diff --git a/blk-mq-fix-corruption-with-direct-issue.patch b/blk-mq-fix-corruption-with-direct-issue.patch deleted file mode 100644 index 71b9da110..000000000 --- a/blk-mq-fix-corruption-with-direct-issue.patch +++ /dev/null @@ -1,99 +0,0 @@ -From ffe81d45322cc3cb140f0db080a4727ea284661e Mon Sep 17 00:00:00 2001 -From: Jens Axboe -Date: Tue, 4 Dec 2018 20:06:48 -0700 -Subject: [PATCH] blk-mq: fix corruption with direct issue - -If we attempt a direct issue to a SCSI device, and it returns BUSY, then -we queue the request up normally. However, the SCSI layer may have -already setup SG tables etc for this particular command. If we later -merge with this request, then the old tables are no longer valid. Once -we issue the IO, we only read/write the original part of the request, -not the new state of it. - -This causes data corruption, and is most often noticed with the file -system complaining about the just read data being invalid: - -[ 235.934465] EXT4-fs error (device sda1): ext4_iget:4831: inode #7142: comm dpkg-query: bad extra_isize 24937 (inode size 256) - -because most of it is garbage... - -This doesn't happen from the normal issue path, as we will simply defer -the request to the hardware queue dispatch list if we fail. Once it's on -the dispatch list, we never merge with it. - -Fix this from the direct issue path by flagging the request as -REQ_NOMERGE so we don't change the size of it before issue. - -See also: - https://bugzilla.kernel.org/show_bug.cgi?id=201685 - -Tested-by: Guenter Roeck -Fixes: 6ce3dd6eec1 ("blk-mq: issue directly if hw queue isn't busy in case of 'none'") -Cc: stable@vger.kernel.org -Signed-off-by: Jens Axboe -Signed-off-by: Jeremy Cline ---- - block/blk-mq.c | 26 +++++++++++++++++++++++++- - 1 file changed, 25 insertions(+), 1 deletion(-) - -diff --git a/block/blk-mq.c b/block/blk-mq.c -index 3f91c6e5b17a..3262d83b9e07 100644 ---- a/block/blk-mq.c -+++ b/block/blk-mq.c -@@ -1715,6 +1715,15 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx, - break; - case BLK_STS_RESOURCE: - case BLK_STS_DEV_RESOURCE: -+ /* -+ * If direct dispatch fails, we cannot allow any merging on -+ * this IO. Drivers (like SCSI) may have set up permanent state -+ * for this request, like SG tables and mappings, and if we -+ * merge to it later on then we'll still only do IO to the -+ * original part. -+ */ -+ rq->cmd_flags |= REQ_NOMERGE; -+ - blk_mq_update_dispatch_busy(hctx, true); - __blk_mq_requeue_request(rq); - break; -@@ -1727,6 +1736,18 @@ static blk_status_t __blk_mq_issue_directly(struct blk_mq_hw_ctx *hctx, - return ret; - } - -+/* -+ * Don't allow direct dispatch of anything but regular reads/writes, -+ * as some of the other commands can potentially share request space -+ * with data we need for the IO scheduler. If we attempt a direct dispatch -+ * on those and fail, we can't safely add it to the scheduler afterwards -+ * without potentially overwriting data that the driver has already written. -+ */ -+static bool blk_rq_can_direct_dispatch(struct request *rq) -+{ -+ return req_op(rq) == REQ_OP_READ || req_op(rq) == REQ_OP_WRITE; -+} -+ - static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx, - struct request *rq, - blk_qc_t *cookie, -@@ -1748,7 +1769,7 @@ static blk_status_t __blk_mq_try_issue_directly(struct blk_mq_hw_ctx *hctx, - goto insert; - } - -- if (q->elevator && !bypass_insert) -+ if (!blk_rq_can_direct_dispatch(rq) || (q->elevator && !bypass_insert)) - goto insert; - - if (!blk_mq_get_dispatch_budget(hctx)) -@@ -1810,6 +1831,9 @@ void blk_mq_try_issue_list_directly(struct blk_mq_hw_ctx *hctx, - struct request *rq = list_first_entry(list, struct request, - queuelist); - -+ if (!blk_rq_can_direct_dispatch(rq)) -+ break; -+ - list_del_init(&rq->queuelist); - ret = blk_mq_request_issue_directly(rq); - if (ret != BLK_STS_OK) { --- -2.19.2 - diff --git a/drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch b/drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch deleted file mode 100644 index 88ae57dc3..000000000 --- a/drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch +++ /dev/null @@ -1,106 +0,0 @@ -From afca3f41dc386e9020ab560937d52bb6f19bb6d4 Mon Sep 17 00:00:00 2001 -From: Sergio Correia -Date: Thu, 22 Nov 2018 02:33:29 -0300 -Subject: [PATCH] drm: set is_master to 0 upon drm_new_set_master() failure - -When drm_new_set_master() fails, set is_master to 0, to prevent a -possible NULL pointer deref. - -Here is a problematic flow: we check is_master in drm_is_current_master(), -then proceed to call drm_lease_owner() passing master. If we do not restore -is_master status when drm_new_set_master() fails, we may have a situation -in which is_master will be 1 and master itself, NULL, leading to the deref -of a NULL pointer in drm_lease_owner(). - -This fixes the following OOPS, observed on an ArchLinux running a 4.19.2 -kernel: - -[ 97.804282] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080 -[ 97.807224] PGD 0 P4D 0 -[ 97.807224] Oops: 0000 [#1] PREEMPT SMP NOPTI -[ 97.807224] CPU: 0 PID: 1348 Comm: xfwm4 Tainted: P OE 4.19.2-arch1-1-ARCH #1 -[ 97.807224] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./AB350 Pro4, BIOS P5.10 10/16/2018 -[ 97.807224] RIP: 0010:drm_lease_owner+0xd/0x20 [drm] -[ 97.807224] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44 -[ 97.807224] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202 -[ 97.807224] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88 -[ 97.807224] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000 -[ 97.807224] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000 -[ 97.807224] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888 -[ 97.807224] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8 -[ 97.807224] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000 -[ 97.807224] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 97.807224] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0 -[ 97.807224] Call Trace: -[ 97.807224] drm_is_current_master+0x1a/0x30 [drm] -[ 97.807224] drm_master_release+0x3e/0x130 [drm] -[ 97.807224] drm_file_free.part.0+0x2be/0x2d0 [drm] -[ 97.807224] drm_open+0x1ba/0x1e0 [drm] -[ 97.807224] drm_stub_open+0xaf/0xe0 [drm] -[ 97.807224] chrdev_open+0xa3/0x1b0 -[ 97.807224] ? cdev_put.part.0+0x20/0x20 -[ 97.807224] do_dentry_open+0x132/0x340 -[ 97.807224] path_openat+0x2d1/0x14e0 -[ 97.807224] ? mem_cgroup_commit_charge+0x7a/0x520 -[ 97.807224] do_filp_open+0x93/0x100 -[ 97.807224] ? __check_object_size+0x102/0x189 -[ 97.807224] ? _raw_spin_unlock+0x16/0x30 -[ 97.807224] do_sys_open+0x186/0x210 -[ 97.807224] do_syscall_64+0x5b/0x170 -[ 97.807224] entry_SYSCALL_64_after_hwframe+0x44/0xa9 -[ 97.807224] RIP: 0033:0x7f4147b07976 -[ 97.807224] Code: 89 54 24 08 e8 7b f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f2 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 30 44 89 c7 89 44 24 08 e8 a6 f4 ff ff 8b 44 -[ 97.807224] RSP: 002b:00007ffcced96ca0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 -[ 97.807224] RAX: ffffffffffffffda RBX: 00005619d5037f80 RCX: 00007f4147b07976 -[ 97.807224] RDX: 0000000000000002 RSI: 00005619d46b969c RDI: 00000000ffffff9c -[ 98.040039] RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000000 -[ 98.040039] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000024 -[ 98.040039] R13: 0000000000000012 R14: 00005619d5035950 R15: 0000000000000012 -[ 98.040039] Modules linked in: nct6775 hwmon_vid algif_skcipher af_alg nls_iso8859_1 nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common arc4 videodev media snd_usb_audio snd_hda_codec_hdmi snd_usbmidi_lib snd_rawmidi snd_seq_device mousedev input_leds iwlmvm mac80211 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec edac_mce_amd kvm_amd snd_hda_core kvm iwlwifi snd_hwdep r8169 wmi_bmof cfg80211 snd_pcm irqbypass snd_timer snd libphy soundcore pinctrl_amd rfkill pcspkr sp5100_tco evdev gpio_amdpt k10temp mac_hid i2c_piix4 wmi pcc_cpufreq acpi_cpufreq vboxnetflt(OE) vboxnetadp(OE) vboxpci(OE) vboxdrv(OE) msr sg crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 fscrypto uas usb_storage dm_crypt hid_generic usbhid hid -[ 98.040039] dm_mod raid1 md_mod sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc ahci libahci aesni_intel aes_x86_64 libata crypto_simd cryptd glue_helper ccp xhci_pci rng_core scsi_mod xhci_hcd nvidia_drm(POE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart nvidia_uvm(POE) nvidia_modeset(POE) nvidia(POE) ipmi_devintf ipmi_msghandler -[ 98.040039] CR2: 0000000000000080 -[ 98.040039] ---[ end trace 3b65093b6fe62b2f ]--- -[ 98.040039] RIP: 0010:drm_lease_owner+0xd/0x20 [drm] -[ 98.040039] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44 -[ 98.040039] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202 -[ 98.040039] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88 -[ 98.040039] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000 -[ 98.040039] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000 -[ 98.040039] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888 -[ 98.040039] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8 -[ 98.040039] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000 -[ 98.040039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 98.040039] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0 - -Signed-off-by: Sergio Correia -Cc: stable@vger.kernel.org -Signed-off-by: Daniel Vetter -Link: https://patchwork.freedesktop.org/patch/msgid/20181122053329.2692-1-sergio@correia.cc -Signed-off-by: Jeremy Cline ---- - drivers/gpu/drm/drm_auth.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c -index d9c0f7573905..1669c42c40ed 100644 ---- a/drivers/gpu/drm/drm_auth.c -+++ b/drivers/gpu/drm/drm_auth.c -@@ -142,6 +142,7 @@ static int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv) - - lockdep_assert_held_once(&dev->master_mutex); - -+ WARN_ON(fpriv->is_master); - old_master = fpriv->master; - fpriv->master = drm_master_create(dev); - if (!fpriv->master) { -@@ -170,6 +171,7 @@ static int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv) - /* drop references and restore old master on failure */ - drm_master_put(&fpriv->master); - fpriv->master = old_master; -+ fpriv->is_master = 0; - - return ret; - } --- -2.19.1 - diff --git a/kernel.spec b/kernel.spec index 7f0b4f8db..799b6a709 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 7 +%define stable_update 8 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -624,9 +624,6 @@ Patch507: 0001-HID-i2c-hid-override-HID-descriptors-for-certain-dev.patch # rhbz 1526312 (accelerometer part of the bug), patches pending upstream Patch510: iio-accel-kxcjk1013-Add-more-hardware-ids.patch -# rhbz 1650224, patch in subsystem tree and Cc'd for stable -Patch511: drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch - # rhbz 1645070 patch queued upstream for merging into 4.21 Patch516: asus-fx503-keyb.patch @@ -636,9 +633,6 @@ Patch517: ALSA-hda-realtek-Fix-speaker-output-regression-on-Thinkpad.patch # CVE-2018-19824 rhbz 1655816 1655817 Patch518: alsa-usb-audio-fix-UAF-decrement-if-card-has-no-live.patch -# https://bugzilla.kernel.org/show_bug.cgi?id=201685 -Patch519: blk-mq-fix-corruption-with-direct-issue.patch - # END OF PATCH DEFINITIONS %endif @@ -1890,7 +1884,10 @@ fi # # %changelog -* Wed Dec 05 2018 Jeremy Cline - 4.19.7-300 +* Mon Dec 10 2018 Jeremy Cline - 4.19.8-200 +- Linux v4.19.8 + +* Wed Dec 05 2018 Jeremy Cline - 4.19.7-200 - Linux v4.19.7 - Fix CVE-2018-19406 (rhbz 1652650 1653346) diff --git a/sources b/sources index d02a4dc1c..29c5ee70b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (linux-4.19.tar.xz) = ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4 -SHA512 (patch-4.19.7.xz) = e27fdf83e5ae71f4eb2e49660877107d032e9bd51aafff99a1861a5cb18c3e6006164ffb11faf5cdaf0fa3a8afc0c1ab34abb0855d0858730ffb49261ad5b0ed +SHA512 (patch-4.19.8.xz) = c53092846a7f9a3d34eaf42085d2b404fd85e1acebe11b3f18c98123ce317012ec71d51fb5cb0f5db865f3a46a82f026db5ea02032f579c20cbea7dc15b5e145