From 10ab6f3d774fc095f81d5e9004a4311f780bfcc0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 27 Apr 2018 14:20:32 +0200
Subject: [PATCH] 4.4-stable patches
added patches:
cdrom-information-leak-in-cdrom_ioctl_media_changed.patch
s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch
s390-uprobes-implement-arch_uretprobe_is_alive.patch
scsi-mptsas-disable-write-same.patch
---
...on-leak-in-cdrom_ioctl_media_changed.patch | 36 ++++++++++++
...r-after-resource-accessibility-event.patch | 56 +++++++++++++++++++
...es-implement-arch_uretprobe_is_alive.patch | 46 +++++++++++++++
.../scsi-mptsas-disable-write-same.patch | 31 ++++++++++
queue-4.4/series | 4 ++
5 files changed, 173 insertions(+)
create mode 100644 queue-4.4/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch
create mode 100644 queue-4.4/s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch
create mode 100644 queue-4.4/s390-uprobes-implement-arch_uretprobe_is_alive.patch
create mode 100644 queue-4.4/scsi-mptsas-disable-write-same.patch
diff --git a/queue-4.4/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch b/queue-4.4/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch
new file mode 100644
index 00000000000..88d8a9bea91
--- /dev/null
+++ b/queue-4.4/cdrom-information-leak-in-cdrom_ioctl_media_changed.patch
@@ -0,0 +1,36 @@
+From 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 18 Apr 2018 12:51:31 +0300
+Subject: cdrom: information leak in cdrom_ioctl_media_changed()
+
+From: Dan Carpenter
+
+commit 9de4ee40547fd315d4a0ed1dd15a2fa3559ad707 upstream.
+
+This cast is wrong. "cdi->capacity" is an int and "arg" is an unsigned
+long. The way the check is written now, if one of the high 32 bits is
+set then we could read outside the info->slots[] array.
+
+This bug is pretty old and it predates git.
+
+Reviewed-by: Christoph Hellwig
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2358,7 +2358,7 @@ static int cdrom_ioctl_media_changed(str
+ if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
+ return media_changed(cdi, 1);
+
+- if ((unsigned int)arg >= cdi->capacity)
++ if (arg >= cdi->capacity)
+ return -EINVAL;
+
+ info = kmalloc(sizeof(*info), GFP_KERNEL);
diff --git a/queue-4.4/s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch b/queue-4.4/s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch
new file mode 100644
index 00000000000..b63e9617b42
--- /dev/null
+++ b/queue-4.4/s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch
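Review bot: The corrected bounds check `if (arg >= cdi->capacity)` in cdrom_ioctl_media_changed() carries no comment saying why the cast must not come back, so a later "type-matching" cleanup could reintroduce the truncation; a line such as `/* arg is unsigned long: compare at full width so set high bits cannot pass the slots[] bound */` above the check would record it. The comparison also depends on `cdi->capacity` (an int, per the commit message) never being negative, because it is converted to unsigned long here and a negative value would let every `arg` through; that is presumably guaranteed when the device is registered, but it is not visible in this hunk. Other handlers in drivers/cdrom/cdrom.c that bound a user-supplied `arg` against `cdi->capacity` are worth checking for the same truncating cast. The function body continues outside the hunk.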
@@ -0,0 +1,56 @@
+From af2e460ade0b0180d0f3812ca4f4f59cc9597f3e Mon Sep 17 00:00:00 2001
+From: Sebastian Ott
+Date: Wed, 11 Apr 2018 11:21:17 +0200
+Subject: s390/cio: update chpid descriptor after resource accessibility event
+
+From: Sebastian Ott
+
+commit af2e460ade0b0180d0f3812ca4f4f59cc9597f3e upstream.
+
+Channel path descriptors have been seen as something stable (as
+long as the chpid is configured). Recent tests have shown that the
+descriptor can also be altered when the link state of a channel path
+changes. Thus it is necessary to update the descriptor during
+handling of resource accessibility events.
+
+Cc:
+Signed-off-by: Sebastian Ott
+Reviewed-by: Peter Oberparleiter
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/cio/chsc.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/cio/chsc.c
++++ b/drivers/s390/cio/chsc.c
+@@ -451,6 +451,7 @@ static void chsc_process_sei_link_incide
+
+ static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area)
+ {
++ struct channel_path *chp;
+ struct chp_link link;
+ struct chp_id chpid;
+ int status;
+@@ -463,10 +464,17 @@ static void chsc_process_sei_res_acc(str
+ chpid.id = sei_area->rsid;
+ /* allocate a new channel path structure, if needed */
+ status = chp_get_status(chpid);
+- if (status < 0)
+- chp_new(chpid);
+- else if (!status)
++ if (!status)
+ return;
++
++ if (status < 0) {
++ chp_new(chpid);
++ } else {
++ chp = chpid_to_chp(chpid);
++ mutex_lock(&chp->lock);
++ chp_update_desc(chp);
++ mutex_unlock(&chp->lock);
++ }
+ memset(&link, 0, sizeof(struct chp_link));
+ link.chpid = chpid;
+ if ((sei_area->vf & 0xc0) != 0) {
diff --git a/queue-4.4/s390-uprobes-implement-arch_uretprobe_is_alive.patch b/queue-4.4/s390-uprobes-implement-arch_uretprobe_is_alive.patch
new file mode 100644
index 00000000000..1708b553960
--- /dev/null
+++ b/queue-4.4/s390-uprobes-implement-arch_uretprobe_is_alive.patch
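Review bot: In the new `else` branch of chsc_process_sei_res_acc(), the pointer returned by `chpid_to_chp(chpid)` is dereferenced for `&chp->lock` without a NULL check, so safety rests on `chp_get_status()` returning a positive value only when the channel path exists and on nothing removing it in between; neither is visible in this hunk. If that invariant holds it should be stated in a comment, otherwise the branch needs a guard such as `if (chp) {` around the lock/update/unlock sequence. The result of `chp_update_desc(chp)` is discarded, so if it can fail the function carries on with a possibly stale descriptor; a comment saying that is intended would help. The existing comment `/* allocate a new channel path structure, if needed */` no longer covers the whole block and could read `/* allocate a new channel path, or refresh the descriptor of an existing one */`. The function continues outside the hunk.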
@@ -0,0 +1,46 @@
+From 783c3b53b9506db3e05daacfe34e0287eebb09d8 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens
+Date: Mon, 16 Apr 2018 12:22:24 +0200
+Subject: s390/uprobes: implement arch_uretprobe_is_alive()
+
+From: Heiko Carstens
+
+commit 783c3b53b9506db3e05daacfe34e0287eebb09d8 upstream.
+
+Implement s390 specific arch_uretprobe_is_alive() to avoid SIGSEGVs
+observed with uretprobes in combination with setjmp/longjmp.
+
+See commit 2dea1d9c38e4 ("powerpc/uprobes: Implement
+arch_uretprobe_is_alive()") for more details.
+
+With this implemented all test cases referenced in the above commit
+pass.
+
+Reported-by: Ziqian SUN
+Cc: # v4.3+
+Signed-off-by: Heiko Carstens
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kernel/uprobes.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/s390/kernel/uprobes.c
++++ b/arch/s390/kernel/uprobes.c
+@@ -147,6 +147,15 @@ unsigned long arch_uretprobe_hijack_retu
+ return orig;
+ }
+
++bool arch_uretprobe_is_alive(struct return_instance *ret, enum rp_check ctx,
++ struct pt_regs *regs)
++{
++ if (ctx == RP_CHECK_CHAIN_CALL)
++ return user_stack_pointer(regs) <= ret->stack;
++ else
++ return user_stack_pointer(regs) < ret->stack;
++}
++
+ /* Instruction Emulation */
+
+ static void adjust_psw_addr(psw_t *psw, unsigned long len)
diff --git a/queue-4.4/scsi-mptsas-disable-write-same.patch b/queue-4.4/scsi-mptsas-disable-write-same.patch
new file mode 100644
index 00000000000..dc6a51393bc
--- /dev/null
+++ b/queue-4.4/scsi-mptsas-disable-write-same.patch
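Review bot: The new arch_uretprobe_is_alive() has no comment explaining why the `RP_CHECK_CHAIN_CALL` case compares `user_stack_pointer(regs)` with `ret->stack` using `<=` while every other context uses `<`; the rationale is only reachable through the powerpc commit cited in the description. A short comment above the function, saying that a return instance counts as alive while the current user stack pointer is below the stack value recorded in `ret` (or at or below it for a chained call), would make the boundary condition reviewable in place. As a style point, the `else` after the first `return` is redundant and the second `return` can stand on its own.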
@@ -0,0 +1,31 @@
+From 94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen"
+Date: Wed, 18 Apr 2018 22:54:59 -0400
+Subject: scsi: mptsas: Disable WRITE SAME
+
+From: Martin K. Petersen
+
+commit 94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84 upstream.
+
+First generation MPT Fusion controllers can not translate WRITE SAME
+when the attached device is a SATA drive. Disable WRITE SAME support.
+
+Reported-by: Nikola Ciprich
+Cc:
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/message/fusion/mptsas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/message/fusion/mptsas.c
++++ b/drivers/message/fusion/mptsas.c
+@@ -1994,6 +1994,7 @@ static struct scsi_host_template mptsas_
+ .cmd_per_lun = 7,
+ .use_clustering = ENABLE_CLUSTERING,
+ .shost_attrs = mptscsih_host_attrs,
++ .no_write_same = 1,
+ };
+
+ static int mptsas_get_linkerrors(struct sas_phy *phy)
diff --git a/queue-4.4/series b/queue-4.4/series
index 0ca520681c4..b36ff8e5fb1 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -44,3 +44,7 @@ net-fix-deadlock-while-clearing-neighbor-proxy-table.patch
 tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch
 net-af_packet-fix-race-in-packet_-r-t-x_ring.patch
 ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch
+scsi-mptsas-disable-write-same.patch
+cdrom-information-leak-in-cdrom_ioctl_media_changed.patch
+s390-cio-update-chpid-descriptor-after-resource-accessibility-event.patch
+s390-uprobes-implement-arch_uretprobe_is_alive.patch
-- 2.47.3
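Review bot: `.no_write_same = 1` is set in the `mptsas_` host template, so it applies to every host and device that uses this template, while the commit message limits the fault to first generation controllers with a SATA drive attached; whether later controllers or SAS drives share the template is not visible in this hunk. A comment on the line would keep the reason next to the setting, for example `/* first-gen MPT Fusion cannot translate WRITE SAME for SATA devices */`. The initializer starts outside the hunk.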