From 8e8dc213375dfb408fd0bf5b63457718c5b9e3ea Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:13:31 +0200 Subject: [PATCH 01/10] Add CVE id reference for CVE-2019-15216 --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 9dbd257d4..b8946a05d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -166,7 +166,7 @@ linux (4.19.67-1) UNRELEASED; urgency=medium - [x86] ALSA: hda/realtek - Add new Dell platform for headset mode - [x86] ALSA: hda/realtek - Fixed Dell AIO speaker noise - [x86] ALSA: hda/realtek - Apply the fixup for ASUS Q325UAR - - USB: yurex: Fix protection fault after device removal + - USB: yurex: Fix protection fault after device removal (CVE-2019-15216) - USB: w1 ds2490: Fix bug caused by improper use of altsetting array - USB: dummy-hcd: Fix failure to give back unlinked URBs - usb: usbip: fix isoc packet num validation in get_pipe From 4d54b8bb16d033b6137aacebc1e65e35ad84ac2a Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:22:59 +0200 Subject: [PATCH 02/10] Add CVE id for CVE-2019-15212 --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index b8946a05d..4e108317c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -849,7 +849,7 @@ linux (4.19.67-1) UNRELEASED; urgency=medium - USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor - USB: sisusbvga: fix oops in error path of sisusb_probe - USB: Add LPM quirk for Surface Dock GigE adapter - - USB: rio500: refuse more than one device at a time + - USB: rio500: refuse more than one device at a time (CVE-2019-15212) - USB: rio500: fix memory leak in close after disconnect - media: usb: siano: Fix general protection fault in smsusb - media: usb: siano: Fix false-positive "uninitialized variable" warning From 92583c3bcb7b698b924efc7847ae60c92e08a861 Mon Sep 17 00:00:00 2001 
From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:23:39 +0200 Subject: [PATCH 03/10] Add CVE id for CVE-2019-15218 --- debian/changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/changelog b/debian/changelog index 4e108317c..c7e793a24 100644 --- a/debian/changelog +++ b/debian/changelog @@ -852,6 +852,7 @@ linux (4.19.67-1) UNRELEASED; urgency=medium - USB: rio500: refuse more than one device at a time (CVE-2019-15212) - USB: rio500: fix memory leak in close after disconnect - media: usb: siano: Fix general protection fault in smsusb + (CVE-2019-15218) - media: usb: siano: Fix false-positive "uninitialized variable" warning - media: smsusb: better handle optional alignment - brcmfmac: fix NULL pointer derefence during USB disconnect From 0cde12d3b164b5e85e14590a14326c9355e45e28 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:24:12 +0200 Subject: [PATCH 04/10] Add CVE id for CVE-2019-15219 --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index c7e793a24..36ccbb781 100644 --- a/debian/changelog +++ b/debian/changelog @@ -847,7 +847,7 @@ linux (4.19.67-1) UNRELEASED; urgency=medium - usbip: usbip_host: fix BUG: sleeping function called from invalid context - usbip: usbip_host: fix stub_dev lock context imbalance regression - USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor - - USB: sisusbvga: fix oops in error path of sisusb_probe + - USB: sisusbvga: fix oops in error path of sisusb_probe (CVE-2019-15219) - USB: Add LPM quirk for Surface Dock GigE adapter - USB: rio500: refuse more than one device at a time (CVE-2019-15212) - USB: rio500: fix memory leak in close after disconnect From 37487d12f3ebad718d4b45fc6c55d278fa3a070e Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:24:47 +0200 Subject: [PATCH 05/10] Add CVE id for CVE-2019-15223 --- debian/changelog | 1 + 1 file changed, 1 insertion(+) 
diff --git a/debian/changelog b/debian/changelog index 36ccbb781..0633be614 100644 --- a/debian/changelog +++ b/debian/changelog @@ -872,6 +872,7 @@ linux (4.19.67-1) UNRELEASED; urgency=medium interrupts - [ppc64el] perf: Fix MMCRA corruption by bhrb_filter - ALSA: line6: Assure canceling delayed work at disconnection + (CVE-2019-15223) - ALSA: hda/realtek - Set default power save node to 0 - [s390x] KVM: Do not report unusabled IDs via KVM_CAP_MAX_VCPU_ID - drm/nouveau/i2c: Disable i2c bus access after ->fini() From d5720146aec9492fd0be1990359251a823faff8d Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:27:23 +0200 Subject: [PATCH 06/10] Add CVE id for CVE-2019-15221 --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 0633be614..6ed065886 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1372,7 +1372,7 @@ linux (4.19.67-1) UNRELEASED; urgency=medium - crypto: cryptd - Fix skcipher instance memory leak - ALSA: seq: fix incorrect order of dest_client/dest_ports arguments - ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages - - ALSA: line6: Fix write on zero-sized buffer + - ALSA: line6: Fix write on zero-sized buffer (CVE-2019-15221) - ALSA: usb-audio: fix sign unintended sign extension on left shifts - [x86] ALSA: hda/realtek: Add quirks for several Clevo notebook barebones - [x86] ALSA: hda/realtek - Change front mic location for Lenovo M710q From 71253bf60469b25c484738b2048da0e01cced4bb Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:28:17 +0200 Subject: [PATCH 07/10] Add CVE id for CVE-2019-15220 --- debian/changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/changelog b/debian/changelog index 6ed065886..24d4d5cbb 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1463,6 +1463,7 @@ linux (4.19.67-1) UNRELEASED; urgency=medium - USB: serial: option: add support for GosunCn ME3630 RNDIS mode - Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled" - p54usb: Fix race between disconnect and firmware loading + (CVE-2019-15220) - usb: gadget: ether: Fix race between gether_disconnect and rx_submit - [armhf,arm64] usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset() From 2de12d5f21db149a1b57e983f86a13014db0a636 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:29:45 +0200 Subject: [PATCH 08/10] Add CVE id for CVE-2019-15211 --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 24d4d5cbb..020d60d69 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1922,7 +1922,7 @@ linux (4.19.67-1) UNRELEASED; urgency=medium - media: cpia2_usb: first wake up, then free in disconnect - media: pvrusb2: use a different format for warnings - NFS: Cleanup if nfs_match_client is interrupted - - media: radio-raremono: change devm_k*alloc to k*alloc + - media: radio-raremono: change devm_k*alloc to k*alloc (CVE-2019-15211) - [x86] iommu/vt-d: Don't queue_iova() if there is no flush queue - vhost: introduce vhost_exceeds_weight() - vhost_net: fix possible infinite loop (CVE-2019-3900) From 8d3b3b09b9131d2d91c9da105ce8449508632f11 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:30:17 +0200 Subject: [PATCH 09/10] Add CVE id for CVE-2019-15215 --- debian/changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/changelog b/debian/changelog index 020d60d69..f93d88397 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1920,6 +1920,7 @@ linux (4.19.67-1) UNRELEASED; urgency=medium - media: au0828: fix null dereference in error path - ath10k: Change the warning message string - media: cpia2_usb: first wake up, then free in disconnect + (CVE-2019-15215) - media: pvrusb2: use a different format for warnings - NFS: Cleanup if nfs_match_client is interrupted - media: radio-raremono: change devm_k*alloc to k*alloc (CVE-2019-15211) From 9bf2130b629cd0332aae1c17c7cc87214ff2e6f0 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 21 Aug 2019 21:39:21 +0200 Subject: [PATCH 10/10] dm: disable DISCARD if the underlying storage no longer supports it Closes: #934331 --- debian/changelog | 4 + ...rlying-storage-no-longer-supports-it.patch | 120 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 125 insertions(+) create mode 100644 debian/patches/bugfix/all/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch diff --git a/debian/changelog b/debian/changelog index f93d88397..f986ce2cd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2185,6 +2185,10 @@ linux (4.19.67-1) UNRELEASED; urgency=medium - mm/zswap: Do not disable preemption in zswap_frontswap_store() * Bump ABI to 6 + [ Salvatore Bonaccorso ] + * dm: disable DISCARD if the underlying storage no longer supports it + (Closes: #934331) + -- Salvatore Bonaccorso Sun, 23 Jun 2019 16:15:17 +0200 linux (4.19.37-5+deb10u2) buster-security; urgency=high diff --git a/debian/patches/bugfix/all/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch b/debian/patches/bugfix/all/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch new file mode 100644 index 000000000..1e7d14946 --- /dev/null +++ b/debian/patches/bugfix/all/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch 
@@ -0,0 +1,120 @@
+From: Mike Snitzer
+Date: Wed, 3 Apr 2019 12:23:11 -0400
+Subject: dm: disable DISCARD if the underlying storage no longer supports it
+Origin: https://git.kernel.org/linus/bcb44433bba5eaff293888ef22ffa07f1f0347d6
+Bug-Debian: https://bugs.debian.org/934331
+
+Storage devices which report supporting discard commands like
+WRITE_SAME_16 with unmap, but reject discard commands sent to the
+storage device. This is a clear storage firmware bug but it doesn't
+change the fact that should a program cause discards to be sent to a
+multipath device layered on this buggy storage, all paths can end up
+failed at the same time from the discards, causing possible I/O loss.
+
+The first discard to a path will fail with Illegal Request, Invalid
+field in cdb, e.g.:
+ kernel: sd 8:0:8:19: [sdfn] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
+ kernel: sd 8:0:8:19: [sdfn] tag#0 Sense Key : Illegal Request [current]
+ kernel: sd 8:0:8:19: [sdfn] tag#0 Add. Sense: Invalid field in cdb
+ kernel: sd 8:0:8:19: [sdfn] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 a0 08 00 00 00 80 00 00 00
+ kernel: blk_update_request: critical target error, dev sdfn, sector 10487808
+
+The SCSI layer converts this to the BLK_STS_TARGET error number, the sd
+device disables its support for discard on this path, and because of the
+BLK_STS_TARGET error multipath fails the discard without failing any
+path or retrying down a different path. But subsequent discards can
+cause path failures. Any discards sent to the path which already failed
+a discard ends up failing with EIO from blk_cloned_rq_check_limits with
+an "over max size limit" error since the discard limit was set to 0 by
+the sd driver for the path. As the error is EIO, this now fails the
+path and multipath tries to send the discard down the next path. This
+cycle continues as discards are sent until all paths fail.
+
+Fix this by training DM core to disable DISCARD if the underlying
+storage already did so.
+
+Also, fix branching in dm_done() and clone_endio() to reflect the
+mutually exclussive nature of the IO operations in question.
+
+Cc: stable@vger.kernel.org
+Reported-by: David Jeffery
+Signed-off-by: Mike Snitzer
+[Salvatore Bonaccorso: backported to 4.19: Adjust for context changes in
+drivers/md/dm-core.h]
+Signed-off-by: Salvatore Bonaccorso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-core.h | 1 +
+ drivers/md/dm-rq.c | 11 +++++++----
+ drivers/md/dm.c | 20 ++++++++++++++++----
+ 3 files changed, 24 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-core.h
++++ b/drivers/md/dm-core.h
+@@ -130,6 +130,7 @@ struct mapped_device {
+ };
+
+ int md_in_flight(struct mapped_device *md);
++void disable_discard(struct mapped_device *md);
+ void disable_write_same(struct mapped_device *md);
+ void disable_write_zeroes(struct mapped_device *md);
+
+--- a/drivers/md/dm-rq.c
++++ b/drivers/md/dm-rq.c
+@@ -295,11 +295,14 @@ static void dm_done(struct request *clon
+ }
+
+ if (unlikely(error == BLK_STS_TARGET)) {
+- if (req_op(clone) == REQ_OP_WRITE_SAME &&
+- !clone->q->limits.max_write_same_sectors)
++ if (req_op(clone) == REQ_OP_DISCARD &&
++ !clone->q->limits.max_discard_sectors)
++ disable_discard(tio->md);
++ else if (req_op(clone) == REQ_OP_WRITE_SAME &&
++ !clone->q->limits.max_write_same_sectors)
+ disable_write_same(tio->md);
+- if (req_op(clone) == REQ_OP_WRITE_ZEROES &&
+- !clone->q->limits.max_write_zeroes_sectors)
++ else if (req_op(clone) == REQ_OP_WRITE_ZEROES &&
++ !clone->q->limits.max_write_zeroes_sectors)
+ disable_write_zeroes(tio->md);
+ }
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -910,6 +910,15 @@ static void dec_pending(struct dm_io *io
+ }
+ }
+
++void disable_discard(struct mapped_device *md)
++{
++ struct queue_limits *limits = dm_get_queue_limits(md);
++
++ /* device doesn't really support DISCARD, disable it */
++ limits->max_discard_sectors = 0;
++ blk_queue_flag_clear(QUEUE_FLAG_DISCARD, md->queue);
++}
++
+ void 
disable_write_same(struct mapped_device *md) + { + struct queue_limits *limits = dm_get_queue_limits(md); +@@ -935,11 +944,14 @@ static void clone_endio(struct bio *bio) + dm_endio_fn endio = tio->ti->type->end_io; + + if (unlikely(error == BLK_STS_TARGET) && md->type != DM_TYPE_NVME_BIO_BASED) { +- if (bio_op(bio) == REQ_OP_WRITE_SAME && +- !bio->bi_disk->queue->limits.max_write_same_sectors) ++ if (bio_op(bio) == REQ_OP_DISCARD && ++ !bio->bi_disk->queue->limits.max_discard_sectors) ++ disable_discard(md); ++ else if (bio_op(bio) == REQ_OP_WRITE_SAME && ++ !bio->bi_disk->queue->limits.max_write_same_sectors) + disable_write_same(md); +- if (bio_op(bio) == REQ_OP_WRITE_ZEROES && +- !bio->bi_disk->queue->limits.max_write_zeroes_sectors) ++ else if (bio_op(bio) == REQ_OP_WRITE_ZEROES && ++ !bio->bi_disk->queue->limits.max_write_zeroes_sectors) + disable_write_zeroes(md); + } + diff --git a/debian/patches/series b/debian/patches/series index f16fdecea..5496f8b54 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -103,6 +103,7 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch debian/revert-objtool-fix-config_stack_validation-y-warning.patch bugfix/all/mt76-use-the-correct-hweight8-function.patch bugfix/all/rtc-s35390a-set-uie_unsupported.patch +bugfix/all/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch # Miscellaneous features
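Review bot: `disable_discard()` in the drivers/md/dm.c part of the added patch carries only the one-line comment copied from its write-same sibling, so nothing records that it is a one-way switch reached from both completion paths, `dm_done()` and `clone_endio()`. From the visible lines, once a discard completes with BLK_STS_TARGET on a path whose `max_discard_sectors` is already zero, DISCARD is cleared for the whole mapped device and nothing in this patch sets it again; layers above that rely on discard would then presumably stop reclaiming space, which is the intended trade against losing every path. I would widen the comment to something like `/* One-way: the underlying queue already zeroed its discard limit; stop issuing DISCARD on this mapped device so the remaining paths are not failed in turn. */`. It would also help operators if the changelog entry mentioned that a zero discard limit on the dm device is the sign that this workaround has fired. Both `dm_done()` and `clone_endio()` start and end outside the inner hunks, so the surrounding error handling could not be checked here.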