From: Greg Kroah-Hartman Date: Sun, 30 Apr 2017 14:11:41 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.66~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b55b0efb13666273a63ce5f1872ffcb24f2bfa5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch arc-fix-build-error.patch arcv2-save-r30-on-kernel-entry-as-gcc-uses-it-for-code-gen.patch asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch macsec-avoid-heap-overflow-in-skb_to_sgvec.patch mips-avoid-bug-warning-in-arch_check_elf.patch mips-cevt-r4k-fix-out-of-bounds-array-access.patch mips-kgdb-use-kernel-context-for-sleeping-threads.patch net-can-usb-gs_usb-fix-buffer-on-stack.patch nfsd-check-for-oversized-nfsv2-v3-arguments.patch nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch p9_client_readdir-fix.patch --- diff --git a/queue-4.9/alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch b/queue-4.9/alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch new file mode 100644 index 00000000000..95e1224199f --- /dev/null +++ b/queue-4.9/alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch 
@@ -0,0 +1,40 @@ +From dfb00a56935186171abb5280b3407c3f910011f1 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Fri, 14 Apr 2017 12:43:01 +0900 +Subject: ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type + +From: Takashi Sakamoto + +commit dfb00a56935186171abb5280b3407c3f910011f1 upstream. + +An abstraction of asynchronous transaction for transmission of MIDI +messages was introduced in Linux v4.4. Each driver can utilize this +abstraction to transfer MIDI messages via fixed-length payload of +transaction to a certain unit address. Filling payload of the transaction +is done by callback. In this callback, each driver can return negative +error code, however current implementation assigns the return value to +unsigned variable. + +This commit changes type of the variable to fix the bug. + +Reported-by: Julia Lawall +Fixes: 585d7cba5e1f ("ALSA: firewire-lib: add helper functions for asynchronous transactions to transfer MIDI messages") +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/lib.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/lib.h ++++ b/sound/firewire/lib.h +@@ -45,7 +45,7 @@ struct snd_fw_async_midi_port { + + struct snd_rawmidi_substream *substream; + snd_fw_async_midi_port_fill fill; +- unsigned int consume_bytes; ++ int consume_bytes; + }; + + int snd_fw_async_midi_port_init(struct snd_fw_async_midi_port *port, diff --git a/queue-4.9/alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch b/queue-4.9/alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch new file mode 100644 index 00000000000..c109a26d70d --- /dev/null +++ b/queue-4.9/alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch 
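Review bot: the lib.h hunk only changes the declaration of `consume_bytes` from `unsigned int` to `int`; that is sufficient only if the consumer that assigns the `fill` callback's return value to it also checks for a negative value before using it as a byte count. That consumer is not in this diff (the summary shows a single file changed), so confirm the assignment site does `if (port->consume_bytes < 0)` before any comparison with an unsigned length, otherwise the negative value is promoted again in the comparison and the original bug survives the type change.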
@@ -0,0 +1,43 @@ +From 3d016d57fdc5e6caa4cd67896f4b081bccad6e2c Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Mon, 3 Apr 2017 21:13:40 +0900 +Subject: ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d + +From: Takashi Sakamoto + +commit 3d016d57fdc5e6caa4cd67896f4b081bccad6e2c upstream. + +At a commit 6c29230e2a5f ("ALSA: oxfw: delayed registration of sound +card"), ALSA oxfw driver fails to handle SCS.1m/1d, due to -EBUSY at a call +of snd_card_register(). The cause is that the driver manages to register +two rawmidi instances with the same device number 0. This is a regression +introduced since kernel 4.7. + +This commit fixes the regression, by fixing up device property after +discovering stream formats. + +Fixes: 6c29230e2a5f ("ALSA: oxfw: delayed registration of sound card") +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/oxfw/oxfw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/firewire/oxfw/oxfw.c ++++ b/sound/firewire/oxfw/oxfw.c +@@ -226,11 +226,11 @@ static void do_registration(struct work_ + if (err < 0) + goto error; + +- err = detect_quirks(oxfw); ++ err = snd_oxfw_stream_discover(oxfw); + if (err < 0) + goto error; + +- err = snd_oxfw_stream_discover(oxfw); ++ err = detect_quirks(oxfw); + if (err < 0) + goto error; + diff --git a/queue-4.9/alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch b/queue-4.9/alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch new file mode 100644 index 00000000000..d79e5f90c27 --- /dev/null +++ b/queue-4.9/alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch 
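Review bot: the oxfw.c hunk swaps the order of `snd_oxfw_stream_discover(oxfw)` and `detect_quirks(oxfw)` with no comment at the call site, while the commit message explains the ordering requirement ("fixing up device property after discovering stream formats"). Since the regression being fixed was itself an ordering change, add a one-line comment above the `detect_quirks` call stating that it must run after stream discovery so the dependency is visible to the next person reworking `do_registration()`.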
@@ -0,0 +1,57 @@ +From 4e7655fd4f47c23e5249ea260dc802f909a64611 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 9 Apr 2017 10:41:27 +0200 +Subject: ALSA: seq: Don't break snd_use_lock_sync() loop by timeout + +From: Takashi Iwai + +commit 4e7655fd4f47c23e5249ea260dc802f909a64611 upstream. + +The snd_use_lock_sync() (thus its implementation +snd_use_lock_sync_helper()) has the 5 seconds timeout to break out of +the sync loop. It was introduced from the beginning, just to be +"safer", in terms of avoiding the stupid bugs. + +However, as Ben Hutchings suggested, this timeout rather introduces a +potential leak or use-after-free that was apparently fixed by the +commit 2d7d54002e39 ("ALSA: seq: Fix race during FIFO resize"): +for example, snd_seq_fifo_event_in() -> snd_seq_event_dup() -> +copy_from_user() could block for a long time, and snd_use_lock_sync() +goes timeout and still leaves the cell at releasing the pool. + +For fixing such a problem, we remove the break by the timeout while +still keeping the warning. 
+ +Suggested-by: Ben Hutchings +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_lock.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/sound/core/seq/seq_lock.c ++++ b/sound/core/seq/seq_lock.c +@@ -28,19 +28,16 @@ + /* wait until all locks are released */ + void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line) + { +- int max_count = 5 * HZ; ++ int warn_count = 5 * HZ; + + if (atomic_read(lockp) < 0) { + pr_warn("ALSA: seq_lock: lock trouble [counter = %d] in %s:%d\n", atomic_read(lockp), file, line); + return; + } + while (atomic_read(lockp) > 0) { +- if (max_count == 0) { +- pr_warn("ALSA: seq_lock: timeout [%d left] in %s:%d\n", atomic_read(lockp), file, line); +- break; +- } ++ if (warn_count-- == 0) ++ pr_warn("ALSA: seq_lock: waiting [%d left] in %s:%d\n", atomic_read(lockp), file, line); + schedule_timeout_uninterruptible(1); +- max_count--; + } + } + diff --git a/queue-4.9/arc-fix-build-error.patch b/queue-4.9/arc-fix-build-error.patch new file mode 100644 index 00000000000..1d53fbd06f2 --- /dev/null +++ b/queue-4.9/arc-fix-build-error.patch 
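Review bot: with the `break` gone, `warn_count--` in the seq_lock.c hunk keeps decrementing after it reaches zero, so on a genuinely stuck lock the `int` eventually underflows (signed overflow, undefined behaviour, after roughly INT_MAX ticks) and the "waiting" warning fires again. Prefer `if (warn_count > 0 && --warn_count == 0)` so the counter stops at zero and the warning is printed exactly once. Also worth a comment above the loop saying that waiting forever is deliberate, because a caller that gives up here frees a cell still in use (the use-after-free described in the message); without that note the timeout is likely to be reintroduced as a "hang fix".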
@@ -0,0 +1,34 @@ +From 6492f09e864417d382e22b922ae30693a7ce2982 Mon Sep 17 00:00:00 2001 +From: Noam Camus +Date: Tue, 4 Apr 2017 11:00:41 +0300 +Subject: ARC: [plat-eznps] Fix build error + +From: Noam Camus + +commit 6492f09e864417d382e22b922ae30693a7ce2982 upstream. + +Make ATOMIC_INIT available for all ARC platforms (including plat-eznps) + +Signed-off-by: Noam Camus +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/atomic.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arc/include/asm/atomic.h ++++ b/arch/arc/include/asm/atomic.h +@@ -17,10 +17,11 @@ + #include + #include + ++#define ATOMIC_INIT(i) { (i) } ++ + #ifndef CONFIG_ARC_PLAT_EZNPS + + #define atomic_read(v) READ_ONCE((v)->counter) +-#define ATOMIC_INIT(i) { (i) } + + #ifdef CONFIG_ARC_HAS_LLSC + diff --git a/queue-4.9/arcv2-save-r30-on-kernel-entry-as-gcc-uses-it-for-code-gen.patch b/queue-4.9/arcv2-save-r30-on-kernel-entry-as-gcc-uses-it-for-code-gen.patch new file mode 100644 index 00000000000..907f16d140c --- /dev/null +++ b/queue-4.9/arcv2-save-r30-on-kernel-entry-as-gcc-uses-it-for-code-gen.patch 
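Review bot: moving `#define ATOMIC_INIT(i) { (i) }` above `#ifndef CONFIG_ARC_PLAT_EZNPS` makes it unconditional, so the `#else` branch of that conditional (not shown in the atomic.h hunk) must not carry its own `ATOMIC_INIT` definition or the eznps build now gets a macro redefinition warning instead of an undefined macro error. Confirm the eznps branch has no such define. Note also that the `#include` lines in the hunk context appear with their file names stripped on this page; that is a rendering artifact, not part of the patch.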
@@ -0,0 +1,49 @@ +From ecd43afdbe72017aefe48080631eb625e177ef4d Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Sun, 8 Jan 2017 19:45:48 -0800 +Subject: ARCv2: save r30 on kernel entry as gcc uses it for code-gen + +From: Vineet Gupta + +commit ecd43afdbe72017aefe48080631eb625e177ef4d upstream. + +This is not exposed to userspace debugers yet, which can be done +independently as a seperate patch ! + +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/entry-arcv2.h | 2 ++ + arch/arc/include/asm/ptrace.h | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arc/include/asm/entry-arcv2.h ++++ b/arch/arc/include/asm/entry-arcv2.h +@@ -16,6 +16,7 @@ + ; + ; Now manually save: r12, sp, fp, gp, r25 + ++ PUSH r30 + PUSH r12 + + ; Saving pt_regs->sp correctly requires some extra work due to the way +@@ -72,6 +73,7 @@ + POPAX AUX_USER_SP + 1: + POP r12 ++ POP r30 + + .endm + +--- a/arch/arc/include/asm/ptrace.h ++++ b/arch/arc/include/asm/ptrace.h +@@ -84,7 +84,7 @@ struct pt_regs { + unsigned long fp; + unsigned long sp; /* user/kernel sp depending on where we came from */ + +- unsigned long r12; ++ unsigned long r12, r30; + + /*------- Below list auto saved by h/w -----------*/ + unsigned long r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11; diff --git a/queue-4.9/asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch b/queue-4.9/asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch new file mode 100644 index 00000000000..9081db5853f --- /dev/null +++ b/queue-4.9/asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch 
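Review bot: the comment in the entry-arcv2.h hunk still reads "Now manually save: r12, sp, fp, gp, r25" although the hunk adds `PUSH r30` just below it; update the comment to list r30. The push/pop order (r30 pushed before r12, popped after it) matches the new `unsigned long r12, r30;` layout in ptrace.h, but growing `struct pt_regs` by one word means anything that computes offsets into or the size of `pt_regs` (asm-offsets, the ptrace regset the message says is not yet exposed, stack-alignment assumptions in the entry code) needs to be checked, and the commit message should say that the saved-register layout changed.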
@@ -0,0 +1,90 @@ +From 6e4cac23c5a648d50b107d1b53e9c4e1120c7943 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 24 Apr 2017 14:09:55 +0200 +Subject: ASoC: intel: Fix PM and non-atomic crash in bytcr drivers + +From: Takashi Iwai + +commit 6e4cac23c5a648d50b107d1b53e9c4e1120c7943 upstream. + +The FE setups of Intel SST bytcr_rt5640 and bytcr_rt5651 drivers carry +the ignore_suspend flag, and this prevents the suspend/resume working +properly while the stream is running, since SST core code has the +check of the running streams and returns -EBUSY. Drop these +superfluous flags for fixing the behavior. + +Also, the bytcr_rt5640 driver lacks of nonatomic flag in some FE +definitions, which leads to the kernel Oops at suspend/resume like: + + BUG: scheduling while atomic: systemd-sleep/3144/0x00000003 + Call Trace: + dump_stack+0x5c/0x7a + __schedule_bug+0x55/0x70 + __schedule+0x63c/0x8c0 + schedule+0x3d/0x90 + schedule_timeout+0x16b/0x320 + ? del_timer_sync+0x50/0x50 + ? sst_wait_timeout+0xa9/0x170 [snd_intel_sst_core] + ? sst_wait_timeout+0xa9/0x170 [snd_intel_sst_core] + ? remove_wait_queue+0x60/0x60 + ? sst_prepare_and_post_msg+0x275/0x960 [snd_intel_sst_core] + ? sst_pause_stream+0x9b/0x110 [snd_intel_sst_core] + .... + +This patch addresses these appropriately, too. 
+ +Signed-off-by: Takashi Iwai +Acked-by: Vinod Koul +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/intel/boards/bytcr_rt5640.c | 4 ++-- + sound/soc/intel/boards/bytcr_rt5651.c | 2 -- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -621,7 +621,7 @@ static struct snd_soc_dai_link byt_rt564 + .codec_dai_name = "snd-soc-dummy-dai", + .codec_name = "snd-soc-dummy", + .platform_name = "sst-mfld-platform", +- .ignore_suspend = 1, ++ .nonatomic = true, + .dynamic = 1, + .dpcm_playback = 1, + .dpcm_capture = 1, +@@ -634,7 +634,6 @@ static struct snd_soc_dai_link byt_rt564 + .codec_dai_name = "snd-soc-dummy-dai", + .codec_name = "snd-soc-dummy", + .platform_name = "sst-mfld-platform", +- .ignore_suspend = 1, + .nonatomic = true, + .dynamic = 1, + .dpcm_playback = 1, +@@ -661,6 +660,7 @@ static struct snd_soc_dai_link byt_rt564 + | SND_SOC_DAIFMT_CBS_CFS, + .be_hw_params_fixup = byt_rt5640_codec_fixup, + .ignore_suspend = 1, ++ .nonatomic = true, + .dpcm_playback = 1, + .dpcm_capture = 1, + .init = byt_rt5640_init, +--- a/sound/soc/intel/boards/bytcr_rt5651.c ++++ b/sound/soc/intel/boards/bytcr_rt5651.c +@@ -235,7 +235,6 @@ static struct snd_soc_dai_link byt_rt565 + .codec_dai_name = "snd-soc-dummy-dai", + .codec_name = "snd-soc-dummy", + .platform_name = "sst-mfld-platform", +- .ignore_suspend = 1, + .nonatomic = true, + .dynamic = 1, + .dpcm_playback = 1, +@@ -249,7 +248,6 @@ static struct snd_soc_dai_link byt_rt565 + .codec_dai_name = "snd-soc-dummy-dai", + .codec_name = "snd-soc-dummy", + .platform_name = "sst-mfld-platform", +- .ignore_suspend = 1, + .nonatomic = true, + .dynamic = 1, + .dpcm_playback = 1, diff --git a/queue-4.9/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch b/queue-4.9/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch new file mode 100644 index 00000000000..2096a1b1a8a --- /dev/null 
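Review bot: the third bytcr_rt5640.c hunk (the link at line 660 with `.be_hw_params_fixup = byt_rt5640_codec_fixup`) keeps `.ignore_suspend = 1` and only adds `.nonatomic = true`, whereas the two FE hunks above it drop `ignore_suspend` entirely. The commit message only talks about dropping the flag from FE setups, so if leaving it on this BE link is intentional, say so in the message or in a comment at that link; otherwise it looks like one occurrence was missed.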
+++ b/queue-4.9/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch 
@@ -0,0 +1,78 @@ +From 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 Mon Sep 17 00:00:00 2001 +From: "Yan, Zheng" +Date: Wed, 19 Apr 2017 10:01:48 +0800 +Subject: ceph: fix recursion between ceph_set_acl() and __ceph_setattr() + +From: Yan, Zheng + +commit 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 upstream. + +ceph_set_acl() calls __ceph_setattr() if the setacl operation needs +to modify inode's i_mode. __ceph_setattr() updates inode's i_mode, +then calls posix_acl_chmod(). + +The problem is that __ceph_setattr() calls posix_acl_chmod() before +sending the setattr request. The get_acl() call in posix_acl_chmod() +can trigger a getxattr request. The reply of the getxattr request +can restore inode's i_mode to its old value. The set_acl() call in +posix_acl_chmod() sees old value of inode's i_mode, so it calls +__ceph_setattr() again. + +Link: http://tracker.ceph.com/issues/19688 +Reported-by: Jerry Lee +Signed-off-by: "Yan, Zheng" +Reviewed-by: Jeff Layton +Tested-by: Luis Henriques +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/inode.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -2080,11 +2080,6 @@ int __ceph_setattr(struct inode *inode, + if (inode_dirty_flags) + __mark_inode_dirty(inode, inode_dirty_flags); + +- if (ia_valid & ATTR_MODE) { +- err = posix_acl_chmod(inode, attr->ia_mode); +- if (err) +- goto out_put; +- } + + if (mask) { + req->r_inode = inode; +@@ -2098,13 +2093,11 @@ int __ceph_setattr(struct inode *inode, + ceph_cap_string(dirtied), mask); + + ceph_mdsc_put_request(req); +- if (mask & CEPH_SETATTR_SIZE) +- __ceph_do_pending_vmtruncate(inode); +- ceph_free_cap_flush(prealloc_cf); +- return err; +-out_put: +- ceph_mdsc_put_request(req); + ceph_free_cap_flush(prealloc_cf); ++ ++ if (err >= 0 && (mask & CEPH_SETATTR_SIZE)) ++ __ceph_do_pending_vmtruncate(inode); ++ + return err; + } + +@@ -2123,7 +2116,12 @@ int ceph_setattr(struct 
dentry *dentry, + if (err != 0) + return err; + +- return __ceph_setattr(inode, attr); ++ err = __ceph_setattr(inode, attr); ++ ++ if (err >= 0 && (attr->ia_valid & ATTR_MODE)) ++ err = posix_acl_chmod(inode, attr->ia_mode); ++ ++ return err; + } + + /* diff --git a/queue-4.9/input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch b/queue-4.9/input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch new file mode 100644 index 00000000000..3715687f03a --- /dev/null +++ b/queue-4.9/input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch @@ -0,0 +1,41 @@ +From 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Thu, 13 Apr 2017 15:36:31 -0700 +Subject: Input: i8042 - add Clevo P650RS to the i8042 reset list +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Torokhov + +commit 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 upstream. + +Clevo P650RS and other similar devices require i8042 to be reset in order +to detect Synaptics touchpad. + +Reported-by: Paweł Bylica +Tested-by: Ed Bordin +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=190301 +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -685,6 +685,13 @@ static const struct dmi_system_id __init + DMI_MATCH(DMI_PRODUCT_NAME, "20046"), + }, + }, ++ { ++ /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"), ++ }, ++ }, + { } + }; + diff --git a/queue-4.9/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch b/queue-4.9/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch new file mode 100644 index 00000000000..b573becda28 --- /dev/null +++ b/queue-4.9/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch 
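Review bot: the second inode.c hunk changes when `__ceph_do_pending_vmtruncate(inode)` runs: previously it was called whenever `mask & CEPH_SETATTR_SIZE` regardless of `err`, now only when `err >= 0`. The commit message describes the ACL recursion fix but not this behaviour change on the error path; either state that skipping the pending truncate after a failed setattr request is intended, or keep the original unconditional call. Also, with `goto out_put` removed in the first hunk, confirm no other `goto out_put` remains in `__ceph_setattr()` (the label itself is deleted in the second hunk).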
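Review bot: in the i8042-x86ia64io.h hunk the comment names "Clevo P650RS, 650RP6, Sager NP8152-S" but the `DMI_MATCH` strings are the ODM values `"Notebook"` / `"P65xRP"`, and nothing in the diff ties those strings to the listed models; add the DMI product string from the bugzilla report to the comment so the next reader can verify the match. Since `DMI_MATCH` is a substring match and `"Notebook"` is a very generic vendor string, the `P65xRP` product match is doing all the work here; worth noting that explicitly.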
@@ -0,0 +1,72 @@ +From 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Fri, 21 Apr 2017 23:14:48 +0200 +Subject: macsec: avoid heap overflow in skb_to_sgvec + +From: Jason A. Donenfeld + +commit 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee upstream. + +While this may appear as a humdrum one line change, it's actually quite +important. An sk_buff stores data in three places: + +1. A linear chunk of allocated memory in skb->data. This is the easiest + one to work with, but it precludes using scatterdata since the memory + must be linear. +2. The array skb_shinfo(skb)->frags, which is of maximum length + MAX_SKB_FRAGS. This is nice for scattergather, since these fragments + can point to different pages. +3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff, + which in turn can have data in either (1) or (2). + +The first two are rather easy to deal with, since they're of a fixed +maximum length, while the third one is not, since there can be +potentially limitless chains of fragments. Fortunately dealing with +frag_list is opt-in for drivers, so drivers don't actually have to deal +with this mess. For whatever reason, macsec decided it wanted pain, and +so it explicitly specified NETIF_F_FRAGLIST. + +Because dealing with (1), (2), and (3) is insane, most users of sk_buff +doing any sort of crypto or paging operation calls a convenient function +called skb_to_sgvec (which happens to be recursive if (3) is in use!). +This takes a sk_buff as input, and writes into its output pointer an +array of scattergather list items. Sometimes people like to declare a +fixed size scattergather list on the stack; othertimes people like to +allocate a fixed size scattergather list on the heap. 
However, if you're +doing it in a fixed-size fashion, you really shouldn't be using +NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its +frag_list children arent't shared and then you check the number of +fragments in total required.) + +Macsec specifically does this: + + size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1); + tmp = kmalloc(size, GFP_ATOMIC); + *sg = (struct scatterlist *)(tmp + sg_offset); + ... + sg_init_table(sg, MAX_SKB_FRAGS + 1); + skb_to_sgvec(skb, sg, 0, skb->len); + +Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're +using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will +overflow the heap, and disaster ensues. + +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/macsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2709,7 +2709,7 @@ static netdev_tx_t macsec_start_xmit(str + } + + #define MACSEC_FEATURES \ +- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST) ++ (NETIF_F_SG | NETIF_F_HIGHDMA) + static struct lock_class_key macsec_netdev_addr_lock_key; + + static int macsec_dev_init(struct net_device *dev) diff --git a/queue-4.9/mips-avoid-bug-warning-in-arch_check_elf.patch b/queue-4.9/mips-avoid-bug-warning-in-arch_check_elf.patch new file mode 100644 index 00000000000..d5b4bda8a96 --- /dev/null +++ b/queue-4.9/mips-avoid-bug-warning-in-arch_check_elf.patch 
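Review bot: the macsec.c hunk removes `NETIF_F_FRAGLIST` from `MACSEC_FEATURES` but leaves the allocation site quoted in the commit message (`sg_init_table(sg, MAX_SKB_FRAGS + 1); skb_to_sgvec(skb, sg, 0, skb->len);`) unchanged, so the bound on the scatterlist is now enforced only by the feature mask. Add a check at that site that the number of fragments actually required by the skb does not exceed `MAX_SKB_FRAGS + 1` (or a `WARN_ON`/early `-EINVAL`), so that re-adding the feature flag, or an skb reaching `macsec_start_xmit` with a `frag_list` despite the mask, cannot turn into a heap overflow again.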
@@ -0,0 +1,46 @@ +From c46f59e90226fa5bfcc83650edebe84ae47d454b Mon Sep 17 00:00:00 2001 +From: James Cowgill +Date: Tue, 11 Apr 2017 13:51:07 +0100 +Subject: MIPS: Avoid BUG warning in arch_check_elf + +From: James Cowgill + +commit c46f59e90226fa5bfcc83650edebe84ae47d454b upstream. + +arch_check_elf contains a usage of current_cpu_data that will call +smp_processor_id() with preemption enabled and therefore triggers a +"BUG: using smp_processor_id() in preemptible" warning when an fpxx +executable is loaded. + +As a follow-up to commit b244614a60ab ("MIPS: Avoid a BUG warning during +prctl(PR_SET_FP_MODE, ...)"), apply the same fix to arch_check_elf by +using raw_current_cpu_data instead. The rationale quoted from the previous +commit: + +"It is assumed throughout the kernel that if any CPU has an FPU, then +all CPUs would have an FPU as well, so it is safe to perform the check +with preemption enabled - change the code to use raw_ variant of the +check to avoid the warning." + +Fixes: 46490b572544 ("MIPS: kernel: elf: Improve the overall ABI and FPU mode checks") +Signed-off-by: James Cowgill +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15951/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/elf.c ++++ b/arch/mips/kernel/elf.c +@@ -257,7 +257,7 @@ int arch_check_elf(void *_ehdr, bool has + else if ((prog_req.fr1 && prog_req.frdefault) || + (prog_req.single && !prog_req.frdefault)) + /* Make sure 64-bit MIPS III/IV/64R1 will not pick FR1 */ +- state->overall_fp_mode = ((current_cpu_data.fpu_id & MIPS_FPIR_F64) && ++ state->overall_fp_mode = ((raw_current_cpu_data.fpu_id & MIPS_FPIR_F64) && + cpu_has_mips_r2_r6) ? + FP_FR1 : FP_FR0; + else if (prog_req.fr1) 
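Review bot: the elf.c hunk switches to `raw_current_cpu_data.fpu_id` without a comment at the use site, while the justification (every CPU has an FPU if any does, so reading another CPU's copy with preemption enabled is fine) lives only in the commit message; put a short comment above the expression saying why the `raw_` variant is safe here, otherwise a later cleanup is likely to "fix" it back to `current_cpu_data` and reintroduce the `smp_processor_id()` warning.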
diff --git a/queue-4.9/mips-cevt-r4k-fix-out-of-bounds-array-access.patch b/queue-4.9/mips-cevt-r4k-fix-out-of-bounds-array-access.patch new file mode 100644 index 00000000000..3ff60d2e1c1 --- /dev/null +++ b/queue-4.9/mips-cevt-r4k-fix-out-of-bounds-array-access.patch 
@@ -0,0 +1,88 @@ +From 9d7f29cdb4ca53506115cf1d7a02ce6013894df0 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 5 Apr 2017 16:32:45 +0100 +Subject: MIPS: cevt-r4k: Fix out-of-bounds array access + +From: James Hogan + +commit 9d7f29cdb4ca53506115cf1d7a02ce6013894df0 upstream. + +calculate_min_delta() may incorrectly access a 4th element of buf2[] +which only has 3 elements. This may trigger undefined behaviour and has +been reported to cause strange crashes in start_kernel() sometime after +timer initialization when built with GCC 5.3, possibly due to +register/stack corruption: + +sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 10737418237ns +CPU 0 Unable to handle kernel paging request at virtual address ffffb0aa, epc == 8067daa8, ra == 8067da84 +Oops[#1]: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.18 #51 +task: 8065e3e0 task.stack: 80644000 +$ 0 : 00000000 00000001 00000000 00000000 +$ 4 : 8065b4d0 00000000 805d0000 00000010 +$ 8 : 00000010 80321400 fffff000 812de408 +$12 : 00000000 00000000 00000000 ffffffff +$16 : 00000002 ffffffff 80660000 806a666c +$20 : 806c0000 00000000 00000000 00000000 +$24 : 00000000 00000010 +$28 : 80644000 80645ed0 00000000 8067da84 +Hi : 00000000 +Lo : 00000000 +epc : 8067daa8 start_kernel+0x33c/0x500 +ra : 8067da84 start_kernel+0x318/0x500 +Status: 11000402 KERNEL EXL +Cause : 4080040c (ExcCode 03) +BadVA : ffffb0aa +PrId : 0501992c (MIPS 1004Kc) +Modules linked in: +Process swapper/0 (pid: 0, threadinfo=80644000, task=8065e3e0, tls=00000000) +Call Trace: +[<8067daa8>] start_kernel+0x33c/0x500 +Code: 24050240 0c0131f9 24849c64 41606020 000000c0 0c1a45e6 00000000 0c1a5f44 + +UBSAN also detects the same issue: + +================================================================ +UBSAN: Undefined behaviour in arch/mips/kernel/cevt-r4k.c:85:41 +load of address 80647e4c with insufficient space +for an object of type 'unsigned int' +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.18 #47 +Call Trace: +[<80028f70>] 
show_stack+0x88/0xa4 +[<80312654>] dump_stack+0x84/0xc0 +[<8034163c>] ubsan_epilogue+0x14/0x50 +[<803417d8>] __ubsan_handle_type_mismatch+0x160/0x168 +[<8002dab0>] r4k_clockevent_init+0x544/0x764 +[<80684d34>] time_init+0x18/0x90 +[<8067fa5c>] start_kernel+0x2f0/0x500 +================================================================= + +buf2[] is intentionally only 3 elements so that the last element is the +median once 5 samples have been inserted, so explicitly prevent the +possibility of comparing against the 4th element rather than extending +the array. + +Fixes: 1fa405552e33f2 ("MIPS: cevt-r4k: Dynamically calculate min_delta_ns") +Reported-by: Rabin Vincent +Signed-off-by: James Hogan +Tested-by: Rabin Vincent +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15892/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/cevt-r4k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/cevt-r4k.c ++++ b/arch/mips/kernel/cevt-r4k.c +@@ -80,7 +80,7 @@ static unsigned int calculate_min_delta( + } + + /* Sorted insert of 75th percentile into buf2 */ +- for (k = 0; k < i; ++k) { ++ for (k = 0; k < i && k < ARRAY_SIZE(buf2); ++k) { + if (buf1[ARRAY_SIZE(buf1) - 1] < buf2[k]) { + l = min_t(unsigned int, + i, ARRAY_SIZE(buf2) - 1); diff --git a/queue-4.9/mips-kgdb-use-kernel-context-for-sleeping-threads.patch b/queue-4.9/mips-kgdb-use-kernel-context-for-sleeping-threads.patch new file mode 100644 index 00000000000..22f985ab3f9 --- /dev/null +++ b/queue-4.9/mips-kgdb-use-kernel-context-for-sleeping-threads.patch 
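Review bot: the cevt-r4k.c hunk bounds the loop with `k < ARRAY_SIZE(buf2)`, which stops the read of `buf2[k]` past the 3-element array, but the reason `buf2` is deliberately one element shorter than the sample count (the commit message's "last element is the median once 5 samples have been inserted") is not recorded in the code. Add a comment at the `buf2` declaration, or next to this loop, explaining the intended size relationship; without it the next reader will see `i` exceeding `ARRAY_SIZE(buf2)` and "fix" the array size instead of the loop.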
@@ -0,0 +1,125 @@ +From 162b270c664dca2e0944308e92f9fcc887151a72 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Thu, 30 Mar 2017 16:06:02 +0100 +Subject: MIPS: KGDB: Use kernel context for sleeping threads + +From: James Hogan + +commit 162b270c664dca2e0944308e92f9fcc887151a72 upstream. + +KGDB is a kernel debug stub and it can't be used to debug userland as it +can only safely access kernel memory. + +On MIPS however KGDB has always got the register state of sleeping +processes from the userland register context at the beginning of the +kernel stack. This is meaningless for kernel threads (which never enter +userland), and for user threads it prevents the user seeing what it is +doing while in the kernel: + +(gdb) info threads + Id Target Id Frame + ... + 3 Thread 2 (kthreadd) 0x0000000000000000 in ?? () + 2 Thread 1 (init) 0x000000007705c4b4 in ?? () + 1 Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201 + +Get the register state instead from the (partial) kernel register +context stored in the task's thread_struct for resume() to restore. All +threads now correctly appear to be in context_switch(): + +(gdb) info threads + Id Target Id Frame + ... + 3 Thread 2 (kthreadd) context_switch (rq=, cookie=..., next=, prev=0x0) at kernel/sched/core.c:2903 + 2 Thread 1 (init) context_switch (rq=, cookie=..., next=, prev=0x0) at kernel/sched/core.c:2903 + 1 Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201 + +Call clobbered registers which aren't saved and exception registers +(BadVAddr & Cause) which can't be easily determined without stack +unwinding are reported as 0. The PC is taken from the return address, +such that the state presented matches that found immediately after +returning from resume(). 
+ +Fixes: 8854700115ec ("[MIPS] kgdb: add arch support for the kernel's kgdb core") +Signed-off-by: James Hogan +Cc: Jason Wessel +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15829/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/kgdb.c | 48 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 33 insertions(+), 15 deletions(-) + +--- a/arch/mips/kernel/kgdb.c ++++ b/arch/mips/kernel/kgdb.c +@@ -244,9 +244,6 @@ static int compute_signal(int tt) + void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p) + { + int reg; +- struct thread_info *ti = task_thread_info(p); +- unsigned long ksp = (unsigned long)ti + THREAD_SIZE - 32; +- struct pt_regs *regs = (struct pt_regs *)ksp - 1; + #if (KGDB_GDB_REG_SIZE == 32) + u32 *ptr = (u32 *)gdb_regs; + #else +@@ -254,25 +251,46 @@ void sleeping_thread_to_gdb_regs(unsigne + #endif + + for (reg = 0; reg < 16; reg++) +- *(ptr++) = regs->regs[reg]; ++ *(ptr++) = 0; + + /* S0 - S7 */ +- for (reg = 16; reg < 24; reg++) +- *(ptr++) = regs->regs[reg]; ++ *(ptr++) = p->thread.reg16; ++ *(ptr++) = p->thread.reg17; ++ *(ptr++) = p->thread.reg18; ++ *(ptr++) = p->thread.reg19; ++ *(ptr++) = p->thread.reg20; ++ *(ptr++) = p->thread.reg21; ++ *(ptr++) = p->thread.reg22; ++ *(ptr++) = p->thread.reg23; + + for (reg = 24; reg < 28; reg++) + *(ptr++) = 0; + + /* GP, SP, FP, RA */ +- for (reg = 28; reg < 32; reg++) +- *(ptr++) = regs->regs[reg]; +- +- *(ptr++) = regs->cp0_status; +- *(ptr++) = regs->lo; +- *(ptr++) = regs->hi; +- *(ptr++) = regs->cp0_badvaddr; +- *(ptr++) = regs->cp0_cause; +- *(ptr++) = regs->cp0_epc; ++ *(ptr++) = (long)p; ++ *(ptr++) = p->thread.reg29; ++ *(ptr++) = p->thread.reg30; ++ *(ptr++) = p->thread.reg31; ++ ++ *(ptr++) = p->thread.cp0_status; ++ ++ /* lo, hi */ ++ *(ptr++) = 0; ++ *(ptr++) = 0; ++ ++ /* ++ * BadVAddr, Cause ++ * Ideally these would come from the last exception frame up the stack ++ * but 
that requires unwinding, otherwise we can't know much for sure. ++ */ ++ *(ptr++) = 0; ++ *(ptr++) = 0; ++ ++ /* ++ * PC ++ * use return address (RA), i.e. the moment after return from resume() ++ */ ++ *(ptr++) = p->thread.reg31; + } + + void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc) diff --git a/queue-4.9/net-can-usb-gs_usb-fix-buffer-on-stack.patch b/queue-4.9/net-can-usb-gs_usb-fix-buffer-on-stack.patch new file mode 100644 index 00000000000..0905dbd72da --- /dev/null +++ b/queue-4.9/net-can-usb-gs_usb-fix-buffer-on-stack.patch 
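Review bot: in the kgdb.c hunk the GP slot is filled with `(long)p`, the `task_struct` pointer, while the code being removed obtained `task_thread_info(p)`; in kernel mode on MIPS $28 holds the thread_info pointer, so confirm that `(long)p` is the value gdb should see for GP in a sleeping thread's context, or use `task_thread_info(p)` and say why in the comment. The comment above these lines only reads "GP, SP, FP, RA" and does not explain the choice. The PC comment is fine, but it would help to state there that `reg31` appears twice (once as RA, once as PC) on purpose.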
@@ -0,0 +1,59 @@ +From b05c73bd1e3ec60357580eb042ee932a5ed754d5 Mon Sep 17 00:00:00 2001 +From: Maksim Salau +Date: Sun, 23 Apr 2017 20:31:40 +0300 +Subject: net: can: usb: gs_usb: Fix buffer on stack + +From: Maksim Salau + +commit b05c73bd1e3ec60357580eb042ee932a5ed754d5 upstream. + +Allocate buffers on HEAP instead of STACK for local structures +that are to be sent using usb_control_msg(). + +Signed-off-by: Maksim Salau +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/gs_usb.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -740,13 +740,18 @@ static const struct net_device_ops gs_us + static int gs_usb_set_identify(struct net_device *netdev, bool do_identify) + { + struct gs_can *dev = netdev_priv(netdev); +- struct gs_identify_mode imode; ++ struct gs_identify_mode *imode; + int rc; + ++ imode = kmalloc(sizeof(*imode), GFP_KERNEL); ++ ++ if (!imode) ++ return -ENOMEM; ++ + if (do_identify) +- imode.mode = GS_CAN_IDENTIFY_ON; ++ imode->mode = GS_CAN_IDENTIFY_ON; + else +- imode.mode = GS_CAN_IDENTIFY_OFF; ++ imode->mode = GS_CAN_IDENTIFY_OFF; + + rc = usb_control_msg(interface_to_usbdev(dev->iface), + usb_sndctrlpipe(interface_to_usbdev(dev->iface), +@@ -756,10 +761,12 @@ static int gs_usb_set_identify(struct ne + USB_RECIP_INTERFACE, + dev->channel, + 0, +- &imode, +- sizeof(imode), ++ imode, ++ sizeof(*imode), + 100); + ++ kfree(imode); ++ + return (rc > 0) ? 0 : rc; + } + diff --git a/queue-4.9/nfsd-check-for-oversized-nfsv2-v3-arguments.patch b/queue-4.9/nfsd-check-for-oversized-nfsv2-v3-arguments.patch new file mode 100644 index 00000000000..8c51481d9bc --- /dev/null +++ b/queue-4.9/nfsd-check-for-oversized-nfsv2-v3-arguments.patch 
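Review bot: the gs_usb.c hunk moves `imode` to the heap but neither the code nor the commit message says why; the reason is that `usb_control_msg()` needs a DMA-capable buffer and stack memory is not, so add that sentence to the message and a one-line comment at the `kmalloc`. The message also speaks of "local structures" (plural) sent through `usb_control_msg()`, yet only `gs_usb_set_identify()` is changed; confirm whether the other control-message callers in this driver already use heap buffers or need the same fix.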
@@ -0,0 +1,103 @@ +From e6838a29ecb484c97e4efef9429643b9851fba6e Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Fri, 21 Apr 2017 16:10:18 -0400 +Subject: nfsd: check for oversized NFSv2/v3 arguments +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: J. Bruce Fields + +commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream. + +A client can append random data to the end of an NFSv2 or NFSv3 RPC call +without our complaining; we'll just stop parsing at the end of the +expected data and ignore the rest. + +Encoded arguments and replies are stored together in an array of pages, +and if a call is too large it could leave inadequate space for the +reply. This is normally OK because NFS RPC's typically have either +short arguments and long replies (like READ) or long arguments and short +replies (like WRITE). But a client that sends an incorrectly long reply +can violate those assumptions. This was observed to cause crashes. + +Also, several operations increment rq_next_page in the decode routine +before checking the argument size, which can leave rq_next_page pointing +well past the end of the page array, causing trouble later in +svc_free_pages. + +So, following a suggestion from Neil Brown, add a central check to +enforce our expectation that no NFSv2/v3 call has both a large call and +a large reply. + +As followup we may also want to rewrite the encoding routines to check +more carefully that they aren't running off the end of the page array. + +We may also consider rejecting calls that have any extra garbage +appended. That would be safer, and within our rights by spec, but given +the age of our server and the NFS protocol, and the fact that we've +never enforced this before, we may need to balance that against the +possibility of breaking some oddball client. + +Reported-by: Tuomas Haanpää +Reported-by: Ari Kauppi +Reviewed-by: NeilBrown +Signed-off-by: J. 
Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -733,6 +733,37 @@ static __be32 map_new_errors(u32 vers, _ + return nfserr; + } + ++/* ++ * A write procedure can have a large argument, and a read procedure can ++ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and ++ * reply that can both be larger than a page. The xdr code has taken ++ * advantage of this assumption to be a sloppy about bounds checking in ++ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that ++ * problem, we enforce these assumptions here: ++ */ ++static bool nfs_request_too_big(struct svc_rqst *rqstp, ++ struct svc_procedure *proc) ++{ ++ /* ++ * The ACL code has more careful bounds-checking and is not ++ * susceptible to this problem: ++ */ ++ if (rqstp->rq_prog != NFS_PROGRAM) ++ return false; ++ /* ++ * Ditto NFSv4 (which can in theory have argument and reply both ++ * more than a page): ++ */ ++ if (rqstp->rq_vers >= 4) ++ return false; ++ /* The reply will be small, we're OK: */ ++ if (proc->pc_xdrressize > 0 && ++ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE)) ++ return false; ++ ++ return rqstp->rq_arg.len > PAGE_SIZE; ++} ++ + int + nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) + { +@@ -745,6 +776,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __ + rqstp->rq_vers, rqstp->rq_proc); + proc = rqstp->rq_procinfo; + ++ if (nfs_request_too_big(rqstp, proc)) { ++ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers); ++ *statp = rpc_garbage_args; ++ return 1; ++ } + /* + * Give the xdr decoder a chance to change this if it wants + * (necessary in the NFSv4.0 compound case) diff --git a/queue-4.9/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch b/queue-4.9/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch new file mode 100644 index 00000000000..d8b072a1b34 --- /dev/null 
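Review bot: the new comment above nfs_request_too_big() has a typo, "to be a sloppy about bounds checking"; drop the stray "a". On the logic, the early return `if (proc->pc_xdrressize > 0 && proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE)) return false;` treats a procedure with pc_xdrressize == 0 as one whose reply may be large, so it falls through to the `rq_arg.len > PAGE_SIZE` limit; a short comment that 0 means "unknown, be conservative" would stop a reader from taking the `> 0` test for a bug. The rejection path returns rpc_garbage_args, which is the right RPC-level answer for a malformed call, but the added dprintk() logs only the version; the preceding dprintk() in nfsd_dispatch() already has rq_proc to hand, and including it would make the rejected procedure identifiable when diagnosing a misbehaving client. Also, the commit message says "a client that sends an incorrectly long reply" where the surrounding text means an incorrectly long call.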
+++ b/queue-4.9/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch @@ -0,0 +1,60 @@ +From 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Fri, 21 Apr 2017 15:26:30 -0400 +Subject: nfsd: stricter decoding of write-like NFSv2/v3 ops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: J. Bruce Fields + +commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 upstream. + +The NFSv2/v3 code does not systematically check whether we decode past +the end of the buffer. This generally appears to be harmless, but there +are a few places where we do arithmetic on the pointers involved and +don't account for the possibility that a length could be negative. Add +checks to catch these. + +Reported-by: Tuomas Haanpää +Reported-by: Ari Kauppi +Reviewed-by: NeilBrown +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs3xdr.c | 4 ++++ + fs/nfsd/nfsxdr.c | 2 ++ + 2 files changed, 6 insertions(+) + +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst + args->count = ntohl(*p++); + args->stable = ntohl(*p++); + len = args->len = ntohl(*p++); ++ if ((void *)p > head->iov_base + head->iov_len) ++ return 0; + /* + * The count must equal the amount of data passed. + */ +@@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rq + /* first copy and check from the first page */ + old = (char*)p; + vec = &rqstp->rq_arg.head[0]; ++ if ((void *)old > vec->iov_base + vec->iov_len) ++ return 0; + avail = vec->iov_len - (old - (char*)vec->iov_base); + while (len && avail && *old) { + *new++ = *old++; +--- a/fs/nfsd/nfsxdr.c ++++ b/fs/nfsd/nfsxdr.c +@@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst + * bytes. + */ + hdr = (void*)p - head->iov_base; ++ if (hdr > head->iov_len) ++ return 0; + dlen = head->iov_len + rqstp->rq_arg.page_len - hdr; + + /* 
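Review bot: in the nfs3svc_decode_symlinkargs() hunk the new check `if ((void *)old > vec->iov_base + vec->iov_len) return 0;` sits directly before `avail = vec->iov_len - (old - (char*)vec->iov_base);`, and that subtraction is the arithmetic the commit message refers to: with `old` past the end of the head kvec the result wraps (iov_len is a size_t), and the `while (len && avail && *old)` copy loop then reads beyond the buffer. A one-line comment at each of the three checks saying what they guard would help, because the `>` rather than `>=` is deliberate: a pointer sitting exactly at iov_base + iov_len is legal, the remaining data being in the page array. The nfsxdr.c variant `if (hdr > head->iov_len)` tests the already computed offset `hdr = (void*)p - head->iov_base` instead of the pointer, which is equivalent to the other two; making the three checks textually identical would make that easier to verify at a glance.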
diff --git a/queue-4.9/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch b/queue-4.9/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch new file mode 100644 index 00000000000..979901d2285 --- /dev/null +++ b/queue-4.9/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch 
@@ -0,0 +1,82 @@ +From db44bac41bbfc0c0d9dd943092d8bded3c9db19b Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Tue, 25 Apr 2017 16:21:34 -0400 +Subject: nfsd4: minor NFSv2/v3 write decoding cleanup + +From: J. Bruce Fields + +commit db44bac41bbfc0c0d9dd943092d8bded3c9db19b upstream. + +Use a couple shortcuts that will simplify a following bugfix. + +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs3xdr.c | 9 +++++---- + fs/nfsd/nfsxdr.c | 8 ++++---- + 2 files changed, 9 insertions(+), 8 deletions(-) + +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -358,6 +358,8 @@ nfs3svc_decode_writeargs(struct svc_rqst + { + unsigned int len, v, hdr, dlen; + u32 max_blocksize = svc_max_payload(rqstp); ++ struct kvec *head = rqstp->rq_arg.head; ++ struct kvec *tail = rqstp->rq_arg.tail; + + p = decode_fh(p, &args->fh); + if (!p) +@@ -377,9 +379,8 @@ nfs3svc_decode_writeargs(struct svc_rqst + * Check to make sure that we got the right number of + * bytes. 
+ */ +- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; +- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len +- + rqstp->rq_arg.tail[0].iov_len - hdr; ++ hdr = (void*)p - head->iov_base; ++ dlen = head->iov_len + rqstp->rq_arg.page_len + tail->iov_len - hdr; + /* + * Round the length of the data which was specified up to + * the next multiple of XDR units and then compare that +@@ -396,7 +397,7 @@ nfs3svc_decode_writeargs(struct svc_rqst + len = args->len = max_blocksize; + } + rqstp->rq_vec[0].iov_base = (void*)p; +- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr; ++ rqstp->rq_vec[0].iov_len = head->iov_len - hdr; + v = 0; + while (len > rqstp->rq_vec[v].iov_len) { + len -= rqstp->rq_vec[v].iov_len; +--- a/fs/nfsd/nfsxdr.c ++++ b/fs/nfsd/nfsxdr.c +@@ -280,6 +280,7 @@ nfssvc_decode_writeargs(struct svc_rqst + struct nfsd_writeargs *args) + { + unsigned int len, hdr, dlen; ++ struct kvec *head = rqstp->rq_arg.head; + int v; + + p = decode_fh(p, &args->fh); +@@ -300,9 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst + * Check to make sure that we got the right number of + * bytes. + */ +- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base; +- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len +- - hdr; ++ hdr = (void*)p - head->iov_base; ++ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr; + + /* + * Round the length of the data which was specified up to +@@ -316,7 +316,7 @@ nfssvc_decode_writeargs(struct svc_rqst + return 0; + + rqstp->rq_vec[0].iov_base = (void*)p; +- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr; ++ rqstp->rq_vec[0].iov_len = head->iov_len - hdr; + v = 0; + while (len > rqstp->rq_vec[v].iov_len) { + len -= rqstp->rq_vec[v].iov_len; diff --git a/queue-4.9/p9_client_readdir-fix.patch b/queue-4.9/p9_client_readdir-fix.patch new file mode 100644 index 00000000000..b82f59e0a43 --- /dev/null +++ b/queue-4.9/p9_client_readdir-fix.patch 
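Review bot: the subject prefix "nfsd4:" is misleading for a patch that touches only the NFSv2 (nfsxdr.c) and NFSv3 (nfs3xdr.c) write decoders; "nfsd:" would match the rest of the series. The change is behaviour-preserving: `rqstp->rq_arg.head` is an array, so `struct kvec *head = rqstp->rq_arg.head;` points at the element the old `rqstp->rq_arg.head[0]` accessed, and the rewritten `hdr`, `dlen` and `rq_vec[0].iov_len` expressions are term for term the old ones. The message's "a following bugfix" should name that fix (stricter decoding of write-like NFSv2/v3 ops), since preparing for it is the only reason a pure refactor is in a stable queue; the new `tail` local in nfs3svc_decode_writeargs() is used exactly once, which is fine but worth a glance since it is the one shortcut the later fix does not need.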
@@ -0,0 +1,32 @@ +From 71d6ad08379304128e4bdfaf0b4185d54375423e Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 14 Apr 2017 17:22:18 -0400 +Subject: p9_client_readdir() fix + +From: Al Viro + +commit 71d6ad08379304128e4bdfaf0b4185d54375423e upstream. + +Don't assume that server is sane and won't return more data than +asked for. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/client.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -2101,6 +2101,10 @@ int p9_client_readdir(struct p9_fid *fid + trace_9p_protocol_dump(clnt, req->rc); + goto free_and_error; + } ++ if (rsize < count) { ++ pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize); ++ count = rsize; ++ } + + p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count); + diff --git a/queue-4.9/series b/queue-4.9/series index 0fbdba19df5..3fcd0b916f4 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
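Review bot: the new check clamps with `count = rsize;` and carries on, so an RREADDIR that returns more than was asked for is silently truncated to the requested size instead of being rejected; since `rsize < count` is a protocol violation by the server (the message calls it "bogus"), consider handling it like the decode failure just above it, `goto free_and_error` with an error, rather than continuing with a partial directory listing whose missing entries the caller cannot detect. Also, `pr_err()` here is driven purely by server-controlled input, so a buggy or hostile server can flood the kernel log at will; `pr_err_ratelimited()` is the usual choice for that.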
@@ -34,3 +34,20 @@ net-phy-fix-auto-negotiation-stall-due-to-unavailable-interrupt.patch ipv6-check-skb-protocol-before-lookup-for-nexthop.patch tcp-memset-ca_priv-data-to-0-properly.patch ipv6-check-raw-payload-size-correctly-in-ioctl.patch +alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch +alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch +alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch +arc-fix-build-error.patch +mips-kgdb-use-kernel-context-for-sleeping-threads.patch +mips-cevt-r4k-fix-out-of-bounds-array-access.patch +mips-avoid-bug-warning-in-arch_check_elf.patch +p9_client_readdir-fix.patch +asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch +input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch +nfsd-check-for-oversized-nfsv2-v3-arguments.patch +nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch +nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch +ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch +macsec-avoid-heap-overflow-in-skb_to_sgvec.patch +net-can-usb-gs_usb-fix-buffer-on-stack.patch +arcv2-save-r30-on-kernel-entry-as-gcc-uses-it-for-code-gen.patch
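Review bot: the ordering in the series matters here: nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch is listed before nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch, and it has to be, because the stricter-decoding checks reference the `head` local (`head->iov_base`, `head->iov_len`) that the cleanup introduces in nfs3svc_decode_writeargs() and nfssvc_decode_writeargs(); a note to that effect in the stable submission would stop anyone cherry-picking the bugfix without the cleanup and getting a build failure.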