fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.14/9p-acl-fix-uninitialized-iattr-access.patch b/queue-4.14/9p-acl-fix-uninitialized-iattr-access.patch
new file mode 100644 (file)
index 0000000..8c9a536
--- /dev/null
+++ b/queue-4.14/9p-acl-fix-uninitialized-iattr-access.patch
@@ -0,0 +1,35 @@
+From dfe591b050d1fed6af608e02248cf88a29bd7af2 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Sat, 8 Sep 2018 00:10:57 +0900
+Subject: 9p: acl: fix uninitialized iattr access
+
+[ Upstream commit e02a53d92e197706cad1627bd84705d4aa20a145 ]
+
+iattr is passed to v9fs_vfs_setattr_dotl which does send various
+values from iattr over the wire, even if it tells the server to
+only look at iattr.ia_valid fields this could leak some stack data.
+
+Link: http://lkml.kernel.org/r/1536339057-21974-2-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 1195601 ("Uninitalized scalar variable")
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/9p/acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/9p/acl.c b/fs/9p/acl.c
+index 082d227fa56b..6261719f6f2a 100644
+--- a/fs/9p/acl.c
++++ b/fs/9p/acl.c
+@@ -276,7 +276,7 @@ static int v9fs_xattr_set_acl(const struct xattr_handler *handler,
+       switch (handler->flags) {
+       case ACL_TYPE_ACCESS:
+               if (acl) {
+-                      struct iattr iattr;
++                      struct iattr iattr = { 0 };
+                       struct posix_acl *old_acl = acl;
+ 
+                       retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+-- 
+2.20.1
+

diff --git a/queue-4.14/9p-p9dirent_read-check-network-provided-name-length.patch b/queue-4.14/9p-p9dirent_read-check-network-provided-name-length.patch
new file mode 100644 (file)
index 0000000..82081da
--- /dev/null
+++ b/queue-4.14/9p-p9dirent_read-check-network-provided-name-length.patch
@@ -0,0 +1,52 @@
+From f28f6f36ed0da90b925e605eca48db835a7efc40 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Sat, 8 Sep 2018 00:36:08 +0900
+Subject: 9p: p9dirent_read: check network-provided name length
+
+[ Upstream commit ef5305f1f72eb1cfcda25c382bb0368509c0385b ]
+
+strcpy to dirent->d_name could overflow the buffer, use strscpy to check
+the provided string length and error out if the size was too big.
+
+While we are here, make the function return an error when the pdu
+parsing failed, instead of returning the pdu offset as if it had been a
+success...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-4-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 139133 ("Copy into fixed size buffer")
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/protocol.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/9p/protocol.c b/net/9p/protocol.c
+index 766d1ef4640a..1885403c9a3e 100644
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -622,13 +622,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len,
+       if (ret) {
+               p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret);
+               trace_9p_protocol_dump(clnt, &fake_pdu);
+-              goto out;
++              return ret;
+       }
+ 
+-      strcpy(dirent->d_name, nameptr);
++      ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name));
++      if (ret < 0) {
++              p9_debug(P9_DEBUG_ERROR,
++                       "On the wire dirent name too long: %s\n",
++                       nameptr);
++              kfree(nameptr);
++              return ret;
++      }
+       kfree(nameptr);
+ 
+-out:
+       return fake_pdu.offset;
+ }
+ EXPORT_SYMBOL(p9dirent_read);
+-- 
+2.20.1
+

diff --git a/queue-4.14/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch b/queue-4.14/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
new file mode 100644 (file)
index 0000000..1c06f20
--- /dev/null
+++ b/queue-4.14/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
@@ -0,0 +1,45 @@
+From 7d53fb8b382a9d09b526a0e5c0b6875728926d50 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Thu, 30 Aug 2018 19:29:36 +0900
+Subject: 9p/rdma: do not disconnect on down_interruptible EAGAIN
+
+[ Upstream commit 8b894adb2b7e1d1e64b8954569c761eaf3d51ab5 ]
+
+9p/rdma would sometimes drop the connection and display errors in
+recv_done when the user does ^C.
+The errors were caused by recv buffers that were posted at the time
+of disconnect, and we just do not want to disconnect when
+down_interruptible is... interrupted.
+
+Link: http://lkml.kernel.org/r/1535625307-18019-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_rdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index f58467a49090..b7648b12bb1a 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -476,7 +476,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+ 
+       err = post_recv(client, rpl_context);
+       if (err) {
+-              p9_debug(P9_DEBUG_FCALL, "POST RECV failed\n");
++              p9_debug(P9_DEBUG_ERROR, "POST RECV failed: %d\n", err);
+               goto recv_error;
+       }
+       /* remove posted receive buffer from request structure */
+@@ -545,7 +545,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+  recv_error:
+       kfree(rpl_context);
+       spin_lock_irqsave(&rdma->req_lock, flags);
+-      if (rdma->state < P9_RDMA_CLOSING) {
++      if (err != -EINTR && rdma->state < P9_RDMA_CLOSING) {
+               rdma->state = P9_RDMA_CLOSING;
+               spin_unlock_irqrestore(&rdma->req_lock, flags);
+               rdma_disconnect(rdma->cm_id);
+-- 
+2.20.1
+

diff --git a/queue-4.14/9p-rdma-remove-useless-check-in-cm_event_handler.patch b/queue-4.14/9p-rdma-remove-useless-check-in-cm_event_handler.patch
new file mode 100644 (file)
index 0000000..a2ea735
--- /dev/null
+++ b/queue-4.14/9p-rdma-remove-useless-check-in-cm_event_handler.patch
@@ -0,0 +1,36 @@
+From 02506de8fc35ae351e606e140451a7ad340bf411 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Sat, 8 Sep 2018 00:26:50 +0900
+Subject: 9p/rdma: remove useless check in cm_event_handler
+
+[ Upstream commit 473c7dd1d7b59ff8f88a5154737e3eac78a96e5b ]
+
+the client c is always dereferenced to get the rdma struct, so c has to
+be a valid pointer at this point.
+Gcc would optimize that away but let's make coverity happy...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-3-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 102778 ("Dereference before null check")
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_rdma.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index b7648b12bb1a..16a4a31f16e0 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -276,8 +276,7 @@ p9_cm_event_handler(struct rdma_cm_id *id, struct rdma_cm_event *event)
+       case RDMA_CM_EVENT_DISCONNECTED:
+               if (rdma)
+                       rdma->state = P9_RDMA_CLOSED;
+-              if (c)
+-                      c->status = Disconnected;
++              c->status = Disconnected;
+               break;
+ 
+       case RDMA_CM_EVENT_TIMEWAIT_EXIT:
+-- 
+2.20.1
+

diff --git a/queue-4.14/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch b/queue-4.14/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch
new file mode 100644 (file)
index 0000000..f3c891f
--- /dev/null
+++ b/queue-4.14/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch
@@ -0,0 +1,43 @@
+From d7b14a086d552df90133e02691e60b103acd14b8 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Tue, 14 Aug 2018 02:43:48 +0000
+Subject: 9p/xen: fix check for xenbus_read error in front_probe
+
+[ Upstream commit 2f9ad0ac947ccbe3ffe7c6229c9330f2a7755f64 ]
+
+If the xen bus exists but does not expose the proper interface, it is
+possible to get a non-zero length but still some error, leading to
+strcmp failing trying to load invalid memory addresses e.g.
+fffffffffffffffe.
+
+There is then no need to check length when there is no error, as the
+xenbus driver guarantees that the string is nul-terminated.
+
+Link: http://lkml.kernel.org/r/1534236007-10170-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_xen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index c10bdf63eae7..389eb635ec2c 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -392,8 +392,8 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
+       unsigned int max_rings, max_ring_order, len = 0;
+ 
+       versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len);
+-      if (!len)
+-              return -EINVAL;
++      if (IS_ERR(versions))
++              return PTR_ERR(versions);
+       if (strcmp(versions, "1")) {
+               kfree(versions);
+               return -EINVAL;
+-- 
+2.20.1
+

diff --git a/queue-4.14/net-9p-include-trans_common.h-to-fix-missing-prototy.patch b/queue-4.14/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
new file mode 100644 (file)
index 0000000..c6f7b4c
--- /dev/null
+++ b/queue-4.14/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
@@ -0,0 +1,35 @@
+From caa15b67ea031dc963a1c5041ef7729217ebfb27 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adeodato=20Sim=C3=B3?= <dato@net.com.org.es>
+Date: Tue, 13 Nov 2018 03:28:53 -0300
+Subject: net/9p: include trans_common.h to fix missing prototype warning.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 52ad259eaac0454c1ac7123e7148cf8d6e6f5301 ]
+
+This silences -Wmissing-prototypes when defining p9_release_pages.
+
+Link: http://lkml.kernel.org/r/b1c4df8f21689b10d451c28fe38e860722d20e71.1542089696.git.dato@net.com.org.es
+Signed-off-by: Adeodato Simó <dato@net.com.org.es>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
+index 38aa6345bdfa..9c0c894b56f8 100644
+--- a/net/9p/trans_common.c
++++ b/net/9p/trans_common.c
+@@ -14,6 +14,7 @@
+ 
+ #include <linux/mm.h>
+ #include <linux/module.h>
++#include "trans_common.h"
+ 
+ /**
+  *  p9_release_req_pages - Release pages after the transaction.
+-- 
+2.20.1
+

diff --git a/queue-4.14/series b/queue-4.14/series
index 3fe3123e809368e08125ab0bfd2bbb5acc2d91e3..4f2078f58a9ab11ec046e1556d7a6cfec57423cf 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -5,3 +5,9 @@ revert-x86-uaccess-ftrace-fix-ftrace_likely_update-v.patch
 ib-hfi1-close-psm-sdma_progress-sleep-window.patch
 block-add-a-lower-level-bio_add_page-interface.patch
 block-bio_iov_iter_get_pages-pin-more-pages-for-mult.patch
+9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch
+9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
+9p-acl-fix-uninitialized-iattr-access.patch
+9p-rdma-remove-useless-check-in-cm_event_handler.patch
+9p-p9dirent_read-check-network-provided-name-length.patch
+net-9p-include-trans_common.h-to-fix-missing-prototy.patch