From 53f3a5d9564682a0f3271be7918fc6e81aa5c163 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 5 Nov 2015 22:58:23 -0800
Subject: [PATCH] 3.14-stable patches
added patches:
crypto-api-only-abort-operations-on-fatal-signal.patch
ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
md-raid1-submit_bio_wait-returns-0-on-success.patch
md-raid10-submit_bio_wait-returns-0-on-success.patch
mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch
---
...nly-abort-operations-on-fatal-signal.patch | 93 +++++++++++++++++++
...ee-duplicate-free-and-use-after-free.patch | 52 +++++++++++
...submit_bio_wait-returns-0-on-success.patch | 34 +++++++
...submit_bio_wait-returns-0-on-success.patch | 34 +++++++
...er-dereference-in-mvs_slot_task_free.patch | 40 ++++++++
...d-device-to-be-hot-added-to-an-array.patch | 50 ++++++++++
queue-3.14/series | 6 ++
7 files changed, 309 insertions(+)
create mode 100644 queue-3.14/crypto-api-only-abort-operations-on-fatal-signal.patch
create mode 100644 queue-3.14/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
create mode 100644 queue-3.14/md-raid1-submit_bio_wait-returns-0-on-success.patch
create mode 100644 queue-3.14/md-raid10-submit_bio_wait-returns-0-on-success.patch
create mode 100644 queue-3.14/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
create mode 100644 queue-3.14/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch
diff --git a/queue-3.14/crypto-api-only-abort-operations-on-fatal-signal.patch b/queue-3.14/crypto-api-only-abort-operations-on-fatal-signal.patch
new file mode 100644
index 00000000000..ed4b9ab2032
--- /dev/null
+++ b/queue-3.14/crypto-api-only-abort-operations-on-fatal-signal.patch
@@ -0,0 +1,93 @@
+From 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Mon, 19 Oct 2015 18:23:57 +0800
+Subject: crypto: api - Only abort operations on fatal signal
+
+From: Herbert Xu
+
+commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 upstream.
+
+Currently a number of Crypto API operations may fail when a signal
+occurs. This causes nasty problems as the caller of those operations
+are often not in a good position to restart the operation.
+
+In fact there is currently no need for those operations to be
+interrupted by user signals at all. All we need is for them to
+be killable.
+
+This patch replaces the relevant calls of signal_pending with
+fatal_signal_pending, and wait_for_completion_interruptible with
+wait_for_completion_killable, respectively.
+
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/ablkcipher.c | 2 +-
+ crypto/algapi.c | 2 +-
+ crypto/api.c | 6 +++---
+ crypto/crypto_user.c | 2 +-
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -695,7 +695,7 @@ struct crypto_ablkcipher *crypto_alloc_a
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -325,7 +325,7 @@ static void crypto_wait_for_test(struct
+ crypto_alg_tested(larval->alg.cra_driver_name, 0);
+ }
+
+- err = wait_for_completion_interruptible(&larval->completion);
++ err = wait_for_completion_killable(&larval->completion);
+ WARN_ON(err);
+
+ out:
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -172,7 +172,7 @@ static struct crypto_alg *crypto_larval_
+ struct crypto_larval *larval = (void *)alg;
+ long timeout;
+
+- timeout = wait_for_completion_interruptible_timeout(
++ timeout = wait_for_completion_killable_timeout(
+ &larval->completion, 60 * HZ);
+
+ alg = larval->adult;
+@@ -435,7 +435,7 @@ struct crypto_tfm *crypto_alloc_base(con
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+@@ -552,7 +552,7 @@ void *crypto_alloc_tfm(const char *alg_n
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -361,7 +361,7 @@ static struct crypto_alg *crypto_user_ae
+ err = PTR_ERR(alg);
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
diff --git a/queue-3.14/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch b/queue-3.14/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
new file mode 100644
index 00000000000..878a8db4041
--- /dev/null
+++ b/queue-3.14/ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
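Review bot: In the crypto/algapi.c hunk of crypto-api-only-abort-operations-on-fatal-signal.patch, `WARN_ON(err);` still follows the wait, so once the call becomes `wait_for_completion_killable()` the only way `err` can be non-zero appears to be a fatal signal delivered to the waiting task, and that ordinary event now raises a kernel warning. On hosts that panic on warnings or alert on them, killing a process at the wrong moment would become an availability or noise problem. If the warning is meant to stay, a comment such as `/* err is non-zero only when the task is being killed */` above it would tell the reader why it is acceptable; otherwise the `WARN_ON(err);` line could be dropped. crypto_wait_for_test starts outside the hunk, so any handling of `err` before this point is not visible here.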
@@ -0,0 +1,52 @@
+From 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 Mon Sep 17 00:00:00 2001
+From: Doron Tsur
+Date: Sun, 11 Oct 2015 15:58:17 +0300
+Subject: IB/cm: Fix rb-tree duplicate free and use-after-free
+
+From: Doron Tsur
+
+commit 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 upstream.
+
+ib_send_cm_sidr_rep could sometimes erase the node from the sidr
+(depending on errors in the process). Since ib_send_cm_sidr_rep is
+called both from cm_sidr_req_handler and cm_destroy_id, cm_id_priv
+could be either erased from the rb_tree twice or not erased at all.
+Fixing that by making sure it's erased only once before freeing
+cm_id_priv.
+
+Fixes: a977049dacde ('[PATCH] IB: Add the kernel CM implementation')
+Signed-off-by: Doron Tsur
+Signed-off-by: Matan Barak
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/cm.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -860,6 +860,11 @@ retest:
+ case IB_CM_SIDR_REQ_RCVD:
+ spin_unlock_irq(&cm_id_priv->lock);
+ cm_reject_sidr_req(cm_id_priv, IB_SIDR_REJECT);
++ spin_lock_irq(&cm.lock);
++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node))
++ rb_erase(&cm_id_priv->sidr_id_node,
++ &cm.remote_sidr_table);
++ spin_unlock_irq(&cm.lock);
+ break;
+ case IB_CM_REQ_SENT:
+ ib_cancel_mad(cm_id_priv->av.port->mad_agent, cm_id_priv->msg);
+@@ -3099,7 +3104,10 @@ int ib_send_cm_sidr_rep(struct ib_cm_id
+ spin_unlock_irqrestore(&cm_id_priv->lock, flags);
+
+ spin_lock_irqsave(&cm.lock, flags);
+- rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)) {
++ rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
++ RB_CLEAR_NODE(&cm_id_priv->sidr_id_node);
++ }
+ spin_unlock_irqrestore(&cm.lock, flags);
+ return 0;
+
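Review bot: Both new `RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)` checks only work if the node was put into the cleared state with `RB_CLEAR_NODE()` when cm_id_priv was set up, and that initialisation is in neither hunk of the drivers/infiniband/core/cm.c change. For a 3.14 backport it is worth confirming the tree has it, because a node that was never inserted and never cleared would still pass the check and reach `rb_erase()`. The first hunk (the `IB_CM_SIDR_REQ_RCVD` case) also erases without clearing, unlike ib_send_cm_sidr_rep; adding `RB_CLEAR_NODE(&cm_id_priv->sidr_id_node);` after that `rb_erase()`, with braces around the two statements, would keep the two sites consistent and make any later erase a no-op. Both enclosing functions start and end outside the hunks.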
diff --git a/queue-3.14/md-raid1-submit_bio_wait-returns-0-on-success.patch b/queue-3.14/md-raid1-submit_bio_wait-returns-0-on-success.patch
new file mode 100644
index 00000000000..bd1b4310e98
--- /dev/null
+++ b/queue-3.14/md-raid1-submit_bio_wait-returns-0-on-success.patch
@@ -0,0 +1,34 @@
+From 203d27b0226a05202438ddb39ef0ef1acb14a759 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen
+Date: Tue, 20 Oct 2015 12:09:12 -0400
+Subject: md/raid1: submit_bio_wait() returns 0 on success
+
+From: Jes Sorensen
+
+commit 203d27b0226a05202438ddb39ef0ef1acb14a759 upstream.
+
+This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
+which changed the return value of submit_bio_wait() to return != 0 on
+error, but didn't update the caller accordingly.
+
+Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
+Reported-by: Bill Kuzeja
+Signed-off-by: Jes Sorensen
+Signed-off-by: NeilBrown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2251,7 +2251,7 @@ static int narrow_write_error(struct r1b
+ bio_trim(wbio, sector - r1_bio->sector, sectors);
+ wbio->bi_iter.bi_sector += rdev->data_offset;
+ wbio->bi_bdev = rdev->bdev;
+- if (submit_bio_wait(WRITE, wbio) == 0)
++ if (submit_bio_wait(WRITE, wbio) < 0)
+ /* failure! */
+ ok = rdev_set_badblocks(rdev, sector,
+ sectors, 0)
diff --git a/queue-3.14/md-raid10-submit_bio_wait-returns-0-on-success.patch b/queue-3.14/md-raid10-submit_bio_wait-returns-0-on-success.patch
new file mode 100644
index 00000000000..68025a75325
--- /dev/null
+++ b/queue-3.14/md-raid10-submit_bio_wait-returns-0-on-success.patch
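Review bot: The new test `submit_bio_wait(WRITE, wbio) < 0` in narrow_write_error (drivers/md/raid1.c) is narrower than the commit text, which says submit_bio_wait() returns `!= 0` on error; a positive non-zero return would be treated as a successful write and the bad block would not be recorded. If the function can only return zero or a negative errno in this tree the two forms are equivalent, but `if (submit_bio_wait(WRITE, wbio) != 0)` states the contract directly and does not depend on that. The same line is added in md-raid10-submit_bio_wait-returns-0-on-success.patch. The function body continues outside the hunk in both files.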
@@ -0,0 +1,34 @@
+From 681ab4696062f5aa939c9e04d058732306a97176 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen
+Date: Tue, 20 Oct 2015 12:09:13 -0400
+Subject: md/raid10: submit_bio_wait() returns 0 on success
+
+From: Jes Sorensen
+
+commit 681ab4696062f5aa939c9e04d058732306a97176 upstream.
+
+This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
+which changed the return value of submit_bio_wait() to return != 0 on
+error, but didn't update the caller accordingly.
+
+Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
+Reported-by: Bill Kuzeja
+Signed-off-by: Jes Sorensen
+Signed-off-by: NeilBrown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/raid10.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2604,7 +2604,7 @@ static int narrow_write_error(struct r10
+ choose_data_offset(r10_bio, rdev) +
+ (sector - r10_bio->sector));
+ wbio->bi_bdev = rdev->bdev;
+- if (submit_bio_wait(WRITE, wbio) == 0)
++ if (submit_bio_wait(WRITE, wbio) < 0)
+ /* Failure! */
+ ok = rdev_set_badblocks(rdev, sector,
+ sectors, 0)
diff --git a/queue-3.14/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch b/queue-3.14/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
new file mode 100644
index 00000000000..28daf4534a0
--- /dev/null
+++ b/queue-3.14/mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
@@ -0,0 +1,40 @@
+From 2280521719e81919283b82902ac24058f87dfc1b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?=
+Date: Fri, 21 Aug 2015 07:29:22 +0300
+Subject: mvsas: Fix NULL pointer dereference in mvs_slot_task_free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?=
+
+commit 2280521719e81919283b82902ac24058f87dfc1b upstream.
+
+When pci_pool_alloc fails in mvs_task_prep then task->lldd_task stays
+NULL but it's later used in mvs_abort_task as slot which is passed
+to mvs_slot_task_free causing NULL pointer dereference.
+
+Just return from mvs_slot_task_free when passed with NULL slot.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101891
+Signed-off-by: Dāvis Mosāns
+Reviewed-by: Tomas Henzl
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mvsas/mv_sas.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -988,6 +988,8 @@ static void mvs_slot_free(struct mvs_inf
+ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
+ struct mvs_slot_info *slot, u32 slot_idx)
+ {
++ if (!slot)
++ return;
+ if (!slot->task)
+ return;
+ if (!sas_protocol_ata(task->task_proto))
diff --git a/queue-3.14/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch b/queue-3.14/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch
new file mode 100644
index 00000000000..ab702dd71db
--- /dev/null
+++ b/queue-3.14/revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch
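Review bot: The added `if (!slot) return;` at the top of mvs_slot_task_free carries no comment, so at the call site it reads as a defensive check rather than handling of a known state. The commit text gives the reason (task->lldd_task stays NULL when pci_pool_alloc fails in mvs_task_prep), and a comment such as `/* slot is NULL if mvs_task_prep failed before setting task->lldd_task */` above the check would keep that knowledge in the code. The guard also fixes the symptom in the callee only: callers pass a `slot_idx` alongside `slot`, and whether mvs_abort_task derives that index from the same NULL pointer before calling cannot be seen from this hunk and is worth checking. The function body continues past the end of the hunk.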
@@ -0,0 +1,50 @@
+From d01552a76d71f9879af448e9142389ee9be6e95b Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Sat, 31 Oct 2015 11:00:56 +1100
+Subject: Revert "md: allow a partially recovered device to be hot-added to an array."
+
+From: NeilBrown
+
+commit d01552a76d71f9879af448e9142389ee9be6e95b upstream.
+
+This reverts commit 7eb418851f3278de67126ea0c427641ab4792c57.
+
+This commit is poorly justified, I can find not discusison in email,
+and it clearly causes a problem.
+
+If a device which is being recovered fails and is subsequently
+re-added to an array, there could easily have been changes to the
+array *before* the point where the recovery was up to. So the
+recovery must start again from the beginning.
+
+If a spare is being recovered and fails, then when it is re-added we
+really should do a bitmap-based recovery up to the recovery-offset,
+and then a full recovery from there. Before this reversion, we only
+did the "full recovery from there" which is not corect. After this
+reversion with will do a full recovery from the start, which is safer
+but not ideal.
+
+It will be left to a future patch to arrange the two different styles
+of recovery.
+
+Reported-and-tested-by: Nate Dailey
+Signed-off-by: NeilBrown
+Fixes: 7eb418851f32 ("md: allow a partially recovered device to be hot-added to an array.")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/md.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7775,8 +7775,7 @@ static int remove_and_add_spares(struct
+ !test_bit(Bitmap_sync, &rdev->flags)))
+ continue;
+
+- if (rdev->saved_raid_disk < 0)
+- rdev->recovery_offset = 0;
++ rdev->recovery_offset = 0;
+ if (mddev->pers->
+ hot_add_disk(mddev, rdev) == 0) {
+ if (sysfs_link_rdev(mddev, rdev))
diff --git a/queue-3.14/series b/queue-3.14/series
index 8a2961f2fd2..299012b168d 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
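Review bot: `rdev->recovery_offset = 0;` in remove_and_add_spares (drivers/md/md.c) is now unconditional, and nothing at the site says why a re-added device's saved offset is discarded. The commit text explains it: the array may have changed before the point recovery had reached, so resuming from the saved offset can leave stale data in place. A short comment such as `/* always restart recovery from the start: the array may have changed below recovery_offset */` would keep a later cleanup from reintroducing the `saved_raid_disk` condition. The enclosing loop starts and ends outside the hunk.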
@@ -25,3 +25,9 @@ xhci-handle-no-ping-response-error-properly.patch
 xhci-add-spurious-wakeup-quirk-for-lynxpoint-lp-controllers.patch
 xen-blkfront-check-for-null-drvdata-in-blkback_changed-xenbusstateclosing.patch
 module-fix-locking-in-symbol_put_addr.patch
+crypto-api-only-abort-operations-on-fatal-signal.patch
+md-raid1-submit_bio_wait-returns-0-on-success.patch
+md-raid10-submit_bio_wait-returns-0-on-success.patch
+revert-md-allow-a-partially-recovered-device-to-be-hot-added-to-an-array.patch
+mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
+ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
--
2.47.2