00:00 2001
+From: Himanshu Madhani
+Date: Wed, 26 Sep 2018 22:05:15 -0700
+Subject: scsi: qla2xxx: Fix driver hang when FC-NVMe LUNs are configured
+
+From: Himanshu Madhani
+
+commit 39553065f77c297239308470ee313841f4e07db4 upstream.
+
+This patch fixes multiple call for qla_nvme_unregister_remote_port() as part
+of qlt_schedule_session_for_deletion(), Do not call it again during
+qla_nvme_delete()
+
+Fixes: e473b3074104 ("scsi: qla2xxx: Add FC-NVMe abort processing")
+Cc:
+Reviewed-by: Ewan D. Milne
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_nvme.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -660,9 +660,6 @@ void qla_nvme_delete(struct scsi_qla_hos
+ __func__, fcport);
+
+ nvme_fc_set_remoteport_devloss(fcport->nvme_remote_port, 0);
+- init_completion(&fcport->nvme_del_done);
+- nvme_fc_unregister_remoteport(fcport->nvme_remote_port);
+- wait_for_completion(&fcport->nvme_del_done);
+ }
+
+ if (vha->nvme_local_port) {
diff --git a/queue-4.19/scsi-qla2xxx-fix-duplicate-switch-database-entries.patch b/queue-4.19/scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
new file mode 100644
index 00000000000..98fb4b48e6c
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
@@ -0,0 +1,40 @@
+From 732ee9a912cf2d9a50c5f9c4213cdc2f885d6aa6 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Wed, 26 Sep 2018 22:05:13 -0700
+Subject: scsi: qla2xxx: Fix duplicate switch database entries
+
+From: Quinn Tran
+
+commit 732ee9a912cf2d9a50c5f9c4213cdc2f885d6aa6 upstream.
+
+The response data buffer used in switch scan is reused 4 times. (For example,
+for commands GPN_FT, GNN_FT for FCP and FC-NVME) Before driver reuses this
+buffer, clear it to prevent duplicate entries in our database.
+
+Fixes: a4239945b8ad1 ("scsi: qla2xxx: Add switch command to simplify fabric discovery"
+Cc:
+Signed-off-by: Quinn Tran
+Reviewed-by: Ewan D. Milne
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -4447,9 +4447,9 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+ sp->u.iocb_cmd.timeout = qla2x00_async_iocb_timeout;
+ qla2x00_init_timer(sp, qla2x00_get_async_timeout(vha) + 2);
+
+- rspsz = sizeof(struct ct_sns_gpnft_rsp) +
+- ((vha->hw->max_fibre_devices - 1) *
+- sizeof(struct ct_sns_gpn_ft_data));
++ rspsz = sp->u.iocb_cmd.u.ctarg.rsp_size;
++ memset(sp->u.iocb_cmd.u.ctarg.rsp, 0, sp->u.iocb_cmd.u.ctarg.rsp_size);
++ memset(sp->u.iocb_cmd.u.ctarg.req, 0, sp->u.iocb_cmd.u.ctarg.req_size);
+
+ ct_sns = (struct ct_sns_pkt *)sp->u.iocb_cmd.u.ctarg.req;
+ /* CT_IU preamble */
diff --git a/queue-4.19/scsi-qla2xxx-fix-nvme-target-discovery.patch b/queue-4.19/scsi-qla2xxx-fix-nvme-target-discovery.patch
new file mode 100644
index 00000000000..c0d25fd990f
--- /dev/null
+++ b/queue-4.19/scsi-qla2xxx-fix-nvme-target-discovery.patch
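Review bot: `rspsz` is now read from `sp->u.iocb_cmd.u.ctarg.rsp_size` instead of being derived from max_fibre_devices, and the same field also bounds the `memset()` of the response buffer; where rsp_size is populated is not in this hunk, so it is worth confirming it equals the size the buffer was actually allocated with on every path that reaches qla24xx_async_gpnft() — a stale value clears (and later DMA-fills) past the allocation, while a zero clears nothing and leaves exactly the stale entries the commit is trying to flush. The request buffer is likewise zeroed before `ct_sns` is built from it, so any field the preamble expected to survive reuse is gone; if that is intended, a short comment on the memsets, `/* buffers are reused across GPN_FT/GNN_FT for FCP and NVMe; drop stale entries */`, records it. qla24xx_async_gpnft() starts and ends outside the hunk.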
@@ -0,0 +1,43 @@
+From db186382af21e926e90df19499475f2552192b77 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Wed, 26 Sep 2018 22:05:12 -0700
+Subject: scsi: qla2xxx: Fix NVMe Target discovery
+
+From: Quinn Tran
+
+commit db186382af21e926e90df19499475f2552192b77 upstream.
+
+This patch fixes issue when remoteport registers itself as both FCP and
+FC-NVMe with the switch, driver will pick FC-NVMe personality as default when
+scanning for targets.
+
+Driver was using comaprative operator instead of bitwise operator to check for
+fc4_type for both FCP and FC-NVME.
+
+Fixes: 2b5b96473efc ("scsi: qla2xxx: Fix FC-NVMe LUN discovery")
+Cc:
+Signed-off-by: Quinn Tran
+Reviewed-by: Ewan D. Milne
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -4808,10 +4808,10 @@ void qla24xx_create_new_sess(struct scsi
+ fcport->d_id = e->u.new_sess.id;
+ fcport->flags |= FCF_FABRIC_DEVICE;
+ fcport->fw_login_state = DSC_LS_PLOGI_PEND;
+- if (e->u.new_sess.fc4_type == FS_FC4TYPE_FCP)
++ if (e->u.new_sess.fc4_type & FS_FC4TYPE_FCP)
+ fcport->fc4_type = FC4_TYPE_FCP_SCSI;
+
+- if (e->u.new_sess.fc4_type == FS_FC4TYPE_NVME) {
++ if (e->u.new_sess.fc4_type & FS_FC4TYPE_NVME) {
+ fcport->fc4_type = FC4_TYPE_OTHER;
+ fcport->fc4f_nvme = FC4_TYPE_NVME;
+ }
diff --git a/queue-4.19/series b/queue-4.19/series
index f59cb64ffdd..c701c934651 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
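Review bot: With both tests now bitwise, a port that advertises FCP and NVMe enters the first branch and sets `fcport->fc4_type = FC4_TYPE_FCP_SCSI`, then the second branch silently overwrites it with `FC4_TYPE_OTHER` and sets `fc4f_nvme`; the commit message says this precedence is intended, but in the code it reads like an accident of statement order. Suggest a comment on the second `if`, e.g. `/* FC-NVMe takes precedence when the port advertises both FCP and NVMe */`, so nobody reorders the two blocks. qla24xx_create_new_sess() starts and ends outside the hunk.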
@@ -57,3 +57,12 @@ scsi-qla2xxx-reject-bsg-request-if-chip-is-down.patch
 scsi-qla2xxx-fix-re-using-loopid-when-handle-is-in-use.patch
 scsi-qla2xxx-fix-for-double-free-of-srb-structure.patch
 scsi-qla2xxx-fix-nvme-session-hang-on-unload.patch
+scsi-qla2xxx-fix-nvme-target-discovery.patch
+scsi-qla2xxx-fix-duplicate-switch-database-entries.patch
+scsi-qla2xxx-fix-driver-hang-when-fc-nvme-luns-are-configured.patch
+vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch
+fuse-fix-use-after-free-in-fuse_dev_do_read.patch
+fuse-fix-use-after-free-in-fuse_dev_do_write.patch
+fuse-fix-blocked_waitq-wakeup.patch
+fuse-set-fr_sent-while-locked.patch
+drm-msm-fix-of-child-node-lookup.patch
diff --git a/queue-4.19/vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch b/queue-4.19/vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch
new file mode 100644
index 00000000000..3be3ee76d9e
--- /dev/null
+++ b/queue-4.19/vfs-fix-figetbsz-ioctl-on-an-overlayfs-file.patch
@@ -0,0 +1,38 @@
+From 8f97d1e99149a7f1aa19e47a51b09764382a482e Mon Sep 17 00:00:00 2001
+From: Amir Goldstein
+Date: Thu, 11 Oct 2018 17:38:14 +0300
+Subject: vfs: fix FIGETBSZ ioctl on an overlayfs file
+
+From: Amir Goldstein
+
+commit 8f97d1e99149a7f1aa19e47a51b09764382a482e upstream.
+
+Some anon_bdev filesystems (e.g. overlayfs, ceph) don't have s_blocksize
+set. Returning zero from FIGETBSZ ioctl results in a Floating point
+exception from the e2fsprogs utility filefrag, which divides the size of
+the file with the value returned by FIGETBSZ.
+
+Fix the interface by returning -EINVAL for these filesystems.
+
+Fixes: d1d04ef8572b ("ovl: stack file ops")
+Cc: # v4.19
+Signed-off-by: Amir Goldstein
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ioctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -669,6 +669,9 @@ int do_vfs_ioctl(struct file *filp, unsi
+ return ioctl_fiemap(filp, arg);
+
+ case FIGETBSZ:
++ /* anon_bdev filesystems may not have a block size */
++ if (!inode->i_sb->s_blocksize)
++ return -EINVAL;
+ return put_user(inode->i_sb->s_blocksize, argp);
+
+ case FICLONE: