--- /dev/null
+From 652727bbe1b17993636346716ae5867627793647 Mon Sep 17 00:00:00 2001
+From: Frank Sorenson <sorenson@redhat.com>
+Date: Tue, 16 Apr 2019 08:37:27 -0500
+Subject: cifs: do not attempt cifs operation on smb2+ rename error
+
+From: Frank Sorenson <sorenson@redhat.com>
+
+commit 652727bbe1b17993636346716ae5867627793647 upstream.
+
+A path-based rename returning EBUSY will incorrectly try opening
+the file with a cifs (NT Create AndX) operation on an smb2+ mount,
+which causes the server to force a session close.
+
+If the mount is smb2+, skip the fallback.
+
+Signed-off-by: Frank Sorenson <sorenson@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -1735,6 +1735,10 @@ cifs_do_rename(const unsigned int xid, s
+ if (rc == 0 || rc != -EBUSY)
+ goto do_rename_exit;
+
++ /* Don't fall back to using SMB on SMB 2+ mount */
++ if (server->vals->protocol_id != 0)
++ goto do_rename_exit;
++
+ /* open-file renames don't work across directories */
+ if (to_dentry->d_parent != from_dentry->d_parent)
+ goto do_rename_exit;
--- /dev/null
+From 13f5938d8264b5501368523c4513ff26608a33e8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= <jglisse@redhat.com>
+Date: Wed, 10 Apr 2019 15:37:47 -0400
+Subject: cifs: fix page reference leak with readv/writev
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jérôme Glisse <jglisse@redhat.com>
+
+commit 13f5938d8264b5501368523c4513ff26608a33e8 upstream.
+
+CIFS can leak pages reference gotten through GUP (get_user_pages*()
+through iov_iter_get_pages()). This happen if cifs_send_async_read()
+or cifs_write_from_iter() calls fail from within __cifs_readv() and
+__cifs_writev() respectively. This patch move page unreference to
+cifs_aio_ctx_release() which will happens on all code paths this is
+all simpler to follow for correctness.
+
+Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
+Cc: Steve French <sfrench@samba.org>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: linux-fsdevel@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/file.c | 15 +--------------
+ fs/cifs/misc.c | 23 ++++++++++++++++++++++-
+ 2 files changed, 23 insertions(+), 15 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -2796,7 +2796,6 @@ static void collect_uncached_write_data(
+ struct cifs_tcon *tcon;
+ struct cifs_sb_info *cifs_sb;
+ struct dentry *dentry = ctx->cfile->dentry;
+- unsigned int i;
+ int rc;
+
+ tcon = tlink_tcon(ctx->cfile->tlink);
+@@ -2860,10 +2859,6 @@ restart_loop:
+ kref_put(&wdata->refcount, cifs_uncached_writedata_release);
+ }
+
+- if (!ctx->direct_io)
+- for (i = 0; i < ctx->npages; i++)
+- put_page(ctx->bv[i].bv_page);
+-
+ cifs_stats_bytes_written(tcon, ctx->total_len);
+ set_bit(CIFS_INO_INVALID_MAPPING, &CIFS_I(dentry->d_inode)->flags);
+
+@@ -3472,7 +3467,6 @@ collect_uncached_read_data(struct cifs_a
+ struct iov_iter *to = &ctx->iter;
+ struct cifs_sb_info *cifs_sb;
+ struct cifs_tcon *tcon;
+- unsigned int i;
+ int rc;
+
+ tcon = tlink_tcon(ctx->cfile->tlink);
+@@ -3556,15 +3550,8 @@ again:
+ kref_put(&rdata->refcount, cifs_uncached_readdata_release);
+ }
+
+- if (!ctx->direct_io) {
+- for (i = 0; i < ctx->npages; i++) {
+- if (ctx->should_dirty)
+- set_page_dirty(ctx->bv[i].bv_page);
+- put_page(ctx->bv[i].bv_page);
+- }
+-
++ if (!ctx->direct_io)
+ ctx->total_len = ctx->len - iov_iter_count(to);
+- }
+
+ cifs_stats_bytes_read(tcon, ctx->total_len);
+
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -789,6 +789,11 @@ cifs_aio_ctx_alloc(void)
+ {
+ struct cifs_aio_ctx *ctx;
+
++ /*
++ * Must use kzalloc to initialize ctx->bv to NULL and ctx->direct_io
++ * to false so that we know when we have to unreference pages within
++ * cifs_aio_ctx_release()
++ */
+ ctx = kzalloc(sizeof(struct cifs_aio_ctx), GFP_KERNEL);
+ if (!ctx)
+ return NULL;
+@@ -807,7 +812,23 @@ cifs_aio_ctx_release(struct kref *refcou
+ struct cifs_aio_ctx, refcount);
+
+ cifsFileInfo_put(ctx->cfile);
+- kvfree(ctx->bv);
++
++ /*
++ * ctx->bv is only set if setup_aio_ctx_iter() was call successfuly
++ * which means that iov_iter_get_pages() was a success and thus that
++ * we have taken reference on pages.
++ */
++ if (ctx->bv) {
++ unsigned i;
++
++ for (i = 0; i < ctx->npages; i++) {
++ if (ctx->should_dirty)
++ set_page_dirty(ctx->bv[i].bv_page);
++ put_page(ctx->bv[i].bv_page);
++ }
++ kvfree(ctx->bv);
++ }
++
+ kfree(ctx);
+ }
+
--- /dev/null
+From 91862cc7867bba4ee5c8fcf0ca2f1d30427b6129 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 19 Apr 2019 21:22:59 -0500
+Subject: tracing: Fix a memory leak by early error exit in trace_pid_write()
+
+From: Wenwen Wang <wang6495@umn.edu>
+
+commit 91862cc7867bba4ee5c8fcf0ca2f1d30427b6129 upstream.
+
+In trace_pid_write(), the buffer for trace parser is allocated through
+kmalloc() in trace_parser_get_init(). Later on, after the buffer is used,
+it is then freed through kfree() in trace_parser_put(). However, it is
+possible that trace_pid_write() is terminated due to unexpected errors,
+e.g., ENOMEM. In that case, the allocated buffer will not be freed, which
+is a memory leak bug.
+
+To fix this issue, free the allocated buffer when an error is encountered.
+
+Link: http://lkml.kernel.org/r/1555726979-15633-1-git-send-email-wang6495@umn.edu
+
+Fixes: f4d34a87e9c10 ("tracing: Use pid bitmap instead of a pid array for set_event_pid")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -496,8 +496,10 @@ int trace_pid_write(struct trace_pid_lis
+ * not modified.
+ */
+ pid_list = kmalloc(sizeof(*pid_list), GFP_KERNEL);
+- if (!pid_list)
++ if (!pid_list) {
++ trace_parser_put(&parser);
+ return -ENOMEM;
++ }
+
+ pid_list->pid_max = READ_ONCE(pid_max);
+
+@@ -507,6 +509,7 @@ int trace_pid_write(struct trace_pid_lis
+
+ pid_list->pids = vzalloc((pid_list->pid_max + 7) >> 3);
+ if (!pid_list->pids) {
++ trace_parser_put(&parser);
+ kfree(pid_list);
+ return -ENOMEM;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
