From: Greg Kroah-Hartman
Date: Tue, 24 Apr 2018 13:50:31 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.16.5~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bdd5ee428d1b6430e98d5f5048a610c4da7f1c04;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
perf-fix-sample_max_stack-maximum-check.patch
perf-return-proper-values-for-user-stack-errors.patch
rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch
---
diff --git a/queue-4.9/perf-fix-sample_max_stack-maximum-check.patch b/queue-4.9/perf-fix-sample_max_stack-maximum-check.patch
new file mode 100644
index 00000000000..98e89492ef5
--- /dev/null
+++ b/queue-4.9/perf-fix-sample_max_stack-maximum-check.patch
@@ -0,0 +1,90 @@
+From 5af44ca53d019de47efe6dbc4003dd518e5197ed Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Sun, 15 Apr 2018 11:23:51 +0200
+Subject: perf: Fix sample_max_stack maximum check
+
+From: Jiri Olsa
+
+commit 5af44ca53d019de47efe6dbc4003dd518e5197ed upstream.
+
+The syzbot hit KASAN bug in perf_callchain_store having the entry stored
+behind the allocated bounds [1].
+
+We miss the sample_max_stack check for the initial event that allocates
+callchain buffers. This missing check allows to create an event with
+sample_max_stack value bigger than the global sysctl maximum:
+
+ # sysctl -a | grep perf_event_max_stack
+ kernel.perf_event_max_stack = 127
+
+ # perf record -vv -C 1 -e cycles/max-stack=256/ kill
+ ...
+ perf_event_attr:
+ size 112
+ ...
+ sample_max_stack 256
+ ------------------------------------------------------------
+ sys_perf_event_open: pid -1 cpu 1 group_fd -1 flags 0x8 = 4
+
+Note the '-C 1', which forces perf record to create just single event.
+Otherwise it opens event for every cpu, then the sample_max_stack check
+fails on the second event and all's fine.
+
+The fix is to run the sample_max_stack check also for the first event
+with callchains.
+
+[1] https://marc.info/?l=linux-kernel&m=152352732920874&w=2
+
+Reported-by: syzbot+7c449856228b63ac951e@syzkaller.appspotmail.com
+Signed-off-by: Jiri Olsa
+Cc: Alexander Shishkin
+Cc: Andi Kleen
+Cc: H. 
Peter Anvin
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: syzkaller-bugs@googlegroups.com
+Cc: x86@kernel.org
+Fixes: 97c79a38cd45 ("perf core: Per event callchain limit")
+Link: http://lkml.kernel.org/r/20180415092352.12403-2-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/events/callchain.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/kernel/events/callchain.c
++++ b/kernel/events/callchain.c
+@@ -117,19 +117,22 @@ int get_callchain_buffers(int event_max_
+ goto exit;
+ }
+
++ /*
++ * If requesting per event more than the global cap,
++ * return a different error to help userspace figure
++ * this out.
++ *
++ * And also do it here so that we have &callchain_mutex held.
++ */
++ if (event_max_stack > sysctl_perf_event_max_stack) {
++ err = -EOVERFLOW;
++ goto exit;
++ }
++
+ if (count > 1) {
+ /* If the allocation failed, give up */
+ if (!callchain_cpus_entries)
+ err = -ENOMEM;
+- /*
+- * If requesting per event more than the global cap,
+- * return a different error to help userspace figure
+- * this out.
+- *
+- * And also do it here so that we have &callchain_mutex held.
+- */
+- if (event_max_stack > sysctl_perf_event_max_stack)
+- err = -EOVERFLOW;
+ goto exit;
+ }
+
diff --git a/queue-4.9/perf-return-proper-values-for-user-stack-errors.patch b/queue-4.9/perf-return-proper-values-for-user-stack-errors.patch
new file mode 100644
index 00000000000..2f1b59844ce
--- /dev/null
+++ b/queue-4.9/perf-return-proper-values-for-user-stack-errors.patch
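Review bot: The relocated check in get_callchain_buffers still only explains the choice of error code, not why its placement matters for memory safety; the commit message shows that skipping it for the first event lets perf_callchain_store write past the allocated entries, which are presumably sized from sysctl_perf_event_max_stack rather than from the event's own limit. I would extend the added comment with `* The entry buffers are sized from the global cap, so a larger per-event` / `* limit has to be rejected before any event can record into them.` The remark about holding &callchain_mutex is likewise unexplained on this page; if the sysctl write path updates the cap under the same mutex, the comment should say so, since that is what makes the comparison stable. get_callchain_buffers begins and ends outside the hunk.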
@@ -0,0 +1,46 @@
+From 78b562fbfa2cf0a9fcb23c3154756b690f4905c1 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Sun, 15 Apr 2018 11:23:50 +0200
+Subject: perf: Return proper values for user stack errors
+
+From: Jiri Olsa
+
+commit 78b562fbfa2cf0a9fcb23c3154756b690f4905c1 upstream.
+
+Return immediately when we find issue in the user stack checks. The
+error value could get overwritten by following check for
+PERF_SAMPLE_REGS_INTR.
+
+Signed-off-by: Jiri Olsa
+Cc: Alexander Shishkin
+Cc: Andi Kleen
+Cc: H. Peter Anvin
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: syzkaller-bugs@googlegroups.com
+Cc: x86@kernel.org
+Fixes: 60e2364e60e8 ("perf: Add ability to sample machine state on interrupt")
+Link: http://lkml.kernel.org/r/20180415092352.12403-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/events/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9456,9 +9456,9 @@ static int perf_copy_attr(struct perf_ev
+ * __u16 sample size limit.
+ */
+ if (attr->sample_stack_user >= USHRT_MAX)
+- ret = -EINVAL;
++ return -EINVAL;
+ else if (!IS_ALIGNED(attr->sample_stack_user, sizeof(u64)))
+- ret = -EINVAL;
++ return -EINVAL;
+ }
+
+ if (attr->sample_type & PERF_SAMPLE_REGS_INTR)
diff --git a/queue-4.9/rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch b/queue-4.9/rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch
new file mode 100644
index 00000000000..0bf4a66f9e6
--- /dev/null
+++ b/queue-4.9/rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch
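Review bot: The two early returns cover only the assignments visible in this hunk, while the commit message describes the defect as any `ret` value being overwritten by the later PERF_SAMPLE_REGS_INTR check; if the same PERF_SAMPLE_STACK_USER block assigns `ret` anywhere above the hunk's first context line, that path is still clobbered and should become a `return` as well. Both the block and perf_copy_attr start outside the hunk, so this needs confirming against the full function in the 4.9 tree before the backport is queued. A one-line comment on the first `return -EINVAL;` such as `/* return directly: a later check would overwrite ret */` would also stop someone reintroducing the assignment form.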
@@ -0,0 +1,77 @@
+From 75a4598209cbe45540baa316c3b51d9db222e96e Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Sun, 11 Mar 2018 13:51:32 +0200
+Subject: RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs
+
+From: Leon Romanovsky
+
+commit 75a4598209cbe45540baa316c3b51d9db222e96e upstream.
+
+mlx5 modify_qp() relies on FW that the error will be thrown if wrong
+state is supplied. The missing check in FW causes the following crash
+while using XRC_TGT QPs.
+
+[ 14.769632] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 14.771085] IP: mlx5_ib_modify_qp+0xf60/0x13f0
+[ 14.771894] PGD 800000001472e067 P4D 800000001472e067 PUD 14529067 PMD 0
+[ 14.773126] Oops: 0002 [#1] SMP PTI
+[ 14.773763] CPU: 0 PID: 365 Comm: ubsan Not tainted 4.16.0-rc1-00038-g8151138c0793 #119
+[ 14.775192] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
+[ 14.777522] RIP: 0010:mlx5_ib_modify_qp+0xf60/0x13f0
+[ 14.778417] RSP: 0018:ffffbf48001c7bd8 EFLAGS: 00010246
+[ 14.779346] RAX: 0000000000000000 RBX: ffff9a8f9447d400 RCX: 0000000000000000
+[ 14.780643] RDX: 0000000000000000 RSI: 000000000000000a RDI: 0000000000000000
+[ 14.781930] RBP: 0000000000000000 R08: 00000000000217b0 R09: ffffffffbc9c1504
+[ 14.783214] R10: fffff4a180519480 R11: ffff9a8f94523600 R12: ffff9a8f9493e240
+[ 14.784507] R13: ffff9a8f9447d738 R14: 000000000000050a R15: 0000000000000000
+[ 14.785800] FS: 00007f545b466700(0000) GS:ffff9a8f9fc00000(0000) knlGS:0000000000000000
+[ 14.787073] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 14.787792] CR2: 0000000000000000 CR3: 00000000144be000 CR4: 00000000000006b0
+[ 14.788689] Call Trace:
+[ 14.789007] _ib_modify_qp+0x71/0x120
+[ 14.789475] modify_qp.isra.20+0x207/0x2f0
+[ 14.790010] ib_uverbs_modify_qp+0x90/0xe0
+[ 14.790532] ib_uverbs_write+0x1d2/0x3c0
+[ 14.791049] ? __handle_mm_fault+0x93c/0xe40
+[ 14.791644] __vfs_write+0x36/0x180
+[ 14.792096] ? 
handle_mm_fault+0xc1/0x210
+[ 14.792601] vfs_write+0xad/0x1e0
+[ 14.793018] SyS_write+0x52/0xc0
+[ 14.793422] do_syscall_64+0x75/0x180
+[ 14.793888] entry_SYSCALL_64_after_hwframe+0x21/0x86
+[ 14.794527] RIP: 0033:0x7f545ad76099
+[ 14.794975] RSP: 002b:00007ffd78787468 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
+[ 14.795958] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f545ad76099
+[ 14.797075] RDX: 0000000000000078 RSI: 0000000020009000 RDI: 0000000000000003
+[ 14.798140] RBP: 00007ffd78787470 R08: 00007ffd78787480 R09: 00007ffd78787480
+[ 14.799207] R10: 00007ffd78787480 R11: 0000000000000287 R12: 00005599ada98760
+[ 14.800277] R13: 00007ffd78787560 R14: 0000000000000000 R15: 0000000000000000
+[ 14.801341] Code: 4c 8b 1c 24 48 8b 83 70 02 00 00 48 c7 83 cc 02 00
+00 00 00 00 48 c7 83 24 03 00 00 00 00 00 00 c7 83 2c 03 00 00 00 00
+00 00 00 00 00 00 00 48 8b 83 70 02 00 00 c7 40 04 00 00 00 00 4c
+[ 14.804012] RIP: mlx5_ib_modify_qp+0xf60/0x13f0 RSP: ffffbf48001c7bd8
+[ 14.804838] CR2: 0000000000000000
+[ 14.805288] ---[ end trace 3f1da0df5c8b7c37 ]---
+
+Cc: syzkaller
+Reported-by: Maor Gottlieb
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -2848,7 +2848,8 @@ static int __mlx5_ib_modify_qp(struct ib
+ * If we moved a kernel QP to RESET, clean up all old CQ
+ * entries and reinitialize the QP.
+ */
+- if (new_state == IB_QPS_RESET && !ibqp->uobject) {
++ if (new_state == IB_QPS_RESET &&
++ !ibqp->uobject && ibqp->qp_type != IB_QPT_XRC_TGT) {
+ mlx5_ib_cq_clean(recv_cq, base->mqp.qpn,
+ ibqp->srq ? to_msrq(ibqp->srq) : NULL);
+ if (send_cq != recv_cq)
diff --git a/queue-4.9/series b/queue-4.9/series
index 22c649822a9..6ae272beff7 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
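Review bot: The comment above the changed condition still says only that kernel QPs moved to RESET get their CQ entries cleaned, so nothing tells a reader why XRC_TGT QPs are now excluded; the oops in the message faults on a NULL pointer inside mlx5_ib_modify_qp, which suggests recv_cq and send_cq are NULL for that QP type, but the hunk does not show where they are looked up. I would add to the comment `* XRC_TGT QPs have no CQs attached, so there is nothing to clean for them.`, once that is confirmed against the CQ lookup earlier in the function. The type test is also narrower than the hazard it guards: if any other QP type can reach this point with a NULL CQ, checking the pointers themselves before calling mlx5_ib_cq_clean would be the more robust guard. __mlx5_ib_modify_qp starts and ends outside the hunk.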
@@ -10,3 +10,6 @@ usb-musb-call-pm_runtime_-get-put-_sync-before-reading-vbus-registers.patch
 usb-musb-fix-external-abort-in-musb_remove-on-omap2430.patch
 powerpc-eeh-fix-race-with-driver-un-bind.patch
 revert-perf-tools-decompress-kernel-module-when-reading-dso.patch
+perf-fix-sample_max_stack-maximum-check.patch
+perf-return-proper-values-for-user-stack-errors.patch
+rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch