Linux kernel -stable discussions
 help / color / mirror / Atom feed
* [PATCH v2] IB/hfi1: Protect the global dev_cntr_names and port_cntr_names
From: Mike Marciniszyn @ 2017-05-23 19:44 UTC (permalink / raw)
  To: stable; +Cc: linux-rdma, stable-commits

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit 62eed66e98b4c2286fef2ce5911d8d75b7515f7b upstream.

Protect the global dev_cntr_names and port_cntr_names with the global
mutex as they are allocated and freed in a function called per device.
Otherwise there is a danger of double free and memory leaks.

Cc: stable <stable@vger.kernel.org> # v4.10
Fixes: Commit b7481944b06e ("IB/hfi1: Show statistics counters under IB stats interface")
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Reviewed-by: Easwar Hariharan <easwar.hariharan@intel.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
---
v2 - fix upstream commit id.
 drivers/infiniband/hw/hfi1/verbs.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
index 6002aa9..5105b95 100644
--- a/drivers/infiniband/hw/hfi1/verbs.c
+++ b/drivers/infiniband/hw/hfi1/verbs.c
@@ -1605,6 +1605,7 @@ static void hfi1_get_dev_fw_str(struct ib_device *ibdev, char *str,
 	"DRIVER_EgrHdrFull"
 };
 
+static DEFINE_MUTEX(cntr_names_lock); /* protects the *_cntr_names bufers */
 static const char **dev_cntr_names;
 static const char **port_cntr_names;
 static int num_driver_cntrs = ARRAY_SIZE(driver_cntr_names);
@@ -1659,6 +1660,7 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 {
 	int i, err;
 
+	mutex_lock(&cntr_names_lock);
 	if (!cntr_names_initialized) {
 		struct hfi1_devdata *dd = dd_from_ibdev(ibdev);
 
@@ -1667,8 +1669,10 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 				      num_driver_cntrs,
 				      &num_dev_cntrs,
 				      &dev_cntr_names);
-		if (err)
+		if (err) {
+			mutex_unlock(&cntr_names_lock);
 			return NULL;
+		}
 
 		for (i = 0; i < num_driver_cntrs; i++)
 			dev_cntr_names[num_dev_cntrs + i] =
@@ -1682,10 +1686,12 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 		if (err) {
 			kfree(dev_cntr_names);
 			dev_cntr_names = NULL;
+			mutex_unlock(&cntr_names_lock);
 			return NULL;
 		}
 		cntr_names_initialized = 1;
 	}
+	mutex_unlock(&cntr_names_lock);
 
 	if (!port_num)
 		return rdma_alloc_hw_stats_struct(
@@ -1903,9 +1909,13 @@ void hfi1_unregister_ib_device(struct hfi1_devdata *dd)
 	del_timer_sync(&dev->mem_timer);
 	verbs_txreq_exit(dev);
 
+	mutex_lock(&cntr_names_lock);
 	kfree(dev_cntr_names);
 	kfree(port_cntr_names);
+	dev_cntr_names = NULL;
+	port_cntr_names = NULL;
 	cntr_names_initialized = 0;
+	mutex_unlock(&cntr_names_lock);
 }
 
 void hfi1_cnp_rcv(struct hfi1_packet *packet)

^ permalink raw reply related

* [PATCH v2] IB/hfi1: Protect the global dev_cntr_names and port_cntr_names
From: Mike Marciniszyn @ 2017-05-23 19:42 UTC (permalink / raw)
  To: stable; +Cc: linux-rdma, stable-commits

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit 62eed66e98b4c2286fef2ce5911d8d75b7515f7b upstream.

Protect the global dev_cntr_names and port_cntr_names with the global
mutex as they are allocated and freed in a function called per device.
Otherwise there is a danger of double free and memory leaks.

Cc: stable <stable@vger.kernel.org> # v4.11
Fixes: Commit b7481944b06e ("IB/hfi1: Show statistics counters under IB stats interface")
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Reviewed-by: Easwar Hariharan <easwar.hariharan@intel.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
---
v2 - fix upstream commit id
 drivers/infiniband/hw/hfi1/verbs.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
index 16ef7b1..1c67745 100644
--- a/drivers/infiniband/hw/hfi1/verbs.c
+++ b/drivers/infiniband/hw/hfi1/verbs.c
@@ -1524,6 +1524,7 @@ static void hfi1_get_dev_fw_str(struct ib_device *ibdev, char *str,
 	"DRIVER_EgrHdrFull"
 };
 
+static DEFINE_MUTEX(cntr_names_lock); /* protects the *_cntr_names bufers */
 static const char **dev_cntr_names;
 static const char **port_cntr_names;
 static int num_driver_cntrs = ARRAY_SIZE(driver_cntr_names);
@@ -1578,6 +1579,7 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 {
 	int i, err;
 
+	mutex_lock(&cntr_names_lock);
 	if (!cntr_names_initialized) {
 		struct hfi1_devdata *dd = dd_from_ibdev(ibdev);
 
@@ -1586,8 +1588,10 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 				      num_driver_cntrs,
 				      &num_dev_cntrs,
 				      &dev_cntr_names);
-		if (err)
+		if (err) {
+			mutex_unlock(&cntr_names_lock);
 			return NULL;
+		}
 
 		for (i = 0; i < num_driver_cntrs; i++)
 			dev_cntr_names[num_dev_cntrs + i] =
@@ -1601,10 +1605,12 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 		if (err) {
 			kfree(dev_cntr_names);
 			dev_cntr_names = NULL;
+			mutex_unlock(&cntr_names_lock);
 			return NULL;
 		}
 		cntr_names_initialized = 1;
 	}
+	mutex_unlock(&cntr_names_lock);
 
 	if (!port_num)
 		return rdma_alloc_hw_stats_struct(
@@ -1823,9 +1829,13 @@ void hfi1_unregister_ib_device(struct hfi1_devdata *dd)
 	del_timer_sync(&dev->mem_timer);
 	verbs_txreq_exit(dev);
 
+	mutex_lock(&cntr_names_lock);
 	kfree(dev_cntr_names);
 	kfree(port_cntr_names);
+	dev_cntr_names = NULL;
+	port_cntr_names = NULL;
 	cntr_names_initialized = 0;
+	mutex_unlock(&cntr_names_lock);
 }
 
 void hfi1_cnp_rcv(struct hfi1_packet *packet)

^ permalink raw reply related

* Re: [PATCH] IB/hfi1: Protect the global dev_cntr_names and port_cntr_names
From: Greg KH @ 2017-05-23 19:40 UTC (permalink / raw)
  To: Mike Marciniszyn; +Cc: stable, linux-rdma, stable-commits
In-Reply-To: <20170523191715.23627.88704.stgit@phlsvslse11.ph.intel.com>

On Tue, May 23, 2017 at 03:17:15PM -0400, Mike Marciniszyn wrote:
> From: Tadeusz Struk <tadeusz.struk@intel.com>
> 
> commit d5483feda85a8f39ee2e940e279547c686aac30c upstream.

No, that is not what this commit is :(

Please fix up and be more careful and resend...

greg k-h

^ permalink raw reply

* Re: [PATCH] IB/hfi1: Protect the global dev_cntr_names and port_cntr_names
From: Greg KH @ 2017-05-23 19:39 UTC (permalink / raw)
  To: Mike Marciniszyn; +Cc: stable, linux-rdma, stable-commits
In-Reply-To: <20170523192000.23809.10271.stgit@phlsvslse11.ph.intel.com>

On Tue, May 23, 2017 at 03:20:00PM -0400, Mike Marciniszyn wrote:
> From: Tadeusz Struk <tadeusz.struk@intel.com>
> 
> commit d5483feda85a8f39ee2e940e279547c686aac30c upstream.
> 
> Protect the global dev_cntr_names and port_cntr_names with the global
> mutex as they are allocated and freed in a function called per device.
> Otherwise there is a danger of double free and memory leaks.
> 
> Cc: stable <stable@vger.kernel.org> # v4.10

Thanks, but 4.10 is end-of-life.

greg k-h

^ permalink raw reply

* Re: Patch "nfsd: check for oversized NFSv2/v3 arguments" has been added to the 3.18-stable tree
From: Greg KH @ 2017-05-23 19:37 UTC (permalink / raw)
  To: J. Bruce Fields; +Cc: ari, thaan, stable, stable-commits
In-Reply-To: <20170523191340.GC7556@parsley.fieldses.org>

On Tue, May 23, 2017 at 03:13:41PM -0400, J. Bruce Fields wrote:
> NAK to this and all other backports of 51f567777799 (but I'll try to NAK
> them all individually).
> 
> I also tentatively have a stable cc on the upstream revert that I've got
> queued up--I figured that might be good just in case any backports slip
> through.  (But if getting the cc on a revert that probably doesn't apply
> is more annoying, tell me.)
> 
> Apologies for this one, the problem was fixed by e6838a29ecb "nfsd:
> check for oversized NFSv2/v3 arguments", but I accidentally left this
> earlier attempt at a fix on the branch that I submitted for 4.12.

Thanks for letting me know, I've now dropped this from all of the stable
queues.

greg k-h

^ permalink raw reply

* Patch "usb: misc: legousbtower: Fix memory leak" has been added to the 3.18-stable tree
From: gregkh @ 2017-05-23 19:34 UTC (permalink / raw)
  To: maksim.salau, gregkh, heikki.krogerus; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    usb: misc: legousbtower: Fix memory leak

to the 3.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usb-misc-legousbtower-fix-memory-leak.patch
and it can be found in the queue-3.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3 Mon Sep 17 00:00:00 2001
From: Maksim Salau <maksim.salau@gmail.com>
Date: Sat, 13 May 2017 23:49:26 +0300
Subject: usb: misc: legousbtower: Fix memory leak

From: Maksim Salau <maksim.salau@gmail.com>

commit 0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3 upstream.

get_version_reply is not freed if function returns with success.

Fixes: 942a48730faf ("usb: misc: legousbtower: Fix buffers on stack")
Reported-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/legousbtower.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/misc/legousbtower.c
+++ b/drivers/usb/misc/legousbtower.c
@@ -954,6 +954,7 @@ static int tower_probe (struct usb_inter
 
 
 exit:
+	kfree(get_version_reply);
 	return retval;
 
 error:


Patches currently in stable-queue which might be from maksim.salau@gmail.com are

queue-3.18/usb-misc-legousbtower-fix-memory-leak.patch

^ permalink raw reply

* Re: Patch "nfsd: check for oversized NFSv2/v3 arguments" has been added to the 4.9-stable tree
From: J. Bruce Fields @ 2017-05-23 19:28 UTC (permalink / raw)
  To: gregkh; +Cc: ari, thaan, stable, stable-commits
In-Reply-To: <1495564689231179@kroah.com>

NAK.--b.

On Tue, May 23, 2017 at 08:38:09PM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     nfsd: check for oversized NFSv2/v3 arguments
> 
> to the 4.9-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      nfsd-check-for-oversized-nfsv2-v3-arguments.patch
> and it can be found in the queue-4.9 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> From 51f567777799c9d85a778302b9eb61cf15214a98 Mon Sep 17 00:00:00 2001
> From: "J. Bruce Fields" <bfields@redhat.com>
> Date: Thu, 6 Apr 2017 22:36:31 -0400
> Subject: nfsd: check for oversized NFSv2/v3 arguments
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> From: J. Bruce Fields <bfields@redhat.com>
> 
> commit 51f567777799c9d85a778302b9eb61cf15214a98 upstream.
> 
> A client can append random data to the end of an NFSv2 or NFSv3 RPC call
> without our complaining; we'll just stop parsing at the end of the
> expected data and ignore the rest.
> 
> Encoded arguments and replies are stored together in an array of pages,
> and if a call is too large it could leave inadequate space for the
> reply.  This is normally OK because NFS RPC's typically have either
> short arguments and long replies (like READ) or long arguments and short
> replies (like WRITE).  But a client that sends an incorrectly long reply
> can violate those assumptions.  This was observed to cause crashes.
> 
> So, insist that the argument not be any longer than we expect.
> 
> Also, several operations increment rq_next_page in the decode routine
> before checking the argument size, which can leave rq_next_page pointing
> well past the end of the page array, causing trouble later in
> svc_free_pages.
> 
> As followup we may also want to rewrite the encoding routines to check
> more carefully that they aren't running off the end of the page array.
> 
> Reported-by: Tuomas Haanp�� <thaan@synopsys.com>
> Reported-by: Ari Kauppi <ari@synopsys.com>
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  fs/nfsd/nfs3xdr.c          |   23 +++++++++++++++++------
>  fs/nfsd/nfsxdr.c           |   13 ++++++++++---
>  include/linux/sunrpc/svc.h |    3 +--
>  3 files changed, 28 insertions(+), 11 deletions(-)
> 
> --- a/fs/nfsd/nfs3xdr.c
> +++ b/fs/nfsd/nfs3xdr.c
> @@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst
>  	if (!p)
>  		return 0;
>  	p = xdr_decode_hyper(p, &args->offset);
> -
>  	args->count = ntohl(*p++);
> +
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = min(args->count, max_blocksize);
>  
>  	/* set up the kvec */
> @@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst
>  		v++;
>  	}
>  	args->vlen = v;
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -541,9 +544,11 @@ nfs3svc_decode_readlinkargs(struct svc_r
>  	p = decode_fh(p, &args->fh);
>  	if (!p)
>  		return 0;
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -569,10 +574,14 @@ nfs3svc_decode_readdirargs(struct svc_rq
>  	args->verf   = p; p += 2;
>  	args->dircount = ~0;
>  	args->count  = ntohl(*p++);
> +
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	args->count  = min_t(u32, args->count, PAGE_SIZE);
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -590,6 +599,9 @@ nfs3svc_decode_readdirplusargs(struct sv
>  	args->dircount = ntohl(*p++);
>  	args->count    = ntohl(*p++);
>  
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = args->count = min(args->count, max_blocksize);
>  	while (len > 0) {
>  		struct page *p = *(rqstp->rq_next_page++);
> @@ -597,8 +609,7 @@ nfs3svc_decode_readdirplusargs(struct sv
>  			args->buffer = page_address(p);
>  		len -= PAGE_SIZE;
>  	}
> -
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> --- a/fs/nfsd/nfsxdr.c
> +++ b/fs/nfsd/nfsxdr.c
> @@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *
>  	len = args->count     = ntohl(*p++);
>  	p++; /* totalcount - unused */
>  
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
>  
>  	/* set up somewhere to store response.
> @@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *
>  		v++;
>  	}
>  	args->vlen = v;
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -362,9 +365,11 @@ nfssvc_decode_readlinkargs(struct svc_rq
>  	p = decode_fh(p, &args->fh);
>  	if (!p)
>  		return 0;
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -402,9 +407,11 @@ nfssvc_decode_readdirargs(struct svc_rqs
>  	args->cookie = ntohl(*p++);
>  	args->count  = ntohl(*p++);
>  	args->count  = min_t(u32, args->count, PAGE_SIZE);
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  /*
> --- a/include/linux/sunrpc/svc.h
> +++ b/include/linux/sunrpc/svc.h
> @@ -336,8 +336,7 @@ xdr_argsize_check(struct svc_rqst *rqstp
>  {
>  	char *cp = (char *)p;
>  	struct kvec *vec = &rqstp->rq_arg.head[0];
> -	return cp >= (char*)vec->iov_base
> -		&& cp <= (char*)vec->iov_base + vec->iov_len;
> +	return cp == (char *)vec->iov_base + vec->iov_len;
>  }
>  
>  static inline int
> 
> 
> Patches currently in stable-queue which might be from bfields@redhat.com are
> 
> queue-4.9/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
> queue-4.9/nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch
> queue-4.9/nfsd-fix-undefined-behavior-in-nfsd4_layout_verify.patch
> queue-4.9/nfsd-fix-up-the-supattr_exclcreat-attributes.patch

^ permalink raw reply

* Re: Patch "nfsd: check for oversized NFSv2/v3 arguments" has been added to the 4.4-stable tree
From: J. Bruce Fields @ 2017-05-23 19:27 UTC (permalink / raw)
  To: gregkh; +Cc: ari, thaan, stable, stable-commits
In-Reply-To: <149556465281153@kroah.com>

NAK.--b.

On Tue, May 23, 2017 at 08:37:32PM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     nfsd: check for oversized NFSv2/v3 arguments
> 
> to the 4.4-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      nfsd-check-for-oversized-nfsv2-v3-arguments.patch
> and it can be found in the queue-4.4 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> From 51f567777799c9d85a778302b9eb61cf15214a98 Mon Sep 17 00:00:00 2001
> From: "J. Bruce Fields" <bfields@redhat.com>
> Date: Thu, 6 Apr 2017 22:36:31 -0400
> Subject: nfsd: check for oversized NFSv2/v3 arguments
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> From: J. Bruce Fields <bfields@redhat.com>
> 
> commit 51f567777799c9d85a778302b9eb61cf15214a98 upstream.
> 
> A client can append random data to the end of an NFSv2 or NFSv3 RPC call
> without our complaining; we'll just stop parsing at the end of the
> expected data and ignore the rest.
> 
> Encoded arguments and replies are stored together in an array of pages,
> and if a call is too large it could leave inadequate space for the
> reply.  This is normally OK because NFS RPC's typically have either
> short arguments and long replies (like READ) or long arguments and short
> replies (like WRITE).  But a client that sends an incorrectly long reply
> can violate those assumptions.  This was observed to cause crashes.
> 
> So, insist that the argument not be any longer than we expect.
> 
> Also, several operations increment rq_next_page in the decode routine
> before checking the argument size, which can leave rq_next_page pointing
> well past the end of the page array, causing trouble later in
> svc_free_pages.
> 
> As followup we may also want to rewrite the encoding routines to check
> more carefully that they aren't running off the end of the page array.
> 
> Reported-by: Tuomas Haanp�� <thaan@synopsys.com>
> Reported-by: Ari Kauppi <ari@synopsys.com>
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  fs/nfsd/nfs3xdr.c          |   23 +++++++++++++++++------
>  fs/nfsd/nfsxdr.c           |   13 ++++++++++---
>  include/linux/sunrpc/svc.h |    3 +--
>  3 files changed, 28 insertions(+), 11 deletions(-)
> 
> --- a/fs/nfsd/nfs3xdr.c
> +++ b/fs/nfsd/nfs3xdr.c
> @@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst
>  	if (!p)
>  		return 0;
>  	p = xdr_decode_hyper(p, &args->offset);
> -
>  	args->count = ntohl(*p++);
> +
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = min(args->count, max_blocksize);
>  
>  	/* set up the kvec */
> @@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst
>  		v++;
>  	}
>  	args->vlen = v;
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -540,9 +543,11 @@ nfs3svc_decode_readlinkargs(struct svc_r
>  	p = decode_fh(p, &args->fh);
>  	if (!p)
>  		return 0;
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -568,10 +573,14 @@ nfs3svc_decode_readdirargs(struct svc_rq
>  	args->verf   = p; p += 2;
>  	args->dircount = ~0;
>  	args->count  = ntohl(*p++);
> +
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	args->count  = min_t(u32, args->count, PAGE_SIZE);
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -589,6 +598,9 @@ nfs3svc_decode_readdirplusargs(struct sv
>  	args->dircount = ntohl(*p++);
>  	args->count    = ntohl(*p++);
>  
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = args->count = min(args->count, max_blocksize);
>  	while (len > 0) {
>  		struct page *p = *(rqstp->rq_next_page++);
> @@ -596,8 +608,7 @@ nfs3svc_decode_readdirplusargs(struct sv
>  			args->buffer = page_address(p);
>  		len -= PAGE_SIZE;
>  	}
> -
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> --- a/fs/nfsd/nfsxdr.c
> +++ b/fs/nfsd/nfsxdr.c
> @@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *
>  	len = args->count     = ntohl(*p++);
>  	p++; /* totalcount - unused */
>  
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
>  
>  	/* set up somewhere to store response.
> @@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *
>  		v++;
>  	}
>  	args->vlen = v;
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -362,9 +365,11 @@ nfssvc_decode_readlinkargs(struct svc_rq
>  	p = decode_fh(p, &args->fh);
>  	if (!p)
>  		return 0;
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -402,9 +407,11 @@ nfssvc_decode_readdirargs(struct svc_rqs
>  	args->cookie = ntohl(*p++);
>  	args->count  = ntohl(*p++);
>  	args->count  = min_t(u32, args->count, PAGE_SIZE);
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  /*
> --- a/include/linux/sunrpc/svc.h
> +++ b/include/linux/sunrpc/svc.h
> @@ -335,8 +335,7 @@ xdr_argsize_check(struct svc_rqst *rqstp
>  {
>  	char *cp = (char *)p;
>  	struct kvec *vec = &rqstp->rq_arg.head[0];
> -	return cp >= (char*)vec->iov_base
> -		&& cp <= (char*)vec->iov_base + vec->iov_len;
> +	return cp == (char *)vec->iov_base + vec->iov_len;
>  }
>  
>  static inline int
> 
> 
> Patches currently in stable-queue which might be from bfields@redhat.com are
> 
> queue-4.4/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
> queue-4.4/nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch
> queue-4.4/nfsd-fix-up-the-supattr_exclcreat-attributes.patch

^ permalink raw reply

* Re: Patch "nfsd: Fix up the "supattr_exclcreat" attributes" has been added to the 4.9-stable tree
From: Greg KH @ 2017-05-23 19:26 UTC (permalink / raw)
  To: trond.myklebust, bfields; +Cc: stable, stable-commits
In-Reply-To: <1495564691109155@kroah.com>

Same problem here on 4.9, it breaks this tree too...

greg k-h


On Tue, May 23, 2017 at 08:38:11PM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     nfsd: Fix up the "supattr_exclcreat" attributes
> 
> to the 4.9-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      nfsd-fix-up-the-supattr_exclcreat-attributes.patch
> and it can be found in the queue-4.9 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> >From b26b78cb726007533d81fdf90a62e915002ef5c8 Mon Sep 17 00:00:00 2001
> From: Trond Myklebust <trond.myklebust@primarydata.com>
> Date: Tue, 9 May 2017 16:24:59 -0400
> Subject: nfsd: Fix up the "supattr_exclcreat" attributes
> 
> From: Trond Myklebust <trond.myklebust@primarydata.com>
> 
> commit b26b78cb726007533d81fdf90a62e915002ef5c8 upstream.
> 
> If an NFSv4 client asks us for the supattr_exclcreat, then we must
> not return attributes that are unsupported by this minor version.
> 
> Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
> Fixes: 75976de6556f ("NFSD: Return word2 bitmask if setting security..,")
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  fs/nfsd/nfs4xdr.c |   11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -2793,9 +2793,14 @@ out_acl:
>  	}
>  #endif /* CONFIG_NFSD_PNFS */
>  	if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) {
> -		status = nfsd4_encode_bitmap(xdr, NFSD_SUPPATTR_EXCLCREAT_WORD0,
> -						  NFSD_SUPPATTR_EXCLCREAT_WORD1,
> -						  NFSD_SUPPATTR_EXCLCREAT_WORD2);
> +		u32 supp[3];
> +
> +		memcpy(supp, nfsd_suppattrs[minorversion], sizeof(supp));
> +		supp[0] &= NFSD_SUPPATTR_EXCLCREAT_WORD0;
> +		supp[1] &= NFSD_SUPPATTR_EXCLCREAT_WORD1;
> +		supp[2] &= NFSD_SUPPATTR_EXCLCREAT_WORD2;
> +
> +		status = nfsd4_encode_bitmap(xdr, supp[0], supp[1], supp[2]);
>  		if (status)
>  			goto out;
>  	}
> 
> 
> Patches currently in stable-queue which might be from trond.myklebust@primarydata.com are
> 
> queue-4.9/nfs-use-gfp_noio-for-two-allocations-in-writeback.patch
> queue-4.9/nfsv4-fix-a-hang-in-open-related-to-server-reboot.patch
> queue-4.9/nfsd-fix-up-the-supattr_exclcreat-attributes.patch
> queue-4.9/nfs-fix-use-after-free-in-write-error-path.patch

^ permalink raw reply

* Re: Patch "nfsd: Fix up the "supattr_exclcreat" attributes" has been added to the 4.4-stable tree
From: Greg KH @ 2017-05-23 19:23 UTC (permalink / raw)
  To: trond.myklebust, bfields; +Cc: stable, stable-commits
In-Reply-To: <14955646521694@kroah.com>

Oops, nope, this breaks the build on 4.4, can someone please provide a
working backport as it is "supposed" to be added to that kernel...

thanks,

greg k-h

On Tue, May 23, 2017 at 08:37:32PM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     nfsd: Fix up the "supattr_exclcreat" attributes
> 
> to the 4.4-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      nfsd-fix-up-the-supattr_exclcreat-attributes.patch
> and it can be found in the queue-4.4 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> >From b26b78cb726007533d81fdf90a62e915002ef5c8 Mon Sep 17 00:00:00 2001
> From: Trond Myklebust <trond.myklebust@primarydata.com>
> Date: Tue, 9 May 2017 16:24:59 -0400
> Subject: nfsd: Fix up the "supattr_exclcreat" attributes
> 
> From: Trond Myklebust <trond.myklebust@primarydata.com>
> 
> commit b26b78cb726007533d81fdf90a62e915002ef5c8 upstream.
> 
> If an NFSv4 client asks us for the supattr_exclcreat, then we must
> not return attributes that are unsupported by this minor version.
> 
> Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
> Fixes: 75976de6556f ("NFSD: Return word2 bitmask if setting security..,")
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  fs/nfsd/nfs4xdr.c |   11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -2753,9 +2753,14 @@ out_acl:
>  	}
>  #endif /* CONFIG_NFSD_PNFS */
>  	if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) {
> -		status = nfsd4_encode_bitmap(xdr, NFSD_SUPPATTR_EXCLCREAT_WORD0,
> -						  NFSD_SUPPATTR_EXCLCREAT_WORD1,
> -						  NFSD_SUPPATTR_EXCLCREAT_WORD2);
> +		u32 supp[3];
> +
> +		memcpy(supp, nfsd_suppattrs[minorversion], sizeof(supp));
> +		supp[0] &= NFSD_SUPPATTR_EXCLCREAT_WORD0;
> +		supp[1] &= NFSD_SUPPATTR_EXCLCREAT_WORD1;
> +		supp[2] &= NFSD_SUPPATTR_EXCLCREAT_WORD2;
> +
> +		status = nfsd4_encode_bitmap(xdr, supp[0], supp[1], supp[2]);
>  		if (status)
>  			goto out;
>  	}
> 
> 
> Patches currently in stable-queue which might be from trond.myklebust@primarydata.com are
> 
> queue-4.4/nfsd-fix-up-the-supattr_exclcreat-attributes.patch

^ permalink raw reply

* Re: [PATCH v5 1/2] PCI / PM: Add needs_resume flag to avoid suspend complete optimization
From: Bjorn Helgaas @ 2017-05-23 19:20 UTC (permalink / raw)
  To: Imre Deak
  Cc: Bjorn Helgaas, Jani Nikula, Rafael J . Wysocki, linux-pci, stable
In-Reply-To: <1493891315-11867-1-git-send-email-imre.deak@intel.com>

On Thu, May 04, 2017 at 12:48:35PM +0300, Imre Deak wrote:
> Some drivers - like i915 - may not support the system suspend direct
> complete optimization due to differences in their runtime and system
> suspend sequence. Add a flag that when set resumes the device before
> calling the driver's system suspend handlers which effectively disables
> the optimization.
> 
> Needed by the next patch fixing suspend/resume on i915.
> 
> Suggested by Rafael.
> 
> v2-v3:
> - unchanged
> 
> v4:
> - Move the flag to dev_flags instead of using a bit field. (Rafael)
> 
> v5:
> - Rebase on pci/next branch using the free next enum number available.
> 
> Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> Cc: Bjorn Helgaas <bhelgaas@google.com>
> Cc: linux-pci@vger.kernel.org
> Cc: stable@vger.kernel.org
> Signed-off-by: Imre Deak <imre.deak@intel.com>
> Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

Applied this patch only to for-linus for v4.12.  I'll try to remember to cc
you when I ask Linus to pull it.

> ---
> 
> [ Bjorn, could you apply this one patch to the pci tree? We would merge
>   the second patch via the drm-tip tree once this one shows up in Linus'
>   tree. ]
> ---
>  drivers/pci/pci.c   | 3 ++-
>  include/linux/pci.h | 5 +++++
>  2 files changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
> index b01bd5b..563901c 100644
> --- a/drivers/pci/pci.c
> +++ b/drivers/pci/pci.c
> @@ -2144,7 +2144,8 @@ bool pci_dev_keep_suspended(struct pci_dev *pci_dev)
>  
>  	if (!pm_runtime_suspended(dev)
>  	    || pci_target_state(pci_dev) != pci_dev->current_state
> -	    || platform_pci_need_resume(pci_dev))
> +	    || platform_pci_need_resume(pci_dev)
> +	    || (pci_dev->dev_flags & PCI_DEV_FLAGS_NEEDS_RESUME))
>  		return false;
>  
>  	/*
> diff --git a/include/linux/pci.h b/include/linux/pci.h
> index 88185ff..ce82b60 100644
> --- a/include/linux/pci.h
> +++ b/include/linux/pci.h
> @@ -183,6 +183,11 @@ enum pci_dev_flags {
>  	PCI_DEV_FLAGS_BRIDGE_XLATE_ROOT = (__force pci_dev_flags_t) (1 << 9),
>  	/* Do not use FLR even if device advertises PCI_AF_CAP */
>  	PCI_DEV_FLAGS_NO_FLR_RESET = (__force pci_dev_flags_t) (1 << 10),
> +	/*
> +	 * Resume before calling the driver's system suspend hooks, disabling
> +	 * the direct_complete optimization.
> +	 */
> +	PCI_DEV_FLAGS_NEEDS_RESUME = (__force pci_dev_flags_t) (1 << 11),
>  };
>  
>  enum pci_irq_reroute_variant {
> -- 
> 2.7.4
> 

^ permalink raw reply

* [PATCH] IB/hfi1: Protect the global dev_cntr_names and port_cntr_names
From: Mike Marciniszyn @ 2017-05-23 19:20 UTC (permalink / raw)
  To: stable; +Cc: linux-rdma, stable-commits

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit d5483feda85a8f39ee2e940e279547c686aac30c upstream.

Protect the global dev_cntr_names and port_cntr_names with the global
mutex as they are allocated and freed in a function called per device.
Otherwise there is a danger of double free and memory leaks.

Cc: stable <stable@vger.kernel.org> # v4.10
Fixes: Commit b7481944b06e ("IB/hfi1: Show statistics counters under IB stats interface")
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Reviewed-by: Easwar Hariharan <easwar.hariharan@intel.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
---
 drivers/infiniband/hw/hfi1/verbs.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
index 6002aa9..5105b95 100644
--- a/drivers/infiniband/hw/hfi1/verbs.c
+++ b/drivers/infiniband/hw/hfi1/verbs.c
@@ -1605,6 +1605,7 @@ static void hfi1_get_dev_fw_str(struct ib_device *ibdev, char *str,
 	"DRIVER_EgrHdrFull"
 };
 
+static DEFINE_MUTEX(cntr_names_lock); /* protects the *_cntr_names bufers */
 static const char **dev_cntr_names;
 static const char **port_cntr_names;
 static int num_driver_cntrs = ARRAY_SIZE(driver_cntr_names);
@@ -1659,6 +1660,7 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 {
 	int i, err;
 
+	mutex_lock(&cntr_names_lock);
 	if (!cntr_names_initialized) {
 		struct hfi1_devdata *dd = dd_from_ibdev(ibdev);
 
@@ -1667,8 +1669,10 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 				      num_driver_cntrs,
 				      &num_dev_cntrs,
 				      &dev_cntr_names);
-		if (err)
+		if (err) {
+			mutex_unlock(&cntr_names_lock);
 			return NULL;
+		}
 
 		for (i = 0; i < num_driver_cntrs; i++)
 			dev_cntr_names[num_dev_cntrs + i] =
@@ -1682,10 +1686,12 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 		if (err) {
 			kfree(dev_cntr_names);
 			dev_cntr_names = NULL;
+			mutex_unlock(&cntr_names_lock);
 			return NULL;
 		}
 		cntr_names_initialized = 1;
 	}
+	mutex_unlock(&cntr_names_lock);
 
 	if (!port_num)
 		return rdma_alloc_hw_stats_struct(
@@ -1903,9 +1909,13 @@ void hfi1_unregister_ib_device(struct hfi1_devdata *dd)
 	del_timer_sync(&dev->mem_timer);
 	verbs_txreq_exit(dev);
 
+	mutex_lock(&cntr_names_lock);
 	kfree(dev_cntr_names);
 	kfree(port_cntr_names);
+	dev_cntr_names = NULL;
+	port_cntr_names = NULL;
 	cntr_names_initialized = 0;
+	mutex_unlock(&cntr_names_lock);
 }
 
 void hfi1_cnp_rcv(struct hfi1_packet *packet)

^ permalink raw reply related

* [PATCH] IB/hfi1: Protect the global dev_cntr_names and port_cntr_names
From: Mike Marciniszyn @ 2017-05-23 19:17 UTC (permalink / raw)
  To: stable; +Cc: linux-rdma, stable-commits

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit d5483feda85a8f39ee2e940e279547c686aac30c upstream.

Protect the global dev_cntr_names and port_cntr_names with the global
mutex as they are allocated and freed in a function called per device.
Otherwise there is a danger of double free and memory leaks.

Cc: stable <stable@vger.kernel.org> # v4.11
Fixes: Commit b7481944b06e ("IB/hfi1: Show statistics counters under IB stats interface")
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Reviewed-by: Easwar Hariharan <easwar.hariharan@intel.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
---
 drivers/infiniband/hw/hfi1/verbs.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
index 16ef7b1..1c67745 100644
--- a/drivers/infiniband/hw/hfi1/verbs.c
+++ b/drivers/infiniband/hw/hfi1/verbs.c
@@ -1524,6 +1524,7 @@ static void hfi1_get_dev_fw_str(struct ib_device *ibdev, char *str,
 	"DRIVER_EgrHdrFull"
 };
 
+static DEFINE_MUTEX(cntr_names_lock); /* protects the *_cntr_names bufers */
 static const char **dev_cntr_names;
 static const char **port_cntr_names;
 static int num_driver_cntrs = ARRAY_SIZE(driver_cntr_names);
@@ -1578,6 +1579,7 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 {
 	int i, err;
 
+	mutex_lock(&cntr_names_lock);
 	if (!cntr_names_initialized) {
 		struct hfi1_devdata *dd = dd_from_ibdev(ibdev);
 
@@ -1586,8 +1588,10 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 				      num_driver_cntrs,
 				      &num_dev_cntrs,
 				      &dev_cntr_names);
-		if (err)
+		if (err) {
+			mutex_unlock(&cntr_names_lock);
 			return NULL;
+		}
 
 		for (i = 0; i < num_driver_cntrs; i++)
 			dev_cntr_names[num_dev_cntrs + i] =
@@ -1601,10 +1605,12 @@ static struct rdma_hw_stats *alloc_hw_stats(struct ib_device *ibdev,
 		if (err) {
 			kfree(dev_cntr_names);
 			dev_cntr_names = NULL;
+			mutex_unlock(&cntr_names_lock);
 			return NULL;
 		}
 		cntr_names_initialized = 1;
 	}
+	mutex_unlock(&cntr_names_lock);
 
 	if (!port_num)
 		return rdma_alloc_hw_stats_struct(
@@ -1823,9 +1829,13 @@ void hfi1_unregister_ib_device(struct hfi1_devdata *dd)
 	del_timer_sync(&dev->mem_timer);
 	verbs_txreq_exit(dev);
 
+	mutex_lock(&cntr_names_lock);
 	kfree(dev_cntr_names);
 	kfree(port_cntr_names);
+	dev_cntr_names = NULL;
+	port_cntr_names = NULL;
 	cntr_names_initialized = 0;
+	mutex_unlock(&cntr_names_lock);
 }
 
 void hfi1_cnp_rcv(struct hfi1_packet *packet)

^ permalink raw reply related

* Re: Patch "nfsd: check for oversized NFSv2/v3 arguments" has been added to the 4.11-stable tree
From: J. Bruce Fields @ 2017-05-23 19:13 UTC (permalink / raw)
  To: gregkh; +Cc: ari, thaan, stable, stable-commits
In-Reply-To: <149556461119183@kroah.com>

NAK.--b.

On Tue, May 23, 2017 at 08:36:51PM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     nfsd: check for oversized NFSv2/v3 arguments
> 
> to the 4.11-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      nfsd-check-for-oversized-nfsv2-v3-arguments.patch
> and it can be found in the queue-4.11 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> From 51f567777799c9d85a778302b9eb61cf15214a98 Mon Sep 17 00:00:00 2001
> From: "J. Bruce Fields" <bfields@redhat.com>
> Date: Thu, 6 Apr 2017 22:36:31 -0400
> Subject: nfsd: check for oversized NFSv2/v3 arguments
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> From: J. Bruce Fields <bfields@redhat.com>
> 
> commit 51f567777799c9d85a778302b9eb61cf15214a98 upstream.
> 
> A client can append random data to the end of an NFSv2 or NFSv3 RPC call
> without our complaining; we'll just stop parsing at the end of the
> expected data and ignore the rest.
> 
> Encoded arguments and replies are stored together in an array of pages,
> and if a call is too large it could leave inadequate space for the
> reply.  This is normally OK because NFS RPC's typically have either
> short arguments and long replies (like READ) or long arguments and short
> replies (like WRITE).  But a client that sends an incorrectly long reply
> can violate those assumptions.  This was observed to cause crashes.
> 
> So, insist that the argument not be any longer than we expect.
> 
> Also, several operations increment rq_next_page in the decode routine
> before checking the argument size, which can leave rq_next_page pointing
> well past the end of the page array, causing trouble later in
> svc_free_pages.
> 
> As followup we may also want to rewrite the encoding routines to check
> more carefully that they aren't running off the end of the page array.
> 
> Reported-by: Tuomas Haanp�� <thaan@synopsys.com>
> Reported-by: Ari Kauppi <ari@synopsys.com>
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  fs/nfsd/nfs3xdr.c          |   23 +++++++++++++++++------
>  fs/nfsd/nfsxdr.c           |   13 ++++++++++---
>  include/linux/sunrpc/svc.h |    3 +--
>  3 files changed, 28 insertions(+), 11 deletions(-)
> 
> --- a/fs/nfsd/nfs3xdr.c
> +++ b/fs/nfsd/nfs3xdr.c
> @@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst
>  	if (!p)
>  		return 0;
>  	p = xdr_decode_hyper(p, &args->offset);
> -
>  	args->count = ntohl(*p++);
> +
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = min(args->count, max_blocksize);
>  
>  	/* set up the kvec */
> @@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst
>  		v++;
>  	}
>  	args->vlen = v;
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -541,9 +544,11 @@ nfs3svc_decode_readlinkargs(struct svc_r
>  	p = decode_fh(p, &args->fh);
>  	if (!p)
>  		return 0;
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -569,10 +574,14 @@ nfs3svc_decode_readdirargs(struct svc_rq
>  	args->verf   = p; p += 2;
>  	args->dircount = ~0;
>  	args->count  = ntohl(*p++);
> +
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	args->count  = min_t(u32, args->count, PAGE_SIZE);
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -590,6 +599,9 @@ nfs3svc_decode_readdirplusargs(struct sv
>  	args->dircount = ntohl(*p++);
>  	args->count    = ntohl(*p++);
>  
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = args->count = min(args->count, max_blocksize);
>  	while (len > 0) {
>  		struct page *p = *(rqstp->rq_next_page++);
> @@ -597,8 +609,7 @@ nfs3svc_decode_readdirplusargs(struct sv
>  			args->buffer = page_address(p);
>  		len -= PAGE_SIZE;
>  	}
> -
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> --- a/fs/nfsd/nfsxdr.c
> +++ b/fs/nfsd/nfsxdr.c
> @@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *
>  	len = args->count     = ntohl(*p++);
>  	p++; /* totalcount - unused */
>  
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
>  
>  	/* set up somewhere to store response.
> @@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *
>  		v++;
>  	}
>  	args->vlen = v;
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -362,9 +365,11 @@ nfssvc_decode_readlinkargs(struct svc_rq
>  	p = decode_fh(p, &args->fh);
>  	if (!p)
>  		return 0;
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -402,9 +407,11 @@ nfssvc_decode_readdirargs(struct svc_rqs
>  	args->cookie = ntohl(*p++);
>  	args->count  = ntohl(*p++);
>  	args->count  = min_t(u32, args->count, PAGE_SIZE);
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  /*
> --- a/include/linux/sunrpc/svc.h
> +++ b/include/linux/sunrpc/svc.h
> @@ -336,8 +336,7 @@ xdr_argsize_check(struct svc_rqst *rqstp
>  {
>  	char *cp = (char *)p;
>  	struct kvec *vec = &rqstp->rq_arg.head[0];
> -	return cp >= (char*)vec->iov_base
> -		&& cp <= (char*)vec->iov_base + vec->iov_len;
> +	return cp == (char *)vec->iov_base + vec->iov_len;
>  }
>  
>  static inline int
> 
> 
> Patches currently in stable-queue which might be from bfields@redhat.com are
> 
> queue-4.11/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
> queue-4.11/nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch
> queue-4.11/nfsd-fix-undefined-behavior-in-nfsd4_layout_verify.patch
> queue-4.11/nfsd-fix-up-the-supattr_exclcreat-attributes.patch

^ permalink raw reply

* Re: Patch "nfsd: check for oversized NFSv2/v3 arguments" has been added to the 3.18-stable tree
From: J. Bruce Fields @ 2017-05-23 19:13 UTC (permalink / raw)
  To: gregkh; +Cc: ari, thaan, stable, stable-commits
In-Reply-To: <149556457717213@kroah.com>

NAK to this and all other backports of 51f567777799 (but I'll try to NAK
them all individually).

I also tentatively have a stable cc on the upstream revert that I've got
queued up--I figured that might be good just in case any backports slip
through.  (But if getting the cc on a revert that probably doesn't apply
is more annoying, tell me.)

Apologies for this one, the problem was fixed by e6838a29ecb "nfsd:
check for oversized NFSv2/v3 arguments", but I accidentally left this
earlier attempt at a fix on the branch that I submitted for 4.12.

--b.

On Tue, May 23, 2017 at 08:36:17PM +0200, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     nfsd: check for oversized NFSv2/v3 arguments
> 
> to the 3.18-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      nfsd-check-for-oversized-nfsv2-v3-arguments.patch
> and it can be found in the queue-3.18 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> From 51f567777799c9d85a778302b9eb61cf15214a98 Mon Sep 17 00:00:00 2001
> From: "J. Bruce Fields" <bfields@redhat.com>
> Date: Thu, 6 Apr 2017 22:36:31 -0400
> Subject: nfsd: check for oversized NFSv2/v3 arguments
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> From: J. Bruce Fields <bfields@redhat.com>
> 
> commit 51f567777799c9d85a778302b9eb61cf15214a98 upstream.
> 
> A client can append random data to the end of an NFSv2 or NFSv3 RPC call
> without our complaining; we'll just stop parsing at the end of the
> expected data and ignore the rest.
> 
> Encoded arguments and replies are stored together in an array of pages,
> and if a call is too large it could leave inadequate space for the
> reply.  This is normally OK because NFS RPC's typically have either
> short arguments and long replies (like READ) or long arguments and short
> replies (like WRITE).  But a client that sends an incorrectly long reply
> can violate those assumptions.  This was observed to cause crashes.
> 
> So, insist that the argument not be any longer than we expect.
> 
> Also, several operations increment rq_next_page in the decode routine
> before checking the argument size, which can leave rq_next_page pointing
> well past the end of the page array, causing trouble later in
> svc_free_pages.
> 
> As followup we may also want to rewrite the encoding routines to check
> more carefully that they aren't running off the end of the page array.
> 
> Reported-by: Tuomas Haanp�� <thaan@synopsys.com>
> Reported-by: Ari Kauppi <ari@synopsys.com>
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  fs/nfsd/nfs3xdr.c          |   23 +++++++++++++++++------
>  fs/nfsd/nfsxdr.c           |   13 ++++++++++---
>  include/linux/sunrpc/svc.h |    3 +--
>  3 files changed, 28 insertions(+), 11 deletions(-)
> 
> --- a/fs/nfsd/nfs3xdr.c
> +++ b/fs/nfsd/nfs3xdr.c
> @@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst
>  	if (!p)
>  		return 0;
>  	p = xdr_decode_hyper(p, &args->offset);
> -
>  	args->count = ntohl(*p++);
> +
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = min(args->count, max_blocksize);
>  
>  	/* set up the kvec */
> @@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst
>  		v++;
>  	}
>  	args->vlen = v;
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -536,9 +539,11 @@ nfs3svc_decode_readlinkargs(struct svc_r
>  	p = decode_fh(p, &args->fh);
>  	if (!p)
>  		return 0;
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -564,10 +569,14 @@ nfs3svc_decode_readdirargs(struct svc_rq
>  	args->verf   = p; p += 2;
>  	args->dircount = ~0;
>  	args->count  = ntohl(*p++);
> +
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	args->count  = min_t(u32, args->count, PAGE_SIZE);
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -585,6 +594,9 @@ nfs3svc_decode_readdirplusargs(struct sv
>  	args->dircount = ntohl(*p++);
>  	args->count    = ntohl(*p++);
>  
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = args->count = min(args->count, max_blocksize);
>  	while (len > 0) {
>  		struct page *p = *(rqstp->rq_next_page++);
> @@ -592,8 +604,7 @@ nfs3svc_decode_readdirplusargs(struct sv
>  			args->buffer = page_address(p);
>  		len -= PAGE_SIZE;
>  	}
> -
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> --- a/fs/nfsd/nfsxdr.c
> +++ b/fs/nfsd/nfsxdr.c
> @@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst *
>  	len = args->count     = ntohl(*p++);
>  	p++; /* totalcount - unused */
>  
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
> +
>  	len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2);
>  
>  	/* set up somewhere to store response.
> @@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst *
>  		v++;
>  	}
>  	args->vlen = v;
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -360,9 +363,11 @@ nfssvc_decode_readlinkargs(struct svc_rq
>  	p = decode_fh(p, &args->fh);
>  	if (!p)
>  		return 0;
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  int
> @@ -400,9 +405,11 @@ nfssvc_decode_readdirargs(struct svc_rqs
>  	args->cookie = ntohl(*p++);
>  	args->count  = ntohl(*p++);
>  	args->count  = min_t(u32, args->count, PAGE_SIZE);
> +	if (!xdr_argsize_check(rqstp, p))
> +		return 0;
>  	args->buffer = page_address(*(rqstp->rq_next_page++));
>  
> -	return xdr_argsize_check(rqstp, p);
> +	return 1;
>  }
>  
>  /*
> --- a/include/linux/sunrpc/svc.h
> +++ b/include/linux/sunrpc/svc.h
> @@ -326,8 +326,7 @@ xdr_argsize_check(struct svc_rqst *rqstp
>  {
>  	char *cp = (char *)p;
>  	struct kvec *vec = &rqstp->rq_arg.head[0];
> -	return cp >= (char*)vec->iov_base
> -		&& cp <= (char*)vec->iov_base + vec->iov_len;
> +	return cp == (char *)vec->iov_base + vec->iov_len;
>  }
>  
>  static inline int
> 
> 
> Patches currently in stable-queue which might be from bfields@redhat.com are
> 
> queue-3.18/nfsd-check-for-oversized-nfsv2-v3-arguments.patch

^ permalink raw reply

* Patch "tracing/kprobes: Enforce kprobes teardown after testing" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: tglx, gregkh, mhiramat, rostedt; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    tracing/kprobes: Enforce kprobes teardown after testing

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tracing-kprobes-enforce-kprobes-teardown-after-testing.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Wed, 17 May 2017 10:19:49 +0200
Subject: tracing/kprobes: Enforce kprobes teardown after testing

From: Thomas Gleixner <tglx@linutronix.de>

commit 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd upstream.

Enabling the tracer selftest triggers occasionally the warning in
text_poke(), which warns when the to be modified page is not marked
reserved.

The reason is that the tracer selftest installs kprobes on functions marked
__init for testing. These probes are removed after the tests, but that
removal schedules the delayed kprobes_optimizer work, which will do the
actual text poke. If the work is executed after the init text is freed,
then the warning triggers. The bug can be reproduced reliably when the work
delay is increased.

Flush the optimizer work and wait for the optimizing/unoptimizing lists to
become empty before returning from the kprobes tracer selftest. That
ensures that all operations which were queued due to the probes removal
have completed.

Link: http://lkml.kernel.org/r/20170516094802.76a468bb@gandalf.local.home

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Fixes: 6274de498 ("kprobes: Support delayed unoptimizing")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/kprobes.h     |    4 +++-
 kernel/kprobes.c            |    2 +-
 kernel/trace/trace_kprobe.c |    5 +++++
 3 files changed, 9 insertions(+), 2 deletions(-)

--- a/include/linux/kprobes.h
+++ b/include/linux/kprobes.h
@@ -330,7 +330,9 @@ extern int proc_kprobes_optimization_han
 					     int write, void __user *buffer,
 					     size_t *length, loff_t *ppos);
 #endif
-
+extern void wait_for_kprobe_optimizer(void);
+#else
+static inline void wait_for_kprobe_optimizer(void) { }
 #endif /* CONFIG_OPTPROBES */
 #ifdef CONFIG_KPROBES_ON_FTRACE
 extern void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -563,7 +563,7 @@ static void kprobe_optimizer(struct work
 }
 
 /* Wait for completing optimization and unoptimization */
-static void wait_for_kprobe_optimizer(void)
+void wait_for_kprobe_optimizer(void)
 {
 	mutex_lock(&kprobe_mutex);
 
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -1484,6 +1484,11 @@ static __init int kprobe_trace_self_test
 
 end:
 	release_all_trace_kprobes();
+	/*
+	 * Wait for the optimizer work to finish. Otherwise it might fiddle
+	 * with probes in already freed __init text.
+	 */
+	wait_for_kprobe_optimizer();
 	if (warn)
 		pr_cont("NG: Some tests are failed. Please check them.\n");
 	else


Patches currently in stable-queue which might be from tglx@linutronix.de are

queue-4.9/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch
queue-4.9/genirq-fix-chained-interrupt-data-ordering.patch
queue-4.9/tracing-kprobes-enforce-kprobes-teardown-after-testing.patch

^ permalink raw reply

* Patch "um: Fix to call read_initrd after init_bootmem" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: mhiramat, gregkh, richard; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    um: Fix to call read_initrd after init_bootmem

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     um-fix-to-call-read_initrd-after-init_bootmem.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 5b4236e17cc1bd9fa14b2b0c7a4ae632d41f2e20 Mon Sep 17 00:00:00 2001
From: Masami Hiramatsu <mhiramat@kernel.org>
Date: Thu, 27 Apr 2017 12:15:10 +0900
Subject: um: Fix to call read_initrd after init_bootmem

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 5b4236e17cc1bd9fa14b2b0c7a4ae632d41f2e20 upstream.

Since read_initrd() invokes alloc_bootmem() for allocating
memory to load initrd image, it must be called after init_bootmem.

This makes read_initrd() called directly from setup_arch()
after init_bootmem() and mem_total_pages().

Fixes: b63236972e1 ("um: Setup physical memory in setup_arch()")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/um/kernel/initrd.c  |    4 +---
 arch/um/kernel/um_arch.c |    6 ++++++
 2 files changed, 7 insertions(+), 3 deletions(-)

--- a/arch/um/kernel/initrd.c
+++ b/arch/um/kernel/initrd.c
@@ -14,7 +14,7 @@
 static char *initrd __initdata = NULL;
 static int load_initrd(char *filename, void *buf, int size);
 
-static int __init read_initrd(void)
+int __init read_initrd(void)
 {
 	void *area;
 	long long size;
@@ -46,8 +46,6 @@ static int __init read_initrd(void)
 	return 0;
 }
 
-__uml_postsetup(read_initrd);
-
 static int __init uml_initrd_setup(char *line, int *add)
 {
 	initrd = line;
--- a/arch/um/kernel/um_arch.c
+++ b/arch/um/kernel/um_arch.c
@@ -336,11 +336,17 @@ int __init linux_main(int argc, char **a
 	return start_uml();
 }
 
+int __init __weak read_initrd(void)
+{
+	return 0;
+}
+
 void __init setup_arch(char **cmdline_p)
 {
 	stack_protections((unsigned long) &init_thread_info);
 	setup_physmem(uml_physmem, uml_reserved, physmem_size, highmem);
 	mem_total_pages(physmem_size, iomem_size, highmem);
+	read_initrd();
 
 	paging_init();
 	strlcpy(boot_command_line, command_line, COMMAND_LINE_SIZE);


Patches currently in stable-queue which might be from mhiramat@kernel.org are

queue-4.9/um-fix-to-call-read_initrd-after-init_bootmem.patch
queue-4.9/tracing-kprobes-enforce-kprobes-teardown-after-testing.patch

^ permalink raw reply

* Patch "PCI: Only allow WC mmap on prefetchable resources" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: dwmw, bhelgaas, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    PCI: Only allow WC mmap on prefetchable resources

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pci-only-allow-wc-mmap-on-prefetchable-resources.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From cef4d02305a06be581bb7f4353446717a1b319ec Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw@amazon.co.uk>
Date: Wed, 12 Apr 2017 13:25:52 +0100
Subject: PCI: Only allow WC mmap on prefetchable resources

From: David Woodhouse <dwmw@amazon.co.uk>

commit cef4d02305a06be581bb7f4353446717a1b319ec upstream.

The /proc/bus/pci mmap interface allows the user to specify whether they
want WC or not.  Don't let them do so on non-prefetchable BARs.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/proc.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -231,7 +231,7 @@ static int proc_bus_pci_mmap(struct file
 {
 	struct pci_dev *dev = PDE_DATA(file_inode(file));
 	struct pci_filp_private *fpriv = file->private_data;
-	int i, ret, write_combine, res_bit;
+	int i, ret, write_combine = 0, res_bit;
 
 	if (!capable(CAP_SYS_RAWIO))
 		return -EPERM;
@@ -251,10 +251,13 @@ static int proc_bus_pci_mmap(struct file
 	if (i >= PCI_ROM_RESOURCE)
 		return -ENODEV;
 
-	if (fpriv->mmap_state == pci_mmap_mem)
-		write_combine = fpriv->write_combine;
-	else
-		write_combine = 0;
+	if (fpriv->mmap_state == pci_mmap_mem &&
+	    fpriv->write_combine) {
+		if (dev->resource[i].flags & IORESOURCE_PREFETCH)
+			write_combine = 1;
+		else
+			return -EINVAL;
+	}
 	ret = pci_mmap_page_range(dev, vma,
 				  fpriv->mmap_state, write_combine);
 	if (ret < 0)


Patches currently in stable-queue which might be from dwmw@amazon.co.uk are

queue-4.9/pci-fix-another-sanity-check-bug-in-proc-pci-mmap.patch
queue-4.9/pci-only-allow-wc-mmap-on-prefetchable-resources.patch
queue-4.9/pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch
queue-4.9/iommu-vt-d-flush-the-iotlb-to-get-rid-of-the-initial-kdump-mappings.patch

^ permalink raw reply

* Patch "PCI: Freeze PME scan before suspending devices" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: lukas; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    PCI: Freeze PME scan before suspending devices

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pci-freeze-pme-scan-before-suspending-devices.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From ea00353f36b64375518662a8ad15e39218a1f324 Mon Sep 17 00:00:00 2001
From: Lukas Wunner <lukas@wunner.de>
Date: Tue, 18 Apr 2017 20:44:30 +0200
Subject: PCI: Freeze PME scan before suspending devices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Lukas Wunner <lukas@wunner.de>

commit ea00353f36b64375518662a8ad15e39218a1f324 upstream.

Laurent Pinchart reported that the Renesas R-Car H2 Lager board (r8a7790)
crashes during suspend tests.  Geert Uytterhoeven managed to reproduce the
issue on an M2-W Koelsch board (r8a7791):

  It occurs when the PME scan runs, once per second.  During PME scan, the
  PCI host bridge (rcar-pci) registers are accessed while its module clock
  has already been disabled, leading to the crash.

One reproducer is to configure s2ram to use "s2idle" instead of "deep"
suspend:

  # echo 0 > /sys/module/printk/parameters/console_suspend
  # echo s2idle > /sys/power/mem_sleep
  # echo mem > /sys/power/state

Another reproducer is to write either "platform" or "processors" to
/sys/power/pm_test.  It does not (or is less likely) to happen during full
system suspend ("core" or "none") because system suspend also disables
timers, and thus the workqueue handling PME scans no longer runs.  Geert
believes the issue may still happen in the small window between disabling
module clocks and disabling timers:

  # echo 0 > /sys/module/printk/parameters/console_suspend
  # echo platform > /sys/power/pm_test    # Or "processors"
  # echo mem > /sys/power/state

(Make sure CONFIG_PCI_RCAR_GEN2 and CONFIG_USB_OHCI_HCD_PCI are enabled.)

Rafael Wysocki agrees that PME scans should be suspended before the host
bridge registers become inaccessible.  To that end, queue the task on a
workqueue that gets frozen before devices suspend.

Rafael notes however that as a result, some wakeup events may be missed if
they are delivered via PME from a device without working IRQ (which hence
must be polled) and occur after the workqueue has been frozen.  If that
turns out to be an issue in practice, it may be possible to solve it by
calling pci_pme_list_scan() once directly from one of the host bridge's
pm_ops callbacks.

Stacktrace for posterity:

  PM: Syncing filesystems ... [   38.566237] done.
  PM: Preparing system for sleep (mem)
  Freezing user space processes ... [   38.579813] (elapsed 0.001 seconds) done.
  Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
  PM: Suspending system (mem)
  PM: suspend of devices complete after 152.456 msecs
  PM: late suspend of devices complete after 2.809 msecs
  PM: noirq suspend of devices complete after 29.863 msecs
  suspend debug: Waiting for 5 second(s).
  Unhandled fault: asynchronous external abort (0x1211) at 0x00000000
  pgd = c0003000
  [00000000] *pgd=80000040004003, *pmd=00000000
  Internal error: : 1211 [#1] SMP ARM
  Modules linked in:
  CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted
  4.9.0-rc1-koelsch-00011-g68db9bc814362e7f #3383
  Hardware name: Generic R8A7791 (Flattened Device Tree)
  Workqueue: events pci_pme_list_scan
  task: eb56e140 task.stack: eb58e000
  PC is at pci_generic_config_read+0x64/0x6c
  LR is at rcar_pci_cfg_base+0x64/0x84
  pc : [<c041d7b4>]    lr : [<c04309a0>]    psr: 600d0093
  sp : eb58fe98  ip : c041d750  fp : 00000008
  r10: c0e2283c  r9 : 00000000  r8 : 600d0013
  r7 : 00000008  r6 : eb58fed6  r5 : 00000002  r4 : eb58feb4
  r3 : 00000000  r2 : 00000044  r1 : 00000008  r0 : 00000000
  Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
  Control: 30c5387d  Table: 6a9f6c80  DAC: 55555555
  Process kworker/1:1 (pid: 20, stack limit = 0xeb58e210)
  Stack: (0xeb58fe98 to 0xeb590000)
  fe80:                                                       00000002 00000044
  fea0: eb6f5800 c041d9b0 eb58feb4 00000008 00000044 00000000 eb78a000 eb78a000
  fec0: 00000044 00000000 eb9aff00 c0424bf0 eb78a000 00000000 eb78a000 c0e22830
  fee0: ea8a6fc0 c0424c5c eaae79c0 c0424ce0 eb55f380 c0e22838 eb9a9800 c0235fbc
  ff00: eb55f380 c0e22838 eb55f380 eb9a9800 eb9a9800 eb58e000 eb9a9824 c0e02100
  ff20: eb55f398 c02366c4 eb56e140 eb5631c0 00000000 eb55f380 c023641c 00000000
  ff40: 00000000 00000000 00000000 c023a928 cd105598 00000000 40506a34 eb55f380
  ff60: 00000000 00000000 dead4ead ffffffff ffffffff eb58ff74 eb58ff74 00000000
  ff80: 00000000 dead4ead ffffffff ffffffff eb58ff90 eb58ff90 eb58ffac eb5631c0
  ffa0: c023a844 00000000 00000000 c0206d68 00000000 00000000 00000000 00000000
  ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 3a81336c 10ccd1dd
  [<c041d7b4>] (pci_generic_config_read) from [<c041d9b0>]
  (pci_bus_read_config_word+0x58/0x80)
  [<c041d9b0>] (pci_bus_read_config_word) from [<c0424bf0>]
  (pci_check_pme_status+0x34/0x78)
  [<c0424bf0>] (pci_check_pme_status) from [<c0424c5c>] (pci_pme_wakeup+0x28/0x54)
  [<c0424c5c>] (pci_pme_wakeup) from [<c0424ce0>] (pci_pme_list_scan+0x58/0xb4)
  [<c0424ce0>] (pci_pme_list_scan) from [<c0235fbc>]
  (process_one_work+0x1bc/0x308)
  [<c0235fbc>] (process_one_work) from [<c02366c4>] (worker_thread+0x2a8/0x3e0)
  [<c02366c4>] (worker_thread) from [<c023a928>] (kthread+0xe4/0xfc)
  [<c023a928>] (kthread) from [<c0206d68>] (ret_from_fork+0x14/0x2c)
  Code: ea000000 e5903000 f57ff04f e3a00000 (e5843000)
  ---[ end trace 667d43ba3aa9e589 ]---

Fixes: df17e62e5bff ("PCI: Add support for polling PME state on suspended legacy PCI devices")
Reported-and-tested-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reported-and-tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Cc: Simon Horman <horms+renesas@verge.net.au>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/pci.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1782,8 +1782,8 @@ static void pci_pme_list_scan(struct wor
 		}
 	}
 	if (!list_empty(&pci_pme_list))
-		schedule_delayed_work(&pci_pme_work,
-				      msecs_to_jiffies(PME_TIMEOUT));
+		queue_delayed_work(system_freezable_wq, &pci_pme_work,
+				   msecs_to_jiffies(PME_TIMEOUT));
 	mutex_unlock(&pci_pme_list_mutex);
 }
 
@@ -1848,8 +1848,9 @@ void pci_pme_active(struct pci_dev *dev,
 			mutex_lock(&pci_pme_list_mutex);
 			list_add(&pme_dev->list, &pci_pme_list);
 			if (list_is_singular(&pci_pme_list))
-				schedule_delayed_work(&pci_pme_work,
-						      msecs_to_jiffies(PME_TIMEOUT));
+				queue_delayed_work(system_freezable_wq,
+						   &pci_pme_work,
+						   msecs_to_jiffies(PME_TIMEOUT));
 			mutex_unlock(&pci_pme_list_mutex);
 		} else {
 			mutex_lock(&pci_pme_list_mutex);


Patches currently in stable-queue which might be from lukas@wunner.de are

queue-4.9/pci-freeze-pme-scan-before-suspending-devices.patch

^ permalink raw reply

* Patch "PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: kys, bhelgaas, gregkh, longli; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pci-hv-specify-cpu_affinity_all-for-msi-affinity-when-32-cpus.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 433fcf6b7b31f1f233dd50aeb9d066a0f6ed4b9d Mon Sep 17 00:00:00 2001
From: "K. Y. Srinivasan" <kys@microsoft.com>
Date: Fri, 24 Mar 2017 11:07:21 -0700
Subject: PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs

From: K. Y. Srinivasan <kys@microsoft.com>

commit 433fcf6b7b31f1f233dd50aeb9d066a0f6ed4b9d upstream.

When we have 32 or more CPUs in the affinity mask, we should use a special
constant to specify that to the host. Fix this issue.

Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/host/pci-hyperv.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/pci/host/pci-hyperv.c
+++ b/drivers/pci/host/pci-hyperv.c
@@ -72,6 +72,7 @@ enum {
 	PCI_PROTOCOL_VERSION_CURRENT = PCI_PROTOCOL_VERSION_1_1
 };
 
+#define CPU_AFFINITY_ALL	-1ULL
 #define PCI_CONFIG_MMIO_LENGTH	0x2000
 #define CFG_PAGE_OFFSET 0x1000
 #define CFG_PAGE_SIZE (PCI_CONFIG_MMIO_LENGTH - CFG_PAGE_OFFSET)
@@ -889,9 +890,13 @@ static void hv_compose_msi_msg(struct ir
 	 * processors because Hyper-V only supports 64 in a guest.
 	 */
 	affinity = irq_data_get_affinity_mask(data);
-	for_each_cpu_and(cpu, affinity, cpu_online_mask) {
-		int_pkt->int_desc.cpu_mask |=
-			(1ULL << vmbus_cpu_number_to_vp_number(cpu));
+	if (cpumask_weight(affinity) >= 32) {
+		int_pkt->int_desc.cpu_mask = CPU_AFFINITY_ALL;
+	} else {
+		for_each_cpu_and(cpu, affinity, cpu_online_mask) {
+			int_pkt->int_desc.cpu_mask |=
+				(1ULL << vmbus_cpu_number_to_vp_number(cpu));
+		}
 	}
 
 	ret = vmbus_sendpacket(hpdev->hbus->hdev->channel, int_pkt,


Patches currently in stable-queue which might be from kys@microsoft.com are

queue-4.9/pci-hv-allocate-interrupt-descriptors-with-gfp_atomic.patch
queue-4.9/pci-hv-specify-cpu_affinity_all-for-msi-affinity-when-32-cpus.patch

^ permalink raw reply

* Patch "PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: kys, bhelgaas, gregkh, longli; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pci-hv-allocate-interrupt-descriptors-with-gfp_atomic.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 59c58ceeea9cdc6144d7b0303753e6bd26d87455 Mon Sep 17 00:00:00 2001
From: "K. Y. Srinivasan" <kys@microsoft.com>
Date: Fri, 24 Mar 2017 11:07:22 -0700
Subject: PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC

From: K. Y. Srinivasan <kys@microsoft.com>

commit 59c58ceeea9cdc6144d7b0303753e6bd26d87455 upstream.

The memory allocation here needs to be non-blocking.  Fix the issue.

Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/host/pci-hyperv.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pci/host/pci-hyperv.c
+++ b/drivers/pci/host/pci-hyperv.c
@@ -868,7 +868,7 @@ static void hv_compose_msi_msg(struct ir
 		hv_int_desc_free(hpdev, int_desc);
 	}
 
-	int_desc = kzalloc(sizeof(*int_desc), GFP_KERNEL);
+	int_desc = kzalloc(sizeof(*int_desc), GFP_ATOMIC);
 	if (!int_desc)
 		goto drop_reference;
 


Patches currently in stable-queue which might be from kys@microsoft.com are

queue-4.9/pci-hv-allocate-interrupt-descriptors-with-gfp_atomic.patch
queue-4.9/pci-hv-specify-cpu_affinity_all-for-msi-affinity-when-32-cpus.patch

^ permalink raw reply

* Patch "PCI: Fix another sanity check bug in /proc/pci mmap" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: dwmw, bhelgaas, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    PCI: Fix another sanity check bug in /proc/pci mmap

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pci-fix-another-sanity-check-bug-in-proc-pci-mmap.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 17caf56731311c9596e7d38a70c88fcb6afa6a1b Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw@amazon.co.uk>
Date: Wed, 12 Apr 2017 13:25:51 +0100
Subject: PCI: Fix another sanity check bug in /proc/pci mmap

From: David Woodhouse <dwmw@amazon.co.uk>

commit 17caf56731311c9596e7d38a70c88fcb6afa6a1b upstream.

Don't match MMIO maps with I/O BARs and vice versa.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/proc.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -231,14 +231,20 @@ static int proc_bus_pci_mmap(struct file
 {
 	struct pci_dev *dev = PDE_DATA(file_inode(file));
 	struct pci_filp_private *fpriv = file->private_data;
-	int i, ret, write_combine;
+	int i, ret, write_combine, res_bit;
 
 	if (!capable(CAP_SYS_RAWIO))
 		return -EPERM;
 
+	if (fpriv->mmap_state == pci_mmap_io)
+		res_bit = IORESOURCE_IO;
+	else
+		res_bit = IORESOURCE_MEM;
+
 	/* Make sure the caller is mapping a real resource for this device */
 	for (i = 0; i < PCI_ROM_RESOURCE; i++) {
-		if (pci_mmap_fits(dev, i, vma,  PCI_MMAP_PROCFS))
+		if (dev->resource[i].flags & res_bit &&
+		    pci_mmap_fits(dev, i, vma,  PCI_MMAP_PROCFS))
 			break;
 	}
 


Patches currently in stable-queue which might be from dwmw@amazon.co.uk are

queue-4.9/pci-fix-another-sanity-check-bug-in-proc-pci-mmap.patch
queue-4.9/pci-only-allow-wc-mmap-on-prefetchable-resources.patch
queue-4.9/pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch
queue-4.9/iommu-vt-d-flush-the-iotlb-to-get-rid-of-the-initial-kdump-mappings.patch

^ permalink raw reply

* Patch "PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: dwmw, bhelgaas, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 6bccc7f426abd640f08d8c75fb22f99483f201b4 Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw@amazon.co.uk>
Date: Wed, 12 Apr 2017 13:25:50 +0100
Subject: PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms

From: David Woodhouse <dwmw@amazon.co.uk>

commit 6bccc7f426abd640f08d8c75fb22f99483f201b4 upstream.

In the PCI_MMAP_PROCFS case when the address being passed by the user is a
'user visible' resource address based on the bus window, and not the actual
contents of the resource, that's what we need to be checking it against.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/pci-sysfs.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -974,15 +974,19 @@ void pci_remove_legacy_files(struct pci_
 int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma,
 		  enum pci_mmap_api mmap_api)
 {
-	unsigned long nr, start, size, pci_start;
+	unsigned long nr, start, size;
+	resource_size_t pci_start = 0, pci_end;
 
 	if (pci_resource_len(pdev, resno) == 0)
 		return 0;
 	nr = vma_pages(vma);
 	start = vma->vm_pgoff;
 	size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1;
-	pci_start = (mmap_api == PCI_MMAP_PROCFS) ?
-			pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
+	if (mmap_api == PCI_MMAP_PROCFS) {
+		pci_resource_to_user(pdev, resno, &pdev->resource[resno],
+				     &pci_start, &pci_end);
+		pci_start >>= PAGE_SHIFT;
+	}
 	if (start >= pci_start && start < pci_start + size &&
 			start + nr <= pci_start + size)
 		return 1;


Patches currently in stable-queue which might be from dwmw@amazon.co.uk are

queue-4.9/pci-fix-another-sanity-check-bug-in-proc-pci-mmap.patch
queue-4.9/pci-only-allow-wc-mmap-on-prefetchable-resources.patch
queue-4.9/pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch
queue-4.9/iommu-vt-d-flush-the-iotlb-to-get-rid-of-the-initial-kdump-mappings.patch

^ permalink raw reply

* Patch "NFSv4: Fix a hang in OPEN related to server reboot" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: trond.myklebust, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    NFSv4: Fix a hang in OPEN related to server reboot

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfsv4-fix-a-hang-in-open-related-to-server-reboot.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 56e0d71ef12f026d96213e45a662bde6bbff4676 Mon Sep 17 00:00:00 2001
From: Trond Myklebust <trond.myklebust@primarydata.com>
Date: Sat, 15 Apr 2017 19:20:01 -0400
Subject: NFSv4: Fix a hang in OPEN related to server reboot

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 56e0d71ef12f026d96213e45a662bde6bbff4676 upstream.

If the server fails to return the attributes as part of an OPEN
reply, and then reboots, we can end up hanging. The reason is that
the client attempts to send a GETATTR in order to pick up the
missing OPEN call, but fails to release the slot first, causing
reboot recovery to deadlock.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Fixes: 2e80dbe7ac51a ("NFSv4.1: Close callback races for OPEN, LAYOUTGET...")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4proc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2385,8 +2385,10 @@ static int _nfs4_proc_open(struct nfs4_o
 		if (status != 0)
 			return status;
 	}
-	if (!(o_res->f_attr->valid & NFS_ATTR_FATTR))
+	if (!(o_res->f_attr->valid & NFS_ATTR_FATTR)) {
+		nfs4_sequence_free_slot(&o_res->seq_res);
 		nfs4_proc_getattr(server, &o_res->fh, o_res->f_attr, o_res->f_label);
+	}
 	return 0;
 }
 


Patches currently in stable-queue which might be from trond.myklebust@primarydata.com are

queue-4.9/nfs-use-gfp_noio-for-two-allocations-in-writeback.patch
queue-4.9/nfsv4-fix-a-hang-in-open-related-to-server-reboot.patch
queue-4.9/nfsd-fix-up-the-supattr_exclcreat-attributes.patch
queue-4.9/nfs-fix-use-after-free-in-write-error-path.patch

^ permalink raw reply

* Patch "osf_wait4(): fix infoleak" has been added to the 4.9-stable tree
From: gregkh @ 2017-05-23 18:38 UTC (permalink / raw)
  To: viro, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    osf_wait4(): fix infoleak

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     osf_wait4-fix-infoleak.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From a8c39544a6eb2093c04afd5005b6192bd0e880c6 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun, 14 May 2017 21:47:25 -0400
Subject: osf_wait4(): fix infoleak

From: Al Viro <viro@zeniv.linux.org.uk>

commit a8c39544a6eb2093c04afd5005b6192bd0e880c6 upstream.

failing sys_wait4() won't fill struct rusage...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/alpha/kernel/osf_sys.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -1188,8 +1188,10 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
 	if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
 		return -EFAULT;
 
-	err = 0;
-	err |= put_user(status, ustatus);
+	err = put_user(status, ustatus);
+	if (ret < 0)
+		return err ? err : ret;
+
 	err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
 	err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
 	err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);


Patches currently in stable-queue which might be from viro@zeniv.linux.org.uk are

queue-4.9/metag-uaccess-check-access_ok-in-strncpy_from_user.patch
queue-4.9/osf_wait4-fix-infoleak.patch
queue-4.9/x86-fix-32-bit-case-of-__get_user_asm_u64.patch
queue-4.9/metag-uaccess-fix-access_ok.patch

^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox