From d9782a26843561379ed863902373144e632f5b41 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 7 Sep 2018 14:57:31 +0200 Subject: [PATCH] 4.4-stable patches added patches: bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch fs-quota-fix-spectre-gadget-in-do_quotactl.patch getxattr-use-correct-xattr-length.patch iommu-vt-d-add-definitions-for-pfsid.patch iommu-vt-d-fix-dev-iotlb-pfsid-use.patch mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch osf_getdomainname-use-copy_to_user.patch perf-auxtrace-fix-queue-resize.patch pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch revert-ubifs-fix-potential-integer-overflow-in-allocation.patch sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch ubifs-check-data-node-size-before-truncate.patch ubifs-fix-memory-leak-in-lprobs-self-check.patch ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch udlfb-set-optimal-write-delay.patch userns-move-user-access-out-of-the-mutex.patch --- ...ock-properly-in-bch_writeback_thread.patch | 39 ++ ...-when-the-user-unplugs-a-usb-adapter.patch | 124 +++++ ...ta-fix-spectre-gadget-in-do_quotactl.patch | 76 +++ .../getxattr-use-correct-xattr-length.patch | 134 ++++++ ...iommu-vt-d-add-definitions-for-pfsid.patch | 64 +++ .../iommu-vt-d-fix-dev-iotlb-pfsid-use.patch | 94 ++++ ...emove_table-non-concurrent-condition.patch | 52 ++ .../osf_getdomainname-use-copy_to_user.patch | 53 ++ .../perf-auxtrace-fix-queue-resize.patch | 37 ++ ...rpwm-fix-disabling-of-output-of-pwms.patch | 39 ++ ...ntial-integer-overflow-in-allocation.patch | 34 ++ queue-4.4/series | 17 + ...sem-while-accessing-userspace-memory.patch | 453 ++++++++++++++++++ ...check-data-node-size-before-truncate.patch | 46 ++ ...fix-memory-leak-in-lprobs-self-check.patch | 45 ++ ..._i_size-calculation-for-xattr-inodes.patch | 41 ++ queue-4.4/udlfb-set-optimal-write-delay.patch | 39 ++ ...ns-move-user-access-out-of-the-mutex.patch | 66 +++ 18 files changed, 1453 insertions(+) create mode 100644 queue-4.4/bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch create mode 100644 queue-4.4/fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch create mode 100644 queue-4.4/fs-quota-fix-spectre-gadget-in-do_quotactl.patch create mode 100644 queue-4.4/getxattr-use-correct-xattr-length.patch create mode 100644 queue-4.4/iommu-vt-d-add-definitions-for-pfsid.patch create mode 100644 queue-4.4/iommu-vt-d-fix-dev-iotlb-pfsid-use.patch create mode 100644 queue-4.4/mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch create mode 100644 queue-4.4/osf_getdomainname-use-copy_to_user.patch create mode 100644 queue-4.4/perf-auxtrace-fix-queue-resize.patch create mode 100644 queue-4.4/pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch create mode 100644 queue-4.4/revert-ubifs-fix-potential-integer-overflow-in-allocation.patch create mode 100644 queue-4.4/sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch create mode 100644 queue-4.4/ubifs-check-data-node-size-before-truncate.patch create mode 100644 queue-4.4/ubifs-fix-memory-leak-in-lprobs-self-check.patch create mode 100644 queue-4.4/ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch create mode 100644 queue-4.4/udlfb-set-optimal-write-delay.patch create mode 100644 queue-4.4/userns-move-user-access-out-of-the-mutex.patch diff --git a/queue-4.4/bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch b/queue-4.4/bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch new file mode 100644 index 00000000000..fc00c420c13 --- /dev/null +++ b/queue-4.4/bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch @@ -0,0 +1,39 @@ +From 3943b040f11ed0cc6d4585fd286a623ca8634547 Mon Sep 17 00:00:00 2001 +From: Shan Hai +Date: Thu, 23 Aug 2018 02:02:56 +0800 +Subject: bcache: release dc->writeback_lock properly in bch_writeback_thread() + +From: Shan Hai + +commit 3943b040f11ed0cc6d4585fd286a623ca8634547 upstream. + +The writeback thread would exit with a lock held when the cache device +is detached via sysfs interface, fix it by releasing the held lock +before exiting the while-loop. + +Fixes: fadd94e05c02 (bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set) +Signed-off-by: Shan Hai +Signed-off-by: Coly Li +Tested-by: Shenghui Wang +Cc: stable@vger.kernel.org #4.17+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/writeback.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -462,8 +462,10 @@ static int bch_writeback_thread(void *ar + * data on cache. BCACHE_DEV_DETACHING flag is set in + * bch_cached_dev_detach(). + */ +- if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) ++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) { ++ up_write(&dc->writeback_lock); + break; ++ } + } + + up_write(&dc->writeback_lock); diff --git a/queue-4.4/fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch b/queue-4.4/fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch new file mode 100644 index 00000000000..951589a48fe --- /dev/null +++ b/queue-4.4/fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch @@ -0,0 +1,124 @@ +From 8c5b044299951acd91e830a688dd920477ea1eda Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 25 Jul 2018 15:41:54 +0200 +Subject: fb: fix lost console when the user unplugs a USB adapter + +From: Mikulas Patocka + +commit 8c5b044299951acd91e830a688dd920477ea1eda upstream. + +I have a USB display adapter using the udlfb driver and I use it on an ARM +board that doesn't have any graphics card. When I plug the adapter in, the +console is properly displayed, however when I unplug and re-plug the +adapter, the console is not displayed and I can't access it until I reboot +the board. + +The reason is this: +When the adapter is unplugged, dlfb_usb_disconnect calls +unlink_framebuffer, then it waits until the reference count drops to zero +and then it deallocates the framebuffer. However, the console that is +attached to the framebuffer device keeps the reference count non-zero, so +the framebuffer device is never destroyed. When the USB adapter is plugged +again, it creates a new device /dev/fb1 and the console is not attached to +it. + +This patch fixes the bug by unbinding the console from unlink_framebuffer. +The code to unbind the console is moved from do_unregister_framebuffer to +a function unbind_console. When the console is unbound, the reference +count drops to zero and the udlfb driver frees the framebuffer. When the +adapter is plugged back, a new framebuffer is created and the console is +attached to it. + +Signed-off-by: Mikulas Patocka +Cc: Dave Airlie +Cc: Bernie Thompson +Cc: Ladislav Michl +Cc: stable@vger.kernel.org +[b.zolnierkie: preserve old behavior for do_unregister_framebuffer()] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/core/fbmem.c | 38 ++++++++++++++++++++++++++++++++------ + 1 file changed, 32 insertions(+), 6 deletions(-) + +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -1687,12 +1687,12 @@ static int do_register_framebuffer(struc + return 0; + } + +-static int do_unregister_framebuffer(struct fb_info *fb_info) ++static int unbind_console(struct fb_info *fb_info) + { + struct fb_event event; +- int i, ret = 0; ++ int ret; ++ int i = fb_info->node; + +- i = fb_info->node; + if (i < 0 || i >= FB_MAX || registered_fb[i] != fb_info) + return -EINVAL; + +@@ -1707,17 +1707,29 @@ static int do_unregister_framebuffer(str + unlock_fb_info(fb_info); + console_unlock(); + ++ return ret; ++} ++ ++static int __unlink_framebuffer(struct fb_info *fb_info); ++ ++static int do_unregister_framebuffer(struct fb_info *fb_info) ++{ ++ struct fb_event event; ++ int ret; ++ ++ ret = unbind_console(fb_info); ++ + if (ret) + return -EINVAL; + + pm_vt_switch_unregister(fb_info->dev); + +- unlink_framebuffer(fb_info); ++ __unlink_framebuffer(fb_info); + if (fb_info->pixmap.addr && + (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT)) + kfree(fb_info->pixmap.addr); + fb_destroy_modelist(&fb_info->modelist); +- registered_fb[i] = NULL; ++ registered_fb[fb_info->node] = NULL; + num_registered_fb--; + fb_cleanup_device(fb_info); + event.info = fb_info; +@@ -1730,7 +1742,7 @@ static int do_unregister_framebuffer(str + return 0; + } + +-int unlink_framebuffer(struct fb_info *fb_info) ++static int __unlink_framebuffer(struct fb_info *fb_info) + { + int i; + +@@ -1742,6 +1754,20 @@ int unlink_framebuffer(struct fb_info *f + device_destroy(fb_class, MKDEV(FB_MAJOR, i)); + fb_info->dev = NULL; + } ++ ++ return 0; ++} ++ ++int unlink_framebuffer(struct fb_info *fb_info) ++{ ++ int ret; ++ ++ ret = __unlink_framebuffer(fb_info); ++ if (ret) ++ return ret; ++ ++ unbind_console(fb_info); ++ + return 0; + } + EXPORT_SYMBOL(unlink_framebuffer); diff --git a/queue-4.4/fs-quota-fix-spectre-gadget-in-do_quotactl.patch b/queue-4.4/fs-quota-fix-spectre-gadget-in-do_quotactl.patch new file mode 100644 index 00000000000..743ae6ca3a6 --- /dev/null +++ b/queue-4.4/fs-quota-fix-spectre-gadget-in-do_quotactl.patch @@ -0,0 +1,76 @@ +From 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 Mon Sep 17 00:00:00 2001 +From: Jeremy Cline +Date: Tue, 31 Jul 2018 01:37:31 +0000 +Subject: fs/quota: Fix spectre gadget in do_quotactl + +From: Jeremy Cline + +commit 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 upstream. + +'type' is user-controlled, so sanitize it after the bounds check to +avoid using it in speculative execution. This covers the following +potential gadgets detected with the help of smatch: + +* fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue + 'sb_dqopt(sb)->files' [r] +* fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue + 'sb_dqopt(sb)->files' [r] +* fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue + 'sb_dqopt(sb)->files' [r] +* fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue + 'sb_dqopt(sb)->files' [r] +* fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue + 'sb_dqopt(sb)->info' [w] +* fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue + 'dquots' [r] +* fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre + issue 'dqopt->ops' [r] +* fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre + issue 'dqopt->files' [w] (local cap) +* fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre + issue 'dqopt->ops' [w] (local cap) +* fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre + issue 'dqopt->info' [w] (local cap) +* fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue + 'sb_dqopt(sb)->info' [r] +* fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre + issue 'quota_magics' [w] +* fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre + issue 'quota_versions' [w] +* fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre + issue 'dqopt->info' [r] +* fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre + issue 'dqopt->info' [r] + +Additionally, a quick inspection indicates there are array accesses with +'type' in quota_on() and quota_off() functions which are also addressed +by this. + +Cc: Josh Poimboeuf +Cc: stable@vger.kernel.org +Signed-off-by: Jeremy Cline +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/quota/quota.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/quota/quota.c ++++ b/fs/quota/quota.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + static int check_quotactl_permission(struct super_block *sb, int type, int cmd, + qid_t id) +@@ -644,6 +645,7 @@ static int do_quotactl(struct super_bloc + + if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS)) + return -EINVAL; ++ type = array_index_nospec(type, MAXQUOTAS); + /* + * Quota not supported on this fs? Check this before s_quota_types + * since they needn't be set if quota is not supported at all. diff --git a/queue-4.4/getxattr-use-correct-xattr-length.patch b/queue-4.4/getxattr-use-correct-xattr-length.patch new file mode 100644 index 00000000000..657a42b2fe8 --- /dev/null +++ b/queue-4.4/getxattr-use-correct-xattr-length.patch @@ -0,0 +1,134 @@ +From 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Thu, 7 Jun 2018 13:43:48 +0200 +Subject: getxattr: use correct xattr length + +From: Christian Brauner + +commit 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 upstream. + +When running in a container with a user namespace, if you call getxattr +with name = "system.posix_acl_access" and size % 8 != 4, then getxattr +silently skips the user namespace fixup that it normally does resulting in +un-fixed-up data being returned. +This is caused by posix_acl_fix_xattr_to_user() being passed the total +buffer size and not the actual size of the xattr as returned by +vfs_getxattr(). +This commit passes the actual length of the xattr as returned by +vfs_getxattr() down. + +A reproducer for the issue is: + + touch acl_posix + + setfacl -m user:0:rwx acl_posix + +and the compile: + + #define _GNU_SOURCE + #include + #include + #include + #include + #include + #include + #include + + /* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */ + int main(int argc, void **argv) + { + ssize_t ret1, ret2; + char buf1[128], buf2[132]; + int fret = EXIT_SUCCESS; + char *file; + + if (argc < 2) { + fprintf(stderr, + "Please specify a file with " + "\"system.posix_acl_access\" permissions set\n"); + _exit(EXIT_FAILURE); + } + file = argv[1]; + + ret1 = getxattr(file, "system.posix_acl_access", + buf1, sizeof(buf1)); + if (ret1 < 0) { + fprintf(stderr, "%s - Failed to retrieve " + "\"system.posix_acl_access\" " + "from \"%s\"\n", strerror(errno), file); + _exit(EXIT_FAILURE); + } + + ret2 = getxattr(file, "system.posix_acl_access", + buf2, sizeof(buf2)); + if (ret2 < 0) { + fprintf(stderr, "%s - Failed to retrieve " + "\"system.posix_acl_access\" " + "from \"%s\"\n", strerror(errno), file); + _exit(EXIT_FAILURE); + } + + if (ret1 != ret2) { + fprintf(stderr, "The value of \"system.posix_acl_" + "access\" for file \"%s\" changed " + "between two successive calls\n", file); + _exit(EXIT_FAILURE); + } + + for (ssize_t i = 0; i < ret2; i++) { + if (buf1[i] == buf2[i]) + continue; + + fprintf(stderr, + "Unexpected different in byte %zd: " + "%02x != %02x\n", i, buf1[i], buf2[i]); + fret = EXIT_FAILURE; + } + + if (fret == EXIT_SUCCESS) + fprintf(stderr, "Test passed\n"); + else + fprintf(stderr, "Test failed\n"); + + _exit(fret); + } +and run: + + ./tester acl_posix + +On a non-fixed up kernel this should return something like: + + root@c1:/# ./t + Unexpected different in byte 16: ffffffa0 != 00 + Unexpected different in byte 17: ffffff86 != 00 + Unexpected different in byte 18: 01 != 00 + +and on a fixed kernel: + + root@c1:~# ./t + Test passed + +Cc: stable@vger.kernel.org +Fixes: 2f6f0654ab61 ("userns: Convert vfs posix_acl support to use kuids and kgids") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945 +Reported-by: Colin Watson +Signed-off-by: Christian Brauner +Acked-by: Serge Hallyn +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -453,7 +453,7 @@ getxattr(struct dentry *d, const char __ + if (error > 0) { + if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || + (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) +- posix_acl_fix_xattr_to_user(kvalue, size); ++ posix_acl_fix_xattr_to_user(kvalue, error); + if (size && copy_to_user(value, kvalue, error)) + error = -EFAULT; + } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) { diff --git a/queue-4.4/iommu-vt-d-add-definitions-for-pfsid.patch b/queue-4.4/iommu-vt-d-add-definitions-for-pfsid.patch new file mode 100644 index 00000000000..b4c53ada985 --- /dev/null +++ b/queue-4.4/iommu-vt-d-add-definitions-for-pfsid.patch @@ -0,0 +1,64 @@ +From 0f725561e168485eff7277d683405c05b192f537 Mon Sep 17 00:00:00 2001 +From: Jacob Pan +Date: Thu, 7 Jun 2018 09:56:59 -0700 +Subject: iommu/vt-d: Add definitions for PFSID + +From: Jacob Pan + +commit 0f725561e168485eff7277d683405c05b192f537 upstream. + +When SRIOV VF device IOTLB is invalidated, we need to provide +the PF source ID such that IOMMU hardware can gauge the depth +of invalidation queue which is shared among VFs. This is needed +when device invalidation throttle (DIT) capability is supported. + +This patch adds bit definitions for checking and tracking PFSID. + +Signed-off-by: Jacob Pan +Cc: stable@vger.kernel.org +Cc: "Ashok Raj" +Cc: "Lu Baolu" +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 1 + + include/linux/intel-iommu.h | 3 +++ + 2 files changed, 4 insertions(+) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -419,6 +419,7 @@ struct device_domain_info { + struct list_head global; /* link to global list */ + u8 bus; /* PCI bus number */ + u8 devfn; /* PCI devfn number */ ++ u16 pfsid; /* SRIOV physical function source ID */ + u8 pasid_supported:3; + u8 pasid_enabled:1; + u8 pri_supported:1; +--- a/include/linux/intel-iommu.h ++++ b/include/linux/intel-iommu.h +@@ -125,6 +125,7 @@ static inline void dmar_writeq(void __io + * Extended Capability Register + */ + ++#define ecap_dit(e) ((e >> 41) & 0x1) + #define ecap_pasid(e) ((e >> 40) & 0x1) + #define ecap_pss(e) ((e >> 35) & 0x1f) + #define ecap_eafs(e) ((e >> 34) & 0x1) +@@ -294,6 +295,7 @@ enum { + #define QI_DEV_IOTLB_SID(sid) ((u64)((sid) & 0xffff) << 32) + #define QI_DEV_IOTLB_QDEP(qdep) (((qdep) & 0x1f) << 16) + #define QI_DEV_IOTLB_ADDR(addr) ((u64)(addr) & VTD_PAGE_MASK) ++#define QI_DEV_IOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52)) + #define QI_DEV_IOTLB_SIZE 1 + #define QI_DEV_IOTLB_MAX_INVS 32 + +@@ -318,6 +320,7 @@ enum { + #define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32) + #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16) + #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4) ++#define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52)) + #define QI_DEV_EIOTLB_MAX_INVS 32 + + #define QI_PGRP_IDX(idx) (((u64)(idx)) << 55) diff --git a/queue-4.4/iommu-vt-d-fix-dev-iotlb-pfsid-use.patch b/queue-4.4/iommu-vt-d-fix-dev-iotlb-pfsid-use.patch new file mode 100644 index 00000000000..bd41e9566df --- /dev/null +++ b/queue-4.4/iommu-vt-d-fix-dev-iotlb-pfsid-use.patch @@ -0,0 +1,94 @@ +From 1c48db44924298ad0cb5a6386b88017539be8822 Mon Sep 17 00:00:00 2001 +From: Jacob Pan +Date: Thu, 7 Jun 2018 09:57:00 -0700 +Subject: iommu/vt-d: Fix dev iotlb pfsid use + +From: Jacob Pan + +commit 1c48db44924298ad0cb5a6386b88017539be8822 upstream. + +PFSID should be used in the invalidation descriptor for flushing +device IOTLBs on SRIOV VFs. + +Signed-off-by: Jacob Pan +Cc: stable@vger.kernel.org +Cc: "Ashok Raj" +Cc: "Lu Baolu" +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/dmar.c | 6 +++--- + drivers/iommu/intel-iommu.c | 17 ++++++++++++++++- + include/linux/intel-iommu.h | 5 ++--- + 3 files changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -1315,8 +1315,8 @@ void qi_flush_iotlb(struct intel_iommu * + qi_submit_sync(&desc, iommu); + } + +-void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep, +- u64 addr, unsigned mask) ++void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid, ++ u16 qdep, u64 addr, unsigned mask) + { + struct qi_desc desc; + +@@ -1331,7 +1331,7 @@ void qi_flush_dev_iotlb(struct intel_iom + qdep = 0; + + desc.low = QI_DEV_IOTLB_SID(sid) | QI_DEV_IOTLB_QDEP(qdep) | +- QI_DIOTLB_TYPE; ++ QI_DIOTLB_TYPE | QI_DEV_IOTLB_PFSID(pfsid); + + qi_submit_sync(&desc, iommu); + } +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -1480,6 +1480,20 @@ static void iommu_enable_dev_iotlb(struc + return; + + pdev = to_pci_dev(info->dev); ++ /* For IOMMU that supports device IOTLB throttling (DIT), we assign ++ * PFSID to the invalidation desc of a VF such that IOMMU HW can gauge ++ * queue depth at PF level. If DIT is not set, PFSID will be treated as ++ * reserved, which should be set to 0. ++ */ ++ if (!ecap_dit(info->iommu->ecap)) ++ info->pfsid = 0; ++ else { ++ struct pci_dev *pf_pdev; ++ ++ /* pdev will be returned if device is not a vf */ ++ pf_pdev = pci_physfn(pdev); ++ info->pfsid = PCI_DEVID(pf_pdev->bus->number, pf_pdev->devfn); ++ } + + #ifdef CONFIG_INTEL_IOMMU_SVM + /* The PCIe spec, in its wisdom, declares that the behaviour of +@@ -1538,7 +1552,8 @@ static void iommu_flush_dev_iotlb(struct + + sid = info->bus << 8 | info->devfn; + qdep = info->ats_qdep; +- qi_flush_dev_iotlb(info->iommu, sid, qdep, addr, mask); ++ qi_flush_dev_iotlb(info->iommu, sid, info->pfsid, ++ qdep, addr, mask); + } + spin_unlock_irqrestore(&device_domain_lock, flags); + } +--- a/include/linux/intel-iommu.h ++++ b/include/linux/intel-iommu.h +@@ -466,9 +466,8 @@ extern void qi_flush_context(struct inte + u8 fm, u64 type); + extern void qi_flush_iotlb(struct intel_iommu *iommu, u16 did, u64 addr, + unsigned int size_order, u64 type); +-extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep, +- u64 addr, unsigned mask); +- ++extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid, ++ u16 qdep, u64 addr, unsigned mask); + extern int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu); + + extern int dmar_ir_support(void); diff --git a/queue-4.4/mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch b/queue-4.4/mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch new file mode 100644 index 00000000000..224cc29a64b --- /dev/null +++ b/queue-4.4/mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch @@ -0,0 +1,52 @@ +From a6f572084fbee8b30f91465f4a085d7a90901c57 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 22 Aug 2018 17:30:14 +0200 +Subject: mm/tlb: Remove tlb_remove_table() non-concurrent condition + +From: Peter Zijlstra + +commit a6f572084fbee8b30f91465f4a085d7a90901c57 upstream. + +Will noted that only checking mm_users is incorrect; we should also +check mm_count in order to cover CPUs that have a lazy reference to +this mm (and could do speculative TLB operations). + +If removing this turns out to be a performance issue, we can +re-instate a more complete check, but in tlb_table_flush() eliding the +call_rcu_sched(). + +Fixes: 267239116987 ("mm, powerpc: move the RCU page-table freeing into generic code") +Reported-by: Will Deacon +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Rik van Riel +Acked-by: Will Deacon +Cc: Nicholas Piggin +Cc: David Miller +Cc: Martin Schwidefsky +Cc: Michael Ellerman +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -361,15 +361,6 @@ void tlb_remove_table(struct mmu_gather + { + struct mmu_table_batch **batch = &tlb->batch; + +- /* +- * When there's less then two users of this mm there cannot be a +- * concurrent page-table walk. +- */ +- if (atomic_read(&tlb->mm->mm_users) < 2) { +- __tlb_remove_table(table); +- return; +- } +- + if (*batch == NULL) { + *batch = (struct mmu_table_batch *)__get_free_page(GFP_NOWAIT | __GFP_NOWARN); + if (*batch == NULL) { diff --git a/queue-4.4/osf_getdomainname-use-copy_to_user.patch b/queue-4.4/osf_getdomainname-use-copy_to_user.patch new file mode 100644 index 00000000000..fe23d2f9a3c --- /dev/null +++ b/queue-4.4/osf_getdomainname-use-copy_to_user.patch @@ -0,0 +1,53 @@ +From 9ba3eb5103cf56f0daaf07de4507df76e7813ed7 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 13 May 2017 21:39:49 -0400 +Subject: osf_getdomainname(): use copy_to_user() + +From: Al Viro + +commit 9ba3eb5103cf56f0daaf07de4507df76e7813ed7 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/kernel/osf_sys.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +--- a/arch/alpha/kernel/osf_sys.c ++++ b/arch/alpha/kernel/osf_sys.c +@@ -561,25 +561,20 @@ SYSCALL_DEFINE0(getdtablesize) + */ + SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen) + { +- unsigned len; +- int i; ++ int len, err = 0; ++ char *kname; + +- if (!access_ok(VERIFY_WRITE, name, namelen)) +- return -EFAULT; +- +- len = namelen; +- if (len > 32) +- len = 32; ++ if (namelen > 32) ++ namelen = 32; + + down_read(&uts_sem); +- for (i = 0; i < len; ++i) { +- __put_user(utsname()->domainname[i], name + i); +- if (utsname()->domainname[i] == '\0') +- break; +- } ++ kname = utsname()->domainname; ++ len = strnlen(kname, namelen); ++ if (copy_to_user(name, kname, min(len + 1, namelen))) ++ err = -EFAULT; + up_read(&uts_sem); + +- return 0; ++ return err; + } + + /* diff --git a/queue-4.4/perf-auxtrace-fix-queue-resize.patch b/queue-4.4/perf-auxtrace-fix-queue-resize.patch new file mode 100644 index 00000000000..f8fb0f3e494 --- /dev/null +++ b/queue-4.4/perf-auxtrace-fix-queue-resize.patch @@ -0,0 +1,37 @@ +From 99cbbe56eb8bede625f410ab62ba34673ffa7d21 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Tue, 14 Aug 2018 11:46:08 +0300 +Subject: perf auxtrace: Fix queue resize + +From: Adrian Hunter + +commit 99cbbe56eb8bede625f410ab62ba34673ffa7d21 upstream. + +When the number of queues grows beyond 32, the array of queues is +resized but not all members were being copied. Fix by also copying +'tid', 'cpu' and 'set'. + +Signed-off-by: Adrian Hunter +Cc: Jiri Olsa +Cc: stable@vger.kernel.org +Fixes: e502789302a6e ("perf auxtrace: Add helpers for queuing AUX area tracing data") +Link: http://lkml.kernel.org/r/20180814084608.6563-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/util/auxtrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/tools/perf/util/auxtrace.c ++++ b/tools/perf/util/auxtrace.c +@@ -186,6 +186,9 @@ static int auxtrace_queues__grow(struct + for (i = 0; i < queues->nr_queues; i++) { + list_splice_tail(&queues->queue_array[i].head, + &queue_array[i].head); ++ queue_array[i].tid = queues->queue_array[i].tid; ++ queue_array[i].cpu = queues->queue_array[i].cpu; ++ queue_array[i].set = queues->queue_array[i].set; + queue_array[i].priv = queues->queue_array[i].priv; + } + diff --git a/queue-4.4/pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch b/queue-4.4/pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch new file mode 100644 index 00000000000..4fd3fa2b323 --- /dev/null +++ b/queue-4.4/pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch @@ -0,0 +1,39 @@ +From 38dabd91ff0bde33352ca3cc65ef515599b77a05 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Mon, 11 Jun 2018 11:39:56 +0530 +Subject: pwm: tiehrpwm: Fix disabling of output of PWMs + +From: Vignesh R + +commit 38dabd91ff0bde33352ca3cc65ef515599b77a05 upstream. + +pwm-tiehrpwm driver disables PWM output by putting it in low output +state via active AQCSFRC register in ehrpwm_pwm_disable(). But, the +AQCSFRC shadow register is not updated. Therefore, when shadow AQCSFRC +register is re-enabled in ehrpwm_pwm_enable() (say to enable second PWM +output), previous settings are lost as shadow register value is loaded +into active register. This results in things like PWMA getting enabled +automatically, when PWMB is enabled and vice versa. Fix this by +updating AQCSFRC shadow register as well during ehrpwm_pwm_disable(). + +Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM") +Cc: stable@vger.kernel.org +Signed-off-by: Vignesh R +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pwm/pwm-tiehrpwm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pwm/pwm-tiehrpwm.c ++++ b/drivers/pwm/pwm-tiehrpwm.c +@@ -384,6 +384,8 @@ static void ehrpwm_pwm_disable(struct pw + aqcsfrc_mask = AQCSFRC_CSFA_MASK; + } + ++ /* Update shadow register first before modifying active register */ ++ ehrpwm_modify(pc->mmio_base, AQCSFRC, aqcsfrc_mask, aqcsfrc_val); + /* + * Changes to immediate action on Action Qualifier. This puts + * Action Qualifier control on PWM output from next TBCLK diff --git a/queue-4.4/revert-ubifs-fix-potential-integer-overflow-in-allocation.patch b/queue-4.4/revert-ubifs-fix-potential-integer-overflow-in-allocation.patch new file mode 100644 index 00000000000..a849079e14d --- /dev/null +++ b/queue-4.4/revert-ubifs-fix-potential-integer-overflow-in-allocation.patch @@ -0,0 +1,34 @@ +From 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Sun, 1 Jul 2018 23:20:50 +0200 +Subject: Revert "UBIFS: Fix potential integer overflow in allocation" + +From: Richard Weinberger + +commit 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 upstream. + +This reverts commit 353748a359f1821ee934afc579cf04572406b420. +It bypassed the linux-mtd review process and fixes the issue not as it +should. + +Cc: Kees Cook +Cc: Silvio Cesare +Cc: stable@vger.kernel.org +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/journal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ubifs/journal.c ++++ b/fs/ubifs/journal.c +@@ -1107,7 +1107,7 @@ static int recomp_data_node(const struct + int err, len, compr_type, out_len; + + out_len = le32_to_cpu(dn->size); +- buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS); ++ buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS); + if (!buf) + return -ENOMEM; + diff --git a/queue-4.4/series b/queue-4.4/series index 61bf3d5ed3f..d7ddb430247 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -26,3 +26,20 @@ uprobes-use-synchronize_rcu-not-synchronize_sched.patch pm-sleep-wakeup-fix-build-error-caused-by-missing-srcu-support.patch pnfs-blocklayout-off-by-one-in-bl_map_stripe.patch arm-tegra-fix-tegra30-cardhu-pca954x-reset.patch +mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch +iommu-vt-d-add-definitions-for-pfsid.patch +iommu-vt-d-fix-dev-iotlb-pfsid-use.patch +osf_getdomainname-use-copy_to_user.patch +sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch +userns-move-user-access-out-of-the-mutex.patch +ubifs-fix-memory-leak-in-lprobs-self-check.patch +revert-ubifs-fix-potential-integer-overflow-in-allocation.patch +ubifs-check-data-node-size-before-truncate.patch +ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch +pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch +fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch +udlfb-set-optimal-write-delay.patch +getxattr-use-correct-xattr-length.patch +bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch +perf-auxtrace-fix-queue-resize.patch +fs-quota-fix-spectre-gadget-in-do_quotactl.patch diff --git a/queue-4.4/sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch b/queue-4.4/sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch new file mode 100644 index 00000000000..636e13fcbe8 --- /dev/null +++ b/queue-4.4/sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch @@ -0,0 +1,453 @@ +From 42a0cc3478584d4d63f68f2f5af021ddbea771fa Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 25 Jun 2018 18:34:10 +0200 +Subject: sys: don't hold uts_sem while accessing userspace memory + +From: Jann Horn + +commit 42a0cc3478584d4d63f68f2f5af021ddbea771fa upstream. + +Holding uts_sem as a writer while accessing userspace memory allows a +namespace admin to stall all processes that attempt to take uts_sem. +Instead, move data through stack buffers and don't access userspace memory +while uts_sem is held. + +Cc: stable@vger.kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jann Horn +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/kernel/osf_sys.c | 51 +++++++++----------- + arch/sparc/kernel/sys_sparc_32.c | 22 +++++---- + arch/sparc/kernel/sys_sparc_64.c | 20 ++++---- + kernel/sys.c | 95 ++++++++++++++++++--------------------- + kernel/utsname_sysctl.c | 41 ++++++++++------ + 5 files changed, 119 insertions(+), 110 deletions(-) + +--- a/arch/alpha/kernel/osf_sys.c ++++ b/arch/alpha/kernel/osf_sys.c +@@ -526,24 +526,19 @@ SYSCALL_DEFINE4(osf_mount, unsigned long + SYSCALL_DEFINE1(osf_utsname, char __user *, name) + { + int error; ++ char tmp[5 * 32]; + + down_read(&uts_sem); +- error = -EFAULT; +- if (copy_to_user(name + 0, utsname()->sysname, 32)) +- goto out; +- if (copy_to_user(name + 32, utsname()->nodename, 32)) +- goto out; +- if (copy_to_user(name + 64, utsname()->release, 32)) +- goto out; +- if (copy_to_user(name + 96, utsname()->version, 32)) +- goto out; +- if (copy_to_user(name + 128, utsname()->machine, 32)) +- goto out; ++ memcpy(tmp + 0 * 32, utsname()->sysname, 32); ++ memcpy(tmp + 1 * 32, utsname()->nodename, 32); ++ memcpy(tmp + 2 * 32, utsname()->release, 32); ++ memcpy(tmp + 3 * 32, utsname()->version, 32); ++ memcpy(tmp + 4 * 32, utsname()->machine, 32); ++ up_read(&uts_sem); + +- error = 0; +- out: +- up_read(&uts_sem); +- return error; ++ if (copy_to_user(name, tmp, sizeof(tmp))) ++ return -EFAULT; ++ return 0; + } + + SYSCALL_DEFINE0(getpagesize) +@@ -563,18 +558,21 @@ SYSCALL_DEFINE2(osf_getdomainname, char + { + int len, err = 0; + char *kname; ++ char tmp[32]; + +- if (namelen > 32) ++ if (namelen < 0 || namelen > 32) + namelen = 32; + + down_read(&uts_sem); + kname = utsname()->domainname; + len = strnlen(kname, namelen); +- if (copy_to_user(name, kname, min(len + 1, namelen))) +- err = -EFAULT; ++ len = min(len + 1, namelen); ++ memcpy(tmp, kname, len); + up_read(&uts_sem); + +- return err; ++ if (copy_to_user(name, tmp, len)) ++ return -EFAULT; ++ return 0; + } + + /* +@@ -736,13 +734,14 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman + }; + unsigned long offset; + const char *res; +- long len, err = -EINVAL; ++ long len; ++ char tmp[__NEW_UTS_LEN + 1]; + + offset = command-1; + if (offset >= ARRAY_SIZE(sysinfo_table)) { + /* Digital UNIX has a few unpublished interfaces here */ + printk("sysinfo(%d)", command); +- goto out; ++ return -EINVAL; + } + + down_read(&uts_sem); +@@ -750,13 +749,11 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman + len = strlen(res)+1; + if ((unsigned long)len > (unsigned long)count) + len = count; +- if (copy_to_user(buf, res, len)) +- err = -EFAULT; +- else +- err = 0; ++ memcpy(tmp, res, len); + up_read(&uts_sem); +- out: +- return err; ++ if (copy_to_user(buf, tmp, len)) ++ return -EFAULT; ++ return 0; + } + + SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer, +--- a/arch/sparc/kernel/sys_sparc_32.c ++++ b/arch/sparc/kernel/sys_sparc_32.c +@@ -201,23 +201,27 @@ SYSCALL_DEFINE5(rt_sigaction, int, sig, + + asmlinkage long sys_getdomainname(char __user *name, int len) + { +- int nlen, err; +- ++ int nlen, err; ++ char tmp[__NEW_UTS_LEN + 1]; ++ + if (len < 0) + return -EINVAL; + +- down_read(&uts_sem); +- ++ down_read(&uts_sem); ++ + nlen = strlen(utsname()->domainname) + 1; + err = -EINVAL; + if (nlen > len) +- goto out; ++ goto out_unlock; ++ memcpy(tmp, utsname()->domainname, nlen); ++ ++ up_read(&uts_sem); + +- err = -EFAULT; +- if (!copy_to_user(name, utsname()->domainname, nlen)) +- err = 0; ++ if (copy_to_user(name, tmp, nlen)) ++ return -EFAULT; ++ return 0; + +-out: ++out_unlock: + up_read(&uts_sem); + return err; + } +--- a/arch/sparc/kernel/sys_sparc_64.c ++++ b/arch/sparc/kernel/sys_sparc_64.c +@@ -524,23 +524,27 @@ extern void check_pending(int signum); + + SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len) + { +- int nlen, err; ++ int nlen, err; ++ char tmp[__NEW_UTS_LEN + 1]; + + if (len < 0) + return -EINVAL; + +- down_read(&uts_sem); +- ++ down_read(&uts_sem); ++ + nlen = strlen(utsname()->domainname) + 1; + err = -EINVAL; + if (nlen > len) +- goto out; ++ goto out_unlock; ++ memcpy(tmp, utsname()->domainname, nlen); ++ ++ up_read(&uts_sem); + +- err = -EFAULT; +- if (!copy_to_user(name, utsname()->domainname, nlen)) +- err = 0; ++ if (copy_to_user(name, tmp, nlen)) ++ return -EFAULT; ++ return 0; + +-out: ++out_unlock: + up_read(&uts_sem); + return err; + } +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1142,18 +1142,19 @@ static int override_release(char __user + + SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name) + { +- int errno = 0; ++ struct new_utsname tmp; + + down_read(&uts_sem); +- if (copy_to_user(name, utsname(), sizeof *name)) +- errno = -EFAULT; ++ memcpy(&tmp, utsname(), sizeof(tmp)); + up_read(&uts_sem); ++ if (copy_to_user(name, &tmp, sizeof(tmp))) ++ return -EFAULT; + +- if (!errno && override_release(name->release, sizeof(name->release))) +- errno = -EFAULT; +- if (!errno && override_architecture(name)) +- errno = -EFAULT; +- return errno; ++ if (override_release(name->release, sizeof(name->release))) ++ return -EFAULT; ++ if (override_architecture(name)) ++ return -EFAULT; ++ return 0; + } + + #ifdef __ARCH_WANT_SYS_OLD_UNAME +@@ -1162,55 +1163,46 @@ SYSCALL_DEFINE1(newuname, struct new_uts + */ + SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) + { +- int error = 0; ++ struct old_utsname tmp; + + if (!name) + return -EFAULT; + + down_read(&uts_sem); +- if (copy_to_user(name, utsname(), sizeof(*name))) +- error = -EFAULT; ++ memcpy(&tmp, utsname(), sizeof(tmp)); + up_read(&uts_sem); ++ if (copy_to_user(name, &tmp, sizeof(tmp))) ++ return -EFAULT; + +- if (!error && override_release(name->release, sizeof(name->release))) +- error = -EFAULT; +- if (!error && override_architecture(name)) +- error = -EFAULT; +- return error; ++ if (override_release(name->release, sizeof(name->release))) ++ return -EFAULT; ++ if (override_architecture(name)) ++ return -EFAULT; ++ return 0; + } + + SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) + { +- int error; ++ struct oldold_utsname tmp = {}; + + if (!name) + return -EFAULT; +- if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname))) +- return -EFAULT; + + down_read(&uts_sem); +- error = __copy_to_user(&name->sysname, &utsname()->sysname, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->sysname + __OLD_UTS_LEN); +- error |= __copy_to_user(&name->nodename, &utsname()->nodename, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->nodename + __OLD_UTS_LEN); +- error |= __copy_to_user(&name->release, &utsname()->release, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->release + __OLD_UTS_LEN); +- error |= __copy_to_user(&name->version, &utsname()->version, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->version + __OLD_UTS_LEN); +- error |= __copy_to_user(&name->machine, &utsname()->machine, +- __OLD_UTS_LEN); +- error |= __put_user(0, name->machine + __OLD_UTS_LEN); ++ memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN); ++ memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN); ++ memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN); ++ memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN); ++ memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN); + up_read(&uts_sem); ++ if (copy_to_user(name, &tmp, sizeof(tmp))) ++ return -EFAULT; + +- if (!error && override_architecture(name)) +- error = -EFAULT; +- if (!error && override_release(name->release, sizeof(name->release))) +- error = -EFAULT; +- return error ? -EFAULT : 0; ++ if (override_architecture(name)) ++ return -EFAULT; ++ if (override_release(name->release, sizeof(name->release))) ++ return -EFAULT; ++ return 0; + } + #endif + +@@ -1224,17 +1216,18 @@ SYSCALL_DEFINE2(sethostname, char __user + + if (len < 0 || len > __NEW_UTS_LEN) + return -EINVAL; +- down_write(&uts_sem); + errno = -EFAULT; + if (!copy_from_user(tmp, name, len)) { +- struct new_utsname *u = utsname(); ++ struct new_utsname *u; + ++ down_write(&uts_sem); ++ u = utsname(); + memcpy(u->nodename, tmp, len); + memset(u->nodename + len, 0, sizeof(u->nodename) - len); + errno = 0; + uts_proc_notify(UTS_PROC_HOSTNAME); ++ up_write(&uts_sem); + } +- up_write(&uts_sem); + return errno; + } + +@@ -1242,8 +1235,9 @@ SYSCALL_DEFINE2(sethostname, char __user + + SYSCALL_DEFINE2(gethostname, char __user *, name, int, len) + { +- int i, errno; ++ int i; + struct new_utsname *u; ++ char tmp[__NEW_UTS_LEN + 1]; + + if (len < 0) + return -EINVAL; +@@ -1252,11 +1246,11 @@ SYSCALL_DEFINE2(gethostname, char __user + i = 1 + strlen(u->nodename); + if (i > len) + i = len; +- errno = 0; +- if (copy_to_user(name, u->nodename, i)) +- errno = -EFAULT; ++ memcpy(tmp, u->nodename, i); + up_read(&uts_sem); +- return errno; ++ if (copy_to_user(name, tmp, i)) ++ return -EFAULT; ++ return 0; + } + + #endif +@@ -1275,17 +1269,18 @@ SYSCALL_DEFINE2(setdomainname, char __us + if (len < 0 || len > __NEW_UTS_LEN) + return -EINVAL; + +- down_write(&uts_sem); + errno = -EFAULT; + if (!copy_from_user(tmp, name, len)) { +- struct new_utsname *u = utsname(); ++ struct new_utsname *u; + ++ down_write(&uts_sem); ++ u = utsname(); + memcpy(u->domainname, tmp, len); + memset(u->domainname + len, 0, sizeof(u->domainname) - len); + errno = 0; + uts_proc_notify(UTS_PROC_DOMAINNAME); ++ up_write(&uts_sem); + } +- up_write(&uts_sem); + return errno; + } + +--- a/kernel/utsname_sysctl.c ++++ b/kernel/utsname_sysctl.c +@@ -17,7 +17,7 @@ + + #ifdef CONFIG_PROC_SYSCTL + +-static void *get_uts(struct ctl_table *table, int write) ++static void *get_uts(struct ctl_table *table) + { + char *which = table->data; + struct uts_namespace *uts_ns; +@@ -25,21 +25,9 @@ static void *get_uts(struct ctl_table *t + uts_ns = current->nsproxy->uts_ns; + which = (which - (char *)&init_uts_ns) + (char *)uts_ns; + +- if (!write) +- down_read(&uts_sem); +- else +- down_write(&uts_sem); + return which; + } + +-static void put_uts(struct ctl_table *table, int write, void *which) +-{ +- if (!write) +- up_read(&uts_sem); +- else +- up_write(&uts_sem); +-} +- + /* + * Special case of dostring for the UTS structure. This has locks + * to observe. Should this be in kernel/sys.c ???? +@@ -49,13 +37,34 @@ static int proc_do_uts_string(struct ctl + { + struct ctl_table uts_table; + int r; ++ char tmp_data[__NEW_UTS_LEN + 1]; ++ + memcpy(&uts_table, table, sizeof(uts_table)); +- uts_table.data = get_uts(table, write); ++ uts_table.data = tmp_data; ++ ++ /* ++ * Buffer the value in tmp_data so that proc_dostring() can be called ++ * without holding any locks. ++ * We also need to read the original value in the write==1 case to ++ * support partial writes. ++ */ ++ down_read(&uts_sem); ++ memcpy(tmp_data, get_uts(table), sizeof(tmp_data)); ++ up_read(&uts_sem); + r = proc_dostring(&uts_table, write, buffer, lenp, ppos); +- put_uts(table, write, uts_table.data); + +- if (write) ++ if (write) { ++ /* ++ * Write back the new value. ++ * Note that, since we dropped uts_sem, the result can ++ * theoretically be incorrect if there are two parallel writes ++ * at non-zero offsets to the same sysctl. ++ */ ++ down_write(&uts_sem); ++ memcpy(get_uts(table), tmp_data, sizeof(tmp_data)); ++ up_write(&uts_sem); + proc_sys_poll_notify(table->poll); ++ } + + return r; + } diff --git a/queue-4.4/ubifs-check-data-node-size-before-truncate.patch b/queue-4.4/ubifs-check-data-node-size-before-truncate.patch new file mode 100644 index 00000000000..0192f18c95e --- /dev/null +++ b/queue-4.4/ubifs-check-data-node-size-before-truncate.patch @@ -0,0 +1,46 @@ +From 95a22d2084d72ea067d8323cc85677dba5d97cae Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Sun, 1 Jul 2018 23:20:51 +0200 +Subject: ubifs: Check data node size before truncate + +From: Richard Weinberger + +commit 95a22d2084d72ea067d8323cc85677dba5d97cae upstream. + +Check whether the size is within bounds before using it. +If the size is not correct, abort and dump the bad data node. + +Cc: Kees Cook +Cc: Silvio Cesare +Cc: stable@vger.kernel.org +Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") +Reported-by: Silvio Cesare +Signed-off-by: Richard Weinberger +Reviewed-by: Kees Cook +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/journal.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/ubifs/journal.c ++++ b/fs/ubifs/journal.c +@@ -1186,7 +1186,16 @@ int ubifs_jnl_truncate(struct ubifs_info + else if (err) + goto out_free; + else { +- if (le32_to_cpu(dn->size) <= dlen) ++ int dn_len = le32_to_cpu(dn->size); ++ ++ if (dn_len <= 0 || dn_len > UBIFS_BLOCK_SIZE) { ++ ubifs_err(c, "bad data node (block %u, inode %lu)", ++ blk, inode->i_ino); ++ ubifs_dump_node(c, dn); ++ goto out_free; ++ } ++ ++ if (dn_len <= dlen) + dlen = 0; /* Nothing to do */ + else { + int compr_type = le16_to_cpu(dn->compr_type); diff --git a/queue-4.4/ubifs-fix-memory-leak-in-lprobs-self-check.patch b/queue-4.4/ubifs-fix-memory-leak-in-lprobs-self-check.patch new file mode 100644 index 00000000000..40b023e4e28 --- /dev/null +++ b/queue-4.4/ubifs-fix-memory-leak-in-lprobs-self-check.patch @@ -0,0 +1,45 @@ +From eef19816ada3abd56d9f20c88794cc2fea83ebb2 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 12 Jun 2018 20:49:45 +0200 +Subject: ubifs: Fix memory leak in lprobs self-check + +From: Richard Weinberger + +commit eef19816ada3abd56d9f20c88794cc2fea83ebb2 upstream. + +Allocate the buffer after we return early. +Otherwise memory is being leaked. + +Cc: +Fixes: 1e51764a3c2a ("UBIFS: add new flash file system") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/lprops.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/ubifs/lprops.c ++++ b/fs/ubifs/lprops.c +@@ -1091,10 +1091,6 @@ static int scan_check_cb(struct ubifs_in + } + } + +- buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL); +- if (!buf) +- return -ENOMEM; +- + /* + * After an unclean unmount, empty and freeable LEBs + * may contain garbage - do not scan them. +@@ -1113,6 +1109,10 @@ static int scan_check_cb(struct ubifs_in + return LPT_SCAN_CONTINUE; + } + ++ buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ + sleb = ubifs_scan(c, lnum, 0, buf, 0); + if (IS_ERR(sleb)) { + ret = PTR_ERR(sleb); diff --git a/queue-4.4/ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch b/queue-4.4/ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch new file mode 100644 index 00000000000..4e8230ef390 --- /dev/null +++ b/queue-4.4/ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch @@ -0,0 +1,41 @@ +From 59965593205fa4044850d35ee3557cf0b7edcd14 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 12 Jun 2018 00:52:28 +0200 +Subject: ubifs: Fix synced_i_size calculation for xattr inodes + +From: Richard Weinberger + +commit 59965593205fa4044850d35ee3557cf0b7edcd14 upstream. + +In ubifs_jnl_update() we sync parent and child inodes to the flash, +in case of xattrs, the parent inode (AKA host inode) has a non-zero +data_len. Therefore we need to adjust synced_i_size too. + +This issue was reported by ubifs self tests unter a xattr related work +load. +UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: ui_size is 4, synced_i_size is 0, but inode is clean +UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: i_ino 65, i_mode 0x81a4, i_size 4 + +Cc: +Fixes: 1e51764a3c2a ("UBIFS: add new flash file system") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/journal.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/ubifs/journal.c ++++ b/fs/ubifs/journal.c +@@ -661,6 +661,11 @@ int ubifs_jnl_update(struct ubifs_info * + spin_lock(&ui->ui_lock); + ui->synced_i_size = ui->ui_size; + spin_unlock(&ui->ui_lock); ++ if (xent) { ++ spin_lock(&host_ui->ui_lock); ++ host_ui->synced_i_size = host_ui->ui_size; ++ spin_unlock(&host_ui->ui_lock); ++ } + mark_inode_clean(c, ui); + mark_inode_clean(c, host_ui); + return 0; diff --git a/queue-4.4/udlfb-set-optimal-write-delay.patch b/queue-4.4/udlfb-set-optimal-write-delay.patch new file mode 100644 index 00000000000..ff2279b4803 --- /dev/null +++ b/queue-4.4/udlfb-set-optimal-write-delay.patch @@ -0,0 +1,39 @@ +From bb24153a3f13dd0dbc1f8055ad97fe346d598f66 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 25 Jul 2018 15:41:55 +0200 +Subject: udlfb: set optimal write delay + +From: Mikulas Patocka + +commit bb24153a3f13dd0dbc1f8055ad97fe346d598f66 upstream. + +The default delay 5 jiffies is too much when the kernel is compiled with +HZ=100 - it results in jumpy cursor in Xwindow. + +In order to find out the optimal delay, I benchmarked the driver on +1280x720x30fps video. I found out that with HZ=1000, 10ms is acceptable, +but with HZ=250 or HZ=300, we need 4ms, so that the video is played +without any frame skips. + +This patch changes the delay to this value. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + include/video/udlfb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/video/udlfb.h ++++ b/include/video/udlfb.h +@@ -87,7 +87,7 @@ struct dlfb_data { + #define MIN_RAW_PIX_BYTES 2 + #define MIN_RAW_CMD_BYTES (RAW_HEADER_BYTES + MIN_RAW_PIX_BYTES) + +-#define DL_DEFIO_WRITE_DELAY 5 /* fb_deferred_io.delay in jiffies */ ++#define DL_DEFIO_WRITE_DELAY msecs_to_jiffies(HZ <= 300 ? 4 : 10) /* optimal value for 720p video */ + #define DL_DEFIO_WRITE_DISABLE (HZ*60) /* "disable" with long delay */ + + /* remove these once align.h patch is taken into kernel */ diff --git a/queue-4.4/userns-move-user-access-out-of-the-mutex.patch b/queue-4.4/userns-move-user-access-out-of-the-mutex.patch new file mode 100644 index 00000000000..0c7a2364a79 --- /dev/null +++ b/queue-4.4/userns-move-user-access-out-of-the-mutex.patch @@ -0,0 +1,66 @@ +From 5820f140edef111a9ea2ef414ab2428b8cb805b1 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Mon, 25 Jun 2018 18:34:19 +0200 +Subject: userns: move user access out of the mutex + +From: Jann Horn + +commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream. + +The old code would hold the userns_state_mutex indefinitely if +memdup_user_nul stalled due to e.g. a userfault region. Prevent that by +moving the memdup_user_nul in front of the mutex_lock(). + +Note: This changes the error precedence of invalid buf/count/*ppos vs +map already written / capabilities missing. + +Fixes: 22d917d80e84 ("userns: Rework the user_namespace adding uid/gid...") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Acked-by: Christian Brauner +Acked-by: Serge Hallyn +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/user_namespace.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -604,7 +604,16 @@ static ssize_t map_write(struct file *fi + struct uid_gid_extent *extent = NULL; + unsigned long page = 0; + char *kbuf, *pos, *next_line; +- ssize_t ret = -EINVAL; ++ ssize_t ret; ++ ++ /* Only allow < page size writes at the beginning of the file */ ++ if ((*ppos != 0) || (count >= PAGE_SIZE)) ++ return -EINVAL; ++ ++ /* Slurp in the user data */ ++ if (copy_from_user(kbuf, buf, count)) ++ return -EFAULT; ++ kbuf[count] = '\0'; + + /* + * The userns_state_mutex serializes all writes to any given map. +@@ -645,17 +654,6 @@ static ssize_t map_write(struct file *fi + if (!page) + goto out; + +- /* Only allow < page size writes at the beginning of the file */ +- ret = -EINVAL; +- if ((*ppos != 0) || (count >= PAGE_SIZE)) +- goto out; +- +- /* Slurp in the user data */ +- ret = -EFAULT; +- if (copy_from_user(kbuf, buf, count)) +- goto out; +- kbuf[count] = '\0'; +- + /* Parse the user data */ + ret = -EINVAL; + pos = kbuf; -- 2.47.2