From a848fc0f07fb26632978243ce36055657023e8cf Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 30 Aug 2018 10:04:14 -0700
Subject: [PATCH] 4.9-stable patches

added patches:
arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
ext4-check-for-nul-characters-in-extended-attribute-s-name.patch
ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch
ext4-sysfs-print-ext4_super_block-fields-as-little-endian.patch
kprobes-arm64-fix-p-uses-in-error-messages.patch
s390-kvm-fix-deadlock-when-killed-by-oom.patch
---
 ...r-upper-page_shift-bits-in-pfn_valid.patch | 59 +++++++++++++++++++
 ...s-don-t-leak-ret-from-do_chunk_alloc.patch | 35 -----------
 ...racters-in-extended-attribute-s-name.patch | 38 ++++++++++++
 ...-code-in-ext4_find_entry-in-fallback.patch | 37 ++++++++++++
 ..._super_block-fields-as-little-endian.patch | 59 +++++++++++++++++++
 ...s-arm64-fix-p-uses-in-error-messages.patch | 52 ++++++++++++++++
 ...-kvm-fix-deadlock-when-killed-by-oom.patch | 40 +++++++++++++
 queue-4.9/series | 7 ++-
 8 files changed, 291 insertions(+), 36 deletions(-)
 create mode 100644 queue-4.9/arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
 delete mode 100644 queue-4.9/btrfs-don-t-leak-ret-from-do_chunk_alloc.patch
 create mode 100644 queue-4.9/ext4-check-for-nul-characters-in-extended-attribute-s-name.patch
 create mode 100644 queue-4.9/ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch
 create mode 100644 queue-4.9/ext4-sysfs-print-ext4_super_block-fields-as-little-endian.patch
 create mode 100644 queue-4.9/kprobes-arm64-fix-p-uses-in-error-messages.patch
 create mode 100644 queue-4.9/s390-kvm-fix-deadlock-when-killed-by-oom.patch
diff --git a/queue-4.9/arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch b/queue-4.9/arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
new file mode 100644
index 00000000000..0d159e440ed
--- /dev/null
+++ b/queue-4.9/arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
@@ -0,0 +1,59 @@
+From 5ad356eabc47d26a92140a0c4b20eba471c10de3 Mon Sep 17 00:00:00 2001
+From: Greg Hackmann
+Date: Wed, 15 Aug 2018 12:51:21 -0700
+Subject: arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
+
+From: Greg Hackmann
+
+commit 5ad356eabc47d26a92140a0c4b20eba471c10de3 upstream.
+
+ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input
+before seeing if the PFN is valid. This leads to false positives when
+some of the upper bits are set, but the lower bits match a valid PFN.
+
+For example, the following userspace code looks up a bogus entry in
+/proc/kpageflags:
+
+ int pagemap = open("/proc/self/pagemap", O_RDONLY);
+ int pageflags = open("/proc/kpageflags", O_RDONLY);
+ uint64_t pfn, val;
+
+ lseek64(pagemap, [...], SEEK_SET);
+ read(pagemap, &pfn, sizeof(pfn));
+ if (pfn & (1UL << 63)) { /* valid PFN */
+ pfn &= ((1UL << 55) - 1); /* clear flag bits */
+ pfn |= (1UL << 55);
+ lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET);
+ read(pageflags, &val, sizeof(val));
+ }
+
+On ARM64 this causes the userspace process to crash with SIGSEGV rather
+than reading (1 << KPF_NOPAGE). kpageflags_read() treats the offset as
+valid, and stable_page_flags() will try to access an address between the
+user and kernel address ranges.
+
+Fixes: c1cc1552616d ("arm64: MMU initialisation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Hackmann
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/mm/init.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -147,7 +147,11 @@ static void __init zone_sizes_init(unsig
+ #ifdef CONFIG_HAVE_ARCH_PFN_VALID
+ int pfn_valid(unsigned long pfn)
+ {
+- return memblock_is_map_memory(pfn << PAGE_SHIFT);
++ phys_addr_t addr = pfn << PAGE_SHIFT;
++
++ if ((addr >> PAGE_SHIFT) != pfn)
++ return 0;
++ return memblock_is_map_memory(addr);
+ }
+ EXPORT_SYMBOL(pfn_valid);
+ #endif
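Review bot: The new round-trip test `if ((addr >> PAGE_SHIFT) != pfn)` carries no comment, and a reader of pfn_valid() will not guess that the point is to catch PFN bits that `pfn << PAGE_SHIFT` silently discards. Suggest `/* reject PFNs whose upper bits are lost in the shift; they would otherwise alias a valid lower PFN */` above the test. The check only works because phys_addr_t is at least as wide as unsigned long, so the only bits that can differ after the round trip are the shifted-out ones; that holds on arm64 but is worth stating next to an EXPORT_SYMBOL'd function. Since the bogus pfn originates from a userspace-chosen /proc/kpageflags offset, rejecting it inside pfn_valid() rather than in each caller is the right layer.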
diff --git a/queue-4.9/btrfs-don-t-leak-ret-from-do_chunk_alloc.patch b/queue-4.9/btrfs-don-t-leak-ret-from-do_chunk_alloc.patch
deleted file mode 100644
index 1d3d639d79f..00000000000
--- a/queue-4.9/btrfs-don-t-leak-ret-from-do_chunk_alloc.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4559b0a71749c442d34f7cfb9e72c9e58db83948 Mon Sep 17 00:00:00 2001
-From: Josef Bacik
-Date: Thu, 19 Jul 2018 10:49:51 -0400
-Subject: btrfs: don't leak ret from do_chunk_alloc
-
-From: Josef Bacik
-
-commit 4559b0a71749c442d34f7cfb9e72c9e58db83948 upstream.
-
-If we're trying to make a data reservation and we have to allocate a
-data chunk we could leak ret == 1, as do_chunk_alloc() will return 1 if
-it allocated a chunk. Since the end of the function is the success path
-just return 0.
-
-CC: stable@vger.kernel.org # 4.4+
-Signed-off-by: Josef Bacik
-Reviewed-by: Nikolay Borisov
-Signed-off-by: David Sterba
-Signed-off-by: Greg Kroah-Hartman
-
----
- fs/btrfs/extent-tree.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/btrfs/extent-tree.c
-+++ b/fs/btrfs/extent-tree.c
-@@ -4258,7 +4258,7 @@ commit_trans:
- data_sinfo->flags, bytes, 1);
- spin_unlock(&data_sinfo->lock);
-
-- return ret;
-+ return 0;
- }
-
- /*
diff --git a/queue-4.9/ext4-check-for-nul-characters-in-extended-attribute-s-name.patch b/queue-4.9/ext4-check-for-nul-characters-in-extended-attribute-s-name.patch
new file mode 100644
index 00000000000..5e7b09bb88b
--- /dev/null
+++ b/queue-4.9/ext4-check-for-nul-characters-in-extended-attribute-s-name.patch
@@ -0,0 +1,38 @@
+From 7d95178c77014dbd8dce36ee40bbbc5e6c121ff5 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Wed, 1 Aug 2018 12:36:52 -0400
+Subject: ext4: check for NUL characters in extended attribute's name
+
+From: Theodore Ts'o
+
+commit 7d95178c77014dbd8dce36ee40bbbc5e6c121ff5 upstream.
+
+Extended attribute names are defined to be NUL-terminated, so the name
+must not contain a NUL character. This is important because there are
+places when remove extended attribute, the code uses strlen to
+determine the length of the entry. That should probably be fixed at
+some point, but code is currently really messy, so the simplest fix
+for now is to simply validate that the extended attributes are sane.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200401
+
+Reported-by: Wen Xu
+Signed-off-by: Theodore Ts'o
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/xattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -184,6 +184,8 @@ ext4_xattr_check_names(struct ext4_xattr
+ struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e);
+ if ((void *)next >= end)
+ return -EFSCORRUPTED;
++ if (strnlen(e->e_name, e->e_name_len) != e->e_name_len)
++ return -EFSCORRUPTED;
+ e = next;
+ }
+
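Review bot: The new `strnlen(e->e_name, e->e_name_len)` reads e_name_len bytes of on-disk data with no bound of its own; it is only safe because the `(void *)next >= end` test immediately above has already established that the entry up to `next` (computed by EXT4_XATTR_NEXT(e), which presumably accounts for e_name_len) lies inside the buffer, and that ordering dependency is not recorded anywhere. Suggest `/* entry bounds were checked above, so reading e_name_len bytes of e_name is safe */` on the new line, so a later reordering does not turn a crafted image into an out-of-bounds read. The enclosing ext4_xattr_check_names() starts before the hunk, so whether `end` is the true end of the block or inode body cannot be confirmed from here.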
@@ -0,0 +1,37 @@
+From f39b3f45dbcb0343822cce31ea7636ad66e60bc2 Mon Sep 17 00:00:00 2001
+From: Eric Sandeen
+Date: Sun, 29 Jul 2018 17:13:42 -0400
+Subject: ext4: reset error code in ext4_find_entry in fallback
+
+From: Eric Sandeen
+
+commit f39b3f45dbcb0343822cce31ea7636ad66e60bc2 upstream.
+
+When ext4_find_entry() falls back to "searching the old fashioned
+way" due to a corrupt dx dir, it needs to reset the error code
+to NULL so that the nonstandard ERR_BAD_DX_DIR code isn't returned
+to userspace.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199947
+
+Reported-by: Anatoly Trosinenko
+Reviewed-by: Andreas Dilger
+Signed-off-by: Eric Sandeen
+Signed-off-by: Theodore Ts'o
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/namei.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1415,6 +1415,7 @@ static struct buffer_head * ext4_find_en
+ goto cleanup_and_exit;
+ dxtrace(printk(KERN_DEBUG "ext4_find_entry: dx failed, "
+ "falling back\n"));
++ ret = NULL;
+ }
+ nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb);
+ if (!nblocks) {
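Review bot: `ret = NULL;` is the only thing that stops the internal ERR_BAD_DX_DIR value from the dx lookup reaching userspace, yet a bare reset in the middle of a fallback path reads like a leftover and will tempt a cleanup. Suggest `/* clear ERR_BAD_DX_DIR from the dx path; the linear search below sets ret itself */` beside the new line. The enclosing ext4_find_entry() begins and ends outside the hunk, so it cannot be confirmed from here that no other route from the dx failure branch to cleanup_and_exit still carries the stale value.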
@@ -0,0 +1,59 @@
+From a4d2aadca184ece182418950d45ba4ffc7b652d2 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Sun, 29 Jul 2018 15:48:00 -0400
+Subject: ext4: sysfs: print ext4_super_block fields as little-endian
+
+From: Arnd Bergmann
+
+commit a4d2aadca184ece182418950d45ba4ffc7b652d2 upstream.
+
+While working on extended rand for last_error/first_error timestamps,
+I noticed that the endianess is wrong; we access the little-endian
+fields in struct ext4_super_block as native-endian when we print them.
+
+This adds a special case in ext4_attr_show() and ext4_attr_store()
+to byteswap the superblock fields if needed.
+
+In older kernels, this code was part of super.c, it got moved to
+sysfs.c in linux-4.4.
+
+Cc: stable@vger.kernel.org
+Fixes: 52c198c6820f ("ext4: add sysfs entry showing whether the fs contains errors")
+Reviewed-by: Andreas Dilger
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/sysfs.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/sysfs.c
++++ b/fs/ext4/sysfs.c
+@@ -277,8 +277,12 @@ static ssize_t ext4_attr_show(struct kob
+ case attr_pointer_ui:
+ if (!ptr)
+ return 0;
+- return snprintf(buf, PAGE_SIZE, "%u\n",
+- *((unsigned int *) ptr));
++ if (a->attr_ptr == ptr_ext4_super_block_offset)
++ return snprintf(buf, PAGE_SIZE, "%u\n",
++ le32_to_cpup(ptr));
++ else
++ return snprintf(buf, PAGE_SIZE, "%u\n",
++ *((unsigned int *) ptr));
+ case attr_pointer_atomic:
+ if (!ptr)
+ return 0;
+@@ -311,7 +315,10 @@ static ssize_t ext4_attr_store(struct ko
+ ret = kstrtoul(skip_spaces(buf), 0, &t);
+ if (ret)
+ return ret;
+- *((unsigned int *) ptr) = t;
++ if (a->attr_ptr == ptr_ext4_super_block_offset)
++ *((__le32 *) ptr) = cpu_to_le32(t);
++ else
++ *((unsigned int *) ptr) = t;
+ return len;
+ case attr_inode_readahead:
+ return inode_readahead_blks_store(a, sbi, buf, len);
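Review bot: The two new branches in ext4_attr_show() duplicate the snprintf call and differ only in how the value is read, which invites the format and the byte-swap to drift apart; reading the value first keeps one format string: `unsigned int val = (a->attr_ptr == ptr_ext4_super_block_offset) ? le32_to_cpup(ptr) : *((unsigned int *) ptr);` then `return snprintf(buf, PAGE_SIZE, "%u\n", val);`. In the ext4_attr_store() hunk the new `*((__le32 *) ptr) = cpu_to_le32(t);` narrows the unsigned long from kstrtoul() with no range check, exactly as the replaced line did; the commit does not address it, and a bound on t (or kstrtouint) would make the sysfs write path reject out-of-range input instead of silently truncating it into the on-disk superblock field. Both functions start outside the hunk, so the declared type of `t` is inferred from the kstrtoul() call rather than seen.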
diff --git a/queue-4.9/kprobes-arm64-fix-p-uses-in-error-messages.patch b/queue-4.9/kprobes-arm64-fix-p-uses-in-error-messages.patch
new file mode 100644
index 00000000000..89cd329b4f7
--- /dev/null
+++ b/queue-4.9/kprobes-arm64-fix-p-uses-in-error-messages.patch
@@ -0,0 +1,52 @@
+From 0722867dcbc28cc9b269b57acd847c7c1aa638d6 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu
+Date: Sat, 28 Apr 2018 21:38:04 +0900
+Subject: kprobes/arm64: Fix %p uses in error messages
+
+From: Masami Hiramatsu
+
+commit 0722867dcbc28cc9b269b57acd847c7c1aa638d6 upstream.
+
+Fix %p uses in error messages by removing it because
+those are redundant or meaningless.
+
+Signed-off-by: Masami Hiramatsu
+Acked-by: Will Deacon
+Cc: Ananth N Mavinakayanahalli
+Cc: Anil S Keshavamurthy
+Cc: Arnd Bergmann
+Cc: David Howells
+Cc: David S . Miller
+Cc: Heiko Carstens
+Cc: Jon Medhurst
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Thomas Richter
+Cc: Tobin C . Harding
+Cc: acme@kernel.org
+Cc: akpm@linux-foundation.org
+Cc: brueckner@linux.vnet.ibm.com
+Cc: linux-arch@vger.kernel.org
+Cc: rostedt@goodmis.org
+Cc: schwidefsky@de.ibm.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/lkml/152491908405.9916.12425053035317241111.stgit@devbox
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/probes/kprobes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/probes/kprobes.c
++++ b/arch/arm64/kernel/probes/kprobes.c
+@@ -274,7 +274,7 @@ static int __kprobes reenter_kprobe(stru
+ break;
+ case KPROBE_HIT_SS:
+ case KPROBE_REENTER:
+- pr_warn("Unrecoverable kprobe detected at %p.\n", p->addr);
++ pr_warn("Unrecoverable kprobe detected.\n");
+ dump_kprobe(p);
+ BUG();
+ break;
diff --git a/queue-4.9/s390-kvm-fix-deadlock-when-killed-by-oom.patch b/queue-4.9/s390-kvm-fix-deadlock-when-killed-by-oom.patch
new file mode 100644
index 00000000000..303d5502f2a
--- /dev/null
+++ b/queue-4.9/s390-kvm-fix-deadlock-when-killed-by-oom.patch
@@ -0,0 +1,40 @@
+From 306d6c49ac9ded11114cb53b0925da52f2c2ada1 Mon Sep 17 00:00:00 2001
+From: Claudio Imbrenda
+Date: Mon, 16 Jul 2018 10:38:57 +0200
+Subject: s390/kvm: fix deadlock when killed by oom
+
+From: Claudio Imbrenda
+
+commit 306d6c49ac9ded11114cb53b0925da52f2c2ada1 upstream.
+
+When the oom killer kills a userspace process in the page fault handler
+while in guest context, the fault handler fails to release the mm_sem
+if the FAULT_FLAG_RETRY_NOWAIT option is set. This leads to a deadlock
+when tearing down the mm when the process terminates. This bug can only
+happen when pfault is enabled, so only KVM clients are affected.
+
+The problem arises in the rare cases in which handle_mm_fault does not
+release the mm_sem. This patch fixes the issue by manually releasing
+the mm_sem when needed.
+
+Fixes: 24eb3a824c4f3 ("KVM: s390: Add FAULT_FLAG_RETRY_NOWAIT for guest fault")
+Cc: # 3.15+
+Signed-off-by: Claudio Imbrenda
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/mm/fault.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -462,6 +462,8 @@ retry:
+ /* No reason to continue if interrupted by SIGKILL. */
+ if ((fault & VM_FAULT_RETRY) && fatal_signal_pending(current)) {
+ fault = VM_FAULT_SIGNAL;
++ if (flags & FAULT_FLAG_RETRY_NOWAIT)
++ goto out_up;
+ goto out;
+ }
+ if (unlikely(fault & VM_FAULT_ERROR))
diff --git a/queue-4.9/series b/queue-4.9/series
index 7f14ed79843..5748b2b9085 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
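Review bot: The new `goto out_up;` encodes the rule that handle_mm_fault() leaves mm_sem held when FAULT_FLAG_RETRY_NOWAIT is set and the fault is abandoned, but nothing in the hunk says so, and two adjacent gotos to different labels with no explanation are exactly what a later cleanup will "simplify". Suggest `/* with RETRY_NOWAIT the fault path returns with mm_sem still held; drop it before bailing out */` above the new test. The out_up and out labels lie outside the hunk, so it cannot be confirmed here that out_up releases the semaphore and then performs everything the plain out path does for the SIGKILL case; worth checking that nothing else the fatal-signal exit relies on is skipped.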
@@ -55,5 +55,10 @@ smb3-enumerating-snapshots-was-leaving-part-of-the-data-off-end.patch
 smb3-do-not-send-smb3-set_info-if-nothing-changed.patch
 smb3-don-t-request-leases-in-symlink-creation-and-query.patch
 smb3-fill-in-statfs-fsid-and-correct-namelen.patch
-btrfs-don-t-leak-ret-from-do_chunk_alloc.patch
+kprobes-arm64-fix-p-uses-in-error-messages.patch
+arm64-mm-check-for-upper-page_shift-bits-in-pfn_valid.patch
+s390-kvm-fix-deadlock-when-killed-by-oom.patch
+ext4-check-for-nul-characters-in-extended-attribute-s-name.patch
+ext4-sysfs-print-ext4_super_block-fields-as-little-endian.patch
+ext4-reset-error-code-in-ext4_find_entry-in-fallback.patch
 bpf-arm32-fix-stack-var-offset-in-jit.patch
-- 
2.47.3