Update to 4.18.9
This updates the debian changelog for listing changes of this stable update. It also removes patches applied upstream and refreshes a patch that is part of 4.18.7-rt5.
parent d112adae70
commit 5ea1715db4

@ -1,4 +1,153 @@
linux (4.18.8-2) UNRELEASED; urgency=medium
linux (4.18.9-1) UNRELEASED; urgency=medium

* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.9
- i2c: xiic: Make the start and the byte count write atomic
- i2c: i801: fix DNV's SMBCTRL register offset
- HID: multitouch: fix Elan panels with 2 input modes declaration
- HID: core: fix grouping by application
- HID: i2c-hid: Fix flooded incomplete report after S3 on Rayd touchscreen
- HID: input: fix leaking custom input node name
- mm/hugetlb: filter out hugetlb pages if HUGEPAGE migration is not
supported.
- mac80211: don't update the PM state of a peer upon a multicast frame
- scsi: lpfc: Correct MDS diag and nvmet configuration
- nbd: don't allow invalid blocksize settings
- block: don't warn when doing fsync on read-only devices
- block: bfq: swap puts in bfqg_and_blkg_put
- android: binder: fix the race mmap and alloc_new_buf_locked
- [mips*] VDSO: Match data page cache colouring when D$ aliases
- smb3: Backup intent flag missing for directory opens with backupuid mounts
- smb3: check for and properly advertise directory lease support
- cifs: connect to servername instead of IP for IPC$ share
- btrfs: fix qgroup_free wrong num_bytes in btrfs_subvolume_reserve_metadata
- btrfs: fix data corruption when deduplicating between different files
- [arm64] KVM: Only force FPEXC32_EL2.EN if trapping FPSIMD
- [armhf, arm64] KVM: Clean dcache to PoC when changing PTE due to CoW
- [[powerpc*] KVM: Book3S HV: Use correct pagesize in kvm_unmap_radix()
- [s390x] KVM: vsie: copy wrapping keys to right place
- [x86] KVM: SVM: Set EMULTYPE_NO_REEXECUTE for RSM emulation
- [x86] KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO
instr
- [x86] KVM: Invert emulation re-execute behavior to make it opt-in
- [x86] KVM: Merge EMULTYPE_RETRY and EMULTYPE_ALLOW_REEXECUTE
- [x86] KVM: Default to not allowing emulation retry in kvm_mmu_page_fault
- [x86] KVM: Do not re-{try,execute} after failed emulation in L2
- ACPI / LPSS: Force LPSS quirks on boot
- memory: ti-aemif: fix a potential NULL-pointer dereference
- ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
- cpu/hotplug: Adjust misplaced smb() in cpuhp_thread_fun()
- cpu/hotplug: Prevent state corruption on error rollback
- [x86] microcode: Make sure boot_cpu_data.microcode is up-to-date
- [x86] microcode: Update the new microcode revision unconditionally
- [x86] process: Don't mix user/kernel regs in 64bit __show_regs()
- [x86] apic/vector: Make error return value negative
- switchtec: Fix Spectre v1 vulnerability
- misc: mic: SCIF Fix scif_get_new_port() error handling
- ALSA: hda/realtek - Add mute LED quirk for HP Spectre x360
- ethtool: Remove trailing semicolon for static inline
- i2c: aspeed: Add an explicit type casting for *get_clk_reg_val
- Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
- gpio: tegra: Move driver registration to subsys_init level
- [powerpc*] powernv: Fix concurrency issue with npu->mmio_atsd_usage
- [powerpc*] 4xx: Fix error return path in ppc4xx_msi_probe()
- media: davinci: vpif_display: Mix memory leak on probe error path
- media: dw2102: Fix memleak on sequence of probes
- net: phy: Fix the register offsets in Broadcom iProc mdio mux driver
- scsi: qla2xxx: Fix unintended Logout
- scsi: qla2xxx: Fix session state stuck in Get Port DB
- scsi: qla2xxx: Silent erroneous message
- clk: scmi: Fix the rounding of clock rate
- blk-mq: fix updating tags depth
- scsi: lpfc: Fix driver crash when re-registering NVME rports.
- scsi: target: fix __transport_register_session locking
- md/raid5: fix data corruption of replacements after originals dropped
- timers: Clear timer_base::must_forward_clk with timer_base::lock held
- gpu: ipu-v3: default to id 0 on missing OF alias
- misc: ti-st: Fix memory leak in the error path of probe()
- uio: potential double frees if __uio_register_device() fails
- firmware: vpd: Fix section enabled flag on vpd_section_destroy
- [x86] Drivers: hv: vmbus: Cleanup synic memory free path
- tty: rocket: Fix possible buffer overwrite on register_PCI
- uio: fix possible circular locking dependency
- iwlwifi: pcie: don't access periphery registers when not available
- IB/IPoIB: Set ah valid flag in multicast send flow
- f2fs: fix to active page in lru list for read path
- f2fs: do not set free of current section
- f2fs: Keep alloc_valid_block_count in sync
- f2fs: issue discard align to section in LFS mode
- f2fs: fix defined but not used build warnings
- f2fs: fix to detect looped node chain correctly
- ASoC: soc-pcm: Use delay set in component pointer function
- perf tools: Allow overriding MAX_NR_CPUS at compile time
- device-dax: avoid hang on error before devm_memremap_pages()
- NFSv4.0 fix client reference leak in callback
- perf c2c report: Fix crash for empty browser
- perf evlist: Fix error out while applying initial delay and LBR
- [powerpc*] pseries: fix EEH recovery of some IOV devices
- [powerpc*] macintosh/via-pmu: Add missing mmio accessors
- ath9k: report tx status on EOSP
- ath9k_hw: fix channel maximum power level test
- ath10k: prevent active scans on potential unusable channels
- wlcore: Set rx_status boottime_ns field on rx
- rpmsg: core: add support to power domains for devices
- mtd: rawnand: make subop helpers return unsigned values
- scsi: tcmu: do not set max_blocks if data_bitmap has been setup
- [mips*] Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
- ata: libahci: Allow reconfigure of DEVSLP register
- ata: libahci: Correct setting of DEVSLP register
- nfs: Referrals not inheriting proto setting from parent
- scsi: 3ware: fix return 0 on the error path of probe
- tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access()
- ath10k: disable bundle mgmt tx completion event support
- media: em28xx: explicitly disable TS packet filter
- PCI: mobiveil: Fix struct mobiveil_pcie.pcie_reg_base address type
- [powerpc*] mm: Don't report PUDs as memory leaks when using kmemleak
- Bluetooth: hidp: Fix handling of strncpy for hid->name information
- [x86] mm: Remove in_nmi() warning from vmalloc_fault()
- [armhf] pinctrl: imx: off by one in imx_pinconf_group_dbg_show()
- gpio: pxa: disable pinctrl calls for PXA3xx
- gpio: ml-ioh: Fix buffer underwrite on probe error path
- [x86, arm64] pinctrl/amd: only handle irq if it is pending and unmasked
- [armhf, arm64] net: mvneta: fix mtu change on port without link
- f2fs: try grabbing node page lock aggressively in sync scenario
- pktcdvd: Fix possible Spectre-v1 for pkt_devs
- f2fs: fix to skip GC if type in SSA and SIT is inconsistent
- [x86] tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
- f2fs: fix to do sanity check with reserved blkaddr of inline inode
(CVE-2018-13099)
- [mips*] Octeon: add missing of_node_put()
- [mips*] generic: fix missing of_node_put()
- thermal: rcar_thermal: avoid NULL dereference in absence of IRQ resources
- thermal_hwmon: Sanitize attribute name passed to hwmon
- net: dcb: For wild-card lookups, use priority -1, not 0
- dm cache: only allow a single io_mode cache feature to be requested
- Input: atmel_mxt_ts - only use first T9 instance
- [powerpc*] partitions/aix: append null character to print data from disk
- [powerpc*] partitions/aix: fix usage of uninitialized lv_info and lvname
structures
- drm/amd/display: Prevent PSR from being enabled if initialization fails
- media: em28xx: Fix dual transport stream operation
- [arm64] iommu/arm-smmu-v3: Abort all transactions if SMMU is enabled in
kdump kernel
- f2fs: fix to wait on page writeback before updating page
- f2fs: Fix uninitialized return in f2fs_ioc_shutdown()
- media: em28xx: Fix DualHD disconnect oops
- f2fs: avoid potential deadlock in f2fs_sbi_store
- f2fs: fix to do sanity check with secs_per_zone (CVE-2018-13100)
- [armhf] mfd: ti_am335x_tscadc: Fix struct clk memory leak
- f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
- f2fs: fix to propagate return value of scan_nat_page()
- f2fs: fix to do sanity check with extra_attr feature
- RDMA/hns: Add illegal hop_num judgement
- NFSv4.1: Fix a potential layoutget/layoutrecall deadlock
- RDMA/hns: Update the data type of immediate data
- [mips*] WARN_ON invalid DMA cache maintenance, not BUG_ON
- [mips*] mscc: ocelot: fix length of memory address space for MIIM
- RDMA/cma: Do not ignore net namespace for unbound cm_id
- clocksource: Revert "Remove kthread"
- autofs: fix autofs_sbi() does not check super block type
- mm: get rid of vmacache_flush_all() entirely

[ Vagrant Cascadian ]
* debian/rules.real: Generate linux-source tarball with root user and
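Review bot: the entry `[[powerpc*] KVM: Book3S HV: Use correct pagesize in kvm_unmap_radix()` has a doubled opening bracket; drop one so it matches the other architecture tags. The two CVE annotations are also laid out differently: `(CVE-2018-13099)` sits alone on a continuation line while `(CVE-2018-13100)` is inline with its entry. Both parse, but the inline form is the one used elsewhere in this changelog and is the easier one to grep for.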

@ -22,14 +22,16 @@ Mike Galbraith,
hard and soft variant]
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
include/linux/irq_work.h | 8 ++++++
kernel/irq_work.c | 60 ++++++++++++++++++++++++++++++++++++-----------
kernel/rcu/tree.c | 1
kernel/sched/topology.c | 1
kernel/time/tick-sched.c | 1
kernel/time/timer.c | 1
6 files changed, 59 insertions(+), 13 deletions(-)
include/linux/irq_work.h | 8 ++++++
kernel/irq_work.c | 59 ++++++++++++++++++++++++++++++++--------
kernel/rcu/tree.c | 1 +
kernel/sched/topology.c | 1 +
kernel/time/tick-sched.c | 1 +
kernel/time/timer.c | 2 ++
6 files changed, 60 insertions(+), 12 deletions(-)

diff --git a/include/linux/irq_work.h b/include/linux/irq_work.h
index b11fcdfd0770..c1afbba27902 100644
--- a/include/linux/irq_work.h
+++ b/include/linux/irq_work.h
@@ -18,6 +18,8 @@

@ -41,17 +43,19 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

#define IRQ_WORK_CLAIMED (IRQ_WORK_PENDING | IRQ_WORK_BUSY)

@@ -52,4 +54,10 @@ static inline bool irq_work_needs_cpu(vo
@@ -52,4 +54,10 @@ static inline bool irq_work_needs_cpu(void) { return false; }
static inline void irq_work_run(void) { }
#endif

+#if defined(CONFIG_IRQ_WORK) && defined(CONFIG_PREEMPT_RT_FULL)
+void irq_work_tick_soft(void);
+#else
+else
+static inline void irq_work_tick_soft(void) { }
+#endif
+
#endif /* _LINUX_IRQ_WORK_H */
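Review bot: the two renderings of the branch line disagree: one reads `+#else`, the other `+else`. If the refreshed 4.18.7-rt5 patch really carries `+else` without the `#`, the header stops compiling everywhere it is included, because a bare `else` is not valid between the `+#if defined(CONFIG_IRQ_WORK) && defined(CONFIG_PREEMPT_RT_FULL)` and `+#endif` preprocessor lines. Check the patch file on disk; if this is only an artifact of the split view, ignore.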
diff --git a/kernel/irq_work.c b/kernel/irq_work.c
index 6b7cdf17ccf8..e765a79ef48b 100644
--- a/kernel/irq_work.c
+++ b/kernel/irq_work.c
@@ -17,6 +17,7 @@

@ -71,7 +75,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
/* All work should have been flushed before going offline */
WARN_ON_ONCE(cpu_is_offline(cpu));

@@ -76,7 +79,12 @@ bool irq_work_queue_on(struct irq_work *
@@ -76,7 +79,12 @@ bool irq_work_queue_on(struct irq_work *work, int cpu)
if (!irq_work_claim(work))
return false;


@ -85,7 +89,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
arch_send_call_function_single_ipi(cpu);

#else /* #ifdef CONFIG_SMP */
@@ -89,6 +97,9 @@ bool irq_work_queue_on(struct irq_work *
@@ -89,6 +97,9 @@ bool irq_work_queue_on(struct irq_work *work, int cpu)
/* Enqueue the irq work @work on the current CPU */
bool irq_work_queue(struct irq_work *work)
{

@ -95,7 +99,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
/* Only queue if not already pending */
if (!irq_work_claim(work))
return false;
@@ -96,13 +107,15 @@ bool irq_work_queue(struct irq_work *wor
@@ -96,13 +107,15 @@ bool irq_work_queue(struct irq_work *work)
/* Queue the entry and raise the IPI if needed. */
preempt_disable();


@ -130,7 +134,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

/* All work should have been flushed before going offline */
WARN_ON_ONCE(cpu_is_offline(smp_processor_id()));
@@ -135,8 +147,12 @@ static void irq_work_run_list(struct lli
@@ -135,7 +147,12 @@ static void irq_work_run_list(struct llist_head *list)
struct llist_node *llnode;
unsigned long flags;


@ -139,12 +143,11 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+ * nort: On RT IRQ-work may run in SOFTIRQ context.
+ */
BUG_ON(!irqs_disabled());
-
+#endif

if (llist_empty(list))
return;

@@ -168,7 +184,16 @@ static void irq_work_run_list(struct lli
@@ -168,7 +185,16 @@ static void irq_work_run_list(struct llist_head *list)
void irq_work_run(void)
{
irq_work_run_list(this_cpu_ptr(&raised_list));

@ -162,7 +165,7 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
}
EXPORT_SYMBOL_GPL(irq_work_run);

@@ -178,8 +203,17 @@ void irq_work_tick(void)
@@ -178,8 +204,17 @@ void irq_work_tick(void)

if (!llist_empty(raised) && !arch_irq_work_has_interrupt())
irq_work_run_list(raised);

@ -180,9 +183,11 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

/*
* Synchronize against the irq_work @entry, ensures the entry is not
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
index aa7cade1b9f3..131fe93756c4 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -1294,6 +1294,7 @@ static int rcu_implicit_dynticks_qs(stru
@@ -1259,6 +1259,7 @@ static int rcu_implicit_dynticks_qs(struct rcu_data *rdp)
!rdp->rcu_iw_pending && rdp->rcu_iw_gpnum != rnp->gpnum &&
(rnp->ffmask & rdp->grpmask)) {
init_irq_work(&rdp->rcu_iw, rcu_iw_handler);

@ -190,9 +195,11 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
rdp->rcu_iw_pending = true;
rdp->rcu_iw_gpnum = rnp->gpnum;
irq_work_queue_on(&rdp->rcu_iw, rdp->cpu);
diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c
index 56a0fed30c0a..dc7fd09d66fa 100644
--- a/kernel/sched/topology.c
+++ b/kernel/sched/topology.c
@@ -279,6 +279,7 @@ static int init_rootdomain(struct root_d
@@ -279,6 +279,7 @@ static int init_rootdomain(struct root_domain *rd)
rd->rto_cpu = -1;
raw_spin_lock_init(&rd->rto_lock);
init_irq_work(&rd->rto_push_work, rto_push_irq_work_func);

@ -200,9 +207,11 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
#endif

init_dl_bw(&rd->dl_bw);
diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
index 5b33e2f5c0ed..2fd4a37ffdc2 100644
--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -232,6 +232,7 @@ static void nohz_full_kick_func(struct i
@@ -227,6 +227,7 @@ static void nohz_full_kick_func(struct irq_work *work)

static DEFINE_PER_CPU(struct irq_work, nohz_full_kick_work) = {
.func = nohz_full_kick_func,

@ -210,13 +219,19 @@ Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
};

/*
diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index 786f8c014e7e..6c996ba08e0a 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1717,6 +1717,7 @@ static __latent_entropy void run_timer_s
@@ -1692,6 +1692,8 @@ static __latent_entropy void run_timer_softirq(struct softirq_action *h)
{
struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);

+ irq_work_tick_soft();
/*
* must_forward_clk must be cleared before running timers so that any
* timer functions that call mod_timer will not try to forward the
+
__run_timers(base);
if (IS_ENABLED(CONFIG_NO_HZ_COMMON))
__run_timers(this_cpu_ptr(&timer_bases[BASE_DEF]));
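Review bot: the refreshed kernel/time/timer.c hunk now adds two lines where the previous one (`@@ -1717,6 +1717,7 @@`) added one, which is why the diffstat moved from `kernel/time/timer.c | 1` to `| 2 ++`: `+ irq_work_tick_soft();` above the must_forward_clk comment, and a lone `+` blank line directly before `__run_timers(base);`. Confirm that the blank line is intended rather than a refresh artifact left where a statement used to be, and that the call still sits where the RT patch wants it relative to `__run_timers(base)`; the comment between the two lines is about must_forward_clk and does not describe the irq_work call.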
--
2.19.0

@ -1,155 +0,0 @@
From: Chao Yu <yuchao0@huawei.com>
Date: Sat, 30 Jun 2018 18:13:40 +0800
Subject: f2fs: fix to do sanity check with reserved blkaddr of inline inode
Origin: https://git.kernel.org/linus/4dbe38dc386910c668c75ae616b99b823b59f3eb
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13099

As Wen Xu reported in bugzilla, after image was injected with random data
by fuzzing, inline inode would contain invalid reserved blkaddr, then
during inline conversion, we will encounter illegal memory accessing
reported by KASAN, the root cause of this is when writing out converted
inline page, we will use invalid reserved blkaddr to update sit bitmap,
result in accessing memory beyond sit bitmap boundary.

In order to fix this issue, let's do sanity check with reserved block
address of inline inode to avoid above condition.

https://bugzilla.kernel.org/show_bug.cgi?id=200179

[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0
[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741

[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1
[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1428.846860] Call Trace:
[ 1428.846868] dump_stack+0x71/0xab
[ 1428.846875] print_address_description+0x6b/0x290
[ 1428.846881] kasan_report+0x28e/0x390
[ 1428.846888] ? update_sit_entry+0x80/0x7f0
[ 1428.846898] update_sit_entry+0x80/0x7f0
[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70
[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590
[ 1428.846920] do_write_page+0xc8/0x150
[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210
[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170
[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130
[ 1428.846946] ? __mod_node_page_state+0x22/0xa0
[ 1428.846951] ? inc_zone_page_state+0x54/0x100
[ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0
[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0
[ 1428.846971] ? f2fs_read_inline_data+0x3b0/0x3b0
[ 1428.846978] ? __get_node_page+0x335/0x6b0
[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500
[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0
[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40
[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0
[ 1428.847024] f2fs_file_mmap+0x79/0xc0
[ 1428.847029] mmap_region+0x58b/0x880
[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370
[ 1428.847042] do_mmap+0x55b/0x7a0
[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0
[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50
[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160
[ 1428.847068] ? do_sys_open+0x206/0x2a0
[ 1428.847073] ? __fget+0xb4/0x100
[ 1428.847079] ksys_mmap_pgoff+0x278/0x360
[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50
[ 1428.847091] do_syscall_64+0x73/0x160
[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1428.847102] RIP: 0033:0x7fb1430766ba
[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00
[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba
[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000
[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000
[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000

[ 1428.847252] Allocated by task 2683:
[ 1428.847372] kasan_kmalloc+0xa6/0xd0
[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0
[ 1428.847385] getname_flags+0x73/0x2b0
[ 1428.847390] user_path_at_empty+0x1d/0x40
[ 1428.847395] vfs_statx+0xc1/0x150
[ 1428.847401] __do_sys_newlstat+0x7e/0xd0
[ 1428.847405] do_syscall_64+0x73/0x160
[ 1428.847411] entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1428.847466] Freed by task 2683:
[ 1428.847566] __kasan_slab_free+0x137/0x190
[ 1428.847571] kmem_cache_free+0x85/0x1e0
[ 1428.847575] filename_lookup+0x191/0x280
[ 1428.847580] vfs_statx+0xc1/0x150
[ 1428.847585] __do_sys_newlstat+0x7e/0xd0
[ 1428.847590] do_syscall_64+0x73/0x160
[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1428.847648] The buggy address belongs to the object at ffff880194483300
which belongs to the cache names_cache of size 4096
[ 1428.847946] The buggy address is located 576 bytes inside of
4096-byte region [ffff880194483300, ffff880194484300)
[ 1428.848234] The buggy address belongs to the page:
[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0
[ 1428.848606] flags: 0x17fff8000008100(slab|head)
[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380
[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 1428.849122] page dumped because: kasan: bad access detected

[ 1428.849305] Memory state around the buggy address:
[ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.849985] ^
[ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1428.850498] ==================================================================

Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
fs/f2fs/inline.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
index 9a245d2d5b7c..2bcb2d36f024 100644
--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -130,6 +130,16 @@ int f2fs_convert_inline_page(struct dnode_of_data *dn, struct page *page)
if (err)
return err;

+ if (unlikely(dn->data_blkaddr != NEW_ADDR)) {
+ f2fs_put_dnode(dn);
+ set_sbi_flag(fio.sbi, SBI_NEED_FSCK);
+ f2fs_msg(fio.sbi->sb, KERN_WARNING,
+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+ "run fsck to fix.",
+ __func__, dn->inode->i_ino, dn->data_blkaddr);
+ return -EINVAL;
+ }
+
f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page));

f2fs_do_read_inline_data(page, dn->inode_page);
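Review bot: `return -EINVAL` reports on-disk corruption with the errno for a bad argument, so the mmap() in the reported trace (f2fs_file_mmap → f2fs_convert_inline_inode) will surface EINVAL to userspace for a damaged image; acceptable, but the `set_sbi_flag(fio.sbi, SBI_NEED_FSCK)` is what actually records the condition, and a comment saying so would help whoever sees the EINVAL later. The check, flag, message and errno are repeated verbatim in the f2fs_move_inline_dirents hunk below; a small helper taking the sbi, ino and blkaddr would keep the two in step. The format string is consistent as written: `%lx` for an `unsigned long` i_ino and `0x%x` for the 32-bit block address.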
@@ -363,6 +373,17 @@ static int f2fs_move_inline_dirents(struct inode *dir, struct page *ipage,
if (err)
goto out;

+ if (unlikely(dn.data_blkaddr != NEW_ADDR)) {
+ f2fs_put_dnode(&dn);
+ set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK);
+ f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING,
+ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, "
+ "run fsck to fix.",
+ __func__, dir->i_ino, dn.data_blkaddr);
+ err = -EINVAL;
+ goto out;
+ }
+
f2fs_wait_on_page_writeback(page, DATA, true);

dentry_blk = page_address(page);
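Review bot: this path calls `f2fs_put_dnode(&dn)` and then `goto out`, so the `out:` label (not visible in the hunk) must not release `dn` a second time. The pre-existing `if (err) goto out;` reaches `out` with no dnode held, which suggests `out` does not put it, but a one-line comment on the new block would make that invariant explicit for the next person who edits the error path. Note also that this hunk logs `dir->i_ino` where the first hunk logs `dn->inode->i_ino`; both are the inode being converted, so the shared message text is accurate in both places.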
--
2.11.0

@ -1,98 +0,0 @@
From: Chao Yu <yuchao0@huawei.com>
Date: Sat, 23 Jun 2018 00:12:36 +0800
Subject: f2fs: fix to do sanity check with secs_per_zone
Origin: https://git.kernel.org/linus/42bf546c1fe3f3654bdf914e977acbc2b80a5be5
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13100

As Wen Xu reported in below link:

https://bugzilla.kernel.org/show_bug.cgi?id=200183

- Overview
Divide zero in reset_curseg() when mounting a crafted f2fs image

- Reproduce

- Kernel message
[ 588.281510] divide error: 0000 [#1] SMP KASAN PTI
[ 588.282701] CPU: 0 PID: 1293 Comm: mount Not tainted 4.18.0-rc1+ #4
[ 588.284000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 588.286178] RIP: 0010:reset_curseg+0x94/0x1a0
[ 588.298166] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
[ 588.299360] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
[ 588.300809] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
[ 588.305272] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
[ 588.306822] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[ 588.308456] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 588.309623] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0
[ 588.311085] Call Trace:
[ 588.311637] f2fs_build_segment_manager+0x103f/0x3410
[ 588.316136] ? f2fs_commit_super+0x1b0/0x1b0
[ 588.317031] ? set_blocksize+0x90/0x140
[ 588.319473] f2fs_mount+0x15/0x20
[ 588.320166] mount_fs+0x60/0x1a0
[ 588.320847] ? alloc_vfsmnt+0x309/0x360
[ 588.321647] vfs_kern_mount+0x6b/0x1a0
[ 588.322432] do_mount+0x34a/0x18c0
[ 588.323175] ? strndup_user+0x46/0x70
[ 588.323937] ? copy_mount_string+0x20/0x20
[ 588.324793] ? memcg_kmem_put_cache+0x1b/0xa0
[ 588.325702] ? kasan_check_write+0x14/0x20
[ 588.326562] ? _copy_from_user+0x6a/0x90
[ 588.327375] ? memdup_user+0x42/0x60
[ 588.328118] ksys_mount+0x83/0xd0
[ 588.328808] __x64_sys_mount+0x67/0x80
[ 588.329607] do_syscall_64+0x78/0x170
[ 588.330400] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 588.331461] RIP: 0033:0x7fad848e8b9a
[ 588.336022] RSP: 002b:00007ffd7c5b6be8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 588.337547] RAX: ffffffffffffffda RBX: 00000000016f8030 RCX: 00007fad848e8b9a
[ 588.338999] RDX: 00000000016f8210 RSI: 00000000016f9f30 RDI: 0000000001700ec0
[ 588.340442] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013
[ 588.341887] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001700ec0
[ 588.343341] R13: 00000000016f8210 R14: 0000000000000000 R15: 0000000000000003
[ 588.354891] ---[ end trace 4ce02f25ff7d3df5 ]---
[ 588.355862] RIP: 0010:reset_curseg+0x94/0x1a0
[ 588.360742] RSP: 0018:ffff8801e88d7940 EFLAGS: 00010246
[ 588.361812] RAX: 0000000000000014 RBX: ffff8801e1d46d00 RCX: ffffffffb88bf60b
[ 588.363485] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801e1d46d64
[ 588.365213] RBP: ffff8801e88d7968 R08: ffffed003c32266f R09: ffffed003c32266f
[ 588.366661] R10: 0000000000000001 R11: ffffed003c32266e R12: ffff8801f0337700
[ 588.368110] R13: 0000000000000000 R14: 0000000000000014 R15: 0000000000000000
[ 588.370057] FS: 00007fad85008840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[ 588.372099] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 588.373291] CR2: 0000000001705078 CR3: 00000001f30f8000 CR4: 00000000000006f0

- Location
https://elixir.bootlin.com/linux/latest/source/fs/f2fs/segment.c#L2147
curseg->zone = GET_ZONE_FROM_SEG(sbi, curseg->segno);

If secs_per_zone is corrupted due to fuzzing test, it will cause divide
zero operation when using GET_ZONE_FROM_SEG macro, so we should do more
sanity check with secs_per_zone during mount to avoid this issue.

Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
fs/f2fs/super.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index 01d1cb6081fc..a041ee20492d 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2227,9 +2227,9 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
return 1;
}

- if (secs_per_zone > total_sections) {
+ if (secs_per_zone > total_sections || !secs_per_zone) {
f2fs_msg(sb, KERN_INFO,
- "Wrong secs_per_zone (%u > %u)",
+ "Wrong secs_per_zone / total_sections (%u, %u)",
secs_per_zone, total_sections);
return 1;
}
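Review bot: `|| !secs_per_zone` is the right place for the zero test, because sanity_check_raw_super rejects the image at mount time, before f2fs_build_segment_manager reaches reset_curseg and the GET_ZONE_FROM_SEG division in the trace. Two smaller points: the message stays at KERN_INFO while the companion inline-inode check in this same update logs the same class of on-disk corruption at KERN_WARNING, and the new text `"Wrong secs_per_zone / total_sections (%u, %u)"` no longer says which of the two relations failed. Either raise the level to KERN_WARNING for consistency, or keep two messages so a zero secs_per_zone and an out-of-range one are distinguishable in the log.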
--
2.11.0

@ -1,62 +0,0 @@
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date: Mon, 20 Aug 2018 13:56:07 +0300
Subject: mac80211: don't update the PM state of a peer upon a multicast frame
Origin: https://git.kernel.org/linus/20932750d9c78d307e4f2f18f9c6a32b82b1e0e8
Bug-Debian: https://bugs.debian.org/887045
Bug-Debian: https://bugs.debian.org/886292

I changed the way mac80211 updates the PM state of the peer.
I forgot that we could also have multicast frames from the
peer and that those frame should of course not change the
PM state of the peer: A peer goes to power save when it
needs to scan, but it won't send the broadcast Probe Request
with the PM bit set.

This made us mark the peer as awake when it wasn't and then
Intel's firmware would fail to transmit because the peer is
asleep according to its database. The driver warned about
this and it looked like this:

WARNING: CPU: 0 PID: 184 at /usr/src/linux-4.16.14/drivers/net/wireless/intel/iwlwifi/mvm/tx.c:1369 iwl_mvm_rx_tx_cmd+0x53b/0x860
CPU: 0 PID: 184 Comm: irq/124-iwlwifi Not tainted 4.16.14 #1
RIP: 0010:iwl_mvm_rx_tx_cmd+0x53b/0x860
Call Trace:
iwl_pcie_rx_handle+0x220/0x880
iwl_pcie_irq_handler+0x6c9/0xa20
? irq_forced_thread_fn+0x60/0x60
? irq_thread_dtor+0x90/0x90

The relevant code that spits the WARNING is:

case TX_STATUS_FAIL_DEST_PS:
/* the FW should have stopped the queue and not
* return this status
*/
WARN_ON(1);
info->flags |= IEEE80211_TX_STAT_TX_FILTERED;

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199967.

Fixes: 9fef65443388 ("mac80211: always update the PM state of a peer on MGMT / DATA frames")
Cc: <stable@vger.kernel.org> #4.16+
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
net/mac80211/rx.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 932985ca4e66..3f80a5ca4050 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1612,6 +1612,7 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
*/
if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
!ieee80211_has_morefrags(hdr->frame_control) &&
+ !is_multicast_ether_addr(hdr->addr1) &&
(ieee80211_is_mgmt(hdr->frame_control) ||
ieee80211_is_data(hdr->frame_control)) &&
!(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
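Review bot: nothing in the hunk says why a frame addressed to a multicast `hdr->addr1` must not touch the peer's PM state; the reasoning lives only in the commit message (a peer scanning in power save still sends its broadcast Probe Request without the PM bit, so that frame says nothing about its state). The condition is now six `&&` terms long, and the comment block whose closing `*/` opens this hunk predates the new term; add one line to that comment, or on the `+` line itself, so the exclusion survives the next refactor. Placing the cheap address test ahead of the is_mgmt/is_data checks is fine as is.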
--
2.19.0

@ -98,7 +98,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
bugfix/all/netfilter-ipvs-Fix-invalid-bytes-in-IP_VS_MH_TAB_IND.patch
bugfix/all/mac80211-don-t-update-the-PM-state-of-a-peer-upon-a-.patch

# Miscellaneous features
features/all/kbuild-add-build-salt-to-the-kernel-and-modules.patch

@ -144,8 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
bugfix/all/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
bugfix/all/f2fs-fix-to-do-sanity-check-with-secs_per_zone.patch

# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
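Review bot: the three entries dropped from series correspond exactly to the three patch files deleted in this commit (the mac80211 PM-state fix and the two f2fs sanity checks), and each of the three fixes appears in the 4.18.9 list in the changelog above, with the f2fs ones tagged CVE-2018-13099 and CVE-2018-13100; so no patch file is left referenced and no upstream fix is lost by the removal. The only thing to double-check before upload is that the Bug-Debian-Security tracker links carried in the two deleted f2fs patch headers are not needed anywhere else, since the changelog's CVE tags are now the sole record.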