From 97c569a1a3575b1cf9d37b20f42aa82f2cf47700 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sat, 15 Jun 2019 19:17:07 -0400
Subject: [PATCH] fixes for 4.9
Signed-off-by: Sasha Levin
---
 ...e-of-get-subscription-call-vs-port-d.patch | 102 +++++++++++
 ...ect-in-kernel-ioctl-calls-with-mutex.patch | 53 ++++++
 ...m64-mm-inhibit-huge-vmap-with-ptdump.patch | 76 ++++++++
 ...-out-of-bounds-access-in-function-pa.patch | 46 +++++
 ...ory-slot-handling-for-kvm_set_user_m.patch | 69 ++++++++
 ...ot-mask-the-value-that-is-written-to.patch | 48 +++++
 ...protect-in-kernel-ioctl-calls-with-m.patch | 50 ++++++
 ...incorrect-cast-to-u64-on-shift-opera.patch | 37 ++++
 ...eck-for-loss-of-ndlp-when-sending-rr.patch | 38 ++++
 ...mers-add-missing-fflush-stdout-calls.patch | 167 ++++++++++++++++++
 queue-4.9/series | 12 ++
 .../usbnet-ipheth-fix-racing-condition.patch | 62 +++++++
 ...uaccess-kcov-disable-stack-protector.patch | 42 +++++
 13 files changed, 802 insertions(+)
 create mode 100644 queue-4.9/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch
 create mode 100644 queue-4.9/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
 create mode 100644 queue-4.9/arm64-mm-inhibit-huge-vmap-with-ptdump.patch
 create mode 100644 queue-4.9/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch
 create mode 100644 queue-4.9/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
 create mode 100644 queue-4.9/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch
 create mode 100644 queue-4.9/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
 create mode 100644 queue-4.9/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
 create mode 100644 queue-4.9/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
 create mode 100644 queue-4.9/selftests-timers-add-missing-fflush-stdout-calls.patch
 create mode 100644 queue-4.9/usbnet-ipheth-fix-racing-condition.patch
 create mode 100644 queue-4.9/x86-uaccess-kcov-disable-stack-protector.patch
diff --git a/queue-4.9/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch b/queue-4.9/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch
new file mode 100644
index 00000000000..7e2a3dc6d63
--- /dev/null
+++ b/queue-4.9/alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch
@@ -0,0 +1,102 @@ +From 90cd45c81685630a708da8336462eebbab95de8d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 9 Apr 2019 18:04:17 +0200 +Subject: ALSA: seq: Fix race of get-subscription call vs port-delete ioctls + +[ Upstream commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 ] + +The snd_seq_ioctl_get_subscription() retrieves the port subscriber +information as a pointer, while the object isn't protected, hence it +may be deleted before the actual reference. This race was spotted by +syzkaller and may lead to a UAF. + +The fix is simply copying the data in the lookup function that +performs in the rwsem to protect against the deletion. + +Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_clientmgr.c | 10 ++-------- + sound/core/seq/seq_ports.c | 13 ++++++++----- + sound/core/seq/seq_ports.h | 5 +++-- + 3 files changed, 13 insertions(+), 15 deletions(-) + +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 3b1b2e9fb33e..881c965555c5 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1905,20 +1905,14 @@ static int snd_seq_ioctl_get_subscription(struct snd_seq_client *client, + int result; + struct snd_seq_client *sender = NULL; + struct snd_seq_client_port *sport = NULL; +- struct snd_seq_subscribers *p; + + result = -EINVAL; + if ((sender = snd_seq_client_use_ptr(subs->sender.client)) == NULL) + goto __end; + if ((sport = snd_seq_port_use_ptr(sender, subs->sender.port)) == NULL) + goto __end; +- p = snd_seq_port_get_subscription(&sport->c_src, &subs->dest); +- if (p) { +- result = 0; +- *subs = p->info; +- } else +- result = -ENOENT; +- ++ result = snd_seq_port_get_subscription(&sport->c_src, &subs->dest, ++ subs); + __end: + if (sport) + snd_seq_port_unlock(sport); +diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c +index a42e2ce4a726..9cfe4fcee9a5 100644 +--- 
a/sound/core/seq/seq_ports.c ++++ b/sound/core/seq/seq_ports.c +@@ -635,20 +635,23 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector, + + + /* get matched subscriber */ +-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, +- struct snd_seq_addr *dest_addr) ++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, ++ struct snd_seq_addr *dest_addr, ++ struct snd_seq_port_subscribe *subs) + { +- struct snd_seq_subscribers *s, *found = NULL; ++ struct snd_seq_subscribers *s; ++ int err = -ENOENT; + + down_read(&src_grp->list_mutex); + list_for_each_entry(s, &src_grp->list_head, src_list) { + if (addr_match(dest_addr, &s->info.dest)) { +- found = s; ++ *subs = s->info; ++ err = 0; + break; + } + } + up_read(&src_grp->list_mutex); +- return found; ++ return err; + } + + /* +diff --git a/sound/core/seq/seq_ports.h b/sound/core/seq/seq_ports.h +index 26bd71f36c41..06003b36652e 100644 +--- a/sound/core/seq/seq_ports.h ++++ b/sound/core/seq/seq_ports.h +@@ -135,7 +135,8 @@ int snd_seq_port_subscribe(struct snd_seq_client_port *port, + struct snd_seq_port_subscribe *info); + + /* get matched subscriber */ +-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, +- struct snd_seq_addr *dest_addr); ++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp, ++ struct snd_seq_addr *dest_addr, ++ struct snd_seq_port_subscribe *subs); + + #endif +-- +2.20.1 + diff --git a/queue-4.9/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch b/queue-4.9/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch new file mode 100644 index 00000000000..e5660cbc2db --- /dev/null +++ b/queue-4.9/alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch 
@@ -0,0 +1,53 @@
+From f803fd6dadeea3e9c512b50031a1ae253a19c46e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 9 Apr 2019 17:35:22 +0200
+Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex
+
+[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
+
+ALSA OSS sequencer calls the ioctl function indirectly via
+snd_seq_kernel_client_ctl(). While we already applied the protection
+against races between the normal ioctls and writes via the client's
+ioctl_mutex, this code path was left untouched. And this seems to be
+the cause of still remaining some rare UAF as spontaneously triggered
+by syzkaller.
+
+For the sake of robustness, wrap the ioctl_mutex also for the call via
+snd_seq_kernel_client_ctl(), too.
+
+Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/seq/seq_clientmgr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 09491b27092e..3b1b2e9fb33e 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2354,14 +2354,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
++ int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd)
+- return handler->func(client, arg);
++ if (handler->cmd == cmd) {
++ mutex_lock(&client->ioctl_mutex);
++ err = handler->func(client, arg);
++ mutex_unlock(&client->ioctl_mutex);
++ return err;
++ }
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+--
+2.20.1
+
diff --git a/queue-4.9/arm64-mm-inhibit-huge-vmap-with-ptdump.patch b/queue-4.9/arm64-mm-inhibit-huge-vmap-with-ptdump.patch
new file mode 100644
index 00000000000..49f81fcc032
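Review bot: This series applies feb689025fbb and, three entries later, its own revert (revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch, upstream f0654ba94e33), whose message states that the intermediate state deadlocks on close of the OSS sequencer client, so every tree between the two series entries carries a known deadlock and is a bisection trap. The net change to snd_seq_kernel_client_ctl() is zero, so both files could be dropped from the series; the alsa-seq-fix-race patch that sits between them records `index 3b1b2e9fb33e..881c965555c5` for seq_clientmgr.c, i.e. the blob this patch produces, so it would then need to be re-generated against the pre-mutex file rather than relying on fuzz. The same point applies to the revert hunk and is not repeated there. The body of snd_seq_kernel_client_ctl() continues past the end of the inner hunk.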
--- /dev/null
+++ b/queue-4.9/arm64-mm-inhibit-huge-vmap-with-ptdump.patch
@@ -0,0 +1,76 @@ +From c02767771b72c3af9348fd42a422d86326ff67e2 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Tue, 14 May 2019 14:30:06 +0530 +Subject: arm64/mm: Inhibit huge-vmap with ptdump + +[ Upstream commit 7ba36eccb3f83983a651efd570b4f933ecad1b5c ] + +The arm64 ptdump code can race with concurrent modification of the +kernel page tables. At the time this was added, this was sound as: + +* Modifications to leaf entries could result in stale information being + logged, but would not result in a functional problem. + +* Boot time modifications to non-leaf entries (e.g. freeing of initmem) + were performed when the ptdump code cannot be invoked. + +* At runtime, modifications to non-leaf entries only occurred in the + vmalloc region, and these were strictly additive, as intermediate + entries were never freed. + +However, since commit: + + commit 324420bf91f6 ("arm64: add support for ioremap() block mappings") + +... it has been possible to create huge mappings in the vmalloc area at +runtime, and as part of this existing intermediate levels of table my be +removed and freed. + +It's possible for the ptdump code to race with this, and continue to +walk tables which have been freed (and potentially poisoned or +reallocated). As a result of this, the ptdump code may dereference bogus +addresses, which could be fatal. + +Since huge-vmap is a TLB and memory optimization, we can disable it when +the runtime ptdump code is in use to avoid this problem. 
+ +Cc: Catalin Marinas +Fixes: 324420bf91f60582 ("arm64: add support for ioremap() block mappings") +Acked-by: Ard Biesheuvel +Signed-off-by: Mark Rutland +Signed-off-by: Anshuman Khandual +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/mmu.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index 0a56898f8410..efd65fc85238 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -765,13 +765,18 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys) + + int __init arch_ioremap_pud_supported(void) + { +- /* only 4k granule supports level 1 block mappings */ +- return IS_ENABLED(CONFIG_ARM64_4K_PAGES); ++ /* ++ * Only 4k granule supports level 1 block mappings. ++ * SW table walks can't handle removal of intermediate entries. ++ */ ++ return IS_ENABLED(CONFIG_ARM64_4K_PAGES) && ++ !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS); + } + + int __init arch_ioremap_pmd_supported(void) + { +- return 1; ++ /* See arch_ioremap_pud_supported() */ ++ return !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS); + } + + int pud_set_huge(pud_t *pud, phys_addr_t phys, pgprot_t prot) +-- +2.20.1 + diff --git a/queue-4.9/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch b/queue-4.9/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch new file mode 100644 index 00000000000..6e9a57ba6d1 --- /dev/null +++ b/queue-4.9/drivers-misc-fix-out-of-bounds-access-in-function-pa.patch 
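Review bot: The backport gates both arch_ioremap_pud_supported() and arch_ioremap_pmd_supported() on `CONFIG_ARM64_PTDUMP_DEBUGFS`, but as far as I can tell the 4.9 tree only has the older `ARM64_PTDUMP` symbol (the _CORE/_DEBUGFS split came later); if so, `IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS)` is silently 0, both functions keep their previous return values, and the walk of freed page tables that the commit message describes is not actually inhibited on 4.9. IS_ENABLED() on a symbol that does not exist compiles without any diagnostic, so nothing in the build would flag this. Worth checking the Kconfig name in the queue-4.9 tree and, if it differs, changing both lines to `!IS_ENABLED(CONFIG_ARM64_PTDUMP)` (or whichever symbol 4.9 defines).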
@@ -0,0 +1,46 @@
+From 681f44c7295df6288871bba98e673c196d0c7f16 Mon Sep 17 00:00:00 2001
+From: Young Xiao
+Date: Fri, 12 Apr 2019 15:45:06 +0800
+Subject: Drivers: misc: fix out-of-bounds access in function
+ param_set_kgdbts_var
+
+[ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ]
+
+There is an out-of-bounds access to "config[len - 1]" array when the
+variable "len" is zero.
+
+See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug
+in param_set_kgdboc_var()") for details.
+
+Signed-off-by: Young Xiao
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/kgdbts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
+index 99635dd9dbac..bb3a76ad80da 100644
+--- a/drivers/misc/kgdbts.c
++++ b/drivers/misc/kgdbts.c
+@@ -1132,7 +1132,7 @@ static void kgdbts_put_char(u8 chr)
+
+ static int param_set_kgdbts_var(const char *kmessage, struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdbts: config string too long\n");
+@@ -1152,7 +1152,7 @@ static int param_set_kgdbts_var(const char *kmessage, struct kernel_param *kp)
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ /* Go and configure with the new params. */
+--
+2.20.1
+
diff --git a/queue-4.9/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch b/queue-4.9/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
new file mode 100644
index 00000000000..bda3396d2d9
--- /dev/null
+++ b/queue-4.9/kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
@@ -0,0 +1,69 @@ +From 928ef7ef0ea00fd23187f23ea566268060fe0526 Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Fri, 24 May 2019 16:06:23 +0200 +Subject: KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION + +[ Upstream commit 19ec166c3f39fe1d3789888a74cc95544ac266d4 ] + +kselftests exposed a problem in the s390 handling for memory slots. +Right now we only do proper memory slot handling for creation of new +memory slots. Neither MOVE, nor DELETION are handled properly. Let us +implement those. + +Signed-off-by: Christian Borntraeger +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/kvm-s390.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index 2032ab81b2d7..07f571900676 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -3288,21 +3288,28 @@ void kvm_arch_commit_memory_region(struct kvm *kvm, + const struct kvm_memory_slot *new, + enum kvm_mr_change change) + { +- int rc; +- +- /* If the basics of the memslot do not change, we do not want +- * to update the gmap. Every update causes several unnecessary +- * segment translation exceptions. This is usually handled just +- * fine by the normal fault handler + gmap, but it will also +- * cause faults on the prefix page of running guest CPUs. 
+- */ +- if (old->userspace_addr == mem->userspace_addr && +- old->base_gfn * PAGE_SIZE == mem->guest_phys_addr && +- old->npages * PAGE_SIZE == mem->memory_size) +- return; ++ int rc = 0; + +- rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr, +- mem->guest_phys_addr, mem->memory_size); ++ switch (change) { ++ case KVM_MR_DELETE: ++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE, ++ old->npages * PAGE_SIZE); ++ break; ++ case KVM_MR_MOVE: ++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE, ++ old->npages * PAGE_SIZE); ++ if (rc) ++ break; ++ /* FALLTHROUGH */ ++ case KVM_MR_CREATE: ++ rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr, ++ mem->guest_phys_addr, mem->memory_size); ++ break; ++ case KVM_MR_FLAGS_ONLY: ++ break; ++ default: ++ WARN(1, "Unknown KVM MR CHANGE: %d\n", change); ++ } + if (rc) + pr_warn("failed to commit memory region\n"); + return; +-- +2.20.1 + diff --git a/queue-4.9/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch b/queue-4.9/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch new file mode 100644 index 00000000000..656091372b6 --- /dev/null +++ b/queue-4.9/kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch 
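Review bot: The `pr_warn("failed to commit memory region\n")` that the new switch falls into discards both `rc` and `change`, so a failed gmap_unmap_segment() for KVM_MR_DELETE/KVM_MR_MOVE is indistinguishable in the log from a failed gmap_map_segment() for KVM_MR_CREATE; `pr_warn("failed to commit memory region: change %d, rc %d\n", change, rc);` would make the failure path diagnosable. The KVM_MR_MOVE case also stops after a failed unmap without mapping the new range, which appears intentional but leaves the gmap out of step with the memslot, and a short comment on that `break` saying so would help the next reader. The function's first parameters are visible only in the @@ header, so the signature starts outside the hunk.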
@@ -0,0 +1,48 @@
+From 1abdc7e52abb4227689ac20ac0eadff1b0454019 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 20 May 2019 17:34:30 +0200
+Subject: KVM: x86/pmu: do not mask the value that is written to fixed PMUs
+
+[ Upstream commit 2924b52117b2812e9633d5ea337333299166d373 ]
+
+According to the SDM, for MSR_IA32_PERFCTR0/1 "the lower-order 32 bits of
+each MSR may be written with any value, and the high-order 8 bits are
+sign-extended according to the value of bit 31", but the fixed counters
+in real hardware are limited to the width of the fixed counters ("bits
+beyond the width of the fixed-function counter are reserved and must be
+written as zeros"). Fix KVM to do the same.
+
+Reported-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/pmu_intel.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c
+index 5ab4a364348e..2729131fe9bf 100644
+--- a/arch/x86/kvm/pmu_intel.c
++++ b/arch/x86/kvm/pmu_intel.c
+@@ -235,11 +235,14 @@ static int intel_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ }
+ break;
+ default:
+- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) ||
+- (pmc = get_fixed_pmc(pmu, msr))) {
+- if (!msr_info->host_initiated)
+- data = (s64)(s32)data;
+- pmc->counter += data - pmc_read_counter(pmc);
++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) {
++ if (msr_info->host_initiated)
++ pmc->counter = data;
++ else
++ pmc->counter = (s32)data;
++ return 0;
++ } else if ((pmc = get_fixed_pmc(pmu, msr))) {
++ pmc->counter = data;
+ return 0;
+ } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) {
+ if (data == pmc->eventsel)
+--
+2.20.1
+
diff --git a/queue-4.9/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch b/queue-4.9/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
new file mode 100644
index 00000000000..5fdfe8e81a8
--- /dev/null
+++ b/queue-4.9/revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
@@ -0,0 +1,50 @@
+From dd03b1fee7b8410464beedaf696be7a3deec7fbd Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 11 Apr 2019 19:58:32 +0200
+Subject: Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
+
+[ Upstream commit f0654ba94e33699b295ce4f3dc73094db6209035 ]
+
+This reverts commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32.
+
+The fix attempt was incorrect, leading to the mutex deadlock through
+the close of OSS sequencer client. The proper fix needs more
+consideration, so let's revert it now.
+
+Fixes: feb689025fbb ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
+Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/seq/seq_clientmgr.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 881c965555c5..bc6d371031fc 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2348,19 +2348,14 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
+- int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd) {
+- mutex_lock(&client->ioctl_mutex);
+- err = handler->func(client, arg);
+- mutex_unlock(&client->ioctl_mutex);
+- return err;
+- }
++ if (handler->cmd == cmd)
++ return handler->func(client, arg);
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+--
+2.20.1
+
diff --git a/queue-4.9/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch b/queue-4.9/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
new file mode 100644
index 00000000000..7175e077434
--- /dev/null
+++ b/queue-4.9/scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
@@ -0,0 +1,37 @@
+From dcd64802cff863b28cf08e3ca092acb2fddf96ff Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Sat, 4 May 2019 17:48:29 +0100
+Subject: scsi: bnx2fc: fix incorrect cast to u64 on shift operation
+
+[ Upstream commit d0c0d902339249c75da85fd9257a86cbb98dfaa5 ]
+
+Currently an int is being shifted and the result is being cast to a u64
+which leads to undefined behaviour if the shift is more than 31 bits. Fix
+this by casting the integer value 1 to u64 before the shift operation.
+
+Addresses-Coverity: ("Bad shift operation")
+Fixes: 7b594769120b ("[SCSI] bnx2fc: Handle REC_TOV error code from firmware")
+Signed-off-by: Colin Ian King
+Acked-by: Saurav Kashyap
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/bnx2fc/bnx2fc_hwi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+index 5ff9f89c17c7..39b2f60149d9 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+@@ -829,7 +829,7 @@ ret_err_rqe:
+ ((u64)err_entry->data.err_warn_bitmap_hi << 32) |
+ (u64)err_entry->data.err_warn_bitmap_lo;
+ for (i = 0; i < BNX2FC_NUM_ERR_BITS; i++) {
+- if (err_warn_bit_map & (u64) (1 << i)) {
++ if (err_warn_bit_map & ((u64)1 << i)) {
+ err_warn = i;
+ break;
+ }
+--
+2.20.1
+
diff --git a/queue-4.9/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch b/queue-4.9/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
new file mode 100644
index 00000000000..cc6d78f7909
--- /dev/null
+++ b/queue-4.9/scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
@@ -0,0 +1,38 @@
+From 5e62b88fb9b0117108bfe19fe220b52fc220e2fd Mon Sep 17 00:00:00 2001
+From: James Smart
+Date: Mon, 6 May 2019 17:26:49 -0700
+Subject: scsi: lpfc: add check for loss of ndlp when sending RRQ
+
+[ Upstream commit c8cb261a072c88ca1aff0e804a30db4c7606521b ]
+
+There was a missing qualification of a valid ndlp structure when calling to
+send an RRQ for an abort. Add the check.
+
+Signed-off-by: Dick Kennedy
+Signed-off-by: James Smart
+Tested-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/lpfc/lpfc_els.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index 4905455bbfc7..b5be4df05733 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -6789,7 +6789,10 @@ int
+ lpfc_send_rrq(struct lpfc_hba *phba, struct lpfc_node_rrq *rrq)
+ {
+ struct lpfc_nodelist *ndlp = lpfc_findnode_did(rrq->vport,
+- rrq->nlp_DID);
++ rrq->nlp_DID);
++ if (!ndlp)
++ return 1;
++
+ if (lpfc_test_rrq_active(phba, ndlp, rrq->xritag))
+ return lpfc_issue_els_rrq(rrq->vport, ndlp,
+ rrq->nlp_DID, rrq);
+--
+2.20.1
+
diff --git a/queue-4.9/selftests-timers-add-missing-fflush-stdout-calls.patch b/queue-4.9/selftests-timers-add-missing-fflush-stdout-calls.patch
new file mode 100644
index 00000000000..6273a3a5422
--- /dev/null
+++ b/queue-4.9/selftests-timers-add-missing-fflush-stdout-calls.patch
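Review bot: The new early `return 1;` when lpfc_findnode_did() yields no ndlp says nothing about who now owns `rrq`; if callers treat a non-zero return from lpfc_send_rrq() as "RRQ not issued" and retire the rrq themselves this is fine, otherwise the rrq is leaked on this path. The callers are outside the hunk, so this is worth confirming rather than assuming, and a one-line comment on the return such as `/* no ndlp for this DID: caller is responsible for retiring rrq */` would record the contract either way. The body of lpfc_send_rrq() continues past the end of the hunk.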
@@ -0,0 +1,167 @@ +From 9e36bd5b4bcbd8560f799bf5dac9ea8db9695c9d Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 20 May 2019 15:37:49 -0700 +Subject: selftests/timers: Add missing fflush(stdout) calls + +[ Upstream commit fe48319243a626c860fd666ca032daacc2ba84a5 ] + +When running under a pipe, some timer tests would not report output in +real-time because stdout flushes were missing after printf()s that lacked +a newline. This adds them to restore real-time status output that humans +can enjoy. + +Signed-off-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/timers/adjtick.c | 1 + + tools/testing/selftests/timers/leapcrash.c | 1 + + tools/testing/selftests/timers/mqueue-lat.c | 1 + + tools/testing/selftests/timers/nanosleep.c | 1 + + tools/testing/selftests/timers/nsleep-lat.c | 1 + + tools/testing/selftests/timers/raw_skew.c | 1 + + tools/testing/selftests/timers/set-tai.c | 1 + + tools/testing/selftests/timers/set-tz.c | 2 ++ + tools/testing/selftests/timers/threadtest.c | 1 + + tools/testing/selftests/timers/valid-adjtimex.c | 2 ++ + 10 files changed, 12 insertions(+) + +diff --git a/tools/testing/selftests/timers/adjtick.c b/tools/testing/selftests/timers/adjtick.c +index 9887fd538fec..91316ab4b041 100644 +--- a/tools/testing/selftests/timers/adjtick.c ++++ b/tools/testing/selftests/timers/adjtick.c +@@ -147,6 +147,7 @@ int check_tick_adj(long tickval) + + eppm = get_ppm_drift(); + printf("%lld usec, %lld ppm", systick + (systick * eppm / MILLION), eppm); ++ fflush(stdout); + + tx1.modes = 0; + adjtimex(&tx1); +diff --git a/tools/testing/selftests/timers/leapcrash.c b/tools/testing/selftests/timers/leapcrash.c +index a1071bdbdeb7..a77c70b47495 100644 +--- a/tools/testing/selftests/timers/leapcrash.c ++++ b/tools/testing/selftests/timers/leapcrash.c +@@ -114,6 +114,7 @@ int main(void) + } + clear_time_state(); + printf("."); ++ fflush(stdout); + } + printf("[OK]\n"); + return ksft_exit_pass(); +diff --git 
a/tools/testing/selftests/timers/mqueue-lat.c b/tools/testing/selftests/timers/mqueue-lat.c +index a2a3924d0b41..efdb62470052 100644 +--- a/tools/testing/selftests/timers/mqueue-lat.c ++++ b/tools/testing/selftests/timers/mqueue-lat.c +@@ -113,6 +113,7 @@ int main(int argc, char **argv) + int ret; + + printf("Mqueue latency : "); ++ fflush(stdout); + + ret = mqueue_lat_test(); + if (ret < 0) { +diff --git a/tools/testing/selftests/timers/nanosleep.c b/tools/testing/selftests/timers/nanosleep.c +index ff942ff7c9b3..2e6e94c02a33 100644 +--- a/tools/testing/selftests/timers/nanosleep.c ++++ b/tools/testing/selftests/timers/nanosleep.c +@@ -153,6 +153,7 @@ int main(int argc, char **argv) + continue; + + printf("Nanosleep %-31s ", clockstring(clockid)); ++ fflush(stdout); + + length = 10; + while (length <= (NSEC_PER_SEC * 10)) { +diff --git a/tools/testing/selftests/timers/nsleep-lat.c b/tools/testing/selftests/timers/nsleep-lat.c +index 2d7898fda0f1..ac06cf10a5c2 100644 +--- a/tools/testing/selftests/timers/nsleep-lat.c ++++ b/tools/testing/selftests/timers/nsleep-lat.c +@@ -166,6 +166,7 @@ int main(int argc, char **argv) + continue; + + printf("nsleep latency %-26s ", clockstring(clockid)); ++ fflush(stdout); + + length = 10; + while (length <= (NSEC_PER_SEC * 10)) { +diff --git a/tools/testing/selftests/timers/raw_skew.c b/tools/testing/selftests/timers/raw_skew.c +index 0ab937a17ebb..4e631da7f956 100644 +--- a/tools/testing/selftests/timers/raw_skew.c ++++ b/tools/testing/selftests/timers/raw_skew.c +@@ -124,6 +124,7 @@ int main(int argv, char **argc) + printf("WARNING: ADJ_OFFSET in progress, this will cause inaccurate results\n"); + + printf("Estimating clock drift: "); ++ fflush(stdout); + sleep(120); + + get_monotonic_and_raw(&mon, &raw); +diff --git a/tools/testing/selftests/timers/set-tai.c b/tools/testing/selftests/timers/set-tai.c +index dc88dbc8831f..3ae76ab483de 100644 +--- a/tools/testing/selftests/timers/set-tai.c ++++ 
b/tools/testing/selftests/timers/set-tai.c +@@ -66,6 +66,7 @@ int main(int argc, char **argv) + printf("tai offset started at %i\n", ret); + + printf("Checking tai offsets can be properly set: "); ++ fflush(stdout); + for (i = 1; i <= 60; i++) { + ret = set_tai(i); + ret = get_tai(); +diff --git a/tools/testing/selftests/timers/set-tz.c b/tools/testing/selftests/timers/set-tz.c +index f4184928b16b..b038131c9682 100644 +--- a/tools/testing/selftests/timers/set-tz.c ++++ b/tools/testing/selftests/timers/set-tz.c +@@ -76,6 +76,7 @@ int main(int argc, char **argv) + printf("tz_minuteswest started at %i, dst at %i\n", min, dst); + + printf("Checking tz_minuteswest can be properly set: "); ++ fflush(stdout); + for (i = -15*60; i < 15*60; i += 30) { + ret = set_tz(i, dst); + ret = get_tz_min(); +@@ -87,6 +88,7 @@ int main(int argc, char **argv) + printf("[OK]\n"); + + printf("Checking invalid tz_minuteswest values are caught: "); ++ fflush(stdout); + + if (!set_tz(-15*60-1, dst)) { + printf("[FAILED] %i didn't return failure!\n", -15*60-1); +diff --git a/tools/testing/selftests/timers/threadtest.c b/tools/testing/selftests/timers/threadtest.c +index e632e116f05e..a4bf736dd842 100644 +--- a/tools/testing/selftests/timers/threadtest.c ++++ b/tools/testing/selftests/timers/threadtest.c +@@ -175,6 +175,7 @@ int main(int argc, char **argv) + strftime(buf, 255, "%a, %d %b %Y %T %z", localtime(&start)); + printf("%s\n", buf); + printf("Testing consistency with %i threads for %ld seconds: ", thread_count, runtime); ++ fflush(stdout); + + /* spawn */ + for (i = 0; i < thread_count; i++) +diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c +index 60fe3c569bd9..a747645d79f4 100644 +--- a/tools/testing/selftests/timers/valid-adjtimex.c ++++ b/tools/testing/selftests/timers/valid-adjtimex.c +@@ -134,6 +134,7 @@ int validate_freq(void) + /* Set the leap second insert flag */ + + printf("Testing ADJ_FREQ... 
"); ++ fflush(stdout); + for (i = 0; i < NUM_FREQ_VALID; i++) { + tx.modes = ADJ_FREQUENCY; + tx.freq = valid_freq[i]; +@@ -261,6 +262,7 @@ int set_bad_offset(long sec, long usec, int use_nano) + int validate_set_offset(void) + { + printf("Testing ADJ_SETOFFSET... "); ++ fflush(stdout); + + /* Test valid values */ + if (set_offset(NSEC_PER_SEC - 1, 1)) +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index dbbf718e913..23b7d33aaeb 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -66,3 +66,15 @@ bcache-fix-stack-corruption-by-preceding_key.patch cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch asoc-cs42xx8-add-regcache-mask-dirty.patch asoc-fsl_asrc-fix-the-issue-about-unsupported-rate.patch +x86-uaccess-kcov-disable-stack-protector.patch +alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch +alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch +revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch +drivers-misc-fix-out-of-bounds-access-in-function-pa.patch +scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch +arm64-mm-inhibit-huge-vmap-with-ptdump.patch +scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch +selftests-timers-add-missing-fflush-stdout-calls.patch +usbnet-ipheth-fix-racing-condition.patch +kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch +kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch diff --git a/queue-4.9/usbnet-ipheth-fix-racing-condition.patch b/queue-4.9/usbnet-ipheth-fix-racing-condition.patch new file mode 100644 index 00000000000..0270b27ee9f --- /dev/null +++ b/queue-4.9/usbnet-ipheth-fix-racing-condition.patch 
@@ -0,0 +1,62 @@ +From 3d109e979f72e05b3022f3a1747d9bcb079b908d Mon Sep 17 00:00:00 2001 +From: Bernd Eckstein <3erndeckstein@gmail.com> +Date: Mon, 20 May 2019 17:31:09 +0200 +Subject: usbnet: ipheth: fix racing condition + +[ Upstream commit 94d250fae48e6f873d8362308f5c4d02cd1b1fd2 ] + +Fix a racing condition in ipheth.c that can lead to slow performance. + +Bug: In ipheth_tx(), netif_wake_queue() may be called on the callback +ipheth_sndbulk_callback(), _before_ netif_stop_queue() is called. +When this happens, the queue is stopped longer than it needs to be, +thus reducing network performance. + +Fix: Move netif_stop_queue() in front of usb_submit_urb(). Now the order +is always correct. In case, usb_submit_urb() fails, the queue is woken up +again as callback will not fire. + +Testing: This racing condition is usually not noticeable, as it has to +occur very frequently to slowdown the network. The callback from the USB +is usually triggered slow enough, so the situation does not appear. +However, on a Ubuntu Linux on VMWare Workstation, running on Windows 10, +the we loose the race quite often and the following speedup can be noticed: + +Without this patch: Download: 4.10 Mbit/s, Upload: 4.01 Mbit/s +With this patch: Download: 36.23 Mbit/s, Upload: 17.61 Mbit/s + +Signed-off-by: Oliver Zweigle +Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com> +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ipheth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c +index 01f95d192d25..2b16a5fed9de 100644 +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -437,17 +437,18 @@ static int ipheth_tx(struct sk_buff *skb, struct net_device *net) + dev); + dev->tx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + ++ netif_stop_queue(net); + retval = usb_submit_urb(dev->tx_urb, GFP_ATOMIC); + if (retval) { + dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n", + __func__, retval); + dev->net->stats.tx_errors++; + dev_kfree_skb_any(skb); ++ netif_wake_queue(net); + } else { + dev->net->stats.tx_packets++; + dev->net->stats.tx_bytes += skb->len; + dev_consume_skb_any(skb); +- netif_stop_queue(net); + } + + return NETDEV_TX_OK; +-- +2.20.1 + diff --git a/queue-4.9/x86-uaccess-kcov-disable-stack-protector.patch b/queue-4.9/x86-uaccess-kcov-disable-stack-protector.patch new file mode 100644 index 00000000000..257758e6f08 --- /dev/null +++ b/queue-4.9/x86-uaccess-kcov-disable-stack-protector.patch 
@@ -0,0 +1,42 @@
+From e59bc317814f6548a21fb3f146c6e6fadd9e6e30 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 7 Mar 2019 19:54:25 +0100
+Subject: x86/uaccess, kcov: Disable stack protector
+
+[ Upstream commit 40ea97290b08be2e038b31cbb33097d1145e8169 ]
+
+New tooling noticed this mishap:
+
+ kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled
+ kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled
+
+All the other instrumentation (KASAN,UBSAN) also have stack protector
+disabled.
+
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Borislav Petkov
+Cc: Josh Poimboeuf
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+---
+ kernel/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/Makefile b/kernel/Makefile
+index 314e7d62f5f0..184fa9aa5802 100644
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -28,6 +28,7 @@ KCOV_INSTRUMENT_extable.o := n
+ # Don't self-instrument.
+ KCOV_INSTRUMENT_kcov.o := n
+ KASAN_SANITIZE_kcov.o := n
++CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
+
+ # cond_syscall is currently not LTO compatible
+ CFLAGS_sys_ni.o = $(DISABLE_LTO)
+--
+2.20.1
+
--
2.47.2
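Review bot: `$(call cc-option, -fno-conserve-stack -fno-stack-protector)` probes the two flags as a single unit, so any compiler that rejects `-fno-conserve-stack` also loses `-fno-stack-protector`, and kcov.o then keeps the stack protector that this patch exists to remove — silently, since cc-option just expands to nothing. Probing them separately keeps each flag independent: `CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack) $(call cc-option, -fno-stack-protector)`. Whether the 4.9 queue builds with such a compiler is beyond what the hunk shows, but the coupling costs nothing to remove.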