diff --git a/debian/changelog b/debian/changelog index 9355ecff3..d4c09f3a5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.19.7-1~exp1) UNRELEASED; urgency=medium +linux (4.19.8-1~exp1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.6 @@ -6,6 +6,16 @@ linux (4.19.7-1~exp1) UNRELEASED; urgency=medium - [x86] KVM: LAPIC: Fix pv ipis use-before-initialization (CVE-2018-19406) - mm: cleancache: fix corruption on missed inode invalidation (CVE-2018-16862) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.8 + - blk-mq: fix corruption with direct issue (Closes: #915666) + - userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails + (CVE-2018-18397) + - userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem + (CVE-2018-18397) + - userfaultfd: shmem: add i_size checks (CVE-2018-18397) + - userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not + set (CVE-2018-18397) + - blk-mq: punt failed direct issue to dispatch list [ Marcin Juszkiewicz ] * [arm64] Enable ACPI IMPI @@ -34,10 +44,6 @@ linux (4.19.7-1~exp1) UNRELEASED; urgency=medium * debian/rules: Mark more targets as phony * libcpupower: Hide private function and drop it from .symbols file - [ Salvatore Bonaccorso ] - * blk-mq: fix corruption with direct issue (Closes: #915666) - * blk-mq: punt failed direct issue to dispatch list - -- Uwe Kleine-König Wed, 28 Nov 2018 12:20:46 +0100 linux (4.19.5-1~exp1) experimental; urgency=medium diff --git a/debian/patches/bugfix/all/blk-mq-fix-corruption-with-direct-issue.patch b/debian/patches/bugfix/all/blk-mq-fix-corruption-with-direct-issue.patch deleted file mode 100644 index 2cb95efa4..000000000 --- a/debian/patches/bugfix/all/blk-mq-fix-corruption-with-direct-issue.patch +++ /dev/null 
@@ -1,99 +0,0 @@
-From: Jens Axboe
-Date: Tue, 4 Dec 2018 20:06:48 -0700
-Subject: blk-mq: fix corruption with direct issue
-Origin: https://git.kernel.org/linus/ffe81d45322cc3cb140f0db080a4727ea284661e
-Bug-Debian: https://bugs.debian.org/915666
-
-If we attempt a direct issue to a SCSI device, and it returns BUSY, then
-we queue the request up normally. However, the SCSI layer may have
-already setup SG tables etc for this particular command. If we later
-merge with this request, then the old tables are no longer valid. Once
-we issue the IO, we only read/write the original part of the request,
-not the new state of it.
-
-This causes data corruption, and is most often noticed with the file
-system complaining about the just read data being invalid:
-
-[ 235.934465] EXT4-fs error (device sda1): ext4_iget:4831: inode #7142: comm dpkg-query: bad extra_isize 24937 (inode size 256)
-
-because most of it is garbage...
-
-This doesn't happen from the normal issue path, as we will simply defer
-the request to the hardware queue dispatch list if we fail. Once it's on
-the dispatch list, we never merge with it.
-
-Fix this from the direct issue path by flagging the request as
-REQ_NOMERGE so we don't change the size of it before issue.
-
-See also:
- https://bugzilla.kernel.org/show_bug.cgi?id=201685
-
-Tested-by: Guenter Roeck
-Fixes: 6ce3dd6eec1 ("blk-mq: issue directly if hw queue isn't busy in case of 'none'")
-Cc: stable@vger.kernel.org
-Signed-off-by: Jens Axboe
----
- block/blk-mq.c | 26 +++++++++++++++++++++++++-
- 1 file changed, 25 insertions(+), 1 deletion(-)
-
-diff --git a/block/blk-mq.c b/block/blk-mq.c
-index 3f91c6e5b17a..3262d83b9e07 100644
---- a/block/blk-mq.c
-+++ b/block/blk-mq.c
-@@ -1715,6 +1715,15 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx,
- break;
- case BLK_STS_RESOURCE:
- case BLK_STS_DEV_RESOURCE:
-+ /*
-+ * If direct dispatch fails, we cannot allow any merging on
-+ * this IO. Drivers (like SCSI) may have set up permanent state
-+ * for this request, like SG tables and mappings, and if we
-+ * merge to it later on then we'll still only do IO to the
-+ * original part.
-+ */
-+ rq->cmd_flags |= REQ_NOMERGE;
-+
- blk_mq_update_dispatch_busy(hctx, true);
- __blk_mq_requeue_request(rq);
- break;
-@@ -1727,6 +1736,18 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx,
- return ret;
- }
-
-+/*
-+ * Don't allow direct dispatch of anything but regular reads/writes,
-+ * as some of the other commands can potentially share request space
-+ * with data we need for the IO scheduler. If we attempt a direct dispatch
-+ * on those and fail, we can't safely add it to the scheduler afterwards
-+ * without potentially overwriting data that the driver has already written.
-+ */
-+static bool blk_rq_can_direct_dispatch(struct request *rq)
-+{
-+ return req_op(rq) == REQ_OP_READ || req_op(rq) == REQ_OP_WRITE;
-+}
-+
- static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
- struct request *rq,
- blk_qc_t *cookie,
-@@ -1748,7 +1769,7 @@ static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
- goto insert;
- }
-
-- if (q->elevator && !bypass_insert)
-+ if (!blk_rq_can_direct_dispatch(rq) || (q->elevator && !bypass_insert))
- goto insert;
-
- if (!blk_mq_get_dispatch_budget(hctx))
-@@ -1810,6 +1831,9 @@ void blk_mq_try_issue_list_directly(struct blk_mq_hw_ctx *hctx,
- struct request *rq = list_first_entry(list, struct request,
- queuelist);
-
-+ if (!blk_rq_can_direct_dispatch(rq))
-+ break;
-+
- list_del_init(&rq->queuelist);
- ret = blk_mq_request_issue_directly(rq);
- if (ret != BLK_STS_OK) {
---
-2.20.0.rc2
-
diff --git a/debian/patches/bugfix/all/blk-mq-punt-failed-direct-issue-to-dispatch-list.patch b/debian/patches/bugfix/all/blk-mq-punt-failed-direct-issue-to-dispatch-list.patch
deleted file mode 100644
index adf054eef..000000000
--- a/debian/patches/bugfix/all/blk-mq-punt-failed-direct-issue-to-dispatch-list.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From c616cbee97aed4bc6178f148a7240206dcdb85a6 Mon Sep 17 00:00:00 2001
-From: Jens Axboe
-Date: Thu, 6 Dec 2018 22:17:44 -0700
-Subject: blk-mq: punt failed direct issue to dispatch list
-
-From: Jens Axboe
-
-commit c616cbee97aed4bc6178f148a7240206dcdb85a6 upstream.
-
-After the direct dispatch corruption fix, we permanently disallow direct
-dispatch of non read/write requests. This works fine off the normal IO
-path, as they will be retried like any other failed direct dispatch
-request. But for the blk_insert_cloned_request() that only DM uses to
-bypass the bottom level scheduler, we always first attempt direct
-dispatch. For some types of requests, that's now a permanent failure,
-and no amount of retrying will make that succeed. This results in a
-livelock.
-
-Instead of making special cases for what we can direct issue, and now
-having to deal with DM solving the livelock while still retaining a BUSY
-condition feedback loop, always just add a request that has been through
-->queue_rq() to the hardware queue dispatch list. These are safe to use
-as no merging can take place there. Additionally, if requests do have
-prepped data from drivers, we aren't dependent on them not sharing space
-in the request structure to safely add them to the IO scheduler lists.
-
-This basically reverts ffe81d45322c and is based on a patch from Ming,
-but with the list insert case covered as well.
-
-Fixes: ffe81d45322c ("blk-mq: fix corruption with direct issue")
-Cc: stable@vger.kernel.org
-Suggested-by: Ming Lei
-Reported-by: Bart Van Assche
-Tested-by: Ming Lei
-Acked-by: Mike Snitzer
-Signed-off-by: Jens Axboe
-Signed-off-by: Greg Kroah-Hartman
-
----
- block/blk-mq.c | 33 +++++----------------------------
- 1 file changed, 5 insertions(+), 28 deletions(-)
-
---- a/block/blk-mq.c
-+++ b/block/blk-mq.c
-@@ -1698,15 +1698,6 @@ static blk_status_t __blk_mq_issue_direc
- break;
- case BLK_STS_RESOURCE:
- case BLK_STS_DEV_RESOURCE:
-- /*
-- * If direct dispatch fails, we cannot allow any merging on
-- * this IO. Drivers (like SCSI) may have set up permanent state
-- * for this request, like SG tables and mappings, and if we
-- * merge to it later on then we'll still only do IO to the
-- * original part.
-- */
-- rq->cmd_flags |= REQ_NOMERGE;
--
- blk_mq_update_dispatch_busy(hctx, true);
- __blk_mq_requeue_request(rq);
- break;
-@@ -1719,18 +1710,6 @@ static blk_status_t __blk_mq_issue_direc
- return ret;
- }
-
--/*
-- * Don't allow direct dispatch of anything but regular reads/writes,
-- * as some of the other commands can potentially share request space
-- * with data we need for the IO scheduler. If we attempt a direct dispatch
-- * on those and fail, we can't safely add it to the scheduler afterwards
-- * without potentially overwriting data that the driver has already written.
-- */
--static bool blk_rq_can_direct_dispatch(struct request *rq)
--{
-- return req_op(rq) == REQ_OP_READ || req_op(rq) == REQ_OP_WRITE;
--}
--
- static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
- struct request *rq,
- blk_qc_t *cookie,
-@@ -1752,7 +1731,7 @@ static blk_status_t __blk_mq_try_issue_d
- goto insert;
- }
-
-- if (!blk_rq_can_direct_dispatch(rq) || (q->elevator && !bypass_insert))
-+ if (q->elevator && !bypass_insert)
- goto insert;
-
- if (!blk_mq_get_dispatch_budget(hctx))
-@@ -1768,7 +1747,7 @@ insert:
- if (bypass_insert)
- return BLK_STS_RESOURCE;
-
-- blk_mq_sched_insert_request(rq, false, run_queue, false);
-+ blk_mq_request_bypass_insert(rq, run_queue);
- return BLK_STS_OK;
- }
-
-@@ -1784,7 +1763,7 @@ static void blk_mq_try_issue_directly(st
-
- ret = __blk_mq_try_issue_directly(hctx, rq, cookie, false);
- if (ret == BLK_STS_RESOURCE || ret == BLK_STS_DEV_RESOURCE)
-- blk_mq_sched_insert_request(rq, false, true, false);
-+ blk_mq_request_bypass_insert(rq, true);
- else if (ret != BLK_STS_OK)
- blk_mq_end_request(rq, ret);
-
-@@ -1814,15 +1793,13 @@ void blk_mq_try_issue_list_directly(stru
- struct request *rq = list_first_entry(list, struct request,
- queuelist);
-
-- if (!blk_rq_can_direct_dispatch(rq))
-- break;
--
- list_del_init(&rq->queuelist);
- ret = blk_mq_request_issue_directly(rq);
- if (ret != BLK_STS_OK) {
- if (ret == BLK_STS_RESOURCE ||
- ret == BLK_STS_DEV_RESOURCE) {
-- list_add(&rq->queuelist, list);
-+ blk_mq_request_bypass_insert(rq,
-+ list_empty(list));
- break;
- }
- blk_mq_end_request(rq, ret);
diff --git a/debian/patches/series b/debian/patches/series
index dc9998e5b..b5191ac9b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -91,8 +91,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch debian/revert-objtool-fix-config_stack_validation-y-warning.patch -bugfix/all/blk-mq-fix-corruption-with-direct-issue.patch -bugfix/all/blk-mq-punt-failed-direct-issue-to-dispatch-list.patch # Miscellaneous features