From: Greg Kroah-Hartman Date: Wed, 12 Nov 2014 01:07:22 +0000 (+0900) Subject: 3.10-stable patches X-Git-Tag: v3.10.60~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4701b822238fb74559a28a657990b26de9ff75be;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: btrfs-fix-kfree-on-list_head-in-btrfs_lookup_csums_range-error-cleanup.patch libceph-ceph-msgr-workqueue-needs-a-resque-worker.patch of-fix-overflow-bug-in-string-property-parsing-functions.patch --- diff --git a/queue-3.10/btrfs-fix-kfree-on-list_head-in-btrfs_lookup_csums_range-error-cleanup.patch b/queue-3.10/btrfs-fix-kfree-on-list_head-in-btrfs_lookup_csums_range-error-cleanup.patch new file mode 100644 index 00000000000..cc3da212f3b --- /dev/null +++ b/queue-3.10/btrfs-fix-kfree-on-list_head-in-btrfs_lookup_csums_range-error-cleanup.patch @@ -0,0 +1,36 @@ +From 6e5aafb27419f32575b27ef9d6a31e5d54661aca Mon Sep 17 00:00:00 2001 +From: Chris Mason +Date: Tue, 4 Nov 2014 06:59:04 -0800 +Subject: Btrfs: fix kfree on list_head in btrfs_lookup_csums_range error cleanup + +From: Chris Mason + +commit 6e5aafb27419f32575b27ef9d6a31e5d54661aca upstream. + +If we hit any errors in btrfs_lookup_csums_range, we'll loop through all +the csums we allocate and free them. But the code was using list_entry +incorrectly, and ended up trying to free the on-stack list_head instead. + +This bug came from commit 0678b6185 + +btrfs: Don't BUG_ON kzalloc error in btrfs_lookup_csums_range() + +Signed-off-by: Chris Mason +Reported-by: Erik Berg +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/file-item.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/file-item.c ++++ b/fs/btrfs/file-item.c +@@ -403,7 +403,7 @@ int btrfs_lookup_csums_range(struct btrf + ret = 0; + fail: + while (ret < 0 && !list_empty(&tmplist)) { +- sums = list_entry(&tmplist, struct btrfs_ordered_sum, list); ++ sums = list_entry(tmplist.next, struct btrfs_ordered_sum, list); + list_del(&sums->list); + kfree(sums); + } diff --git a/queue-3.10/libceph-ceph-msgr-workqueue-needs-a-resque-worker.patch b/queue-3.10/libceph-ceph-msgr-workqueue-needs-a-resque-worker.patch new file mode 100644 index 00000000000..1623911260e --- /dev/null +++ b/queue-3.10/libceph-ceph-msgr-workqueue-needs-a-resque-worker.patch @@ -0,0 +1,34 @@ +From f9865f06f7f18c6661c88d0511f05c48612319cc Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Fri, 10 Oct 2014 16:39:05 +0400 +Subject: libceph: ceph-msgr workqueue needs a resque worker + +From: Ilya Dryomov + +commit f9865f06f7f18c6661c88d0511f05c48612319cc upstream. + +Commit f363e45fd118 ("net/ceph: make ceph_msgr_wq non-reentrant") +effectively removed WQ_MEM_RECLAIM flag from ceph_msgr_wq. This is +wrong - libceph is very much a memory reclaim path, so restore it. + +Signed-off-by: Ilya Dryomov +Tested-by: Micha Krause +Reviewed-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + net/ceph/messenger.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -290,7 +290,8 @@ int ceph_msgr_init(void) + if (ceph_msgr_slab_init()) + return -ENOMEM; + +- ceph_msgr_wq = alloc_workqueue("ceph-msgr", WQ_NON_REENTRANT, 0); ++ ceph_msgr_wq = alloc_workqueue("ceph-msgr", ++ WQ_NON_REENTRANT | WQ_MEM_RECLAIM, 0); + if (ceph_msgr_wq) + return 0; + diff --git a/queue-3.10/of-fix-overflow-bug-in-string-property-parsing-functions.patch b/queue-3.10/of-fix-overflow-bug-in-string-property-parsing-functions.patch new file mode 100644 index 00000000000..0f87d74abe9 --- /dev/null +++ b/queue-3.10/of-fix-overflow-bug-in-string-property-parsing-functions.patch @@ -0,0 +1,360 @@ +From a87fa1d81a9fb5e9adca9820e16008c40ad09f33 Mon Sep 17 00:00:00 2001 +From: Grant Likely +Date: Mon, 3 Nov 2014 15:15:35 +0000 +Subject: of: Fix overflow bug in string property parsing functions + +From: Grant Likely + +commit a87fa1d81a9fb5e9adca9820e16008c40ad09f33 upstream. + +The string property read helpers will run off the end of the buffer if +it is handed a malformed string property. Rework the parsers to make +sure that doesn't happen. At the same time add new test cases to make +sure the functions behave themselves. + +The original implementations of of_property_read_string_index() and +of_property_count_strings() both open-coded the same block of parsing +code, each with it's own subtly different bugs. The fix here merges +functions into a single helper and makes the original functions static +inline wrappers around the helper. + +One non-bugfix aspect of this patch is the addition of a new wrapper, +of_property_read_string_array(). The new wrapper is needed by the +device_properties feature that Rafael is working on and planning to +merge for v3.19. The implementation is identical both with and without +the new static inline wrapper, so it just got left in to reduce the +churn on the header file. + +Signed-off-by: Grant Likely +Cc: Rafael J. Wysocki +Cc: Mika Westerberg +Cc: Rob Herring +Cc: Arnd Bergmann +Cc: Darren Hart +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/base.c | 88 ++++++++++++-------------------------------------- + drivers/of/selftest.c | 64 +++++++++++++++++++++++++++++++++--- + include/linux/of.h | 84 +++++++++++++++++++++++++++++++++++++++-------- + 3 files changed, 151 insertions(+), 85 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -963,52 +963,6 @@ int of_property_read_string(struct devic + EXPORT_SYMBOL_GPL(of_property_read_string); + + /** +- * of_property_read_string_index - Find and read a string from a multiple +- * strings property. +- * @np: device node from which the property value is to be read. +- * @propname: name of the property to be searched. +- * @index: index of the string in the list of strings +- * @out_string: pointer to null terminated return string, modified only if +- * return value is 0. +- * +- * Search for a property in a device tree node and retrieve a null +- * terminated string value (pointer to data, not a copy) in the list of strings +- * contained in that property. +- * Returns 0 on success, -EINVAL if the property does not exist, -ENODATA if +- * property does not have a value, and -EILSEQ if the string is not +- * null-terminated within the length of the property data. +- * +- * The out_string pointer is modified only if a valid string can be decoded. +- */ +-int of_property_read_string_index(struct device_node *np, const char *propname, +- int index, const char **output) +-{ +- struct property *prop = of_find_property(np, propname, NULL); +- int i = 0; +- size_t l = 0, total = 0; +- const char *p; +- +- if (!prop) +- return -EINVAL; +- if (!prop->value) +- return -ENODATA; +- if (strnlen(prop->value, prop->length) >= prop->length) +- return -EILSEQ; +- +- p = prop->value; +- +- for (i = 0; total < prop->length; total += l, p += l) { +- l = strlen(p) + 1; +- if (i++ == index) { +- *output = p; +- return 0; +- } +- } +- return -ENODATA; +-} +-EXPORT_SYMBOL_GPL(of_property_read_string_index); +- +-/** + * of_property_match_string() - Find string in a list and return index + * @np: pointer to node containing string list property + * @propname: string list property name +@@ -1034,7 +988,7 @@ int of_property_match_string(struct devi + end = p + prop->length; + + for (i = 0; p < end; i++, p += l) { +- l = strlen(p) + 1; ++ l = strnlen(p, end - p) + 1; + if (p + l > end) + return -EILSEQ; + pr_debug("comparing %s with %s\n", string, p); +@@ -1046,39 +1000,41 @@ int of_property_match_string(struct devi + EXPORT_SYMBOL_GPL(of_property_match_string); + + /** +- * of_property_count_strings - Find and return the number of strings from a +- * multiple strings property. ++ * of_property_read_string_util() - Utility helper for parsing string properties + * @np: device node from which the property value is to be read. + * @propname: name of the property to be searched. ++ * @out_strs: output array of string pointers. ++ * @sz: number of array elements to read. ++ * @skip: Number of strings to skip over at beginning of list. + * +- * Search for a property in a device tree node and retrieve the number of null +- * terminated string contain in it. Returns the number of strings on +- * success, -EINVAL if the property does not exist, -ENODATA if property +- * does not have a value, and -EILSEQ if the string is not null-terminated +- * within the length of the property data. ++ * Don't call this function directly. It is a utility helper for the ++ * of_property_read_string*() family of functions. + */ +-int of_property_count_strings(struct device_node *np, const char *propname) ++int of_property_read_string_helper(struct device_node *np, const char *propname, ++ const char **out_strs, size_t sz, int skip) + { + struct property *prop = of_find_property(np, propname, NULL); +- int i = 0; +- size_t l = 0, total = 0; +- const char *p; ++ int l = 0, i = 0; ++ const char *p, *end; + + if (!prop) + return -EINVAL; + if (!prop->value) + return -ENODATA; +- if (strnlen(prop->value, prop->length) >= prop->length) +- return -EILSEQ; +- + p = prop->value; ++ end = p + prop->length; + +- for (i = 0; total < prop->length; total += l, p += l, i++) +- l = strlen(p) + 1; +- +- return i; ++ for (i = 0; p < end && (!out_strs || i < skip + sz); i++, p += l) { ++ l = strnlen(p, end - p) + 1; ++ if (p + l > end) ++ return -EILSEQ; ++ if (out_strs && i >= skip) ++ *out_strs++ = p; ++ } ++ i -= skip; ++ return i <= 0 ? -ENODATA : i; + } +-EXPORT_SYMBOL_GPL(of_property_count_strings); ++EXPORT_SYMBOL_GPL(of_property_read_string_helper); + + /** + * of_parse_phandle - Resolve a phandle property to a device_node pointer +--- a/drivers/of/selftest.c ++++ b/drivers/of/selftest.c +@@ -126,8 +126,9 @@ static void __init of_selftest_parse_pha + selftest(rc == -EINVAL, "expected:%i got:%i\n", -EINVAL, rc); + } + +-static void __init of_selftest_property_match_string(void) ++static void __init of_selftest_property_string(void) + { ++ const char *strings[4]; + struct device_node *np; + int rc; + +@@ -145,13 +146,66 @@ static void __init of_selftest_property_ + rc = of_property_match_string(np, "phandle-list-names", "third"); + selftest(rc == 2, "third expected:0 got:%i\n", rc); + rc = of_property_match_string(np, "phandle-list-names", "fourth"); +- selftest(rc == -ENODATA, "unmatched string; rc=%i", rc); ++ selftest(rc == -ENODATA, "unmatched string; rc=%i\n", rc); + rc = of_property_match_string(np, "missing-property", "blah"); +- selftest(rc == -EINVAL, "missing property; rc=%i", rc); ++ selftest(rc == -EINVAL, "missing property; rc=%i\n", rc); + rc = of_property_match_string(np, "empty-property", "blah"); +- selftest(rc == -ENODATA, "empty property; rc=%i", rc); ++ selftest(rc == -ENODATA, "empty property; rc=%i\n", rc); + rc = of_property_match_string(np, "unterminated-string", "blah"); +- selftest(rc == -EILSEQ, "unterminated string; rc=%i", rc); ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc); ++ ++ /* of_property_count_strings() tests */ ++ rc = of_property_count_strings(np, "string-property"); ++ selftest(rc == 1, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_count_strings(np, "phandle-list-names"); ++ selftest(rc == 3, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_count_strings(np, "unterminated-string"); ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc); ++ rc = of_property_count_strings(np, "unterminated-string-list"); ++ selftest(rc == -EILSEQ, "unterminated string array; rc=%i\n", rc); ++ ++ /* of_property_read_string_index() tests */ ++ rc = of_property_read_string_index(np, "string-property", 0, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "foobar"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "string-property", 1, strings); ++ selftest(rc == -ENODATA && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "phandle-list-names", 0, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "first"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "phandle-list-names", 1, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "second"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "phandle-list-names", 2, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "third"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "phandle-list-names", 3, strings); ++ selftest(rc == -ENODATA && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "unterminated-string", 0, strings); ++ selftest(rc == -EILSEQ && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ rc = of_property_read_string_index(np, "unterminated-string-list", 0, strings); ++ selftest(rc == 0 && !strcmp(strings[0], "first"), "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[0] = NULL; ++ rc = of_property_read_string_index(np, "unterminated-string-list", 2, strings); /* should fail */ ++ selftest(rc == -EILSEQ && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc); ++ strings[1] = NULL; ++ ++ /* of_property_read_string_array() tests */ ++ rc = of_property_read_string_array(np, "string-property", strings, 4); ++ selftest(rc == 1, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_read_string_array(np, "phandle-list-names", strings, 4); ++ selftest(rc == 3, "Incorrect string count; rc=%i\n", rc); ++ rc = of_property_read_string_array(np, "unterminated-string", strings, 4); ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc); ++ /* -- An incorrectly formed string should cause a failure */ ++ rc = of_property_read_string_array(np, "unterminated-string-list", strings, 4); ++ selftest(rc == -EILSEQ, "unterminated string array; rc=%i\n", rc); ++ /* -- parsing the correctly formed strings should still work: */ ++ strings[2] = NULL; ++ rc = of_property_read_string_array(np, "unterminated-string-list", strings, 2); ++ selftest(rc == 2 && strings[2] == NULL, "of_property_read_string_array() failure; rc=%i\n", rc); ++ strings[1] = NULL; ++ rc = of_property_read_string_array(np, "phandle-list-names", strings, 1); ++ selftest(rc == 1 && strings[1] == NULL, "Overwrote end of string array; rc=%i, str='%s'\n", rc, strings[1]); + } + + static int __init of_selftest(void) +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -252,14 +252,12 @@ extern int of_property_read_u64(const st + extern int of_property_read_string(struct device_node *np, + const char *propname, + const char **out_string); +-extern int of_property_read_string_index(struct device_node *np, +- const char *propname, +- int index, const char **output); + extern int of_property_match_string(struct device_node *np, + const char *propname, + const char *string); +-extern int of_property_count_strings(struct device_node *np, +- const char *propname); ++extern int of_property_read_string_helper(struct device_node *np, ++ const char *propname, ++ const char **out_strs, size_t sz, int index); + extern int of_device_is_compatible(const struct device_node *device, + const char *); + extern int of_device_is_available(const struct device_node *device); +@@ -439,15 +437,9 @@ static inline int of_property_read_strin + return -ENOSYS; + } + +-static inline int of_property_read_string_index(struct device_node *np, +- const char *propname, int index, +- const char **out_string) +-{ +- return -ENOSYS; +-} +- +-static inline int of_property_count_strings(struct device_node *np, +- const char *propname) ++static inline int of_property_read_string_helper(struct device_node *np, ++ const char *propname, ++ const char **out_strs, size_t sz, int index) + { + return -ENOSYS; + } +@@ -523,6 +515,70 @@ static inline int of_node_to_nid(struct + #endif + + /** ++ * of_property_read_string_array() - Read an array of strings from a multiple ++ * strings property. ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * @out_strs: output array of string pointers. ++ * @sz: number of array elements to read. ++ * ++ * Search for a property in a device tree node and retrieve a list of ++ * terminated string values (pointer to data, not a copy) in that property. ++ * ++ * If @out_strs is NULL, the number of strings in the property is returned. ++ */ ++static inline int of_property_read_string_array(struct device_node *np, ++ const char *propname, const char **out_strs, ++ size_t sz) ++{ ++ return of_property_read_string_helper(np, propname, out_strs, sz, 0); ++} ++ ++/** ++ * of_property_count_strings() - Find and return the number of strings from a ++ * multiple strings property. ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * ++ * Search for a property in a device tree node and retrieve the number of null ++ * terminated string contain in it. Returns the number of strings on ++ * success, -EINVAL if the property does not exist, -ENODATA if property ++ * does not have a value, and -EILSEQ if the string is not null-terminated ++ * within the length of the property data. ++ */ ++static inline int of_property_count_strings(struct device_node *np, ++ const char *propname) ++{ ++ return of_property_read_string_helper(np, propname, NULL, 0, 0); ++} ++ ++/** ++ * of_property_read_string_index() - Find and read a string from a multiple ++ * strings property. ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * @index: index of the string in the list of strings ++ * @out_string: pointer to null terminated return string, modified only if ++ * return value is 0. ++ * ++ * Search for a property in a device tree node and retrieve a null ++ * terminated string value (pointer to data, not a copy) in the list of strings ++ * contained in that property. ++ * Returns 0 on success, -EINVAL if the property does not exist, -ENODATA if ++ * property does not have a value, and -EILSEQ if the string is not ++ * null-terminated within the length of the property data. ++ * ++ * The out_string pointer is modified only if a valid string can be decoded. ++ */ ++static inline int of_property_read_string_index(struct device_node *np, ++ const char *propname, ++ int index, const char **output) ++{ ++ int rc = of_property_read_string_helper(np, propname, output, 1, index); ++ return rc < 0 ? rc : 0; ++} ++ ++/** + * of_property_read_bool - Findfrom a property + * @np: device node from which the property value is to be read. + * @propname: name of the property to be searched. diff --git a/queue-3.10/series b/queue-3.10/series index ecafe33c0c9..10a79afed3c 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -118,3 +118,6 @@ rbd-fix-error-recovery-in-rbd_obj_read_sync.patch acer-wmi-add-acpi_backlight-video-quirk-for-the-acer-kav80.patch i2c-at91-don-t-account-as-iowait.patch sysfs-driver-core-fix-glue-dir-race-condition-by-gdp_mutex.patch +of-fix-overflow-bug-in-string-property-parsing-functions.patch +btrfs-fix-kfree-on-list_head-in-btrfs_lookup_csums_range-error-cleanup.patch +libceph-ceph-msgr-workqueue-needs-a-resque-worker.patch