[linux] 02/02: Add regression fixes pending for 3.2.73
debian-kernel at lists.debian.org
Sun Nov 15 12:37:26 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy
in repository linux.
commit 4bc727a6ce9b0f91c4f5eacb952f565faac52141
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Nov 15 12:25:39 2015 +0000
Add regression fixes pending for 3.2.73
---
debian/changelog | 7 ++
...9xxx-don-t-unmap-bounce-buffered-commands.patch | 98 +++++++++++++++++
...-file-is-opened-wronly-and-server-reboots.patch | 39 +++++++
...ument-to-skb_copy_and_csum_datagram_iovec.patch | 116 +++++++++++++++++++++
...kvm-mmu-fix-validation-of-mmio-page-fault.patch | 94 +++++++++++++++++
debian/patches/series | 4 +
6 files changed, 358 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index e97da86..7b79f97 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -86,6 +86,13 @@ linux (3.2.72-1) UNRELEASED; urgency=medium
[ Ben Hutchings ]
* [rt] Update to 3.2.72-rt105 (no functional change)
+ * net: add length argument to skb_copy_and_csum_datagram_iovec
+ (regression in 3.2.72) (CVE-2015-8019)
+ * [x86] Revert "KVM: MMU: fix validation of mmio page fault", wrongly
+ included in 3.2.72
+ * 3w-9xxx: don't unmap bounce buffered commands (regression in 3.2.70)
+ * nfs: Failing to send a CLOSE if file is opened WRONLY and server reboots
+ on a 4.x mount (regression in 3.2.71)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 14 Oct 2015 01:11:17 +0100
diff --git a/debian/patches/bugfix/all/3w-9xxx-don-t-unmap-bounce-buffered-commands.patch b/debian/patches/bugfix/all/3w-9xxx-don-t-unmap-bounce-buffered-commands.patch
new file mode 100644
index 0000000..cc805ab
--- /dev/null
+++ b/debian/patches/bugfix/all/3w-9xxx-don-t-unmap-bounce-buffered-commands.patch
@@ -0,0 +1,98 @@
+From: Christoph Hellwig <hch at lst.de>
+Date: Sat, 3 Oct 2015 19:16:07 +0200
+Subject: 3w-9xxx: don't unmap bounce buffered commands
+Origin: https://git.kernel.org/linus/15e3d5a285ab9283136dba34bbf72886d9146706
+
+3w controller don't dma map small single SGL entry commands but instead
+bounce buffer them. Add a helper to identify these commands and don't
+call scsi_dma_unmap for them.
+
+Based on an earlier patch from James Bottomley.
+
+Fixes: 118c85 ("3w-9xxx: fix command completion race")
+Reported-by: Tóth Attila <atoth at atoth.sote.hu>
+Tested-by: Tóth Attila <atoth at atoth.sote.hu>
+Signed-off-by: Christoph Hellwig <hch at lst.de>
+Acked-by: Adam Radford <aradford at gmail.com>
+Signed-off-by: James Bottomley <JBottomley at Odin.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/3w-9xxx.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/scsi/3w-9xxx.c
++++ b/drivers/scsi/3w-9xxx.c
+@@ -225,6 +225,17 @@ static const struct file_operations twa_
+ .llseek = noop_llseek,
+ };
+
++/*
++ * The controllers use an inline buffer instead of a mapped SGL for small,
++ * single entry buffers. Note that we treat a zero-length transfer like
++ * a mapped SGL.
++ */
++static bool twa_command_mapped(struct scsi_cmnd *cmd)
++{
++ return scsi_sg_count(cmd) != 1 ||
++ scsi_bufflen(cmd) >= TW_MIN_SGL_LENGTH;
++}
++
+ /* This function will complete an aen request from the isr */
+ static int twa_aen_complete(TW_Device_Extension *tw_dev, int request_id)
+ {
+@@ -1351,7 +1362,8 @@ static irqreturn_t twa_interrupt(int irq
+ }
+
+ /* Now complete the io */
+- scsi_dma_unmap(cmd);
++ if (twa_command_mapped(cmd))
++ scsi_dma_unmap(cmd);
+ cmd->scsi_done(cmd);
+ tw_dev->state[request_id] = TW_S_COMPLETED;
+ twa_free_request_id(tw_dev, request_id);
+@@ -1594,7 +1606,8 @@ static int twa_reset_device_extension(TW
+ struct scsi_cmnd *cmd = tw_dev->srb[i];
+
+ cmd->result = (DID_RESET << 16);
+- scsi_dma_unmap(cmd);
++ if (twa_command_mapped(cmd))
++ scsi_dma_unmap(cmd);
+ cmd->scsi_done(cmd);
+ }
+ }
+@@ -1777,12 +1790,14 @@ static int twa_scsi_queue_lck(struct scs
+ retval = twa_scsiop_execute_scsi(tw_dev, request_id, NULL, 0, NULL);
+ switch (retval) {
+ case SCSI_MLQUEUE_HOST_BUSY:
+- scsi_dma_unmap(SCpnt);
++ if (twa_command_mapped(SCpnt))
++ scsi_dma_unmap(SCpnt);
+ twa_free_request_id(tw_dev, request_id);
+ break;
+ case 1:
+ SCpnt->result = (DID_ERROR << 16);
+- scsi_dma_unmap(SCpnt);
++ if (twa_command_mapped(SCpnt))
++ scsi_dma_unmap(SCpnt);
+ done(SCpnt);
+ tw_dev->state[request_id] = TW_S_COMPLETED;
+ twa_free_request_id(tw_dev, request_id);
+@@ -1843,8 +1858,7 @@ static int twa_scsiop_execute_scsi(TW_De
+ /* Map sglist from scsi layer to cmd packet */
+
+ if (scsi_sg_count(srb)) {
+- if ((scsi_sg_count(srb) == 1) &&
+- (scsi_bufflen(srb) < TW_MIN_SGL_LENGTH)) {
++ if (!twa_command_mapped(srb)) {
+ if (srb->sc_data_direction == DMA_TO_DEVICE ||
+ srb->sc_data_direction == DMA_BIDIRECTIONAL)
+ scsi_sg_copy_to_buffer(srb,
+@@ -1917,7 +1931,7 @@ static void twa_scsiop_execute_scsi_comp
+ {
+ struct scsi_cmnd *cmd = tw_dev->srb[request_id];
+
+- if (scsi_bufflen(cmd) < TW_MIN_SGL_LENGTH &&
++ if (!twa_command_mapped(cmd) &&
+ (cmd->sc_data_direction == DMA_FROM_DEVICE ||
+ cmd->sc_data_direction == DMA_BIDIRECTIONAL)) {
+ if (scsi_sg_count(cmd) == 1) {
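Review bot: The inner `if (scsi_sg_count(cmd) == 1)` test in twa_scsiop_execute_scsi_complete is now redundant, because `!twa_command_mapped(cmd)` on the line above already requires exactly one SGL entry, so that inner condition can no longer be false. Either drop the inner test or leave a one-line comment such as `/* !twa_command_mapped() implies scsi_sg_count(cmd) == 1 */` so the next reader does not go looking for a multi-entry path through this branch. The body of twa_scsiop_execute_scsi_complete continues past the end of the hunk, so the simplification should be checked against the full function before applying it.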
diff --git a/debian/patches/bugfix/all/failing-to-send-a-close-if-file-is-opened-wronly-and-server-reboots.patch b/debian/patches/bugfix/all/failing-to-send-a-close-if-file-is-opened-wronly-and-server-reboots.patch
new file mode 100644
index 0000000..471f0ef
--- /dev/null
+++ b/debian/patches/bugfix/all/failing-to-send-a-close-if-file-is-opened-wronly-and-server-reboots.patch
@@ -0,0 +1,39 @@
+From: Olga Kornievskaia <aglo at umich.edu>
+Date: Mon, 14 Sep 2015 19:54:36 -0400
+Subject: Failing to send a CLOSE if file is opened WRONLY and server reboots
+ on a 4.x mount
+Origin: https://git.kernel.org/linus/a41cbe86df3afbc82311a1640e20858c0cd7e065
+
+A test case is as the description says:
+open(foobar, O_WRONLY);
+sleep() --> reboot the server
+close(foobar)
+
+The bug is because in nfs4state.c in nfs4_reclaim_open_state() a few
+line before going to restart, there is
+clear_bit(NFS4CLNT_RECLAIM_NOGRACE, &state->flags).
+
+NFS4CLNT_RECLAIM_NOGRACE is a flag for the client states not open
+owner states. Value of NFS4CLNT_RECLAIM_NOGRACE is 4 which is the
+value of NFS_O_WRONLY_STATE in nfs4_state->flags. So clearing it wipes
+out state and when we go to close it, “call_close” doesn’t get set as
+state flag is not set and CLOSE doesn’t go on the wire.
+
+Signed-off-by: Olga Kornievskaia <aglo at umich.edu>
+Signed-off-by: Trond Myklebust <trond.myklebust at primarydata.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/nfs/nfs4state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1192,7 +1192,7 @@ restart:
+ }
+ spin_unlock(&state->state_lock);
+ nfs4_put_open_state(state);
+- clear_bit(NFS4CLNT_RECLAIM_NOGRACE,
++ clear_bit(NFS_STATE_RECLAIM_NOGRACE,
+ &state->flags);
+ goto restart;
+ }
diff --git a/debian/patches/bugfix/all/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch b/debian/patches/bugfix/all/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
new file mode 100644
index 0000000..fb391e0
--- /dev/null
+++ b/debian/patches/bugfix/all/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
@@ -0,0 +1,116 @@
+From: Sabrina Dubroca <sd at queasysnail.net>
+Date: Thu, 15 Oct 2015 14:25:03 +0200
+Subject: net: add length argument to skb_copy_and_csum_datagram_iovec
+Origin: https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-3.2.y-queue.git/tree/queue-3.2/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
+
+Without this length argument, we can read past the end of the iovec in
+memcpy_toiovec because we have no way of knowing the total length of the
+iovec's buffers.
+
+This is needed for stable kernels where 89c22d8c3b27 ("net: Fix skb
+csum races when peeking") has been backported but that don't have the
+ioviter conversion, which is almost all the stable trees <= 3.18.
+
+This also fixes a kernel crash for NFS servers when the client uses
+ -onfsvers=3,proto=udp to mount the export.
+
+Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
+Reviewed-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+[bwh: Backported to 3.2: adjust context in include/linux/skbuff.h]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2136,7 +2136,8 @@ extern int skb_copy_datagram_iove
+ int size);
+ extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
+ int hlen,
+- struct iovec *iov);
++ struct iovec *iov,
++ int len);
+ extern int skb_copy_datagram_from_iovec(struct sk_buff *skb,
+ int offset,
+ const struct iovec *from,
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -709,6 +709,7 @@ EXPORT_SYMBOL(__skb_checksum_complete);
+ * @skb: skbuff
+ * @hlen: hardware length
+ * @iov: io vector
++ * @len: amount of data to copy from skb to iov
+ *
+ * Caller _must_ check that skb will fit to this iovec.
+ *
+@@ -718,11 +719,14 @@ EXPORT_SYMBOL(__skb_checksum_complete);
+ * can be modified!
+ */
+ int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
+- int hlen, struct iovec *iov)
++ int hlen, struct iovec *iov, int len)
+ {
+ __wsum csum;
+ int chunk = skb->len - hlen;
+
++ if (chunk > len)
++ chunk = len;
++
+ if (!chunk)
+ return 0;
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5198,7 +5198,7 @@ static int tcp_copy_to_iovec(struct sock
+ err = skb_copy_datagram_iovec(skb, hlen, tp->ucopy.iov, chunk);
+ else
+ err = skb_copy_and_csum_datagram_iovec(skb, hlen,
+- tp->ucopy.iov);
++ tp->ucopy.iov, chunk);
+
+ if (!err) {
+ tp->ucopy.len -= chunk;
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1207,7 +1207,7 @@ try_again:
+ else {
+ err = skb_copy_and_csum_datagram_iovec(skb,
+ sizeof(struct udphdr),
+- msg->msg_iov);
++ msg->msg_iov, copied);
+
+ if (err == -EINVAL)
+ goto csum_copy_err;
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -479,7 +479,7 @@ static int rawv6_recvmsg(struct kiocb *i
+ goto csum_copy_err;
+ err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+ } else {
+- err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov);
++ err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov, copied);
+ if (err == -EINVAL)
+ goto csum_copy_err;
+ }
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -383,7 +383,8 @@ try_again:
+ err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
+ msg->msg_iov, copied );
+ else {
+- err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov);
++ err = skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
++ msg->msg_iov, copied);
+ if (err == -EINVAL)
+ goto csum_copy_err;
+ }
+--- a/net/rxrpc/ar-recvmsg.c
++++ b/net/rxrpc/ar-recvmsg.c
+@@ -185,7 +185,8 @@ int rxrpc_recvmsg(struct kiocb *iocb, st
+ msg->msg_iov, copy);
+ } else {
+ ret = skb_copy_and_csum_datagram_iovec(skb, offset,
+- msg->msg_iov);
++ msg->msg_iov,
++ copy);
+ if (ret == -EINVAL)
+ goto csum_copy_error;
+ }
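Review bot: Clamping `chunk` to `len` at the top of skb_copy_and_csum_datagram_iovec changes what gets checksummed when the caller's buffer is shorter than the datagram, and the code that decides that lies outside the hunk. If the remainder still works like the pre-iov_iter version — whole-skb `__skb_checksum_complete()` plus a plain copy when the iovec is shorter than `chunk`, otherwise checksum-while-copying over `hlen + chunk` bytes — then a truncated read now verifies only the copied prefix against a whole-packet checksum and returns -EINVAL for an intact datagram, which the udp and raw callers in this patch treat as a corrupt packet and discard. Upstream's iov_iter version verifies the entire skb first in that case and then copies only `len` bytes; the same shape here would keep the bounds fix without that behaviour change. Separately, the kernel-doc still says `Caller _must_ check that skb will fit to this iovec.` while the new `@len` line says the function bounds the copy itself; reword it to say the copy is limited to `len` bytes and the caller only needs `len` to fit the iovec.
```c
int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
				     int hlen, struct iovec *iov, int len)
{
	__wsum csum;
	int chunk = skb->len - hlen;

	if (!chunk)
		return 0;

	/* Short user buffer: verify the whole skb, then copy only len bytes. */
	if (chunk > len) {
		if (__skb_checksum_complete(skb))
			return -EINVAL;
		return skb_copy_datagram_iovec(skb, hlen, iov, len);
	}

	/* … unchanged: full-length copy-and-checksum path … */
```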
diff --git a/debian/patches/bugfix/x86/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch b/debian/patches/bugfix/x86/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch
new file mode 100644
index 0000000..e90a484
--- /dev/null
+++ b/debian/patches/bugfix/x86/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch
@@ -0,0 +1,94 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 15 Oct 2015 01:20:29 +0100
+Subject: Revert "KVM: MMU: fix validation of mmio page fault"
+Origin: https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-3.2.y-queue.git/tree/queue-3.2/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch
+
+This reverts commit 41e3025eacd6daafc40c3e7850fbcabc8b847805, which
+was commit 6f691251c0350ac52a007c54bf3ef62e9d8cdc5e upstream.
+
+The fix is only needed after commit f8f559422b6c ("KVM: MMU: fast
+invalidate all mmio sptes"), included in Linux 3.11.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kvm/mmu.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
+index cac7b2b..4a949c7 100644
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -326,6 +326,12 @@ static u64 __get_spte_lockless(u64 *sptep)
+ {
+ return ACCESS_ONCE(*sptep);
+ }
++
++static bool __check_direct_spte_mmio_pf(u64 spte)
++{
++ /* It is valid if the spte is zapped. */
++ return spte == 0ull;
++}
+ #else
+ union split_spte {
+ struct {
+@@ -430,6 +436,23 @@ retry:
+
+ return spte.spte;
+ }
++
++static bool __check_direct_spte_mmio_pf(u64 spte)
++{
++ union split_spte sspte = (union split_spte)spte;
++ u32 high_mmio_mask = shadow_mmio_mask >> 32;
++
++ /* It is valid if the spte is zapped. */
++ if (spte == 0ull)
++ return true;
++
++ /* It is valid if the spte is being zapped. */
++ if (sspte.spte_low == 0ull &&
++ (sspte.spte_high & high_mmio_mask) == high_mmio_mask)
++ return true;
++
++ return false;
++}
+ #endif
+
+ static bool spte_has_volatile_bits(u64 spte)
+@@ -2872,6 +2895,21 @@ static bool quickly_check_mmio_pf(struct kvm_vcpu *vcpu, u64 addr, bool direct)
+ return vcpu_match_mmio_gva(vcpu, addr);
+ }
+
++
++/*
++ * On direct hosts, the last spte is only allows two states
++ * for mmio page fault:
++ * - It is the mmio spte
++ * - It is zapped or it is being zapped.
++ *
++ * This function completely checks the spte when the last spte
++ * is not the mmio spte.
++ */
++static bool check_direct_spte_mmio_pf(u64 spte)
++{
++ return __check_direct_spte_mmio_pf(spte);
++}
++
+ static u64 walk_shadow_page_get_mmio_spte(struct kvm_vcpu *vcpu, u64 addr)
+ {
+ struct kvm_shadow_walk_iterator iterator;
+@@ -2913,6 +2951,13 @@ int handle_mmio_page_fault_common(struct kvm_vcpu *vcpu, u64 addr, bool direct)
+ }
+
+ /*
++ * It's ok if the gva is remapped by other cpus on shadow guest,
++ * it's a BUG if the gfn is not a mmio page.
++ */
++ if (direct && !check_direct_spte_mmio_pf(spte))
++ return -1;
++
++ /*
+ * If the page table is zapped by other cpus, let CPU fault again on
+ * the address.
+ */
+
diff --git a/debian/patches/series b/debian/patches/series
index 2e218d0..82c04c5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1166,3 +1166,7 @@ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
+bugfix/all/net-add-length-argument-to-skb_copy_and_csum_datagram_iovec.patch
+bugfix/x86/revert-kvm-mmu-fix-validation-of-mmio-page-fault.patch
+bugfix/all/3w-9xxx-don-t-unmap-bounce-buffered-commands.patch
+bugfix/all/failing-to-send-a-close-if-file-is-opened-wronly-and-server-reboots.patch
--