From: Greg Kroah-Hartman Date: Thu, 21 Apr 2022 10:02:58 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.9.312~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=203a15fa4b1e6db41c398ef4e04bbc3e4757a3c4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: can-usb_8dev-usb_8dev_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch tracing-dump-stacktrace-trigger-to-the-corresponding-instance.patch
---
diff --git a/queue-4.19/can-usb_8dev-usb_8dev_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch b/queue-4.19/can-usb_8dev-usb_8dev_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch
new file mode 100644
index 00000000000..76cfaafc4c3
--- /dev/null
+++ b/queue-4.19/can-usb_8dev-usb_8dev_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch
@@ -0,0 +1,71 @@
+From 3d3925ff6433f98992685a9679613a2cc97f3ce2 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua
+Date: Fri, 11 Mar 2022 16:06:14 +0800
+Subject: can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path
+
+From: Hangyu Hua
+
+commit 3d3925ff6433f98992685a9679613a2cc97f3ce2 upstream.
+
+There is no need to call dev_kfree_skb() when usb_submit_urb() fails
+because can_put_echo_skb() deletes original skb and
+can_free_echo_skb() deletes the cloned skb.
+
+Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
+Link: https://lore.kernel.org/all/20220311080614.45229-1-hbh25y@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Hangyu Hua
+Signed-off-by: Marc Kleine-Budde
+[DP: adjusted params of can_free_echo_skb() for 4.19 stable]
+Signed-off-by: Dragos-Marian Panait
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/usb/usb_8dev.c | 30 ++++++++++++++----------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -681,9 +681,20 @@ static netdev_tx_t usb_8dev_start_xmit(s
+ atomic_inc(&priv->active_tx_urbs);
+
+ err = usb_submit_urb(urb, GFP_ATOMIC);
+- if (unlikely(err))
+- goto failed;
+- else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)
++ if (unlikely(err)) {
++ can_free_echo_skb(netdev, context->echo_index);
++
++ usb_unanchor_urb(urb);
++ usb_free_coherent(priv->udev, size, buf, urb->transfer_dma);
++
++ atomic_dec(&priv->active_tx_urbs);
++
++ if (err == -ENODEV)
++ netif_device_detach(netdev);
++ else
++ netdev_warn(netdev, "failed tx_urb %d\n", err);
++ stats->tx_dropped++;
++ } else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)
+ /* Slow down tx path */
+ netif_stop_queue(netdev);
+
+@@ -702,19 +713,6 @@ nofreecontext:
+
+ return NETDEV_TX_BUSY;
+
+-failed:
+- can_free_echo_skb(netdev, context->echo_index);
+-
+- usb_unanchor_urb(urb);
+- usb_free_coherent(priv->udev, size, buf, urb->transfer_dma);
+-
+- atomic_dec(&priv->active_tx_urbs);
+-
+- if (err == -ENODEV)
+- netif_device_detach(netdev);
+- else
+- netdev_warn(netdev, "failed tx_urb %d\n", err);
+-
+ nomembuf:
+ usb_free_urb(urb);
+
diff --git a/queue-4.19/dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch b/queue-4.19/dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch
new file mode 100644
index 00000000000..a6ad1dd9226
--- /dev/null
+++ b/queue-4.19/dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch
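Review bot: The new `if (unlikely(err)) {` branch in usb_8dev_start_xmit() no longer frees `skb`, but nothing in the code records why, and that ownership rule is exactly what the double free violated. I would add a comment above `can_free_echo_skb(netdev, context->echo_index);` such as `/* can_put_echo_skb() consumed skb and can_free_echo_skb() frees its clone: no dev_kfree_skb() here */`. Separately, the branch reads `context->echo_index` but the hunk does not show the context slot being released on this path; that handling is outside the hunk, so please confirm a failed submit does not leave the slot marked in use. The function starts and ends outside the hunk.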
@@ -0,0 +1,53 @@
+From 08c1af8f1c13bbf210f1760132f4df24d0ed46d6 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Sun, 3 Apr 2022 14:38:22 -0400
+Subject: dm integrity: fix memory corruption when tag_size is less than digest size
+
+From: Mikulas Patocka
+
+commit 08c1af8f1c13bbf210f1760132f4df24d0ed46d6 upstream.
+
+It is possible to set up dm-integrity in such a way that the
+"tag_size" parameter is less than the actual digest size. In this
+situation, a part of the digest beyond tag_size is ignored.
+
+In this case, dm-integrity would write beyond the end of the
+ic->recalc_tags array and corrupt memory. The corruption happened in
+integrity_recalc->integrity_sector_checksum->crypto_shash_final.
+
+Fix this corruption by increasing the tags array so that it has enough
+padding at the end to accomodate the loop in integrity_recalc() being
+able to write a full digest size for the last member of the tags
+array.
+
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-integrity.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -3504,6 +3504,7 @@ try_smaller_buffer:
+ }
+
+ if (ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING)) {
++ size_t recalc_tags_size;
+ if (!ic->internal_hash) {
+ r = -EINVAL;
+ ti->error = "Recalculate is only valid with internal hash";
+@@ -3522,8 +3523,10 @@ try_smaller_buffer:
+ r = -ENOMEM;
+ goto bad;
+ }
+- ic->recalc_tags = kvmalloc_array(RECALC_SECTORS >> ic->sb->log2_sectors_per_block,
+- ic->tag_size, GFP_KERNEL);
++ recalc_tags_size = (RECALC_SECTORS >> ic->sb->log2_sectors_per_block) * ic->tag_size;
++ if (crypto_shash_digestsize(ic->internal_hash) > ic->tag_size)
++ recalc_tags_size += crypto_shash_digestsize(ic->internal_hash) - ic->tag_size;
++ ic->recalc_tags = kvmalloc(recalc_tags_size, GFP_KERNEL);
+ if (!ic->recalc_tags) {
+ ti->error = "Cannot allocate tags for recalculating";
+ r = -ENOMEM;
diff --git a/queue-4.19/series b/queue-4.19/series
index 74c2566da6a..18fcb532ec4 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1,2 +1,5 @@
 etherdevice-adjust-ether_addr-prototypes-to-silence-wstringop-overead.patch
 mm-page_alloc-fix-building-error-on-werror-array-compare.patch
+tracing-dump-stacktrace-trigger-to-the-corresponding-instance.patch
+can-usb_8dev-usb_8dev_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch
+dm-integrity-fix-memory-corruption-when-tag_size-is-less-than-digest-size.patch
diff --git a/queue-4.19/tracing-dump-stacktrace-trigger-to-the-corresponding-instance.patch b/queue-4.19/tracing-dump-stacktrace-trigger-to-the-corresponding-instance.patch
new file mode 100644
index 00000000000..f409369d668
--- /dev/null
+++ b/queue-4.19/tracing-dump-stacktrace-trigger-to-the-corresponding-instance.patch
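Review bot: Replacing `kvmalloc_array()` with an open-coded product in the second dm-integrity hunk drops the multiplication overflow check that the old call performed on `(RECALC_SECTORS >> ic->sb->log2_sectors_per_block) * ic->tag_size`. Whether that product can actually wrap depends on the limits placed on `tag_size` and `log2_sectors_per_block`, which are validated outside this hunk, so it may well be benign. Still, a size computation inside a memory-corruption fix should keep the check explicit rather than rely on distant validation. I would compute the product with the checked helper from `<linux/overflow.h>` (assuming it is available in this tree) and fail construction on overflow, as sketched below. The enclosing function starts and ends outside the hunk.
```c
		/* … unchanged: internal_hash check, recalc_wq and recalc_buffer allocation … */
		if (check_mul_overflow((size_t)(RECALC_SECTORS >> ic->sb->log2_sectors_per_block),
				       (size_t)ic->tag_size, &recalc_tags_size)) {
			ti->error = "Invalid tag size for recalculating";
			r = -EINVAL;
			goto bad;
		}
		/* … unchanged: digest-size padding and kvmalloc(recalc_tags_size, GFP_KERNEL) … */
```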
@@ -0,0 +1,47 @@
+From ce33c845b030c9cf768370c951bc699470b09fa7 Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira
+Date: Sun, 20 Feb 2022 23:49:57 +0100
+Subject: tracing: Dump stacktrace trigger to the corresponding instance
+
+From: Daniel Bristot de Oliveira
+
+commit ce33c845b030c9cf768370c951bc699470b09fa7 upstream.
+
+The stacktrace event trigger is not dumping the stacktrace to the instance
+where it was enabled, but to the global "instance."
+
+Use the private_data, pointing to the trigger file, to figure out the
+corresponding trace instance, and use it in the trigger action, like
+snapshot_trigger does.
+
+Link: https://lkml.kernel.org/r/afbb0b4f18ba92c276865bc97204d438473f4ebc.1645396236.git.bristot@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: ae63b31e4d0e2 ("tracing: Separate out trace events from global variables")
+Reviewed-by: Tom Zanussi
+Tested-by: Tom Zanussi
+Signed-off-by: Daniel Bristot de Oliveira
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_trigger.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -1212,7 +1212,14 @@ static void
+ stacktrace_trigger(struct event_trigger_data *data, void *rec,
+ struct ring_buffer_event *event)
+ {
+- trace_dump_stack(STACK_SKIP);
++ struct trace_event_file *file = data->private_data;
++ unsigned long flags;
++
++ if (file) {
++ local_save_flags(flags);
++ __trace_stack(file->tr, flags, STACK_SKIP, preempt_count());
++ } else
++ trace_dump_stack(STACK_SKIP);
+ }
+
+ static void
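Review bot: The `if (file) { … } else` in stacktrace_trigger() braces only one arm; kernel coding style asks for braces on both arms once either needs them, so the tail should read `} else {`, `trace_dump_stack(STACK_SKIP);`, `}`. The same mixed form appears in the usb_8dev hunk earlier on this page, where `} else if (atomic_read(&priv->active_tx_urbs) >= MAX_TX_URBS)` is followed by an unbraced `netif_stop_queue(netdev);`. It would also help to state when `data->private_data` can be unset, since that is the only case in which the dump still goes to the global buffer, e.g. `/* private_data is the trigger's trace_event_file; fall back to the global buffer when unset */`.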