From: Greg Kroah-Hartman Date: Wed, 21 Feb 2018 09:41:32 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.15.5~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bfddf40301a7524b15cbf5d328f524b64651d26a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: dm-correctly-handle-chained-bios-in-dec_pending.patch vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch x86-fix-build-warnign-with-32-bit-pae.patch --- diff --git a/queue-4.9/dm-correctly-handle-chained-bios-in-dec_pending.patch b/queue-4.9/dm-correctly-handle-chained-bios-in-dec_pending.patch new file mode 100644 index 00000000000..1f13dcd4bab --- /dev/null +++ b/queue-4.9/dm-correctly-handle-chained-bios-in-dec_pending.patch @@ -0,0 +1,55 @@ +From 8dd601fa8317243be887458c49f6c29c2f3d719f Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Thu, 15 Feb 2018 20:00:15 +1100 +Subject: dm: correctly handle chained bios in dec_pending() + +From: NeilBrown + +commit 8dd601fa8317243be887458c49f6c29c2f3d719f upstream. + +dec_pending() is given an error status (possibly 0) to be recorded +against a bio. It can be called several times on the one 'struct +dm_io', and it is careful to only assign a non-zero error to +io->status. However when it then assigned io->status to bio->bi_status, +it is not careful and could overwrite a genuine error status with 0. + +This can happen when chained bios are in use. If a bio is chained +beneath the bio that this dm_io is handling, the child bio might +complete and set bio->bi_status before the dm_io completes. + +This has been possible since chained bios were introduced in 3.14, and +has become a lot easier to trigger with commit 18a25da84354 ("dm: ensure +bio submission follows a depth-first tree walk") as that commit caused +dm to start using chained bios itself. + +A particular failure mode is that if a bio spans an 'error' target and a +working target, the 'error' fragment will complete instantly and set the +->bi_status, and the other fragment will normally complete a little +later, and will clear ->bi_status. + +The fix is simply to only assign io_error to bio->bi_status when +io_error is not zero. + +Reported-and-tested-by: Milan Broz +Cc: stable@vger.kernel.org (v3.14+) +Signed-off-by: NeilBrown +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/md/dm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -809,7 +809,8 @@ static void dec_pending(struct dm_io *io + } else { + /* done with normal IO or empty flush */ + trace_block_bio_complete(md->queue, bio, io_error); +- bio->bi_error = io_error; ++ if (io_error) ++ bio->bi_error = io_error; + bio_endio(bio); + } + } diff --git a/queue-4.9/series b/queue-4.9/series index f5b333e6c03..525b9a8e3d8 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -30,6 +30,7 @@ alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1204.patch alsa-seq-fix-racy-pool-initializations.patch mvpp2-fix-multicast-address-filter.patch usb-move-usb_uhci_big_endian_-out-of-usb_support.patch +dm-correctly-handle-chained-bios-in-dec_pending.patch powerpc-fix-build-errors-in-stable-tree.patch ib-qib-fix-comparison-error-with-qperf-compare-swap-test.patch ib-mlx4-fix-incorrectly-releasing-steerable-ud-qps-when-have-only-eth-ports.patch @@ -63,3 +64,5 @@ selftests-x86-mpx-fix-incorrect-bounds-with-old-_sigfault.patch x86-cpu-rename-cpu_data.x86_mask-to-cpu_data.x86_stepping.patch x86-spectre-fix-an-error-message.patch x86-cpu-change-type-of-x86_cache_size-variable-to-unsigned-int.patch +x86-fix-build-warnign-with-32-bit-pae.patch +vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch diff --git a/queue-4.9/vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch b/queue-4.9/vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch new file mode 100644 index 00000000000..552101939f1 --- /dev/null +++ b/queue-4.9/vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch @@ -0,0 +1,48 @@ +From c0eb027e5aef70b71e5a38ee3e264dc0b497f343 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sun, 2 Apr 2017 17:10:08 -0700 +Subject: vfs: don't do RCU lookup of empty pathnames + +From: Linus Torvalds + +commit c0eb027e5aef70b71e5a38ee3e264dc0b497f343 upstream. + +Normal pathname lookup doesn't allow empty pathnames, but using +AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you +can trigger an empty pathname lookup. + +And not only is the RCU lookup in that case entirely unnecessary +(because we'll obviously immediately finalize the end result), it is +actively wrong. + +Why? An empth path is a special case that will return the original +'dirfd' dentry - and that dentry may not actually be RCU-free'd, +resulting in a potential use-after-free if we were to initialize the +path lazily under the RCU read lock and depend on complete_walk() +finalizing the dentry. + +Found by syzkaller and KASAN. + +Reported-by: Dmitry Vyukov +Reported-by: Vegard Nossum +Acked-by: Al Viro +Signed-off-by: Linus Torvalds +Cc: Eric Biggers +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2138,6 +2138,9 @@ static const char *path_init(struct name + int retval = 0; + const char *s = nd->name->name; + ++ if (!*s) ++ flags &= ~LOOKUP_RCU; ++ + nd->last_type = LAST_ROOT; /* if there are only slashes... */ + nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT; + nd->depth = 0; diff --git a/queue-4.9/x86-fix-build-warnign-with-32-bit-pae.patch b/queue-4.9/x86-fix-build-warnign-with-32-bit-pae.patch new file mode 100644 index 00000000000..ada1e2d985a --- /dev/null +++ b/queue-4.9/x86-fix-build-warnign-with-32-bit-pae.patch @@ -0,0 +1,48 @@ +From arnd@arndb.de Wed Feb 21 10:34:37 2018 +From: Arnd Bergmann +Date: Thu, 15 Feb 2018 16:16:57 +0100 +Subject: x86: fix build warnign with 32-bit PAE +To: stable@vger.kernel.org +Cc: x86@kernel.org, Dave Hansen , Ben Hutchings , Arnd Bergmann , Greg Kroah-Hartman , Hugh Dickins , Kees Cook , linux-kernel@vger.kernel.org +Message-ID: <20180215151710.1473117-2-arnd@arndb.de> + + +I ran into a 4.9 build warning in randconfig testing, starting with the +KAISER patches: + +arch/x86/kernel/ldt.c: In function 'alloc_ldt_struct': +arch/x86/include/asm/pgtable_types.h:208:24: error: large integer implicitly truncated to unsigned type [-Werror=overflow] + #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX) + ^ +arch/x86/kernel/ldt.c:81:6: note: in expansion of macro '__PAGE_KERNEL' + __PAGE_KERNEL); + ^~~~~~~~~~~~~ + +I originally ran into this last year when the patches were part of linux-next, +and tried to work around it by using the proper 'pteval_t' types consistently, +but that caused additional problems. + +This takes a much simpler approach, and makes the argument type of the dummy +helper always 64-bit, which is wide enough for any page table layout and +won't hurt since this call is just an empty stub anyway. + +Fixes: 8f0baadf2bea ("kaiser: merged update") +Signed-off-by: Arnd Bergmann +Acked-by: Kees Cook +Acked-by: Hugh Dickins +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kaiser.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/kaiser.h ++++ b/include/linux/kaiser.h +@@ -32,7 +32,7 @@ static inline void kaiser_init(void) + { + } + static inline int kaiser_add_mapping(unsigned long addr, +- unsigned long size, unsigned long flags) ++ unsigned long size, u64 flags) + { + return 0; + }