From 27951d8b7e06bf96a5662128c8bd522fe3f35f90 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Mon, 3 Aug 2015 21:08:32 -0400
Subject: [PATCH] Fix i386 boot bug correctly (rhbz 1247382)
---
...-dm-fix-casting-bug-in-dm_merge_bvec.patch | 55 ------------
...ge_bvec-regression-on-32-bit-systems.patch | 83 +++++++++++++++++++
kernel.spec | 5 +-
3 files changed, 86 insertions(+), 57 deletions(-)
delete mode 100644 0001-Revert-dm-fix-casting-bug-in-dm_merge_bvec.patch
create mode 100644 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
diff --git a/0001-Revert-dm-fix-casting-bug-in-dm_merge_bvec.patch b/0001-Revert-dm-fix-casting-bug-in-dm_merge_bvec.patch
deleted file mode 100644
index 5247e776c..000000000
--- a/0001-Revert-dm-fix-casting-bug-in-dm_merge_bvec.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From ee8289a2953c2d345c7d56f77e93edc18f4b7ad9 Mon Sep 17 00:00:00 2001
-From: Josh Boyer
-Date: Fri, 31 Jul 2015 15:26:05 -0400
-Subject: [PATCH] Revert "dm: fix casting bug in dm_merge_bvec()"
-
-This reverts commit 1c220c69ce0dcc0f234a9f263ad9c0864f971852.
----
- drivers/md/dm.c | 17 +++++------------
- 1 file changed, 5 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index ab37ae114e94..bd5ad54919ab 100644
---- a/drivers/md/dm.c
-+++ b/drivers/md/dm.c
-@@ -1729,7 +1729,8 @@ static int dm_merge_bvec(struct request_queue *q,
- struct mapped_device *md = q->queuedata;
- struct dm_table *map = dm_get_live_table_fast(md);
- struct dm_target *ti;
-- sector_t max_sectors, max_size = 0;
-+ sector_t max_sectors;
-+ int max_size = 0;
-
- if (unlikely(!map))
- goto out;
-@@ -1744,16 +1745,8 @@ static int dm_merge_bvec(struct request_queue *q,
- max_sectors = min(max_io_len(bvm->bi_sector, ti),
- (sector_t) queue_max_sectors(q));
- max_size = (max_sectors << SECTOR_SHIFT) - bvm->bi_size;
--
-- /*
-- * FIXME: this stop-gap fix _must_ be cleaned up (by passing a sector_t
-- * to the targets' merge function since it holds sectors not bytes).
-- * Just doing this as an interim fix for stable@ because the more
-- * comprehensive cleanup of switching to sector_t will impact every
-- * DM target that implements a ->merge hook.
-- */
-- if (max_size > INT_MAX)
-- max_size = INT_MAX;
-+ if (unlikely(max_size < 0)) /* this shouldn't _ever_ happen */
-+ max_size = 0;
-
- /*
- * merge_bvec_fn() returns number of bytes
-@@ -1761,7 +1754,7 @@ static int dm_merge_bvec(struct request_queue *q,
- * max is precomputed maximal io size
- */
- if (max_size && ti->type->merge)
-- max_size = ti->type->merge(ti, bvm, biovec, (int) max_size);
-+ max_size = ti->type->merge(ti, bvm, biovec, max_size);
- /*
- * If the target doesn't support merge method and some of the devices
- * provided their merge_bvec method (we know this by looking for the
---
-2.4.3
-
diff --git a/0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch b/0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
new file mode 100644
index 000000000..621a2f2f2
--- /dev/null
+++ b/0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
@@ -0,0 +1,83 @@
+From c9de2830476185f839e6cf3f9a0e5d258a534d5d Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Mon, 3 Aug 2015 09:54:58 -0400
+Subject: [PATCH] dm: fix dm_merge_bvec regression on 32 bit systems
+
+A DM regression on 32 bit systems was reported against v4.2-rc3 here:
+https://lkml.org/lkml/2015/7/29/401
+
+Fix this by reverting both commit 1c220c69 ("dm: fix casting bug in
+dm_merge_bvec()") and 148e51ba ("dm: improve documentation and code
+clarity in dm_merge_bvec"). This combined revert is done to eliminate
+the possibility of a partial revert in stable@ kernels.
+
+In hindsight the correct fix, at the time 1c220c69 was applied to fix
+the regression that 148e51ba introduced, should've been to simply revert
+148e51ba.
+
+Reported-by: Josh Boyer
+Acked-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Cc: stable@vger.kernel.org # 3.19+
+---
+ drivers/md/dm.c | 27 ++++++++++-----------------
+ 1 file changed, 10 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index ab37ae114e94..0d7ab20c58df 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1729,7 +1729,8 @@ static int dm_merge_bvec(struct request_queue *q,
+ struct mapped_device *md = q->queuedata;
+ struct dm_table *map = dm_get_live_table_fast(md);
+ struct dm_target *ti;
+- sector_t max_sectors, max_size = 0;
++ sector_t max_sectors;
++ int max_size = 0;
+
+ if (unlikely(!map))
+ goto out;
+@@ -1742,18 +1743,10 @@ static int dm_merge_bvec(struct request_queue *q,
+ * Find maximum amount of I/O that won't need splitting
+ */
+ max_sectors = min(max_io_len(bvm->bi_sector, ti),
+- (sector_t) queue_max_sectors(q));
++ (sector_t) BIO_MAX_SECTORS);
+ max_size = (max_sectors << SECTOR_SHIFT) - bvm->bi_size;
+-
+- /*
+- * FIXME: this stop-gap fix _must_ be cleaned up (by passing a sector_t
+- * to the targets' merge function since it holds sectors not bytes).
+- * Just doing this as an interim fix for stable@ because the more
+- * comprehensive cleanup of switching to sector_t will impact every
+- * DM target that implements a ->merge hook.
+- */
+- if (max_size > INT_MAX)
+- max_size = INT_MAX;
++ if (max_size < 0)
++ max_size = 0;
+
+ /*
+ * merge_bvec_fn() returns number of bytes
+@@ -1761,13 +1754,13 @@ static int dm_merge_bvec(struct request_queue *q,
+ * max is precomputed maximal io size
+ */
+ if (max_size && ti->type->merge)
+- max_size = ti->type->merge(ti, bvm, biovec, (int) max_size);
++ max_size = ti->type->merge(ti, bvm, biovec, max_size);
+ /*
+ * If the target doesn't support merge method and some of the devices
+- * provided their merge_bvec method (we know this by looking for the
+- * max_hw_sectors that dm_set_device_limits may set), then we can't
+- * allow bios with multiple vector entries. So always set max_size
+- * to 0, and the code below allows just one page.
++ * provided their merge_bvec method (we know this by looking at
++ * queue_max_hw_sectors), then we can't allow bios with multiple vector
++ * entries. So always set max_size to 0, and the code below allows
++ * just one page.
+ */
+ else if (queue_max_hw_sectors(q) <= PAGE_SIZE >> 9)
+ max_size = 0;
+--
+2.4.3
+
diff --git a/kernel.spec b/kernel.spec
index 4f908544f..32d084fdd 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -40,7 +40,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
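Review bot: In the embedded drivers/md/dm.c change, `max_size` is `int` again while `(max_sectors << SECTOR_SHIFT) - bvm->bi_size` is still evaluated in `sector_t`, so the assignment narrows implicitly and the new `if (max_size < 0)` clamp is only sound as long as `max_sectors` stays bounded by `BIO_MAX_SECTORS` on the line above. Nothing in the added lines records that dependency, and the commit message itself describes two earlier regressions from changing the bound and the type here. I would put a comment above the assignment, e.g. `/* max_sectors <= BIO_MAX_SECTORS, so the byte count fits in an int; negative means bi_size is already past the limit */`. dm_merge_bvec() starts and ends outside the hunks shown, so later uses of max_size should be checked against the full function.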
@@ -582,7 +582,7 @@ Patch502: firmware-Drop-WARN-from-usermodehelper_read_trylock-.patch
 Patch503: drm-i915-turn-off-wc-mmaps.patch
-Patch505: 0001-Revert-dm-fix-casting-bug-in-dm_merge_bvec.patch
+Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
 # CVE-2015-5697 (rhbz 1249011 1249013)
 Patch506: md-use-kzalloc-when-bitmap-is-disabled.patch
@@ -2025,6 +2025,7 @@ fi
 #
 %changelog
 * Mon Aug 03 2015 Josh Boyer
+- Fix i386 boot bug correctly (rhbz 1247382)
 - CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)
 * Mon Aug 03 2015 Josh Boyer - 4.2.0-0.rc5.git0.1