Linux v4.19.8
This commit is contained in:
Jeremy Cline
parent
656f847bd0
commit
c3e8a1971c
4 changed files with 6 additions and 214 deletions
|
|
@ -1,99 +0,0 @@
|
|||
From ffe81d45322cc3cb140f0db080a4727ea284661e Mon Sep 17 00:00:00 2001
|
||||
From: Jens Axboe <axboe@kernel.dk>
|
||||
Date: Tue, 4 Dec 2018 20:06:48 -0700
|
||||
Subject: [PATCH] blk-mq: fix corruption with direct issue
|
||||
|
||||
If we attempt a direct issue to a SCSI device, and it returns BUSY, then
|
||||
we queue the request up normally. However, the SCSI layer may have
|
||||
already setup SG tables etc for this particular command. If we later
|
||||
merge with this request, then the old tables are no longer valid. Once
|
||||
we issue the IO, we only read/write the original part of the request,
|
||||
not the new state of it.
|
||||
|
||||
This causes data corruption, and is most often noticed with the file
|
||||
system complaining about the just read data being invalid:
|
||||
|
||||
[ 235.934465] EXT4-fs error (device sda1): ext4_iget:4831: inode #7142: comm dpkg-query: bad extra_isize 24937 (inode size 256)
|
||||
|
||||
because most of it is garbage...
|
||||
|
||||
This doesn't happen from the normal issue path, as we will simply defer
|
||||
the request to the hardware queue dispatch list if we fail. Once it's on
|
||||
the dispatch list, we never merge with it.
|
||||
|
||||
Fix this from the direct issue path by flagging the request as
|
||||
REQ_NOMERGE so we don't change the size of it before issue.
|
||||
|
||||
See also:
|
||||
https://bugzilla.kernel.org/show_bug.cgi?id=201685
|
||||
|
||||
Tested-by: Guenter Roeck <linux@roeck-us.net>
|
||||
Fixes: 6ce3dd6eec1 ("blk-mq: issue directly if hw queue isn't busy in case of 'none'")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
||||
Signed-off-by: Jeremy Cline <jcline@redhat.com>
|
||||
---
|
||||
block/blk-mq.c | 26 +++++++++++++++++++++++++-
|
||||
1 file changed, 25 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/block/blk-mq.c b/block/blk-mq.c
|
||||
index 3f91c6e5b17a..3262d83b9e07 100644
|
||||
--- a/block/blk-mq.c
|
||||
+++ b/block/blk-mq.c
|
||||
@@ -1715,6 +1715,15 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx,
|
||||
break;
|
||||
case BLK_STS_RESOURCE:
|
||||
case BLK_STS_DEV_RESOURCE:
|
||||
+ /*
|
||||
+ * If direct dispatch fails, we cannot allow any merging on
|
||||
+ * this IO. Drivers (like SCSI) may have set up permanent state
|
||||
+ * for this request, like SG tables and mappings, and if we
|
||||
+ * merge to it later on then we'll still only do IO to the
|
||||
+ * original part.
|
||||
+ */
|
||||
+ rq->cmd_flags |= REQ_NOMERGE;
|
||||
+
|
||||
blk_mq_update_dispatch_busy(hctx, true);
|
||||
__blk_mq_requeue_request(rq);
|
||||
break;
|
||||
@@ -1727,6 +1736,18 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Don't allow direct dispatch of anything but regular reads/writes,
|
||||
+ * as some of the other commands can potentially share request space
|
||||
+ * with data we need for the IO scheduler. If we attempt a direct dispatch
|
||||
+ * on those and fail, we can't safely add it to the scheduler afterwards
|
||||
+ * without potentially overwriting data that the driver has already written.
|
||||
+ */
|
||||
+static bool blk_rq_can_direct_dispatch(struct request *rq)
|
||||
+{
|
||||
+ return req_op(rq) == REQ_OP_READ || req_op(rq) == REQ_OP_WRITE;
|
||||
+}
|
||||
+
|
||||
static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
|
||||
struct request *rq,
|
||||
blk_qc_t *cookie,
|
||||
@@ -1748,7 +1769,7 @@ static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx,
|
||||
goto insert;
|
||||
}
|
||||
|
||||
- if (q->elevator && !bypass_insert)
|
||||
+ if (!blk_rq_can_direct_dispatch(rq) || (q->elevator && !bypass_insert))
|
||||
goto insert;
|
||||
|
||||
if (!blk_mq_get_dispatch_budget(hctx))
|
||||
@@ -1810,6 +1831,9 @@ void blk_mq_try_issue_list_directly(struct blk_mq_hw_ctx *hctx,
|
||||
struct request *rq = list_first_entry(list, struct request,
|
||||
queuelist);
|
||||
|
||||
+ if (!blk_rq_can_direct_dispatch(rq))
|
||||
+ break;
|
||||
+
|
||||
list_del_init(&rq->queuelist);
|
||||
ret = blk_mq_request_issue_directly(rq);
|
||||
if (ret != BLK_STS_OK) {
|
||||
--
|
||||
2.19.2
|
||||
|
||||
|
|
@ -1,106 +0,0 @@
|
|||
From afca3f41dc386e9020ab560937d52bb6f19bb6d4 Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Correia <sergio@correia.cc>
|
||||
Date: Thu, 22 Nov 2018 02:33:29 -0300
|
||||
Subject: [PATCH] drm: set is_master to 0 upon drm_new_set_master() failure
|
||||
|
||||
When drm_new_set_master() fails, set is_master to 0, to prevent a
|
||||
possible NULL pointer deref.
|
||||
|
||||
Here is a problematic flow: we check is_master in drm_is_current_master(),
|
||||
then proceed to call drm_lease_owner() passing master. If we do not restore
|
||||
is_master status when drm_new_set_master() fails, we may have a situation
|
||||
in which is_master will be 1 and master itself, NULL, leading to the deref
|
||||
of a NULL pointer in drm_lease_owner().
|
||||
|
||||
This fixes the following OOPS, observed on an ArchLinux running a 4.19.2
|
||||
kernel:
|
||||
|
||||
[ 97.804282] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
|
||||
[ 97.807224] PGD 0 P4D 0
|
||||
[ 97.807224] Oops: 0000 [#1] PREEMPT SMP NOPTI
|
||||
[ 97.807224] CPU: 0 PID: 1348 Comm: xfwm4 Tainted: P OE 4.19.2-arch1-1-ARCH #1
|
||||
[ 97.807224] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./AB350 Pro4, BIOS P5.10 10/16/2018
|
||||
[ 97.807224] RIP: 0010:drm_lease_owner+0xd/0x20 [drm]
|
||||
[ 97.807224] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44
|
||||
[ 97.807224] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202
|
||||
[ 97.807224] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88
|
||||
[ 97.807224] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000
|
||||
[ 97.807224] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000
|
||||
[ 97.807224] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888
|
||||
[ 97.807224] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8
|
||||
[ 97.807224] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000
|
||||
[ 97.807224] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
[ 97.807224] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0
|
||||
[ 97.807224] Call Trace:
|
||||
[ 97.807224] drm_is_current_master+0x1a/0x30 [drm]
|
||||
[ 97.807224] drm_master_release+0x3e/0x130 [drm]
|
||||
[ 97.807224] drm_file_free.part.0+0x2be/0x2d0 [drm]
|
||||
[ 97.807224] drm_open+0x1ba/0x1e0 [drm]
|
||||
[ 97.807224] drm_stub_open+0xaf/0xe0 [drm]
|
||||
[ 97.807224] chrdev_open+0xa3/0x1b0
|
||||
[ 97.807224] ? cdev_put.part.0+0x20/0x20
|
||||
[ 97.807224] do_dentry_open+0x132/0x340
|
||||
[ 97.807224] path_openat+0x2d1/0x14e0
|
||||
[ 97.807224] ? mem_cgroup_commit_charge+0x7a/0x520
|
||||
[ 97.807224] do_filp_open+0x93/0x100
|
||||
[ 97.807224] ? __check_object_size+0x102/0x189
|
||||
[ 97.807224] ? _raw_spin_unlock+0x16/0x30
|
||||
[ 97.807224] do_sys_open+0x186/0x210
|
||||
[ 97.807224] do_syscall_64+0x5b/0x170
|
||||
[ 97.807224] entry_SYSCALL_64_after_hwframe+0x44/0xa9
|
||||
[ 97.807224] RIP: 0033:0x7f4147b07976
|
||||
[ 97.807224] Code: 89 54 24 08 e8 7b f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f2 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 30 44 89 c7 89 44 24 08 e8 a6 f4 ff ff 8b 44
|
||||
[ 97.807224] RSP: 002b:00007ffcced96ca0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
|
||||
[ 97.807224] RAX: ffffffffffffffda RBX: 00005619d5037f80 RCX: 00007f4147b07976
|
||||
[ 97.807224] RDX: 0000000000000002 RSI: 00005619d46b969c RDI: 00000000ffffff9c
|
||||
[ 98.040039] RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000000
|
||||
[ 98.040039] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000024
|
||||
[ 98.040039] R13: 0000000000000012 R14: 00005619d5035950 R15: 0000000000000012
|
||||
[ 98.040039] Modules linked in: nct6775 hwmon_vid algif_skcipher af_alg nls_iso8859_1 nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common arc4 videodev media snd_usb_audio snd_hda_codec_hdmi snd_usbmidi_lib snd_rawmidi snd_seq_device mousedev input_leds iwlmvm mac80211 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec edac_mce_amd kvm_amd snd_hda_core kvm iwlwifi snd_hwdep r8169 wmi_bmof cfg80211 snd_pcm irqbypass snd_timer snd libphy soundcore pinctrl_amd rfkill pcspkr sp5100_tco evdev gpio_amdpt k10temp mac_hid i2c_piix4 wmi pcc_cpufreq acpi_cpufreq vboxnetflt(OE) vboxnetadp(OE) vboxpci(OE) vboxdrv(OE) msr sg crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 fscrypto uas usb_storage dm_crypt hid_generic usbhid hid
|
||||
[ 98.040039] dm_mod raid1 md_mod sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc ahci libahci aesni_intel aes_x86_64 libata crypto_simd cryptd glue_helper ccp xhci_pci rng_core scsi_mod xhci_hcd nvidia_drm(POE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart nvidia_uvm(POE) nvidia_modeset(POE) nvidia(POE) ipmi_devintf ipmi_msghandler
|
||||
[ 98.040039] CR2: 0000000000000080
|
||||
[ 98.040039] ---[ end trace 3b65093b6fe62b2f ]---
|
||||
[ 98.040039] RIP: 0010:drm_lease_owner+0xd/0x20 [drm]
|
||||
[ 98.040039] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44
|
||||
[ 98.040039] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202
|
||||
[ 98.040039] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88
|
||||
[ 98.040039] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000
|
||||
[ 98.040039] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000
|
||||
[ 98.040039] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888
|
||||
[ 98.040039] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8
|
||||
[ 98.040039] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000
|
||||
[ 98.040039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
[ 98.040039] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0
|
||||
|
||||
Signed-off-by: Sergio Correia <sergio@correia.cc>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
|
||||
Link: https://patchwork.freedesktop.org/patch/msgid/20181122053329.2692-1-sergio@correia.cc
|
||||
Signed-off-by: Jeremy Cline <jcline@redhat.com>
|
||||
---
|
||||
drivers/gpu/drm/drm_auth.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
|
||||
index d9c0f7573905..1669c42c40ed 100644
|
||||
--- a/drivers/gpu/drm/drm_auth.c
|
||||
+++ b/drivers/gpu/drm/drm_auth.c
|
||||
@@ -142,6 +142,7 @@ static int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv)
|
||||
|
||||
lockdep_assert_held_once(&dev->master_mutex);
|
||||
|
||||
+ WARN_ON(fpriv->is_master);
|
||||
old_master = fpriv->master;
|
||||
fpriv->master = drm_master_create(dev);
|
||||
if (!fpriv->master) {
|
||||
@@ -170,6 +171,7 @@ static int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv)
|
||||
/* drop references and restore old master on failure */
|
||||
drm_master_put(&fpriv->master);
|
||||
fpriv->master = old_master;
|
||||
+ fpriv->is_master = 0;
|
||||
|
||||
return ret;
|
||||
}
|
||||
--
|
||||
2.19.1
|
||||
|
||||
13
kernel.spec
13
kernel.spec
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 7
|
||||
%define stable_update 8
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
|
@ -624,9 +624,6 @@ Patch507: 0001-HID-i2c-hid-override-HID-descriptors-for-certain-dev.patch
|
|||
# rhbz 1526312 (accelerometer part of the bug), patches pending upstream
|
||||
Patch510: iio-accel-kxcjk1013-Add-more-hardware-ids.patch
|
||||
|
||||
# rhbz 1650224, patch in subsystem tree and Cc'd for stable
|
||||
Patch511: drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch
|
||||
|
||||
# rhbz 1645070 patch queued upstream for merging into 4.21
|
||||
Patch516: asus-fx503-keyb.patch
|
||||
|
||||
|
|
@ -636,9 +633,6 @@ Patch517: ALSA-hda-realtek-Fix-speaker-output-regression-on-Thinkpad.patch
|
|||
# CVE-2018-19824 rhbz 1655816 1655817
|
||||
Patch518: alsa-usb-audio-fix-UAF-decrement-if-card-has-no-live.patch
|
||||
|
||||
# https://bugzilla.kernel.org/show_bug.cgi?id=201685
|
||||
Patch519: blk-mq-fix-corruption-with-direct-issue.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1890,7 +1884,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Dec 05 2018 Jeremy Cline <jcline@redhat.com> - 4.19.7-300
|
||||
* Mon Dec 10 2018 Jeremy Cline <jcline@redhat.com> - 4.19.8-200
|
||||
- Linux v4.19.8
|
||||
|
||||
* Wed Dec 05 2018 Jeremy Cline <jcline@redhat.com> - 4.19.7-200
|
||||
- Linux v4.19.7
|
||||
- Fix CVE-2018-19406 (rhbz 1652650 1653346)
|
||||
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-4.19.tar.xz) = ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4
|
||||
SHA512 (patch-4.19.7.xz) = e27fdf83e5ae71f4eb2e49660877107d032e9bd51aafff99a1861a5cb18c3e6006164ffb11faf5cdaf0fa3a8afc0c1ab34abb0855d0858730ffb49261ad5b0ed
|
||||
SHA512 (patch-4.19.8.xz) = c53092846a7f9a3d34eaf42085d2b404fd85e1acebe11b3f18c98123ce317012ec71d51fb5cb0f5db865f3a46a82f026db5ea02032f579c20cbea7dc15b5e145
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue