From: Greg Kroah-Hartman Date: Mon, 21 Jan 2019 10:23:53 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.20.4~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3562a55a57c6ccf6bc279af6fb3514dd285d5e4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: btrfs-wait-on-ordered-extents-on-abort-cleanup.patch crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch crypto-bcm-convert-to-use-crypto_authenc_extractkeys.patch crypto-caam-fix-zero-length-buffer-dma-mapping.patch crypto-talitos-fix-ablkcipher-for-config_vmap_stack.patch crypto-talitos-reorder-code-in-talitos_edesc_alloc.patch revert-btrfs-balance-dirty-metadata-pages-in-btrfs_finish_ordered_io.patch scsi-core-synchronize-request-queue-pm-status-only-on-successful-resume.patch scsi-sd-fix-cache_type_store.patch yama-check-for-pid-death-before-checking-ancestry.patch --- diff --git a/queue-4.14/btrfs-wait-on-ordered-extents-on-abort-cleanup.patch b/queue-4.14/btrfs-wait-on-ordered-extents-on-abort-cleanup.patch new file mode 100644 index 00000000000..1b91be49691 --- /dev/null +++ b/queue-4.14/btrfs-wait-on-ordered-extents-on-abort-cleanup.patch @@ -0,0 +1,86 @@ +From 74d5d229b1bf60f93bff244b2dfc0eb21ec32a07 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 21 Nov 2018 14:05:45 -0500 +Subject: btrfs: wait on ordered extents on abort cleanup + +From: Josef Bacik + +commit 74d5d229b1bf60f93bff244b2dfc0eb21ec32a07 upstream. + +If we flip read-only before we initiate writeback on all dirty pages for +ordered extents we've created then we'll have ordered extents left over +on umount, which results in all sorts of bad things happening. Fix this +by making sure we wait on ordered extents if we have to do the aborted +transaction cleanup stuff. + +generic/475 can produce this warning: + + [ 8531.177332] WARNING: CPU: 2 PID: 11997 at fs/btrfs/disk-io.c:3856 btrfs_free_fs_root+0x95/0xa0 [btrfs] + [ 8531.183282] CPU: 2 PID: 11997 Comm: umount Tainted: G W 5.0.0-rc1-default+ #394 + [ 8531.185164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),BIOS rel-1.11.2-0-gf9626cc-prebuilt.qemu-project.org 04/01/2014 + [ 8531.187851] RIP: 0010:btrfs_free_fs_root+0x95/0xa0 [btrfs] + [ 8531.193082] RSP: 0018:ffffb1ab86163d98 EFLAGS: 00010286 + [ 8531.194198] RAX: ffff9f3449494d18 RBX: ffff9f34a2695000 RCX:0000000000000000 + [ 8531.195629] RDX: 0000000000000002 RSI: 0000000000000001 RDI:0000000000000000 + [ 8531.197315] RBP: ffff9f344e930000 R08: 0000000000000001 R09:0000000000000000 + [ 8531.199095] R10: 0000000000000000 R11: ffff9f34494d4ff8 R12:ffffb1ab86163dc0 + [ 8531.200870] R13: ffff9f344e9300b0 R14: ffffb1ab86163db8 R15:0000000000000000 + [ 8531.202707] FS: 00007fc68e949fc0(0000) GS:ffff9f34bd800000(0000)knlGS:0000000000000000 + [ 8531.204851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 8531.205942] CR2: 00007ffde8114dd8 CR3: 000000002dfbd000 CR4:00000000000006e0 + [ 8531.207516] Call Trace: + [ 8531.208175] btrfs_free_fs_roots+0xdb/0x170 [btrfs] + [ 8531.210209] ? wait_for_completion+0x5b/0x190 + [ 8531.211303] close_ctree+0x157/0x350 [btrfs] + [ 8531.212412] generic_shutdown_super+0x64/0x100 + [ 8531.213485] kill_anon_super+0x14/0x30 + [ 8531.214430] btrfs_kill_super+0x12/0xa0 [btrfs] + [ 8531.215539] deactivate_locked_super+0x29/0x60 + [ 8531.216633] cleanup_mnt+0x3b/0x70 + [ 8531.217497] task_work_run+0x98/0xc0 + [ 8531.218397] exit_to_usermode_loop+0x83/0x90 + [ 8531.219324] do_syscall_64+0x15b/0x180 + [ 8531.220192] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [ 8531.221286] RIP: 0033:0x7fc68e5e4d07 + [ 8531.225621] RSP: 002b:00007ffde8116608 EFLAGS: 00000246 ORIG_RAX:00000000000000a6 + [ 8531.227512] RAX: 0000000000000000 RBX: 00005580c2175970 RCX:00007fc68e5e4d07 + [ 8531.229098] RDX: 0000000000000001 RSI: 0000000000000000 RDI:00005580c2175b80 + [ 8531.230730] RBP: 0000000000000000 R08: 00005580c2175ba0 R09:00007ffde8114e80 + [ 8531.232269] R10: 0000000000000000 R11: 0000000000000246 R12:00005580c2175b80 + [ 8531.233839] R13: 00007fc68eac61c4 R14: 00005580c2175a68 R15:0000000000000000 + +Leaving a tree in the rb-tree: + +3853 void btrfs_free_fs_root(struct btrfs_root *root) +3854 { +3855 iput(root->ino_cache_inode); +3856 WARN_ON(!RB_EMPTY_ROOT(&root->inode_tree)); + +CC: stable@vger.kernel.org +Reviewed-by: Nikolay Borisov +Signed-off-by: Josef Bacik +[ add stacktrace ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/disk-io.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -4115,6 +4115,14 @@ static void btrfs_destroy_all_ordered_ex + spin_lock(&fs_info->ordered_root_lock); + } + spin_unlock(&fs_info->ordered_root_lock); ++ ++ /* ++ * We need this here because if we've been flipped read-only we won't ++ * get sync() from the umount, so we need to make sure any ordered ++ * extents that haven't had their dirty pages IO start writeout yet ++ * actually get run and error out properly. ++ */ ++ btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1); + } + + static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans, diff --git a/queue-4.14/crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch b/queue-4.14/crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch new file mode 100644 index 00000000000..8864b10a1f8 --- /dev/null +++ b/queue-4.14/crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch @@ -0,0 +1,116 @@ +From 8f9c469348487844328e162db57112f7d347c49f Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 16 Dec 2018 23:23:22 -0800 +Subject: crypto: authenc - fix parsing key with misaligned rta_len + +From: Eric Biggers + +commit 8f9c469348487844328e162db57112f7d347c49f upstream. + +Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte +'enckeylen', followed by an authentication key and an encryption key. +crypto_authenc_extractkeys() parses the key to find the inner keys. + +However, it fails to consider the case where the rtattr's payload is +longer than 4 bytes but not 4-byte aligned, and where the key ends +before the next 4-byte aligned boundary. In this case, 'keylen -= +RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This +causes a buffer overread and crash during crypto_ahash_setkey(). + +Fix it by restricting the rtattr payload to the expected size. + +Reproducer using AF_ALG: + + #include + #include + #include + + int main() + { + int fd; + struct sockaddr_alg addr = { + .salg_type = "aead", + .salg_name = "authenc(hmac(sha256),cbc(aes))", + }; + struct { + struct rtattr attr; + __be32 enckeylen; + char keys[1]; + } __attribute__((packed)) key = { + .attr.rta_len = sizeof(key), + .attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */, + }; + + fd = socket(AF_ALG, SOCK_SEQPACKET, 0); + bind(fd, (void *)&addr, sizeof(addr)); + setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key)); + } + +It caused: + + BUG: unable to handle kernel paging request at ffff88007ffdc000 + PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0 + Oops: 0000 [#1] SMP + CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014 + RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155 + [...] + Call Trace: + sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321 + crypto_shash_finup+0x1a/0x30 crypto/shash.c:178 + shash_digest_unaligned+0x45/0x60 crypto/shash.c:186 + crypto_shash_digest+0x24/0x40 crypto/shash.c:202 + hmac_setkey+0x135/0x1e0 crypto/hmac.c:66 + crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66 + shash_async_setkey+0x10/0x20 crypto/shash.c:223 + crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202 + crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96 + crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62 + aead_setkey+0xc/0x10 crypto/algif_aead.c:526 + alg_setkey crypto/af_alg.c:223 [inline] + alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256 + __sys_setsockopt+0x6d/0xd0 net/socket.c:1902 + __do_sys_setsockopt net/socket.c:1913 [inline] + __se_sys_setsockopt net/socket.c:1910 [inline] + __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910 + do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: e236d4a89a2f ("[CRYPTO] authenc: Move enckeylen into key itself") +Cc: # v2.6.25+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/authenc.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/crypto/authenc.c ++++ b/crypto/authenc.c +@@ -58,14 +58,22 @@ int crypto_authenc_extractkeys(struct cr + return -EINVAL; + if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM) + return -EINVAL; +- if (RTA_PAYLOAD(rta) < sizeof(*param)) ++ ++ /* ++ * RTA_OK() didn't align the rtattr's payload when validating that it ++ * fits in the buffer. Yet, the keys should start on the next 4-byte ++ * aligned boundary. To avoid confusion, require that the rtattr ++ * payload be exactly the param struct, which has a 4-byte aligned size. ++ */ ++ if (RTA_PAYLOAD(rta) != sizeof(*param)) + return -EINVAL; ++ BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO); + + param = RTA_DATA(rta); + keys->enckeylen = be32_to_cpu(param->enckeylen); + +- key += RTA_ALIGN(rta->rta_len); +- keylen -= RTA_ALIGN(rta->rta_len); ++ key += rta->rta_len; ++ keylen -= rta->rta_len; + + if (keylen < keys->enckeylen) + return -EINVAL; diff --git a/queue-4.14/crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch b/queue-4.14/crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch new file mode 100644 index 00000000000..3afcba4dac2 --- /dev/null +++ b/queue-4.14/crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch @@ -0,0 +1,67 @@ +From a7773363624b034ab198c738661253d20a8055c2 Mon Sep 17 00:00:00 2001 +From: Harsh Jain +Date: Thu, 3 Jan 2019 14:21:05 +0530 +Subject: crypto: authencesn - Avoid twice completion call in decrypt path + +From: Harsh Jain + +commit a7773363624b034ab198c738661253d20a8055c2 upstream. + +Authencesn template in decrypt path unconditionally calls aead_request_complete +after ahash_verify which leads to following kernel panic in after decryption. + +[ 338.539800] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 +[ 338.548372] PGD 0 P4D 0 +[ 338.551157] Oops: 0000 [#1] SMP PTI +[ 338.554919] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Tainted: G W I 4.19.7+ #13 +[ 338.564431] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0 07/29/10 +[ 338.572212] RIP: 0010:esp_input_done2+0x350/0x410 [esp4] +[ 338.578030] Code: ff 0f b6 68 10 48 8b 83 c8 00 00 00 e9 8e fe ff ff 8b 04 25 04 00 00 00 83 e8 01 48 98 48 8b 3c c5 10 00 00 00 e9 f7 fd ff ff <8b> 04 25 04 00 00 00 83 e8 01 48 98 4c 8b 24 c5 10 00 00 00 e9 3b +[ 338.598547] RSP: 0018:ffff911c97803c00 EFLAGS: 00010246 +[ 338.604268] RAX: 0000000000000002 RBX: ffff911c4469ee00 RCX: 0000000000000000 +[ 338.612090] RDX: 0000000000000000 RSI: 0000000000000130 RDI: ffff911b87c20400 +[ 338.619874] RBP: 0000000000000000 R08: ffff911b87c20498 R09: 000000000000000a +[ 338.627610] R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000 +[ 338.635402] R13: ffff911c89590000 R14: ffff911c91730000 R15: 0000000000000000 +[ 338.643234] FS: 0000000000000000(0000) GS:ffff911c97800000(0000) knlGS:0000000000000000 +[ 338.652047] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 338.658299] CR2: 0000000000000004 CR3: 00000001ec20a000 CR4: 00000000000006f0 +[ 338.666382] Call Trace: +[ 338.669051] +[ 338.671254] esp_input_done+0x12/0x20 [esp4] +[ 338.675922] chcr_handle_resp+0x3b5/0x790 [chcr] +[ 338.680949] cpl_fw6_pld_handler+0x37/0x60 [chcr] +[ 338.686080] chcr_uld_rx_handler+0x22/0x50 [chcr] +[ 338.691233] uldrx_handler+0x8c/0xc0 [cxgb4] +[ 338.695923] process_responses+0x2f0/0x5d0 [cxgb4] +[ 338.701177] ? bitmap_find_next_zero_area_off+0x3a/0x90 +[ 338.706882] ? matrix_alloc_area.constprop.7+0x60/0x90 +[ 338.712517] ? apic_update_irq_cfg+0x82/0xf0 +[ 338.717177] napi_rx_handler+0x14/0xe0 [cxgb4] +[ 338.722015] net_rx_action+0x2aa/0x3e0 +[ 338.726136] __do_softirq+0xcb/0x280 +[ 338.730054] irq_exit+0xde/0xf0 +[ 338.733504] do_IRQ+0x54/0xd0 +[ 338.736745] common_interrupt+0xf/0xf + +Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD...") +Signed-off-by: Harsh Jain +Cc: stable@vger.kernel.org +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/authencesn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -279,7 +279,7 @@ static void authenc_esn_verify_ahash_don + struct aead_request *req = areq->data; + + err = err ?: crypto_authenc_esn_decrypt_tail(req, 0); +- aead_request_complete(req, err); ++ authenc_esn_request_complete(req, err); + } + + static int crypto_authenc_esn_decrypt(struct aead_request *req) diff --git a/queue-4.14/crypto-bcm-convert-to-use-crypto_authenc_extractkeys.patch b/queue-4.14/crypto-bcm-convert-to-use-crypto_authenc_extractkeys.patch new file mode 100644 index 00000000000..379e5a8947d --- /dev/null +++ b/queue-4.14/crypto-bcm-convert-to-use-crypto_authenc_extractkeys.patch @@ -0,0 +1,122 @@ +From ab57b33525c3221afaebd391458fa0cbcd56903d Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 16 Dec 2018 23:23:23 -0800 +Subject: crypto: bcm - convert to use crypto_authenc_extractkeys() + +From: Eric Biggers + +commit ab57b33525c3221afaebd391458fa0cbcd56903d upstream. + +Convert the bcm crypto driver to use crypto_authenc_extractkeys() so +that it picks up the fix for broken validation of rtattr::rta_len. + +This also fixes the DES weak key check to actually be done on the right +key. (It was checking the authentication key, not the encryption key...) + +Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") +Cc: # v4.11+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/Kconfig | 1 + + drivers/crypto/bcm/cipher.c | 44 +++++++++++++------------------------------- + 2 files changed, 14 insertions(+), 31 deletions(-) + +--- a/drivers/crypto/Kconfig ++++ b/drivers/crypto/Kconfig +@@ -679,6 +679,7 @@ config CRYPTO_DEV_BCM_SPU + depends on ARCH_BCM_IPROC + depends on MAILBOX + default m ++ select CRYPTO_AUTHENC + select CRYPTO_DES + select CRYPTO_MD5 + select CRYPTO_SHA1 +--- a/drivers/crypto/bcm/cipher.c ++++ b/drivers/crypto/bcm/cipher.c +@@ -2846,44 +2846,28 @@ static int aead_authenc_setkey(struct cr + struct spu_hw *spu = &iproc_priv.spu; + struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher); + struct crypto_tfm *tfm = crypto_aead_tfm(cipher); +- struct rtattr *rta = (void *)key; +- struct crypto_authenc_key_param *param; +- const u8 *origkey = key; +- const unsigned int origkeylen = keylen; +- +- int ret = 0; ++ struct crypto_authenc_keys keys; ++ int ret; + + flow_log("%s() aead:%p key:%p keylen:%u\n", __func__, cipher, key, + keylen); + flow_dump(" key: ", key, keylen); + +- if (!RTA_OK(rta, keylen)) +- goto badkey; +- if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM) ++ ret = crypto_authenc_extractkeys(&keys, key, keylen); ++ if (ret) + goto badkey; +- if (RTA_PAYLOAD(rta) < sizeof(*param)) +- goto badkey; +- +- param = RTA_DATA(rta); +- ctx->enckeylen = be32_to_cpu(param->enckeylen); + +- key += RTA_ALIGN(rta->rta_len); +- keylen -= RTA_ALIGN(rta->rta_len); +- +- if (keylen < ctx->enckeylen) +- goto badkey; +- if (ctx->enckeylen > MAX_KEY_SIZE) ++ if (keys.enckeylen > MAX_KEY_SIZE || ++ keys.authkeylen > MAX_KEY_SIZE) + goto badkey; + +- ctx->authkeylen = keylen - ctx->enckeylen; +- +- if (ctx->authkeylen > MAX_KEY_SIZE) +- goto badkey; ++ ctx->enckeylen = keys.enckeylen; ++ ctx->authkeylen = keys.authkeylen; + +- memcpy(ctx->enckey, key + ctx->authkeylen, ctx->enckeylen); ++ memcpy(ctx->enckey, keys.enckey, keys.enckeylen); + /* May end up padding auth key. So make sure it's zeroed. */ + memset(ctx->authkey, 0, sizeof(ctx->authkey)); +- memcpy(ctx->authkey, key, ctx->authkeylen); ++ memcpy(ctx->authkey, keys.authkey, keys.authkeylen); + + switch (ctx->alg->cipher_info.alg) { + case CIPHER_ALG_DES: +@@ -2891,7 +2875,7 @@ static int aead_authenc_setkey(struct cr + u32 tmp[DES_EXPKEY_WORDS]; + u32 flags = CRYPTO_TFM_RES_WEAK_KEY; + +- if (des_ekey(tmp, key) == 0) { ++ if (des_ekey(tmp, keys.enckey) == 0) { + if (crypto_aead_get_flags(cipher) & + CRYPTO_TFM_REQ_WEAK_KEY) { + crypto_aead_set_flags(cipher, flags); +@@ -2906,7 +2890,7 @@ static int aead_authenc_setkey(struct cr + break; + case CIPHER_ALG_3DES: + if (ctx->enckeylen == (DES_KEY_SIZE * 3)) { +- const u32 *K = (const u32 *)key; ++ const u32 *K = (const u32 *)keys.enckey; + u32 flags = CRYPTO_TFM_RES_BAD_KEY_SCHED; + + if (!((K[0] ^ K[2]) | (K[1] ^ K[3])) || +@@ -2957,9 +2941,7 @@ static int aead_authenc_setkey(struct cr + ctx->fallback_cipher->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK; + ctx->fallback_cipher->base.crt_flags |= + tfm->crt_flags & CRYPTO_TFM_REQ_MASK; +- ret = +- crypto_aead_setkey(ctx->fallback_cipher, origkey, +- origkeylen); ++ ret = crypto_aead_setkey(ctx->fallback_cipher, key, keylen); + if (ret) { + flow_log(" fallback setkey() returned:%d\n", ret); + tfm->crt_flags &= ~CRYPTO_TFM_RES_MASK; diff --git a/queue-4.14/crypto-caam-fix-zero-length-buffer-dma-mapping.patch b/queue-4.14/crypto-caam-fix-zero-length-buffer-dma-mapping.patch new file mode 100644 index 00000000000..2350dfe50eb --- /dev/null +++ b/queue-4.14/crypto-caam-fix-zero-length-buffer-dma-mapping.patch @@ -0,0 +1,96 @@ +From 04e6d25c5bb244c1a37eb9fe0b604cc11a04e8c5 Mon Sep 17 00:00:00 2001 +From: Aymen Sghaier +Date: Wed, 19 Dec 2018 16:36:44 +0200 +Subject: crypto: caam - fix zero-length buffer DMA mapping +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aymen Sghaier + +commit 04e6d25c5bb244c1a37eb9fe0b604cc11a04e8c5 upstream. + +Recent changes - probably DMA API related (generic and/or arm64-specific) - +exposed a case where driver maps a zero-length buffer: +ahash_init()->ahash_update()->ahash_final() with a zero-length string to +hash + +kernel BUG at kernel/dma/swiotlb.c:475! +Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +Modules linked in: +CPU: 2 PID: 1823 Comm: cryptomgr_test Not tainted 4.20.0-rc1-00108-g00c9fe37a7f2 #1 +Hardware name: LS1046A RDB Board (DT) +pstate: 80000005 (Nzcv daif -PAN -UAO) +pc : swiotlb_tbl_map_single+0x170/0x2b8 +lr : swiotlb_map_page+0x134/0x1f8 +sp : ffff00000f79b8f0 +x29: ffff00000f79b8f0 x28: 0000000000000000 +x27: ffff0000093d0000 x26: 0000000000000000 +x25: 00000000001f3ffe x24: 0000000000200000 +x23: 0000000000000000 x22: 00000009f2c538c0 +x21: ffff800970aeb410 x20: 0000000000000001 +x19: ffff800970aeb410 x18: 0000000000000007 +x17: 000000000000000e x16: 0000000000000001 +x15: 0000000000000019 x14: c32cb8218a167fe8 +x13: ffffffff00000000 x12: ffff80097fdae348 +x11: 0000800976bca000 x10: 0000000000000010 +x9 : 0000000000000000 x8 : ffff0000091fd6c8 +x7 : 0000000000000000 x6 : 00000009f2c538bf +x5 : 0000000000000000 x4 : 0000000000000001 +x3 : 0000000000000000 x2 : 00000009f2c538c0 +x1 : 00000000f9fff000 x0 : 0000000000000000 +Process cryptomgr_test (pid: 1823, stack limit = 0x(____ptrval____)) +Call trace: + swiotlb_tbl_map_single+0x170/0x2b8 + swiotlb_map_page+0x134/0x1f8 + ahash_final_no_ctx+0xc4/0x6cc + ahash_final+0x10/0x18 + crypto_ahash_op+0x30/0x84 + crypto_ahash_final+0x14/0x1c + __test_hash+0x574/0xe0c + test_hash+0x28/0x80 + __alg_test_hash+0x84/0xd0 + alg_test_hash+0x78/0x144 + alg_test.part.30+0x12c/0x2b4 + alg_test+0x3c/0x68 + cryptomgr_test+0x44/0x4c + kthread+0xfc/0x128 + ret_from_fork+0x10/0x18 +Code: d34bfc18 2a1a03f7 1a9f8694 35fff89a (d4210000) + +Cc: +Signed-off-by: Aymen Sghaier +Signed-off-by: Horia Geantă +Reviewed-by: Christoph Hellwig +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamhash.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -1109,13 +1109,16 @@ static int ahash_final_no_ctx(struct aha + + desc = edesc->hw_desc; + +- state->buf_dma = dma_map_single(jrdev, buf, buflen, DMA_TO_DEVICE); +- if (dma_mapping_error(jrdev, state->buf_dma)) { +- dev_err(jrdev, "unable to map src\n"); +- goto unmap; +- } ++ if (buflen) { ++ state->buf_dma = dma_map_single(jrdev, buf, buflen, ++ DMA_TO_DEVICE); ++ if (dma_mapping_error(jrdev, state->buf_dma)) { ++ dev_err(jrdev, "unable to map src\n"); ++ goto unmap; ++ } + +- append_seq_in_ptr(desc, state->buf_dma, buflen, 0); ++ append_seq_in_ptr(desc, state->buf_dma, buflen, 0); ++ } + + edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result, + digestsize); diff --git a/queue-4.14/crypto-talitos-fix-ablkcipher-for-config_vmap_stack.patch b/queue-4.14/crypto-talitos-fix-ablkcipher-for-config_vmap_stack.patch new file mode 100644 index 00000000000..8ff29476e70 --- /dev/null +++ b/queue-4.14/crypto-talitos-fix-ablkcipher-for-config_vmap_stack.patch @@ -0,0 +1,79 @@ +From 1bea445b0a022ee126ca328b3705cd4df18ebc14 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 8 Jan 2019 06:56:48 +0000 +Subject: crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe Leroy + +commit 1bea445b0a022ee126ca328b3705cd4df18ebc14 upstream. + +[ 2.364486] WARNING: CPU: 0 PID: 60 at ./arch/powerpc/include/asm/io.h:837 dma_nommu_map_page+0x44/0xd4 +[ 2.373579] CPU: 0 PID: 60 Comm: cryptomgr_test Tainted: G W 4.20.0-rc5-00560-g6bfb52e23a00-dirty #531 +[ 2.384740] NIP: c000c540 LR: c000c584 CTR: 00000000 +[ 2.389743] REGS: c95abab0 TRAP: 0700 Tainted: G W (4.20.0-rc5-00560-g6bfb52e23a00-dirty) +[ 2.400042] MSR: 00029032 CR: 24042204 XER: 00000000 +[ 2.406669] +[ 2.406669] GPR00: c02f2244 c95abb60 c6262990 c95abd80 0000256a 00000001 00000001 00000001 +[ 2.406669] GPR08: 00000000 00002000 00000010 00000010 24042202 00000000 00000100 c95abd88 +[ 2.406669] GPR16: 00000000 c05569d4 00000001 00000010 c95abc88 c0615664 00000004 00000000 +[ 2.406669] GPR24: 00000010 c95abc88 c95abc88 00000000 c61ae210 c7ff6d40 c61ae210 00003d68 +[ 2.441559] NIP [c000c540] dma_nommu_map_page+0x44/0xd4 +[ 2.446720] LR [c000c584] dma_nommu_map_page+0x88/0xd4 +[ 2.451762] Call Trace: +[ 2.454195] [c95abb60] [82000808] 0x82000808 (unreliable) +[ 2.459572] [c95abb80] [c02f2244] talitos_edesc_alloc+0xbc/0x3c8 +[ 2.465493] [c95abbb0] [c02f2600] ablkcipher_edesc_alloc+0x4c/0x5c +[ 2.471606] [c95abbd0] [c02f4ed0] ablkcipher_encrypt+0x20/0x64 +[ 2.477389] [c95abbe0] [c02023b0] __test_skcipher+0x4bc/0xa08 +[ 2.483049] [c95abe00] [c0204b60] test_skcipher+0x2c/0xcc +[ 2.488385] [c95abe20] [c0204c48] alg_test_skcipher+0x48/0xbc +[ 2.494064] [c95abe40] [c0205cec] alg_test+0x164/0x2e8 +[ 2.499142] [c95abf00] [c0200dec] cryptomgr_test+0x48/0x50 +[ 2.504558] [c95abf10] [c0039ff4] kthread+0xe4/0x110 +[ 2.509471] [c95abf40] [c000e1d0] ret_from_kernel_thread+0x14/0x1c +[ 2.515532] Instruction dump: +[ 2.518468] 7c7e1b78 7c9d2378 7cbf2b78 41820054 3d20c076 8089c200 3d20c076 7c84e850 +[ 2.526127] 8129c204 7c842e70 7f844840 419c0008 <0fe00000> 2f9e0000 54847022 7c84fa14 +[ 2.533960] ---[ end trace bf78d94af73fe3b8 ]--- +[ 2.539123] talitos ff020000.crypto: master data transfer error +[ 2.544775] talitos ff020000.crypto: TEA error: ISR 0x20000000_00000040 +[ 2.551625] alg: skcipher: encryption failed on test 1 for ecb-aes-talitos: ret=22 + +IV cannot be on stack when CONFIG_VMAP_STACK is selected because the stack +cannot be DMA mapped anymore. + +This patch copies the IV into the extended descriptor. + +Fixes: 4de9d0b547b9 ("crypto: talitos - Add ablkcipher algorithms") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy +Reviewed-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/talitos.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1398,12 +1398,15 @@ static struct talitos_edesc *talitos_ede + dma_len = 0; + alloc_len += icv_stashing ? authsize : 0; + } ++ alloc_len += ivsize; + + edesc = kmalloc(alloc_len, GFP_DMA | flags); + if (!edesc) + return ERR_PTR(-ENOMEM); +- if (ivsize) ++ if (ivsize) { ++ iv = memcpy(((u8 *)edesc) + alloc_len - ivsize, iv, ivsize); + iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE); ++ } + + edesc->src_nents = src_nents; + edesc->dst_nents = dst_nents; diff --git a/queue-4.14/crypto-talitos-reorder-code-in-talitos_edesc_alloc.patch b/queue-4.14/crypto-talitos-reorder-code-in-talitos_edesc_alloc.patch new file mode 100644 index 00000000000..4b17e24afb7 --- /dev/null +++ b/queue-4.14/crypto-talitos-reorder-code-in-talitos_edesc_alloc.patch @@ -0,0 +1,98 @@ +From c56c2e173773097a248fd3bace91ac8f6fc5386d Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 8 Jan 2019 06:56:46 +0000 +Subject: crypto: talitos - reorder code in talitos_edesc_alloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe Leroy + +commit c56c2e173773097a248fd3bace91ac8f6fc5386d upstream. + +This patch moves the mapping of IV after the kmalloc(). This +avoids having to unmap in case kmalloc() fails. + +Signed-off-by: Christophe Leroy +Reviewed-by: Horia Geantă +Cc: stable@vger.kernel.org +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/talitos.c | 26 +++++++------------------- + 1 file changed, 7 insertions(+), 19 deletions(-) + +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1347,23 +1347,18 @@ static struct talitos_edesc *talitos_ede + struct talitos_private *priv = dev_get_drvdata(dev); + bool is_sec1 = has_ftr_sec1(priv); + int max_len = is_sec1 ? TALITOS1_MAX_DATA_LEN : TALITOS2_MAX_DATA_LEN; +- void *err; + + if (cryptlen + authsize > max_len) { + dev_err(dev, "length exceeds h/w max limit\n"); + return ERR_PTR(-EINVAL); + } + +- if (ivsize) +- iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE); +- + if (!dst || dst == src) { + src_len = assoclen + cryptlen + authsize; + src_nents = sg_nents_for_len(src, src_len); + if (src_nents < 0) { + dev_err(dev, "Invalid number of src SG.\n"); +- err = ERR_PTR(-EINVAL); +- goto error_sg; ++ return ERR_PTR(-EINVAL); + } + src_nents = (src_nents == 1) ? 0 : src_nents; + dst_nents = dst ? src_nents : 0; +@@ -1373,16 +1368,14 @@ static struct talitos_edesc *talitos_ede + src_nents = sg_nents_for_len(src, src_len); + if (src_nents < 0) { + dev_err(dev, "Invalid number of src SG.\n"); +- err = ERR_PTR(-EINVAL); +- goto error_sg; ++ return ERR_PTR(-EINVAL); + } + src_nents = (src_nents == 1) ? 0 : src_nents; + dst_len = assoclen + cryptlen + (encrypt ? authsize : 0); + dst_nents = sg_nents_for_len(dst, dst_len); + if (dst_nents < 0) { + dev_err(dev, "Invalid number of dst SG.\n"); +- err = ERR_PTR(-EINVAL); +- goto error_sg; ++ return ERR_PTR(-EINVAL); + } + dst_nents = (dst_nents == 1) ? 0 : dst_nents; + } +@@ -1407,11 +1400,10 @@ static struct talitos_edesc *talitos_ede + } + + edesc = kmalloc(alloc_len, GFP_DMA | flags); +- if (!edesc) { +- dev_err(dev, "could not allocate edescriptor\n"); +- err = ERR_PTR(-ENOMEM); +- goto error_sg; +- } ++ if (!edesc) ++ return ERR_PTR(-ENOMEM); ++ if (ivsize) ++ iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE); + + edesc->src_nents = src_nents; + edesc->dst_nents = dst_nents; +@@ -1423,10 +1415,6 @@ static struct talitos_edesc *talitos_ede + DMA_BIDIRECTIONAL); + + return edesc; +-error_sg: +- if (iv_dma) +- dma_unmap_single(dev, iv_dma, ivsize, DMA_TO_DEVICE); +- return err; + } + + static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv, diff --git a/queue-4.14/revert-btrfs-balance-dirty-metadata-pages-in-btrfs_finish_ordered_io.patch b/queue-4.14/revert-btrfs-balance-dirty-metadata-pages-in-btrfs_finish_ordered_io.patch new file mode 100644 index 00000000000..354cb69eb74 --- /dev/null +++ b/queue-4.14/revert-btrfs-balance-dirty-metadata-pages-in-btrfs_finish_ordered_io.patch @@ -0,0 +1,98 @@ +From 77b7aad195099e7c6da11e94b7fa6ef5e6fb0025 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Wed, 9 Jan 2019 15:02:23 +0100 +Subject: Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io" + +From: David Sterba + +commit 77b7aad195099e7c6da11e94b7fa6ef5e6fb0025 upstream. + +This reverts commit e73e81b6d0114d4a303205a952ab2e87c44bd279. + +This patch causes a few problems: + +- adds latency to btrfs_finish_ordered_io +- as btrfs_finish_ordered_io is used for free space cache, generating + more work from btrfs_btree_balance_dirty_nodelay could end up in the + same workque, effectively deadlocking + +12260 kworker/u96:16+btrfs-freespace-write D +[<0>] balance_dirty_pages+0x6e6/0x7ad +[<0>] balance_dirty_pages_ratelimited+0x6bb/0xa90 +[<0>] btrfs_finish_ordered_io+0x3da/0x770 +[<0>] normal_work_helper+0x1c5/0x5a0 +[<0>] process_one_work+0x1ee/0x5a0 +[<0>] worker_thread+0x46/0x3d0 +[<0>] kthread+0xf5/0x130 +[<0>] ret_from_fork+0x24/0x30 +[<0>] 0xffffffffffffffff + +Transaction commit will wait on the freespace cache: + +838 btrfs-transacti D +[<0>] btrfs_start_ordered_extent+0x154/0x1e0 +[<0>] btrfs_wait_ordered_range+0xbd/0x110 +[<0>] __btrfs_wait_cache_io+0x49/0x1a0 +[<0>] btrfs_write_dirty_block_groups+0x10b/0x3b0 +[<0>] commit_cowonly_roots+0x215/0x2b0 +[<0>] btrfs_commit_transaction+0x37e/0x910 +[<0>] transaction_kthread+0x14d/0x180 +[<0>] kthread+0xf5/0x130 +[<0>] ret_from_fork+0x24/0x30 +[<0>] 0xffffffffffffffff + +And then writepages ends up waiting on transaction commit: + +9520 kworker/u96:13+flush-btrfs-1 D +[<0>] wait_current_trans+0xac/0xe0 +[<0>] start_transaction+0x21b/0x4b0 +[<0>] cow_file_range_inline+0x10b/0x6b0 +[<0>] cow_file_range.isra.69+0x329/0x4a0 +[<0>] run_delalloc_range+0x105/0x3c0 +[<0>] writepage_delalloc+0x119/0x180 +[<0>] __extent_writepage+0x10c/0x390 +[<0>] extent_write_cache_pages+0x26f/0x3d0 +[<0>] extent_writepages+0x4f/0x80 +[<0>] do_writepages+0x17/0x60 +[<0>] __writeback_single_inode+0x59/0x690 +[<0>] writeback_sb_inodes+0x291/0x4e0 +[<0>] __writeback_inodes_wb+0x87/0xb0 +[<0>] wb_writeback+0x3bb/0x500 +[<0>] wb_workfn+0x40d/0x610 +[<0>] process_one_work+0x1ee/0x5a0 +[<0>] worker_thread+0x1e0/0x3d0 +[<0>] kthread+0xf5/0x130 +[<0>] ret_from_fork+0x24/0x30 +[<0>] 0xffffffffffffffff + +Eventually, we have every process in the system waiting on +balance_dirty_pages(), and nobody is able to make progress on page +writeback. + +The original patch tried to fix an OOM condition, that happened on 4.4 but no +success reproducing that on later kernels (4.19 and 4.20). This is more likely +a problem in OOM itself. + +Link: https://lore.kernel.org/linux-btrfs/20180528054821.9092-1-ethanlien@synology.com/ +Reported-by: Chris Mason +CC: stable@vger.kernel.org # 4.18+ +CC: ethanlien +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3170,9 +3170,6 @@ out: + /* once for the tree */ + btrfs_put_ordered_extent(ordered_extent); + +- /* Try to release some metadata so we don't get an OOM but don't wait */ +- btrfs_btree_balance_dirty_nodelay(fs_info); +- + return ret; + } + diff --git a/queue-4.14/scsi-core-synchronize-request-queue-pm-status-only-on-successful-resume.patch b/queue-4.14/scsi-core-synchronize-request-queue-pm-status-only-on-successful-resume.patch new file mode 100644 index 00000000000..a86d483d26b --- /dev/null +++ b/queue-4.14/scsi-core-synchronize-request-queue-pm-status-only-on-successful-resume.patch @@ -0,0 +1,97 @@ +From 3f7e62bba0003f9c68f599f5997c4647ef5b4f4e Mon Sep 17 00:00:00 2001 +From: Stanley Chu +Date: Thu, 3 Jan 2019 22:08:05 +0800 +Subject: scsi: core: Synchronize request queue PM status only on successful resume + +From: Stanley Chu + +commit 3f7e62bba0003f9c68f599f5997c4647ef5b4f4e upstream. + +The commit 356fd2663cff ("scsi: Set request queue runtime PM status back to +active on resume") fixed up the inconsistent RPM status between request +queue and device. However changing request queue RPM status shall be done +only on successful resume, otherwise status may be still inconsistent as +below, + +Request queue: RPM_ACTIVE +Device: RPM_SUSPENDED + +This ends up soft lockup because requests can be submitted to underlying +devices but those devices and their required resource are not resumed. + +For example, + +After above inconsistent status happens, IO request can be submitted to UFS +device driver but required resource (like clock) is not resumed yet thus +lead to warning as below call stack, + +WARN_ON(hba->clk_gating.state != CLKS_ON); +ufshcd_queuecommand +scsi_dispatch_cmd +scsi_request_fn +__blk_run_queue +cfq_insert_request +__elv_add_request +blk_flush_plug_list +blk_finish_plug +jbd2_journal_commit_transaction +kjournald2 + +We may see all behind IO requests hang because of no response from storage +host or device and then soft lockup happens in system. In the end, system +may crash in many ways. + +Fixes: 356fd2663cff (scsi: Set request queue runtime PM status back to active on resume) +Cc: stable@vger.kernel.org +Signed-off-by: Stanley Chu +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_pm.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +--- a/drivers/scsi/scsi_pm.c ++++ b/drivers/scsi/scsi_pm.c +@@ -79,8 +79,22 @@ static int scsi_dev_type_resume(struct d + + if (err == 0) { + pm_runtime_disable(dev); +- pm_runtime_set_active(dev); ++ err = pm_runtime_set_active(dev); + pm_runtime_enable(dev); ++ ++ /* ++ * Forcibly set runtime PM status of request queue to "active" ++ * to make sure we can again get requests from the queue ++ * (see also blk_pm_peek_request()). ++ * ++ * The resume hook will correct runtime PM status of the disk. ++ */ ++ if (!err && scsi_is_sdev_device(dev)) { ++ struct scsi_device *sdev = to_scsi_device(dev); ++ ++ if (sdev->request_queue->dev) ++ blk_set_runtime_active(sdev->request_queue); ++ } + } + + return err; +@@ -139,16 +153,6 @@ static int scsi_bus_resume_common(struct + else + fn = NULL; + +- /* +- * Forcibly set runtime PM status of request queue to "active" to +- * make sure we can again get requests from the queue (see also +- * blk_pm_peek_request()). +- * +- * The resume hook will correct runtime PM status of the disk. +- */ +- if (scsi_is_sdev_device(dev) && pm_runtime_suspended(dev)) +- blk_set_runtime_active(to_scsi_device(dev)->request_queue); +- + if (fn) { + async_schedule_domain(fn, dev, &scsi_sd_pm_domain); + diff --git a/queue-4.14/scsi-sd-fix-cache_type_store.patch b/queue-4.14/scsi-sd-fix-cache_type_store.patch new file mode 100644 index 00000000000..f61c7f4b24e --- /dev/null +++ b/queue-4.14/scsi-sd-fix-cache_type_store.patch @@ -0,0 +1,62 @@ +From 44759979a49bfd2d20d789add7fa81a21eb1a4ab Mon Sep 17 00:00:00 2001 +From: Ivan Mironov +Date: Sun, 23 Dec 2018 12:41:58 +0500 +Subject: scsi: sd: Fix cache_type_store() + +From: Ivan Mironov + +commit 44759979a49bfd2d20d789add7fa81a21eb1a4ab upstream. + +Changing of caching mode via /sys/devices/.../scsi_disk/.../cache_type may +fail if device responds to MODE SENSE command with DPOFUA flag set, and +then checks this flag to be not set on MODE SELECT command. + +In this scenario, when trying to change cache_type, write always fails: + + # echo "none" >cache_type + bash: echo: write error: Invalid argument + +And following appears in dmesg: + + [13007.865745] sd 1:0:1:0: [sda] Sense Key : Illegal Request [current] + [13007.865753] sd 1:0:1:0: [sda] Add. Sense: Invalid field in parameter list + +From SBC-4 r15, 6.5.1 "Mode pages overview", description of DEVICE-SPECIFIC +PARAMETER field in the mode parameter header: + ... + The write protect (WP) bit for mode data sent with a MODE SELECT + command shall be ignored by the device server. + ... + The DPOFUA bit is reserved for mode data sent with a MODE SELECT + command. + ... + +The remaining bits in the DEVICE-SPECIFIC PARAMETER byte are also reserved +and shall be set to zero. + +[mkp: shuffled commentary to commit description] + +Cc: stable@vger.kernel.org +Signed-off-by: Ivan Mironov +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -206,6 +206,12 @@ cache_type_store(struct device *dev, str + sp = buffer_data[0] & 0x80 ? 1 : 0; + buffer_data[0] &= ~0x80; + ++ /* ++ * Ensure WP, DPOFUA, and RESERVED fields are cleared in ++ * received mode parameter buffer before doing MODE SELECT. ++ */ ++ data.device_specific = 0; ++ + if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT, + SD_MAX_RETRIES, &data, &sshdr)) { + if (scsi_sense_valid(&sshdr)) diff --git a/queue-4.14/series b/queue-4.14/series index 459ed15e0b4..93819fba090 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -15,3 +15,14 @@ net-bridge-fix-a-bug-on-using-a-neighbour-cache-entry-without-checking-its-state packet-do-not-leak-dev-refcounts-on-error-exit.patch bonding-update-nest-level-on-unlink.patch ip-on-queued-skb-use-skb_header_pointer-instead-of-pskb_may_pull.patch +crypto-caam-fix-zero-length-buffer-dma-mapping.patch +crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch +crypto-bcm-convert-to-use-crypto_authenc_extractkeys.patch +crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch +revert-btrfs-balance-dirty-metadata-pages-in-btrfs_finish_ordered_io.patch +btrfs-wait-on-ordered-extents-on-abort-cleanup.patch +yama-check-for-pid-death-before-checking-ancestry.patch +scsi-core-synchronize-request-queue-pm-status-only-on-successful-resume.patch +scsi-sd-fix-cache_type_store.patch +crypto-talitos-reorder-code-in-talitos_edesc_alloc.patch +crypto-talitos-fix-ablkcipher-for-config_vmap_stack.patch diff --git a/queue-4.14/yama-check-for-pid-death-before-checking-ancestry.patch b/queue-4.14/yama-check-for-pid-death-before-checking-ancestry.patch new file mode 100644 index 00000000000..727ee09585d --- /dev/null +++ b/queue-4.14/yama-check-for-pid-death-before-checking-ancestry.patch @@ -0,0 +1,38 @@ +From 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 16 Jan 2019 10:31:09 -0800 +Subject: Yama: Check for pid death before checking ancestry + +From: Kees Cook + +commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream. + +It's possible that a pid has died before we take the rcu lock, in which +case we can't walk the ancestry list as it may be detached. Instead, check +for death first before doing the walk. + +Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com +Fixes: 2d514487faf1 ("security: Yama LSM") +Cc: stable@vger.kernel.org +Suggested-by: Oleg Nesterov +Signed-off-by: Kees Cook +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/yama/yama_lsm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/security/yama/yama_lsm.c ++++ b/security/yama/yama_lsm.c +@@ -373,7 +373,9 @@ static int yama_ptrace_access_check(stru + break; + case YAMA_SCOPE_RELATIONAL: + rcu_read_lock(); +- if (!task_is_descendant(current, child) && ++ if (!pid_alive(child)) ++ rc = -EPERM; ++ if (!rc && !task_is_descendant(current, child) && + !ptracer_exception_found(current, child) && + !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) + rc = -EPERM;