You-Sheng Yang

~vicamo/+git/ubuntu-kernel:bug-1824453/fix-wb-not-correctly-freed/bionic

Git
lp:~vicamo/+git/ubuntu-kernel
bug-1824453/fix-wb-not-correctly-free...

Last commit made on 2019-04-17

Get this branch:: git clone -b bug-1824453/fix-wb-not-correctly-freed/bionic https://git.launchpad.net/~vicamo/+git/ubuntu-kernel

Only You-Sheng Yang can upload to this branch. If you are You-Sheng Yang please log in for upload directions.

Branch merges

You will only be able to propose a merge to another personal repository with the same name.

Branch information

Name:: bug-1824453/fix-wb-not-correctly-freed/bionic

Repository:: lp:~vicamo/+git/ubuntu-kernel

Recent commits

d27ee1d... by Monk Liu <email address hidden> on 2017-12-29

drm/amdgpu: fix&cleanups for wb_clear

fix:
should do right shift on wb before clearing

cleanups:
1,should memset all wb buffer
2,set max wb number to 128 (total 4KB) is big enough

Signed-off-by: Monk Liu <email address hidden>
Acked-by: Alex Deucher <email address hidden>
Signed-off-by: Alex Deucher <email address hidden>
(cherry picked from commit 73469585510d5161368c899b7eacd58c824b2b24)
Signed-off-by: You-Sheng Yang <email address hidden>

33684a3... by Josef Bacik <email address hidden> on 2019-04-02

nbd: fix how we set bd_invalidated

BugLink: https://bugs.launchpad.net/bugs/1822247

bd_invalidated is kind of a pain wrt partitions as it really only
triggers the partition rescan if it is set after bd_ops->open() runs, so
setting it when we reset the device isn't useful. We also sporadically
would still have partitions left over in some disconnect cases, so fix
this by always setting bd_invalidated on open if there's no
configuration or if we've had a disconnect action happen, that way the
partition table gets invalidated and rescanned properly.

Signed-off-by: Josef Bacik <email address hidden>
Signed-off-by: Jens Axboe <email address hidden>
(cherry picked from fe1f9e6659ca6124f500a0f829202c7c902fab0c)
Signed-off-by: Colin Ian King <email address hidden>
Acked-by: Po-Hsu Lin <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

85abbb0... by Peng Hao <email address hidden> on 2019-04-02

kvmclock: fix TSC calibration for nested guests

BugLink: https://bugs.launchpad.net/bugs/1822821

Inside a nested guest, access to hardware can be slow enough that
tsc_read_refs always return ULLONG_MAX, causing tsc_refine_calibration_work
to be called periodically and the nested guest to spend a lot of time
reading the ACPI timer.

However, if the TSC frequency is available from the pvclock page,
we can just set X86_FEATURE_TSC_KNOWN_FREQ and avoid the recalibration.
'refine' operation.

Suggested-by: Peter Zijlstra <email address hidden>
Signed-off-by: Peng Hao <email address hidden>
[Commit message rewritten. - Paolo]
Signed-off-by: Paolo Bonzini <email address hidden>
(cherry picked from commit e10f7805032365cc11c739a97f226ebb48aee042)
Signed-off-by: Heitor R. Alves de Siqueira <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

ae47081... by Julian Anastasov <email address hidden> on 2019-04-09

ipvs: fix refcount usage for conns in ops mode

BugLink: https://bugs.launchpad.net/bugs/1819786

Connections in One-packet scheduling mode (-o, --ops) are
removed with refcnt=0 because they are not hashed in conn table.
To avoid refcount_dec reporting this as error, change them to be
removed with refcount_dec_if_one as all other connections.

refcount_t hit zero at ip_vs_conn_put+0x31/0x40 [ip_vs]
in sh[15519], uid/euid: 497/497
WARNING: CPU: 0 PID: 15519 at ../kernel/panic.c:657
refcount_error_report+0x94/0x9e
Modules linked in: ip_vs_rr cirrus ttm sb_edac
edac_core drm_kms_helper crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel pcbc mousedev drm aesni_intel aes_x86_64
crypto_simd glue_helper cryptd psmouse evdev input_leds led_class
intel_agp fb_sys_fops syscopyarea sysfillrect intel_rapl_perf mac_hid
intel_gtt serio_raw sysimgblt agpgart i2c_piix4 i2c_core ata_generic
pata_acpi floppy cfg80211 rfkill button loop macvlan ip_vs
nf_conntrack libcrc32c crc32c_generic ip_tables x_tables ipv6
crc_ccitt autofs4 ext4 crc16 mbcache jbd2 fscrypto ata_piix libata
atkbd libps2 scsi_mod crc32c_intel i8042 rtc_cmos serio af_packet
dm_mod dax fuse xen_netfront xen_blkfront
CPU: 0 PID: 15519 Comm: sh Tainted: G W
4.15.17 #1-NixOS
Hardware name: Xen HVM domU, BIOS 4.2.amazon 08/24/2006
RIP: 0010:refcount_error_report+0x94/0x9e
RSP: 0000:ffffa344dde039c8 EFLAGS: 00010296
RAX: 0000000000000057 RBX: ffffffff92f20e06 RCX: 0000000000000006
RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffffa344dde165c0
RBP: ffffa344dde03b08 R08: 0000000000000218 R09: 0000000000000004
R10: ffffffff93006a80 R11: 0000000000000001 R12: ffffa344d68cd100
R13: 00000000000001f1 R14: ffffffff92f12fb0 R15: 0000000000000004
FS: 00007fc9d2040fc0(0000) GS:ffffa344dde00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000262a000 CR3: 0000000016a0c004 CR4: 00000000001606f0
Call Trace:
<IRQ>
ex_handler_refcount+0x4e/0x80
fixup_exception+0x33/0x40
do_trap+0x83/0x140
do_error_trap+0x83/0xf0
? ip_vs_conn_drop_conntrack+0x120/0x1a5 [ip_vs]
? ip_finish_output2+0x29c/0x390
? ip_finish_output2+0x1a2/0x390
invalid_op+0x1b/0x40
RIP: 0010:ip_vs_conn_put+0x31/0x40 [ip_vs]
RSP: 0000:ffffa344dde03bb8 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffffa344df31cf00 RCX: ffffa344d7450198
RDX: 0000000000000003 RSI: 00000000fffffe01 RDI: ffffa344d7450140
RBP: 0000000000000002 R08: 0000000000000476 R09: 0000000000000000
R10: ffffa344dde03b28 R11: ffffa344df200000 R12: ffffa344d7d09000
R13: ffffa344def3a980 R14: ffffffffc04f6e20 R15: 0000000000000008
ip_vs_in.part.29.constprop.36+0x34f/0x640 [ip_vs]
? ip_vs_conn_out_get+0xe0/0xe0 [ip_vs]
ip_vs_remote_request4+0x47/0xa0 [ip_vs]
? ip_vs_in.part.29.constprop.36+0x640/0x640 [ip_vs]
nf_hook_slow+0x43/0xc0
ip_local_deliver+0xac/0xc0
? ip_rcv_finish+0x400/0x400
ip_rcv+0x26c/0x380
__netif_receive_skb_core+0x3a0/0xb10
? inet_gro_receive+0x23c/0x2b0
? netif_receive_skb_internal+0x24/0xb0
netif_receive_skb_internal+0x24/0xb0
napi_gro_receive+0xb8/0xe0
xennet_poll+0x676/0xb40 [xen_netfront]
net_rx_action+0x139/0x3a0
__do_softirq+0xde/0x2b4
irq_exit+0xae/0xb0
xen_evtchn_do_upcall+0x2c/0x40
xen_hvm_callback_vector+0x7d/0x90
</IRQ>
RIP: 0033:0x7fc9d11c91f9
RSP: 002b:00007ffebe8a2ea0 EFLAGS: 00000202 ORIG_RAX:
ffffffffffffff0c
RAX: 00000000ffffffff RBX: 0000000002609808 RCX: 0000000000000054
RDX: 0000000000000001 RSI: 0000000002605440 RDI: 00000000025f940e
RBP: 00000000025f940e R08: 000000000260213d R09: 1999999999999999
R10: 000000000262a808 R11: 00000000025f942d R12: 00000000025f940e
R13: 00007fc9d1301e20 R14: 00000000025f9408 R15: 00007fc9d1302720
Code: 48 8b 95 80 00 00 00 41 55 49 8d 8c 24 e0 05 00
00 45 8b 84 24 38 04 00 00 41 89 c1 48 89 de 48 c7 c7 a8 2f f2 92 e8
7c fa ff ff <0f> 0b 58 5b 5d 41 5c 41 5d c3 0f 1f 44 00 00 55 48 89 e5
41 56

Reported-by: Net Filter <email address hidden>
Fixes: b54ab92b84b6 ("netfilter: refcounter conversions")
Signed-off-by: Julian Anastasov <email address hidden>
Acked-by: Simon Horman <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
(cherry picked from commit a050d345cef0dc6249263540da1e902bba617e43)
Signed-off-by: Kai-Heng Feng <email address hidden>
Acked-by: You-Sheng Yang <email address hidden>
Acked-by: Po-Hsu Lin <email address hidden>
Signed-off-by: Khalid Elmously <email address hidden>

5f1ee11... by Andrea Righi on 2019-04-05

openvswitch: fix flow actions reallocation

BugLink: https://bugs.launchpad.net/bugs/1813244

The flow action buffer can be resized if it's not big enough to contain
all the requested flow actions. However, this resize doesn't take into
account the new requested size, the buffer is only increased by a factor
of 2x. This might be not enough to contain the new data, causing a
buffer overflow, for example:

[ 42.044472] =============================================================================
[ 42.045608] BUG kmalloc-96 (Not tainted): Redzone overwritten
[ 42.046415] -----------------------------------------------------------------------------

[ 42.047715] Disabling lock debugging due to kernel taint
[ 42.047716] INFO: 0x8bf2c4a5-0x720c0928. First byte 0x0 instead of 0xcc
[ 42.048677] INFO: Slab 0xbc6d2040 objects=29 used=18 fp=0xdc07dec4 flags=0x2808101
[ 42.049743] INFO: Object 0xd53a3464 @offset=2528 fp=0xccdcdebb

[ 42.050747] Redzone 76f1b237: cc cc cc cc cc cc cc cc ........
[ 42.051839] Object d53a3464: 6b 6b 6b 6b 6b 6b 6b 6b 0c 00 00 00 6c 00 00 00 kkkkkkkk....l...
[ 42.053015] Object f49a30cc: 6c 00 0c 00 00 00 00 00 00 00 00 03 78 a3 15 f6 l...........x...
[ 42.054203] Object acfe4220: 20 00 02 00 ff ff ff ff 00 00 00 00 00 00 00 00 ...............
[ 42.055370] Object 21024e91: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.056541] Object 070e04c3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.057797] Object 948a777a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 42.059061] Redzone 8bf2c4a5: 00 00 00 00 ....
[ 42.060189] Padding a681b46e: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ

Fix by making sure the new buffer is properly resized to contain all the
requested data.

BugLink: https://bugs.launchpad.net/bugs/1813244
Signed-off-by: Andrea Righi <email address hidden>
Acked-by: Pravin B Shelar <email address hidden>
Signed-off-by: David S. Miller <email address hidden>

(cherry picked from commit f28cd2af22a0c134e4aa1c64a70f70d815d473fb)
Signed-off-by: Andrea Righi <email address hidden>
Acked-by: Juerg Haefliger <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Juerg Haefliger <email address hidden>

c50532b... by Andrea Righi on 2019-04-02