linux-kernel.vger.kernel.org archive mirror
* [PATCH 4.9 00/14] 4.9.193-stable review
@ 2019-09-13 13:06 Greg Kroah-Hartman
  2019-09-13 13:06 ` [PATCH 4.9 01/14] ALSA: hda - Fix potential endless loop at applying quirks Greg Kroah-Hartman
                   ` (19 more replies)
  0 siblings, 20 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.9.193 release.
There are 14 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.193-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.9.193-rc1

yongduan <yongduan@tencent.com>
    vhost: make sure log_num < in_num

Michael S. Tsirkin <mst@redhat.com>
    vhost: block speculation of translated descriptors

Nathan Chancellor <natechancellor@gmail.com>
    clk: s2mps11: Add used attribute to s2mps11_dt_match

Nicolas Boichat <drinkcat@chromium.org>
    scripts/decode_stacktrace: match basepath using shell prefix operator, not regex

Sven Eckelmann <sven@narfation.org>
    batman-adv: Only read OGM tvlv_len after buffer len check

Eric Dumazet <edumazet@google.com>
    batman-adv: fix uninit-value in batadv_netlink_get_ifindex()

Tiwei Bie <tiwei.bie@intel.com>
    vhost/test: fix build for vhost test

Eric Dumazet <edumazet@google.com>
    ip6: fix skb leak in ip6frag_expire_frag_queue()

Cong Wang <xiyou.wangcong@gmail.com>
    xfrm: clean up xfrm protocol checks

Gustavo Romero <gromero@linux.ibm.com>
    powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction

Dan Carpenter <dan.carpenter@oracle.com>
    drm/vmwgfx: Fix double free in vmw_recv_msg()

Liangyan <liangyan.peng@linux.alibaba.com>
    sched/fair: Don't assign runtime for throttled cfs_rq

Takashi Iwai <tiwai@suse.de>
    ALSA: hda/realtek - Fix overridden device-specific initialization

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix potential endless loop at applying quirks


-------------

Diffstat:

 Makefile                            |  4 ++--
 arch/powerpc/kernel/process.c       |  3 ++-
 drivers/clk/clk-s2mps11.c           |  2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_msg.c |  8 +++-----
 drivers/vhost/test.c                | 13 +++++++++----
 drivers/vhost/vhost.c               | 10 ++++++----
 include/net/ipv6_frag.h             |  1 -
 include/net/xfrm.h                  | 17 +++++++++++++++++
 kernel/sched/fair.c                 |  5 +++++
 net/batman-adv/bat_iv_ogm.c         | 20 +++++++++++++-------
 net/batman-adv/netlink.c            |  2 +-
 net/key/af_key.c                    |  4 +++-
 net/xfrm/xfrm_state.c               |  2 +-
 net/xfrm/xfrm_user.c                | 14 +-------------
 scripts/decode_stacktrace.sh        |  2 +-
 sound/pci/hda/hda_auto_parser.c     |  4 ++--
 sound/pci/hda/hda_generic.c         |  3 ++-
 sound/pci/hda/hda_generic.h         |  1 +
 sound/pci/hda/patch_realtek.c       |  2 ++
 19 files changed, 72 insertions(+), 45 deletions(-)




* [PATCH 4.9 01/14] ALSA: hda - Fix potential endless loop at applying quirks
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
@ 2019-09-13 13:06 ` Greg Kroah-Hartman
  2019-09-13 13:06 ` [PATCH 4.9 02/14] ALSA: hda/realtek - Fix overridden device-specific initialization Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:06 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 333f31436d3db19f4286f8862a00ea1d8d8420a1 upstream.

Since the chained quirks via chained_before flag is applied before the
depth check, it may lead to the endless recursive calls, when the
chain were set up incorrectly.  Fix it by moving the depth check at
the beginning of the loop.

Fixes: 1f57825077dc ("ALSA: hda - Add chained_before flag to the fixup entry")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_auto_parser.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/hda_auto_parser.c
+++ b/sound/pci/hda/hda_auto_parser.c
@@ -827,6 +827,8 @@ static void apply_fixup(struct hda_codec
 	while (id >= 0) {
 		const struct hda_fixup *fix = codec->fixup_list + id;
 
+		if (++depth > 10)
+			break;
 		if (fix->chained_before)
 			apply_fixup(codec, fix->chain_id, action, depth + 1);
 
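Review bot: In this first hunk the recursion budget is now charged twice per chained_before hop: `++depth` runs at the top of the loop and the recursive call still passes `depth + 1`, so a nested chained_before chain reaches the limit after about five levels rather than the ten the constant suggests. Passing `depth` unchanged to the recursive apply_fixup() would keep the bound at its nominal value. The break is also silent; a one-time warning naming the fixup id would make an incorrectly set up chain visible instead of quietly truncating it.
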
@@ -866,8 +868,6 @@ static void apply_fixup(struct hda_codec
 		}
 		if (!fix->chained || fix->chained_before)
 			break;
-		if (++depth > 10)
-			break;
 		id = fix->chain_id;
 	}
 }




* [PATCH 4.9 02/14] ALSA: hda/realtek - Fix overridden device-specific initialization
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
  2019-09-13 13:06 ` [PATCH 4.9 01/14] ALSA: hda - Fix potential endless loop at applying quirks Greg Kroah-Hartman
@ 2019-09-13 13:06 ` Greg Kroah-Hartman
  2019-09-13 13:06 ` [PATCH 4.9 03/14] sched/fair: Dont assign runtime for throttled cfs_rq Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:06 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 89781d0806c2c4f29072d3f00cb2dd4274aabc3d upstream.

The recent change to shuffle the codec initialization procedure for
Realtek via commit 607ca3bd220f ("ALSA: hda/realtek - EAPD turn on
later") caused the silent output on some machines.  This change was
supposed to be safe, but it isn't actually; some devices have quirk
setups to override the EAPD via COEF or BTL in the additional verb
table, which is applied at the beginning of snd_hda_gen_init().  And
this EAPD setup is again overridden in alc_auto_init_amp().

For recovering from the regression, tell snd_hda_gen_init() not to
apply the verbs there by a new flag, then apply the verbs in
alc_init().

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204727
Fixes: 607ca3bd220f ("ALSA: hda/realtek - EAPD turn on later")
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_generic.c   |    3 ++-
 sound/pci/hda/hda_generic.h   |    1 +
 sound/pci/hda/patch_realtek.c |    2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/hda_generic.c
+++ b/sound/pci/hda/hda_generic.c
@@ -5807,7 +5807,8 @@ int snd_hda_gen_init(struct hda_codec *c
 	if (spec->init_hook)
 		spec->init_hook(codec);
 
-	snd_hda_apply_verbs(codec);
+	if (!spec->skip_verbs)
+		snd_hda_apply_verbs(codec);
 
 	init_multi_out(codec);
 	init_extra_out(codec);
--- a/sound/pci/hda/hda_generic.h
+++ b/sound/pci/hda/hda_generic.h
@@ -236,6 +236,7 @@ struct hda_gen_spec {
 	unsigned int indep_hp_enabled:1; /* independent HP enabled */
 	unsigned int have_aamix_ctl:1;
 	unsigned int hp_mic_jack_modes:1;
+	unsigned int skip_verbs:1; /* don't apply verbs at snd_hda_gen_init() */
 
 	/* additional mute flags (only effective with auto_mute_via_amp=1) */
 	u64 mute_bits;
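
Review bot: The comment on `skip_verbs` says what the flag suppresses but not what it obliges the caller to do. A codec driver that sets it and does not call snd_hda_apply_verbs() itself loses its verb table without any diagnostic, so the field comment should state that the caller becomes responsible for applying the verbs.
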
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -773,9 +773,11 @@ static int alc_init(struct hda_codec *co
 	if (spec->init_hook)
 		spec->init_hook(codec);
 
+	spec->gen.skip_verbs = 1; /* applied in below */
 	snd_hda_gen_init(codec);
 	alc_fix_pll(codec);
 	alc_auto_init_amp(codec, spec->init_amp);
+	snd_hda_apply_verbs(codec); /* apply verbs here after own init */
 
 	snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT);
 
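Review bot: `spec->gen.skip_verbs = 1` is written on every alc_init() call although the value never changes; setting it once where the spec is set up would keep configuration out of the init path and make the flag easier to find. The comment `/* applied in below */` would read better as `/* verbs are applied below, after alc_auto_init_amp() */`, which also records the ordering requirement the commit message describes.
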




* [PATCH 4.9 03/14] sched/fair: Dont assign runtime for throttled cfs_rq
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
  2019-09-13 13:06 ` [PATCH 4.9 01/14] ALSA: hda - Fix potential endless loop at applying quirks Greg Kroah-Hartman
  2019-09-13 13:06 ` [PATCH 4.9 02/14] ALSA: hda/realtek - Fix overridden device-specific initialization Greg Kroah-Hartman
@ 2019-09-13 13:06 ` Greg Kroah-Hartman
  2019-09-13 13:06 ` [PATCH 4.9 04/14] drm/vmwgfx: Fix double free in vmw_recv_msg() Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liangyan, Peter Zijlstra (Intel),
	Valentin Schneider, Ben Segall, Linus Torvalds, Thomas Gleixner,
	shanpeic, xlpang, Ingo Molnar

From: Liangyan <liangyan.peng@linux.alibaba.com>

commit 5e2d2cc2588bd3307ce3937acbc2ed03c830a861 upstream.

do_sched_cfs_period_timer() will refill cfs_b runtime and call
distribute_cfs_runtime to unthrottle cfs_rq, sometimes cfs_b->runtime
will allocate all quota to one cfs_rq incorrectly, then other cfs_rqs
attached to this cfs_b can't get runtime and will be throttled.

We find that one throttled cfs_rq has non-negative
cfs_rq->runtime_remaining and cause an unexpected cast from s64 to u64
in snippet:

  distribute_cfs_runtime() {
    runtime = -cfs_rq->runtime_remaining + 1;
  }

The runtime here will change to a large number and consume all
cfs_b->runtime in this cfs_b period.

According to Ben Segall, the throttled cfs_rq can have
account_cfs_rq_runtime called on it because it is throttled before
idle_balance, and the idle_balance calls update_rq_clock to add time
that is accounted to the task.

This commit prevents cfs_rq to be assigned new runtime if it has been
throttled until that distribute_cfs_runtime is called.

Signed-off-by: Liangyan <liangyan.peng@linux.alibaba.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
Reviewed-by: Ben Segall <bsegall@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: shanpeic@linux.alibaba.com
Cc: stable@vger.kernel.org
Cc: xlpang@linux.alibaba.com
Fixes: d3d9dc330236 ("sched: Throttle entities exceeding their allowed bandwidth")
Link: https://lkml.kernel.org/r/20190826121633.6538-1-liangyan.peng@linux.alibaba.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sched/fair.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3882,6 +3882,8 @@ static void __account_cfs_rq_runtime(str
 	if (likely(cfs_rq->runtime_remaining > 0))
 		return;
 
+	if (cfs_rq->throttled)
+		return;
 	/*
 	 * if we're unable to extend our runtime we resched so that the active
 	 * hierarchy can be throttled
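
Review bot: The new `if (cfs_rq->throttled)` early return carries no comment, and it reads the field directly while distribute_cfs_runtime() uses the cfs_rq_throttled() helper for the same test. A short comment saying that a throttled cfs_rq must wait for distribute_cfs_runtime() to hand it runtime, plus a blank line before the existing comment block, would keep the reason for the check from getting lost.
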
@@ -4077,6 +4079,9 @@ static u64 distribute_cfs_runtime(struct
 		if (!cfs_rq_throttled(cfs_rq))
 			goto next;
 
+		/* By the above check, this should never be true */
+		SCHED_WARN_ON(cfs_rq->runtime_remaining > 0);
+
 		runtime = -cfs_rq->runtime_remaining + 1;
 		if (runtime > remaining)
 			runtime = remaining;
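
Review bot: SCHED_WARN_ON() only reports the bad state; when `cfs_rq->runtime_remaining > 0` the next line still computes `runtime = -cfs_rq->runtime_remaining + 1`, which is the wrap to a huge unsigned value that the commit message describes. If the invariant is ever broken again the pool is drained exactly as before, so consider a `goto next` when the warning fires, so that the check contains the failure as well as reporting it.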


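The wrap described in the commit message above, as an added C example that is not part of the patch or the kernel source: a simplified user-space model of the distribution loop. The struct, the `toy_` names, the sample values and the `guard` skip are assumptions made for illustration; the patch itself addresses the problem earlier, in __account_cfs_rq_runtime().

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for the per-queue state; field names follow the commit message. */
struct toy_cfs_rq {
	int     throttled;
	int64_t runtime_remaining;	/* s64 in the kernel */
};

/* The quoted expression, with the result stored in an unsigned 64-bit value. */
static uint64_t toy_wanted(int64_t runtime_remaining)
{
	return (uint64_t)(-runtime_remaining + 1);
}

/*
 * Simplified model of the distribution loop (an assumption, not kernel code).
 * Each throttled queue asks for enough runtime to reach +1, clamped to what
 * is left in the pool. With guard != 0, a throttled queue that already has
 * positive runtime_remaining is skipped instead of being served.
 * granted[i] receives what queue i was given; the return value is what is
 * left in the pool afterwards.
 */
static uint64_t toy_distribute(struct toy_cfs_rq *rqs, uint64_t *granted,
			       int n, uint64_t remaining, int guard)
{
	int i;

	for (i = 0; i < n; i++)
		granted[i] = 0;

	for (i = 0; i < n; i++) {
		uint64_t runtime;

		if (!rqs[i].throttled)
			continue;
		if (guard && rqs[i].runtime_remaining > 0)
			continue;	/* invariant broken: do not serve it */

		runtime = toy_wanted(rqs[i].runtime_remaining);
		if (runtime > remaining)
			runtime = remaining;

		remaining -= runtime;
		rqs[i].runtime_remaining += (int64_t)runtime;
		granted[i] = runtime;

		if (!remaining)
			break;
	}
	return remaining;
}

int main(void)
{
	/* Constructed sample: queue 0 is throttled but holds +5 (the bad state). */
	struct toy_cfs_rq bad[3]  = { {1, 5}, {1, -300}, {1, -200} };
	struct toy_cfs_rq safe[3] = { {1, 5}, {1, -300}, {1, -200} };
	uint64_t g[3], left;

	printf("wanted for +5: %llu\n", (unsigned long long)toy_wanted(5));

	left = toy_distribute(bad, g, 3, 1000, 0);
	printf("no guard: granted %llu/%llu/%llu, pool left %llu\n",
	       (unsigned long long)g[0], (unsigned long long)g[1],
	       (unsigned long long)g[2], (unsigned long long)left);

	left = toy_distribute(safe, g, 3, 1000, 1);
	printf("guard:    granted %llu/%llu/%llu, pool left %llu\n",
	       (unsigned long long)g[0], (unsigned long long)g[1],
	       (unsigned long long)g[2], (unsigned long long)left);
	return 0;
}
```
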


* [PATCH 4.9 04/14] drm/vmwgfx: Fix double free in vmw_recv_msg()
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-09-13 13:06 ` [PATCH 4.9 03/14] sched/fair: Dont assign runtime for throttled cfs_rq Greg Kroah-Hartman
@ 2019-09-13 13:06 ` Greg Kroah-Hartman
  2019-09-13 13:06 ` [PATCH 4.9 05/14] powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:06 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Thomas Hellstrom

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 08b0c891605acf727e43e3e03a25857d3e789b61 upstream.

We recently added a kfree() after the end of the loop:

	if (retries == RETRIES) {
		kfree(reply);
		return -EINVAL;
	}

There are two problems.  First the test is wrong and because retries
equals RETRIES if we succeed on the last iteration through the loop.
Second if we fail on the last iteration through the loop then the kfree
is a double free.

When you're reading this code, please note the break statement at the
end of the while loop.  This patch changes the loop so that if it's not
successful then "reply" is NULL and we can test for that afterward.

Cc: <stable@vger.kernel.org>
Fixes: 6b7c3b86f0b6 ("drm/vmwgfx: fix memory leak when too many retries have occurred")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vmwgfx/vmwgfx_msg.c |    8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
@@ -264,7 +264,7 @@ static int vmw_recv_msg(struct rpc_chann
 
 		if ((HIGH_WORD(ebx) & MESSAGE_STATUS_SUCCESS) == 0) {
 			kfree(reply);
-
+			reply = NULL;
 			if ((HIGH_WORD(ebx) & MESSAGE_STATUS_CPT) != 0) {
 				/* A checkpoint occurred. Retry. */
 				continue;
@@ -288,7 +288,7 @@ static int vmw_recv_msg(struct rpc_chann
 
 		if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0) {
 			kfree(reply);
-
+			reply = NULL;
 			if ((HIGH_WORD(ecx) & MESSAGE_STATUS_CPT) != 0) {
 				/* A checkpoint occurred. Retry. */
 				continue;
@@ -300,10 +300,8 @@ static int vmw_recv_msg(struct rpc_chann
 		break;
 	}
 
-	if (retries == RETRIES) {
-		kfree(reply);
+	if (!reply)
 		return -EINVAL;
-	}
 
 	*msg_len = reply_len;
 	*msg     = reply;
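
Review bot: The new `if (!reply)` test after the loop is only correct if `reply` is NULL on every path that leaves the loop without a message: it has to start as NULL, and any other failure path inside the loop that frees it has to clear it or return directly. Neither is visible in these hunks, so please confirm both, and consider a one-line comment above the test stating that `reply == NULL` means every retry failed.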




* [PATCH 4.9 05/14] powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-09-13 13:06 ` [PATCH 4.9 04/14] drm/vmwgfx: Fix double free in vmw_recv_msg() Greg Kroah-Hartman
@ 2019-09-13 13:06 ` Greg Kroah-Hartman
  2019-09-13 13:06 ` [PATCH 4.9 06/14] xfrm: clean up xfrm protocol checks Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo Romero, Michael Neuling,
	Michael Ellerman

From: Gustavo Romero <gromero@linux.ibm.com>

commit 8205d5d98ef7f155de211f5e2eb6ca03d95a5a60 upstream.

When we take an FP unavailable exception in a transaction we have to
account for the hardware FP TM checkpointed registers being
incorrect. In this case for this process we know the current and
checkpointed FP registers must be the same (since FP wasn't used
inside the transaction) hence in the thread_struct we copy the current
FP registers to the checkpointed ones.

This copy is done in tm_reclaim_thread(). We use thread->ckpt_regs.msr
to determine if FP was on when in userspace. thread->ckpt_regs.msr
represents the state of the MSR when exiting userspace. This is setup
by check_if_tm_restore_required().

Unfortunately there is an optimisation in giveup_all() which returns
early if tsk->thread.regs->msr (via local variable `usermsr`) has
FP=VEC=VSX=SPE=0. This optimisation means that
check_if_tm_restore_required() is not called and hence
thread->ckpt_regs.msr is not updated and will contain an old value.

This can happen if due to load_fp=255 we start a userspace process
with MSR FP=1 and then we are context switched out. In this case
thread->ckpt_regs.msr will contain FP=1. If that same process is then
context switched in and load_fp overflows, MSR will have FP=0. If that
process now enters a transaction and does an FP instruction, the FP
unavailable will not update thread->ckpt_regs.msr (the bug) and MSR
FP=1 will be retained in thread->ckpt_regs.msr.  tm_reclaim_thread()
will then not perform the required memcpy and the checkpointed FP regs
in the thread struct will contain the wrong values.

The code path for this happening is:

       Userspace:                      Kernel
                   Start userspace
                    with MSR FP/VEC/VSX/SPE=0 TM=1
                      < -----
       ...
       tbegin
       bne
       fp instruction
                   FP unavailable
                       ---- >
                                        fp_unavailable_tm()
					  tm_reclaim_current()
					    tm_reclaim_thread()
					      giveup_all()
					        return early since FP/VMX/VSX=0
						/* ckpt MSR not updated (Incorrect) */
					      tm_reclaim()
					        /* thread_struct ckpt FP regs contain junk (OK) */
                                              /* Sees ckpt MSR FP=1 (Incorrect) */
					      no memcpy() performed
					        /* thread_struct ckpt FP regs not fixed (Incorrect) */
					  tm_recheckpoint()
					     /* Put junk in hardware checkpoint FP regs */
                                         ....
                      < -----
                   Return to userspace
                     with MSR TM=1 FP=1
                     with junk in the FP TM checkpoint
       TM rollback
       reads FP junk

This is a data integrity problem for the current process as the FP
registers are corrupted. It's also a security problem as the FP
registers from one process may be leaked to another.

This patch moves up check_if_tm_restore_required() in giveup_all() to
ensure thread->ckpt_regs.msr is updated correctly.

A simple testcase to replicate this will be posted to
tools/testing/selftests/powerpc/tm/tm-poison.c

Similarly for VMX.

This fixes CVE-2019-15030.

Fixes: f48e91e87e67 ("powerpc/tm: Fix FP and VMX register corruption")
Cc: stable@vger.kernel.org # 4.12+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20190904045529.23002-1-gromero@linux.vnet.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/process.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -476,13 +476,14 @@ void giveup_all(struct task_struct *tsk)
 	if (!tsk->thread.regs)
 		return;
 
+	check_if_tm_restore_required(tsk);
+
 	usermsr = tsk->thread.regs->msr;
 
 	if ((usermsr & msr_all_available) == 0)
 		return;
 
 	msr_check_and_set(msr_all_available);
-	check_if_tm_restore_required(tsk);
 
 #ifdef CONFIG_PPC_FPU
 	if (usermsr & MSR_FP)
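
Review bot: Nothing at the new call site says that check_if_tm_restore_required() has to run before the `(usermsr & msr_all_available) == 0` early return, so a later cleanup could move it back below the return and reintroduce CVE-2019-15030. A comment above the call stating that thread->ckpt_regs.msr must be refreshed even when no facility is enabled would protect the ordering. The call now also runs before msr_check_and_set(msr_all_available), and it is worth confirming that it does not depend on that. Separately, the stable tag reads `# 4.12+` while this is queued for 4.9, so please check that f48e91e87e67 is present in the 4.9 tree.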




* [PATCH 4.9 06/14] xfrm: clean up xfrm protocol checks
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-09-13 13:06 ` [PATCH 4.9 05/14] powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction Greg Kroah-Hartman
@ 2019-09-13 13:06 ` Greg Kroah-Hartman
  2019-09-13 13:07 ` [PATCH 4.9 07/14] ip6: fix skb leak in ip6frag_expire_frag_queue() Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+0bf0519d6e0de15914fe,
	Steffen Klassert, Herbert Xu, Cong Wang, Zubin Mithra

From: Cong Wang <xiyou.wangcong@gmail.com>

commit dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399 upstream.

In commit 6a53b7593233 ("xfrm: check id proto in validate_tmpl()")
I introduced a check for xfrm protocol, but according to Herbert
IPSEC_PROTO_ANY should only be used as a wildcard for lookup, so
it should be removed from validate_tmpl().

And, IPSEC_PROTO_ANY is expected to only match 3 IPSec-specific
protocols, this is why xfrm_state_flush() could still miss
IPPROTO_ROUTING, which leads that those entries are left in
net->xfrm.state_all before exit net. Fix this by replacing
IPSEC_PROTO_ANY with zero.

This patch also extracts the check from validate_tmpl() to
xfrm_id_proto_valid() and uses it in parse_ipsecrequest().
With this, no other protocols should be added into xfrm.

Fixes: 6a53b7593233 ("xfrm: check id proto in validate_tmpl()")
Reported-by: syzbot+0bf0519d6e0de15914fe@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/net/xfrm.h    |   17 +++++++++++++++++
 net/key/af_key.c      |    4 +++-
 net/xfrm/xfrm_state.c |    2 +-
 net/xfrm/xfrm_user.c  |   14 +-------------
 4 files changed, 22 insertions(+), 15 deletions(-)

--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1297,6 +1297,23 @@ static inline int xfrm_state_kern(const
 	return atomic_read(&x->tunnel_users);
 }
 
+static inline bool xfrm_id_proto_valid(u8 proto)
+{
+	switch (proto) {
+	case IPPROTO_AH:
+	case IPPROTO_ESP:
+	case IPPROTO_COMP:
+#if IS_ENABLED(CONFIG_IPV6)
+	case IPPROTO_ROUTING:
+	case IPPROTO_DSTOPTS:
+#endif
+		return true;
+	default:
+		return false;
+	}
+}
+
+/* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
 {
 	return (!userproto || proto == userproto ||
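
Review bot: xfrm_id_proto_valid() has no comment of its own, and the one added line of documentation sits on xfrm_id_proto_match() instead. The helper should state that IPSEC_PROTO_ANY is rejected on purpose because it is a lookup wildcard only; otherwise the missing case looks like an oversight next to the switch it replaces in validate_tmpl().
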
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1969,8 +1969,10 @@ parse_ipsecrequest(struct xfrm_policy *x
 
 	if (rq->sadb_x_ipsecrequest_mode == 0)
 		return -EINVAL;
+	if (!xfrm_id_proto_valid(rq->sadb_x_ipsecrequest_proto))
+		return -EINVAL;
 
-	t->id.proto = rq->sadb_x_ipsecrequest_proto; /* XXX check proto */
+	t->id.proto = rq->sadb_x_ipsecrequest_proto;
 	if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0)
 		return -EINVAL;
 	t->mode = mode;
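
Review bot: parse_ipsecrequest() previously copied `rq->sadb_x_ipsecrequest_proto` unchecked (the removed `/* XXX check proto */`), so the new -EINVAL is a behaviour change for PF_KEY users, including for a request that passes IPSEC_PROTO_ANY. The commit message mentions the new call but not that requests accepted before can now fail, and that deserves a sentence.
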
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2168,7 +2168,7 @@ void xfrm_state_fini(struct net *net)
 	unsigned int sz;
 
 	flush_work(&net->xfrm.state_hash_work);
-	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+	xfrm_state_flush(net, 0, false);
 	flush_work(&xfrm_state_gc_work);
 
 	WARN_ON(!list_empty(&net->xfrm.state_all));
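
Review bot: The bare `0` passed to xfrm_state_flush() only makes sense after reading the comment added in include/net/xfrm.h. A short comment at this call, for example that 0 matches every protocol while IPSEC_PROTO_ANY would miss IPPROTO_ROUTING entries, would explain how the change relates to the WARN_ON on `net->xfrm.state_all` two lines below.
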
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1452,20 +1452,8 @@ static int validate_tmpl(int nr, struct
 			return -EINVAL;
 		}
 
-		switch (ut[i].id.proto) {
-		case IPPROTO_AH:
-		case IPPROTO_ESP:
-		case IPPROTO_COMP:
-#if IS_ENABLED(CONFIG_IPV6)
-		case IPPROTO_ROUTING:
-		case IPPROTO_DSTOPTS:
-#endif
-		case IPSEC_PROTO_ANY:
-			break;
-		default:
+		if (!xfrm_id_proto_valid(ut[i].id.proto))
 			return -EINVAL;
-		}
-
 	}
 
 	return 0;




* [PATCH 4.9 07/14] ip6: fix skb leak in ip6frag_expire_frag_queue()
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-09-13 13:06 ` [PATCH 4.9 06/14] xfrm: clean up xfrm protocol checks Greg Kroah-Hartman
@ 2019-09-13 13:07 ` Greg Kroah-Hartman
  2019-09-13 13:07 ` [PATCH 4.9 08/14] vhost/test: fix build for vhost test Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Stefan Bader,
	Peter Oskolkov, Florian Westphal, David S. Miller, Baolin Wang

From: Eric Dumazet <edumazet@google.com>

commit 47d3d7fdb10a21c223036b58bd70ffdc24a472c4 upstream.

Since ip6frag_expire_frag_queue() now pulls the head skb
from frag queue, we should no longer use skb_get(), since
this leads to an skb leak.

Stefan Bader initially reported a problem in 4.4.stable [1] caused
by the skb_get(), so this patch should also fix this issue.

296583.091021] kernel BUG at /build/linux-6VmqmP/linux-4.4.0/net/core/skbuff.c:1207!
[296583.091734] Call Trace:
[296583.091749]  [<ffffffff81740e50>] __pskb_pull_tail+0x50/0x350
[296583.091764]  [<ffffffff8183939a>] _decode_session6+0x26a/0x400
[296583.091779]  [<ffffffff817ec719>] __xfrm_decode_session+0x39/0x50
[296583.091795]  [<ffffffff818239d0>] icmpv6_route_lookup+0xf0/0x1c0
[296583.091809]  [<ffffffff81824421>] icmp6_send+0x5e1/0x940
[296583.091823]  [<ffffffff81753238>] ? __netif_receive_skb+0x18/0x60
[296583.091838]  [<ffffffff817532b2>] ? netif_receive_skb_internal+0x32/0xa0
[296583.091858]  [<ffffffffc0199f74>] ? ixgbe_clean_rx_irq+0x594/0xac0 [ixgbe]
[296583.091876]  [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
[296583.091893]  [<ffffffff8183d431>] icmpv6_send+0x21/0x30
[296583.091906]  [<ffffffff8182b500>] ip6_expire_frag_queue+0xe0/0x120
[296583.091921]  [<ffffffffc04eb27f>] nf_ct_frag6_expire+0x1f/0x30 [nf_defrag_ipv6]
[296583.091938]  [<ffffffff810f3b57>] call_timer_fn+0x37/0x140
[296583.091951]  [<ffffffffc04eb260>] ? nf_ct_net_exit+0x50/0x50 [nf_defrag_ipv6]
[296583.091968]  [<ffffffff810f5464>] run_timer_softirq+0x234/0x330
[296583.091982]  [<ffffffff8108a339>] __do_softirq+0x109/0x2b0

Fixes: d4289fcc9b16 ("net: IP6 defrag: use rbtrees for IPv6 defrag")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Stefan Bader <stefan.bader@canonical.com>
Cc: Peter Oskolkov <posk@google.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/net/ipv6_frag.h |    1 -
 1 file changed, 1 deletion(-)

--- a/include/net/ipv6_frag.h
+++ b/include/net/ipv6_frag.h
@@ -94,7 +94,6 @@ ip6frag_expire_frag_queue(struct net *ne
 		goto out;
 
 	head->dev = dev;
-	skb_get(head);
 	spin_unlock(&fq->q.lock);
 
 	icmpv6_send(head, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0);
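
Review bot: With skb_get(head) removed, `head` is passed to icmpv6_send() after spin_unlock(&fq->q.lock) on the single reference the function already holds, and the lines that release it are outside this hunk. Please confirm that the 4.9 version frees `head` exactly once on the path after icmpv6_send(), and that d4289fcc9b16 (the change that makes this function pull the head skb from the queue) is in this tree, since without it the extra reference would still be needed.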




* [PATCH 4.9 08/14] vhost/test: fix build for vhost test
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-09-13 13:07 ` [PATCH 4.9 07/14] ip6: fix skb leak in ip6frag_expire_frag_queue() Greg Kroah-Hartman
@ 2019-09-13 13:07 ` Greg Kroah-Hartman
  2019-09-13 13:07 ` [PATCH 4.9 09/14] batman-adv: fix uninit-value in batadv_netlink_get_ifindex() Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tiwei Bie, Michael S. Tsirkin, Jason Wang

From: Tiwei Bie <tiwei.bie@intel.com>

commit 264b563b8675771834419057cbe076c1a41fb666 upstream.

Since vhost_exceeds_weight() was introduced, callers need to specify
the packet weight and byte weight in vhost_dev_init(). Note that, the
packet weight isn't counted in this patch to keep the original behavior
unchanged.

Fixes: e82b9b0727ff ("vhost: introduce vhost_exceeds_weight()")
Cc: stable@vger.kernel.org
Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/vhost/test.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/vhost/test.c
+++ b/drivers/vhost/test.c
@@ -23,6 +23,12 @@
  * Using this limit prevents one virtqueue from starving others. */
 #define VHOST_TEST_WEIGHT 0x80000
 
+/* Max number of packets transferred before requeueing the job.
+ * Using this limit prevents one virtqueue from starving others with
+ * pkts.
+ */
+#define VHOST_TEST_PKT_WEIGHT 256
+
 enum {
 	VHOST_TEST_VQ = 0,
 	VHOST_TEST_VQ_MAX = 1,
@@ -81,10 +87,8 @@ static void handle_vq(struct vhost_test
 		}
 		vhost_add_used_and_signal(&n->dev, vq, head, 0);
 		total_len += len;
-		if (unlikely(total_len >= VHOST_TEST_WEIGHT)) {
-			vhost_poll_queue(&vq->poll);
+		if (unlikely(vhost_exceeds_weight(vq, 0, total_len)))
 			break;
-		}
 	}
 
 	mutex_unlock(&vq->mutex);
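
Review bot: vhost_exceeds_weight() is called with a literal `0` for the packet count, so VHOST_TEST_PKT_WEIGHT defined in the first hunk can never be the limit that trips. The commit message says this is intentional, but the call site should carry a comment saying so. The explicit vhost_poll_queue(&vq->poll) is also gone from this branch; the requeue is presumably done inside vhost_exceeds_weight(), which is not visible here and should be confirmed for the 4.9 version of that helper.
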
@@ -116,7 +120,8 @@ static int vhost_test_open(struct inode
 	dev = &n->dev;
 	vqs[VHOST_TEST_VQ] = &n->vqs[VHOST_TEST_VQ];
 	n->vqs[VHOST_TEST_VQ].handle_kick = handle_vq_kick;
-	vhost_dev_init(dev, vqs, VHOST_TEST_VQ_MAX);
+	vhost_dev_init(dev, vqs, VHOST_TEST_VQ_MAX,
+		       VHOST_TEST_PKT_WEIGHT, VHOST_TEST_WEIGHT);
 
 	f->private_data = n;
 




* [PATCH 4.9 09/14] batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-09-13 13:07 ` [PATCH 4.9 08/14] vhost/test: fix build for vhost test Greg Kroah-Hartman
@ 2019-09-13 13:07 ` Greg Kroah-Hartman
  2019-09-13 13:07 ` [PATCH 4.9 10/14] batman-adv: Only read OGM tvlv_len after buffer len check Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, Sven Eckelmann,
	Simon Wunderlich

From: Eric Dumazet <edumazet@google.com>

commit 3ee1bb7aae97324ec9078da1f00cb2176919563f upstream.

batadv_netlink_get_ifindex() needs to make sure user passed
a correct u32 attribute.

syzbot reported :
BUG: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
CPU: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
 __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
 batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
 genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482
 netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253
 __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361
 genl_family_rcv_msg net/netlink/genetlink.c:550 [inline]
 genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627
 netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:638
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:661 [inline]
 ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260
 __sys_sendmsg net/socket.c:2298 [inline]
 __do_sys_sendmsg net/socket.c:2307 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2305
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x440209

Fixes: b60620cf567b ("batman-adv: netlink: hardif query")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/batman-adv/netlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/batman-adv/netlink.c
+++ b/net/batman-adv/netlink.c
@@ -114,7 +114,7 @@ batadv_netlink_get_ifindex(const struct
 {
 	struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype);
 
-	return attr ? nla_get_u32(attr) : 0;
+	return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0;
 }
 
 /**
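Review bot: in batadv_netlink_get_ifindex() a present attribute with the wrong length now yields 0, the same value as a missing attribute, so the caller cannot tell a malformed request from one that omitted the attribute. If the callers treat 0 as "no interface", say so in the function's kernel-doc; otherwise consider returning an error for the nla_len(attr) != sizeof(u32) case so malformed input is rejected explicitly instead of being mapped silently to ifindex 0.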



^ permalink raw reply	[flat|nested] 29+ messages in thread

* [PATCH 4.9 10/14] batman-adv: Only read OGM tvlv_len after buffer len check
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-09-13 13:07 ` [PATCH 4.9 09/14] batman-adv: fix uninit-value in batadv_netlink_get_ifindex() Greg Kroah-Hartman
@ 2019-09-13 13:07 ` Greg Kroah-Hartman
  2019-09-13 13:07 ` [PATCH 4.9 11/14] scripts/decode_stacktrace: match basepath using shell prefix operator, not regex Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+355cab184197dbbfa384,
	Sven Eckelmann, Antonio Quartulli, Simon Wunderlich

From: Sven Eckelmann <sven@narfation.org>

commit a15d56a60760aa9dbe26343b9a0ac5228f35d445 upstream.

Multiple batadv_ogm_packet can be stored in an skbuff. The functions
batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use
batadv_iv_ogm_aggr_packet() to check if there is another additional
batadv_ogm_packet in the skb or not before they continue processing the
packet.

The length for such an OGM is BATADV_OGM_HLEN +
batadv_ogm_packet->tvlv_len. The check must first check that at least
BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is
part of the header). Otherwise it might try to read outside of the currently
available skbuff to get the content of tvlv_len.

Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/batman-adv/bat_iv_ogm.c |   20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -450,17 +450,23 @@ static u8 batadv_hop_penalty(u8 tq, cons
  * batadv_iv_ogm_aggr_packet - checks if there is another OGM attached
  * @buff_pos: current position in the skb
  * @packet_len: total length of the skb
- * @tvlv_len: tvlv length of the previously considered OGM
+ * @ogm_packet: potential OGM in buffer
  *
  * Return: true if there is enough space for another OGM, false otherwise.
  */
-static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
-				      __be16 tvlv_len)
+static bool
+batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
+			  const struct batadv_ogm_packet *ogm_packet)
 {
 	int next_buff_pos = 0;
 
-	next_buff_pos += buff_pos + BATADV_OGM_HLEN;
-	next_buff_pos += ntohs(tvlv_len);
+	/* check if there is enough space for the header */
+	next_buff_pos += buff_pos + sizeof(*ogm_packet);
+	if (next_buff_pos > packet_len)
+		return false;
+
+	/* check if there is enough space for the optional TVLV */
+	next_buff_pos += ntohs(ogm_packet->tvlv_len);
 
 	return (next_buff_pos <= packet_len) &&
 	       (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
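Review bot: the new header bound in batadv_iv_ogm_aggr_packet() is computed with sizeof(*ogm_packet), while the removed line and the callers express the header length as BATADV_OGM_HLEN. Using the same constant here, or stating in the comment that the two are equal, would keep the check and the offset arithmetic from diverging if the struct ever changes. The kernel-doc line for @ogm_packet could also say that the pointer may point past the valid data and is only dereferenced once the header bound has passed, since that ordering is the whole fix.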
@@ -488,7 +494,7 @@ static void batadv_iv_ogm_send_to_if(str
 
 	/* adjust all flags and log packets */
 	while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
-					 batadv_ogm_packet->tvlv_len)) {
+					 batadv_ogm_packet)) {
 		/* we might have aggregated direct link packets with an
 		 * ordinary base packet
 		 */
@@ -1841,7 +1847,7 @@ static int batadv_iv_ogm_receive(struct
 
 	/* unpack the aggregated packets and process them one by one */
 	while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
-					 ogm_packet->tvlv_len)) {
+					 ogm_packet)) {
 		batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
 
 		ogm_offset += BATADV_OGM_HLEN;
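Review bot: batadv_iv_ogm_aggr_packet() takes both ogm_offset and ogm_packet in this loop, and the check is only sound if the pointer refers to the bytes at that offset. The two are updated separately (the offset here with "ogm_offset += BATADV_OGM_HLEN;", the pointer outside the visible context), so a later change that touches one and not the other would bring back the out-of-bounds read of tvlv_len. Passing the buffer base and letting the helper derive the pointer from the offset would remove that dependency; failing that, a comment at the call site would help. The bound passed is skb_headlen(skb), so it is also worth confirming that the OGMs are guaranteed to sit in the linear part of the skb.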



^ permalink raw reply	[flat|nested] 29+ messages in thread
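The ordering that the batman-adv patch above enforces (confirm the fixed header fits, then read the length field inside it), shown as an added user-space example that is not code from the patch or from batman-adv. The record layout, REC_HLEN, LEN_OFF, MAX_AGGR and the function names are assumptions made for illustration, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout, for illustration only: a fixed header of REC_HLEN
 * bytes whose last two bytes hold a big-endian payload length, followed by
 * that many payload bytes. Several records may be packed back to back. */
#define REC_HLEN 8      /* stands in for BATADV_OGM_HLEN */
#define LEN_OFF  6      /* offset of the length field inside the header */
#define MAX_AGGR 512    /* stands in for BATADV_MAX_AGGREGATION_BYTES */

struct walk_result {
	int records;    /* complete records accepted */
	int max_read;   /* one past the highest byte offset that was read */
};

/* Read a big-endian u16 and remember how far into the buffer we looked. */
static int rd_be16(const uint8_t *buf, int off, struct walk_result *r)
{
	if (off + 2 > r->max_read)
		r->max_read = off + 2;
	return (buf[off] << 8) | buf[off + 1];
}

/* Pre-fix ordering: the length field is fetched before anything has
 * established that a header is present at pos. */
static struct walk_result walk_len_first(const uint8_t *buf, int packet_len)
{
	struct walk_result r = { 0, 0 };
	int pos = 0;

	for (;;) {
		int next = pos + REC_HLEN + rd_be16(buf, pos + LEN_OFF, &r);

		if (next > packet_len || next > MAX_AGGR)
			break;
		r.records++;
		pos = next;
	}
	return r;
}

/* Post-fix ordering: header bound first, then the length it contains. */
static struct walk_result walk_header_first(const uint8_t *buf, int packet_len)
{
	struct walk_result r = { 0, 0 };
	int pos = 0;

	for (;;) {
		int next = pos + REC_HLEN;

		if (next > packet_len)          /* no room for a header */
			break;
		next += rd_be16(buf, pos + LEN_OFF, &r);
		if (next > packet_len || next > MAX_AGGR)
			break;
		r.records++;
		pos = next;
	}
	return r;
}

/* Constructed sample. The backing array is larger than the valid data so
 * that the over-read of the pre-fix ordering can be observed without
 * undefined behaviour: one complete record (8-byte header, 4-byte payload)
 * followed by 3 stray bytes that cannot hold a header. */
#define SAMPLE_VALID_LEN 15
static const uint8_t sample[32] = {
	0, 0, 0, 0, 0, 0, 0x00, 0x04,   /* header, length = 4 */
	0xaa, 0xbb, 0xcc, 0xdd,         /* payload */
	0x01, 0x02, 0x03,               /* truncated next header */
};

int main(void)
{
	struct walk_result a = walk_len_first(sample, SAMPLE_VALID_LEN);
	struct walk_result b = walk_header_first(sample, SAMPLE_VALID_LEN);

	printf("valid bytes: %d\n", SAMPLE_VALID_LEN);
	printf("length first: %d record(s), read up to offset %d\n",
	       a.records, a.max_read);
	printf("header first: %d record(s), read up to offset %d\n",
	       b.records, b.max_read);
	return 0;
}
```

Both walkers accept the same record; only the second stays inside the valid bytes, and the first over-reads even when the buffer ends exactly on a record boundary.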

* [PATCH 4.9 11/14] scripts/decode_stacktrace: match basepath using shell prefix operator, not regex
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-09-13 13:07 ` [PATCH 4.9 10/14] batman-adv: Only read OGM tvlv_len after buffer len check Greg Kroah-Hartman
@ 2019-09-13 13:07 ` Greg Kroah-Hartman
  2019-09-13 13:07 ` [PATCH 4.9 12/14] clk: s2mps11: Add used attribute to s2mps11_dt_match Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Boichat, Stephen Boyd,
	Andrew Morton, Linus Torvalds, Sasha Levin

[ Upstream commit 31013836a71e07751a6827f9d2ad41ef502ddaff ]

The basepath may contain special characters, which would confuse the regex
matcher.  ${var#prefix} does the right thing.

Link: http://lkml.kernel.org/r/20190518055946.181563-1-drinkcat@chromium.org
Fixes: 67a28de47faa8358 ("scripts/decode_stacktrace: only strip base path when a prefix of the path")
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/decode_stacktrace.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
index 381acfc4c59dd..98cf6343afcd7 100755
--- a/scripts/decode_stacktrace.sh
+++ b/scripts/decode_stacktrace.sh
@@ -77,7 +77,7 @@ parse_symbol() {
 	fi
 
 	# Strip out the base of the path
-	code=${code//^$basepath/""}
+	code=${code#$basepath/}
 
 	# In the case of inlines, move everything to same line
 	code=${code//$'\n'/' '}
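Review bot: in "code=${code#$basepath/}" the expansion of $basepath is unquoted inside the pattern, so the shell still treats *, ? and [ in the path as glob characters, which is the same class of problem the commit message describes for the regex. Quoting it, as in code=${code#"$basepath"/}, makes the prefix match literal. The new form also removes the trailing slash together with the base path, so the result is a relative path; that is worth a word in the comment above the line.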
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 29+ messages in thread

* [PATCH 4.9 12/14] clk: s2mps11: Add used attribute to s2mps11_dt_match
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-09-13 13:07 ` [PATCH 4.9 11/14] scripts/decode_stacktrace: match basepath using shell prefix operator, not regex Greg Kroah-Hartman
@ 2019-09-13 13:07 ` Greg Kroah-Hartman
  2019-09-13 13:07 ` [PATCH 4.9 13/14] vhost: block speculation of translated descriptors Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Stephen Boyd, Sasha Levin

[ Upstream commit 9c940bbe2bb47e03ca5e937d30b6a50bf9c0e671 ]

Clang warns after commit 8985167ecf57 ("clk: s2mps11: Fix matching when
built as module and DT node contains compatible"):

drivers/clk/clk-s2mps11.c:242:34: warning: variable 's2mps11_dt_match'
is not needed and will not be emitted [-Wunneeded-internal-declaration]
static const struct of_device_id s2mps11_dt_match[] = {
                                 ^
1 warning generated.

This warning happens when a variable is used in some construct that
doesn't require a reference to that variable to be emitted in the symbol
table; in this case, it's MODULE_DEVICE_TABLE, which only needs to hold
the data of the variable, not the variable itself.

$ nm -S drivers/clk/clk-s2mps11.o | rg s2mps11_dt_match
00000078 000003d4 R __mod_of__s2mps11_dt_match_device_table

Normally, with device ID table variables, it means that the variable
just needs to be tied to the device declaration at the bottom of the
file, like s2mps11_clk_id:

$ nm -S drivers/clk/clk-s2mps11.o | rg s2mps11_clk_id
00000000 00000078 R __mod_platform__s2mps11_clk_id_device_table
00000000 00000078 r s2mps11_clk_id

However, because the comment above this deliberately doesn't want this
variable added to .of_match_table, we need to mark s2mps11_dt_match as
__used to silence this warning. This makes it clear to Clang that the
variable is used for something, even if a reference to it isn't being
emitted.

Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Fixes: 8985167ecf57 ("clk: s2mps11: Fix matching when built as module and DT node contains compatible")
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/clk-s2mps11.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/clk-s2mps11.c b/drivers/clk/clk-s2mps11.c
index 14071a57c9262..f5d74e8db4327 100644
--- a/drivers/clk/clk-s2mps11.c
+++ b/drivers/clk/clk-s2mps11.c
@@ -255,7 +255,7 @@ MODULE_DEVICE_TABLE(platform, s2mps11_clk_id);
  * This requires of_device_id table.  In the same time this will not change the
  * actual *device* matching so do not add .of_match_table.
  */
-static const struct of_device_id s2mps11_dt_match[] = {
+static const struct of_device_id s2mps11_dt_match[] __used = {
 	{
 		.compatible = "samsung,s2mps11-clk",
 		.data = (void *)S2MPS11X,
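Review bot: the comment above s2mps11_dt_match explains why .of_match_table is not set but not why the array carries __used. The annotation only makes sense together with that decision, so extend the comment to say that the table is consumed only through MODULE_DEVICE_TABLE, as the commit message states; otherwise a later cleanup may drop the attribute, or the table, as dead code.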
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 29+ messages in thread

* [PATCH 4.9 13/14] vhost: block speculation of translated descriptors
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-09-13 13:07 ` [PATCH 4.9 12/14] clk: s2mps11: Add used attribute to s2mps11_dt_match Greg Kroah-Hartman
@ 2019-09-13 13:07 ` Greg Kroah-Hartman
  2019-09-13 13:07 ` [PATCH 4.9 14/14] vhost: make sure log_num < in_num Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael S. Tsirkin, Jason Wang

From: Michael S. Tsirkin <mst@redhat.com>

commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.

iovec addresses coming from vhost are assumed to be
pre-validated, but in fact can be speculated to a value
out of range.

Userspace addresses are later validated with array_index_nospec so we can
be sure kernel info does not leak through these addresses, but vhost
must also not leak userspace info outside the allowed memory table to
guests.

Following the defence in depth principle, make sure
the address is not validated out of node range.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Acked-by: Jason Wang <jasowang@redhat.com>
Tested-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/vhost/vhost.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -1874,8 +1874,10 @@ static int translate_desc(struct vhost_v
 		_iov = iov + ret;
 		size = node->size - addr + node->start;
 		_iov->iov_len = min((u64)len - s, size);
-		_iov->iov_base = (void __user *)(unsigned long)
-			(node->userspace_addr + addr - node->start);
+		_iov->iov_base = (void __user *)
+			((unsigned long)node->userspace_addr +
+			 array_index_nospec((unsigned long)(addr - node->start),
+					    node->size));
 		s += size;
 		addr += size;
 		++ret;
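Review bot: array_index_nospec() is given node->size uncast as the bound while the index is cast to unsigned long. The line above, "_iov->iov_len = min((u64)len - s, size);", treats the node size as a 64-bit quantity, so on 32-bit configurations the bound is wider than long, which array_index_nospec() rejects at build time, and the cast on the index would truncate addr - node->start if it did build. The clamp needs a form that works on 64-bit values, or the offset must be shown to fit in unsigned long before this point; please build-test i386 and the other 32-bit targets.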



^ permalink raw reply	[flat|nested] 29+ messages in thread

* [PATCH 4.9 14/14] vhost: make sure log_num < in_num
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-09-13 13:07 ` [PATCH 4.9 13/14] vhost: block speculation of translated descriptors Greg Kroah-Hartman
@ 2019-09-13 13:07 ` Greg Kroah-Hartman
  2019-09-13 20:19 ` [PATCH 4.9 00/14] 4.9.193-stable review kernelci.org bot
                   ` (5 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-13 13:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lidong Chen, ruippan, yongduan,
	Michael S. Tsirkin, Tyler Hicks

From: yongduan <yongduan@tencent.com>

commit 060423bfdee3f8bc6e2c1bac97de24d5415e2bc4 upstream.

The code assumes log_num < in_num everywhere, and that is true as long as
in_num is incremented by descriptor iov count, and log_num by 1. However
this breaks if there's a zero sized descriptor.

As a result, if a malicious guest creates a vring desc with desc.len = 0,
it may cause the host kernel to crash by overflowing the log array. This
bug can be triggered during the VM migration.

There's no need to log when desc.len = 0, so just don't increment log_num
in this case.

Fixes: 3a4d5c94e959 ("vhost_net: a kernel-level virtio server")
Cc: stable@vger.kernel.org
Reviewed-by: Lidong Chen <lidongchen@tencent.com>
Signed-off-by: ruippan <ruippan@tencent.com>
Signed-off-by: yongduan <yongduan@tencent.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/vhost/vhost.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -1989,7 +1989,7 @@ static int get_indirect(struct vhost_vir
 		/* If this is an input descriptor, increment that count. */
 		if (access == VHOST_ACCESS_WO) {
 			*in_num += ret;
-			if (unlikely(log)) {
+			if (unlikely(log && ret)) {
 				log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
 				log[*log_num].len = vhost32_to_cpu(vq, desc.len);
 				++*log_num;
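Review bot: skipping the log entry when ret is 0 keeps log_num from outrunning in_num, but the store "log[*log_num].addr = ..." in get_indirect() still has no bound of its own and relies on that invariant holding everywhere. State the invariant in a comment here, or check *log_num against the capacity of the log array before storing, so the next change to how in_num is counted cannot turn into an out-of-bounds write again.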
@@ -2125,7 +2125,7 @@ int vhost_get_vq_desc(struct vhost_virtq
 			/* If this is an input descriptor,
 			 * increment that count. */
 			*in_num += ret;
-			if (unlikely(log)) {
+			if (unlikely(log && ret)) {
 				log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
 				log[*log_num].len = vhost32_to_cpu(vq, desc.len);
 				++*log_num;
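Review bot: vhost_get_vq_desc() now carries the same "if (unlikely(log && ret))" block as get_indirect(), and the fix depends on both copies staying identical. A small helper that records one log entry would give the zero-length rule a single home.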



^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-09-13 13:07 ` [PATCH 4.9 14/14] vhost: make sure log_num < in_num Greg Kroah-Hartman
@ 2019-09-13 20:19 ` kernelci.org bot
  2019-09-14  3:58 ` Naresh Kamboju
                   ` (4 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: kernelci.org bot @ 2019-09-13 20:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

stable-rc/linux-4.9.y boot: 115 boots: 0 failed, 105 passed with 10 offline (v4.9.192-15-g8e25fc1750f0)

Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.9.y/kernel/v4.9.192-15-g8e25fc1750f0/
Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.9.y/kernel/v4.9.192-15-g8e25fc1750f0/

Tree: stable-rc
Branch: linux-4.9.y
Git Describe: v4.9.192-15-g8e25fc1750f0
Git Commit: 8e25fc1750f0dd9f378c153ecda509a578059b81
Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Tested: 55 unique boards, 22 SoC families, 14 builds out of 196

Offline Platforms:

arm64:

    defconfig:
        gcc-8
            apq8016-sbc: 1 offline lab

arm:

    multi_v7_defconfig:
        gcc-8
            qcom-apq8064-cm-qs600: 1 offline lab
            qcom-apq8064-ifc6410: 1 offline lab
            sun5i-r8-chip: 1 offline lab
            sun7i-a20-bananapi: 1 offline lab

    davinci_all_defconfig:
        gcc-8
            dm365evm,legacy: 1 offline lab

    qcom_defconfig:
        gcc-8
            qcom-apq8064-cm-qs600: 1 offline lab
            qcom-apq8064-ifc6410: 1 offline lab

    sunxi_defconfig:
        gcc-8
            sun5i-r8-chip: 1 offline lab
            sun7i-a20-bananapi: 1 offline lab

---
For more info write to <info@kernelci.org>

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-09-13 20:19 ` [PATCH 4.9 00/14] 4.9.193-stable review kernelci.org bot
@ 2019-09-14  3:58 ` Naresh Kamboju
  2019-09-14  8:28 ` Guenter Roeck
                   ` (3 subsequent siblings)
  19 siblings, 0 replies; 29+ messages in thread
From: Naresh Kamboju @ 2019-09-14  3:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Fri, 13 Sep 2019 at 09:09, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.9.193 release.
> There are 14 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.193-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.9.193-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.9.y
git commit: 8e25fc1750f0dd9f378c153ecda509a578059b81
git describe: v4.9.192-15-g8e25fc1750f0
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.9-oe/build/v4.9.192-15-g8e25fc1750f0


No regressions (compared to build v4.9.192)

No fixes (compared to build v4.9.192)


Ran 23550 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* network-basic-tests
* ltp-open-posix-tests
* kvm-unit-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none
* prep-tmp-disk
* ssuite

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-09-14  3:58 ` Naresh Kamboju
@ 2019-09-14  8:28 ` Guenter Roeck
  2019-09-14  8:31   ` Greg Kroah-Hartman
  2019-09-14 14:16 ` Guenter Roeck
                   ` (2 subsequent siblings)
  19 siblings, 1 reply; 29+ messages in thread
From: Guenter Roeck @ 2019-09-14  8:28 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, ben.hutchings, lkft-triage,
	stable, Michael S. Tsirkin, Jason Wang

On 9/13/19 6:06 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.193 release.
> There are 14 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> Anything received after that time might be too late.
> 

Is it really only me seeing this ?

drivers/vhost/vhost.c: In function 'translate_desc':
include/linux/compiler.h:549:38: error: call to '__compiletime_assert_1879' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)

i386:allyesconfig, mips:allmodconfig and others, everywhere including
mainline. Culprit is commit a89db445fbd7f1 ("vhost: block speculation
of translated descriptors").

Guenter

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-14  8:28 ` Guenter Roeck
@ 2019-09-14  8:31   ` Greg Kroah-Hartman
  2019-09-14  8:39     ` Guenter Roeck
  2019-09-15  0:49     ` Guenter Roeck
  0 siblings, 2 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-14  8:31 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable, Michael S. Tsirkin, Jason Wang

On Sat, Sep 14, 2019 at 01:28:39AM -0700, Guenter Roeck wrote:
> On 9/13/19 6:06 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.9.193 release.
> > There are 14 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> > Anything received after that time might be too late.
> > 
> 
> Is it really only me seeing this ?
> 
> drivers/vhost/vhost.c: In function 'translate_desc':
> include/linux/compiler.h:549:38: error: call to '__compiletime_assert_1879' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
> 
> i386:allyesconfig, mips:allmodconfig and others, everywhere including
> mainline. Culprit is commit a89db445fbd7f1 ("vhost: block speculation
> of translated descriptors").

Nope, I just got another report of this on 5.2.y.  Problem is also in
Linus's tree :(

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-14  8:31   ` Greg Kroah-Hartman
@ 2019-09-14  8:39     ` Guenter Roeck
  2019-09-15  0:49     ` Guenter Roeck
  1 sibling, 0 replies; 29+ messages in thread
From: Guenter Roeck @ 2019-09-14  8:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable, Michael S. Tsirkin, Jason Wang

On 9/14/19 1:31 AM, Greg Kroah-Hartman wrote:
> On Sat, Sep 14, 2019 at 01:28:39AM -0700, Guenter Roeck wrote:
>> On 9/13/19 6:06 AM, Greg Kroah-Hartman wrote:
>>> This is the start of the stable review cycle for the 4.9.193 release.
>>> There are 14 patches in this series, all will be posted as a response
>>> to this one.  If anyone has any issues with these being applied, please
>>> let me know.
>>>
>>> Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
>>> Anything received after that time might be too late.
>>>
>>
>> Is it really only me seeing this ?
>>
>> drivers/vhost/vhost.c: In function 'translate_desc':
>> include/linux/compiler.h:549:38: error: call to '__compiletime_assert_1879' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
>>
>> i386:allyesconfig, mips:allmodconfig and others, everywhere including
>> mainline. Culprit is commit a89db445fbd7f1 ("vhost: block speculation
>> of translated descriptors").
> 
> Nope, I just got another report of this on 5.2.y.  Problem is also in
> Linus's tree :(
> 

Sending a fix in a minute. I'll copy you and Linus.

Guenter

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-09-14  8:28 ` Guenter Roeck
@ 2019-09-14 14:16 ` Guenter Roeck
  2019-09-15 13:35 ` Greg Kroah-Hartman
  2019-09-16  9:17 ` Jon Hunter
  19 siblings, 0 replies; 29+ messages in thread
From: Guenter Roeck @ 2019-09-14 14:16 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, ben.hutchings, lkft-triage, stable

On 9/13/19 6:06 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.193 release.
> There are 14 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> Anything received after that time might be too late.
> 

Build results:
	total: 172 pass: 168 fail: 4
Failed builds:
	arm:allmodconfig
	i386:allyesconfig
	i386:allmodconfig
	mips:allmodconfig
Qemu test results:
	total: 356 pass: 356 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-14  8:31   ` Greg Kroah-Hartman
  2019-09-14  8:39     ` Guenter Roeck
@ 2019-09-15  0:49     ` Guenter Roeck
  2019-09-15 12:58       ` Greg Kroah-Hartman
  1 sibling, 1 reply; 29+ messages in thread
From: Guenter Roeck @ 2019-09-15  0:49 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable, Michael S. Tsirkin, Jason Wang

Hi Greg,

On 9/14/19 1:31 AM, Greg Kroah-Hartman wrote:
> On Sat, Sep 14, 2019 at 01:28:39AM -0700, Guenter Roeck wrote:
>> On 9/13/19 6:06 AM, Greg Kroah-Hartman wrote:
>>> This is the start of the stable review cycle for the 4.9.193 release.
>>> There are 14 patches in this series, all will be posted as a response
>>> to this one.  If anyone has any issues with these being applied, please
>>> let me know.
>>>
>>> Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
>>> Anything received after that time might be too late.
>>>
>>
>> Is it really only me seeing this ?
>>
>> drivers/vhost/vhost.c: In function 'translate_desc':
>> include/linux/compiler.h:549:38: error: call to '__compiletime_assert_1879' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
>>
>> i386:allyesconfig, mips:allmodconfig and others, everywhere including
>> mainline. Culprit is commit a89db445fbd7f1 ("vhost: block speculation
>> of translated descriptors").
> 
> Nope, I just got another report of this on 5.2.y.  Problem is also in
> Linus's tree :(
> 

Please apply upstream commit 0d4a3f2abbef ("Revert "vhost: block speculation
of translated descriptors") to v4.9.y-queue and later to fix the build problems.
Or maybe just drop the offending commit from the stable release queues.

Thanks,
Guenter

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-15  0:49     ` Guenter Roeck
@ 2019-09-15 12:58       ` Greg Kroah-Hartman
  2019-09-15 16:09         ` Guenter Roeck
  0 siblings, 1 reply; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-15 12:58 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable, Michael S. Tsirkin, Jason Wang

On Sat, Sep 14, 2019 at 05:49:32PM -0700, Guenter Roeck wrote:
> Hi Greg,
> 
> On 9/14/19 1:31 AM, Greg Kroah-Hartman wrote:
> > On Sat, Sep 14, 2019 at 01:28:39AM -0700, Guenter Roeck wrote:
> > > On 9/13/19 6:06 AM, Greg Kroah-Hartman wrote:
> > > > This is the start of the stable review cycle for the 4.9.193 release.
> > > > There are 14 patches in this series, all will be posted as a response
> > > > to this one.  If anyone has any issues with these being applied, please
> > > > let me know.
> > > > 
> > > > Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> > > > Anything received after that time might be too late.
> > > > 
> > > 
> > > Is it really only me seeing this ?
> > > 
> > > drivers/vhost/vhost.c: In function 'translate_desc':
> > > include/linux/compiler.h:549:38: error: call to '__compiletime_assert_1879' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
> > > 
> > > i386:allyesconfig, mips:allmodconfig and others, everywhere including
> > > mainline. Culprit is commit a89db445fbd7f1 ("vhost: block speculation
> > > of translated descriptors").
> > 
> > Nope, I just got another report of this on 5.2.y.  Problem is also in
> > Linus's tree :(
> > 
> 
> Please apply upstream commit 0d4a3f2abbef ("Revert "vhost: block speculation
> of translated descriptors") to v4.9.y-queue and later to fix the build problems.
> Or maybe just drop the offending commit from the stable release queues.

I'm just going to drop the offending commit from everywhere and push out
new -rcs in a bit...

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-09-14 14:16 ` Guenter Roeck
@ 2019-09-15 13:35 ` Greg Kroah-Hartman
  2019-09-16 10:44   ` Naresh Kamboju
  2019-09-16  9:17 ` Jon Hunter
  19 siblings, 1 reply; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-15 13:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Fri, Sep 13, 2019 at 02:06:53PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.193 release.
> There are 14 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.193-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.

I have released -rc2 to resolve a reported build issue:
 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.193-rc2.gz

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-15 12:58       ` Greg Kroah-Hartman
@ 2019-09-15 16:09         ` Guenter Roeck
  2019-09-16  6:07           ` Greg Kroah-Hartman
  0 siblings, 1 reply; 29+ messages in thread
From: Guenter Roeck @ 2019-09-15 16:09 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable, Michael S. Tsirkin, Jason Wang

On 9/15/19 5:58 AM, Greg Kroah-Hartman wrote:
> On Sat, Sep 14, 2019 at 05:49:32PM -0700, Guenter Roeck wrote:
>> Hi Greg,
>>
>> On 9/14/19 1:31 AM, Greg Kroah-Hartman wrote:
>>> On Sat, Sep 14, 2019 at 01:28:39AM -0700, Guenter Roeck wrote:
>>>> On 9/13/19 6:06 AM, Greg Kroah-Hartman wrote:
>>>>> This is the start of the stable review cycle for the 4.9.193 release.
>>>>> There are 14 patches in this series, all will be posted as a response
>>>>> to this one.  If anyone has any issues with these being applied, please
>>>>> let me know.
>>>>>
>>>>> Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
>>>>> Anything received after that time might be too late.
>>>>>
>>>>
>>>> Is it really only me seeing this ?
>>>>
>>>> drivers/vhost/vhost.c: In function 'translate_desc':
>>>> include/linux/compiler.h:549:38: error: call to '__compiletime_assert_1879' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
>>>>
>>>> i386:allyesconfig, mips:allmodconfig and others, everywhere including
>>>> mainline. Culprit is commit a89db445fbd7f1 ("vhost: block speculation
>>>> of translated descriptors").
>>>
>>> Nope, I just got another report of this on 5.2.y.  Problem is also in
>>> Linus's tree :(
>>>
>>
>> Please apply upstream commit 0d4a3f2abbef ("Revert "vhost: block speculation
>> of translated descriptors") to v4.9.y-queue and later to fix the build problems.
>> Or maybe just drop the offending commit from the stable release queues.
> 
> I'm just going to drop the offending commit from everywhere and push out
> new -rcs in a bit...
> 

A quick rebuild of previously failed builds now passes, so looks like we are good.

Guenter

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-15 16:09         ` Guenter Roeck
@ 2019-09-16  6:07           ` Greg Kroah-Hartman
  0 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-16  6:07 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable, Michael S. Tsirkin, Jason Wang

On Sun, Sep 15, 2019 at 09:09:24AM -0700, Guenter Roeck wrote:
> On 9/15/19 5:58 AM, Greg Kroah-Hartman wrote:
> > On Sat, Sep 14, 2019 at 05:49:32PM -0700, Guenter Roeck wrote:
> > > Hi Greg,
> > > 
> > > On 9/14/19 1:31 AM, Greg Kroah-Hartman wrote:
> > > > On Sat, Sep 14, 2019 at 01:28:39AM -0700, Guenter Roeck wrote:
> > > > > On 9/13/19 6:06 AM, Greg Kroah-Hartman wrote:
> > > > > > This is the start of the stable review cycle for the 4.9.193 release.
> > > > > > There are 14 patches in this series, all will be posted as a response
> > > > > > to this one.  If anyone has any issues with these being applied, please
> > > > > > let me know.
> > > > > > 
> > > > > > Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> > > > > > Anything received after that time might be too late.
> > > > > > 
> > > > > 
> > > > > Is it really only me seeing this ?
> > > > > 
> > > > > drivers/vhost/vhost.c: In function 'translate_desc':
> > > > > include/linux/compiler.h:549:38: error: call to '__compiletime_assert_1879' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
> > > > > 
> > > > > i386:allyesconfig, mips:allmodconfig and others, everywhere including
> > > > > mainline. Culprit is commit a89db445fbd7f1 ("vhost: block speculation
> > > > > of translated descriptors").
> > > > 
> > > > Nope, I just got another report of this on 5.2.y.  Problem is also in
> > > > Linus's tree :(
> > > > 
> > > 
> > > Please apply upstream commit 0d4a3f2abbef ("Revert "vhost: block speculation
> > > of translated descriptors") to v4.9.y-queue and later to fix the build problems.
> > > Or maybe just drop the offending commit from the stable release queues.
> > 
> > I'm just going to drop the offending commit from everywhere and push out
> > new -rcs in a bit...
> > 
> 
> A quick rebuild of previously failed builds now passes, so looks like we are good.

Wonderful, thanks for checking!

greg k-h

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-09-15 13:35 ` Greg Kroah-Hartman
@ 2019-09-16  9:17 ` Jon Hunter
  19 siblings, 0 replies; 29+ messages in thread
From: Jon Hunter @ 2019-09-16  9:17 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 13/09/2019 14:06, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.193 release.
> There are 14 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.193-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests passing for Tegra ...

Test results for stable-v4.9:
    8 builds:	8 pass, 0 fail
    16 boots:	16 pass, 0 fail
    24 tests:	24 pass, 0 fail

Linux version:	4.9.193-rc2-g61edd63129ae
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-15 13:35 ` Greg Kroah-Hartman
@ 2019-09-16 10:44   ` Naresh Kamboju
  2019-09-16 10:45     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 29+ messages in thread
From: Naresh Kamboju @ 2019-09-16 10:44 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Sun, 15 Sep 2019 at 09:35, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Fri, Sep 13, 2019 at 02:06:53PM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.9.193 release.
> > There are 14 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >       https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.193-rc1.gz
> > or in the git tree and branch at:
> >       git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> > and the diffstat can be found below.
>
> I have released -rc2 to resolve a reported build issue:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.193-rc2.gz

-rc2 looks good.

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.9.193-rc2
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.9.y
git commit: 61edd63129aea7800898aec66b9a420f765883c4
git describe: v4.9.192-14-g61edd63129ae
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.9-oe/build/v4.9.192-14-g61edd63129ae


No regressions (compared to build v4.9.192-15-g8e25fc1750f0)


No fixes (compared to build v4.9.192-15-g8e25fc1750f0)

Ran 23432 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* network-basic-tests
* ltp-open-posix-tests
* kvm-unit-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none
* prep-tmp-disk
* ssuite


-- 
Linaro LKFT
https://lkft.linaro.org

* Re: [PATCH 4.9 00/14] 4.9.193-stable review
  2019-09-16 10:44   ` Naresh Kamboju
@ 2019-09-16 10:45     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 29+ messages in thread
From: Greg Kroah-Hartman @ 2019-09-16 10:45 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Mon, Sep 16, 2019 at 06:44:34AM -0400, Naresh Kamboju wrote:
> On Sun, 15 Sep 2019 at 09:35, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Fri, Sep 13, 2019 at 02:06:53PM +0100, Greg Kroah-Hartman wrote:
> > > This is the start of the stable review cycle for the 4.9.193 release.
> > > There are 14 patches in this series, all will be posted as a response
> > > to this one.  If anyone has any issues with these being applied, please
> > > let me know.
> > >
> > > Responses should be made by Sun 15 Sep 2019 01:03:32 PM UTC.
> > > Anything received after that time might be too late.
> > >
> > > The whole patch series can be found in one patch at:
> > >       https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.193-rc1.gz
> > > or in the git tree and branch at:
> > >       git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> > > and the diffstat can be found below.
> >
> > I have released -rc2 to resolve a reported build issue:
> >         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.193-rc2.gz
> 
> -rc2 looks good.
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.

Wonderful, thanks for testing!

greg k-h

Thread overview: 29+ messages
2019-09-13 13:06 [PATCH 4.9 00/14] 4.9.193-stable review Greg Kroah-Hartman
2019-09-13 13:06 ` [PATCH 4.9 01/14] ALSA: hda - Fix potential endless loop at applying quirks Greg Kroah-Hartman
2019-09-13 13:06 ` [PATCH 4.9 02/14] ALSA: hda/realtek - Fix overridden device-specific initialization Greg Kroah-Hartman
2019-09-13 13:06 ` [PATCH 4.9 03/14] sched/fair: Dont assign runtime for throttled cfs_rq Greg Kroah-Hartman
2019-09-13 13:06 ` [PATCH 4.9 04/14] drm/vmwgfx: Fix double free in vmw_recv_msg() Greg Kroah-Hartman
2019-09-13 13:06 ` [PATCH 4.9 05/14] powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction Greg Kroah-Hartman
2019-09-13 13:06 ` [PATCH 4.9 06/14] xfrm: clean up xfrm protocol checks Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 4.9 07/14] ip6: fix skb leak in ip6frag_expire_frag_queue() Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 4.9 08/14] vhost/test: fix build for vhost test Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 4.9 09/14] batman-adv: fix uninit-value in batadv_netlink_get_ifindex() Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 4.9 10/14] batman-adv: Only read OGM tvlv_len after buffer len check Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 4.9 11/14] scripts/decode_stacktrace: match basepath using shell prefix operator, not regex Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 4.9 12/14] clk: s2mps11: Add used attribute to s2mps11_dt_match Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 4.9 13/14] vhost: block speculation of translated descriptors Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 4.9 14/14] vhost: make sure log_num < in_num Greg Kroah-Hartman
2019-09-13 20:19 ` [PATCH 4.9 00/14] 4.9.193-stable review kernelci.org bot
2019-09-14  3:58 ` Naresh Kamboju
2019-09-14  8:28 ` Guenter Roeck
2019-09-14  8:31   ` Greg Kroah-Hartman
2019-09-14  8:39     ` Guenter Roeck
2019-09-15  0:49     ` Guenter Roeck
2019-09-15 12:58       ` Greg Kroah-Hartman
2019-09-15 16:09         ` Guenter Roeck
2019-09-16  6:07           ` Greg Kroah-Hartman
2019-09-14 14:16 ` Guenter Roeck
2019-09-15 13:35 ` Greg Kroah-Hartman
2019-09-16 10:44   ` Naresh Kamboju
2019-09-16 10:45     ` Greg Kroah-Hartman
2019-09-16  9:17 ` Jon Hunter
