From: Greg Kroah-Hartman Date: Mon, 10 Apr 2017 14:28:37 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.61~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=51893de777796ede092f171b87a92e26b06c702d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-gpio-do-not-fall-back-to-parsing-_crs-when-we-get-a-deferral.patch brcmfmac-use-local-iftype-avoiding-use-after-free-of-virtual-interface.patch dm-verity-fec-fix-bufio-leaks.patch dm-verity-fec-limit-error-correction-recursion.patch kbuild-use-cc-disable-warning-consistently-for-maybe-uninitialized.patch mac80211-unconditionally-start-new-netdev-queues-with-itxq-support.patch mm-page_alloc.c-fix-print-order-in-show_free_areas.patch orangefs-move-features-validation-to-fix-filesystem-hang.patch ptrace-fix-ptrace_listen-race-corrupting-task-state.patch reset-treeid-to-zero-on-smb2-tree_connect.patch ring-buffer-fix-return-value-check-in-test_ringbuffer.patch xfs-honor-falloc_fl_keep_size-when-punching-ends-of-files.patch --- diff --git a/queue-4.9/acpi-gpio-do-not-fall-back-to-parsing-_crs-when-we-get-a-deferral.patch b/queue-4.9/acpi-gpio-do-not-fall-back-to-parsing-_crs-when-we-get-a-deferral.patch new file mode 100644 index 00000000000..e0facc0661c --- /dev/null +++ b/queue-4.9/acpi-gpio-do-not-fall-back-to-parsing-_crs-when-we-get-a-deferral.patch @@ -0,0 +1,37 @@ +From 693bdaa164b40b7aa6018b98af6f7e40dbd52457 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Thu, 23 Mar 2017 13:21:38 -0700 +Subject: ACPI / gpio: do not fall back to parsing _CRS when we get a deferral + +From: Dmitry Torokhov + +commit 693bdaa164b40b7aa6018b98af6f7e40dbd52457 upstream. + +If, while locating GPIOs by name, we get probe deferral, we should +immediately report it to caller rather than trying to fall back to parsing +unnamed GPIOs from _CRS block. + +Signed-off-by: Dmitry Torokhov +Acked-by: Mika Westerberg +Acked-and-Tested-by: Hans de Goede +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib-acpi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -571,8 +571,10 @@ struct gpio_desc *acpi_find_gpio(struct + } + + desc = acpi_get_gpiod_by_index(adev, propname, idx, &info); +- if (!IS_ERR(desc) || (PTR_ERR(desc) == -EPROBE_DEFER)) ++ if (!IS_ERR(desc)) + break; ++ if (PTR_ERR(desc) == -EPROBE_DEFER) ++ return ERR_CAST(desc); + } + + /* Then from plain _CRS GPIOs */ diff --git a/queue-4.9/brcmfmac-use-local-iftype-avoiding-use-after-free-of-virtual-interface.patch b/queue-4.9/brcmfmac-use-local-iftype-avoiding-use-after-free-of-virtual-interface.patch new file mode 100644 index 00000000000..9fa572377b4 --- /dev/null +++ b/queue-4.9/brcmfmac-use-local-iftype-avoiding-use-after-free-of-virtual-interface.patch @@ -0,0 +1,65 @@ +From d77facb88448cdeaaa3adba5b9704a48ac2ac8d6 Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel +Date: Tue, 28 Mar 2017 09:11:30 +0100 +Subject: brcmfmac: use local iftype avoiding use-after-free of virtual interface + +From: Arend Van Spriel + +commit d77facb88448cdeaaa3adba5b9704a48ac2ac8d6 upstream. + +A use-after-free was found using KASAN. In brcmf_p2p_del_if() the virtual +interface is removed using call to brcmf_remove_interface(). After that +the virtual interface instance has been freed and should not be referenced. +Solve this by storing the nl80211 iftype in local variable, which is used +in a couple of places anyway. + +Reported-by: Daniel J Blueman +Reviewed-by: Hante Meuleman +Reviewed-by: Pieter-Paul Giesberts +Reviewed-by: Franky Lin +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +@@ -2238,14 +2238,16 @@ int brcmf_p2p_del_vif(struct wiphy *wiph + struct brcmf_cfg80211_info *cfg = wiphy_priv(wiphy); + struct brcmf_p2p_info *p2p = &cfg->p2p; + struct brcmf_cfg80211_vif *vif; ++ enum nl80211_iftype iftype; + bool wait_for_disable = false; + int err; + + brcmf_dbg(TRACE, "delete P2P vif\n"); + vif = container_of(wdev, struct brcmf_cfg80211_vif, wdev); + ++ iftype = vif->wdev.iftype; + brcmf_cfg80211_arm_vif_event(cfg, vif); +- switch (vif->wdev.iftype) { ++ switch (iftype) { + case NL80211_IFTYPE_P2P_CLIENT: + if (test_bit(BRCMF_VIF_STATUS_DISCONNECTING, &vif->sme_state)) + wait_for_disable = true; +@@ -2275,7 +2277,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph + BRCMF_P2P_DISABLE_TIMEOUT); + + err = 0; +- if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) { ++ if (iftype != NL80211_IFTYPE_P2P_DEVICE) { + brcmf_vif_clear_mgmt_ies(vif); + err = brcmf_p2p_release_p2p_if(vif); + } +@@ -2291,7 +2293,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph + brcmf_remove_interface(vif->ifp, true); + + brcmf_cfg80211_arm_vif_event(cfg, NULL); +- if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) ++ if (iftype != NL80211_IFTYPE_P2P_DEVICE) + p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL; + + return err; diff --git a/queue-4.9/dm-verity-fec-fix-bufio-leaks.patch b/queue-4.9/dm-verity-fec-fix-bufio-leaks.patch new file mode 100644 index 00000000000..5ac2cc0ab89 --- /dev/null +++ b/queue-4.9/dm-verity-fec-fix-bufio-leaks.patch @@ -0,0 +1,49 @@ +From 86e3e83b443669dd2bcc5c8a83b23e3aa0694c0d Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen +Date: Fri, 31 Mar 2017 12:32:45 -0700 +Subject: dm verity fec: fix bufio leaks + +From: Sami Tolvanen + +commit 86e3e83b443669dd2bcc5c8a83b23e3aa0694c0d upstream. + +Buffers read through dm_bufio_read() were not released in all code paths. + +Fixes: a739ff3f543a ("dm verity: add support for forward error correction") +Signed-off-by: Sami Tolvanen +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-verity-fec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -146,8 +146,6 @@ static int fec_decode_bufs(struct dm_ver + block = fec_buffer_rs_block(v, fio, n, i); + res = fec_decode_rs8(v, fio, block, &par[offset], neras); + if (res < 0) { +- dm_bufio_release(buf); +- + r = res; + goto error; + } +@@ -172,6 +170,8 @@ static int fec_decode_bufs(struct dm_ver + done: + r = corrected; + error: ++ dm_bufio_release(buf); ++ + if (r < 0 && neras) + DMERR_LIMIT("%s: FEC %llu: failed to correct: %d", + v->data_dev->name, (unsigned long long)rsb, r); +@@ -269,7 +269,7 @@ static int fec_read_bufs(struct dm_verit + &is_zero) == 0) { + /* skip known zero blocks entirely */ + if (is_zero) +- continue; ++ goto done; + + /* + * skip if we have already found the theoretical diff --git a/queue-4.9/dm-verity-fec-limit-error-correction-recursion.patch b/queue-4.9/dm-verity-fec-limit-error-correction-recursion.patch new file mode 100644 index 00000000000..d63b0767bbb --- /dev/null +++ b/queue-4.9/dm-verity-fec-limit-error-correction-recursion.patch @@ -0,0 +1,86 @@ +From f1a880a93baaadb14c10a348fd199f1cdb6bcccd Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen +Date: Wed, 15 Mar 2017 15:12:23 -0700 +Subject: dm verity fec: limit error correction recursion + +From: Sami Tolvanen + +commit f1a880a93baaadb14c10a348fd199f1cdb6bcccd upstream. + +If the hash tree itself is sufficiently corrupt in addition to data blocks, +it's possible for error correction to end up in a deep recursive loop, +which eventually causes a kernel panic. This change limits the +recursion to a reasonable level during a single I/O operation. + +Fixes: a739ff3f543a ("dm verity: add support for forward error correction") +Signed-off-by: Sami Tolvanen +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-verity-fec.c | 12 +++++++++++- + drivers/md/dm-verity-fec.h | 4 ++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -439,6 +439,13 @@ int verity_fec_decode(struct dm_verity * + if (!verity_fec_is_enabled(v)) + return -EOPNOTSUPP; + ++ if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) { ++ DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name); ++ return -EIO; ++ } ++ ++ fio->level++; ++ + if (type == DM_VERITY_BLOCK_TYPE_METADATA) + block += v->data_blocks; + +@@ -470,7 +477,7 @@ int verity_fec_decode(struct dm_verity * + if (r < 0) { + r = fec_decode_rsb(v, io, fio, rsb, offset, true); + if (r < 0) +- return r; ++ goto done; + } + + if (dest) +@@ -480,6 +487,8 @@ int verity_fec_decode(struct dm_verity * + r = verity_for_bv_block(v, io, iter, fec_bv_copy); + } + ++done: ++ fio->level--; + return r; + } + +@@ -520,6 +529,7 @@ void verity_fec_init_io(struct dm_verity + memset(fio->bufs, 0, sizeof(fio->bufs)); + fio->nbufs = 0; + fio->output = NULL; ++ fio->level = 0; + } + + /* +--- a/drivers/md/dm-verity-fec.h ++++ b/drivers/md/dm-verity-fec.h +@@ -27,6 +27,9 @@ + #define DM_VERITY_FEC_BUF_MAX \ + (1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS)) + ++/* maximum recursion level for verity_fec_decode */ ++#define DM_VERITY_FEC_MAX_RECURSION 4 ++ + #define DM_VERITY_OPT_FEC_DEV "use_fec_from_device" + #define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks" + #define DM_VERITY_OPT_FEC_START "fec_start" +@@ -58,6 +61,7 @@ struct dm_verity_fec_io { + unsigned nbufs; /* number of buffers allocated */ + u8 *output; /* buffer for corrected output */ + size_t output_pos; ++ unsigned level; /* recursion level */ + }; + + #ifdef CONFIG_DM_VERITY_FEC diff --git a/queue-4.9/kbuild-use-cc-disable-warning-consistently-for-maybe-uninitialized.patch b/queue-4.9/kbuild-use-cc-disable-warning-consistently-for-maybe-uninitialized.patch new file mode 100644 index 00000000000..ce9fb7f349d --- /dev/null +++ b/queue-4.9/kbuild-use-cc-disable-warning-consistently-for-maybe-uninitialized.patch @@ -0,0 +1,53 @@ +From b334e19ae9381f12a7521976883022385d2b7eef Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 13 Jan 2017 16:40:01 +0100 +Subject: Kbuild: use cc-disable-warning consistently for maybe-uninitialized + +From: Arnd Bergmann + +commit b334e19ae9381f12a7521976883022385d2b7eef upstream. + +In commit a76bcf557ef4 ("Kbuild: enable -Wmaybe-uninitialized warning +for "make W=1""), I reverted another change that happened to fix a problem +with old compilers, and now we get this report again with old compilers +(prior to gcc-4.8) and GCOV enabled: + + cc1: warnings being treated as errors + drivers/gpu/drm/i915/intel_ringbuffer.c: In function 'intel_ring_setup_status_page': + drivers/gpu/drm/i915/intel_ringbuffer.c:438: error: 'mmio.reg' may be used uninitialized in this function + At top level: +>> cc1: error: unrecognized command line option "-Wno-maybe-uninitialized" + +The problem is that we turn off the warning conditionally in a number +of places as we should, but one of them does it unconditionally. +Instead, change it to call cc-disable-warning as we do elsewhere. + +The original patch that caused it was merged into linux-4.7, then +4.8 removed the change and 4.9 brought it back, so we probably want +a backport to 4.9 once this is merged. + +Use a ':=' assignment instead of '=' to force the cc-disable-warning +call to only be evaluated once instead of every time. + +Fixes: a76bcf557ef4 ("Kbuild: enable -Wmaybe-uninitialized warning for "make W=1"") +Fixes: e72e2dfe7c16 ("gcov: disable -Wmaybe-uninitialized warning") +Reported-by: kbuild test robot +Signed-off-by: Arnd Bergmann +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Makefile ++++ b/Makefile +@@ -370,7 +370,7 @@ LDFLAGS_MODULE = + CFLAGS_KERNEL = + AFLAGS_KERNEL = + LDFLAGS_vmlinux = +-CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized ++CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,) + CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,) + + diff --git a/queue-4.9/mac80211-unconditionally-start-new-netdev-queues-with-itxq-support.patch b/queue-4.9/mac80211-unconditionally-start-new-netdev-queues-with-itxq-support.patch new file mode 100644 index 00000000000..5fc913f459d --- /dev/null +++ b/queue-4.9/mac80211-unconditionally-start-new-netdev-queues-with-itxq-support.patch @@ -0,0 +1,36 @@ +From 7d65f82954dadbbe7b6e1aec7e07ad17bc6d958b Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 29 Mar 2017 14:15:24 +0200 +Subject: mac80211: unconditionally start new netdev queues with iTXQ support + +From: Johannes Berg + +commit 7d65f82954dadbbe7b6e1aec7e07ad17bc6d958b upstream. + +When internal mac80211 TXQs aren't supported, netdev queues must +always started out started even when driver queues are stopped +while the interface is added. This is necessary because with the +internal TXQ support netdev queues are never stopped and packet +scheduling/dropping is done in mac80211. + +Fixes: 80a83cfc434b1 ("mac80211: skip netdev queue control with software queuing") +Reported-and-tested-by: Sven Eckelmann +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/iface.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -726,7 +726,8 @@ int ieee80211_do_open(struct wireless_de + ieee80211_recalc_ps(local); + + if (sdata->vif.type == NL80211_IFTYPE_MONITOR || +- sdata->vif.type == NL80211_IFTYPE_AP_VLAN) { ++ sdata->vif.type == NL80211_IFTYPE_AP_VLAN || ++ local->ops->wake_tx_queue) { + /* XXX: for AP_VLAN, actually track AP queues */ + netif_tx_start_all_queues(dev); + } else if (dev) { diff --git a/queue-4.9/mm-page_alloc.c-fix-print-order-in-show_free_areas.patch b/queue-4.9/mm-page_alloc.c-fix-print-order-in-show_free_areas.patch new file mode 100644 index 00000000000..e8cdf8a090f --- /dev/null +++ b/queue-4.9/mm-page_alloc.c-fix-print-order-in-show_free_areas.patch @@ -0,0 +1,40 @@ +From 1f06b81aea5ecba2c1f8afd87e0ba1b9f8f90160 Mon Sep 17 00:00:00 2001 +From: Alexander Polakov +Date: Fri, 7 Apr 2017 16:04:45 -0700 +Subject: mm/page_alloc.c: fix print order in show_free_areas() + +From: Alexander Polakov + +commit 1f06b81aea5ecba2c1f8afd87e0ba1b9f8f90160 upstream. + +Fixes: 11fb998986a72a ("mm: move most file-based accounting to the node") +Link: http://lkml.kernel.org/r/1490377730.30219.2.camel@beget.ru +Signed-off-by: Alexander Polyakov +Acked-by: Michal Hocko +Cc: Mel Gorman +Cc: Vlastimil Babka +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -4345,13 +4345,13 @@ void show_free_areas(unsigned int filter + K(node_page_state(pgdat, NR_FILE_MAPPED)), + K(node_page_state(pgdat, NR_FILE_DIRTY)), + K(node_page_state(pgdat, NR_WRITEBACK)), ++ K(node_page_state(pgdat, NR_SHMEM)), + #ifdef CONFIG_TRANSPARENT_HUGEPAGE + K(node_page_state(pgdat, NR_SHMEM_THPS) * HPAGE_PMD_NR), + K(node_page_state(pgdat, NR_SHMEM_PMDMAPPED) + * HPAGE_PMD_NR), + K(node_page_state(pgdat, NR_ANON_THPS) * HPAGE_PMD_NR), + #endif +- K(node_page_state(pgdat, NR_SHMEM)), + K(node_page_state(pgdat, NR_WRITEBACK_TEMP)), + K(node_page_state(pgdat, NR_UNSTABLE_NFS)), + node_page_state(pgdat, NR_PAGES_SCANNED), diff --git a/queue-4.9/orangefs-move-features-validation-to-fix-filesystem-hang.patch b/queue-4.9/orangefs-move-features-validation-to-fix-filesystem-hang.patch new file mode 100644 index 00000000000..211d638417a --- /dev/null +++ b/queue-4.9/orangefs-move-features-validation-to-fix-filesystem-hang.patch @@ -0,0 +1,85 @@ +From cefdc26e86728812aea54248a534fd4a5da2a43d Mon Sep 17 00:00:00 2001 +From: Martin Brandenburg +Date: Thu, 6 Apr 2017 18:11:00 -0400 +Subject: orangefs: move features validation to fix filesystem hang + +From: Martin Brandenburg + +commit cefdc26e86728812aea54248a534fd4a5da2a43d upstream. + +Without this fix (and another to the userspace component itself +described later), the kernel will be unable to process any OrangeFS +requests after the userspace component is restarted (due to a crash or +at the administrator's behest). + +The bug here is that inside orangefs_remount, the orangefs_request_mutex +is locked. When the userspace component restarts while the filesystem +is mounted, it sends a ORANGEFS_DEV_REMOUNT_ALL ioctl to the device, +which causes the kernel to send it a few requests aimed at synchronizing +the state between the two. While this is happening the +orangefs_request_mutex is locked to prevent any other requests going +through. + +This is only half of the bugfix. The other half is in the userspace +component which outright ignores(!) requests made before it considers +the filesystem remounted, which is after the ioctl returns. Of course +the ioctl doesn't return until after the userspace component responds to +the request it ignores. The userspace component has been changed to +allow ORANGEFS_VFS_OP_FEATURES regardless of the mount status. + +Mike Marshall says: + "I've tested this patch against the fixed userspace part. This patch is + real important, I hope it can make it into 4.11... + + Here's what happens when the userspace daemon is restarted, without + the patch: + + ============================================= + [ INFO: possible recursive locking detected ] + [ 4.10.0-00007-ge98bdb3 #1 Not tainted ] + --------------------------------------------- + pvfs2-client-co/29032 is trying to acquire lock: + (orangefs_request_mutex){+.+.+.}, at: service_operation+0x3c7/0x7b0 [orangefs] + but task is already holding lock: + (orangefs_request_mutex){+.+.+.}, at: dispatch_ioctl_command+0x1bf/0x330 [orangefs] + + CPU: 0 PID: 29032 Comm: pvfs2-client-co Not tainted 4.10.0-00007-ge98bdb3 #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.fc25 04/01/2014 + Call Trace: + __lock_acquire+0x7eb/0x1290 + lock_acquire+0xe8/0x1d0 + mutex_lock_killable_nested+0x6f/0x6e0 + service_operation+0x3c7/0x7b0 [orangefs] + orangefs_remount+0xea/0x150 [orangefs] + dispatch_ioctl_command+0x227/0x330 [orangefs] + orangefs_devreq_ioctl+0x29/0x70 [orangefs] + do_vfs_ioctl+0xa3/0x6e0 + SyS_ioctl+0x79/0x90" + +Signed-off-by: Martin Brandenburg +Acked-by: Mike Marshall +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/orangefs/super.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/orangefs/super.c ++++ b/fs/orangefs/super.c +@@ -263,8 +263,13 @@ int orangefs_remount(struct orangefs_sb_ + if (!new_op) + return -ENOMEM; + new_op->upcall.req.features.features = 0; +- ret = service_operation(new_op, "orangefs_features", 0); +- orangefs_features = new_op->downcall.resp.features.features; ++ ret = service_operation(new_op, "orangefs_features", ++ ORANGEFS_OP_PRIORITY | ORANGEFS_OP_NO_MUTEX); ++ if (!ret) ++ orangefs_features = ++ new_op->downcall.resp.features.features; ++ else ++ orangefs_features = 0; + op_release(new_op); + } else { + orangefs_features = 0; diff --git a/queue-4.9/ptrace-fix-ptrace_listen-race-corrupting-task-state.patch b/queue-4.9/ptrace-fix-ptrace_listen-race-corrupting-task-state.patch new file mode 100644 index 00000000000..6ee3995b885 --- /dev/null +++ b/queue-4.9/ptrace-fix-ptrace_listen-race-corrupting-task-state.patch @@ -0,0 +1,61 @@ +From 5402e97af667e35e54177af8f6575518bf251d51 Mon Sep 17 00:00:00 2001 +From: "bsegall@google.com" +Date: Fri, 7 Apr 2017 16:04:51 -0700 +Subject: ptrace: fix PTRACE_LISTEN race corrupting task->state + +From: bsegall@google.com + +commit 5402e97af667e35e54177af8f6575518bf251d51 upstream. + +In PT_SEIZED + LISTEN mode STOP/CONT signals cause a wakeup against +__TASK_TRACED. If this races with the ptrace_unfreeze_traced at the end +of a PTRACE_LISTEN, this can wake the task /after/ the check against +__TASK_TRACED, but before the reset of state to TASK_TRACED. This +causes it to instead clobber TASK_WAKING, allowing a subsequent wakeup +against TRACED while the task is still on the rq wake_list, corrupting +it. + +Oleg said: + "The kernel can crash or this can lead to other hard-to-debug problems. + In short, "task->state = TASK_TRACED" in ptrace_unfreeze_traced() + assumes that nobody else can wake it up, but PTRACE_LISTEN breaks the + contract. Obviusly it is very wrong to manipulate task->state if this + task is already running, or WAKING, or it sleeps again" + +[akpm@linux-foundation.org: coding-style fixes] +Fixes: 9899d11f ("ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL") +Link: http://lkml.kernel.org/r/xm26y3vfhmkp.fsf_-_@bsegall-linux.mtv.corp.google.com +Signed-off-by: Ben Segall +Acked-by: Oleg Nesterov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/ptrace.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -181,11 +181,17 @@ static void ptrace_unfreeze_traced(struc + + WARN_ON(!task->ptrace || task->parent != current); + ++ /* ++ * PTRACE_LISTEN can allow ptrace_trap_notify to wake us up remotely. ++ * Recheck state under the lock to close this race. ++ */ + spin_lock_irq(&task->sighand->siglock); +- if (__fatal_signal_pending(task)) +- wake_up_state(task, __TASK_TRACED); +- else +- task->state = TASK_TRACED; ++ if (task->state == __TASK_TRACED) { ++ if (__fatal_signal_pending(task)) ++ wake_up_state(task, __TASK_TRACED); ++ else ++ task->state = TASK_TRACED; ++ } + spin_unlock_irq(&task->sighand->siglock); + } + diff --git a/queue-4.9/reset-treeid-to-zero-on-smb2-tree_connect.patch b/queue-4.9/reset-treeid-to-zero-on-smb2-tree_connect.patch new file mode 100644 index 00000000000..aee52abf3f7 --- /dev/null +++ b/queue-4.9/reset-treeid-to-zero-on-smb2-tree_connect.patch @@ -0,0 +1,38 @@ +From 806a28efe9b78ffae5e2757e1ee924b8e50c08ab Mon Sep 17 00:00:00 2001 +From: Jan-Marek Glogowski +Date: Mon, 20 Feb 2017 12:25:58 +0100 +Subject: Reset TreeId to zero on SMB2 TREE_CONNECT + +From: Jan-Marek Glogowski + +commit 806a28efe9b78ffae5e2757e1ee924b8e50c08ab upstream. + +Currently the cifs module breaks the CIFS specs on reconnect as +described in http://msdn.microsoft.com/en-us/library/cc246529.aspx: + +"TreeId (4 bytes): Uniquely identifies the tree connect for the +command. This MUST be 0 for the SMB2 TREE_CONNECT Request." + +Signed-off-by: Jan-Marek Glogowski +Reviewed-by: Aurelien Aptel +Tested-by: Aurelien Aptel +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1104,6 +1104,10 @@ SMB2_tcon(const unsigned int xid, struct + return -EINVAL; + } + ++ /* SMB2 TREE_CONNECT request must be called with TreeId == 0 */ ++ if (tcon) ++ tcon->tid = 0; ++ + rc = small_smb2_init(SMB2_TREE_CONNECT, tcon, (void **) &req); + if (rc) { + kfree(unc_path); diff --git a/queue-4.9/ring-buffer-fix-return-value-check-in-test_ringbuffer.patch b/queue-4.9/ring-buffer-fix-return-value-check-in-test_ringbuffer.patch new file mode 100644 index 00000000000..4d6012a4e15 --- /dev/null +++ b/queue-4.9/ring-buffer-fix-return-value-check-in-test_ringbuffer.patch @@ -0,0 +1,50 @@ +From 62277de758b155dc04b78f195a1cb5208c37b2df Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Fri, 17 Jun 2016 17:33:59 +0000 +Subject: ring-buffer: Fix return value check in test_ringbuffer() + +From: Wei Yongjun + +commit 62277de758b155dc04b78f195a1cb5208c37b2df upstream. + +In case of error, the function kthread_run() returns ERR_PTR() +and never returns NULL. The NULL test in the return value check +should be replaced with IS_ERR(). + +Link: http://lkml.kernel.org/r/1466184839-14927-1-git-send-email-weiyj_lk@163.com + +Fixes: 6c43e554a ("ring-buffer: Add ring buffer startup selftest") +Signed-off-by: Wei Yongjun +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4870,9 +4870,9 @@ static __init int test_ringbuffer(void) + rb_data[cpu].cnt = cpu; + rb_threads[cpu] = kthread_create(rb_test, &rb_data[cpu], + "rbtester/%d", cpu); +- if (WARN_ON(!rb_threads[cpu])) { ++ if (WARN_ON(IS_ERR(rb_threads[cpu]))) { + pr_cont("FAILED\n"); +- ret = -1; ++ ret = PTR_ERR(rb_threads[cpu]); + goto out_free; + } + +@@ -4882,9 +4882,9 @@ static __init int test_ringbuffer(void) + + /* Now create the rb hammer! */ + rb_hammer = kthread_run(rb_hammer_test, NULL, "rbhammer"); +- if (WARN_ON(!rb_hammer)) { ++ if (WARN_ON(IS_ERR(rb_hammer))) { + pr_cont("FAILED\n"); +- ret = -1; ++ ret = PTR_ERR(rb_hammer); + goto out_free; + } + diff --git a/queue-4.9/series b/queue-4.9/series index 75d1f82a34c..fe0a6d6ac4a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -14,3 +14,15 @@ kvm-arm-arm64-fix-locking-for-kvm_free_stage2_pgd.patch iio-bmg160-reset-chip-when-probing.patch arm64-mm-unaligned-access-by-user-land-should-be-received-as-sigbus.patch cfg80211-check-rdev-resume-callback-only-for-registered-wiphy.patch +reset-treeid-to-zero-on-smb2-tree_connect.patch +mm-page_alloc.c-fix-print-order-in-show_free_areas.patch +ptrace-fix-ptrace_listen-race-corrupting-task-state.patch +dm-verity-fec-limit-error-correction-recursion.patch +dm-verity-fec-fix-bufio-leaks.patch +acpi-gpio-do-not-fall-back-to-parsing-_crs-when-we-get-a-deferral.patch +kbuild-use-cc-disable-warning-consistently-for-maybe-uninitialized.patch +orangefs-move-features-validation-to-fix-filesystem-hang.patch +xfs-honor-falloc_fl_keep_size-when-punching-ends-of-files.patch +ring-buffer-fix-return-value-check-in-test_ringbuffer.patch +mac80211-unconditionally-start-new-netdev-queues-with-itxq-support.patch +brcmfmac-use-local-iftype-avoiding-use-after-free-of-virtual-interface.patch diff --git a/queue-4.9/xfs-honor-falloc_fl_keep_size-when-punching-ends-of-files.patch b/queue-4.9/xfs-honor-falloc_fl_keep_size-when-punching-ends-of-files.patch new file mode 100644 index 00000000000..873c4ef0011 --- /dev/null +++ b/queue-4.9/xfs-honor-falloc_fl_keep_size-when-punching-ends-of-files.patch @@ -0,0 +1,62 @@ +From 3dd09d5a8589c640abb49cfcf92b4ed669eafad1 Mon Sep 17 00:00:00 2001 +From: Calvin Owens +Date: Mon, 3 Apr 2017 12:22:29 -0700 +Subject: xfs: Honor FALLOC_FL_KEEP_SIZE when punching ends of files + +From: Calvin Owens + +commit 3dd09d5a8589c640abb49cfcf92b4ed669eafad1 upstream. + +When punching past EOF on XFS, fallocate(mode=PUNCH_HOLE|KEEP_SIZE) will +round the file size up to the nearest multiple of PAGE_SIZE: + + calvinow@vm-disks/generic-xfs-1 ~$ dd if=/dev/urandom of=test bs=2048 count=1 + calvinow@vm-disks/generic-xfs-1 ~$ stat test + Size: 2048 Blocks: 8 IO Block: 4096 regular file + calvinow@vm-disks/generic-xfs-1 ~$ fallocate -n -l 2048 -o 2048 -p test + calvinow@vm-disks/generic-xfs-1 ~$ stat test + Size: 4096 Blocks: 8 IO Block: 4096 regular file + +Commit 3c2bdc912a1cc050 ("xfs: kill xfs_zero_remaining_bytes") replaced +xfs_zero_remaining_bytes() with calls to iomap helpers. The new helpers +don't enforce that [pos,offset) lies strictly on [0,i_size) when being +called from xfs_free_file_space(), so by "leaking" these ranges into +xfs_zero_range() we get this buggy behavior. + +Fix this by reintroducing the checks xfs_zero_remaining_bytes() did +against i_size at the bottom of xfs_free_file_space(). + +Reported-by: Aaron Gao +Fixes: 3c2bdc912a1cc050 ("xfs: kill xfs_zero_remaining_bytes") +Cc: Christoph Hellwig +Cc: Brian Foster +Signed-off-by: Calvin Owens +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/xfs_bmap_util.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/xfs/xfs_bmap_util.c ++++ b/fs/xfs/xfs_bmap_util.c +@@ -1318,8 +1318,16 @@ xfs_free_file_space( + /* + * Now that we've unmap all full blocks we'll have to zero out any + * partial block at the beginning and/or end. xfs_zero_range is +- * smart enough to skip any holes, including those we just created. ++ * smart enough to skip any holes, including those we just created, ++ * but we must take care not to zero beyond EOF and enlarge i_size. + */ ++ ++ if (offset >= XFS_ISIZE(ip)) ++ return 0; ++ ++ if (offset + len > XFS_ISIZE(ip)) ++ len = XFS_ISIZE(ip) - offset; ++ + return xfs_zero_range(ip, offset, len, NULL); + } +