5.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 Aug 2020 06:51:55 +0000 (08:51 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 2 Aug 2020 06:51:55 +0000 (08:51 +0200)
added patches:
libtraceevent-fix-build-with-binutils-2.35.patch
rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch

queue-5.7/libtraceevent-fix-build-with-binutils-2.35.patch [new file with mode: 0644]
queue-5.7/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch [new file with mode: 0644]
queue-5.7/series

diff --git a/queue-5.7/libtraceevent-fix-build-with-binutils-2.35.patch b/queue-5.7/libtraceevent-fix-build-with-binutils-2.35.patch
new file mode 100644 (file)
index 0000000..45ef681
--- /dev/null
@@ -0,0 +1,37 @@
+From 39efdd94e314336f4acbac4c07e0f37bdc3bef71 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 25 Jul 2020 02:06:23 +0100
+Subject: libtraceevent: Fix build with binutils 2.35
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 39efdd94e314336f4acbac4c07e0f37bdc3bef71 upstream.
+
+In binutils 2.35, 'nm -D' changed to show symbol versions along with
+symbol names, with the usual @@ separator.  When generating
+libtraceevent-dynamic-list we need just the names, so strip off the
+version suffix if present.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Tested-by: Salvatore Bonaccorso <carnil@debian.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: linux-trace-devel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/traceevent/plugins/Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/lib/traceevent/plugins/Makefile
++++ b/tools/lib/traceevent/plugins/Makefile
+@@ -197,7 +197,7 @@ define do_generate_dynamic_list_file
+       xargs echo "U w W" | tr 'w ' 'W\n' | sort -u | xargs echo`;\
+       if [ "$$symbol_type" = "U W" ];then                             \
+               (echo '{';                                              \
+-              $(NM) -u -D $1 | awk 'NF>1 {print "\t"$$2";"}' | sort -u;\
++              $(NM) -u -D $1 | awk 'NF>1 {sub("@.*", "", $$2); print "\t"$$2";"}' | sort -u;\
+               echo '};';                                              \
+               ) > $2;                                                 \
+       else                                                            \
diff --git a/queue-5.7/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch b/queue-5.7/rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch
new file mode 100644 (file)
index 0000000..85fd470
--- /dev/null
@@ -0,0 +1,47 @@
+From bbc8a99e952226c585ac17477a85ef1194501762 Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Thu, 30 Jul 2020 15:20:26 -0400
+Subject: rds: Prevent kernel-infoleak in rds_notify_queue_get()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit bbc8a99e952226c585ac17477a85ef1194501762 upstream.
+
+rds_notify_queue_get() is potentially copying uninitialized kernel stack
+memory to userspace since the compiler may leave a 4-byte hole at the end
+of `cmsg`.
+
+In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which
+unfortunately does not always initialize that 4-byte hole. Fix it by using
+memset() instead.
+
+Cc: stable@vger.kernel.org
+Fixes: f037590fff30 ("rds: fix a leak of kernel memory")
+Fixes: bdbe6fbc6a2f ("RDS: recv.c")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/recv.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -450,12 +450,13 @@ static int rds_still_queued(struct rds_s
+ int rds_notify_queue_get(struct rds_sock *rs, struct msghdr *msghdr)
+ {
+       struct rds_notifier *notifier;
+-      struct rds_rdma_notify cmsg = { 0 }; /* fill holes with zero */
++      struct rds_rdma_notify cmsg;
+       unsigned int count = 0, max_messages = ~0U;
+       unsigned long flags;
+       LIST_HEAD(copy);
+       int err = 0;
++      memset(&cmsg, 0, sizeof(cmsg)); /* fill holes with zero */
+       /* put_cmsg copies to user space and thus may sleep. We can't do this
+        * with rs_lock held, so first grab as many notifications as we can stuff
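Review bot: The comment on the new `memset(&cmsg, 0, sizeof(cmsg));` line in rds_notify_queue_get() still says only "fill holes with zero", the same wording the removed `= { 0 }` initializer carried, so nothing at the site tells a later reader why the initializer form must not be restored. I would state the reason in place, for example `/* memset(), not "= { 0 }": an initializer may leave struct padding unset, and cmsg is copied to user space */`. That cmsg reaches user space is taken from the commit message and from the put_cmsg comment directly below. The copy itself and the rest of the function body lie outside this hunk, so the layout of struct rds_rdma_notify and the size passed to put_cmsg could not be checked here.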
index 4bbf17068d473c3fd59bb19eb7d1a5001075afd8..e0005df7ee17e9a7604b3d2ce5e63716d0b8ef1c 100644 (file)
@@ -29,3 +29,5 @@ drm-hold-gem-reference-until-object-is-no-longer-accessed.patch
 drm-of-fix-double-free-bug.patch
 random-fix-circular-include-dependency-on-arm64-after-addition-of-percpu.h.patch
 random32-remove-net_rand_state-from-the-latent-entropy-gcc-plugin.patch
+rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch
+libtraceevent-fix-build-with-binutils-2.35.patch