Some vulnerabilities had been reported in kernel. The fixes have
been backported to version 4.9.111
Change-Id: Icb9917056873342cf09fefb487dc595faa308b70
Signed-off-by: srinidhira0 <srinidhir@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5350
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,148 @@ |
0 |
+From 34ec80907c239ae294ed85da2958ecf287986009 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: "Chao Yu Date: Wed, 22 Mar 2017 14:45:05 +0800" <yuchao0@huawei.com> |
|
2 |
+Date: Mon, 16 Jul 2018 20:11:52 +0530 |
|
3 |
+Subject: [PATCH 1/2] f2fs: fix race condition in between free nid |
|
4 |
+ allocator/initializer |
|
5 |
+ |
|
6 |
+In below concurrent case, allocated nid can be loaded into free nid cache |
|
7 |
+and be allocated again. |
|
8 |
+ |
|
9 |
+Thread A Thread B |
|
10 |
+- f2fs_create |
|
11 |
+ - f2fs_new_inode |
|
12 |
+ - alloc_nid |
|
13 |
+ - __insert_nid_to_list(ALLOC_NID_LIST) |
|
14 |
+ - f2fs_balance_fs_bg |
|
15 |
+ - build_free_nids |
|
16 |
+ - __build_free_nids |
|
17 |
+ - scan_nat_page |
|
18 |
+ - add_free_nid |
|
19 |
+ - __lookup_nat_cache |
|
20 |
+ - f2fs_add_link |
|
21 |
+ - init_inode_metadata |
|
22 |
+ - new_inode_page |
|
23 |
+ - new_node_page |
|
24 |
+ - set_node_addr |
|
25 |
+ - alloc_nid_done |
|
26 |
+ - __remove_nid_from_list(ALLOC_NID_LIST) |
|
27 |
+ - __insert_nid_to_list(FREE_NID_LIST) |
|
28 |
+ |
|
29 |
+This patch makes nat cache lookup and free nid list operation being atomical |
|
30 |
+to avoid this race condition. |
|
31 |
+ |
|
32 |
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> |
|
33 |
+Signed-off-by: Chao Yu <yuchao0@huawei.com> |
|
34 |
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> |
|
35 |
+ |
|
36 |
+[ Srinidhi Rao : Backported this fix to 4.9 ] |
|
37 |
+Signed-off-by: srinidhira0 <srinidhir@vmware.com> |
|
38 |
+--- |
|
39 |
+ fs/f2fs/node.c | 75 ++++++++++++++++++++++++++++++++++++++++++---------------- |
|
40 |
+ 1 file changed, 54 insertions(+), 21 deletions(-) |
|
41 |
+ |
|
42 |
+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c |
|
43 |
+index 01177ec..653461e 100644 |
|
44 |
+--- a/fs/f2fs/node.c |
|
45 |
+@@ -1702,8 +1702,10 @@ static void __del_from_free_nid_list(struct f2fs_nm_info *nm_i, |
|
46 |
+ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build) |
|
47 |
+ { |
|
48 |
+ struct f2fs_nm_info *nm_i = NM_I(sbi); |
|
49 |
+- struct free_nid *i; |
|
50 |
++ struct free_nid *i, *e; |
|
51 |
+ struct nat_entry *ne; |
|
52 |
++ int err = -EINVAL; |
|
53 |
++ int ret = 0; |
|
54 |
+ |
|
55 |
+ if (!available_free_memory(sbi, FREE_NIDS)) |
|
56 |
+ return -1; |
|
57 |
+@@ -1712,35 +1714,66 @@ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build) |
|
58 |
+ if (unlikely(nid == 0)) |
|
59 |
+ return 0; |
|
60 |
+ |
|
61 |
+- if (build) { |
|
62 |
+- /* do not add allocated nids */ |
|
63 |
+- ne = __lookup_nat_cache(nm_i, nid); |
|
64 |
+- if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) || |
|
65 |
+- nat_get_blkaddr(ne) != NULL_ADDR)) |
|
66 |
+- return 0; |
|
67 |
+- } |
|
68 |
+- |
|
69 |
+ i = f2fs_kmem_cache_alloc(free_nid_slab, GFP_NOFS); |
|
70 |
+ i->nid = nid; |
|
71 |
+ i->state = NID_NEW; |
|
72 |
+ |
|
73 |
+- if (radix_tree_preload(GFP_NOFS)) { |
|
74 |
+- kmem_cache_free(free_nid_slab, i); |
|
75 |
+- return 0; |
|
76 |
+- } |
|
77 |
++ if (radix_tree_preload(GFP_NOFS)) |
|
78 |
++ goto err; |
|
79 |
+ |
|
80 |
+ spin_lock(&nm_i->free_nid_list_lock); |
|
81 |
+- if (radix_tree_insert(&nm_i->free_nid_root, i->nid, i)) { |
|
82 |
+- spin_unlock(&nm_i->free_nid_list_lock); |
|
83 |
+- radix_tree_preload_end(); |
|
84 |
+- kmem_cache_free(free_nid_slab, i); |
|
85 |
+- return 0; |
|
86 |
++ |
|
87 |
++ if (build) { |
|
88 |
++ |
|
89 |
++ /* |
|
90 |
++ * Thread A Thread B |
|
91 |
++ * - f2fs_create |
|
92 |
++ * - f2fs_new_inode |
|
93 |
++ * - alloc_nid |
|
94 |
++ * - __insert_nid_to_list(ALLOC_NID_LIST) |
|
95 |
++ * - f2fs_balance_fs_bg |
|
96 |
++ * - build_free_nids |
|
97 |
++ * - __build_free_nids |
|
98 |
++ * - scan_nat_page |
|
99 |
++ * - add_free_nid |
|
100 |
++ * - __lookup_nat_cache |
|
101 |
++ * - f2fs_add_link |
|
102 |
++ * - init_inode_metadata |
|
103 |
++ * - new_inode_page |
|
104 |
++ * - new_node_page |
|
105 |
++ * - set_node_addr |
|
106 |
++ * - alloc_nid_done |
|
107 |
++ * - __remove_nid_from_list(ALLOC_NID_LIST) |
|
108 |
++ * - __insert_nid_to_list(FREE_NID_LIST) |
|
109 |
++ */ |
|
110 |
++ ne = __lookup_nat_cache(nm_i, nid); |
|
111 |
++ if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) || |
|
112 |
++ nat_get_blkaddr(ne) != NULL_ADDR)) |
|
113 |
++ goto err_out; |
|
114 |
++ |
|
115 |
++ e = __lookup_free_nid_list(nm_i, nid); |
|
116 |
++ if (e) { |
|
117 |
++ if (e->state == NID_NEW) |
|
118 |
++ ret = 1; |
|
119 |
++ goto err_out; |
|
120 |
++ } |
|
121 |
+ } |
|
122 |
+- list_add_tail(&i->list, &nm_i->free_nid_list); |
|
123 |
+- nm_i->fcnt++; |
|
124 |
++ ret = 1; |
|
125 |
++ |
|
126 |
++ err = radix_tree_insert(&nm_i->free_nid_root, i->nid, i); |
|
127 |
++ if (!err) { |
|
128 |
++ list_add_tail(&i->list, &nm_i->free_nid_list); |
|
129 |
++ nm_i->fcnt++; |
|
130 |
++ |
|
131 |
++ } |
|
132 |
++err_out: |
|
133 |
+ spin_unlock(&nm_i->free_nid_list_lock); |
|
134 |
+ radix_tree_preload_end(); |
|
135 |
+- return 1; |
|
136 |
++err: |
|
137 |
++ if (err) |
|
138 |
++ kmem_cache_free(free_nid_slab, i); |
|
139 |
++ |
|
140 |
++ return ret; |
|
141 |
+ } |
|
142 |
+ |
|
143 |
+ static void remove_free_nid(struct f2fs_nm_info *nm_i, nid_t nid) |
|
144 |
+-- |
|
145 |
+2.7.4 |
|
146 |
+ |
0 | 147 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,300 @@ |
0 |
+From 0558f33c06bb910e2879e355192227a8e8f0219d Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Jason Yan <yanaijie@huawei.com> |
|
2 |
+Date: Fri, 8 Dec 2017 17:42:09 +0800 |
|
3 |
+Subject: [PATCH] scsi: libsas: direct call probe and destruct |
|
4 |
+ |
|
5 |
+In commit 87c8331fcf72 ("[SCSI] libsas: prevent domain rediscovery |
|
6 |
+competing with ata error handling") introduced disco mutex to prevent |
|
7 |
+rediscovery competing with ata error handling and put the whole |
|
8 |
+revalidation in the mutex. But the rphy add/remove needs to wait for the |
|
9 |
+error handling which also grabs the disco mutex. This may leads to dead |
|
10 |
+lock.So the probe and destruct event were introduce to do the rphy |
|
11 |
+add/remove asynchronously and out of the lock. |
|
12 |
+ |
|
13 |
+The asynchronously processed workers makes the whole discovery process |
|
14 |
+not atomic, the other events may interrupt the process. For example, |
|
15 |
+if a loss of signal event inserted before the probe event, the |
|
16 |
+sas_deform_port() is called and the port will be deleted. |
|
17 |
+ |
|
18 |
+And sas_port_delete() may run before the destruct event, but the |
|
19 |
+port-x:x is the top parent of end device or expander. This leads to |
|
20 |
+a kernel WARNING such as: |
|
21 |
+ |
|
22 |
+[ 82.042979] sysfs group 'power' not found for kobject 'phy-1:0:22' |
|
23 |
+[ 82.042983] ------------[ cut here ]------------ |
|
24 |
+[ 82.042986] WARNING: CPU: 54 PID: 1714 at fs/sysfs/group.c:237 |
|
25 |
+sysfs_remove_group+0x94/0xa0 |
|
26 |
+[ 82.043059] Call trace: |
|
27 |
+[ 82.043082] [<ffff0000082e7624>] sysfs_remove_group+0x94/0xa0 |
|
28 |
+[ 82.043085] [<ffff00000864e320>] dpm_sysfs_remove+0x60/0x70 |
|
29 |
+[ 82.043086] [<ffff00000863ee10>] device_del+0x138/0x308 |
|
30 |
+[ 82.043089] [<ffff00000869a2d0>] sas_phy_delete+0x38/0x60 |
|
31 |
+[ 82.043091] [<ffff00000869a86c>] do_sas_phy_delete+0x6c/0x80 |
|
32 |
+[ 82.043093] [<ffff00000863dc20>] device_for_each_child+0x58/0xa0 |
|
33 |
+[ 82.043095] [<ffff000008696f80>] sas_remove_children+0x40/0x50 |
|
34 |
+[ 82.043100] [<ffff00000869d1bc>] sas_destruct_devices+0x64/0xa0 |
|
35 |
+[ 82.043102] [<ffff0000080e93bc>] process_one_work+0x1fc/0x4b0 |
|
36 |
+[ 82.043104] [<ffff0000080e96c0>] worker_thread+0x50/0x490 |
|
37 |
+[ 82.043105] [<ffff0000080f0364>] kthread+0xfc/0x128 |
|
38 |
+[ 82.043107] [<ffff0000080836c0>] ret_from_fork+0x10/0x50 |
|
39 |
+ |
|
40 |
+Make probe and destruct a direct call in the disco and revalidate function, |
|
41 |
+but put them outside the lock. The whole discovery or revalidate won't |
|
42 |
+be interrupted by other events. And the DISCE_PROBE and DISCE_DESTRUCT |
|
43 |
+event are deleted as a result of the direct call. |
|
44 |
+ |
|
45 |
+Introduce a new list to destruct the sas_port and put the port delete after |
|
46 |
+the destruct. This makes sure the right order of destroying the sysfs |
|
47 |
+kobject and fix the warning above. |
|
48 |
+ |
|
49 |
+In sas_ex_revalidate_domain() have a loop to find all broadcasted |
|
50 |
+device, and sometimes we have a chance to find the same expander twice. |
|
51 |
+Because the sas_port will be deleted at the end of the whole revalidate |
|
52 |
+process, sas_port with the same name cannot be added before this. |
|
53 |
+Otherwise the sysfs will complain of creating duplicate filename. Since |
|
54 |
+the LLDD will send broadcast for every device change, we can only |
|
55 |
+process one expander's revalidation. |
|
56 |
+ |
|
57 |
+[mkp: kbuild test robot warning] |
|
58 |
+ |
|
59 |
+Signed-off-by: Jason Yan <yanaijie@huawei.com> |
|
60 |
+CC: John Garry <john.garry@huawei.com> |
|
61 |
+CC: Johannes Thumshirn <jthumshirn@suse.de> |
|
62 |
+CC: Ewan Milne <emilne@redhat.com> |
|
63 |
+CC: Christoph Hellwig <hch@lst.de> |
|
64 |
+CC: Tomas Henzl <thenzl@redhat.com> |
|
65 |
+CC: Dan Williams <dan.j.williams@intel.com> |
|
66 |
+Reviewed-by: Hannes Reinecke <hare@suse.com> |
|
67 |
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> |
|
68 |
+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu> |
|
69 |
+--- |
|
70 |
+ drivers/scsi/libsas/sas_ata.c | 1 - |
|
71 |
+ drivers/scsi/libsas/sas_discover.c | 32 ++++++++++++++++++-------------- |
|
72 |
+ drivers/scsi/libsas/sas_expander.c | 8 +++----- |
|
73 |
+ drivers/scsi/libsas/sas_internal.h | 1 + |
|
74 |
+ drivers/scsi/libsas/sas_port.c | 3 +++ |
|
75 |
+ include/scsi/libsas.h | 3 +-- |
|
76 |
+ include/scsi/scsi_transport_sas.h | 1 + |
|
77 |
+ 7 files changed, 27 insertions(+), 22 deletions(-) |
|
78 |
+ |
|
79 |
+diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c |
|
80 |
+index 6f5e272..e018e76 100644 |
|
81 |
+--- a/drivers/scsi/libsas/sas_ata.c |
|
82 |
+@@ -732,7 +732,6 @@ int sas_discover_sata(struct domain_device *dev) |
|
83 |
+ if (res) |
|
84 |
+ return res; |
|
85 |
+ |
|
86 |
+- sas_discover_event(dev->port, DISCE_PROBE); |
|
87 |
+ return 0; |
|
88 |
+ } |
|
89 |
+ |
|
90 |
+diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c |
|
91 |
+index 60de662..487d734 100644 |
|
92 |
+--- a/drivers/scsi/libsas/sas_discover.c |
|
93 |
+@@ -212,13 +212,9 @@ void sas_notify_lldd_dev_gone(struct domain_device *dev) |
|
94 |
+ } |
|
95 |
+ } |
|
96 |
+ |
|
97 |
+-static void sas_probe_devices(struct work_struct *work) |
|
98 |
++static void sas_probe_devices(struct asd_sas_port *port) |
|
99 |
+ { |
|
100 |
+ struct domain_device *dev, *n; |
|
101 |
+- struct sas_discovery_event *ev = to_sas_discovery_event(work); |
|
102 |
+- struct asd_sas_port *port = ev->port; |
|
103 |
+- |
|
104 |
+- clear_bit(DISCE_PROBE, &port->disc.pending); |
|
105 |
+ |
|
106 |
+ /* devices must be domain members before link recovery and probe */ |
|
107 |
+ list_for_each_entry(dev, &port->disco_list, disco_list_node) { |
|
108 |
+@@ -294,7 +290,6 @@ int sas_discover_end_dev(struct domain_device *dev) |
|
109 |
+ res = sas_notify_lldd_dev_found(dev); |
|
110 |
+ if (res) |
|
111 |
+ return res; |
|
112 |
+- sas_discover_event(dev->port, DISCE_PROBE); |
|
113 |
+ |
|
114 |
+ return 0; |
|
115 |
+ } |
|
116 |
+@@ -353,13 +348,9 @@ static void sas_unregister_common_dev(struct asd_sas_port *port, struct domain_d |
|
117 |
+ sas_put_device(dev); |
|
118 |
+ } |
|
119 |
+ |
|
120 |
+-static void sas_destruct_devices(struct work_struct *work) |
|
121 |
++void sas_destruct_devices(struct asd_sas_port *port) |
|
122 |
+ { |
|
123 |
+ struct domain_device *dev, *n; |
|
124 |
+- struct sas_discovery_event *ev = to_sas_discovery_event(work); |
|
125 |
+- struct asd_sas_port *port = ev->port; |
|
126 |
+- |
|
127 |
+- clear_bit(DISCE_DESTRUCT, &port->disc.pending); |
|
128 |
+ |
|
129 |
+ list_for_each_entry_safe(dev, n, &port->destroy_list, disco_list_node) { |
|
130 |
+ list_del_init(&dev->disco_list_node); |
|
131 |
+@@ -370,6 +361,16 @@ static void sas_destruct_devices(struct work_struct *work) |
|
132 |
+ } |
|
133 |
+ } |
|
134 |
+ |
|
135 |
++static void sas_destruct_ports(struct asd_sas_port *port) |
|
136 |
++{ |
|
137 |
++ struct sas_port *sas_port, *p; |
|
138 |
++ |
|
139 |
++ list_for_each_entry_safe(sas_port, p, &port->sas_port_del_list, del_list) { |
|
140 |
++ list_del_init(&sas_port->del_list); |
|
141 |
++ sas_port_delete(sas_port); |
|
142 |
++ } |
|
143 |
++} |
|
144 |
++ |
|
145 |
+ void sas_unregister_dev(struct asd_sas_port *port, struct domain_device *dev) |
|
146 |
+ { |
|
147 |
+ if (!test_bit(SAS_DEV_DESTROY, &dev->state) && |
|
148 |
+@@ -384,7 +385,6 @@ void sas_unregister_dev(struct asd_sas_port *port, struct domain_device *dev) |
|
149 |
+ if (!test_and_set_bit(SAS_DEV_DESTROY, &dev->state)) { |
|
150 |
+ sas_rphy_unlink(dev->rphy); |
|
151 |
+ list_move_tail(&dev->disco_list_node, &port->destroy_list); |
|
152 |
+- sas_discover_event(dev->port, DISCE_DESTRUCT); |
|
153 |
+ } |
|
154 |
+ } |
|
155 |
+ |
|
156 |
+@@ -490,6 +490,8 @@ static void sas_discover_domain(struct work_struct *work) |
|
157 |
+ port->port_dev = NULL; |
|
158 |
+ } |
|
159 |
+ |
|
160 |
++ sas_probe_devices(port); |
|
161 |
++ |
|
162 |
+ SAS_DPRINTK("DONE DISCOVERY on port %d, pid:%d, result:%d\n", port->id, |
|
163 |
+ task_pid_nr(current), error); |
|
164 |
+ } |
|
165 |
+@@ -523,6 +525,10 @@ static void sas_revalidate_domain(struct work_struct *work) |
|
166 |
+ port->id, task_pid_nr(current), res); |
|
167 |
+ out: |
|
168 |
+ mutex_unlock(&ha->disco_mutex); |
|
169 |
++ |
|
170 |
++ sas_destruct_devices(port); |
|
171 |
++ sas_destruct_ports(port); |
|
172 |
++ sas_probe_devices(port); |
|
173 |
+ } |
|
174 |
+ |
|
175 |
+ /* ---------- Events ---------- */ |
|
176 |
+@@ -578,10 +584,8 @@ void sas_init_disc(struct sas_discovery *disc, struct asd_sas_port *port) |
|
177 |
+ static const work_func_t sas_event_fns[DISC_NUM_EVENTS] = { |
|
178 |
+ [DISCE_DISCOVER_DOMAIN] = sas_discover_domain, |
|
179 |
+ [DISCE_REVALIDATE_DOMAIN] = sas_revalidate_domain, |
|
180 |
+- [DISCE_PROBE] = sas_probe_devices, |
|
181 |
+ [DISCE_SUSPEND] = sas_suspend_devices, |
|
182 |
+ [DISCE_RESUME] = sas_resume_devices, |
|
183 |
+- [DISCE_DESTRUCT] = sas_destruct_devices, |
|
184 |
+ }; |
|
185 |
+ |
|
186 |
+ disc->pending = 0; |
|
187 |
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c |
|
188 |
+index 12886f9..8d7a769 100644 |
|
189 |
+--- a/drivers/scsi/libsas/sas_expander.c |
|
190 |
+@@ -1905,7 +1905,8 @@ static void sas_unregister_devs_sas_addr(struct domain_device *parent, |
|
191 |
+ sas_port_delete_phy(phy->port, phy->phy); |
|
192 |
+ sas_device_set_phy(found, phy->port); |
|
193 |
+ if (phy->port->num_phys == 0) |
|
194 |
+- sas_port_delete(phy->port); |
|
195 |
++ list_add_tail(&phy->port->del_list, |
|
196 |
++ &parent->port->sas_port_del_list); |
|
197 |
+ phy->port = NULL; |
|
198 |
+ } |
|
199 |
+ } |
|
200 |
+@@ -2113,7 +2114,7 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev) |
|
201 |
+ struct domain_device *dev = NULL; |
|
202 |
+ |
|
203 |
+ res = sas_find_bcast_dev(port_dev, &dev); |
|
204 |
+- while (res == 0 && dev) { |
|
205 |
++ if (res == 0 && dev) { |
|
206 |
+ struct expander_device *ex = &dev->ex_dev; |
|
207 |
+ int i = 0, phy_id; |
|
208 |
+ |
|
209 |
+@@ -2125,9 +2126,6 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev) |
|
210 |
+ res = sas_rediscover(dev, phy_id); |
|
211 |
+ i = phy_id + 1; |
|
212 |
+ } while (i < ex->num_phys); |
|
213 |
+- |
|
214 |
+- dev = NULL; |
|
215 |
+- res = sas_find_bcast_dev(port_dev, &dev); |
|
216 |
+ } |
|
217 |
+ return res; |
|
218 |
+ } |
|
219 |
+diff --git a/drivers/scsi/libsas/sas_internal.h b/drivers/scsi/libsas/sas_internal.h |
|
220 |
+index 9cf0bc2..2cbbd11 100644 |
|
221 |
+--- a/drivers/scsi/libsas/sas_internal.h |
|
222 |
+@@ -98,6 +98,7 @@ int sas_try_ata_reset(struct asd_sas_phy *phy); |
|
223 |
+ void sas_hae_reset(struct work_struct *work); |
|
224 |
+ |
|
225 |
+ void sas_free_device(struct kref *kref); |
|
226 |
++void sas_destruct_devices(struct asd_sas_port *port); |
|
227 |
+ |
|
228 |
+ #ifdef CONFIG_SCSI_SAS_HOST_SMP |
|
229 |
+ extern int sas_smp_host_handler(struct Scsi_Host *shost, struct request *req, |
|
230 |
+diff --git a/drivers/scsi/libsas/sas_port.c b/drivers/scsi/libsas/sas_port.c |
|
231 |
+index d3c5297..5d3244c 100644 |
|
232 |
+--- a/drivers/scsi/libsas/sas_port.c |
|
233 |
+@@ -66,6 +66,7 @@ static void sas_resume_port(struct asd_sas_phy *phy) |
|
234 |
+ rc = sas_notify_lldd_dev_found(dev); |
|
235 |
+ if (rc) { |
|
236 |
+ sas_unregister_dev(port, dev); |
|
237 |
++ sas_destruct_devices(port); |
|
238 |
+ continue; |
|
239 |
+ } |
|
240 |
+ |
|
241 |
+@@ -219,6 +220,7 @@ void sas_deform_port(struct asd_sas_phy *phy, int gone) |
|
242 |
+ |
|
243 |
+ if (port->num_phys == 1) { |
|
244 |
+ sas_unregister_domain_devices(port, gone); |
|
245 |
++ sas_destruct_devices(port); |
|
246 |
+ sas_port_delete(port->port); |
|
247 |
+ port->port = NULL; |
|
248 |
+ } else { |
|
249 |
+@@ -323,6 +325,7 @@ static void sas_init_port(struct asd_sas_port *port, |
|
250 |
+ INIT_LIST_HEAD(&port->dev_list); |
|
251 |
+ INIT_LIST_HEAD(&port->disco_list); |
|
252 |
+ INIT_LIST_HEAD(&port->destroy_list); |
|
253 |
++ INIT_LIST_HEAD(&port->sas_port_del_list); |
|
254 |
+ spin_lock_init(&port->phy_list_lock); |
|
255 |
+ INIT_LIST_HEAD(&port->phy_list); |
|
256 |
+ port->ha = sas_ha; |
|
257 |
+diff --git a/include/scsi/libsas.h b/include/scsi/libsas.h |
|
258 |
+index 706a701..8a27e35 100644 |
|
259 |
+--- a/include/scsi/libsas.h |
|
260 |
+@@ -87,10 +87,8 @@ enum discover_event { |
|
261 |
+ DISCE_DISCOVER_DOMAIN = 0U, |
|
262 |
+ DISCE_REVALIDATE_DOMAIN = 1, |
|
263 |
+ DISCE_PORT_GONE = 2, |
|
264 |
+- DISCE_PROBE = 3, |
|
265 |
+ DISCE_SUSPEND = 4, |
|
266 |
+ DISCE_RESUME = 5, |
|
267 |
+- DISCE_DESTRUCT = 6, |
|
268 |
+ DISC_NUM_EVENTS = 7, |
|
269 |
+ }; |
|
270 |
+ |
|
271 |
+@@ -269,6 +267,7 @@ struct asd_sas_port { |
|
272 |
+ struct list_head dev_list; |
|
273 |
+ struct list_head disco_list; |
|
274 |
+ struct list_head destroy_list; |
|
275 |
++ struct list_head sas_port_del_list; |
|
276 |
+ enum sas_linkrate linkrate; |
|
277 |
+ |
|
278 |
+ struct sas_work work; |
|
279 |
+diff --git a/include/scsi/scsi_transport_sas.h b/include/scsi/scsi_transport_sas.h |
|
280 |
+index 0bd71e2..e6c7ff5 100644 |
|
281 |
+--- a/include/scsi/scsi_transport_sas.h |
|
282 |
+@@ -145,6 +145,7 @@ struct sas_port { |
|
283 |
+ |
|
284 |
+ struct mutex phy_list_mutex; |
|
285 |
+ struct list_head phy_list; |
|
286 |
++ struct list_head del_list; /* libsas only */ |
|
287 |
+ }; |
|
288 |
+ |
|
289 |
+ #define dev_to_sas_port(d) \ |
|
290 |
+-- |
|
291 |
+2.7.4 |
|
292 |
+ |
0 | 293 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,50 @@ |
0 |
+From ed5525ebec6548b92f7c6f026f5a23001e25f74e Mon Sep 17 00:00:00 2001 |
|
1 |
+From: "Eric Sandeen Date: Mon, 16 Apr 2018 23:07:27 -0700" |
|
2 |
+ <sandeen@redhat.com> |
|
3 |
+Date: Mon, 16 Jul 2018 20:13:54 +0530 |
|
4 |
+Subject: [PATCH] xfs: set format back to extents if xfs_bmap_extents_to_btree |
|
5 |
+ |
|
6 |
+If xfs_bmap_extents_to_btree fails in a mode where we call |
|
7 |
+xfs_iroot_realloc(-1) to de-allocate the root, set the |
|
8 |
+format back to extents. |
|
9 |
+ |
|
10 |
+Otherwise we can assume we can dereference ifp->if_broot |
|
11 |
+based on the XFS_DINODE_FMT_BTREE format, and crash. |
|
12 |
+ |
|
13 |
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423 |
|
14 |
+Signed-off-by: Eric Sandeen <sandeen@redhat.com> |
|
15 |
+Reviewed-by: Christoph Hellwig <hch@lst.de> |
|
16 |
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> |
|
17 |
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> |
|
18 |
+[ Srinidhi Rao : Backported this fix to 4.9 ] |
|
19 |
+Signed-off-by: srinidhira0 <srinidhir@vmware.com> |
|
20 |
+ |
|
21 |
+--- |
|
22 |
+ fs/xfs/libxfs/xfs_bmap.c | 4 ++++ |
|
23 |
+ 1 file changed, 4 insertions(+) |
|
24 |
+ |
|
25 |
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c |
|
26 |
+index 8ad65d4..356385f 100644 |
|
27 |
+--- a/fs/xfs/libxfs/xfs_bmap.c |
|
28 |
+@@ -781,6 +781,8 @@ xfs_bmap_extents_to_btree( |
|
29 |
+ *logflagsp = 0; |
|
30 |
+ if ((error = xfs_alloc_vextent(&args))) { |
|
31 |
+ xfs_iroot_realloc(ip, -1, whichfork); |
|
32 |
++ ASSERT(ifp->if_broot == NULL); |
|
33 |
++ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS); |
|
34 |
+ xfs_btree_del_cursor(cur, XFS_BTREE_ERROR); |
|
35 |
+ return error; |
|
36 |
+ } |
|
37 |
+@@ -801,6 +803,8 @@ xfs_bmap_extents_to_btree( |
|
38 |
+ } |
|
39 |
+ if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) { |
|
40 |
+ xfs_iroot_realloc(ip, -1, whichfork); |
|
41 |
++ ASSERT(ifp->if_broot == NULL); |
|
42 |
++ XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS); |
|
43 |
+ xfs_btree_del_cursor(cur, XFS_BTREE_ERROR); |
|
44 |
+ return -ENOSPC; |
|
45 |
+ } |
|
46 |
+-- |
|
47 |
+2.7.4 |
|
48 |
+ |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-aws |
4 | 4 |
Version: 4.9.111 |
5 |
-Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 3%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -59,6 +59,12 @@ Patch40: 0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch |
59 | 59 |
# Fix for CVE-2017-18224 |
60 | 60 |
Patch41: 0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch |
61 | 61 |
Patch42: 0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch |
62 |
+# Fix for CVE-2017-18232 |
|
63 |
+Patch43: 0001-scsi-libsas-direct-call-probe-and-destruct.patch |
|
64 |
+# Fix for CVE-2017-18249 |
|
65 |
+Patch44: 0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch |
|
66 |
+# Fix for CVE-2018-10323 |
|
67 |
+Patch45: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch |
|
62 | 68 |
|
63 | 69 |
# For Spectre |
64 | 70 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
... | ... |
@@ -231,6 +237,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
231 | 231 |
%patch40 -p1 |
232 | 232 |
%patch41 -p1 |
233 | 233 |
%patch42 -p1 |
234 |
+%patch43 -p1 |
|
235 |
+%patch44 -p1 |
|
236 |
+%patch45 -p1 |
|
234 | 237 |
|
235 | 238 |
%patch52 -p1 |
236 | 239 |
%patch53 -p1 |
... | ... |
@@ -451,6 +460,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
451 | 451 |
/usr/share/doc/* |
452 | 452 |
|
453 | 453 |
%changelog |
454 |
+* Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-3 |
|
455 |
+- Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323 |
|
454 | 456 |
* Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.111-2 |
455 | 457 |
- Enable and use AppArmor security module by default. |
456 | 458 |
* Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1 |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.9.111 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -56,6 +56,12 @@ Patch40: 0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch |
56 | 56 |
# Fix for CVE-2017-18224 |
57 | 57 |
Patch41: 0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch |
58 | 58 |
Patch42: 0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch |
59 |
+# Fix for CVE-2017-18232 |
|
60 |
+Patch43: 0001-scsi-libsas-direct-call-probe-and-destruct.patch |
|
61 |
+# Fix for CVE-2017-18249 |
|
62 |
+Patch44: 0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch |
|
63 |
+# Fix for CVE-2018-10323 |
|
64 |
+Patch45: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch |
|
59 | 65 |
|
60 | 66 |
# For Spectre |
61 | 67 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
... | ... |
@@ -147,6 +153,9 @@ The Linux package contains the Linux kernel doc files |
147 | 147 |
%patch40 -p1 |
148 | 148 |
%patch41 -p1 |
149 | 149 |
%patch42 -p1 |
150 |
+%patch43 -p1 |
|
151 |
+%patch44 -p1 |
|
152 |
+%patch45 -p1 |
|
150 | 153 |
|
151 | 154 |
%patch52 -p1 |
152 | 155 |
%patch53 -p1 |
... | ... |
@@ -259,6 +268,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
259 | 259 |
/usr/src/linux-headers-%{uname_r} |
260 | 260 |
|
261 | 261 |
%changelog |
262 |
+* Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-2 |
|
263 |
+- Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323 |
|
262 | 264 |
* Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1 |
263 | 265 |
- Update to version 4.9.111. |
264 | 266 |
- .config: use =y for vmxnet3 instead of =m, use lz4 for bzImage. |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.9.111 |
5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -65,6 +65,12 @@ Patch42: 0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch |
65 | 65 |
# Fix for CVE-2017-18224 |
66 | 66 |
Patch43: 0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch |
67 | 67 |
Patch44: 0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch |
68 |
+# Fix for CVE-2017-18232 |
|
69 |
+Patch45: 0001-scsi-libsas-direct-call-probe-and-destruct.patch |
|
70 |
+# Fix for CVE-2017-18249 |
|
71 |
+Patch46: 0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch |
|
72 |
+# Fix for CVE-2018-10323 |
|
73 |
+Patch47: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch |
|
68 | 74 |
|
69 | 75 |
# For Spectre |
70 | 76 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
... | ... |
@@ -199,6 +205,9 @@ EOF |
199 | 199 |
%patch42 -p1 |
200 | 200 |
%patch43 -p1 |
201 | 201 |
%patch44 -p1 |
202 |
+%patch45 -p1 |
|
203 |
+%patch46 -p1 |
|
204 |
+%patch47 -p1 |
|
202 | 205 |
|
203 | 206 |
# spectre |
204 | 207 |
%patch52 -p1 |
... | ... |
@@ -346,6 +355,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
346 | 346 |
/usr/src/linux-headers-%{uname_r} |
347 | 347 |
|
348 | 348 |
%changelog |
349 |
+* Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-2 |
|
350 |
+- Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323 |
|
349 | 351 |
* Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1 |
350 | 352 |
- Update to version 4.9.111 |
351 | 353 |
* Wed Jun 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.109-2 |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.9.111 |
5 |
-Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 3%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -63,6 +63,12 @@ Patch40: 0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch |
63 | 63 |
# Fix for CVE-2017-18224 |
64 | 64 |
Patch41: 0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch |
65 | 65 |
Patch42: 0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch |
66 |
+# Fix for CVE-2017-18232 |
|
67 |
+Patch43: 0001-scsi-libsas-direct-call-probe-and-destruct.patch |
|
68 |
+# Fix for CVE-2017-18249 |
|
69 |
+Patch44: 0001-f2fs-fix-race-condition-in-between-free-nid-allocator-initializer.patch |
|
70 |
+# Fix for CVE-2018-10323 |
|
71 |
+Patch45: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch |
|
66 | 72 |
|
67 | 73 |
# For Spectre |
68 | 74 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
... | ... |
@@ -190,6 +196,9 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
190 | 190 |
%patch40 -p1 |
191 | 191 |
%patch41 -p1 |
192 | 192 |
%patch42 -p1 |
193 |
+%patch43 -p1 |
|
194 |
+%patch44 -p1 |
|
195 |
+%patch45 -p1 |
|
193 | 196 |
|
194 | 197 |
%patch52 -p1 |
195 | 198 |
%patch53 -p1 |
... | ... |
@@ -373,6 +382,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
373 | 373 |
/usr/share/doc/* |
374 | 374 |
|
375 | 375 |
%changelog |
376 |
+* Thu Jul 12 2018 Srinidhi Rao <srinidhir@vmware.com> 4.9.111-3 |
|
377 |
+- Fix CVE-2017-18232, CVE-2017-18249 and CVE-2018-10323 |
|
376 | 378 |
* Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.111-2 |
377 | 379 |
- Enable and use AppArmor security module by default. |
378 | 380 |
* Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1 |