From 00c0596d560d32a94c0d207cb9708f924242a54d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 7 Sep 2018 12:19:12 +0200 Subject: [PATCH] 3.18-stable patches added patches: 9p-fix-multiple-null-pointer-dereferences.patch 9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch iio-ad9523-fix-displayed-phase.patch iio-ad9523-fix-return-value-for-ad952x_store.patch kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch net-9p-client.c-version-pointer-uninitialized.patch net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch spi-davinci-fix-a-null-pointer-dereference.patch tracing-blktrace-fix-to-allow-setting-same-value.patch tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch uart-fix-race-between-uart_put_char-and-uart_shutdown.patch uprobes-use-synchronize_rcu-not-synchronize_sched.patch --- ...x-multiple-null-pointer-dereferences.patch | 69 +++++ ...by-one-error-in-sg-list-bounds-check.patch | 44 +++ ...licy_hint_size-to-on-disk-superblock.patch | 53 ++++ .../iio-ad9523-fix-displayed-phase.patch | 36 +++ ...23-fix-return-value-for-ad952x_store.patch | 40 +++ ...-written-comm-when-creating-kthreads.patch | 83 ++++++ ...ient.c-version-pointer-uninitialized.patch | 43 +++ ...-flushing-workqueue-before-the-kfree.patch | 39 +++ ...h-memory-ranges-array-index-overflow.patch | 253 ++++++++++++++++++ ...while-restoring-of-r3-in-mce-handler.patch | 71 +++++ queue-3.18/series | 15 ++ ...vinci-fix-a-null-pointer-dereference.patch | 32 +++ ...race-fix-to-allow-setting-same-value.patch | 63 +++++ ...ions-when-tracing_on-does-not-change.patch | 41 +++ ...ween-uart_put_char-and-uart_shutdown.patch | 186 +++++++++++++ ...ynchronize_rcu-not-synchronize_sched.patch | 39 +++ queue-4.14/series | 51 ++++ queue-4.4/series | 26 ++ 18 files changed, 1184 insertions(+) create mode 100644 queue-3.18/9p-fix-multiple-null-pointer-dereferences.patch create mode 100644 queue-3.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch create mode 100644 queue-3.18/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch create mode 100644 queue-3.18/iio-ad9523-fix-displayed-phase.patch create mode 100644 queue-3.18/iio-ad9523-fix-return-value-for-ad952x_store.patch create mode 100644 queue-3.18/kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch create mode 100644 queue-3.18/net-9p-client.c-version-pointer-uninitialized.patch create mode 100644 queue-3.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch create mode 100644 queue-3.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch create mode 100644 queue-3.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch create mode 100644 queue-3.18/series create mode 100644 queue-3.18/spi-davinci-fix-a-null-pointer-dereference.patch create mode 100644 queue-3.18/tracing-blktrace-fix-to-allow-setting-same-value.patch create mode 100644 queue-3.18/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch create mode 100644 queue-3.18/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch create mode 100644 queue-3.18/uprobes-use-synchronize_rcu-not-synchronize_sched.patch create mode 100644 queue-4.14/series create mode 100644 queue-4.4/series diff --git a/queue-3.18/9p-fix-multiple-null-pointer-dereferences.patch b/queue-3.18/9p-fix-multiple-null-pointer-dereferences.patch new file mode 100644 index 00000000000..ea5f6ce3700 --- /dev/null +++ b/queue-3.18/9p-fix-multiple-null-pointer-dereferences.patch @@ -0,0 +1,69 @@ +From 10aa14527f458e9867cf3d2cc6b8cb0f6704448b Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Fri, 27 Jul 2018 13:05:58 +0200 +Subject: 9p: fix multiple NULL-pointer-dereferences + +From: Tomas Bortoli + +commit 10aa14527f458e9867cf3d2cc6b8cb0f6704448b upstream. + +Added checks to prevent GPFs from raising. + +Link: http://lkml.kernel.org/r/20180727110558.5479-1-tomasbortoli@gmail.com +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+1a262da37d3bead15c39@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_fd.c | 5 ++++- + net/9p/trans_rdma.c | 3 +++ + net/9p/trans_virtio.c | 3 +++ + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -934,7 +934,7 @@ p9_fd_create_tcp(struct p9_client *clien + if (err < 0) + return err; + +- if (valid_ipaddr4(addr) < 0) ++ if (addr == NULL || valid_ipaddr4(addr) < 0) + return -EINVAL; + + csocket = NULL; +@@ -982,6 +982,9 @@ p9_fd_create_unix(struct p9_client *clie + + csocket = NULL; + ++ if (addr == NULL) ++ return -EINVAL; ++ + if (strlen(addr) >= UNIX_PATH_MAX) { + pr_err("%s (%d): address too long: %s\n", + __func__, task_pid_nr(current), addr); +--- a/net/9p/trans_rdma.c ++++ b/net/9p/trans_rdma.c +@@ -623,6 +623,9 @@ rdma_create_trans(struct p9_client *clie + struct ib_qp_init_attr qp_attr; + struct ib_device_attr devattr; + ++ if (addr == NULL) ++ return -EINVAL; ++ + /* Parse the transport specific mount options */ + err = parse_opts(args, &opts); + if (err < 0) +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -617,6 +617,9 @@ p9_virtio_create(struct p9_client *clien + int ret = -ENOENT; + int found = 0; + ++ if (devname == NULL) ++ return -EINVAL; ++ + mutex_lock(&virtio_9p_lock); + list_for_each_entry(chan, &virtio_chan_list, chan_list) { + if (!strncmp(devname, chan->tag, chan->tag_len) && diff --git a/queue-3.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch b/queue-3.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch new file mode 100644 index 00000000000..71adaf47ff7 --- /dev/null +++ b/queue-3.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch @@ -0,0 +1,44 @@ +From 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 Mon Sep 17 00:00:00 2001 +From: jiangyiwen +Date: Fri, 3 Aug 2018 12:11:34 +0800 +Subject: 9p/virtio: fix off-by-one error in sg list bounds check + +From: jiangyiwen + +commit 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 upstream. + +Because the value of limit is VIRTQUEUE_NUM, if index is equal to +limit, it will cause sg array out of bounds, so correct the judgement +of BUG_ON. + +Link: http://lkml.kernel.org/r/5B63D5F6.6080109@huawei.com +Signed-off-by: Yiwen Jiang +Reported-By: Dan Carpenter +Acked-by: Jun Piao +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_virtio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -192,7 +192,7 @@ static int pack_sg_list(struct scatterli + s = rest_of_page(data); + if (s > count) + s = count; +- BUG_ON(index > limit); ++ BUG_ON(index >= limit); + /* Make sure we don't terminate early. */ + sg_unmark_end(&sg[index]); + sg_set_buf(&sg[index++], data, s); +@@ -238,6 +238,7 @@ pack_sg_list_p(struct scatterlist *sg, i + s = rest_of_page(data); + if (s > count) + s = count; ++ BUG_ON(index >= limit); + /* Make sure we don't terminate early. */ + sg_unmark_end(&sg[index]); + sg_set_page(&sg[index++], pdata[i++], s, data_off); diff --git a/queue-3.18/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch b/queue-3.18/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch new file mode 100644 index 00000000000..e2f63831b5b --- /dev/null +++ b/queue-3.18/dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch @@ -0,0 +1,53 @@ +From fd2fa95416188a767a63979296fa3e169a9ef5ec Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Thu, 2 Aug 2018 16:08:52 -0400 +Subject: dm cache metadata: save in-core policy_hint_size to on-disk superblock + +From: Mike Snitzer + +commit fd2fa95416188a767a63979296fa3e169a9ef5ec upstream. + +policy_hint_size starts as 0 during __write_initial_superblock(). It +isn't until the policy is loaded that policy_hint_size is set in-core +(cmd->policy_hint_size). But it never got recorded in the on-disk +superblock because __commit_transaction() didn't deal with transfering +the in-core cmd->policy_hint_size to the on-disk superblock. + +The in-core cmd->policy_hint_size gets initialized by metadata_open()'s +__begin_transaction_flags() which re-reads all superblock fields. +Because the superblock's policy_hint_size was never properly stored, when +the cache was created, hints_array_available() would always return false +when re-activating a previously created cache. This means +__load_mappings() always considered the hints invalid and never made use +of the hints (these hints served to optimize). + +Another detremental side-effect of this oversight is the cache_check +utility would fail with: "invalid hint width: 0" + +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-metadata.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -324,7 +324,7 @@ static int __write_initial_superblock(st + disk_super->version = cpu_to_le32(MAX_CACHE_VERSION); + memset(disk_super->policy_name, 0, sizeof(disk_super->policy_name)); + memset(disk_super->policy_version, 0, sizeof(disk_super->policy_version)); +- disk_super->policy_hint_size = 0; ++ disk_super->policy_hint_size = cpu_to_le32(0); + + __copy_sm_root(cmd, disk_super); + +@@ -635,6 +635,7 @@ static int __commit_transaction(struct d + disk_super->policy_version[0] = cpu_to_le32(cmd->policy_version[0]); + disk_super->policy_version[1] = cpu_to_le32(cmd->policy_version[1]); + disk_super->policy_version[2] = cpu_to_le32(cmd->policy_version[2]); ++ disk_super->policy_hint_size = cpu_to_le32(cmd->policy_hint_size); + + disk_super->read_hits = cpu_to_le32(cmd->stats.read_hits); + disk_super->read_misses = cpu_to_le32(cmd->stats.read_misses); diff --git a/queue-3.18/iio-ad9523-fix-displayed-phase.patch b/queue-3.18/iio-ad9523-fix-displayed-phase.patch new file mode 100644 index 00000000000..cbd676c5171 --- /dev/null +++ b/queue-3.18/iio-ad9523-fix-displayed-phase.patch @@ -0,0 +1,36 @@ +From 5a4e33c1c53ae7d4425f7d94e60e4458a37b349e Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Mon, 25 Jun 2018 11:03:07 +0300 +Subject: iio: ad9523: Fix displayed phase + +From: Lars-Peter Clausen + +commit 5a4e33c1c53ae7d4425f7d94e60e4458a37b349e upstream. + +Fix the displayed phase for the ad9523 driver. Currently the most +significant decimal place is dropped and all other digits are shifted one +to the left. This is due to a multiplication by 10, which is not necessary, +so remove it. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Alexandru Ardelean +Fixes: cd1678f9632 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/frequency/ad9523.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/frequency/ad9523.c ++++ b/drivers/iio/frequency/ad9523.c +@@ -641,7 +641,7 @@ static int ad9523_read_raw(struct iio_de + code = (AD9523_CLK_DIST_DIV_PHASE_REV(ret) * 3141592) / + AD9523_CLK_DIST_DIV_REV(ret); + *val = code / 1000000; +- *val2 = (code % 1000000) * 10; ++ *val2 = code % 1000000; + return IIO_VAL_INT_PLUS_MICRO; + default: + return -EINVAL; diff --git a/queue-3.18/iio-ad9523-fix-return-value-for-ad952x_store.patch b/queue-3.18/iio-ad9523-fix-return-value-for-ad952x_store.patch new file mode 100644 index 00000000000..7f79fc0a4f7 --- /dev/null +++ b/queue-3.18/iio-ad9523-fix-return-value-for-ad952x_store.patch @@ -0,0 +1,40 @@ +From 9a5094ca29ea9b1da301b31fd377c0c0c4c23034 Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Fri, 27 Jul 2018 09:42:45 +0300 +Subject: iio: ad9523: Fix return value for ad952x_store() + +From: Lars-Peter Clausen + +commit 9a5094ca29ea9b1da301b31fd377c0c0c4c23034 upstream. + +A sysfs write callback function needs to either return the number of +consumed characters or an error. + +The ad952x_store() function currently returns 0 if the input value was "0", +this will signal that no characters have been consumed and the function +will be called repeatedly in a loop indefinitely. Fix this by returning +number of supplied characters to indicate that the whole input string has +been consumed. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Alexandru Ardelean +Fixes: cd1678f96329 ("iio: frequency: New driver for AD9523 SPI Low Jitter Clock Generator") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/frequency/ad9523.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/frequency/ad9523.c ++++ b/drivers/iio/frequency/ad9523.c +@@ -507,7 +507,7 @@ static ssize_t ad9523_store(struct devic + return ret; + + if (!state) +- return 0; ++ return len; + + mutex_lock(&indio_dev->mlock); + switch ((u32)this_attr->address) { diff --git a/queue-3.18/kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch b/queue-3.18/kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch new file mode 100644 index 00000000000..54b6852611f --- /dev/null +++ b/queue-3.18/kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch @@ -0,0 +1,83 @@ +From 3e536e222f2930534c252c1cc7ae799c725c5ff9 Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Thu, 26 Jul 2018 09:15:39 +0200 +Subject: kthread, tracing: Don't expose half-written comm when creating kthreads + +From: Snild Dolkow + +commit 3e536e222f2930534c252c1cc7ae799c725c5ff9 upstream. + +There is a window for racing when printing directly to task->comm, +allowing other threads to see a non-terminated string. The vsnprintf +function fills the buffer, counts the truncated chars, then finally +writes the \0 at the end. + + creator other + vsnprintf: + fill (not terminated) + count the rest trace_sched_waking(p): + ... memcpy(comm, p->comm, TASK_COMM_LEN) + write \0 + +The consequences depend on how 'other' uses the string. In our case, +it was copied into the tracing system's saved cmdlines, a buffer of +adjacent TASK_COMM_LEN-byte buffers (note the 'n' where 0 should be): + + crash-arm64> x/1024s savedcmd->saved_cmdlines | grep 'evenk' + 0xffffffd5b3818640: "irq/497-pwr_evenkworker/u16:12" + +...and a strcpy out of there would cause stack corruption: + + [224761.522292] Kernel panic - not syncing: stack-protector: + Kernel stack is corrupted in: ffffff9bf9783c78 + + crash-arm64> kbt | grep 'comm\|trace_print_context' + #6 0xffffff9bf9783c78 in trace_print_context+0x18c(+396) + comm (char [16]) = "irq/497-pwr_even" + + crash-arm64> rd 0xffffffd4d0e17d14 8 + ffffffd4d0e17d14: 2f71726900000000 5f7277702d373934 ....irq/497-pwr_ + ffffffd4d0e17d24: 726f776b6e657665 3a3631752f72656b evenkworker/u16: + ffffffd4d0e17d34: f9780248ff003231 cede60e0ffffff9b 12..H.x......`.. + ffffffd4d0e17d44: cede60c8ffffffd4 00000fffffffffd4 .....`.......... + +The workaround in e09e28671 (use strlcpy in __trace_find_cmdline) was +likely needed because of this same bug. + +Solved by vsnprintf:ing to a local buffer, then using set_task_comm(). +This way, there won't be a window where comm is not terminated. + +Link: http://lkml.kernel.org/r/20180726071539.188015-1-snild@sony.com + +Cc: stable@vger.kernel.org +Fixes: bc0c38d139ec7 ("ftrace: latency tracer infrastructure") +Reviewed-by: Steven Rostedt (VMware) +Signed-off-by: Snild Dolkow +Signed-off-by: Steven Rostedt (VMware) +[backported to 3.18 / 4.4 by Snild] +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kthread.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -309,10 +309,16 @@ struct task_struct *kthread_create_on_no + task = create->result; + if (!IS_ERR(task)) { + static const struct sched_param param = { .sched_priority = 0 }; ++ char name[TASK_COMM_LEN]; + va_list args; + + va_start(args, namefmt); +- vsnprintf(task->comm, sizeof(task->comm), namefmt, args); ++ /* ++ * task is already visible to other tasks, so updating ++ * COMM must be protected. ++ */ ++ vsnprintf(name, sizeof(name), namefmt, args); ++ set_task_comm(task, name); + va_end(args); + /* + * root may have changed our (kthreadd's) priority or CPU mask. diff --git a/queue-3.18/net-9p-client.c-version-pointer-uninitialized.patch b/queue-3.18/net-9p-client.c-version-pointer-uninitialized.patch new file mode 100644 index 00000000000..981e1ac7823 --- /dev/null +++ b/queue-3.18/net-9p-client.c-version-pointer-uninitialized.patch @@ -0,0 +1,43 @@ +From 7913690dcc5e18e235769fd87c34143072f5dbea Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Tue, 10 Jul 2018 00:29:43 +0200 +Subject: net/9p/client.c: version pointer uninitialized + +From: Tomas Bortoli + +commit 7913690dcc5e18e235769fd87c34143072f5dbea upstream. + +The p9_client_version() does not initialize the version pointer. If the +call to p9pdu_readf() returns an error and version has not been allocated +in p9pdu_readf(), then the program will jump to the "error" label and will +try to free the version pointer. If version is not initialized, free() +will be called with uninitialized, garbage data and will provoke a crash. + +Link: http://lkml.kernel.org/r/20180709222943.19503-1-tomasbortoli@gmail.com +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com +Reviewed-by: Jun Piao +Reviewed-by: Yiwen Jiang +Cc: Eric Van Hensbergen +Cc: Ron Minnich +Cc: Latchesar Ionkov +Signed-off-by: Andrew Morton +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -938,7 +938,7 @@ static int p9_client_version(struct p9_c + { + int err = 0; + struct p9_req_t *req; +- char *version; ++ char *version = NULL; + int msize; + + p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n", diff --git a/queue-3.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch b/queue-3.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch new file mode 100644 index 00000000000..b54af0a98ce --- /dev/null +++ b/queue-3.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch @@ -0,0 +1,39 @@ +From 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Fri, 20 Jul 2018 11:27:30 +0200 +Subject: net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() + +From: Tomas Bortoli + +commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 upstream. + +The patch adds the flush in p9_mux_poll_stop() as it the function used by +p9_conn_destroy(), in turn called by p9_fd_close() to stop the async +polling associated with the data regarding the connection. + +Link: http://lkml.kernel.org/r/20180720092730.27104-1-tomasbortoli@gmail.com +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com +To: Eric Van Hensbergen +To: Ron Minnich +To: Latchesar Ionkov +Cc: Yiwen Jiang +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_fd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -185,6 +185,8 @@ static void p9_mux_poll_stop(struct p9_c + spin_lock_irqsave(&p9_poll_lock, flags); + list_del_init(&m->poll_pending_link); + spin_unlock_irqrestore(&p9_poll_lock, flags); ++ ++ flush_work(&p9_poll_work); + } + + /** diff --git a/queue-3.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch b/queue-3.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch new file mode 100644 index 00000000000..6e0c02cfc40 --- /dev/null +++ b/queue-3.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch @@ -0,0 +1,253 @@ +From 1bd6a1c4b80a28d975287630644e6b47d0f977a5 Mon Sep 17 00:00:00 2001 +From: Hari Bathini +Date: Tue, 7 Aug 2018 02:12:45 +0530 +Subject: powerpc/fadump: handle crash memory ranges array index overflow + +From: Hari Bathini + +commit 1bd6a1c4b80a28d975287630644e6b47d0f977a5 upstream. + +Crash memory ranges is an array of memory ranges of the crashing kernel +to be exported as a dump via /proc/vmcore file. The size of the array +is set based on INIT_MEMBLOCK_REGIONS, which works alright in most cases +where memblock memory regions count is less than INIT_MEMBLOCK_REGIONS +value. But this count can grow beyond INIT_MEMBLOCK_REGIONS value since +commit 142b45a72e22 ("memblock: Add array resizing support"). + +On large memory systems with a few DLPAR operations, the memblock memory +regions count could be larger than INIT_MEMBLOCK_REGIONS value. On such +systems, registering fadump results in crash or other system failures +like below: + + task: c00007f39a290010 ti: c00000000b738000 task.ti: c00000000b738000 + NIP: c000000000047df4 LR: c0000000000f9e58 CTR: c00000000010f180 + REGS: c00000000b73b570 TRAP: 0300 Tainted: G L X (4.4.140+) + MSR: 8000000000009033 CR: 22004484 XER: 20000000 + CFAR: c000000000008500 DAR: 000007a450000000 DSISR: 40000000 SOFTE: 0 + ... + NIP [c000000000047df4] smp_send_reschedule+0x24/0x80 + LR [c0000000000f9e58] resched_curr+0x138/0x160 + Call Trace: + resched_curr+0x138/0x160 (unreliable) + check_preempt_curr+0xc8/0xf0 + ttwu_do_wakeup+0x38/0x150 + try_to_wake_up+0x224/0x4d0 + __wake_up_common+0x94/0x100 + ep_poll_callback+0xac/0x1c0 + __wake_up_common+0x94/0x100 + __wake_up_sync_key+0x70/0xa0 + sock_def_readable+0x58/0xa0 + unix_stream_sendmsg+0x2dc/0x4c0 + sock_sendmsg+0x68/0xa0 + ___sys_sendmsg+0x2cc/0x2e0 + __sys_sendmsg+0x5c/0xc0 + SyS_socketcall+0x36c/0x3f0 + system_call+0x3c/0x100 + +as array index overflow is not checked for while setting up crash memory +ranges causing memory corruption. To resolve this issue, dynamically +allocate memory for crash memory ranges and resize it incrementally, +in units of pagesize, on hitting array size limit. + +Fixes: 2df173d9e85d ("fadump: Initialize elfcore header and add PT_LOAD program headers.") +Cc: stable@vger.kernel.org # v3.4+ +Signed-off-by: Hari Bathini +Reviewed-by: Mahesh Salgaonkar +[mpe: Just use PAGE_SIZE directly, fixup variable placement] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/fadump.h | 3 - + arch/powerpc/kernel/fadump.c | 91 ++++++++++++++++++++++++++++++++------ + 2 files changed, 77 insertions(+), 17 deletions(-) + +--- a/arch/powerpc/include/asm/fadump.h ++++ b/arch/powerpc/include/asm/fadump.h +@@ -194,9 +194,6 @@ struct fadump_crash_info_header { + struct cpumask cpu_online_mask; + }; + +-/* Crash memory ranges */ +-#define INIT_CRASHMEM_RANGES (INIT_MEMBLOCK_REGIONS + 2) +- + struct fad_crash_memory_ranges { + unsigned long long base; + unsigned long long size; +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -48,8 +48,10 @@ static struct fadump_mem_struct fdm; + static const struct fadump_mem_struct *fdm_active; + + static DEFINE_MUTEX(fadump_mutex); +-struct fad_crash_memory_ranges crash_memory_ranges[INIT_CRASHMEM_RANGES]; ++struct fad_crash_memory_ranges *crash_memory_ranges; ++int crash_memory_ranges_size; + int crash_mem_ranges; ++int max_crash_mem_ranges; + + /* Scan the Firmware Assisted dump configuration details. */ + int __init early_init_dt_scan_fw_dump(unsigned long node, +@@ -726,38 +728,88 @@ static int __init process_fadump(const s + return 0; + } + +-static inline void fadump_add_crash_memory(unsigned long long base, +- unsigned long long end) ++static void free_crash_memory_ranges(void) ++{ ++ kfree(crash_memory_ranges); ++ crash_memory_ranges = NULL; ++ crash_memory_ranges_size = 0; ++ max_crash_mem_ranges = 0; ++} ++ ++/* ++ * Allocate or reallocate crash memory ranges array in incremental units ++ * of PAGE_SIZE. ++ */ ++static int allocate_crash_memory_ranges(void) ++{ ++ struct fad_crash_memory_ranges *new_array; ++ u64 new_size; ++ ++ new_size = crash_memory_ranges_size + PAGE_SIZE; ++ pr_debug("Allocating %llu bytes of memory for crash memory ranges\n", ++ new_size); ++ ++ new_array = krealloc(crash_memory_ranges, new_size, GFP_KERNEL); ++ if (new_array == NULL) { ++ pr_err("Insufficient memory for setting up crash memory ranges\n"); ++ free_crash_memory_ranges(); ++ return -ENOMEM; ++ } ++ ++ crash_memory_ranges = new_array; ++ crash_memory_ranges_size = new_size; ++ max_crash_mem_ranges = (new_size / ++ sizeof(struct fad_crash_memory_ranges)); ++ return 0; ++} ++ ++static inline int fadump_add_crash_memory(unsigned long long base, ++ unsigned long long end) + { + if (base == end) +- return; ++ return 0; ++ ++ if (crash_mem_ranges == max_crash_mem_ranges) { ++ int ret; ++ ++ ret = allocate_crash_memory_ranges(); ++ if (ret) ++ return ret; ++ } + + pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n", + crash_mem_ranges, base, end - 1, (end - base)); + crash_memory_ranges[crash_mem_ranges].base = base; + crash_memory_ranges[crash_mem_ranges].size = end - base; + crash_mem_ranges++; ++ return 0; + } + +-static void fadump_exclude_reserved_area(unsigned long long start, ++static int fadump_exclude_reserved_area(unsigned long long start, + unsigned long long end) + { + unsigned long long ra_start, ra_end; ++ int ret = 0; + + ra_start = fw_dump.reserve_dump_area_start; + ra_end = ra_start + fw_dump.reserve_dump_area_size; + + if ((ra_start < end) && (ra_end > start)) { + if ((start < ra_start) && (end > ra_end)) { +- fadump_add_crash_memory(start, ra_start); +- fadump_add_crash_memory(ra_end, end); ++ ret = fadump_add_crash_memory(start, ra_start); ++ if (ret) ++ return ret; ++ ++ ret = fadump_add_crash_memory(ra_end, end); + } else if (start < ra_start) { +- fadump_add_crash_memory(start, ra_start); ++ ret = fadump_add_crash_memory(start, ra_start); + } else if (ra_end < end) { +- fadump_add_crash_memory(ra_end, end); ++ ret = fadump_add_crash_memory(ra_end, end); + } + } else +- fadump_add_crash_memory(start, end); ++ ret = fadump_add_crash_memory(start, end); ++ ++ return ret; + } + + static int fadump_init_elfcore_header(char *bufp) +@@ -793,10 +845,11 @@ static int fadump_init_elfcore_header(ch + * Traverse through memblock structure and setup crash memory ranges. These + * ranges will be used create PT_LOAD program headers in elfcore header. + */ +-static void fadump_setup_crash_memory_ranges(void) ++static int fadump_setup_crash_memory_ranges(void) + { + struct memblock_region *reg; + unsigned long long start, end; ++ int ret; + + pr_debug("Setup crash memory ranges.\n"); + crash_mem_ranges = 0; +@@ -807,7 +860,9 @@ static void fadump_setup_crash_memory_ra + * specified during fadump registration. We need to create a separate + * program header for this chunk with the correct offset. + */ +- fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size); ++ ret = fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size); ++ if (ret) ++ return ret; + + for_each_memblock(memory, reg) { + start = (unsigned long long)reg->base; +@@ -816,8 +871,12 @@ static void fadump_setup_crash_memory_ra + start = fw_dump.boot_memory_size; + + /* add this range excluding the reserved dump area. */ +- fadump_exclude_reserved_area(start, end); ++ ret = fadump_exclude_reserved_area(start, end); ++ if (ret) ++ return ret; + } ++ ++ return 0; + } + + /* +@@ -941,6 +1000,7 @@ static void register_fadump(void) + { + unsigned long addr; + void *vaddr; ++ int ret; + + /* + * If no memory is reserved then we can not register for firmware- +@@ -949,7 +1009,9 @@ static void register_fadump(void) + if (!fw_dump.reserve_dump_area_size) + return; + +- fadump_setup_crash_memory_ranges(); ++ ret = fadump_setup_crash_memory_ranges(); ++ if (ret) ++ return ret; + + addr = be64_to_cpu(fdm.rmr_region.destination_address) + be64_to_cpu(fdm.rmr_region.source_len); + /* Initialize fadump crash info header. */ +@@ -1028,6 +1090,7 @@ void fadump_cleanup(void) + } else if (fw_dump.dump_registered) { + /* Un-register Firmware-assisted dump if it was registered. */ + fadump_unregister_dump(&fdm); ++ free_crash_memory_ranges(); + } + } + diff --git a/queue-3.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch b/queue-3.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch new file mode 100644 index 00000000000..bf180cbc98b --- /dev/null +++ b/queue-3.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch @@ -0,0 +1,71 @@ +From cd813e1cd7122f2c261dce5b54d1e0c97f80e1a5 Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Tue, 7 Aug 2018 19:46:46 +0530 +Subject: powerpc/pseries: Fix endianness while restoring of r3 in MCE handler. + +From: Mahesh Salgaonkar + +commit cd813e1cd7122f2c261dce5b54d1e0c97f80e1a5 upstream. + +During Machine Check interrupt on pseries platform, register r3 points +RTAS extended event log passed by hypervisor. Since hypervisor uses r3 +to pass pointer to rtas log, it stores the original r3 value at the +start of the memory (first 8 bytes) pointed by r3. Since hypervisor +stores this info and rtas log is in BE format, linux should make +sure to restore r3 value in correct endian format. + +Without this patch when MCE handler, after recovery, returns to code that +that caused the MCE may end up with Data SLB access interrupt for invalid +address followed by kernel panic or hang. + + Severe Machine check interrupt [Recovered] + NIP [d00000000ca301b8]: init_module+0x1b8/0x338 [bork_kernel] + Initiator: CPU + Error type: SLB [Multihit] + Effective address: d00000000ca70000 + cpu 0xa: Vector: 380 (Data SLB Access) at [c0000000fc7775b0] + pc: c0000000009694c0: vsnprintf+0x80/0x480 + lr: c0000000009698e0: vscnprintf+0x20/0x60 + sp: c0000000fc777830 + msr: 8000000002009033 + dar: a803a30c000000d0 + current = 0xc00000000bc9ef00 + paca = 0xc00000001eca5c00 softe: 3 irq_happened: 0x01 + pid = 8860, comm = insmod + vscnprintf+0x20/0x60 + vprintk_emit+0xb4/0x4b0 + vprintk_func+0x5c/0xd0 + printk+0x38/0x4c + init_module+0x1c0/0x338 [bork_kernel] + do_one_initcall+0x54/0x230 + do_init_module+0x8c/0x248 + load_module+0x12b8/0x15b0 + sys_finit_module+0xa8/0x110 + system_call+0x58/0x6c + --- Exception: c00 (System Call) at 00007fff8bda0644 + SP (7fffdfbfe980) is in userspace + +This patch fixes this issue. + +Fixes: a08a53ea4c97 ("powerpc/le: Enable RTAS events support") +Cc: stable@vger.kernel.org # v3.15+ +Reviewed-by: Nicholas Piggin +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/ras.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -298,7 +298,7 @@ static struct rtas_error_log *fwnmi_get_ + } + + savep = __va(regs->gpr[3]); +- regs->gpr[3] = savep[0]; /* restore original r3 */ ++ regs->gpr[3] = be64_to_cpu(savep[0]); /* restore original r3 */ + + /* If it isn't an extended log we can use the per cpu 64bit buffer */ + h = (struct rtas_error_log *)&savep[1]; diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..4feca2fe52d --- /dev/null +++ b/queue-3.18/series @@ -0,0 +1,15 @@ +spi-davinci-fix-a-null-pointer-dereference.patch +powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch +powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch +9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch +net-9p-client.c-version-pointer-uninitialized.patch +net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch +dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch +uart-fix-race-between-uart_put_char-and-uart_shutdown.patch +iio-ad9523-fix-displayed-phase.patch +iio-ad9523-fix-return-value-for-ad952x_store.patch +tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch +tracing-blktrace-fix-to-allow-setting-same-value.patch +kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch +uprobes-use-synchronize_rcu-not-synchronize_sched.patch +9p-fix-multiple-null-pointer-dereferences.patch diff --git a/queue-3.18/spi-davinci-fix-a-null-pointer-dereference.patch b/queue-3.18/spi-davinci-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..aa85e3c219c --- /dev/null +++ b/queue-3.18/spi-davinci-fix-a-null-pointer-dereference.patch @@ -0,0 +1,32 @@ +From 563a53f3906a6b43692498e5b3ae891fac93a4af Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 10 Aug 2018 11:13:52 +0200 +Subject: spi: davinci: fix a NULL pointer dereference + +From: Bartosz Golaszewski + +commit 563a53f3906a6b43692498e5b3ae891fac93a4af upstream. + +On non-OF systems spi->controlled_data may be NULL. This causes a NULL +pointer derefence on dm365-evm. + +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-davinci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-davinci.c ++++ b/drivers/spi/spi-davinci.c +@@ -230,7 +230,7 @@ static void davinci_spi_chipselect(struc + } + + /* program delay transfers if tx_delay is non zero */ +- if (spicfg->wdelay) ++ if (spicfg && spicfg->wdelay) + spidat1 |= SPIDAT1_WDEL; + + /* diff --git a/queue-3.18/tracing-blktrace-fix-to-allow-setting-same-value.patch b/queue-3.18/tracing-blktrace-fix-to-allow-setting-same-value.patch new file mode 100644 index 00000000000..6436504f236 --- /dev/null +++ b/queue-3.18/tracing-blktrace-fix-to-allow-setting-same-value.patch @@ -0,0 +1,63 @@ +From 757d9140072054528b13bbe291583d9823cde195 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 16 Aug 2018 16:08:37 -0400 +Subject: tracing/blktrace: Fix to allow setting same value + +From: Steven Rostedt (VMware) + +commit 757d9140072054528b13bbe291583d9823cde195 upstream. + +Masami Hiramatsu reported: + + Current trace-enable attribute in sysfs returns an error + if user writes the same setting value as current one, + e.g. + + # cat /sys/block/sda/trace/enable + 0 + # echo 0 > /sys/block/sda/trace/enable + bash: echo: write error: Invalid argument + # echo 1 > /sys/block/sda/trace/enable + # echo 1 > /sys/block/sda/trace/enable + bash: echo: write error: Device or resource busy + + But this is not a preferred behavior, it should ignore + if new setting is same as current one. This fixes the + problem as below. + + # cat /sys/block/sda/trace/enable + 0 + # echo 0 > /sys/block/sda/trace/enable + # echo 1 > /sys/block/sda/trace/enable + # echo 1 > /sys/block/sda/trace/enable + +Link: http://lkml.kernel.org/r/20180816103802.08678002@gandalf.local.home + +Cc: Ingo Molnar +Cc: Jens Axboe +Cc: linux-block@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: cd649b8bb830d ("blktrace: remove sysfs_blk_trace_enable_show/store()") +Reported-by: Masami Hiramatsu +Tested-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/blktrace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1734,6 +1734,10 @@ static ssize_t sysfs_blk_trace_attr_stor + mutex_lock(&bdev->bd_mutex); + + if (attr == &dev_attr_enable) { ++ if (!!value == !!q->blk_trace) { ++ ret = 0; ++ goto out_unlock_bdev; ++ } + if (value) + ret = blk_trace_setup_queue(q, bdev); + else diff --git a/queue-3.18/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch b/queue-3.18/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch new file mode 100644 index 00000000000..9919f7730f7 --- /dev/null +++ b/queue-3.18/tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch @@ -0,0 +1,41 @@ +From f143641bfef9a4a60c57af30de26c63057e7e695 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 1 Aug 2018 15:40:57 -0400 +Subject: tracing: Do not call start/stop() functions when tracing_on does not change + +From: Steven Rostedt (VMware) + +commit f143641bfef9a4a60c57af30de26c63057e7e695 upstream. + +Currently, when one echo's in 1 into tracing_on, the current tracer's +"start()" function is executed, even if tracing_on was already one. This can +lead to strange side effects. One being that if the hwlat tracer is enabled, +and someone does "echo 1 > tracing_on" into tracing_on, the hwlat tracer's +start() function is called again which will recreate another kernel thread, +and make it unable to remove the old one. + +Link: http://lkml.kernel.org/r/1533120354-22923-1-git-send-email-erica.bugden@linutronix.de + +Cc: stable@vger.kernel.org +Fixes: 2df8f8a6a897e ("tracing: Fix regression with irqsoff tracer and tracing_on file") +Reported-by: Erica Bugden +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6209,7 +6209,9 @@ rb_simple_write(struct file *filp, const + + if (buffer) { + mutex_lock(&trace_types_lock); +- if (val) { ++ if (!!val == tracer_tracing_is_on(tr)) { ++ val = 0; /* do nothing */ ++ } else if (val) { + tracer_tracing_on(tr); + if (tr->current_trace->start) + tr->current_trace->start(tr); diff --git a/queue-3.18/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch b/queue-3.18/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch new file mode 100644 index 00000000000..8d255a30f4f --- /dev/null +++ b/queue-3.18/uart-fix-race-between-uart_put_char-and-uart_shutdown.patch @@ -0,0 +1,186 @@ +From a5ba1d95e46ecaea638ddd7cd144107c783acb5d Mon Sep 17 00:00:00 2001 +From: Tycho Andersen +Date: Fri, 6 Jul 2018 10:24:57 -0600 +Subject: uart: fix race between uart_put_char() and uart_shutdown() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tycho Andersen + +commit a5ba1d95e46ecaea638ddd7cd144107c783acb5d upstream. + +We have reports of the following crash: + + PID: 7 TASK: ffff88085c6d61c0 CPU: 1 COMMAND: "kworker/u25:0" + #0 [ffff88085c6db710] machine_kexec at ffffffff81046239 + #1 [ffff88085c6db760] crash_kexec at ffffffff810fc248 + #2 [ffff88085c6db830] oops_end at ffffffff81008ae7 + #3 [ffff88085c6db860] no_context at ffffffff81050b8f + #4 [ffff88085c6db8b0] __bad_area_nosemaphore at ffffffff81050d75 + #5 [ffff88085c6db900] bad_area_nosemaphore at ffffffff81050e83 + #6 [ffff88085c6db910] __do_page_fault at ffffffff8105132e + #7 [ffff88085c6db9b0] do_page_fault at ffffffff8105152c + #8 [ffff88085c6db9c0] page_fault at ffffffff81a3f122 + [exception RIP: uart_put_char+149] + RIP: ffffffff814b67b5 RSP: ffff88085c6dba78 RFLAGS: 00010006 + RAX: 0000000000000292 RBX: ffffffff827c5120 RCX: 0000000000000081 + RDX: 0000000000000000 RSI: 000000000000005f RDI: ffffffff827c5120 + RBP: ffff88085c6dba98 R8: 000000000000012c R9: ffffffff822ea320 + R10: ffff88085fe4db04 R11: 0000000000000001 R12: ffff881059f9c000 + R13: 0000000000000001 R14: 000000000000005f R15: 0000000000000fba + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #9 [ffff88085c6dbaa0] tty_put_char at ffffffff81497544 + #10 [ffff88085c6dbac0] do_output_char at ffffffff8149c91c + #11 [ffff88085c6dbae0] __process_echoes at ffffffff8149cb8b + #12 [ffff88085c6dbb30] commit_echoes at ffffffff8149cdc2 + #13 [ffff88085c6dbb60] n_tty_receive_buf_fast at ffffffff8149e49b + #14 [ffff88085c6dbbc0] __receive_buf at ffffffff8149ef5a + #15 [ffff88085c6dbc20] n_tty_receive_buf_common at ffffffff8149f016 + #16 [ffff88085c6dbca0] n_tty_receive_buf2 at ffffffff8149f194 + #17 [ffff88085c6dbcb0] flush_to_ldisc at ffffffff814a238a + #18 [ffff88085c6dbd50] process_one_work at ffffffff81090be2 + #19 [ffff88085c6dbe20] worker_thread at ffffffff81091b4d + #20 [ffff88085c6dbeb0] kthread at ffffffff81096384 + #21 [ffff88085c6dbf50] ret_from_fork at ffffffff81a3d69f​ + +after slogging through some dissasembly: + +ffffffff814b6720 : +ffffffff814b6720: 55 push %rbp +ffffffff814b6721: 48 89 e5 mov %rsp,%rbp +ffffffff814b6724: 48 83 ec 20 sub $0x20,%rsp +ffffffff814b6728: 48 89 1c 24 mov %rbx,(%rsp) +ffffffff814b672c: 4c 89 64 24 08 mov %r12,0x8(%rsp) +ffffffff814b6731: 4c 89 6c 24 10 mov %r13,0x10(%rsp) +ffffffff814b6736: 4c 89 74 24 18 mov %r14,0x18(%rsp) +ffffffff814b673b: e8 b0 8e 58 00 callq ffffffff81a3f5f0 +ffffffff814b6740: 4c 8b a7 88 02 00 00 mov 0x288(%rdi),%r12 +ffffffff814b6747: 45 31 ed xor %r13d,%r13d +ffffffff814b674a: 41 89 f6 mov %esi,%r14d +ffffffff814b674d: 49 83 bc 24 70 01 00 cmpq $0x0,0x170(%r12) +ffffffff814b6754: 00 00 +ffffffff814b6756: 49 8b 9c 24 80 01 00 mov 0x180(%r12),%rbx +ffffffff814b675d: 00 +ffffffff814b675e: 74 2f je ffffffff814b678f +ffffffff814b6760: 48 89 df mov %rbx,%rdi +ffffffff814b6763: e8 a8 67 58 00 callq ffffffff81a3cf10 <_raw_spin_lock_irqsave> +ffffffff814b6768: 41 8b 8c 24 78 01 00 mov 0x178(%r12),%ecx +ffffffff814b676f: 00 +ffffffff814b6770: 89 ca mov %ecx,%edx +ffffffff814b6772: f7 d2 not %edx +ffffffff814b6774: 41 03 94 24 7c 01 00 add 0x17c(%r12),%edx +ffffffff814b677b: 00 +ffffffff814b677c: 81 e2 ff 0f 00 00 and $0xfff,%edx +ffffffff814b6782: 75 23 jne ffffffff814b67a7 +ffffffff814b6784: 48 89 c6 mov %rax,%rsi +ffffffff814b6787: 48 89 df mov %rbx,%rdi +ffffffff814b678a: e8 e1 64 58 00 callq ffffffff81a3cc70 <_raw_spin_unlock_irqrestore> +ffffffff814b678f: 44 89 e8 mov %r13d,%eax +ffffffff814b6792: 48 8b 1c 24 mov (%rsp),%rbx +ffffffff814b6796: 4c 8b 64 24 08 mov 0x8(%rsp),%r12 +ffffffff814b679b: 4c 8b 6c 24 10 mov 0x10(%rsp),%r13 +ffffffff814b67a0: 4c 8b 74 24 18 mov 0x18(%rsp),%r14 +ffffffff814b67a5: c9 leaveq +ffffffff814b67a6: c3 retq +ffffffff814b67a7: 49 8b 94 24 70 01 00 mov 0x170(%r12),%rdx +ffffffff814b67ae: 00 +ffffffff814b67af: 48 63 c9 movslq %ecx,%rcx +ffffffff814b67b2: 41 b5 01 mov $0x1,%r13b +ffffffff814b67b5: 44 88 34 0a mov %r14b,(%rdx,%rcx,1) +ffffffff814b67b9: 41 8b 94 24 78 01 00 mov 0x178(%r12),%edx +ffffffff814b67c0: 00 +ffffffff814b67c1: 83 c2 01 add $0x1,%edx +ffffffff814b67c4: 81 e2 ff 0f 00 00 and $0xfff,%edx +ffffffff814b67ca: 41 89 94 24 78 01 00 mov %edx,0x178(%r12) +ffffffff814b67d1: 00 +ffffffff814b67d2: eb b0 jmp ffffffff814b6784 +ffffffff814b67d4: 66 66 66 2e 0f 1f 84 data32 data32 nopw %cs:0x0(%rax,%rax,1) +ffffffff814b67db: 00 00 00 00 00 + +for our build, this is crashing at: + + circ->buf[circ->head] = c; + +Looking in uart_port_startup(), it seems that circ->buf (state->xmit.buf) +protected by the "per-port mutex", which based on uart_port_check() is +state->port.mutex. Indeed, the lock acquired in uart_put_char() is +uport->lock, i.e. not the same lock. + +Anyway, since the lock is not acquired, if uart_shutdown() is called, the +last chunk of that function may release state->xmit.buf before its assigned +to null, and cause the race above. + +To fix it, let's lock uport->lock when allocating/deallocating +state->xmit.buf in addition to the per-port mutex. + +v2: switch to locking uport->lock on allocation/deallocation instead of + locking the per-port mutex in uart_put_char. Note that since + uport->lock is a spin lock, we have to switch the allocation to + GFP_ATOMIC. +v3: move the allocation outside the lock, so we can switch back to + GFP_KERNEL + +Signed-off-by: Tycho Andersen +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/serial_core.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -136,6 +136,7 @@ static int uart_port_startup(struct tty_ + { + struct uart_port *uport = state->uart_port; + unsigned long page; ++ unsigned long flags = 0; + int retval = 0; + + if (uport->type == PORT_UNKNOWN) +@@ -150,15 +151,18 @@ static int uart_port_startup(struct tty_ + * Initialise and allocate the transmit and temporary + * buffer. + */ +- if (!state->xmit.buf) { +- /* This is protected by the per port mutex */ +- page = get_zeroed_page(GFP_KERNEL); +- if (!page) +- return -ENOMEM; ++ page = get_zeroed_page(GFP_KERNEL); ++ if (!page) ++ return -ENOMEM; + ++ uart_port_lock(state, flags); ++ if (!state->xmit.buf) { + state->xmit.buf = (unsigned char *) page; + uart_circ_clear(&state->xmit); ++ } else { ++ free_page(page); + } ++ uart_port_unlock(uport, flags); + + retval = uport->ops->startup(uport); + if (retval == 0) { +@@ -234,6 +238,7 @@ static void uart_shutdown(struct tty_str + { + struct uart_port *uport = state->uart_port; + struct tty_port *port = &state->port; ++ unsigned long flags = 0; + + /* + * Set the TTY IO error marker +@@ -264,10 +269,12 @@ static void uart_shutdown(struct tty_str + /* + * Free the transmit buffer page. + */ ++ uart_port_lock(state, flags); + if (state->xmit.buf) { + free_page((unsigned long)state->xmit.buf); + state->xmit.buf = NULL; + } ++ uart_port_unlock(uport, flags); + } + + /** diff --git a/queue-3.18/uprobes-use-synchronize_rcu-not-synchronize_sched.patch b/queue-3.18/uprobes-use-synchronize_rcu-not-synchronize_sched.patch new file mode 100644 index 00000000000..352626ed20d --- /dev/null +++ b/queue-3.18/uprobes-use-synchronize_rcu-not-synchronize_sched.patch @@ -0,0 +1,39 @@ +From 016f8ffc48cb01d1e7701649c728c5d2e737d295 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Thu, 9 Aug 2018 15:37:59 -0400 +Subject: uprobes: Use synchronize_rcu() not synchronize_sched() + +From: Steven Rostedt (VMware) + +commit 016f8ffc48cb01d1e7701649c728c5d2e737d295 upstream. + +While debugging another bug, I was looking at all the synchronize*() +functions being used in kernel/trace, and noticed that trace_uprobes was +using synchronize_sched(), with a comment to synchronize with +{u,ret}_probe_trace_func(). When looking at those functions, the data is +protected with "rcu_read_lock()" and not with "rcu_read_lock_sched()". This +is using the wrong synchronize_*() function. + +Link: http://lkml.kernel.org/r/20180809160553.469e1e32@gandalf.local.home + +Cc: stable@vger.kernel.org +Fixes: 70ed91c6ec7f8 ("tracing/uprobes: Support ftrace_event_file base multibuffer") +Acked-by: Oleg Nesterov +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_uprobe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -957,7 +957,7 @@ probe_event_disable(struct trace_uprobe + + list_del_rcu(&link->list); + /* synchronize with u{,ret}probe_trace_func */ +- synchronize_sched(); ++ synchronize_rcu(); + kfree(link); + + if (!list_empty(&tu->tp.files)) diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..f07af3cc30e --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,51 @@ +net-6lowpan-fix-reserved-space-for-single-frames.patch +net-mac802154-tx-expand-tailroom-if-necessary.patch +9p-net-fix-zero-copy-path-in-the-9p-virtio-transport.patch +spi-davinci-fix-a-null-pointer-dereference.patch +spi-pxa2xx-add-support-for-intel-ice-lake.patch +spi-spi-fsl-dspi-fix-imprecise-abort-on-vf500-during-probe.patch +spi-cadence-change-usleep_range-to-udelay-for-atomic-context.patch +mmc-renesas_sdhi_internal_dmac-fix-define-rst_reserved_bits.patch +readahead-stricter-check-for-bdi-io_pages.patch +block-blk_init_allocated_queue-set-q-fq-as-null-in-the-fail-case.patch +block-really-disable-runtime-pm-for-blk-mq.patch +drm-i915-userptr-reject-zero-user_size.patch +libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch +media-revert-tvp5150-fix-pad-format-frame-height.patch +mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch +replace-magic-for-trusting-the-secondary-keyring-with-define.patch +fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch +powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch +powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch +powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch +cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch +ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch +rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch +9p-fix-multiple-null-pointer-dereferences.patch +fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch +9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch +net-9p-client.c-version-pointer-uninitialized.patch +net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch +dm-integrity-change-suspending-variable-from-bool-to-int.patch +dm-thin-stop-no_space_timeout-worker-when-switching-to-write-mode.patch +dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch +dm-cache-metadata-set-dirty-on-all-cache-blocks-after-a-crash.patch +dm-crypt-don-t-decrease-device-limits.patch +uart-fix-race-between-uart_put_char-and-uart_shutdown.patch +drivers-hv-vmbus-reset-the-channel-callback-in-vmbus_onoffer_rescind.patch +iio-sca3000-fix-missing-return-in-switch.patch +iio-ad9523-fix-displayed-phase.patch +iio-ad9523-fix-return-value-for-ad952x_store.patch +extcon-release-locking-when-sending-the-notification-of-connector-state.patch +vmw_balloon-fix-inflation-of-64-bit-gfns.patch +vmw_balloon-do-not-use-2mb-without-batching.patch +vmw_balloon-vmci_doorbell_set-does-not-check-status.patch +vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch +rtc-omap-fix-potential-crash-on-power-off.patch +tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch +tracing-blktrace-fix-to-allow-setting-same-value.patch +printk-tracing-do-not-trace-printk_nmi_enter.patch +livepatch-validate-module-old-func-name-length.patch +uprobes-use-synchronize_rcu-not-synchronize_sched.patch +mfd-hi655x-fix-regmap-area-declared-size-for-hi655x.patch +ovl-fix-wrong-use-of-impure-dir-cache-in-ovl_iterate.patch diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..364a9fbce67 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,26 @@ +net-6lowpan-fix-reserved-space-for-single-frames.patch +net-mac802154-tx-expand-tailroom-if-necessary.patch +9p-net-fix-zero-copy-path-in-the-9p-virtio-transport.patch +net-lan78xx-fix-misplaced-tasklet_schedule-call.patch +spi-davinci-fix-a-null-pointer-dereference.patch +drm-i915-userptr-reject-zero-user_size.patch +powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch +powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch +fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch +9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch +net-9p-client.c-version-pointer-uninitialized.patch +net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch +x86-mm-pat-fix-l1tf-stable-backport-for-cpa-2nd-call.patch +dm-cache-metadata-save-in-core-policy_hint_size-to-on-disk-superblock.patch +uart-fix-race-between-uart_put_char-and-uart_shutdown.patch +iio-ad9523-fix-displayed-phase.patch +iio-ad9523-fix-return-value-for-ad952x_store.patch +vmw_balloon-fix-inflation-of-64-bit-gfns.patch +vmw_balloon-do-not-use-2mb-without-batching.patch +vmw_balloon-vmci_doorbell_set-does-not-check-status.patch +vmw_balloon-fix-vmci-use-when-balloon-built-into-kernel.patch +tracing-do-not-call-start-stop-functions-when-tracing_on-does-not-change.patch +tracing-blktrace-fix-to-allow-setting-same-value.patch +kthread-tracing-don-t-expose-half-written-comm-when-creating-kthreads.patch +uprobes-use-synchronize_rcu-not-synchronize_sched.patch +9p-fix-multiple-null-pointer-dereferences.patch -- 2.47.3