~vicamo/+git/ubuntu-kernel:bug-1818490/for-xenial

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

08837e2... by Arvind Sankar <email address hidden> on 2019-03-02

igb: Fix WARN_ONCE on runtime suspend

The runtime_suspend device callbacks are not supposed to save
configuration state or change the power state. Commit fb29f76cc566
("igb: Fix an issue that PME is not enabled during runtime suspend")
changed the driver to not save configuration state during runtime
suspend, however the driver callback still put the device into a
low-power state. This causes a warning in the pci pm core and results in
pci_pm_runtime_suspend not calling pci_save_state or pci_finish_runtime_suspend.

Fix this by not changing the power state either, leaving that to pci pm
core, and make the same change for suspend callback as well.

Also move a couple of defines into the appropriate header file instead
of inline in the .c file.

Fixes: fb29f76cc566 ("igb: Fix an issue that PME is not enabled during runtime suspend")
Signed-off-by: Arvind Sankar <email address hidden>
Reviewed-by: Kai-Heng Feng <email address hidden>
Tested-by: Aaron Brown <email address hidden>
Signed-off-by: Jeff Kirsher <email address hidden>
(cherry picked from commit dabb8338be533c18f50255cf39ff4f66d4dabdbe)
Signed-off-by: You-Sheng Yang <email address hidden>

4540b78... by Andrea Righi on 2019-04-05

openvswitch: fix flow actions reallocation

BugLink: https://bugs.launchpad.net/bugs/1813244

The flow action buffer can be resized if it's not big enough to contain
all the requested flow actions. However, this resize doesn't take into
account the new requested size, the buffer is only increased by a factor
of 2x. This might be not enough to contain the new data, causing a
buffer overflow, for example:

[ 42.044472] =============================================================================
[ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
[ 42.046415] -----------------------------------------------------------------------------

[ 42.047715] Disabling lock debugging due to kernel taint
[ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
[ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
[ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb

[ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........
[ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l...
[ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x...
[ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ...............
[ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 ....
[ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ

Fix by making sure the new buffer is properly resized to contain all the
requested data.

BugLink: https://bugs.launchpad.net/bugs/1813244
Signed-off-by: Andrea Righi <email address hidden>
Acked-by: Pravin B Shelar <email address hidden>
Signed-off-by: David S. Miller <email address hidden>

(cherry picked from commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb)
Signed-off-by: Andrea Righi <email address hidden>
Acked-by: Juerg Haefliger <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Juerg Haefliger <email address hidden>

caa1996... by Khaled El Mously on 2019-04-03

UBUNTU: Ubuntu-4.4.0-146.172

Signed-off-by: Khalid Elmously <email address hidden>

9541268... by Khaled El Mously on 2019-04-03

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1822834
Signed-off-by: Khalid Elmously <email address hidden>

d68777a... by Khaled El Mously on 2019-04-03

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Khalid Elmously <email address hidden>

dda2cc1... by Khaled El Mously on 2019-04-03

UBUNTU: [Packaging] resync retpoline extraction

BugLink: http://bugs.launchpad.net/bugs/1786013
Signed-off-by: Khalid Elmously <email address hidden>

8d44123... by Khaled El Mously on 2019-04-03

UBUNTU: [Packaging] update helper scripts

BugLink: http://bugs.launchpad.net/bugs/1786013
Signed-off-by: Khalid Elmously <email address hidden>

c6a89c4... by Andrea Righi on 2019-03-28

btrfs: raid56: properly unmap parity page in finish_parity_scrub()

Buglink: https://bugs.launchpad.net/bugs/1812845

Parity page is incorrectly unmapped in finish_parity_scrub(), triggering
a reference counter bug on i386, i.e.:

 [ 157.662401] kernel BUG at mm/highmem.c:349!
 [ 157.666725] invalid opcode: 0000 [#1] SMP PTI

The reason is that kunmap(p_page) was completely left out, so we never
did an unmap for the p_page and the loop unmapping the rbio page was
iterating over the wrong number of stripes: unmapping should be done
with nr_data instead of rbio->real_stripes.

Test case to reproduce the bug:

 - create a raid5 btrfs filesystem:
   # mkfs.btrfs -m raid5 -d raid5 /dev/sdb /dev/sdc /dev/sdd /dev/sde

 - mount it:
   # mount /dev/sdb /mnt

 - run btrfs scrub in a loop:
   # while :; do btrfs scrub start -BR /mnt; done

BugLink: https://bugs.launchpad.net/bugs/1812845
Fixes: 5a6ac9eacb49 ("Btrfs, raid56: support parity scrub on raid56")
CC: <email address hidden> # 4.4+
Reviewed-by: Johannes Thumshirn <email address hidden>
Signed-off-by: Andrea Righi <email address hidden>
Reviewed-by: David Sterba <email address hidden>
Signed-off-by: David Sterba <email address hidden>
(cherry picked from commit 3897b6f0a859288c22fb793fad11ec2327e60fcd)
Signed-off-by: Andrea Righi <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

f723d96... by Greg Kroah-Hartman <email address hidden> on 2019-03-23

Linux 4.4.177

BugLink: https://bugs.launchpad.net/bugs/1822271

Signed-off-by: Stefan Bader <email address hidden>
Acked-by: Juerg Haefliger <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

9dc8740... by Wanpeng Li <email address hidden> on 2017-08-10

KVM: X86: Fix residual mmio emulation request to userspace

BugLink: https://bugs.launchpad.net/bugs/1822271

commit bbeac2830f4de270bb48141681cb730aadf8dce1 upstream.

Reported by syzkaller:

The kvm-intel.unrestricted_guest=0

   WARNING: CPU: 5 PID: 1014 at /home/kernel/data/kvm/arch/x86/kvm//x86.c:7227 kvm_arch_vcpu_ioctl_run+0x38b/0x1be0 [kvm]
   CPU: 5 PID: 1014 Comm: warn_test Tainted: G W OE 4.13.0-rc3+ #8
   RIP: 0010:kvm_arch_vcpu_ioctl_run+0x38b/0x1be0 [kvm]
   Call Trace:
    ? put_pid+0x3a/0x50
    ? rcu_read_lock_sched_held+0x79/0x80
    ? kmem_cache_free+0x2f2/0x350
    kvm_vcpu_ioctl+0x340/0x700 [kvm]
    ? kvm_vcpu_ioctl+0x340/0x700 [kvm]
    ? __fget+0xfc/0x210
    do_vfs_ioctl+0xa4/0x6a0
    ? __fget+0x11d/0x210
    SyS_ioctl+0x79/0x90
    entry_SYSCALL_64_fastpath+0x23/0xc2
    ? __this_cpu_preempt_check+0x13/0x20

The syszkaller folks reported a residual mmio emulation request to userspace
due to vm86 fails to emulate inject real mode interrupt(fails to read CS) and
incurs a triple fault. The vCPU returns to userspace with vcpu->mmio_needed == true
and KVM_EXIT_SHUTDOWN exit reason. However, the syszkaller testcase constructs
several threads to launch the same vCPU, the thread which lauch this vCPU after
the thread whichs get the vcpu->mmio_needed == true and KVM_EXIT_SHUTDOWN will
trigger the warning.

   #define _GNU_SOURCE
   #include <pthread.h>
   #include <stdio.h>
   #include <stdlib.h>
   #include <string.h>
   #include <sys/wait.h>
   #include <sys/types.h>
   #include <sys/stat.h>
   #include <sys/mman.h>
   #include <fcntl.h>
   #include <unistd.h>
   #include <linux/kvm.h>
   #include <stdio.h>

   int kvmcpu;
   struct kvm_run *run;

   void* thr(void* arg)
   {
     int res;
     res = ioctl(kvmcpu, KVM_RUN, 0);
     printf("ret1=%d exit_reason=%d suberror=%d\n",
         res, run->exit_reason, run->internal.suberror);
     return 0;
   }

   void test()
   {
     int i, kvm, kvmvm;
     pthread_t th[4];

     kvm = open("/dev/kvm", O_RDWR);
     kvmvm = ioctl(kvm, KVM_CREATE_VM, 0);
     kvmcpu = ioctl(kvmvm, KVM_CREATE_VCPU, 0);
     run = (struct kvm_run*)mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, kvmcpu, 0);
     srand(getpid());
     for (i = 0; i < 4; i++) {
       pthread_create(&th[i], 0, thr, 0);
       usleep(rand() % 10000);
     }
     for (i = 0; i < 4; i++)
       pthread_join(th[i], 0);
   }

   int main()
   {
     for (;;) {
       int pid = fork();
       if (pid < 0)
         exit(1);
       if (pid == 0) {
         test();
         exit(0);
       }
       int status;
       while (waitpid(pid, &status, __WALL) != pid) {}
     }
     return 0;
   }

This patch fixes it by resetting the vcpu->mmio_needed once we receive
the triple fault to avoid the residue.

Reported-by: Dmitry Vyukov <email address hidden>
Tested-by: Dmitry Vyukov <email address hidden>
Cc: Paolo Bonzini <email address hidden>
Cc: Radim Krčmář <email address hidden>
Cc: Dmitry Vyukov <email address hidden>
Signed-off-by: Wanpeng Li <email address hidden>
Signed-off-by: Paolo Bonzini <email address hidden>
Cc: Zubin Mithra <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
Acked-by: Juerg Haefliger <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>