From: Greg Kroah-Hartman Date: Sat, 28 Jul 2018 06:50:20 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.17.12~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c302c12c3b85611f50994c8bbd37a6b21f97d20e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: drivers-infiniband-core-verbs.c-fix-build-with-gcc-4.4.4.patch drivers-infiniband-ulp-srpt-ib_srpt.c-fix-build-with-gcc-4.4.4.patch fork-unconditionally-clear-stack-on-fork.patch i2c-core-decrease-reference-count-of-device-node-in-i2c_unregister_device.patch ib-srpt-fix-an-out-of-bounds-stack-access-in-srpt_zerolength_write.patch rdma-core-avoid-that-ib_drain_qp-triggers-an-out-of-bounds-stack-access.patch spi-spi-s3c64xx-fix-system-resume-support.patch --- diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..e69de29bb2d diff --git a/queue-4.14/drivers-infiniband-core-verbs.c-fix-build-with-gcc-4.4.4.patch b/queue-4.14/drivers-infiniband-core-verbs.c-fix-build-with-gcc-4.4.4.patch new file mode 100644 index 00000000000..1c018e6562e --- /dev/null +++ b/queue-4.14/drivers-infiniband-core-verbs.c-fix-build-with-gcc-4.4.4.patch 
@@ -0,0 +1,44 @@ +From 6ee687735e745eafae9e6b93d1ea70bc52e7ad07 Mon Sep 17 00:00:00 2001 +From: Andrew Morton +Date: Tue, 13 Mar 2018 14:51:57 -0700 +Subject: drivers/infiniband/core/verbs.c: fix build with gcc-4.4.4 + +From: Andrew Morton + +commit 6ee687735e745eafae9e6b93d1ea70bc52e7ad07 upstream. + +gcc-4.4.4 has issues with initialization of anonymous unions. + +drivers/infiniband/core/verbs.c: In function '__ib_drain_sq': +drivers/infiniband/core/verbs.c:2204: error: unknown field 'wr_cqe' specified in initializer +drivers/infiniband/core/verbs.c:2204: warning: initialization makes integer from pointer without a cast + +Work around this. + +Fixes: a1ae7d0345edd5 ("RDMA/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access") +Cc: Bart Van Assche +Cc: Steve Wise +Cc: Sagi Grimberg +Cc: Jason Gunthorpe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Doug Ledford +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/verbs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -2118,8 +2118,9 @@ static void __ib_drain_sq(struct ib_qp * + struct ib_send_wr *bad_swr; + struct ib_rdma_wr swr = { + .wr = { ++ .next = NULL, ++ { .wr_cqe = &sdrain.cqe, }, + .opcode = IB_WR_RDMA_WRITE, +- .wr_cqe = &sdrain.cqe, + }, + }; + int ret; diff --git a/queue-4.14/drivers-infiniband-ulp-srpt-ib_srpt.c-fix-build-with-gcc-4.4.4.patch b/queue-4.14/drivers-infiniband-ulp-srpt-ib_srpt.c-fix-build-with-gcc-4.4.4.patch new file mode 100644 index 00000000000..0411cefc022 --- /dev/null +++ b/queue-4.14/drivers-infiniband-ulp-srpt-ib_srpt.c-fix-build-with-gcc-4.4.4.patch 
@@ -0,0 +1,43 @@ +From 06892cc190550807d332c95a0114c7e175584012 Mon Sep 17 00:00:00 2001 +From: Andrew Morton +Date: Tue, 13 Mar 2018 15:06:45 -0700 +Subject: drivers/infiniband/ulp/srpt/ib_srpt.c: fix build with gcc-4.4.4 + +From: Andrew Morton + +commit 06892cc190550807d332c95a0114c7e175584012 upstream. + +gcc-4.4.4 has issues with initialization of anonymous unions: + +drivers/infiniband/ulp/srpt/ib_srpt.c: In function 'srpt_zerolength_write': +drivers/infiniband/ulp/srpt/ib_srpt.c:854: error: unknown field 'wr_cqe' specified in initializer +drivers/infiniband/ulp/srpt/ib_srpt.c:854: warning: initialization makes integer from pointer without a cast + +Work aound this. + +Fixes: 2a78cb4db487 ("IB/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write()") +Cc: Bart Van Assche +Cc: Christoph Hellwig +Cc: Jason Gunthorpe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Doug Ledford +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -790,8 +790,9 @@ static int srpt_zerolength_write(struct + struct ib_send_wr *bad_wr; + struct ib_rdma_wr wr = { + .wr = { ++ .next = NULL, ++ { .wr_cqe = &ch->zw_cqe, }, + .opcode = IB_WR_RDMA_WRITE, +- .wr_cqe = &ch->zw_cqe, + .send_flags = IB_SEND_SIGNALED, + } + }; diff --git a/queue-4.14/fork-unconditionally-clear-stack-on-fork.patch b/queue-4.14/fork-unconditionally-clear-stack-on-fork.patch new file mode 100644 index 00000000000..72e0b96166e --- /dev/null +++ b/queue-4.14/fork-unconditionally-clear-stack-on-fork.patch 
@@ -0,0 +1,99 @@ +From e01e80634ecdde1dd113ac43b3adad21b47f3957 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 20 Apr 2018 14:55:31 -0700 +Subject: fork: unconditionally clear stack on fork + +From: Kees Cook + +commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream. + +One of the classes of kernel stack content leaks[1] is exposing the +contents of prior heap or stack contents when a new process stack is +allocated. Normally, those stacks are not zeroed, and the old contents +remain in place. In the face of stack content exposure flaws, those +contents can leak to userspace. + +Fixing this will make the kernel no longer vulnerable to these flaws, as +the stack will be wiped each time a stack is assigned to a new process. +There's not a meaningful change in runtime performance; it almost looks +like it provides a benefit. + +Performing back-to-back kernel builds before: + Run times: 157.86 157.09 158.90 160.94 160.80 + Mean: 159.12 + Std Dev: 1.54 + +and after: + Run times: 159.31 157.34 156.71 158.15 160.81 + Mean: 158.46 + Std Dev: 1.46 + +Instead of making this a build or runtime config, Andy Lutomirski +recommended this just be enabled by default. + +[1] A noisy search for many kinds of stack content leaks can be seen here: +https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak + +I did some more with perf and cycle counts on running 100,000 execs of +/bin/true. + +before: +Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841 +Mean: 221015379122.60 +Std Dev: 4662486552.47 + +after: +Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348 +Mean: 217745009865.40 +Std Dev: 5935559279.99 + +It continues to look like it's faster, though the deviation is rather +wide, but I'm not sure what I could do that would be less noisy. I'm +open to ideas! 
+ +Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast +Signed-off-by: Kees Cook +Acked-by: Michal Hocko +Reviewed-by: Andrew Morton +Cc: Andy Lutomirski +Cc: Laura Abbott +Cc: Rasmus Villemoes +Cc: Mel Gorman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/thread_info.h | 6 +----- + kernel/fork.c | 3 +-- + 2 files changed, 2 insertions(+), 7 deletions(-) + +--- a/include/linux/thread_info.h ++++ b/include/linux/thread_info.h +@@ -43,11 +43,7 @@ enum { + #define THREAD_ALIGN THREAD_SIZE + #endif + +-#if IS_ENABLED(CONFIG_DEBUG_STACK_USAGE) || IS_ENABLED(CONFIG_DEBUG_KMEMLEAK) +-# define THREADINFO_GFP (GFP_KERNEL_ACCOUNT | __GFP_ZERO) +-#else +-# define THREADINFO_GFP (GFP_KERNEL_ACCOUNT) +-#endif ++#define THREADINFO_GFP (GFP_KERNEL_ACCOUNT | __GFP_ZERO) + + /* + * flag set/clear/test wrappers +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -215,10 +215,9 @@ static unsigned long *alloc_thread_stack + if (!s) + continue; + +-#ifdef CONFIG_DEBUG_KMEMLEAK + /* Clear stale pointers from reused stack. */ + memset(s->addr, 0, THREAD_SIZE); +-#endif ++ + tsk->stack_vm_area = s; + return s->addr; + } diff --git a/queue-4.14/i2c-core-decrease-reference-count-of-device-node-in-i2c_unregister_device.patch b/queue-4.14/i2c-core-decrease-reference-count-of-device-node-in-i2c_unregister_device.patch new file mode 100644 index 00000000000..37daf750f42 --- /dev/null +++ b/queue-4.14/i2c-core-decrease-reference-count-of-device-node-in-i2c_unregister_device.patch 
@@ -0,0 +1,38 @@ +From e0638fa400eaccf9fa8060f67140264c4e276552 Mon Sep 17 00:00:00 2001 +From: Lixin Wang +Date: Mon, 27 Nov 2017 15:06:55 +0800 +Subject: i2c: core: decrease reference count of device node in i2c_unregister_device + +From: Lixin Wang + +commit e0638fa400eaccf9fa8060f67140264c4e276552 upstream. + +Reference count of device node was increased in of_i2c_register_device, +but without decreasing it in i2c_unregister_device. Then the added +device node will never be released. Fix this by adding the of_node_put. + +Signed-off-by: Lixin Wang +Tested-by: Wolfram Sang +Signed-off-by: Wolfram Sang +Cc: stable@kernel.org +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/i2c-core-base.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/i2c-core-base.c ++++ b/drivers/i2c/i2c-core-base.c +@@ -808,8 +808,11 @@ EXPORT_SYMBOL_GPL(i2c_new_device); + */ + void i2c_unregister_device(struct i2c_client *client) + { +- if (client->dev.of_node) ++ if (client->dev.of_node) { + of_node_clear_flag(client->dev.of_node, OF_POPULATED); ++ of_node_put(client->dev.of_node); ++ } ++ + if (ACPI_COMPANION(&client->dev)) + acpi_device_clear_enumerated(ACPI_COMPANION(&client->dev)); + device_unregister(&client->dev); diff --git a/queue-4.14/ib-srpt-fix-an-out-of-bounds-stack-access-in-srpt_zerolength_write.patch b/queue-4.14/ib-srpt-fix-an-out-of-bounds-stack-access-in-srpt_zerolength_write.patch new file mode 100644 index 00000000000..d18e26d0df7 --- /dev/null +++ b/queue-4.14/ib-srpt-fix-an-out-of-bounds-stack-access-in-srpt_zerolength_write.patch 
@@ -0,0 +1,71 @@ +From 2a78cb4db487372152bed2055c038f9634d595e8 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 1 Mar 2018 14:00:30 -0800 +Subject: IB/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write() + +From: Bart Van Assche + +commit 2a78cb4db487372152bed2055c038f9634d595e8 upstream. + +Avoid triggering an out-of-bounds stack access by changing the type +of 'wr' from ib_send_wr into ib_rdma_wr. + +This patch fixes the following KASAN bug report: + +BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x7a9/0x9a0 [rdma_rxe] +Read of size 8 at addr ffff880068197a48 by task kworker/2:1/44 + +Workqueue: ib_cm cm_work_handler [ib_cm] +Call Trace: + dump_stack+0x8e/0xcd + print_address_description+0x6f/0x280 + kasan_report+0x25a/0x380 + __asan_load8+0x54/0x90 + rxe_post_send+0x7a9/0x9a0 [rdma_rxe] + srpt_zerolength_write+0xf0/0x180 [ib_srpt] + srpt_cm_rtu_recv+0x68/0x110 [ib_srpt] + srpt_rdma_cm_handler+0xbb/0x15b [ib_srpt] + cma_ib_handler+0x1aa/0x4a0 [rdma_cm] + cm_process_work+0x30/0x100 [ib_cm] + cm_work_handler+0xa86/0x351b [ib_cm] + process_one_work+0x475/0x9f0 + worker_thread+0x69/0x690 + kthread+0x1ad/0x1d0 + ret_from_fork+0x3a/0x50 + +Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably") +Signed-off-by: Bart Van Assche +Cc: Christoph Hellwig +Cc: stable@vger.kernel.org +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -787,13 +787,16 @@ static int srpt_post_recv(struct srpt_de + */ + static int srpt_zerolength_write(struct srpt_rdma_ch *ch) + { +- struct ib_send_wr wr, *bad_wr; ++ struct ib_send_wr *bad_wr; ++ struct ib_rdma_wr wr = { ++ .wr = { ++ .opcode = IB_WR_RDMA_WRITE, ++ .wr_cqe = &ch->zw_cqe, ++ .send_flags = IB_SEND_SIGNALED, ++ } ++ }; + +- memset(&wr, 0, 
sizeof(wr)); +- wr.opcode = IB_WR_RDMA_WRITE; +- wr.wr_cqe = &ch->zw_cqe; +- wr.send_flags = IB_SEND_SIGNALED; +- return ib_post_send(ch->qp, &wr, &bad_wr); ++ return ib_post_send(ch->qp, &wr.wr, &bad_wr); + } + + static void srpt_zerolength_write_done(struct ib_cq *cq, struct ib_wc *wc) diff --git a/queue-4.14/rdma-core-avoid-that-ib_drain_qp-triggers-an-out-of-bounds-stack-access.patch b/queue-4.14/rdma-core-avoid-that-ib_drain_qp-triggers-an-out-of-bounds-stack-access.patch new file mode 100644 index 00000000000..a8b8cacdcb5 --- /dev/null +++ b/queue-4.14/rdma-core-avoid-that-ib_drain_qp-triggers-an-out-of-bounds-stack-access.patch 
@@ -0,0 +1,91 @@ +From a1ae7d0345edd593d6725d3218434d903a0af95d Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 1 Mar 2018 14:00:28 -0800 +Subject: RDMA/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access + +From: Bart Van Assche + +commit a1ae7d0345edd593d6725d3218434d903a0af95d upstream. + +This patch fixes the following KASAN complaint: + +================================================================== +BUG: KASAN: stack-out-of-bounds in rxe_post_send+0x77d/0x9b0 [rdma_rxe] +Read of size 8 at addr ffff880061aef860 by task 01/1080 + +CPU: 2 PID: 1080 Comm: 01 Not tainted 4.16.0-rc3-dbg+ #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +Call Trace: +dump_stack+0x85/0xc7 +print_address_description+0x65/0x270 +kasan_report+0x231/0x350 +rxe_post_send+0x77d/0x9b0 [rdma_rxe] +__ib_drain_sq+0x1ad/0x250 [ib_core] +ib_drain_qp+0x9/0x30 [ib_core] +srp_destroy_qp+0x51/0x70 [ib_srp] +srp_free_ch_ib+0xfc/0x380 [ib_srp] +srp_create_target+0x1071/0x19e0 [ib_srp] +kernfs_fop_write+0x180/0x210 +__vfs_write+0xb1/0x2e0 +vfs_write+0xf6/0x250 +SyS_write+0x99/0x110 +do_syscall_64+0xee/0x2b0 +entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +The buggy address belongs to the page: +page:ffffea000186bbc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x4000000000000000() +raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff +raw: 0000000000000000 ffffea000186bbe0 0000000000000000 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: +ffff880061aef700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +ffff880061aef780: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 +>ffff880061aef800: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 + ^ +ffff880061aef880: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 f2 f2 +ffff880061aef900: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 
+================================================================== + +Fixes: 765d67748bcf ("IB: new common API for draining queues") +Signed-off-by: Bart Van Assche +Cc: Steve Wise +Cc: Sagi Grimberg +Cc: stable@vger.kernel.org +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/verbs.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -2115,10 +2115,15 @@ static void __ib_drain_sq(struct ib_qp * + struct ib_cq *cq = qp->send_cq; + struct ib_qp_attr attr = { .qp_state = IB_QPS_ERR }; + struct ib_drain_cqe sdrain; +- struct ib_send_wr swr = {}, *bad_swr; ++ struct ib_send_wr *bad_swr; ++ struct ib_rdma_wr swr = { ++ .wr = { ++ .opcode = IB_WR_RDMA_WRITE, ++ .wr_cqe = &sdrain.cqe, ++ }, ++ }; + int ret; + +- swr.wr_cqe = &sdrain.cqe; + sdrain.cqe.done = ib_drain_qp_done; + init_completion(&sdrain.done); + +@@ -2128,7 +2133,7 @@ static void __ib_drain_sq(struct ib_qp * + return; + } + +- ret = ib_post_send(qp, &swr, &bad_swr); ++ ret = ib_post_send(qp, &swr.wr, &bad_swr); + if (ret) { + WARN_ONCE(ret, "failed to drain send queue: %d\n", ret); + return; diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..5d030dd3c33 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,7 @@ +fork-unconditionally-clear-stack-on-fork.patch +i2c-core-decrease-reference-count-of-device-node-in-i2c_unregister_device.patch +rdma-core-avoid-that-ib_drain_qp-triggers-an-out-of-bounds-stack-access.patch +drivers-infiniband-core-verbs.c-fix-build-with-gcc-4.4.4.patch +ib-srpt-fix-an-out-of-bounds-stack-access-in-srpt_zerolength_write.patch +drivers-infiniband-ulp-srpt-ib_srpt.c-fix-build-with-gcc-4.4.4.patch +spi-spi-s3c64xx-fix-system-resume-support.patch 
diff --git a/queue-4.14/spi-spi-s3c64xx-fix-system-resume-support.patch b/queue-4.14/spi-spi-s3c64xx-fix-system-resume-support.patch new file mode 100644 index 00000000000..784e450474e --- /dev/null +++ b/queue-4.14/spi-spi-s3c64xx-fix-system-resume-support.patch @@ -0,0 +1,49 @@ +From e935dba111621bd6a0c5d48e6511a4d9885103b4 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Wed, 16 May 2018 10:42:39 +0200 +Subject: spi: spi-s3c64xx: Fix system resume support + +From: Marek Szyprowski + +commit e935dba111621bd6a0c5d48e6511a4d9885103b4 upstream. + +Since Linux v4.10 release (commit 1d9174fbc55e "PM / Runtime: Defer +resuming of the device in pm_runtime_force_resume()"), +pm_runtime_force_resume() function doesn't runtime resume device if it was +not runtime active before system suspend. Thus, driver should not do any +register access after pm_runtime_force_resume() without checking the +runtime status of the device. To fix this issue, simply move +s3c64xx_spi_hwinit() call to s3c64xx_spi_runtime_resume() to ensure that +hardware is always properly initialized. This fixes Synchronous external +abort issue on system suspend/resume cycle on newer Exynos SoCs. + +Signed-off-by: Marek Szyprowski +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-s3c64xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -1273,8 +1273,6 @@ static int s3c64xx_spi_resume(struct dev + if (ret < 0) + return ret; + +- s3c64xx_spi_hwinit(sdd, sdd->port_id); +- + return spi_master_resume(master); + } + #endif /* CONFIG_PM_SLEEP */ +@@ -1312,6 +1310,8 @@ static int s3c64xx_spi_runtime_resume(st + if (ret != 0) + goto err_disable_src_clk; + ++ s3c64xx_spi_hwinit(sdd, sdd->port_id); ++ + return 0; + + err_disable_src_clk: 
diff --git a/queue-4.17/series b/queue-4.17/series new file mode 100644 index 00000000000..47ad375b4d8 --- /dev/null +++ b/queue-4.17/series @@ -0,0 +1 @@ +spi-spi-s3c64xx-fix-system-resume-support.patch diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..aa8328ca544 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1 @@ +mips-fix-off-by-one-in-pci_resource_to_user.patch diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..e69de29bb2d
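Review bot: In the __ib_drain_sq() hunk of the gcc-4.4.4 workaround for drivers/infiniband/core/verbs.c, the unnamed `{ .wr_cqe = &sdrain.cqe, },` is a positional initializer, so it only reaches the anonymous union because it directly follows `.next = NULL,`. Nothing in the code says so. Add a short comment above the two lines stating that the brace initializes the anonymous union after `next` and exists only for gcc-4.4.4, so that a later reorder of the initializer or of the struct does not silently assign the pointer to a different member. The identical construct in the srpt_zerolength_write() hunk of ib_srpt.c wants the same comment.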
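Review bot: The THREADINFO_GFP hunk in include/linux/thread_info.h leaves no trace in the code of why `__GFP_ZERO` is now unconditional. The removed `#if` at least tied the zeroing to CONFIG_DEBUG_STACK_USAGE and CONFIG_DEBUG_KMEMLEAK; a bare `#define THREADINFO_GFP (GFP_KERNEL_ACCOUNT | __GFP_ZERO)` reads like a flag that could be dropped as an optimization. A one-line comment saying that new task stacks are zeroed so that prior heap or stack contents cannot be exposed would carry the changelog's intent into the source.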
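Review bot: In the alloc_thread_stack_node() hunk of kernel/fork.c, the retained comment `/* Clear stale pointers from reused stack. */` still describes the kmemleak motivation, although the `memset(s->addr, 0, THREAD_SIZE);` below it is now unconditional for a different reason. Reword the comment to say that the reused stack is wiped so its previous contents cannot leak to the new task. The changelog would also be clearer if it said that this memset covers the reused-stack path while `__GFP_ZERO` in THREADINFO_GFP covers fresh allocations.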
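Review bot: In the i2c_unregister_device() hunk, `of_node_put(client->dev.of_node);` runs before `device_unregister(&client->dev);` and leaves `client->dev.of_node` pointing at the node. If this put drops the last reference, anything in the unregister path that looks at the device's of_node would touch a released node. Consider keeping the pointer in a local variable and calling of_node_put() after device_unregister(), or say in the changelog which other reference keeps the node alive until the device is gone.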
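Review bot: In the srpt_zerolength_write() hunk of the out-of-bounds fix, the change of `wr` from `struct ib_send_wr` to `struct ib_rdma_wr` is the entire fix, yet the code gives no hint why a zero-length write needs the larger type. Add a comment next to the declaration saying that the work request is posted with IB_WR_RDMA_WRITE and must therefore be a full ib_rdma_wr, as the KASAN report in the changelog shows rxe_post_send() reading past the smaller object. Without it, the initializer plus `&wr.wr` looks like something that can be simplified back to the old form.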
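Review bot: The first __ib_drain_sq() hunk of the ib_drain_qp() fix changes more than the type: the old `struct ib_send_wr swr = {}` left the opcode at its zero value and only set `wr_cqe`, while the new initializer adds `.opcode = IB_WR_RDMA_WRITE,`. The changelog only quotes the KASAN complaint and does not mention the opcode change. Please state in the changelog why the drain request is now posted as an RDMA write, since that is a behaviour change for every provider and not only for the one in the trace.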
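Review bot: In the s3c64xx_spi_runtime_resume() hunk, `s3c64xx_spi_hwinit(sdd, sdd->port_id);` now runs on every runtime resume instead of once per system resume, and the changelog does not say whether repeating the initialization is harmless. Please confirm that hwinit does not discard configuration the driver expects to survive a runtime suspend, and add a comment at the call noting that it must stay after the `if (ret != 0) goto err_disable_src_clk;` check, because register access on a device that is not runtime active is what the changelog names as the cause of the abort.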
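Review bot: The subject says "4.14-stable patches", but the diff also creates queue-3.18/series, queue-4.17/series, queue-4.4/series and queue-4.9/series. queue-4.17/series names spi-spi-s3c64xx-fix-system-resume-support.patch and queue-4.4/series names mips-fix-off-by-one-in-pci_resource_to_user.patch, yet no patch file is added under queue-4.17/ or queue-4.4/ in the visible diff, and the mips patch is absent from the "added patches" list. Either add the missing patch files in this commit or move the series changes for the other queues into the commits that add those files, so that each queue's series never references a file that does not exist.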