From: Sasha Levin
Date: Thu, 27 Jun 2019 23:11:59 +0000 (-0400)
Subject: fixes for 4.4
X-Git-Tag: v5.1.16~44
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e83a4549b3625e80b65f22c12d0128d1e6cf79b;p=thirdparty%2Fkernel%2Fstable-queue.git
fixes for 4.4
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.4/9p-acl-fix-uninitialized-iattr-access.patch b/queue-4.4/9p-acl-fix-uninitialized-iattr-access.patch
new file mode 100644
index 00000000000..0eb59e84163
--- /dev/null
+++ b/queue-4.4/9p-acl-fix-uninitialized-iattr-access.patch
@@ -0,0 +1,35 @@
+From 04ffc0b9d792ee2022115fa7f25edbcd8b21ed9b Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Sat, 8 Sep 2018 00:10:57 +0900
+Subject: 9p: acl: fix uninitialized iattr access
+
+[ Upstream commit e02a53d92e197706cad1627bd84705d4aa20a145 ]
+
+iattr is passed to v9fs_vfs_setattr_dotl which does send various
+values from iattr over the wire, even if it tells the server to
+only look at iattr.ia_valid fields this could leak some stack data.
+
+Link: http://lkml.kernel.org/r/1536339057-21974-2-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 1195601 ("Uninitalized scalar variable")
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ fs/9p/acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/9p/acl.c b/fs/9p/acl.c
+index c30c6ceac2c4..d02ee4026e32 100644
+--- a/fs/9p/acl.c
++++ b/fs/9p/acl.c
+@@ -282,7 +282,7 @@ static int v9fs_xattr_set_acl(const struct xattr_handler *handler,
+ switch (handler->flags) {
+ case ACL_TYPE_ACCESS:
+ if (acl) {
+- struct iattr iattr;
++ struct iattr iattr = { 0 };
+ struct posix_acl *old_acl = acl;
+
+ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+--
+2.20.1
+
diff --git a/queue-4.4/9p-p9dirent_read-check-network-provided-name-length.patch b/queue-4.4/9p-p9dirent_read-check-network-provided-name-length.patch
new file mode 100644
index 00000000000..8f8d250859f
--- /dev/null
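Review bot: In the fs/9p/acl.c hunk carried by 9p-acl-fix-uninitialized-iattr-access.patch, the new `struct iattr iattr = { 0 };` has no comment saying why the zeroing matters, so a later cleanup could drop it as redundant, since the only field the visible lines fill in is `ia_mode`. Per the commit message, v9fs_vfs_setattr_dotl sends iattr values over the wire regardless of ia_valid, so I would add `/* zeroed: setattr sends iattr fields to the server even when ia_valid does not select them */` above the declaration. The rest of v9fs_xattr_set_acl, including the setattr call itself, is outside the hunk.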
+++ b/queue-4.4/9p-p9dirent_read-check-network-provided-name-length.patch
@@ -0,0 +1,52 @@
+From 5160e5d4f8f1f5e1ec667995ed73f86abdefee45 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Sat, 8 Sep 2018 00:36:08 +0900
+Subject: 9p: p9dirent_read: check network-provided name length
+
+[ Upstream commit ef5305f1f72eb1cfcda25c382bb0368509c0385b ]
+
+strcpy to dirent->d_name could overflow the buffer, use strscpy to check
+the provided string length and error out if the size was too big.
+
+While we are here, make the function return an error when the pdu
+parsing failed, instead of returning the pdu offset as if it had been a
+success...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-4-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 139133 ("Copy into fixed size buffer")
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/protocol.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/9p/protocol.c b/net/9p/protocol.c
+index 7f1b45c082c9..ed1e39ccaebf 100644
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -622,13 +622,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len,
+ if (ret) {
+ p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret);
+ trace_9p_protocol_dump(clnt, &fake_pdu);
+- goto out;
++ return ret;
+ }
+
+- strcpy(dirent->d_name, nameptr);
++ ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name));
++ if (ret < 0) {
++ p9_debug(P9_DEBUG_ERROR,
++ "On the wire dirent name too long: %s\n",
++ nameptr);
++ kfree(nameptr);
++ return ret;
++ }
+ kfree(nameptr);
+
+-out:
+ return fake_pdu.offset;
+ }
+ EXPORT_SYMBOL(p9dirent_read);
+--
+2.20.1
+
diff --git a/queue-4.4/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch b/queue-4.4/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
new file mode 100644
index 00000000000..c24c9935793
--- /dev/null
+++ b/queue-4.4/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
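Review bot: The new error branch in p9dirent_read (net/9p/protocol.c hunk of 9p-p9dirent_read-check-network-provided-name-length.patch) prints the whole network-supplied name with `%s` at P9_DEBUG_ERROR, and that branch runs exactly when the peer sent a name longer than `dirent->d_name`, so the length of the log line is chosen by the server. I would bound the output, for example `"On the wire dirent name too long: %.64s\n"` (the width is only an illustration), or log the length instead of the string. Separately, strscpy has already stored a truncated name in `dirent->d_name` by the time it reports the error, and the function now returns a negative value where it used to return the offset. Both belong in the function's header comment, which is outside the hunk, so callers know to test for a negative return and not to use `dirent` on failure.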
@@ -0,0 +1,45 @@
+From e0b5b42e461f20ac90a41031d68e10ff0373474b Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Thu, 30 Aug 2018 19:29:36 +0900
+Subject: 9p/rdma: do not disconnect on down_interruptible EAGAIN
+
+[ Upstream commit 8b894adb2b7e1d1e64b8954569c761eaf3d51ab5 ]
+
+9p/rdma would sometimes drop the connection and display errors in
+recv_done when the user does ^C.
+The errors were caused by recv buffers that were posted at the time
+of disconnect, and we just do not want to disconnect when
+down_interruptible is... interrupted.
+
+Link: http://lkml.kernel.org/r/1535625307-18019-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_rdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index f42550dd3560..f3a9254b6df9 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -476,7 +476,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+
+ err = post_recv(client, rpl_context);
+ if (err) {
+- p9_debug(P9_DEBUG_FCALL, "POST RECV failed\n");
++ p9_debug(P9_DEBUG_ERROR, "POST RECV failed: %d\n", err);
+ goto recv_error;
+ }
+ /* remove posted receive buffer from request structure */
+@@ -544,7 +544,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+ recv_error:
+ kfree(rpl_context);
+ spin_lock_irqsave(&rdma->req_lock, flags);
+- if (rdma->state < P9_RDMA_CLOSING) {
++ if (err != -EINTR && rdma->state < P9_RDMA_CLOSING) {
+ rdma->state = P9_RDMA_CLOSING;
+ spin_unlock_irqrestore(&rdma->req_lock, flags);
+ rdma_disconnect(rdma->cm_id);
+--
+2.20.1
+
diff --git a/queue-4.4/9p-rdma-remove-useless-check-in-cm_event_handler.patch b/queue-4.4/9p-rdma-remove-useless-check-in-cm_event_handler.patch
new file mode 100644
index 00000000000..35d87d2ce29
--- /dev/null
+++ b/queue-4.4/9p-rdma-remove-useless-check-in-cm_event_handler.patch
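Review bot: At the `recv_error:` label in rdma_request (net/9p/trans_rdma.c, second hunk of 9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch), the new `err != -EINTR` test has no comment, and the visible code already shows one non-interrupt path jumping there (the post_recv failure in the first hunk), so a reader cannot tell which path is being exempted from the disconnect. The commit message ties it to an interrupted down_interruptible, whose call site is outside both hunks; I would put `/* interrupted wait (^C): not a transport failure, keep the connection up */` above the condition. It is also worth confirming that no other path reaching this label can carry -EINTR for a real transport failure, because that case would now skip the `P9_RDMA_CLOSING` transition and `rdma_disconnect`.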
@@ -0,0 +1,36 @@
+From 6d6c9437ef9299c946e16c2b428359fa641aec69 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Sat, 8 Sep 2018 00:26:50 +0900
+Subject: 9p/rdma: remove useless check in cm_event_handler
+
+[ Upstream commit 473c7dd1d7b59ff8f88a5154737e3eac78a96e5b ]
+
+the client c is always dereferenced to get the rdma struct, so c has to
+be a valid pointer at this point.
+Gcc would optimize that away but let's make coverity happy...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-3-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 102778 ("Dereference before null check")
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_rdma.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index f3a9254b6df9..83d2e7722ebf 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -255,8 +255,7 @@ p9_cm_event_handler(struct rdma_cm_id *id, struct rdma_cm_event *event)
+ case RDMA_CM_EVENT_DISCONNECTED:
+ if (rdma)
+ rdma->state = P9_RDMA_CLOSED;
+- if (c)
+- c->status = Disconnected;
++ c->status = Disconnected;
+ break;
+
+ case RDMA_CM_EVENT_TIMEWAIT_EXIT:
+--
+2.20.1
+
diff --git a/queue-4.4/net-9p-include-trans_common.h-to-fix-missing-prototy.patch b/queue-4.4/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
new file mode 100644
index 00000000000..7db77a4813b
--- /dev/null
+++ b/queue-4.4/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
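Review bot: In the RDMA_CM_EVENT_DISCONNECTED case of p9_cm_event_handler (net/9p/trans_rdma.c hunk of 9p-rdma-remove-useless-check-in-cm_event_handler.patch), `c->status = Disconnected;` is now unconditional while the `if (rdma)` guard two lines above it is kept, and nothing in the hunk says why one pointer is still checked and the other is not. The commit message states that `c` is dereferenced earlier to obtain `rdma`; that code is outside the hunk. A short comment next to the store, such as `/* c is non-NULL here: it was already dereferenced to obtain rdma */`, would record the assumption the unguarded write depends on.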
@@ -0,0 +1,35 @@
+From 40a6f8fa6461aed8c87da34f74c3e9ef2f30c82b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adeodato=20Sim=C3=B3?=
+Date: Tue, 13 Nov 2018 03:28:53 -0300
+Subject: net/9p: include trans_common.h to fix missing prototype warning.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 52ad259eaac0454c1ac7123e7148cf8d6e6f5301 ]
+
+This silences -Wmissing-prototypes when defining p9_release_pages.
+
+Link: http://lkml.kernel.org/r/b1c4df8f21689b10d451c28fe38e860722d20e71.1542089696.git.dato@net.com.org.es
+Signed-off-by: Adeodato Simó
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
+index 38aa6345bdfa..9c0c894b56f8 100644
+--- a/net/9p/trans_common.c
++++ b/net/9p/trans_common.c
+@@ -14,6 +14,7 @@
+
+ #include
+ #include
++#include "trans_common.h"
+
+ /**
+ * p9_release_req_pages - Release pages after the transaction.
+--
+2.20.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 81d6829c903..e47efe0d4e4 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -25,3 +25,8 @@ cfg80211-fix-memory-leak-of-wiphy-device-name.patch
 mac80211-drop-robust-management-frames-from-unknown-ta.patch
 perf-ui-helpline-use-strlcpy-as-a-shorter-form-of-strncpy-explicit-set-nul.patch
 perf-help-remove-needless-use-of-strncpy.patch
+9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
+9p-acl-fix-uninitialized-iattr-access.patch
+9p-rdma-remove-useless-check-in-cm_event_handler.patch
+9p-p9dirent_read-check-network-provided-name-length.patch
+net-9p-include-trans_common.h-to-fix-missing-prototy.patch