From 025d743a4f6f03acceed589ade505f551724ee42 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 5 Aug 2019 07:39:27 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
 s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch
 selinux-fix-memory-leak-in-policydb_init.patch
 xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch
---
 ...fter-read-unit-address-configuration.patch | 73 +++++++++++++++++++
 ...nux-fix-memory-leak-in-policydb_init.patch | 47 ++++++++++++
 queue-4.4/series | 3 +
 ...alling-xen_destroy_contiguous_region.patch | 44 +++++++++++
 4 files changed, 167 insertions(+)
 create mode 100644 queue-4.4/s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch
 create mode 100644 queue-4.4/selinux-fix-memory-leak-in-policydb_init.patch
 create mode 100644 queue-4.4/xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch

diff --git a/queue-4.4/s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch b/queue-4.4/s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch
new file mode 100644
index 00000000000..9d100f70948
--- /dev/null
+++ b/queue-4.4/s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch
@@ -0,0 +1,73 @@
+From 41995342b40c418a47603e1321256d2c4a2ed0fb Mon Sep 17 00:00:00 2001
+From: Stefan Haberland
+Date: Thu, 1 Aug 2019 13:06:30 +0200
+Subject: s390/dasd: fix endless loop after read unit address configuration
+
+From: Stefan Haberland
+
+commit 41995342b40c418a47603e1321256d2c4a2ed0fb upstream.
+
+After getting a storage server event that causes the DASD device driver
+to update its unit address configuration during a device shutdown there is
+the possibility of an endless loop in the device driver.
+
+In the system log there will be ongoing DASD error messages with RC: -19.
+
+The reason is that the loop starting the ruac request only terminates when
+the retry counter is decreased to 0. But in the sleep_on function there are
+early exit paths that do not decrease the retry counter.
+
+Prevent an endless loop by handling those cases separately.
+
+Remove the unnecessary do..while loop since the sleep_on function takes
+care of retries by itself.
+
+Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1")
+Cc: stable@vger.kernel.org # 2.6.25+
+Signed-off-by: Stefan Haberland
+Reviewed-by: Jan Hoeppner
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/block/dasd_alias.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/s390/block/dasd_alias.c
++++ b/drivers/s390/block/dasd_alias.c
+@@ -396,6 +396,20 @@ suborder_not_supported(struct dasd_ccw_r
+ char msg_format;
+ char msg_no;
+
++ /*
++ * intrc values ENODEV, ENOLINK and EPERM
++ * will be optained from sleep_on to indicate that no
++ * IO operation can be started
++ */
++ if (cqr->intrc == -ENODEV)
++ return 1;
++
++ if (cqr->intrc == -ENOLINK)
++ return 1;
++
++ if (cqr->intrc == -EPERM)
++ return 1;
++
+ sense = dasd_get_sense(&cqr->irb);
+ if (!sense)
+ return 0;
+@@ -460,12 +474,8 @@ static int read_unit_address_configurati
+ lcu->flags &= ~NEED_UAC_UPDATE;
+ spin_unlock_irqrestore(&lcu->lock, flags);
+
+- do {
+- rc = dasd_sleep_on(cqr);
+- if (rc && suborder_not_supported(cqr))
+- return -EOPNOTSUPP;
+- } while (rc && (cqr->retries > 0));
+- if (rc) {
++ rc = dasd_sleep_on(cqr);
++ if (rc && !suborder_not_supported(cqr)) {
+ spin_lock_irqsave(&lcu->lock, flags);
+ lcu->flags |= NEED_UAC_UPDATE;
+ spin_unlock_irqrestore(&lcu->lock, flags);
diff --git a/queue-4.4/selinux-fix-memory-leak-in-policydb_init.patch b/queue-4.4/selinux-fix-memory-leak-in-policydb_init.patch
new file mode 100644
index 00000000000..3fb4ad11fe5
--- /dev/null
+++ b/queue-4.4/selinux-fix-memory-leak-in-policydb_init.patch
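Review bot: In read_unit_address_configuration() the rewritten block no longer maps the `suborder_not_supported(cqr)` case to -EOPNOTSUPP: the removed loop had `return -EOPNOTSUPP;`, while the new `if (rc && !suborder_not_supported(cqr))` only skips setting NEED_UAC_UPDATE and leaves `rc` as whatever dasd_sleep_on() returned. The rest of the function and its callers are outside this hunk, so confirm that no caller in the 4.4 tree treats -EOPNOTSUPP specially (for example to stop rescheduling the update); if one does, keep the mapping with `if (rc && suborder_not_supported(cqr)) rc = -EOPNOTSUPP;` placed ahead of an `else if (rc)` retry branch. The same concern covers the new -ENODEV, -ENOLINK and -EPERM early returns in suborder_not_supported(), whose comment also misspells "obtained" as "optained".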
@@ -0,0 +1,47 @@
+From 45385237f65aeee73641f1ef737d7273905a233f Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Thu, 25 Jul 2019 12:52:43 +0200
+Subject: selinux: fix memory leak in policydb_init()
+
+From: Ondrej Mosnacek
+
+commit 45385237f65aeee73641f1ef737d7273905a233f upstream.
+
+Since roles_init() adds some entries to the role hash table, we need to
+destroy also its keys/values on error, otherwise we get a memory leak in
+the error path.
+
+Cc:
+Reported-by: syzbot+fee3a14d4cdf92646287@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ondrej Mosnacek
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/selinux/ss/policydb.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -266,6 +266,8 @@ static int rangetr_cmp(struct hashtab *h
+ return v;
+ }
+
++static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap);
++
+ /*
+ * Initialize a policy database structure.
+ */
+@@ -313,8 +315,10 @@ static int policydb_init(struct policydb
+ out:
+ hashtab_destroy(p->filename_trans);
+ hashtab_destroy(p->range_tr);
+- for (i = 0; i < SYM_NUM; i++)
++ for (i = 0; i < SYM_NUM; i++) {
++ hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
+ hashtab_destroy(p->symtab[i].table);
++ }
+ return rc;
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 005c5641bd3..80fad8527fc 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -17,3 +17,6 @@ coda-fix-build-using-bare-metal-toolchain.patch
 uapi-linux-coda_psdev.h-move-upc_req-definition-from.patch
 ipc-mqueue.c-only-perform-resource-calculation-if-us.patch
 x86-kvm-don-t-call-kvm_spurious_fault-from-.fixup.patch
+selinux-fix-memory-leak-in-policydb_init.patch
+s390-dasd-fix-endless-loop-after-read-unit-address-configuration.patch
+xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch
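Review bot: The new `hashtab_map(p->symtab[i].table, destroy_f[i], NULL)` call in the `out:` loop of policydb_init() runs for every index below SYM_NUM, including tables that were never set up before the failure, so it is only safe if `p` was zeroed beforehand and hashtab_map() returns early on a NULL table; neither is visible in this hunk and both should be confirmed against the 4.4 tree. The added `static int (*destroy_f[SYM_NUM]) (...)` line is a tentative definition that depends on the initialised array further down the file, and if that definition were absent or differently sized in this branch the loop would call through NULL pointers. A short comment such as `/* forward declaration; initialised below, used by the policydb_init() error path */` would make the dependency explicit. policydb_init() starts outside the hunk.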
diff --git a/queue-4.4/xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch b/queue-4.4/xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch
new file mode 100644
index 00000000000..ab0ba7c85c7
--- /dev/null
+++ b/queue-4.4/xen-swiotlb-fix-condition-for-calling-xen_destroy_contiguous_region.patch
@@ -0,0 +1,44 @@
+From 50f6393f9654c561df4cdcf8e6cfba7260143601 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Fri, 14 Jun 2019 07:46:02 +0200
+Subject: xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
+
+From: Juergen Gross
+
+commit 50f6393f9654c561df4cdcf8e6cfba7260143601 upstream.
+
+The condition in xen_swiotlb_free_coherent() for deciding whether to
+call xen_destroy_contiguous_region() is wrong: in case the region to
+be freed is not contiguous calling xen_destroy_contiguous_region() is
+the wrong thing to do: it would result in inconsistent mappings of
+multiple PFNs to the same MFN. This will lead to various strange
+crashes or data corruption.
+
+Instead of calling xen_destroy_contiguous_region() in that case a
+warning should be issued as that situation should never occur.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross
+Reviewed-by: Boris Ostrovsky
+Reviewed-by: Jan Beulich
+Acked-by: Konrad Rzeszutek Wilk
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/swiotlb-xen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -365,8 +365,8 @@ xen_swiotlb_free_coherent(struct device
+ /* Convert the size to actually allocated. */
+ size = 1UL << (order + XEN_PAGE_SHIFT);
+
+- if (((dev_addr + size - 1 <= dma_mask)) ||
+- range_straddles_page_boundary(phys, size))
++ if (!WARN_ON((dev_addr + size - 1 > dma_mask) ||
++ range_straddles_page_boundary(phys, size)))
+ xen_destroy_contiguous_region(phys, order);
+
+ xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs);
--
2.47.3
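Review bot: The new test in xen_swiotlb_free_coherent() still decides whether to call `xen_destroy_contiguous_region(phys, order)` from the address range alone (`dev_addr + size - 1 > dma_mask`, `range_straddles_page_boundary(phys, size)`), not from any record that the allocation path actually made the region contiguous. The allocation side is outside this hunk, so confirm in the 4.4 tree that the two conditions mirror each other; otherwise a region that never went through the exchange could still reach the destroy call. Because the check sits inside `WARN_ON(...)`, every mismatching free emits a full backtrace; if repeated triggers are possible, `WARN_ON_ONCE` would bound the log volume. A one-line comment above the `if`, e.g. `/* only undo the exchange for regions that fit the mask and are contiguous */`, would record why the destroy call is skipped. The function body starts and ends outside the hunk.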