From eef0687193087e16733f145b3f19a08602c770b5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 20 Mar 2019 16:41:50 +0100 Subject: [PATCH] 4.14-stable patches added patches: fix-cgroup_do_mount-handling-of-failure-exits.patch libnvdimm-fix-altmap-reservation-size-calculation.patch libnvdimm-label-clear-updating-flag-after-label-set-update.patch libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch stm-class-prevent-division-by-zero.patch --- ...p_do_mount-handling-of-failure-exits.patch | 95 ++++++++++++++++++ ...-altmap-reservation-size-calculation.patch | 59 +++++++++++ ...updating-flag-after-label-set-update.patch | 97 +++++++++++++++++++ ...pfn-fix-over-trim-in-trim_pfn_device.patch | 37 +++++++ ...or-force_raw-for-legacy-pmem-regions.patch | 46 +++++++++ queue-4.14/series | 6 ++ .../stm-class-prevent-division-by-zero.patch | 48 +++++++++ 7 files changed, 388 insertions(+) create mode 100644 queue-4.14/fix-cgroup_do_mount-handling-of-failure-exits.patch create mode 100644 queue-4.14/libnvdimm-fix-altmap-reservation-size-calculation.patch create mode 100644 queue-4.14/libnvdimm-label-clear-updating-flag-after-label-set-update.patch create mode 100644 queue-4.14/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch create mode 100644 queue-4.14/libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch create mode 100644 queue-4.14/stm-class-prevent-division-by-zero.patch diff --git a/queue-4.14/fix-cgroup_do_mount-handling-of-failure-exits.patch b/queue-4.14/fix-cgroup_do_mount-handling-of-failure-exits.patch new file mode 100644 index 00000000000..271d0347789 --- /dev/null +++ b/queue-4.14/fix-cgroup_do_mount-handling-of-failure-exits.patch 
@@ -0,0 +1,95 @@
+From 399504e21a10be16dd1408ba0147367d9d82a10c Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 6 Jan 2019 11:41:29 -0500
+Subject: fix cgroup_do_mount() handling of failure exits
+
+From: Al Viro
+
+commit 399504e21a10be16dd1408ba0147367d9d82a10c upstream.
+
+same story as with last May fixes in sysfs (7b745a4e4051
+"unfuck sysfs_mount()"); new_sb is left uninitialized
+in case of early errors in kernfs_mount_ns() and papering
+over it by treating any error from kernfs_mount_ns() as
+equivalent to !new_ns ends up conflating the cases when
+objects had never been transferred to a superblock with
+ones when that has happened and resulting new superblock
+had been dropped. Easily fixed (same way as in sysfs
+case). Additionally, there's a superblock leak on
+kernfs_node_dentry() failure *and* a dentry leak inside
+kernfs_node_dentry() itself - the latter on probably
+impossible errors, but the former not impossible to trigger
+(as the matter of fact, injecting allocation failures
+at that point *does* trigger it).
+
+Cc: stable@kernel.org
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/kernfs/mount.c | 8 ++++++--
+ kernel/cgroup/cgroup.c | 9 ++++++---
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/kernfs/mount.c
++++ b/fs/kernfs/mount.c
+@@ -196,8 +196,10 @@ struct dentry *kernfs_node_dentry(struct
+ return dentry;
+
+ knparent = find_next_ancestor(kn, NULL);
+- if (WARN_ON(!knparent))
++ if (WARN_ON(!knparent)) {
++ dput(dentry);
+ return ERR_PTR(-EINVAL);
++ }
+
+ do {
+ struct dentry *dtmp;
+@@ -206,8 +208,10 @@ struct dentry *kernfs_node_dentry(struct
+ if (kn == knparent)
+ return dentry;
+ kntmp = find_next_ancestor(kn, knparent);
+- if (WARN_ON(!kntmp))
++ if (WARN_ON(!kntmp)) {
++ dput(dentry);
+ return ERR_PTR(-EINVAL);
++ }
+ dtmp = lookup_one_len_unlocked(kntmp->name, dentry,
+ strlen(kntmp->name));
+ dput(dentry);
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -1942,7 +1942,7 @@ struct dentry *cgroup_do_mount(struct fi
+ struct cgroup_namespace *ns)
+ {
+ struct dentry *dentry;
+- bool new_sb;
++ bool new_sb = false;
+
+ dentry = kernfs_mount(fs_type, flags, root->kf_root, magic, &new_sb);
+
+@@ -1952,6 +1952,7 @@ struct dentry *cgroup_do_mount(struct fi
+ */
+ if (!IS_ERR(dentry) && ns != &init_cgroup_ns) {
+ struct dentry *nsdentry;
++ struct super_block *sb = dentry->d_sb;
+ struct cgroup *cgrp;
+
+ mutex_lock(&cgroup_mutex);
+@@ -1962,12 +1963,14 @@ struct dentry *cgroup_do_mount(struct fi
+ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+
+- nsdentry = kernfs_node_dentry(cgrp->kn, dentry->d_sb);
++ nsdentry = kernfs_node_dentry(cgrp->kn, sb);
+ dput(dentry);
++ if (IS_ERR(nsdentry))
++ deactivate_locked_super(sb);
+ dentry = nsdentry;
+ }
+
+- if (IS_ERR(dentry) || !new_sb)
++ if (!new_sb)
+ cgroup_put(&root->cgrp);
+
+ return dentry;
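Review bot: The new `struct super_block *sb = dentry->d_sb;` in cgroup_do_mount() has no comment explaining why the superblock is cached, and the reason is subtle: `dput(dentry)` runs before the `IS_ERR(nsdentry)` check, so `dentry->d_sb` can no longer be read where `deactivate_locked_super()` needs it. I would add `/* dentry is dropped before we know if nsdentry failed; keep sb for teardown */` above the declaration. `deactivate_locked_super(sb)` also presumably relies on s_umount still being held at this point in the mount path, which is worth stating in the same comment so the call is not moved past the unlock by a later refactor. Both kernfs_node_dentry() and cgroup_do_mount() continue outside the hunk.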
diff --git a/queue-4.14/libnvdimm-fix-altmap-reservation-size-calculation.patch b/queue-4.14/libnvdimm-fix-altmap-reservation-size-calculation.patch
new file mode 100644
index 00000000000..2f7811ee6c5
--- /dev/null
+++ b/queue-4.14/libnvdimm-fix-altmap-reservation-size-calculation.patch
@@ -0,0 +1,59 @@
+From 07464e88365e9236febaca9ed1a2e2006d8bc952 Mon Sep 17 00:00:00 2001
+From: Oliver O'Halloran
+Date: Wed, 6 Feb 2019 13:04:53 +1100
+Subject: libnvdimm: Fix altmap reservation size calculation
+
+From: Oliver O'Halloran
+
+commit 07464e88365e9236febaca9ed1a2e2006d8bc952 upstream.
+
+Libnvdimm reserves the first 8K of pfn and devicedax namespaces to
+store a superblock describing the namespace. This 8K reservation
+is contained within the altmap area which the kernel uses for the
+vmemmap backing for the pages within the namespace. The altmap
+allows for some pages at the start of the altmap area to be reserved
+and that mechanism is used to protect the superblock from being
+re-used as vmemmap backing.
+
+The number of PFNs to reserve is calculated using:
+
+ PHYS_PFN(SZ_8K)
+
+Which is implemented as:
+
+ #define PHYS_PFN(x) ((unsigned long)((x) >> PAGE_SHIFT))
+
+So on systems where PAGE_SIZE is greater than 8K the reservation
+size is truncated to zero and the superblock area is re-used as
+vmemmap backing. As a result all the namespace information stored
+in the superblock (i.e. if it's a PFN or DAX namespace) is lost
+and the namespace needs to be re-created to get access to the
+contents.
+
+This patch fixes this by using PFN_UP() rather than PHYS_PFN() to ensure
+that at least one page is reserved. On systems with a 4K pages size this
+patch should have no effect.
+
+Cc: stable@vger.kernel.org
+Cc: Dan Williams
+Fixes: ac515c084be9 ("libnvdimm, pmem, pfn: move pfn setup to the core")
+Signed-off-by: Oliver O'Halloran
+Reviewed-by: Vishal Verma
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -535,7 +535,7 @@ static unsigned long init_altmap_base(re
+
+ static unsigned long init_altmap_reserve(resource_size_t base)
+ {
+- unsigned long reserve = PHYS_PFN(SZ_8K);
++ unsigned long reserve = PFN_UP(SZ_8K);
+ unsigned long base_pfn = PHYS_PFN(base);
+
+ reserve += base_pfn - PFN_SECTION_ALIGN_DOWN(base_pfn);
diff --git a/queue-4.14/libnvdimm-label-clear-updating-flag-after-label-set-update.patch b/queue-4.14/libnvdimm-label-clear-updating-flag-after-label-set-update.patch
new file mode 100644
index 00000000000..9bd7abcd2f6
--- /dev/null
+++ b/queue-4.14/libnvdimm-label-clear-updating-flag-after-label-set-update.patch
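Review bot: The switch to `PFN_UP(SZ_8K)` in init_altmap_reserve() leaves no trace at the call site of why a round-up is needed, and on the common 4K configuration both macros yield the same value, so a later cleanup could plausibly revert it; add `/* PFN_UP: with PAGE_SIZE > 8K, PHYS_PFN() rounds to 0 and the superblock would be handed out as vmemmap */` above the assignment. Note also that on larger page sizes the reservation becomes a whole page rather than 8K, which is fine per the description but is a change in the reserved size, not only a fix of the zero case. init_altmap_reserve() continues past the hunk.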
@@ -0,0 +1,97 @@
+From 966d23a006ca7b44ac8cf4d0c96b19785e0c3da0 Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Tue, 15 Jan 2019 10:47:00 -0800
+Subject: libnvdimm/label: Clear 'updating' flag after label-set update
+
+From: Dan Williams
+
+commit 966d23a006ca7b44ac8cf4d0c96b19785e0c3da0 upstream.
+
+The UEFI 2.7 specification sets expectations that the 'updating' flag is
+eventually cleared. To date, the libnvdimm core has never adhered to
+that protocol. The policy of the core matches the policy of other
+multi-device info-block formats like MD-Software-RAID that expect
+administrator intervention on inconsistent info-blocks, not automatic
+invalidation.
+
+However, some pre-boot environments may unfortunately attempt to "clean
+up" the labels and invalidate a set when it fails to find at least one
+"non-updating" label in the set. Clear the updating flag after set
+updates to minimize the window of vulnerability to aggressive pre-boot
+environments.
+
+Ideally implementations would not write to the label area outside of
+creating namespaces.
+
+Note that this only minimizes the window, it does not close it as the
+system can still crash while clearing the flag and the set can be
+subsequently deleted / invalidated by the pre-boot environment.
+
+Fixes: f524bf271a5c ("libnvdimm: write pmem label set")
+Cc:
+Cc: Kelly Couch
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/label.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvdimm/label.c
++++ b/drivers/nvdimm/label.c
+@@ -616,7 +616,7 @@ static const guid_t *to_abstraction_guid
+
+ static int __pmem_label_update(struct nd_region *nd_region,
+ struct nd_mapping *nd_mapping, struct nd_namespace_pmem *nspm,
+- int pos)
++ int pos, unsigned long flags)
+ {
+ struct nd_namespace_common *ndns = &nspm->nsio.common;
+ struct nd_interleave_set *nd_set = nd_region->nd_set;
+@@ -657,7 +657,7 @@ static int __pmem_label_update(struct nd
+ memcpy(nd_label->uuid, nspm->uuid, NSLABEL_UUID_LEN);
+ if (nspm->alt_name)
+ memcpy(nd_label->name, nspm->alt_name, NSLABEL_NAME_LEN);
+- nd_label->flags = __cpu_to_le32(NSLABEL_FLAG_UPDATING);
++ nd_label->flags = __cpu_to_le32(flags);
+ nd_label->nlabel = __cpu_to_le16(nd_region->ndr_mappings);
+ nd_label->position = __cpu_to_le16(pos);
+ nd_label->isetcookie = __cpu_to_le64(cookie);
+@@ -1111,13 +1111,13 @@ static int del_labels(struct nd_mapping
+ int nd_pmem_namespace_label_update(struct nd_region *nd_region,
+ struct nd_namespace_pmem *nspm, resource_size_t size)
+ {
+- int i;
++ int i, rc;
+
+ for (i = 0; i < nd_region->ndr_mappings; i++) {
+ struct nd_mapping *nd_mapping = &nd_region->mapping[i];
+ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
+ struct resource *res;
+- int rc, count = 0;
++ int count = 0;
+
+ if (size == 0) {
+ rc = del_labels(nd_mapping, nspm->uuid);
+@@ -1135,7 +1135,20 @@ int nd_pmem_namespace_label_update(struc
+ if (rc < 0)
+ return rc;
+
+- rc = __pmem_label_update(nd_region, nd_mapping, nspm, i);
++ rc = __pmem_label_update(nd_region, nd_mapping, nspm, i,
++ NSLABEL_FLAG_UPDATING);
++ if (rc)
++ return rc;
++ }
++
++ if (size == 0)
++ return 0;
++
++ /* Clear the UPDATING flag per UEFI 2.7 expectations */
++ for (i = 0; i < nd_region->ndr_mappings; i++) {
++ struct nd_mapping *nd_mapping = &nd_region->mapping[i];
++
++ rc = __pmem_label_update(nd_region, nd_mapping, nspm, i, 0);
+ if (rc)
+ return rc;
+ }
diff --git a/queue-4.14/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch b/queue-4.14/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
new file mode 100644
index 00000000000..edf62e9f2ac
--- /dev/null
+++ b/queue-4.14/libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
@@ -0,0 +1,37 @@
+From f101ada7da6551127d192c2f1742c1e9e0f62799 Mon Sep 17 00:00:00 2001
+From: Wei Yang
+Date: Tue, 22 Jan 2019 10:48:09 +0800
+Subject: libnvdimm, pfn: Fix over-trim in trim_pfn_device()
+
+From: Wei Yang
+
+commit f101ada7da6551127d192c2f1742c1e9e0f62799 upstream.
+
+When trying to see whether current nd_region intersects with others,
+trim_pfn_device() has already calculated the *size* to be expanded to
+SECTION size.
+
+Do not double append 'adjust' to 'size' when calculating whether the end
+of a region collides with the next pmem region.
+
+Fixes: ae86cbfef381 "libnvdimm, pfn: Pad pfn namespaces relative to other regions"
+Cc:
+Signed-off-by: Wei Yang
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -618,7 +618,7 @@ static void trim_pfn_device(struct nd_pf
+ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+ IORES_DESC_NONE) == REGION_MIXED
+ || !IS_ALIGNED(end, nd_pfn->align)
+- || nd_region_conflict(nd_region, start, size + adjust))
++ || nd_region_conflict(nd_region, start, size))
+ *end_trunc = end - phys_pmem_align_down(nd_pfn, end);
+ }
+
diff --git a/queue-4.14/libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch b/queue-4.14/libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch
new file mode 100644
index 00000000000..6f25dfe3e51
--- /dev/null
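Review bot: The `if (size == 0) return 0;` added between the two loops in nd_pmem_namespace_label_update() returns before whatever followed the original single loop, and the function's tail is outside the hunk, so it should be confirmed that the delete path did not depend on code after that loop. The second loop rewrites every label again with `flags == 0`, and a failure partway leaves a set in which some labels are cleared and others still carry NSLABEL_FLAG_UPDATING; the description accepts this window, but the loop should say so, e.g. `/* second pass: a failure here leaves a mixed set, which a pre-boot env may still discard */` under the existing UEFI 2.7 comment. nd_pmem_namespace_label_update() ends outside the hunk.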
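Review bot: The corrected `nd_region_conflict(nd_region, start, size)` in trim_pfn_device() gives no hint that `size` already carries the section-alignment padding, which is exactly how the extra `+ adjust` crept in; a one-line comment guards against a repeat: `/* size is already padded by 'adjust' above; do not add it again */`. The computation of `size` and `adjust` is above the hunk and not visible here, so that claim rests on the commit message rather than on the visible lines. trim_pfn_device() starts before the hunk.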
+++ b/queue-4.14/libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch
@@ -0,0 +1,46 @@
+From fa7d2e639cd90442d868dfc6ca1d4cc9d8bf206e Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Thu, 24 Jan 2019 17:33:06 -0800
+Subject: libnvdimm/pmem: Honor force_raw for legacy pmem regions
+
+From: Dan Williams
+
+commit fa7d2e639cd90442d868dfc6ca1d4cc9d8bf206e upstream.
+
+For recovery, where non-dax access is needed to a given physical address
+range, and testing, allow the 'force_raw' attribute to override the
+default establishment of a dev_pagemap.
+
+Otherwise without this capability it is possible to end up with a
+namespace that can not be activated due to corrupted info-block, and one
+that can not be repaired due to a section collision.
+
+Cc:
+Fixes: 004f1afbe199 ("libnvdimm, pmem: direct map legacy pmem by default")
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/namespace_devs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -138,6 +138,7 @@ bool nd_is_uuid_unique(struct device *de
+ bool pmem_should_map_pages(struct device *dev)
+ {
+ struct nd_region *nd_region = to_nd_region(dev->parent);
++ struct nd_namespace_common *ndns = to_ndns(dev);
+ struct nd_namespace_io *nsio;
+
+ if (!IS_ENABLED(CONFIG_ZONE_DEVICE))
+@@ -149,6 +150,9 @@ bool pmem_should_map_pages(struct device
+ if (is_nd_pfn(dev) || is_nd_btt(dev))
+ return false;
+
++ if (ndns->force_raw)
++ return false;
++
+ nsio = to_nd_namespace_io(dev);
+ if (region_intersects(nsio->res.start, resource_size(&nsio->res),
+ IORESOURCE_SYSTEM_RAM,
diff --git a/queue-4.14/series b/queue-4.14/series
index 7ec421873ba..b47900e083d 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
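Review bot: `ndns = to_ndns(dev)` is now evaluated at the top of pmem_should_map_pages(), before the `is_nd_pfn(dev) || is_nd_btt(dev)` early return, so for pfn and btt devices a namespace pointer is formed from a device that is not a namespace. If `to_ndns()` is a plain container_of() this is only pointer arithmetic and is never dereferenced on that path, but it reads as a latent misuse; doing the conversion at the use site, `if (to_ndns(dev)->force_raw)` followed by `return false;`, keeps it on the path where dev is known to be a namespace and drops the local. A comment on the check would also help, e.g. `/* force_raw: recovery/testing wants plain block access, skip the dev_pagemap */`. pmem_should_map_pages() continues past the hunk.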
@@ -66,3 +66,9 @@ nfp-bpf-fix-alu32-high-bits-clearance-bug.patch
 net-set-static-variable-an-initial-value-in-atl2_pro.patch
 tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
 media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch
+stm-class-prevent-division-by-zero.patch
+libnvdimm-label-clear-updating-flag-after-label-set-update.patch
+libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
+libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch
+libnvdimm-fix-altmap-reservation-size-calculation.patch
+fix-cgroup_do_mount-handling-of-failure-exits.patch
diff --git a/queue-4.14/stm-class-prevent-division-by-zero.patch b/queue-4.14/stm-class-prevent-division-by-zero.patch
new file mode 100644
index 00000000000..2889ccf7c48
--- /dev/null
+++ b/queue-4.14/stm-class-prevent-division-by-zero.patch
@@ -0,0 +1,48 @@
+From bf7cbaae0831252b416f375ca9b1027ecd4642dd Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin
+Date: Thu, 21 Feb 2019 14:19:17 +0200
+Subject: stm class: Prevent division by zero
+
+From: Alexander Shishkin
+
+commit bf7cbaae0831252b416f375ca9b1027ecd4642dd upstream.
+
+Using STP_POLICY_ID_SET ioctl command with dummy_stm device, or any STM
+device that supplies zero mmio channel size, will trigger a division by
+zero bug in the kernel.
+
+Prevent this by disallowing channel widths other than 1 for such devices.
+
+Signed-off-by: Alexander Shishkin
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+CC: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwtracing/stm/core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -561,7 +561,7 @@ static int stm_char_policy_set_ioctl(str
+ {
+ struct stm_device *stm = stmf->stm;
+ struct stp_policy_id *id;
+- int ret = -EINVAL;
++ int ret = -EINVAL, wlimit = 1;
+ u32 size;
+
+ if (stmf->output.nr_chans)
+@@ -589,8 +589,10 @@ static int stm_char_policy_set_ioctl(str
+ if (id->__reserved_0 || id->__reserved_1)
+ goto err_free;
+
+- if (id->width < 1 ||
+- id->width > PAGE_SIZE / stm->data->sw_mmiosz)
++ if (stm->data->sw_mmiosz)
++ wlimit = PAGE_SIZE / stm->data->sw_mmiosz;
++
++ if (id->width < 1 || id->width > wlimit)
+ goto err_free;
+
+ ret = stm_file_assign(stmf, id->id, id->width);
--
2.47.2
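Review bot: `wlimit = 1` is the silent default that carries the whole fix in stm_char_policy_set_ioctl() — when `sw_mmiosz` is zero the device has no mmio channels and only width 1 is accepted — yet nothing near the declaration or the `if (stm->data->sw_mmiosz)` line says so; add `/* no mmio channels (sw_mmiosz == 0): only width 1 is meaningful */` above that if. `wlimit` is an `int` receiving `PAGE_SIZE / sw_mmiosz`; if `sw_mmiosz` ever exceeded PAGE_SIZE the limit would be 0 and every width rejected, which is pre-existing behaviour rather than something this hunk introduces, but it is worth knowing when reading the new bound. stm_char_policy_set_ioctl() continues past the hunk.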