4.9-stable patches

added patches:
	sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch
	sctp-not-bind-the-socket-in-sctp_connect.patch
	xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch

diff --git a/queue-4.9/sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch b/queue-4.9/sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch
new file mode 100644 (file)
index 0000000..3d75dde
--- /dev/null
+++ b/queue-4.9/sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch
@@ -0,0 +1,214 @@
+From 644fbdeacf1d3edd366e44b8ba214de9d1dd66a9 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 20 May 2018 16:39:10 +0800
+Subject: sctp: fix the issue that flags are ignored when using kernel_connect
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 644fbdeacf1d3edd366e44b8ba214de9d1dd66a9 upstream.
+
+Now sctp uses inet_dgram_connect as its proto_ops .connect, and the flags
+param can't be passed into its proto .connect where this flags is really
+needed.
+
+sctp works around it by getting flags from socket file in __sctp_connect.
+It works for connecting from userspace, as inherently the user sock has
+socket file and it passes f_flags as the flags param into the proto_ops
+.connect.
+
+However, the sock created by sock_create_kern doesn't have a socket file,
+and it passes the flags (like O_NONBLOCK) by using the flags param in
+kernel_connect, which calls proto_ops .connect later.
+
+So to fix it, this patch defines a new proto_ops .connect for sctp,
+sctp_inet_connect, which calls __sctp_connect() directly with this
+flags param. After this, the sctp's proto .connect can be removed.
+
+Note that sctp_inet_connect doesn't need to do some checks that are not
+needed for sctp, which makes thing better than with inet_dgram_connect.
+
+Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/sctp/sctp.h |    2 +
+ net/sctp/ipv6.c         |    2 -
+ net/sctp/protocol.c     |    2 -
+ net/sctp/socket.c       |   56 ++++++++++++++++++++++++++++++++----------------
+ 4 files changed, 42 insertions(+), 20 deletions(-)
+
+--- a/include/net/sctp/sctp.h
++++ b/include/net/sctp/sctp.h
+@@ -103,6 +103,8 @@ void sctp_addr_wq_mgmt(struct net *, str
+ /*
+  * sctp/socket.c
+  */
++int sctp_inet_connect(struct socket *sock, struct sockaddr *uaddr,
++                    int addr_len, int flags);
+ int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb);
+ int sctp_inet_listen(struct socket *sock, int backlog);
+ void sctp_write_space(struct sock *sk);
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -973,7 +973,7 @@ static const struct proto_ops inet6_seqp
+       .owner             = THIS_MODULE,
+       .release           = inet6_release,
+       .bind              = inet6_bind,
+-      .connect           = inet_dgram_connect,
++      .connect           = sctp_inet_connect,
+       .socketpair        = sock_no_socketpair,
+       .accept            = inet_accept,
+       .getname           = sctp_getname,
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -1014,7 +1014,7 @@ static const struct proto_ops inet_seqpa
+       .owner             = THIS_MODULE,
+       .release           = inet_release,      /* Needs to be wrapped... */
+       .bind              = inet_bind,
+-      .connect           = inet_dgram_connect,
++      .connect           = sctp_inet_connect,
+       .socketpair        = sock_no_socketpair,
+       .accept            = inet_accept,
+       .getname           = inet_getname,      /* Semantics are different.  */
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1074,7 +1074,7 @@ out:
+  */
+ static int __sctp_connect(struct sock *sk,
+                         struct sockaddr *kaddrs,
+-                        int addrs_size,
++                        int addrs_size, int flags,
+                         sctp_assoc_t *assoc_id)
+ {
+       struct net *net = sock_net(sk);
+@@ -1092,7 +1092,6 @@ static int __sctp_connect(struct sock *s
+       union sctp_addr *sa_addr = NULL;
+       void *addr_buf;
+       unsigned short port;
+-      unsigned int f_flags = 0;
+ 
+       sp = sctp_sk(sk);
+       ep = sp->ep;
+@@ -1240,13 +1239,7 @@ static int __sctp_connect(struct sock *s
+       sp->pf->to_sk_daddr(sa_addr, sk);
+       sk->sk_err = 0;
+ 
+-      /* in-kernel sockets don't generally have a file allocated to them
+-       * if all they do is call sock_create_kern().
+-       */
+-      if (sk->sk_socket->file)
+-              f_flags = sk->sk_socket->file->f_flags;
+-
+-      timeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK);
++      timeo = sock_sndtimeo(sk, flags & O_NONBLOCK);
+ 
+       if (assoc_id)
+               *assoc_id = asoc->assoc_id;
+@@ -1341,7 +1334,7 @@ static int __sctp_setsockopt_connectx(st
+ {
+       struct sockaddr *kaddrs;
+       gfp_t gfp = GFP_KERNEL;
+-      int err = 0;
++      int err = 0, flags = 0;
+ 
+       pr_debug("%s: sk:%p addrs:%p addrs_size:%d\n",
+                __func__, sk, addrs, addrs_size);
+@@ -1361,11 +1354,18 @@ static int __sctp_setsockopt_connectx(st
+               return -ENOMEM;
+ 
+       if (__copy_from_user(kaddrs, addrs, addrs_size)) {
+-              err = -EFAULT;
+-      } else {
+-              err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id);
++              kfree(kaddrs);
++              return -EFAULT;
+       }
+ 
++      /* in-kernel sockets don't generally have a file allocated to them
++       * if all they do is call sock_create_kern().
++       */
++      if (sk->sk_socket->file)
++              flags = sk->sk_socket->file->f_flags;
++
++      err = __sctp_connect(sk, kaddrs, addrs_size, flags, assoc_id);
++
+       kfree(kaddrs);
+ 
+       return err;
+@@ -3979,16 +3979,26 @@ out_nounlock:
+  * len: the size of the address.
+  */
+ static int sctp_connect(struct sock *sk, struct sockaddr *addr,
+-                      int addr_len)
++                      int addr_len, int flags)
+ {
+-      int err = 0;
++      struct inet_sock *inet = inet_sk(sk);
+       struct sctp_af *af;
++      int err = 0;
+ 
+       lock_sock(sk);
+ 
+       pr_debug("%s: sk:%p, sockaddr:%p, addr_len:%d\n", __func__, sk,
+                addr, addr_len);
+ 
++      /* We may need to bind the socket. */
++      if (!inet->inet_num) {
++              if (sk->sk_prot->get_port(sk, 0)) {
++                      release_sock(sk);
++                      return -EAGAIN;
++              }
++              inet->inet_sport = htons(inet->inet_num);
++      }
++
+       /* Validate addr_len before calling common connect/connectx routine. */
+       af = sctp_get_af_specific(addr->sa_family);
+       if (!af || addr_len < af->sockaddr_len) {
+@@ -3997,13 +4007,25 @@ static int sctp_connect(struct sock *sk,
+               /* Pass correct addr len to common routine (so it knows there
+                * is only one address being passed.
+                */
+-              err = __sctp_connect(sk, addr, af->sockaddr_len, NULL);
++              err = __sctp_connect(sk, addr, af->sockaddr_len, flags, NULL);
+       }
+ 
+       release_sock(sk);
+       return err;
+ }
+ 
++int sctp_inet_connect(struct socket *sock, struct sockaddr *uaddr,
++                    int addr_len, int flags)
++{
++      if (addr_len < sizeof(uaddr->sa_family))
++              return -EINVAL;
++
++      if (uaddr->sa_family == AF_UNSPEC)
++              return -EOPNOTSUPP;
++
++      return sctp_connect(sock->sk, uaddr, addr_len, flags);
++}
++
+ /* FIXME: Write comments. */
+ static int sctp_disconnect(struct sock *sk, int flags)
+ {
+@@ -7896,7 +7918,6 @@ struct proto sctp_prot = {
+       .name        =  "SCTP",
+       .owner       =  THIS_MODULE,
+       .close       =  sctp_close,
+-      .connect     =  sctp_connect,
+       .disconnect  =  sctp_disconnect,
+       .accept      =  sctp_accept,
+       .ioctl       =  sctp_ioctl,
+@@ -7935,7 +7956,6 @@ struct proto sctpv6_prot = {
+       .name           = "SCTPv6",
+       .owner          = THIS_MODULE,
+       .close          = sctp_close,
+-      .connect        = sctp_connect,
+       .disconnect     = sctp_disconnect,
+       .accept         = sctp_accept,
+       .ioctl          = sctp_ioctl,

diff --git a/queue-4.9/sctp-not-bind-the-socket-in-sctp_connect.patch b/queue-4.9/sctp-not-bind-the-socket-in-sctp_connect.patch
new file mode 100644 (file)
index 0000000..d35c0c7
--- /dev/null
+++ b/queue-4.9/sctp-not-bind-the-socket-in-sctp_connect.patch
@@ -0,0 +1,72 @@
+From 9b6c08878e23adb7cc84bdca94d8a944b03f099e Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 26 Jun 2019 16:31:39 +0800
+Subject: sctp: not bind the socket in sctp_connect
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 9b6c08878e23adb7cc84bdca94d8a944b03f099e upstream.
+
+Now when sctp_connect() is called with a wrong sa_family, it binds
+to a port but doesn't set bp->port, then sctp_get_af_specific will
+return NULL and sctp_connect() returns -EINVAL.
+
+Then if sctp_bind() is called to bind to another port, the last
+port it has bound will leak due to bp->port is NULL by then.
+
+sctp_connect() doesn't need to bind ports, as later __sctp_connect
+will do it if bp->port is NULL. So remove it from sctp_connect().
+While at it, remove the unnecessary sockaddr.sa_family len check
+as it's already done in sctp_inet_connect.
+
+Fixes: 644fbdeacf1d ("sctp: fix the issue that flags are ignored when using kernel_connect")
+Reported-by: syzbot+079bf326b38072f849d9@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ net/sctp/socket.c |   21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -3981,34 +3981,17 @@ out_nounlock:
+ static int sctp_connect(struct sock *sk, struct sockaddr *addr,
+                       int addr_len, int flags)
+ {
+-      struct inet_sock *inet = inet_sk(sk);
+       struct sctp_af *af;
+-      int err = 0;
++      int err = -EINVAL;
+ 
+       lock_sock(sk);
+-
+       pr_debug("%s: sk:%p, sockaddr:%p, addr_len:%d\n", __func__, sk,
+                addr, addr_len);
+ 
+-      /* We may need to bind the socket. */
+-      if (!inet->inet_num) {
+-              if (sk->sk_prot->get_port(sk, 0)) {
+-                      release_sock(sk);
+-                      return -EAGAIN;
+-              }
+-              inet->inet_sport = htons(inet->inet_num);
+-      }
+-
+       /* Validate addr_len before calling common connect/connectx routine. */
+       af = sctp_get_af_specific(addr->sa_family);
+-      if (!af || addr_len < af->sockaddr_len) {
+-              err = -EINVAL;
+-      } else {
+-              /* Pass correct addr len to common routine (so it knows there
+-               * is only one address being passed.
+-               */
++      if (af && addr_len >= af->sockaddr_len)
+               err = __sctp_connect(sk, addr, af->sockaddr_len, flags, NULL);
+-      }
+ 
+       release_sock(sk);
+       return err;

diff --git a/queue-4.9/series b/queue-4.9/series
index b09254ba944881cbb9e7bc3f0179bdb012583f9f..96c3e53c0aff47710f4a921336bde80b21af7411 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -53,3 +53,6 @@ llc-fix-sk_buff-leak-in-llc_conn_service.patch
 bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch
 net-usb-sr9800-fix-uninitialized-local-variable.patch
 sch_netem-fix-rcu-splat-in-netem_enqueue.patch
+sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch
+sctp-not-bind-the-socket-in-sctp_connect.patch
+xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch

diff --git a/queue-4.9/xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch b/queue-4.9/xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch
new file mode 100644 (file)
index 0000000..9e80c55
--- /dev/null
+++ b/queue-4.9/xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch
@@ -0,0 +1,42 @@
+From 19957a181608d25c8f4136652d0ea00b3738972d Mon Sep 17 00:00:00 2001
+From: Vratislav Bendel <vbendel@redhat.com>
+Date: Tue, 6 Mar 2018 17:07:44 -0800
+Subject: xfs: Correctly invert xfs_buftarg LRU isolation logic
+
+From: Vratislav Bendel <vbendel@redhat.com>
+
+commit 19957a181608d25c8f4136652d0ea00b3738972d upstream.
+
+Due to an inverted logic mistake in xfs_buftarg_isolate()
+the xfs_buffers with zero b_lru_ref will take another trip
+around LRU, while isolating buffers with non-zero b_lru_ref.
+
+Additionally those isolated buffers end up right back on the LRU
+once they are released, because b_lru_ref remains elevated.
+
+Fix that circuitous route by leaving them on the LRU
+as originally intended.
+
+Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Alex Lyakas <alex@zadara.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_buf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -1674,7 +1674,7 @@ xfs_buftarg_isolate(
+        * zero. If the value is already zero, we need to reclaim the
+        * buffer, otherwise it gets another trip through the LRU.
+        */
+-      if (!atomic_add_unless(&bp->b_lru_ref, -1, 0)) {
++      if (atomic_add_unless(&bp->b_lru_ref, -1, 0)) {
+               spin_unlock(&bp->b_lock);
+               return LRU_ROTATE;
+       }