From b1cd7285244cf9eb3156348f77b5044bc27c3c6f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 20 Mar 2019 18:25:41 +0100 Subject: [PATCH] 4.4-stable patches added patches: acpi-device_sysfs-avoid-of-modalias-creation-for-removed-device.patch cifs-fix-read-after-write-for-files-with-read-caching.patch crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch tracing-do-not-free-iter-trace-in-fail-path-of-tracing_open_pipe.patch --- ...modalias-creation-for-removed-device.patch | 75 +++++++++++++++++++ ...er-write-for-files-with-read-caching.patch | 54 +++++++++++++ ...-fix-logical-bug-in-aad-mac-handling.patch | 47 ++++++++++++ queue-4.4/series | 4 + ...ce-in-fail-path-of-tracing_open_pipe.patch | 39 ++++++++++ 5 files changed, 219 insertions(+) create mode 100644 queue-4.4/acpi-device_sysfs-avoid-of-modalias-creation-for-removed-device.patch create mode 100644 queue-4.4/cifs-fix-read-after-write-for-files-with-read-caching.patch create mode 100644 queue-4.4/crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch create mode 100644 queue-4.4/tracing-do-not-free-iter-trace-in-fail-path-of-tracing_open_pipe.patch
diff --git a/queue-4.4/acpi-device_sysfs-avoid-of-modalias-creation-for-removed-device.patch b/queue-4.4/acpi-device_sysfs-avoid-of-modalias-creation-for-removed-device.patch
new file mode 100644
index 00000000000..291acfa7695
--- /dev/null
+++ b/queue-4.4/acpi-device_sysfs-avoid-of-modalias-creation-for-removed-device.patch
@@ -0,0 +1,75 @@
+From f16eb8a4b096514ac06fb25bf599dcc792899b3d Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko
+Date: Mon, 11 Mar 2019 18:41:03 +0200
+Subject: ACPI / device_sysfs: Avoid OF modalias creation for removed device
+
+From: Andy Shevchenko
+
+commit f16eb8a4b096514ac06fb25bf599dcc792899b3d upstream.
+
+If SSDT overlay is loaded via ConfigFS and then unloaded the device,
+we would like to have OF modalias for, already gone. Thus, acpi_get_name()
+returns no allocated buffer for such case and kernel crashes afterwards:
+
+ ACPI: Host-directed Dynamic ACPI Table Unload
+ ads7950 spi-PRP0001:00: Dropping the link to regulator.0
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ #PF error: [normal kernel read fault]
+ PGD 80000000070d6067 P4D 80000000070d6067 PUD 70d0067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 0 PID: 40 Comm: kworker/u4:2 Not tainted 5.0.0+ #96
+ Hardware name: Intel Corporation Merrifield/BODEGA BAY, BIOS 542 2015.01.21:18.19.48
+ Workqueue: kacpi_hotplug acpi_device_del_work_fn
+ RIP: 0010:create_of_modalias.isra.1+0x4c/0x150
+ Code: 00 00 48 89 44 24 18 31 c0 48 8d 54 24 08 48 c7 44 24 10 00 00 00 00 48 c7 44 24 08 ff ff ff ff e8 7a b0 03 00 48 8b 4c 24 10 <0f> b6 01 84 c0 74 27 48 c7 c7 00 09 f4 a5 0f b6 f0 8d 50 20 f6 04
+ RSP: 0000:ffffa51040297c10 EFLAGS: 00010246
+ RAX: 0000000000001001 RBX: 0000000000000785 RCX: 0000000000000000
+ RDX: 0000000000001001 RSI: 0000000000000286 RDI: ffffa2163dc042e0
+ RBP: ffffa216062b1196 R08: 0000000000001001 R09: ffffa21639873000
+ R10: ffffffffa606761d R11: 0000000000000001 R12: ffffa21639873218
+ R13: ffffa2163deb5060 R14: ffffa216063d1010 R15: 0000000000000000
+ FS: 0000000000000000(0000) GS:ffffa2163e000000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 0000000007114000 CR4: 00000000001006f0
+ Call Trace:
+ __acpi_device_uevent_modalias+0xb0/0x100
+ spi_uevent+0xd/0x40
+
+ ...
+
+In order to fix above let create_of_modalias() check the status returned
+by acpi_get_name() and bail out in case of failure.
+
+Fixes: 8765c5ba1949 ("ACPI / scan: Rework modalias creation when "compatible" is present")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=201381
+Reported-by: Ferry Toth
+Tested-by: Ferry Toth
+Signed-off-by: Andy Shevchenko
+Reviewed-by: Mika Westerberg
+Cc: 4.1+ # 4.1+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/device_sysfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/device_sysfs.c
++++ b/drivers/acpi/device_sysfs.c
+@@ -202,11 +202,15 @@ static int create_of_modalias(struct acp
+ {
+ struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER };
+ const union acpi_object *of_compatible, *obj;
++ acpi_status status;
+ int len, count;
+ int i, nval;
+ char *c;
+
+- acpi_get_name(acpi_dev->handle, ACPI_SINGLE_NAME, &buf);
++ status = acpi_get_name(acpi_dev->handle, ACPI_SINGLE_NAME, &buf);
++ if (ACPI_FAILURE(status))
++ return -ENODEV;
++
+ /* DT strings are all in lower case */
+ for (c = buf.pointer; *c != '\0'; c++)
+ *c = tolower(*c);
diff --git a/queue-4.4/cifs-fix-read-after-write-for-files-with-read-caching.patch b/queue-4.4/cifs-fix-read-after-write-for-files-with-read-caching.patch
new file mode 100644
index 00000000000..312afb3286f
--- /dev/null
+++ b/queue-4.4/cifs-fix-read-after-write-for-files-with-read-caching.patch
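Review bot: The new `return -ENODEV;` in create_of_modalias() has no comment saying when acpi_get_name() can fail, so the only record that this guards a NULL `buf.pointer` for an already-removed device is the commit message. A one-line comment above the check, such as `/* Node may be gone after a table unload; buf.pointer is not allocated on failure */`, would keep a later cleanup from dropping the check as redundant. The function continues past the end of the hunk and its callers are not shown, so how the new negative return is handled up the uevent path, and whether `buf.pointer` is released on the later exits, should be confirmed against the 4.4 tree.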
@@ -0,0 +1,54 @@
+From 6dfbd84684700cb58b34e8602c01c12f3d2595c8 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky
+Date: Mon, 4 Mar 2019 17:48:01 -0800
+Subject: CIFS: Fix read after write for files with read caching
+
+From: Pavel Shilovsky
+
+commit 6dfbd84684700cb58b34e8602c01c12f3d2595c8 upstream.
+
+When we have a READ lease for a file and have just issued a write
+operation to the server we need to purge the cache and set oplock/lease
+level to NONE to avoid reading stale data. Currently we do that
+only if a write operation succedeed thus not covering cases when
+a request was sent to the server but a negative error code was
+returned later for some other reasons (e.g. -EIOCBQUEUED or -EINTR).
+Fix this by turning off caching regardless of the error code being
+returned.
+
+The patches fixes generic tests 075 and 112 from the xfs-tests.
+
+Cc:
+Signed-off-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/file.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -2753,14 +2753,16 @@ cifs_strict_writev(struct kiocb *iocb, s
+ * these pages but not on the region from pos to ppos+len-1.
+ */
+ written = cifs_user_writev(iocb, from);
+- if (written > 0 && CIFS_CACHE_READ(cinode)) {
++ if (CIFS_CACHE_READ(cinode)) {
+ /*
+- * Windows 7 server can delay breaking level2 oplock if a write
+- * request comes - break it on the client to prevent reading
+- * an old data.
++ * We have read level caching and we have just sent a write
++ * request to the server thus making data in the cache stale.
++ * Zap the cache and set oplock/lease level to NONE to avoid
++ * reading stale data from the cache. All subsequent read
++ * operations will read new data from the server.
+ */
+ cifs_zap_mapping(inode);
+- cifs_dbg(FYI, "Set no oplock for inode=%p after a write operation\n",
++ cifs_dbg(FYI, "Set Oplock/Lease to NONE for inode=%p after write\n",
+ inode);
+ cinode->oplock = 0;
+ }
diff --git a/queue-4.4/crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch b/queue-4.4/crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch
new file mode 100644
index 00000000000..2a724fd4f3f
--- /dev/null
+++ b/queue-4.4/crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch
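Review bot: The rewritten comment in cifs_strict_writev() says a write request has just been sent, but the condition no longer looks at `written`, so the block also runs for error returns where, presumably, nothing reached the server. Dropping the cache in that case costs only a re-read, so the code can stay as it is. The comment should match what the condition guarantees, for example `We have read level caching and may have just sent a write request to the server, so cached data can be stale.` The enclosing function starts and ends outside the hunk.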
@@ -0,0 +1,47 @@
+From eaf46edf6ea89675bd36245369c8de5063a0272c Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Thu, 24 Jan 2019 17:33:45 +0100
+Subject: crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
+
+From: Ard Biesheuvel
+
+commit eaf46edf6ea89675bd36245369c8de5063a0272c upstream.
+
+The NEON MAC calculation routine fails to handle the case correctly
+where there is some data in the buffer, and the input fills it up
+exactly. In this case, we enter the loop at the end with w8 == 0,
+while a negative value is assumed, and so the loop carries on until
+the increment of the 32-bit counter wraps around, which is quite
+obviously wrong.
+
+So omit the loop altogether in this case, and exit right away.
+
+Reported-by: Eric Biggers
+Fixes: a3fd82105b9d1 ("arm64/crypto: AES in CCM mode using ARMv8 Crypto ...")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/crypto/aes-ce-ccm-core.S | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/crypto/aes-ce-ccm-core.S
++++ b/arch/arm64/crypto/aes-ce-ccm-core.S
+@@ -74,12 +74,13 @@ ENTRY(ce_aes_ccm_auth_data)
+ beq 10f
+ ext v0.16b, v0.16b, v0.16b, #1 /* rotate out the mac bytes */
+ b 7b
+-8: mov w7, w8
++8: cbz w8, 91f
++ mov w7, w8
+ add w8, w8, #16
+ 9: ext v1.16b, v1.16b, v1.16b, #1
+ adds w7, w7, #1
+ bne 9b
+- eor v0.16b, v0.16b, v1.16b
++91: eor v0.16b, v0.16b, v1.16b
+ st1 {v0.16b}, [x0]
+ 10: str w8, [x3]
+ ret
diff --git a/queue-4.4/series b/queue-4.4/series
index 8c44423f4a7..ed1f8eeefcf 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
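Review bot: The new `cbz w8, 91f` at label 8 in ce_aes_ccm_auth_data carries no comment, and the invariant it protects is stated only in the commit message: the loop at label 9 assumes w8 is negative on entry. Suggest annotating the line, e.g. `8: cbz w8, 91f /* w8 == 0: input filled the buffer exactly, skip the rotate loop */`. Since the failure case is a specific AAD length relative to what is already buffered, a self-test vector that hits exactly that boundary would pin the fix; none is visible in this queue entry. The routine starts before the hunk.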
@@ -175,3 +175,7 @@ mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
 net-set-static-variable-an-initial-value-in-atl2_pro.patch
 tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
 stm-class-prevent-division-by-zero.patch
+crypto-arm64-aes-ccm-fix-logical-bug-in-aad-mac-handling.patch
+cifs-fix-read-after-write-for-files-with-read-caching.patch
+tracing-do-not-free-iter-trace-in-fail-path-of-tracing_open_pipe.patch
+acpi-device_sysfs-avoid-of-modalias-creation-for-removed-device.patch
diff --git a/queue-4.4/tracing-do-not-free-iter-trace-in-fail-path-of-tracing_open_pipe.patch b/queue-4.4/tracing-do-not-free-iter-trace-in-fail-path-of-tracing_open_pipe.patch
new file mode 100644
index 00000000000..0c28d00b42b
--- /dev/null
+++ b/queue-4.4/tracing-do-not-free-iter-trace-in-fail-path-of-tracing_open_pipe.patch
@@ -0,0 +1,39 @@
+From e7f0c424d0806b05d6f47be9f202b037eb701707 Mon Sep 17 00:00:00 2001
+From: "zhangyi (F)"
+Date: Wed, 13 Feb 2019 20:29:06 +0800
+Subject: tracing: Do not free iter->trace in fail path of tracing_open_pipe()
+
+From: zhangyi (F)
+
+commit e7f0c424d0806b05d6f47be9f202b037eb701707 upstream.
+
+Commit d716ff71dd12 ("tracing: Remove taking of trace_types_lock in
+pipe files") use the current tracer instead of the copy in
+tracing_open_pipe(), but it forget to remove the freeing sentence in
+the error path.
+
+There's an error path that can call kfree(iter->trace) after the iter->trace
+was assigned to tr->current_trace, which would be bad to free.
+
+Link: http://lkml.kernel.org/r/1550060946-45984-1-git-send-email-yi.zhang@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: d716ff71dd12 ("tracing: Remove taking of trace_types_lock in pipe files")
+Signed-off-by: zhangyi (F)
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4646,7 +4646,6 @@ out:
+ return ret;
+
+ fail:
+- kfree(iter->trace);
+ kfree(iter);
+ __trace_array_put(tr);
+ mutex_unlock(&trace_types_lock);
-- 2.47.2