From: Greg Kroah-Hartman Date: Tue, 10 Jul 2018 11:15:09 +0000 (+0200) Subject: 4.17-stable patches X-Git-Tag: v3.18.115~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c8ccd98e6e7e18e01a9152e62691809829f0a582;p=thirdparty%2Fkernel%2Fstable-queue.git 4.17-stable patches added patches: acpi-battery-safe-unregistering-of-hooks.patch acpica-drop-leading-newlines-from-error-messages.patch drm-amdgpu-make-struct-amdgpu_atif-private-to-amdgpu_acpi.c.patch mm-hugetlb-yield-when-prepping-struct-pages.patch mm-teach-dump_page-to-correctly-output-poisoned-struct-pages.patch pci-acpi-pm-resume-bridges-w-o-drivers-on-suspend-to-ram.patch scsi-sg-mitigate-read-write-abuse.patch tracing-avoid-string-overflow.patch tracing-fix-missing-return-symbol-in-function_graph-output.patch userfaultfd-hugetlbfs-fix-userfaultfd_huge_must_wait-pte-access.patch --- diff --git a/queue-4.17/acpi-battery-safe-unregistering-of-hooks.patch b/queue-4.17/acpi-battery-safe-unregistering-of-hooks.patch new file mode 100644 index 00000000000..78f15b037bc --- /dev/null +++ b/queue-4.17/acpi-battery-safe-unregistering-of-hooks.patch @@ -0,0 +1,70 @@ +From 673b4271665a12fa839a12abb50e6f6e9953c081 Mon Sep 17 00:00:00 2001 +From: Jouke Witteveen +Date: Wed, 4 Jul 2018 12:27:15 +0200 +Subject: ACPI / battery: Safe unregistering of hooks + +From: Jouke Witteveen + +commit 673b4271665a12fa839a12abb50e6f6e9953c081 upstream. + +A hooking API was implemented for 4.17 in fa93854f7a7ed63d followed +by hooks for Thinkpad laptops in 2801b9683f740012. The Thinkpad +drivers did not support the Thinkpad 13 and the hooking API crashes +on unsupported batteries by altering a list of hooks during unsafe +iteration. Thus, Thinkpad 13 laptops could no longer boot. + +Additionally, a lock was kept in place and debugging information was +printed out of order. + +Fixes: fa93854f7a7e (battery: Add the battery hooking API) +Cc: 4.17+ # 4.17+ +Signed-off-by: Jouke Witteveen +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/battery.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -709,10 +709,11 @@ void battery_hook_register(struct acpi_b + */ + pr_err("extension failed to load: %s", hook->name); + __battery_hook_unregister(hook, 0); +- return; ++ goto end; + } + } + pr_info("new extension: %s\n", hook->name); ++end: + mutex_unlock(&hook_mutex); + } + EXPORT_SYMBOL_GPL(battery_hook_register); +@@ -724,7 +725,7 @@ EXPORT_SYMBOL_GPL(battery_hook_register) + */ + static void battery_hook_add_battery(struct acpi_battery *battery) + { +- struct acpi_battery_hook *hook_node; ++ struct acpi_battery_hook *hook_node, *tmp; + + mutex_lock(&hook_mutex); + INIT_LIST_HEAD(&battery->list); +@@ -736,15 +737,15 @@ static void battery_hook_add_battery(str + * when a battery gets hotplugged or initialized + * during the battery module initialization. + */ +- list_for_each_entry(hook_node, &battery_hook_list, list) { ++ list_for_each_entry_safe(hook_node, tmp, &battery_hook_list, list) { + if (hook_node->add_battery(battery->bat)) { + /* + * The notification of the extensions has failed, to + * prevent further errors we will unload the extension. + */ +- __battery_hook_unregister(hook_node, 0); + pr_err("error in extension, unloading: %s", + hook_node->name); ++ __battery_hook_unregister(hook_node, 0); + } + } + mutex_unlock(&hook_mutex); diff --git a/queue-4.17/acpica-drop-leading-newlines-from-error-messages.patch b/queue-4.17/acpica-drop-leading-newlines-from-error-messages.patch new file mode 100644 index 00000000000..00e88fbc60a --- /dev/null +++ b/queue-4.17/acpica-drop-leading-newlines-from-error-messages.patch @@ -0,0 +1,54 @@ +From a0d5f3b69af7733f3173a8e19d51f68a08017c76 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Sat, 30 Jun 2018 23:24:04 +0200 +Subject: ACPICA: Drop leading newlines from error messages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafael J. Wysocki + +commit a0d5f3b69af7733f3173a8e19d51f68a08017c76 upstream. + +Commit 5088814a6e93 (ACPICA: AML parser: attempt to continue loading +table after error) unintentionally added leading newlines to error +messages emitted by ACPICA which caused unexpected things to be +printed to the kernel log. Drop these newlines (which effectively +reverts the part of commit 5088814a6e93 adding them). + +Fixes: 5088814a6e93 (ACPICA: AML parser: attempt to continue loading table after error) +Reported-by: Toralf Förster +Reported-by: Guenter Roeck +Cc: 4.17+ # 4.17+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpica/uterror.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/acpica/uterror.c ++++ b/drivers/acpi/acpica/uterror.c +@@ -182,19 +182,19 @@ acpi_ut_prefixed_namespace_error(const c + switch (lookup_status) { + case AE_ALREADY_EXISTS: + +- acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR); ++ acpi_os_printf(ACPI_MSG_BIOS_ERROR); + message = "Failure creating"; + break; + + case AE_NOT_FOUND: + +- acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR); ++ acpi_os_printf(ACPI_MSG_BIOS_ERROR); + message = "Could not resolve"; + break; + + default: + +- acpi_os_printf("\n" ACPI_MSG_ERROR); ++ acpi_os_printf(ACPI_MSG_ERROR); + message = "Failure resolving"; + break; + } diff --git a/queue-4.17/drm-amdgpu-make-struct-amdgpu_atif-private-to-amdgpu_acpi.c.patch b/queue-4.17/drm-amdgpu-make-struct-amdgpu_atif-private-to-amdgpu_acpi.c.patch new file mode 100644 index 00000000000..6f034e66af8 --- /dev/null +++ b/queue-4.17/drm-amdgpu-make-struct-amdgpu_atif-private-to-amdgpu_acpi.c.patch @@ -0,0 +1,191 @@ +From 2cd5fe22d9a45cdf11c62bbe8db3ce9101207510 Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Mon, 25 Jun 2018 21:09:04 -0400 +Subject: drm/amdgpu: Make struct amdgpu_atif private to amdgpu_acpi.c + +From: Lyude Paul + +commit 2cd5fe22d9a45cdf11c62bbe8db3ce9101207510 upstream. + +Currently, there is nothing in amdgpu that actually uses these structs +other than amdgpu_acpi.c. Additionally, since we're about to start +saving the correct ACPI handle to use for calling ATIF in this struct +this saves us from having to handle making sure that the acpi_handle +(and by proxy, the type definition for acpi_handle and all of the other +acpi headers) doesn't need to be included within the amdgpu_drv struct +itself. This follows the example set by amdgpu_atpx_handler.c. + +Signed-off-by: Lyude Paul +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 40 +--------------------- + drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 54 +++++++++++++++++++++++++++++-- + 2 files changed, 53 insertions(+), 41 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -188,6 +188,7 @@ struct amdgpu_job; + struct amdgpu_irq_src; + struct amdgpu_fpriv; + struct amdgpu_bo_va_mapping; ++struct amdgpu_atif; + + enum amdgpu_cp_irq { + AMDGPU_CP_IRQ_GFX_EOP = 0, +@@ -1246,43 +1247,6 @@ struct amdgpu_vram_scratch { + /* + * ACPI + */ +-struct amdgpu_atif_notification_cfg { +- bool enabled; +- int command_code; +-}; +- +-struct amdgpu_atif_notifications { +- bool display_switch; +- bool expansion_mode_change; +- bool thermal_state; +- bool forced_power_state; +- bool system_power_state; +- bool display_conf_change; +- bool px_gfx_switch; +- bool brightness_change; +- bool dgpu_display_event; +-}; +- +-struct amdgpu_atif_functions { +- bool system_params; +- bool sbios_requests; +- bool select_active_disp; +- bool lid_state; +- bool get_tv_standard; +- bool set_tv_standard; +- bool get_panel_expansion_mode; +- bool set_panel_expansion_mode; +- bool temperature_change; +- bool graphics_device_types; +-}; +- +-struct amdgpu_atif { +- struct amdgpu_atif_notifications notifications; +- struct amdgpu_atif_functions functions; +- struct amdgpu_atif_notification_cfg notification_cfg; +- struct amdgpu_encoder *encoder_for_bl; +-}; +- + struct amdgpu_atcs_functions { + bool get_ext_state; + bool pcie_perf_req; +@@ -1430,7 +1394,7 @@ struct amdgpu_device { + #if defined(CONFIG_DEBUG_FS) + struct dentry *debugfs_regs[AMDGPU_DEBUGFS_MAX_COMPONENTS]; + #endif +- struct amdgpu_atif atif; ++ struct amdgpu_atif *atif; + struct amdgpu_atcs atcs; + struct mutex srbm_mutex; + /* GRBM index mutex. Protects concurrent access to GRBM index */ +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -34,6 +34,43 @@ + #include "amd_acpi.h" + #include "atom.h" + ++struct amdgpu_atif_notification_cfg { ++ bool enabled; ++ int command_code; ++}; ++ ++struct amdgpu_atif_notifications { ++ bool display_switch; ++ bool expansion_mode_change; ++ bool thermal_state; ++ bool forced_power_state; ++ bool system_power_state; ++ bool display_conf_change; ++ bool px_gfx_switch; ++ bool brightness_change; ++ bool dgpu_display_event; ++}; ++ ++struct amdgpu_atif_functions { ++ bool system_params; ++ bool sbios_requests; ++ bool select_active_disp; ++ bool lid_state; ++ bool get_tv_standard; ++ bool set_tv_standard; ++ bool get_panel_expansion_mode; ++ bool set_panel_expansion_mode; ++ bool temperature_change; ++ bool graphics_device_types; ++}; ++ ++struct amdgpu_atif { ++ struct amdgpu_atif_notifications notifications; ++ struct amdgpu_atif_functions functions; ++ struct amdgpu_atif_notification_cfg notification_cfg; ++ struct amdgpu_encoder *encoder_for_bl; ++}; ++ + /* Call the ATIF method + */ + /** +@@ -292,7 +329,7 @@ out: + static int amdgpu_atif_handler(struct amdgpu_device *adev, + struct acpi_bus_event *event) + { +- struct amdgpu_atif *atif = &adev->atif; ++ struct amdgpu_atif *atif = adev->atif; + struct atif_sbios_requests req; + acpi_handle handle; + int count; +@@ -303,7 +340,8 @@ static int amdgpu_atif_handler(struct am + if (strcmp(event->device_class, ACPI_VIDEO_CLASS) != 0) + return NOTIFY_DONE; + +- if (!atif->notification_cfg.enabled || ++ if (!atif || ++ !atif->notification_cfg.enabled || + event->type != atif->notification_cfg.command_code) + /* Not our event */ + return NOTIFY_DONE; +@@ -642,7 +680,7 @@ static int amdgpu_acpi_event(struct noti + int amdgpu_acpi_init(struct amdgpu_device *adev) + { + acpi_handle handle; +- struct amdgpu_atif *atif = &adev->atif; ++ struct amdgpu_atif *atif; + struct amdgpu_atcs *atcs = &adev->atcs; + int ret; + +@@ -659,11 +697,19 @@ int amdgpu_acpi_init(struct amdgpu_devic + } + + /* Call the ATIF method */ ++ atif = kzalloc(sizeof(*atif), GFP_KERNEL); ++ if (!atif) { ++ DRM_WARN("Not enough memory to initialize ATIF\n"); ++ goto out; ++ } ++ + ret = amdgpu_atif_verify_interface(handle, atif); + if (ret) { + DRM_DEBUG_DRIVER("Call to ATIF verify_interface failed: %d\n", ret); ++ kfree(atif); + goto out; + } ++ adev->atif = atif; + + if (atif->notifications.brightness_change) { + struct drm_encoder *tmp; +@@ -720,4 +766,6 @@ out: + void amdgpu_acpi_fini(struct amdgpu_device *adev) + { + unregister_acpi_notifier(&adev->acpi_nb); ++ if (adev->atif) ++ kfree(adev->atif); + } diff --git a/queue-4.17/mm-hugetlb-yield-when-prepping-struct-pages.patch b/queue-4.17/mm-hugetlb-yield-when-prepping-struct-pages.patch new file mode 100644 index 00000000000..275961c1feb --- /dev/null +++ b/queue-4.17/mm-hugetlb-yield-when-prepping-struct-pages.patch @@ -0,0 +1,52 @@ +From 520495fe96d74e05db585fc748351e0504d8f40d Mon Sep 17 00:00:00 2001 +From: Cannon Matthews +Date: Tue, 3 Jul 2018 17:02:43 -0700 +Subject: mm: hugetlb: yield when prepping struct pages + +From: Cannon Matthews + +commit 520495fe96d74e05db585fc748351e0504d8f40d upstream. + +When booting with very large numbers of gigantic (i.e. 1G) pages, the +operations in the loop of gather_bootmem_prealloc, and specifically +prep_compound_gigantic_page, takes a very long time, and can cause a +softlockup if enough pages are requested at boot. + +For example booting with 3844 1G pages requires prepping +(set_compound_head, init the count) over 1 billion 4K tail pages, which +takes considerable time. + +Add a cond_resched() to the outer loop in gather_bootmem_prealloc() to +prevent this lockup. + +Tested: Booted with softlockup_panic=1 hugepagesz=1G hugepages=3844 and +no softlockup is reported, and the hugepages are reported as +successfully setup. + +Link: http://lkml.kernel.org/r/20180627214447.260804-1-cannonmatthews@google.com +Signed-off-by: Cannon Matthews +Reviewed-by: Andrew Morton +Reviewed-by: Mike Kravetz +Acked-by: Michal Hocko +Cc: Andres Lagar-Cavilla +Cc: Peter Feiner +Cc: Greg Thelen +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2163,6 +2163,7 @@ static void __init gather_bootmem_preall + */ + if (hstate_is_gigantic(h)) + adjust_managed_page_count(page, 1 << h->order); ++ cond_resched(); + } + } + diff --git a/queue-4.17/mm-teach-dump_page-to-correctly-output-poisoned-struct-pages.patch b/queue-4.17/mm-teach-dump_page-to-correctly-output-poisoned-struct-pages.patch new file mode 100644 index 00000000000..41a305bd75a --- /dev/null +++ b/queue-4.17/mm-teach-dump_page-to-correctly-output-poisoned-struct-pages.patch @@ -0,0 +1,82 @@ +From fc36def997cfd6cbff3eda4f82853a5c311c5466 Mon Sep 17 00:00:00 2001 +From: Pavel Tatashin +Date: Tue, 3 Jul 2018 17:02:53 -0700 +Subject: mm: teach dump_page() to correctly output poisoned struct pages + +From: Pavel Tatashin + +commit fc36def997cfd6cbff3eda4f82853a5c311c5466 upstream. + +If struct page is poisoned, and uninitialized access is detected via +PF_POISONED_CHECK(page) dump_page() is called to output the page. But, +the dump_page() itself accesses struct page to determine how to print +it, and therefore gets into a recursive loop. + +For example: + + dump_page() + __dump_page() + PageSlab(page) + PF_POISONED_CHECK(page) + VM_BUG_ON_PGFLAGS(PagePoisoned(page), page) + dump_page() recursion loop. + +Link: http://lkml.kernel.org/r/20180702180536.2552-1-pasha.tatashin@oracle.com +Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking") +Signed-off-by: Pavel Tatashin +Acked-by: Michal Hocko +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/debug.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/mm/debug.c ++++ b/mm/debug.c +@@ -43,12 +43,25 @@ const struct trace_print_flags vmaflag_n + + void __dump_page(struct page *page, const char *reason) + { ++ bool page_poisoned = PagePoisoned(page); ++ int mapcount; ++ ++ /* ++ * If struct page is poisoned don't access Page*() functions as that ++ * leads to recursive loop. Page*() check for poisoned pages, and calls ++ * dump_page() when detected. ++ */ ++ if (page_poisoned) { ++ pr_emerg("page:%px is uninitialized and poisoned", page); ++ goto hex_only; ++ } ++ + /* + * Avoid VM_BUG_ON() in page_mapcount(). + * page->_mapcount space in struct page is used by sl[aou]b pages to + * encode own info. + */ +- int mapcount = PageSlab(page) ? 0 : page_mapcount(page); ++ mapcount = PageSlab(page) ? 0 : page_mapcount(page); + + pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx", + page, page_ref_count(page), mapcount, +@@ -60,6 +73,7 @@ void __dump_page(struct page *page, cons + + pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags); + ++hex_only: + print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32, + sizeof(unsigned long), page, + sizeof(struct page), false); +@@ -68,7 +82,7 @@ void __dump_page(struct page *page, cons + pr_alert("page dumped because: %s\n", reason); + + #ifdef CONFIG_MEMCG +- if (page->mem_cgroup) ++ if (!page_poisoned && page->mem_cgroup) + pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup); + #endif + } diff --git a/queue-4.17/pci-acpi-pm-resume-bridges-w-o-drivers-on-suspend-to-ram.patch b/queue-4.17/pci-acpi-pm-resume-bridges-w-o-drivers-on-suspend-to-ram.patch new file mode 100644 index 00000000000..3c5bf49eeb4 --- /dev/null +++ b/queue-4.17/pci-acpi-pm-resume-bridges-w-o-drivers-on-suspend-to-ram.patch @@ -0,0 +1,64 @@ +From 26112ddc254c98681b224aa9ededefc01b6e02d2 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Sat, 30 Jun 2018 23:19:33 +0200 +Subject: PCI / ACPI / PM: Resume bridges w/o drivers on suspend-to-RAM + +From: Rafael J. Wysocki + +commit 26112ddc254c98681b224aa9ededefc01b6e02d2 upstream. + +It is reported that commit c62ec4610c40 (PM / core: Fix direct_complete +handling for devices with no callbacks) introduced a system suspend +regression on Samsung 305V4A by allowing a PCI bridge (not a PCIe +port) to stay in D3 over suspend-to-RAM, which is a side effect of +setting power.direct_complete for the children of that bridge that +have no PM callbacks. + +On the majority of systems PCI bridges are not allowed to be +runtime-suspended (the power/control sysfs attribute is set to "on" +for them by default), but user space can change that setting and if +it does so and a given bridge has no children with PM callbacks, the +direct_complete optimization will be applied to it and it will stay +in suspend over system suspend. Apparently, that confuses the +platform firmware on the affected machine and that may very well +happen elsewhere, so avoid the direct_complete optimization for +PCI bridges with no drivers (if there is a driver, it should take +care of the PM handling) on suspend-to-RAM altogether (that should +not matter for suspend-to-idle as platform firmware is not involved +in it). + +Fixes: c62ec4610c40 (PM / core: Fix direct_complete handling for devices with no callbacks) +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199941 +Reported-by: n0000b.n000b@gmail.com +Tested-by: n0000b.n000b@gmail.com +Reviewed-by: Mika Westerberg +Acked-by: Bjorn Helgaas +Cc: 4.15+ # 4.15+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-acpi.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -598,6 +598,18 @@ static bool acpi_pci_need_resume(struct + { + struct acpi_device *adev = ACPI_COMPANION(&dev->dev); + ++ /* ++ * In some cases (eg. Samsung 305V4A) leaving a bridge in suspend over ++ * system-wide suspend/resume confuses the platform firmware, so avoid ++ * doing that, unless the bridge has a driver that should take care of ++ * the PM handling. According to Section 16.1.6 of ACPI 6.2, endpoint ++ * devices are expected to be in D3 before invoking the S3 entry path ++ * from the firmware, so they should not be affected by this issue. ++ */ ++ if (pci_is_bridge(dev) && !dev->driver && ++ acpi_target_system_state() != ACPI_STATE_S0) ++ return true; ++ + if (!adev || !acpi_device_power_manageable(adev)) + return false; + diff --git a/queue-4.17/scsi-sg-mitigate-read-write-abuse.patch b/queue-4.17/scsi-sg-mitigate-read-write-abuse.patch new file mode 100644 index 00000000000..1e8586ff39d --- /dev/null +++ b/queue-4.17/scsi-sg-mitigate-read-write-abuse.patch @@ -0,0 +1,111 @@ +From 26b5b874aff5659a7e26e5b1997e3df2c41fa7fd Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 25 Jun 2018 16:25:44 +0200 +Subject: scsi: sg: mitigate read/write abuse + +From: Jann Horn + +commit 26b5b874aff5659a7e26e5b1997e3df2c41fa7fd upstream. + +As Al Viro noted in commit 128394eff343 ("sg_write()/bsg_write() is not fit +to be called under KERNEL_DS"), sg improperly accesses userspace memory +outside the provided buffer, permitting kernel memory corruption via +splice(). But it doesn't just do it on ->write(), also on ->read(). + +As a band-aid, make sure that the ->read() and ->write() handlers can not +be called in weird contexts (kernel context or credentials different from +file opener), like for ib_safe_file_access(). + +If someone needs to use these interfaces from different security contexts, +a new interface should be written that goes through the ->ioctl() handler. + +I've mostly copypasted ib_safe_file_access() over as sg_safe_file_access() +because I couldn't find a good common header - please tell me if you know a +better way. + +[mkp: s/_safe_/_check_/] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: +Signed-off-by: Jann Horn +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sg.c | 42 ++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 40 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -51,6 +51,7 @@ static int sg_version_num = 30536; /* 2 + #include + #include + #include ++#include /* for sg_check_file_access() */ + + #include "scsi.h" + #include +@@ -210,6 +211,33 @@ static void sg_device_destroy(struct kre + sdev_prefix_printk(prefix, (sdp)->device, \ + (sdp)->disk->disk_name, fmt, ##a) + ++/* ++ * The SCSI interfaces that use read() and write() as an asynchronous variant of ++ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways ++ * to trigger read() and write() calls from various contexts with elevated ++ * privileges. This can lead to kernel memory corruption (e.g. if these ++ * interfaces are called through splice()) and privilege escalation inside ++ * userspace (e.g. if a process with access to such a device passes a file ++ * descriptor to a SUID binary as stdin/stdout/stderr). ++ * ++ * This function provides protection for the legacy API by restricting the ++ * calling context. ++ */ ++static int sg_check_file_access(struct file *filp, const char *caller) ++{ ++ if (filp->f_cred != current_real_cred()) { ++ pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EPERM; ++ } ++ if (uaccess_kernel()) { ++ pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EACCES; ++ } ++ return 0; ++} ++ + static int sg_allow_access(struct file *filp, unsigned char *cmd) + { + struct sg_fd *sfp = filp->private_data; +@@ -394,6 +422,14 @@ sg_read(struct file *filp, char __user * + struct sg_header *old_hdr = NULL; + int retval = 0; + ++ /* ++ * This could cause a response to be stranded. Close the associated ++ * file descriptor to free up any resources being held. ++ */ ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; ++ + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; + SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, +@@ -581,9 +617,11 @@ sg_write(struct file *filp, const char _ + struct sg_header old_hdr; + sg_io_hdr_t *hp; + unsigned char cmnd[SG_MAX_CDB_SIZE]; ++ int retval; + +- if (unlikely(uaccess_kernel())) +- return -EINVAL; ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; + + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; diff --git a/queue-4.17/tracing-avoid-string-overflow.patch b/queue-4.17/tracing-avoid-string-overflow.patch new file mode 100644 index 00000000000..a2ea4b99633 --- /dev/null +++ b/queue-4.17/tracing-avoid-string-overflow.patch @@ -0,0 +1,42 @@ +From cf4d418e653afc84c9c873236033e06be5d58f1c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 28 Mar 2018 16:09:10 +0200 +Subject: tracing: Avoid string overflow + +From: Arnd Bergmann + +commit cf4d418e653afc84c9c873236033e06be5d58f1c upstream. + +'err' is used as a NUL-terminated string, but using strncpy() with the length +equal to the buffer size may result in lack of the termination: + +kernel/trace/trace_events_hist.c: In function 'hist_err_event': +kernel/trace/trace_events_hist.c:396:3: error: 'strncpy' specified bound 256 equals destination size [-Werror=stringop-truncation] + strncpy(err, var, MAX_FILTER_STR_VAL); + +This changes it to use the safer strscpy() instead. + +Link: http://lkml.kernel.org/r/20180328140920.2842153-1-arnd@arndb.de + +Cc: stable@vger.kernel.org +Fixes: f404da6e1d46 ("tracing: Add 'last error' error facility for hist triggers") +Acked-by: Tom Zanussi +Signed-off-by: Arnd Bergmann +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_hist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -393,7 +393,7 @@ static void hist_err_event(char *str, ch + else if (system) + snprintf(err, MAX_FILTER_STR_VAL, "%s.%s", system, event); + else +- strncpy(err, var, MAX_FILTER_STR_VAL); ++ strscpy(err, var, MAX_FILTER_STR_VAL); + + hist_err(str, err); + } diff --git a/queue-4.17/tracing-fix-missing-return-symbol-in-function_graph-output.patch b/queue-4.17/tracing-fix-missing-return-symbol-in-function_graph-output.patch new file mode 100644 index 00000000000..8fb9f7d78b1 --- /dev/null +++ b/queue-4.17/tracing-fix-missing-return-symbol-in-function_graph-output.patch @@ -0,0 +1,85 @@ +From 1fe4293f4b8de75824935f8d8e9a99c7fc6873da Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Wed, 31 Jan 2018 23:48:49 +0800 +Subject: tracing: Fix missing return symbol in function_graph output + +From: Changbin Du + +commit 1fe4293f4b8de75824935f8d8e9a99c7fc6873da upstream. + +The function_graph tracer does not show the interrupt return marker for the +leaf entry. On leaf entries, we see an unbalanced interrupt marker (the +interrupt was entered, but nevern left). + +Before: + 1) | SyS_write() { + 1) | __fdget_pos() { + 1) 0.061 us | __fget_light(); + 1) 0.289 us | } + 1) | vfs_write() { + 1) 0.049 us | rw_verify_area(); + 1) + 15.424 us | __vfs_write(); + 1) ==========> | + 1) 6.003 us | smp_apic_timer_interrupt(); + 1) 0.055 us | __fsnotify_parent(); + 1) 0.073 us | fsnotify(); + 1) + 23.665 us | } + 1) + 24.501 us | } + +After: + 0) | SyS_write() { + 0) | __fdget_pos() { + 0) 0.052 us | __fget_light(); + 0) 0.328 us | } + 0) | vfs_write() { + 0) 0.057 us | rw_verify_area(); + 0) | __vfs_write() { + 0) ==========> | + 0) 8.548 us | smp_apic_timer_interrupt(); + 0) <========== | + 0) + 36.507 us | } /* __vfs_write */ + 0) 0.049 us | __fsnotify_parent(); + 0) 0.066 us | fsnotify(); + 0) + 50.064 us | } + 0) + 50.952 us | } + +Link: http://lkml.kernel.org/r/1517413729-20411-1-git-send-email-changbin.du@intel.com + +Cc: stable@vger.kernel.org +Fixes: f8b755ac8e0cc ("tracing/function-graph-tracer: Output arrows signal on hardirq call/return") +Signed-off-by: Changbin Du +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_functions_graph.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_functions_graph.c ++++ b/kernel/trace/trace_functions_graph.c +@@ -831,6 +831,7 @@ print_graph_entry_leaf(struct trace_iter + struct ftrace_graph_ret *graph_ret; + struct ftrace_graph_ent *call; + unsigned long long duration; ++ int cpu = iter->cpu; + int i; + + graph_ret = &ret_entry->ret; +@@ -839,7 +840,6 @@ print_graph_entry_leaf(struct trace_iter + + if (data) { + struct fgraph_cpu_data *cpu_data; +- int cpu = iter->cpu; + + cpu_data = per_cpu_ptr(data->cpu_data, cpu); + +@@ -869,6 +869,9 @@ print_graph_entry_leaf(struct trace_iter + + trace_seq_printf(s, "%ps();\n", (void *)call->func); + ++ print_graph_irq(iter, graph_ret->func, TRACE_GRAPH_RET, ++ cpu, iter->ent->pid, flags); ++ + return trace_handle_return(s); + } + diff --git a/queue-4.17/userfaultfd-hugetlbfs-fix-userfaultfd_huge_must_wait-pte-access.patch b/queue-4.17/userfaultfd-hugetlbfs-fix-userfaultfd_huge_must_wait-pte-access.patch new file mode 100644 index 00000000000..fedabd29f37 --- /dev/null +++ b/queue-4.17/userfaultfd-hugetlbfs-fix-userfaultfd_huge_must_wait-pte-access.patch @@ -0,0 +1,63 @@ +From 1e2c043628c7736dd56536d16c0ce009bc834ae7 Mon Sep 17 00:00:00 2001 +From: Janosch Frank +Date: Tue, 3 Jul 2018 17:02:39 -0700 +Subject: userfaultfd: hugetlbfs: fix userfaultfd_huge_must_wait() pte access + +From: Janosch Frank + +commit 1e2c043628c7736dd56536d16c0ce009bc834ae7 upstream. + +Use huge_ptep_get() to translate huge ptes to normal ptes so we can +check them with the huge_pte_* functions. Otherwise some architectures +will check the wrong values and will not wait for userspace to bring in +the memory. + +Link: http://lkml.kernel.org/r/20180626132421.78084-1-frankja@linux.ibm.com +Fixes: 369cd2121be4 ("userfaultfd: hugetlbfs: userfaultfd_huge_must_wait for hugepmd ranges") +Signed-off-by: Janosch Frank +Reviewed-by: David Hildenbrand +Reviewed-by: Mike Kravetz +Cc: Andrea Arcangeli +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/userfaultfd.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -220,24 +220,26 @@ static inline bool userfaultfd_huge_must + unsigned long reason) + { + struct mm_struct *mm = ctx->mm; +- pte_t *pte; ++ pte_t *ptep, pte; + bool ret = true; + + VM_BUG_ON(!rwsem_is_locked(&mm->mmap_sem)); + +- pte = huge_pte_offset(mm, address, vma_mmu_pagesize(vma)); +- if (!pte) ++ ptep = huge_pte_offset(mm, address, vma_mmu_pagesize(vma)); ++ ++ if (!ptep) + goto out; + + ret = false; ++ pte = huge_ptep_get(ptep); + + /* + * Lockless access: we're in a wait_event so it's ok if it + * changes under us. + */ +- if (huge_pte_none(*pte)) ++ if (huge_pte_none(pte)) + ret = true; +- if (!huge_pte_write(*pte) && (reason & VM_UFFD_WP)) ++ if (!huge_pte_write(pte) && (reason & VM_UFFD_WP)) + ret = true; + out: + return ret;