From: Greg Kroah-Hartman Date: Mon, 4 Nov 2019 11:10:07 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.199~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=068225da504d6fd55c0f048d2394a27dbe2fe74d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch sctp-not-bind-the-socket-in-sctp_connect.patch xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch --- diff --git a/queue-4.14/sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch b/queue-4.14/sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch new file mode 100644 index 00000000000..bc5a2858de0 --- /dev/null +++ b/queue-4.14/sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch @@ -0,0 +1,214 @@ +From 644fbdeacf1d3edd366e44b8ba214de9d1dd66a9 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 20 May 2018 16:39:10 +0800 +Subject: sctp: fix the issue that flags are ignored when using kernel_connect + +From: Xin Long + +commit 644fbdeacf1d3edd366e44b8ba214de9d1dd66a9 upstream. + +Now sctp uses inet_dgram_connect as its proto_ops .connect, and the flags +param can't be passed into its proto .connect where this flags is really +needed. + +sctp works around it by getting flags from socket file in __sctp_connect. +It works for connecting from userspace, as inherently the user sock has +socket file and it passes f_flags as the flags param into the proto_ops +.connect. + +However, the sock created by sock_create_kern doesn't have a socket file, +and it passes the flags (like O_NONBLOCK) by using the flags param in +kernel_connect, which calls proto_ops .connect later. + +So to fix it, this patch defines a new proto_ops .connect for sctp, +sctp_inet_connect, which calls __sctp_connect() directly with this +flags param. After this, the sctp's proto .connect can be removed. + +Note that sctp_inet_connect doesn't need to do some checks that are not +needed for sctp, which makes thing better than with inet_dgram_connect. + +Suggested-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Acked-by: Neil Horman +Acked-by: Marcelo Ricardo Leitner +Reviewed-by: Michal Kubecek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/sctp/sctp.h | 2 + + net/sctp/ipv6.c | 2 - + net/sctp/protocol.c | 2 - + net/sctp/socket.c | 56 ++++++++++++++++++++++++++++++++---------------- + 4 files changed, 42 insertions(+), 20 deletions(-) + +--- a/include/net/sctp/sctp.h ++++ b/include/net/sctp/sctp.h +@@ -103,6 +103,8 @@ void sctp_addr_wq_mgmt(struct net *, str + /* + * sctp/socket.c + */ ++int sctp_inet_connect(struct socket *sock, struct sockaddr *uaddr, ++ int addr_len, int flags); + int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb); + int sctp_inet_listen(struct socket *sock, int backlog); + void sctp_write_space(struct sock *sk); +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -974,7 +974,7 @@ static const struct proto_ops inet6_seqp + .owner = THIS_MODULE, + .release = inet6_release, + .bind = inet6_bind, +- .connect = inet_dgram_connect, ++ .connect = sctp_inet_connect, + .socketpair = sock_no_socketpair, + .accept = inet_accept, + .getname = sctp_getname, +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -1019,7 +1019,7 @@ static const struct proto_ops inet_seqpa + .owner = THIS_MODULE, + .release = inet_release, /* Needs to be wrapped... */ + .bind = inet_bind, +- .connect = inet_dgram_connect, ++ .connect = sctp_inet_connect, + .socketpair = sock_no_socketpair, + .accept = inet_accept, + .getname = inet_getname, /* Semantics are different. */ +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1076,7 +1076,7 @@ out: + */ + static int __sctp_connect(struct sock *sk, + struct sockaddr *kaddrs, +- int addrs_size, ++ int addrs_size, int flags, + sctp_assoc_t *assoc_id) + { + struct net *net = sock_net(sk); +@@ -1094,7 +1094,6 @@ static int __sctp_connect(struct sock *s + union sctp_addr *sa_addr = NULL; + void *addr_buf; + unsigned short port; +- unsigned int f_flags = 0; + + sp = sctp_sk(sk); + ep = sp->ep; +@@ -1244,13 +1243,7 @@ static int __sctp_connect(struct sock *s + sp->pf->to_sk_daddr(sa_addr, sk); + sk->sk_err = 0; + +- /* in-kernel sockets don't generally have a file allocated to them +- * if all they do is call sock_create_kern(). +- */ +- if (sk->sk_socket->file) +- f_flags = sk->sk_socket->file->f_flags; +- +- timeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK); ++ timeo = sock_sndtimeo(sk, flags & O_NONBLOCK); + + if (assoc_id) + *assoc_id = asoc->assoc_id; +@@ -1345,7 +1338,7 @@ static int __sctp_setsockopt_connectx(st + { + struct sockaddr *kaddrs; + gfp_t gfp = GFP_KERNEL; +- int err = 0; ++ int err = 0, flags = 0; + + pr_debug("%s: sk:%p addrs:%p addrs_size:%d\n", + __func__, sk, addrs, addrs_size); +@@ -1365,11 +1358,18 @@ static int __sctp_setsockopt_connectx(st + return -ENOMEM; + + if (__copy_from_user(kaddrs, addrs, addrs_size)) { +- err = -EFAULT; +- } else { +- err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id); ++ kfree(kaddrs); ++ return -EFAULT; + } + ++ /* in-kernel sockets don't generally have a file allocated to them ++ * if all they do is call sock_create_kern(). ++ */ ++ if (sk->sk_socket->file) ++ flags = sk->sk_socket->file->f_flags; ++ ++ err = __sctp_connect(sk, kaddrs, addrs_size, flags, assoc_id); ++ + kfree(kaddrs); + + return err; +@@ -4166,16 +4166,26 @@ out_nounlock: + * len: the size of the address. + */ + static int sctp_connect(struct sock *sk, struct sockaddr *addr, +- int addr_len) ++ int addr_len, int flags) + { +- int err = 0; ++ struct inet_sock *inet = inet_sk(sk); + struct sctp_af *af; ++ int err = 0; + + lock_sock(sk); + + pr_debug("%s: sk:%p, sockaddr:%p, addr_len:%d\n", __func__, sk, + addr, addr_len); + ++ /* We may need to bind the socket. */ ++ if (!inet->inet_num) { ++ if (sk->sk_prot->get_port(sk, 0)) { ++ release_sock(sk); ++ return -EAGAIN; ++ } ++ inet->inet_sport = htons(inet->inet_num); ++ } ++ + /* Validate addr_len before calling common connect/connectx routine. */ + af = sctp_get_af_specific(addr->sa_family); + if (!af || addr_len < af->sockaddr_len) { +@@ -4184,13 +4194,25 @@ static int sctp_connect(struct sock *sk, + /* Pass correct addr len to common routine (so it knows there + * is only one address being passed. + */ +- err = __sctp_connect(sk, addr, af->sockaddr_len, NULL); ++ err = __sctp_connect(sk, addr, af->sockaddr_len, flags, NULL); + } + + release_sock(sk); + return err; + } + ++int sctp_inet_connect(struct socket *sock, struct sockaddr *uaddr, ++ int addr_len, int flags) ++{ ++ if (addr_len < sizeof(uaddr->sa_family)) ++ return -EINVAL; ++ ++ if (uaddr->sa_family == AF_UNSPEC) ++ return -EOPNOTSUPP; ++ ++ return sctp_connect(sock->sk, uaddr, addr_len, flags); ++} ++ + /* FIXME: Write comments. */ + static int sctp_disconnect(struct sock *sk, int flags) + { +@@ -8298,7 +8320,6 @@ struct proto sctp_prot = { + .name = "SCTP", + .owner = THIS_MODULE, + .close = sctp_close, +- .connect = sctp_connect, + .disconnect = sctp_disconnect, + .accept = sctp_accept, + .ioctl = sctp_ioctl, +@@ -8337,7 +8358,6 @@ struct proto sctpv6_prot = { + .name = "SCTPv6", + .owner = THIS_MODULE, + .close = sctp_close, +- .connect = sctp_connect, + .disconnect = sctp_disconnect, + .accept = sctp_accept, + .ioctl = sctp_ioctl, diff --git a/queue-4.14/sctp-not-bind-the-socket-in-sctp_connect.patch b/queue-4.14/sctp-not-bind-the-socket-in-sctp_connect.patch new file mode 100644 index 00000000000..cfddb0e7e71 --- /dev/null +++ b/queue-4.14/sctp-not-bind-the-socket-in-sctp_connect.patch @@ -0,0 +1,72 @@ +From 9b6c08878e23adb7cc84bdca94d8a944b03f099e Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Wed, 26 Jun 2019 16:31:39 +0800 +Subject: sctp: not bind the socket in sctp_connect + +From: Xin Long + +commit 9b6c08878e23adb7cc84bdca94d8a944b03f099e upstream. + +Now when sctp_connect() is called with a wrong sa_family, it binds +to a port but doesn't set bp->port, then sctp_get_af_specific will +return NULL and sctp_connect() returns -EINVAL. + +Then if sctp_bind() is called to bind to another port, the last +port it has bound will leak due to bp->port is NULL by then. + +sctp_connect() doesn't need to bind ports, as later __sctp_connect +will do it if bp->port is NULL. So remove it from sctp_connect(). +While at it, remove the unnecessary sockaddr.sa_family len check +as it's already done in sctp_inet_connect. + +Fixes: 644fbdeacf1d ("sctp: fix the issue that flags are ignored when using kernel_connect") +Reported-by: syzbot+079bf326b38072f849d9@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + + +--- + net/sctp/socket.c | 21 ++------------------- + 1 file changed, 2 insertions(+), 19 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4168,34 +4168,17 @@ out_nounlock: + static int sctp_connect(struct sock *sk, struct sockaddr *addr, + int addr_len, int flags) + { +- struct inet_sock *inet = inet_sk(sk); + struct sctp_af *af; +- int err = 0; ++ int err = -EINVAL; + + lock_sock(sk); +- + pr_debug("%s: sk:%p, sockaddr:%p, addr_len:%d\n", __func__, sk, + addr, addr_len); + +- /* We may need to bind the socket. */ +- if (!inet->inet_num) { +- if (sk->sk_prot->get_port(sk, 0)) { +- release_sock(sk); +- return -EAGAIN; +- } +- inet->inet_sport = htons(inet->inet_num); +- } +- + /* Validate addr_len before calling common connect/connectx routine. */ + af = sctp_get_af_specific(addr->sa_family); +- if (!af || addr_len < af->sockaddr_len) { +- err = -EINVAL; +- } else { +- /* Pass correct addr len to common routine (so it knows there +- * is only one address being passed. +- */ ++ if (af && addr_len >= af->sockaddr_len) + err = __sctp_connect(sk, addr, af->sockaddr_len, flags, NULL); +- } + + release_sock(sk); + return err; diff --git a/queue-4.14/series b/queue-4.14/series index 582caba2142..093667d31bb 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -89,3 +89,6 @@ bonding-fix-potential-null-deref-in-bond_update_slave_arr.patch blackhole_netdev-fix-syzkaller-reported-issue.patch net-usb-sr9800-fix-uninitialized-local-variable.patch sch_netem-fix-rcu-splat-in-netem_enqueue.patch +sctp-fix-the-issue-that-flags-are-ignored-when-using-kernel_connect.patch +sctp-not-bind-the-socket-in-sctp_connect.patch +xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch diff --git a/queue-4.14/xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch b/queue-4.14/xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch new file mode 100644 index 00000000000..44fc7ee94dd --- /dev/null +++ b/queue-4.14/xfs-correctly-invert-xfs_buftarg-lru-isolation-logic.patch @@ -0,0 +1,42 @@ +From 19957a181608d25c8f4136652d0ea00b3738972d Mon Sep 17 00:00:00 2001 +From: Vratislav Bendel +Date: Tue, 6 Mar 2018 17:07:44 -0800 +Subject: xfs: Correctly invert xfs_buftarg LRU isolation logic + +From: Vratislav Bendel + +commit 19957a181608d25c8f4136652d0ea00b3738972d upstream. + +Due to an inverted logic mistake in xfs_buftarg_isolate() +the xfs_buffers with zero b_lru_ref will take another trip +around LRU, while isolating buffers with non-zero b_lru_ref. + +Additionally those isolated buffers end up right back on the LRU +once they are released, because b_lru_ref remains elevated. + +Fix that circuitous route by leaving them on the LRU +as originally intended. + +Signed-off-by: Vratislav Bendel +Reviewed-by: Brian Foster +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Alex Lyakas +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/xfs_buf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xfs/xfs_buf.c ++++ b/fs/xfs/xfs_buf.c +@@ -1702,7 +1702,7 @@ xfs_buftarg_isolate( + * zero. If the value is already zero, we need to reclaim the + * buffer, otherwise it gets another trip through the LRU. + */ +- if (!atomic_add_unless(&bp->b_lru_ref, -1, 0)) { ++ if (atomic_add_unless(&bp->b_lru_ref, -1, 0)) { + spin_unlock(&bp->b_lock); + return LRU_ROTATE; + }