From: Greg Kroah-Hartman Date: Sun, 27 Oct 2019 16:00:48 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.198~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5972b37f05eb1986aa5388f82b78a25340d331d9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch cifs-avoid-using-mid-0xffff.patch cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch pci-pm-fix-pci_power_up.patch xen-netback-fix-error-path-of-xenvif_connect_data.patch --- diff --git a/queue-4.4/btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch b/queue-4.4/btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch new file mode 100644 index 00000000000..dccb387a14f --- /dev/null +++ b/queue-4.4/btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch 
@@ -0,0 +1,42 @@ +From 4b654acdae850f48b8250b9a578a4eaa518c7a6f Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Thu, 10 Oct 2019 10:39:26 +0800 +Subject: btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() + +From: Qu Wenruo + +commit 4b654acdae850f48b8250b9a578a4eaa518c7a6f upstream. + +In btrfs_read_block_groups(), if we have an invalid block group which +has mixed type (DATA|METADATA) while the fs doesn't have MIXED_GROUPS +feature, we error out without freeing the block group cache. + +This patch will add the missing btrfs_put_block_group() to prevent +memory leak. + +Note for stable backports: the file to patch in versions <= 5.3 is +fs/btrfs/extent-tree.c + +Fixes: 49303381f19a ("Btrfs: bail out if block group has different mixed flag") +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Anand Jain +Reviewed-by: Johannes Thumshirn +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -9905,6 +9905,7 @@ int btrfs_read_block_groups(struct btrfs + btrfs_err(info, + "bg %llu is a mixed block group but filesystem hasn't enabled mixed block groups", + cache->key.objectid); ++ btrfs_put_block_group(cache); + ret = -EINVAL; + goto error; + } diff --git a/queue-4.4/cifs-avoid-using-mid-0xffff.patch b/queue-4.4/cifs-avoid-using-mid-0xffff.patch new file mode 100644 index 00000000000..09428923d06 --- /dev/null +++ b/queue-4.4/cifs-avoid-using-mid-0xffff.patch 
@@ -0,0 +1,38 @@ +From 03d9a9fe3f3aec508e485dd3dcfa1e99933b4bdb Mon Sep 17 00:00:00 2001 +From: Roberto Bergantinos Corpas +Date: Mon, 14 Oct 2019 10:59:23 +0200 +Subject: CIFS: avoid using MID 0xFFFF + +From: Roberto Bergantinos Corpas + +commit 03d9a9fe3f3aec508e485dd3dcfa1e99933b4bdb upstream. + +According to MS-CIFS specification MID 0xFFFF should not be used by the +CIFS client, but we actually do. Besides, this has proven to cause races +leading to oops between SendReceive2/cifs_demultiplex_thread. On SMB1, +MID is a 2 byte value easy to reach in CurrentMid which may conflict with +an oplock break notification request coming from server + +Signed-off-by: Roberto Bergantinos Corpas +Reviewed-by: Ronnie Sahlberg +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb1ops.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -180,6 +180,9 @@ cifs_get_next_mid(struct TCP_Server_Info + /* we do not want to loop forever */ + last_mid = cur_mid; + cur_mid++; ++ /* avoid 0xFFFF MID */ ++ if (cur_mid == 0xffff) ++ cur_mid++; + + /* + * This nested loop looks more expensive than it is. diff --git a/queue-4.4/cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch b/queue-4.4/cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch new file mode 100644 index 00000000000..1fb2a211a51 --- /dev/null +++ b/queue-4.4/cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch 
@@ -0,0 +1,88 @@ +From 65650b35133ff20f0c9ef0abd5c3c66dbce3ae57 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 9 Oct 2019 01:29:10 +0200 +Subject: cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafael J. Wysocki + +commit 65650b35133ff20f0c9ef0abd5c3c66dbce3ae57 upstream. + +It is incorrect to set the cpufreq syscore shutdown callback pointer +to cpufreq_suspend(), because that function cannot be run in the +syscore stage of system shutdown for two reasons: (a) it may attempt +to carry out actions depending on devices that have already been shut +down at that point and (b) the RCU synchronization carried out by it +may not be able to make progress then. + +The latter issue has been present since commit 45975c7d21a1 ("rcu: +Define RCU-sched API in terms of RCU for Tree RCU PREEMPT builds"), +but the former one has been there since commit 90de2a4aa9f3 ("cpufreq: +suspend cpufreq governors on shutdown") regardless. + +Fix that by dropping cpufreq_syscore_ops altogether and making +device_shutdown() call cpufreq_suspend() directly before shutting +down devices, which is along the lines of what system-wide power +management does. + +Fixes: 45975c7d21a1 ("rcu: Define RCU-sched API in terms of RCU for Tree RCU PREEMPT builds") +Fixes: 90de2a4aa9f3 ("cpufreq: suspend cpufreq governors on shutdown") +Reported-by: Ville Syrjälä +Tested-by: Ville Syrjälä +Signed-off-by: Rafael J. 
Wysocki +Acked-by: Viresh Kumar +Cc: 4.0+ # 4.0+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/core.c | 3 +++ + drivers/cpufreq/cpufreq.c | 10 ---------- + 2 files changed, 3 insertions(+), 10 deletions(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -10,6 +10,7 @@ + * + */ + ++#include + #include + #include + #include +@@ -2124,6 +2125,8 @@ void device_shutdown(void) + { + struct device *dev, *parent; + ++ cpufreq_suspend(); ++ + spin_lock(&devices_kset->list_lock); + /* + * Walk the devices list backward, shutting down each in turn. +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2512,14 +2512,6 @@ int cpufreq_unregister_driver(struct cpu + } + EXPORT_SYMBOL_GPL(cpufreq_unregister_driver); + +-/* +- * Stop cpufreq at shutdown to make sure it isn't holding any locks +- * or mutexes when secondary CPUs are halted. +- */ +-static struct syscore_ops cpufreq_syscore_ops = { +- .shutdown = cpufreq_suspend, +-}; +- + struct kobject *cpufreq_global_kobject; + EXPORT_SYMBOL(cpufreq_global_kobject); + +@@ -2531,8 +2523,6 @@ static int __init cpufreq_core_init(void + cpufreq_global_kobject = kobject_create_and_add("cpufreq", &cpu_subsys.dev_root->kobj); + BUG_ON(!cpufreq_global_kobject); + +- register_syscore_ops(&cpufreq_syscore_ops); +- + return 0; + } + core_initcall(cpufreq_core_init); diff --git a/queue-4.4/memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch b/queue-4.4/memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch new file mode 100644 index 00000000000..f27d62277f6 --- /dev/null +++ b/queue-4.4/memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch 
@@ -0,0 +1,35 @@ +From 28c9fac09ab0147158db0baeec630407a5e9b892 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 5 Oct 2019 13:21:01 +0200 +Subject: memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' + +From: Christophe JAILLET + +commit 28c9fac09ab0147158db0baeec630407a5e9b892 upstream. + +If 'jmb38x_ms_count_slots()' returns 0, we must undo the previous +'pci_request_regions()' call. + +Goto 'err_out_int' to fix it. + +Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe JAILLET +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/memstick/host/jmb38x_ms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/memstick/host/jmb38x_ms.c ++++ b/drivers/memstick/host/jmb38x_ms.c +@@ -947,7 +947,7 @@ static int jmb38x_ms_probe(struct pci_de + if (!cnt) { + rc = -ENODEV; + pci_dev_busy = 1; +- goto err_out; ++ goto err_out_int; + } + + jm = kzalloc(sizeof(struct jmb38x_ms) diff --git a/queue-4.4/net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch b/queue-4.4/net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch new file mode 100644 index 00000000000..284c6bafb91 --- /dev/null +++ b/queue-4.4/net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch 
@@ -0,0 +1,64 @@ +From 98c8f125fd8a6240ea343c1aa50a1be9047791b8 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Sat, 25 Aug 2018 22:58:01 -0700 +Subject: net: sched: Fix memory exposure from short TCA_U32_SEL + +From: Kees Cook + +commit 98c8f125fd8a6240ea343c1aa50a1be9047791b8 upstream. + +Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink +policy, so max length isn't enforced, only minimum. This means nkeys +(from userspace) was being trusted without checking the actual size of +nla_len(), which could lead to a memory over-read, and ultimately an +exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within +a namespace. + +Reported-by: Al Viro +Cc: Jamal Hadi Salim +Cc: Cong Wang +Cc: Jiri Pirko +Cc: "David S. Miller" +Cc: netdev@vger.kernel.org +Signed-off-by: Kees Cook +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Zubin Mithra +Signed-off-by: Greg Kroah-Hartman + +--- + net/sched/cls_u32.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -734,6 +734,7 @@ static int u32_change(struct net *net, s + struct nlattr *opt = tca[TCA_OPTIONS]; + struct nlattr *tb[TCA_U32_MAX + 1]; + u32 htid; ++ size_t sel_size; + int err; + #ifdef CONFIG_CLS_U32_PERF + size_t size; +@@ -827,8 +828,11 @@ static int u32_change(struct net *net, s + return -EINVAL; + + s = nla_data(tb[TCA_U32_SEL]); ++ sel_size = sizeof(*s) + sizeof(*s->keys) * s->nkeys; ++ if (nla_len(tb[TCA_U32_SEL]) < sel_size) ++ return -EINVAL; + +- n = kzalloc(sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key), GFP_KERNEL); ++ n = kzalloc(offsetof(typeof(*n), sel) + sel_size, GFP_KERNEL); + if (n == NULL) + return -ENOBUFS; + +@@ -841,7 +845,7 @@ static int u32_change(struct net *net, s + } + #endif + +- memcpy(&n->sel, s, sizeof(*s) + s->nkeys*sizeof(struct tc_u32_key)); ++ memcpy(&n->sel, s, sel_size); + RCU_INIT_POINTER(n->ht_up, ht); + n->handle = handle; + n->fshift = s->hmask ? 
ffs(ntohl(s->hmask)) - 1 : 0; diff --git a/queue-4.4/pci-pm-fix-pci_power_up.patch b/queue-4.4/pci-pm-fix-pci_power_up.patch new file mode 100644 index 00000000000..f158b50faf3 --- /dev/null +++ b/queue-4.4/pci-pm-fix-pci_power_up.patch 
@@ -0,0 +1,81 @@ +From 45144d42f299455911cc29366656c7324a3a7c97 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Mon, 14 Oct 2019 13:25:00 +0200 +Subject: PCI: PM: Fix pci_power_up() + +From: Rafael J. Wysocki + +commit 45144d42f299455911cc29366656c7324a3a7c97 upstream. + +There is an arbitrary difference between the system resume and +runtime resume code paths for PCI devices regarding the delay to +apply when switching the devices from D3cold to D0. + +Namely, pci_restore_standard_config() used in the runtime resume +code path calls pci_set_power_state() which in turn invokes +__pci_start_power_transition() to power up the device through the +platform firmware and that function applies the transition delay +(as per PCI Express Base Specification Revision 2.0, Section 6.6.1). +However, pci_pm_default_resume_early() used in the system resume +code path calls pci_power_up() which doesn't apply the delay at +all and that causes issues to occur during resume from +suspend-to-idle on some systems where the delay is required. + +Since there is no reason for that difference to exist, modify +pci_power_up() to follow pci_set_power_state() more closely and +invoke __pci_start_power_transition() from there to call the +platform firmware to power up the device (in case that's necessary). + +Fixes: db288c9c5f9d ("PCI / PM: restore the original behavior of pci_set_power_state()") +Reported-by: Daniel Drake +Tested-by: Daniel Drake +Link: https://lore.kernel.org/linux-pm/CAD8Lp44TYxrMgPLkHCqF9hv6smEurMXvmmvmtyFhZ6Q4SE+dig@mail.gmail.com/T/#m21be74af263c6a34f36e0fc5c77c5449d9406925 +Signed-off-by: Rafael J. 
Wysocki +Acked-by: Bjorn Helgaas +Cc: 3.10+ # 3.10+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -704,19 +704,6 @@ void pci_update_current_state(struct pci + } + + /** +- * pci_power_up - Put the given device into D0 forcibly +- * @dev: PCI device to power up +- */ +-void pci_power_up(struct pci_dev *dev) +-{ +- if (platform_pci_power_manageable(dev)) +- platform_pci_set_power_state(dev, PCI_D0); +- +- pci_raw_set_power_state(dev, PCI_D0); +- pci_update_current_state(dev, PCI_D0); +-} +- +-/** + * pci_platform_power_transition - Use platform to change device power state + * @dev: PCI device to handle. + * @state: State to put the device into. +@@ -892,6 +879,17 @@ int pci_set_power_state(struct pci_dev * + EXPORT_SYMBOL(pci_set_power_state); + + /** ++ * pci_power_up - Put the given device into D0 forcibly ++ * @dev: PCI device to power up ++ */ ++void pci_power_up(struct pci_dev *dev) ++{ ++ __pci_start_power_transition(dev, PCI_D0); ++ pci_raw_set_power_state(dev, PCI_D0); ++ pci_update_current_state(dev, PCI_D0); ++} ++ ++/** + * pci_choose_state - Choose the power state of a PCI device + * @dev: PCI device to be suspended + * @state: target sleep state for the whole system. This is the value diff --git a/queue-4.4/series b/queue-4.4/series index 58e6b00a85a..7b3110a0e54 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -31,3 +31,10 @@ scsi-zfcp-fix-reaction-on-bit-error-threshold-notifi.patch mm-slub-fix-a-deadlock-in-show_slab_objects.patch xtensa-drop-export_symbol-for-outs-ins.patch parisc-fix-vmap-memory-leak-in-ioremap-iounmap.patch +cifs-avoid-using-mid-0xffff.patch +btrfs-block-group-fix-a-memory-leak-due-to-missing-btrfs_put_block_group.patch +memstick-jmb38x_ms-fix-an-error-handling-path-in-jmb38x_ms_probe.patch +cpufreq-avoid-cpufreq_suspend-deadlock-on-system-shutdown.patch +xen-netback-fix-error-path-of-xenvif_connect_data.patch +pci-pm-fix-pci_power_up.patch +net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch diff --git a/queue-4.4/xen-netback-fix-error-path-of-xenvif_connect_data.patch b/queue-4.4/xen-netback-fix-error-path-of-xenvif_connect_data.patch new file mode 100644 index 00000000000..8c054694cd5 --- /dev/null +++ b/queue-4.4/xen-netback-fix-error-path-of-xenvif_connect_data.patch @@ -0,0 +1,36 @@ +From 3d5c1a037d37392a6859afbde49be5ba6a70a6b3 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Fri, 18 Oct 2019 09:45:49 +0200 +Subject: xen/netback: fix error path of xenvif_connect_data() + +From: Juergen Gross + +commit 3d5c1a037d37392a6859afbde49be5ba6a70a6b3 upstream. + +xenvif_connect_data() calls module_put() in case of error. This is +wrong as there is no related module_get(). + +Remove the superfluous module_put(). + +Fixes: 279f438e36c0a7 ("xen-netback: Don't destroy the netdev until the vif is shut down") +Cc: # 3.12 +Signed-off-by: Juergen Gross +Reviewed-by: Paul Durrant +Reviewed-by: Wei Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netback/interface.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -620,7 +620,6 @@ err_tx_unbind: + err_unmap: + xenvif_unmap_frontend_rings(queue); + err: +- module_put(THIS_MODULE); + return err; + } +
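Review bot: In the fs/btrfs/extent-tree.c hunk, the added btrfs_put_block_group(cache) ahead of `ret = -EINVAL; goto error;` balances the reference held on the cache for this early-exit path, which is exactly what the commit message describes. The hunk does not show the `error:` label, so confirm that the 4.4 label does not itself drop the reference on `cache`; if it did, the mixed-flags rejection path would now double-put. The backport note in the message (file is extent-tree.c for versions <= 5.3) matches the path this patch touches.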
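Review bot: In the fs/cifs/smb1ops.c hunk, the 0xFFFF skip is applied once, immediately after the pre-loop `cur_mid++`, while the context comment shows that a loop over pending MIDs follows. If that loop advances cur_mid again when a candidate collides with an in-flight request, it can still land on 0xFFFF, so consider placing the check inside the loop beside the collision retry (or repeating it there) so the reserved value is never handed out. A one-line comment naming the MS-CIFS requirement that 0xFFFF is reserved would also make the intent clearer than "avoid 0xFFFF MID" alone.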
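Review bot: In the drivers/base/core.c hunks, the added include is rendered here as a bare `+#include` with the header name lost, so verify against the upstream commit that it resolves to the header declaring cpufreq_suspend() before queuing. Separately, the block removed from drivers/cpufreq/cpufreq.c carried the only comment explaining why cpufreq must be stopped before secondary CPUs are halted (so it holds no locks or mutexes); that rationale does not travel to the new call at the top of device_shutdown(). Add a short comment at the new call site stating that cpufreq_suspend() must run before devices are shut down and before the syscore stage, as the commit message explains.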
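Review bot: In the drivers/memstick/host/jmb38x_ms.c hunk, retargeting the jump to `err_out_int` is what undoes the earlier pci_request_regions(), matching the commit message. This path also still sets `pci_dev_busy = 1` even though the failure is a zero slot count rather than a busy device; confirm whether the cleanup reached through err_out_int is meant to honour that flag here, and if it is, say so in the commit message so the next backporter does not "fix" it.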
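Review bot: In the net/sched/cls_u32.c hunks, the new length check reads `s->nkeys` before it verifies `nla_len(tb[TCA_U32_SEL])`, which is only safe because, as the commit message states, the netlink policy already enforces the minimum length of the selector header; confirm the 4.4 policy entry still carries that minimum so the backport does not reintroduce a short read of nkeys. Note that `sel_size` is size_t while nla_len() returns int, so the comparison is done unsigned; that is fine for a validated attribute (non-negative length) but worth a comment. Computing `sel_size` once and using it for both the kzalloc() and the memcpy() is the right shape: the allocation and the copy can no longer disagree about how many keys exist.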
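Review bot: In the drivers/pci/pci.c hunks, pci_power_up() is moved below pci_set_power_state() so it can call __pci_start_power_transition() without a forward declaration, but the kerneldoc was carried over verbatim ("Put the given device into D0 forcibly"). Since the point of the change, per the commit message, is that the D3cold-to-D0 transition now goes through the platform firmware and applies the required delay, update that comment to say so; otherwise a reader comparing the old and new bodies will not see why the platform_pci_power_manageable() check was dropped in favour of the helper.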
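Review bot: In the drivers/net/xen-netback/interface.c hunk, dropping module_put(THIS_MODULE) leaves the `err:` label as a bare `return err;`. That is the right fix given the commit message's point that no matching module_get() exists, and keeping the label rather than turning the earlier gotos into direct returns keeps the diff minimal. The `Cc:` line is rendered here as `Cc: # 3.12` with the stable address lost, so check the tag when queuing.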