From: Greg Kroah-Hartman Date: Mon, 29 Apr 2019 08:18:19 +0000 (+0200) Subject: 5.0-stable patches X-Git-Tag: v4.9.172~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=65a46afe8fecb86fc88461c455c4fc98a0190efa;p=thirdparty%2Fkernel%2Fstable-queue.git 5.0-stable patches added patches: cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch cifs-fix-page-reference-leak-with-readv-writev.patch tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch --- diff --git a/queue-5.0/cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch b/queue-5.0/cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch new file mode 100644 index 00000000000..1202583ac93 --- /dev/null +++ b/queue-5.0/cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch @@ -0,0 +1,38 @@ +From 652727bbe1b17993636346716ae5867627793647 Mon Sep 17 00:00:00 2001 +From: Frank Sorenson +Date: Tue, 16 Apr 2019 08:37:27 -0500 +Subject: cifs: do not attempt cifs operation on smb2+ rename error + +From: Frank Sorenson + +commit 652727bbe1b17993636346716ae5867627793647 upstream. + +A path-based rename returning EBUSY will incorrectly try opening +the file with a cifs (NT Create AndX) operation on an smb2+ mount, +which causes the server to force a session close. + +If the mount is smb2+, skip the fallback. + +Signed-off-by: Frank Sorenson +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/inode.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -1735,6 +1735,10 @@ cifs_do_rename(const unsigned int xid, s + if (rc == 0 || rc != -EBUSY) + goto do_rename_exit; + ++ /* Don't fall back to using SMB on SMB 2+ mount */ ++ if (server->vals->protocol_id != 0) ++ goto do_rename_exit; ++ + /* open-file renames don't work across directories */ + if (to_dentry->d_parent != from_dentry->d_parent) + goto do_rename_exit; diff --git a/queue-5.0/cifs-fix-page-reference-leak-with-readv-writev.patch b/queue-5.0/cifs-fix-page-reference-leak-with-readv-writev.patch new file mode 100644 index 00000000000..d4b80b5fa6c --- /dev/null +++ b/queue-5.0/cifs-fix-page-reference-leak-with-readv-writev.patch @@ -0,0 +1,121 @@ +From 13f5938d8264b5501368523c4513ff26608a33e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Glisse?= +Date: Wed, 10 Apr 2019 15:37:47 -0400 +Subject: cifs: fix page reference leak with readv/writev +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jérôme Glisse + +commit 13f5938d8264b5501368523c4513ff26608a33e8 upstream. + +CIFS can leak pages reference gotten through GUP (get_user_pages*() +through iov_iter_get_pages()). This happen if cifs_send_async_read() +or cifs_write_from_iter() calls fail from within __cifs_readv() and +__cifs_writev() respectively. This patch move page unreference to +cifs_aio_ctx_release() which will happens on all code paths this is +all simpler to follow for correctness. + +Signed-off-by: Jérôme Glisse +Cc: Steve French +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Cc: Alexander Viro +Cc: linux-fsdevel@vger.kernel.org +Cc: Linus Torvalds +Cc: Stable +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 15 +-------------- + fs/cifs/misc.c | 23 ++++++++++++++++++++++- + 2 files changed, 23 insertions(+), 15 deletions(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -2796,7 +2796,6 @@ static void collect_uncached_write_data( + struct cifs_tcon *tcon; + struct cifs_sb_info *cifs_sb; + struct dentry *dentry = ctx->cfile->dentry; +- unsigned int i; + int rc; + + tcon = tlink_tcon(ctx->cfile->tlink); +@@ -2860,10 +2859,6 @@ restart_loop: + kref_put(&wdata->refcount, cifs_uncached_writedata_release); + } + +- if (!ctx->direct_io) +- for (i = 0; i < ctx->npages; i++) +- put_page(ctx->bv[i].bv_page); +- + cifs_stats_bytes_written(tcon, ctx->total_len); + set_bit(CIFS_INO_INVALID_MAPPING, &CIFS_I(dentry->d_inode)->flags); + +@@ -3472,7 +3467,6 @@ collect_uncached_read_data(struct cifs_a + struct iov_iter *to = &ctx->iter; + struct cifs_sb_info *cifs_sb; + struct cifs_tcon *tcon; +- unsigned int i; + int rc; + + tcon = tlink_tcon(ctx->cfile->tlink); +@@ -3556,15 +3550,8 @@ again: + kref_put(&rdata->refcount, cifs_uncached_readdata_release); + } + +- if (!ctx->direct_io) { +- for (i = 0; i < ctx->npages; i++) { +- if (ctx->should_dirty) +- set_page_dirty(ctx->bv[i].bv_page); +- put_page(ctx->bv[i].bv_page); +- } +- ++ if (!ctx->direct_io) + ctx->total_len = ctx->len - iov_iter_count(to); +- } + + cifs_stats_bytes_read(tcon, ctx->total_len); + +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -789,6 +789,11 @@ cifs_aio_ctx_alloc(void) + { + struct cifs_aio_ctx *ctx; + ++ /* ++ * Must use kzalloc to initialize ctx->bv to NULL and ctx->direct_io ++ * to false so that we know when we have to unreference pages within ++ * cifs_aio_ctx_release() ++ */ + ctx = kzalloc(sizeof(struct cifs_aio_ctx), GFP_KERNEL); + if (!ctx) + return NULL; +@@ -807,7 +812,23 @@ cifs_aio_ctx_release(struct kref *refcou + struct cifs_aio_ctx, refcount); + + cifsFileInfo_put(ctx->cfile); +- kvfree(ctx->bv); ++ ++ /* ++ * ctx->bv is only set if setup_aio_ctx_iter() was call successfuly ++ * which means that iov_iter_get_pages() was a success and thus that ++ * we have taken reference on pages. ++ */ ++ if (ctx->bv) { ++ unsigned i; ++ ++ for (i = 0; i < ctx->npages; i++) { ++ if (ctx->should_dirty) ++ set_page_dirty(ctx->bv[i].bv_page); ++ put_page(ctx->bv[i].bv_page); ++ } ++ kvfree(ctx->bv); ++ } ++ + kfree(ctx); + } + diff --git a/queue-5.0/series b/queue-5.0/series index 389b5419858..bcb7950173f 100644 --- a/queue-5.0/series +++ b/queue-5.0/series @@ -6,3 +6,6 @@ alsa-hda-realtek-move-to-act_init-state.patch fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch block-bfq-fix-use-after-free-in-bfq_bfqq_expire.patch cifs-fix-memory-leak-in-smb2_read.patch +cifs-fix-page-reference-leak-with-readv-writev.patch +cifs-do-not-attempt-cifs-operation-on-smb2-rename-error.patch +tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch diff --git a/queue-5.0/tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch b/queue-5.0/tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch new file mode 100644 index 00000000000..db2db6c33dd --- /dev/null +++ b/queue-5.0/tracing-fix-a-memory-leak-by-early-error-exit-in-trace_pid_write.patch @@ -0,0 +1,52 @@ +From 91862cc7867bba4ee5c8fcf0ca2f1d30427b6129 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Fri, 19 Apr 2019 21:22:59 -0500 +Subject: tracing: Fix a memory leak by early error exit in trace_pid_write() + +From: Wenwen Wang + +commit 91862cc7867bba4ee5c8fcf0ca2f1d30427b6129 upstream. + +In trace_pid_write(), the buffer for trace parser is allocated through +kmalloc() in trace_parser_get_init(). Later on, after the buffer is used, +it is then freed through kfree() in trace_parser_put(). However, it is +possible that trace_pid_write() is terminated due to unexpected errors, +e.g., ENOMEM. In that case, the allocated buffer will not be freed, which +is a memory leak bug. + +To fix this issue, free the allocated buffer when an error is encountered. + +Link: http://lkml.kernel.org/r/1555726979-15633-1-git-send-email-wang6495@umn.edu + +Fixes: f4d34a87e9c10 ("tracing: Use pid bitmap instead of a pid array for set_event_pid") +Cc: stable@vger.kernel.org +Signed-off-by: Wenwen Wang +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -496,8 +496,10 @@ int trace_pid_write(struct trace_pid_lis + * not modified. + */ + pid_list = kmalloc(sizeof(*pid_list), GFP_KERNEL); +- if (!pid_list) ++ if (!pid_list) { ++ trace_parser_put(&parser); + return -ENOMEM; ++ } + + pid_list->pid_max = READ_ONCE(pid_max); + +@@ -507,6 +509,7 @@ int trace_pid_write(struct trace_pid_lis + + pid_list->pids = vzalloc((pid_list->pid_max + 7) >> 3); + if (!pid_list->pids) { ++ trace_parser_put(&parser); + kfree(pid_list); + return -ENOMEM; + }