From: Greg Kroah-Hartman Date: Wed, 5 Oct 2016 13:20:18 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.8.1~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a9eef173e0ac0eb94407cab51b78c5ad40b9ecfc;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch asoc-omap-mcpdm-fix-irq-resource-handling.patch brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch nfs-don-t-drop-cb-requests-with-invalid-principals.patch pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch sysctl-handle-error-writing-uint_max-to-u32-fields.patch --- diff --git a/queue-4.4/asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch b/queue-4.4/asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch new file mode 100644 index 00000000000..2df855aa332 --- /dev/null +++ b/queue-4.4/asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch @@ -0,0 +1,36 @@ +From 979cf59acc9d634cc140aadd0d2915947ab303cc Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Fri, 12 Aug 2016 11:45:18 +0000 +Subject: ASoC: Intel: Skylake: Fix error return code in skl_probe() + +From: Wei Yongjun + +commit 979cf59acc9d634cc140aadd0d2915947ab303cc upstream. + +Fix to return error code -ENODEV from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 87b2bdf02278 ("ASoC: Intel: Skylake: Initialize NHLT table") +Signed-off-by: Wei Yongjun +Acked-By: Vinod Koul +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/intel/skylake/skl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/soc/intel/skylake/skl.c ++++ b/sound/soc/intel/skylake/skl.c +@@ -464,8 +464,10 @@ static int skl_probe(struct pci_dev *pci + + skl->nhlt = skl_nhlt_init(bus->dev); + +- if (skl->nhlt == NULL) ++ if (skl->nhlt == NULL) { ++ err = -ENODEV; + goto out_free; ++ } + + pci_set_drvdata(skl->pci, ebus); + diff --git a/queue-4.4/asoc-omap-mcpdm-fix-irq-resource-handling.patch b/queue-4.4/asoc-omap-mcpdm-fix-irq-resource-handling.patch new file mode 100644 index 00000000000..995b3be437e --- /dev/null +++ b/queue-4.4/asoc-omap-mcpdm-fix-irq-resource-handling.patch @@ -0,0 +1,45 @@ +From a8719670687c46ed2e904c0d05fa4cd7e4950cd1 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Tue, 23 Aug 2016 10:27:19 +0300 +Subject: ASoC: omap-mcpdm: Fix irq resource handling + +From: Peter Ujfalusi + +commit a8719670687c46ed2e904c0d05fa4cd7e4950cd1 upstream. + +Fixes: ddd17531ad908 ("ASoC: omap-mcpdm: Clean up with devm_* function") + +Managed irq request will not doing any good in ASoC probe level as it is +not going to free up the irq when the driver is unbound from the sound +card. + +Signed-off-by: Peter Ujfalusi +Reported-by: Russell King +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/omap/omap-mcpdm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/soc/omap/omap-mcpdm.c ++++ b/sound/soc/omap/omap-mcpdm.c +@@ -390,8 +390,8 @@ static int omap_mcpdm_probe(struct snd_s + pm_runtime_get_sync(mcpdm->dev); + omap_mcpdm_write(mcpdm, MCPDM_REG_CTRL, 0x00); + +- ret = devm_request_irq(mcpdm->dev, mcpdm->irq, omap_mcpdm_irq_handler, +- 0, "McPDM", (void *)mcpdm); ++ ret = request_irq(mcpdm->irq, omap_mcpdm_irq_handler, 0, "McPDM", ++ (void *)mcpdm); + + pm_runtime_put_sync(mcpdm->dev); + +@@ -416,6 +416,7 @@ static int omap_mcpdm_remove(struct snd_ + { + struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai); + ++ free_irq(mcpdm->irq, (void *)mcpdm); + pm_runtime_disable(mcpdm->dev); + + return 0; diff --git a/queue-4.4/brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch b/queue-4.4/brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch new file mode 100644 index 00000000000..9d47374de9a --- /dev/null +++ b/queue-4.4/brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch @@ -0,0 +1,38 @@ +From 3bdae810721b33061d2e541bd78a70f86ca42af3 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 18 Jul 2016 16:24:34 -0700 +Subject: brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain + +From: Florian Fainelli + +commit 3bdae810721b33061d2e541bd78a70f86ca42af3 upstream. + +In case brcmf_sdiod_recv_chain() cannot complete a succeful call to +brcmf_sdiod_buffrw, we would be leaking glom_skb and not free it as we +should, fix this. + +Reported-by: coverity (CID 1164856) +Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support") +Signed-off-by: Florian Fainelli +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c +@@ -726,8 +726,10 @@ int brcmf_sdiod_recv_chain(struct brcmf_ + return -ENOMEM; + err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr, + glom_skb); +- if (err) ++ if (err) { ++ brcmu_pkt_buf_free_skb(glom_skb); + goto done; ++ } + + skb_queue_walk(pktq, skb) { + memcpy(skb->data, glom_skb->data, skb->len); diff --git a/queue-4.4/brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch b/queue-4.4/brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch new file mode 100644 index 00000000000..c2a07761857 --- /dev/null +++ b/queue-4.4/brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch @@ -0,0 +1,37 @@ +From 5c5fa1f464ac954982df1d96b9f9a5103d21aedd Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 18 Jul 2016 16:24:35 -0700 +Subject: brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill + +From: Florian Fainelli + +commit 5c5fa1f464ac954982df1d96b9f9a5103d21aedd upstream. + +In case dma_mapping_error() returns an error in dma_rxfill, we would be +leaking a packet that we allocated with brcmu_pkt_buf_get_skb(). + +Reported-by: coverity (CID 1081819) +Fixes: 67d0cf50bd32 ("brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()") +Signed-off-by: Florian Fainelli +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmsmac/dma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/brcm80211/brcmsmac/dma.c ++++ b/drivers/net/wireless/brcm80211/brcmsmac/dma.c +@@ -1079,8 +1079,10 @@ bool dma_rxfill(struct dma_pub *pub) + + pa = dma_map_single(di->dmadev, p->data, di->rxbufsize, + DMA_FROM_DEVICE); +- if (dma_mapping_error(di->dmadev, pa)) ++ if (dma_mapping_error(di->dmadev, pa)) { ++ brcmu_pkt_buf_free_skb(p); + return false; ++ } + + /* save the free packet pointer */ + di->rxp[rxout] = p; diff --git a/queue-4.4/brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch b/queue-4.4/brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch new file mode 100644 index 00000000000..a6d5e777cc3 --- /dev/null +++ b/queue-4.4/brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch @@ -0,0 +1,36 @@ +From f823a2aa8f4674c095a5413b9e3ba12d82df06f2 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Mon, 18 Jul 2016 16:24:37 -0700 +Subject: brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get() + +From: Florian Fainelli + +commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream. + +wlc_phy_txpower_get_current() does a logical OR of power->flags, which +presumes that power.flags was initiliazed earlier by the caller, +unfortunately, this is not the case, so make sure we zero out the struct +tx_power before calling into wlc_phy_txpower_get_current(). + +Reported-by: coverity (CID 146011) +Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers") +Signed-off-by: Florian Fainelli +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmsmac/stf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/brcm80211/brcmsmac/stf.c ++++ b/drivers/net/wireless/brcm80211/brcmsmac/stf.c +@@ -87,7 +87,7 @@ void + brcms_c_stf_ss_algo_channel_get(struct brcms_c_info *wlc, u16 *ss_algo_channel, + u16 chanspec) + { +- struct tx_power power; ++ struct tx_power power = { }; + u8 siso_mcs_id, cdd_mcs_id, stbc_mcs_id; + + /* Clear previous settings */ diff --git a/queue-4.4/nfs-don-t-drop-cb-requests-with-invalid-principals.patch b/queue-4.4/nfs-don-t-drop-cb-requests-with-invalid-principals.patch new file mode 100644 index 00000000000..16a5797e5ce --- /dev/null +++ b/queue-4.4/nfs-don-t-drop-cb-requests-with-invalid-principals.patch @@ -0,0 +1,63 @@ +From a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Wed, 29 Jun 2016 13:55:22 -0400 +Subject: NFS: Don't drop CB requests with invalid principals + +From: Chuck Lever + +commit a4e187d83d88eeaba6252aac0a2ffe5eaa73a818 upstream. + +Before commit 778be232a207 ("NFS do not find client in NFSv4 +pg_authenticate"), the Linux callback server replied with +RPC_AUTH_ERROR / RPC_AUTH_BADCRED, instead of dropping the CB +request. Let's restore that behavior so the server has a chance to +do something useful about it, and provide a warning that helps +admins correct the problem. + +Fixes: 778be232a207 ("NFS do not find client in NFSv4 ...") +Signed-off-by: Chuck Lever +Tested-by: Steve Wise +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/callback_xdr.c | 6 +++++- + net/sunrpc/svc.c | 5 +++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/nfs/callback_xdr.c ++++ b/fs/nfs/callback_xdr.c +@@ -912,7 +912,7 @@ static __be32 nfs4_callback_compound(str + if (hdr_arg.minorversion == 0) { + cps.clp = nfs4_find_client_ident(SVC_NET(rqstp), hdr_arg.cb_ident); + if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp)) +- return rpc_drop_reply; ++ goto out_invalidcred; + } + + cps.minorversion = hdr_arg.minorversion; +@@ -940,6 +940,10 @@ static __be32 nfs4_callback_compound(str + nfs_put_client(cps.clp); + dprintk("%s: done, status = %u\n", __func__, ntohl(status)); + return rpc_success; ++ ++out_invalidcred: ++ pr_warn_ratelimited("NFS: NFSv4 callback contains invalid cred\n"); ++ return rpc_autherr_badcred; + } + + /* +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -1194,6 +1194,11 @@ svc_process_common(struct svc_rqst *rqst + procp->pc_release(rqstp, NULL, rqstp->rq_resp); + goto dropit; + } ++ if (*statp == rpc_autherr_badcred) { ++ if (procp->pc_release) ++ procp->pc_release(rqstp, NULL, rqstp->rq_resp); ++ goto err_bad_auth; ++ } + if (*statp == rpc_success && + (xdr = procp->pc_encode) && + !xdr(rqstp, resv->iov_base+resv->iov_len, rqstp->rq_resp)) { diff --git a/queue-4.4/pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch b/queue-4.4/pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch new file mode 100644 index 00000000000..50afd9ff7b4 --- /dev/null +++ b/queue-4.4/pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch @@ -0,0 +1,33 @@ +From 73e6c5d854d3f7f75e8b46d3e54aeb5d83fe6b1f Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 26 Jun 2016 12:27:25 -0400 +Subject: pNFS/files: Fix layoutcommit after a commit to DS + +From: Trond Myklebust + +commit 73e6c5d854d3f7f75e8b46d3e54aeb5d83fe6b1f upstream. + +According to the errata +https://www.rfc-editor.org/errata_search.php?rfc=5661&eid=2751 +we should always send layout commit after a commit to DS. + +Fixes: bc7d4b8fd091 ("nfs/filelayout: set layoutcommit...") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/filelayout/filelayout.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/nfs/filelayout/filelayout.c ++++ b/fs/nfs/filelayout/filelayout.c +@@ -374,8 +374,7 @@ static int filelayout_commit_done_cb(str + return -EAGAIN; + } + +- if (data->verf.committed == NFS_UNSTABLE) +- pnfs_set_layoutcommit(data->inode, data->lseg, data->lwb); ++ pnfs_set_layoutcommit(data->inode, data->lseg, data->lwb); + + return 0; + } diff --git a/queue-4.4/pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch b/queue-4.4/pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch new file mode 100644 index 00000000000..14a49abcb25 --- /dev/null +++ b/queue-4.4/pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch @@ -0,0 +1,32 @@ +From c001c87a63aa2f35358e33eb05e45e4cbcb34f54 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 26 Jun 2016 12:39:49 -0400 +Subject: pNFS/flexfiles: Fix layoutcommit after a commit to DS + +From: Trond Myklebust + +commit c001c87a63aa2f35358e33eb05e45e4cbcb34f54 upstream. + +We should always do a layoutcommit after commit to DS, except if +the layout segment we're using has set FF_FLAGS_NO_LAYOUTCOMMIT. + +Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/flexfilelayout/flexfilelayout.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/nfs/flexfilelayout/flexfilelayout.c ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c +@@ -1414,8 +1414,7 @@ static int ff_layout_commit_done_cb(stru + return -EAGAIN; + } + +- if (data->verf.committed == NFS_UNSTABLE +- && ff_layout_need_layoutcommit(data->lseg)) ++ if (ff_layout_need_layoutcommit(data->lseg)) + pnfs_set_layoutcommit(data->inode, data->lseg, data->lwb); + + return 0; diff --git a/queue-4.4/powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch b/queue-4.4/powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch new file mode 100644 index 00000000000..4366e323c99 --- /dev/null +++ b/queue-4.4/powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch @@ -0,0 +1,71 @@ +From 66443efa83dc73775100b7442962ce2cb0d4472e Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Fri, 12 Aug 2016 21:45:52 +1000 +Subject: powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support + +From: Michael Ellerman + +commit 66443efa83dc73775100b7442962ce2cb0d4472e upstream. + +When booting from an OpenFirmware which supports it, we use the +"ibm,client-architecture-support" firmware call to communicate +our capabilities to firmware. + +The format of the structure we pass to firmware is specified in +PAPR (Power Architecture Platform Requirements), or the public version +LoPAPR (Linux on Power Architecture Platform Reference). + +Referring to table 244 in LoPAPR v1.1, option vector 5 contains a 4 byte +field at bytes 17-20 for the "Platform Facilities Enable". This is +followed by a 1 byte field at byte 21 for "Sub-Processor Represenation +Level". + +Comparing to the code, there we have the Platform Facilities +options (OV5_PFO_*) at byte 17, but we fail to pad that field out to its +full width of 4 bytes. This means the OV5_SUB_PROCESSORS option is +incorrectly placed at byte 18. + +Fix it by adding zero bytes for bytes 18, 19, 20, and comment the bytes +to hopefully make it clearer in future. + +As far as I'm aware nothing actually consumes this value at this time, +so the effect of this bug is nil in practice. + +It does mean we've been incorrectly setting bit 15 of the "Platform +Facilities Enable" option for the past ~3 1/2 years, so we should avoid +allocating that bit to anything else in future. + +Fixes: df77c7992029 ("powerpc/pseries: Update ibm,architecture.vec for PAPR 2.7/POWER8") +Signed-off-by: Michael Ellerman +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/prom_init.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -694,7 +694,7 @@ unsigned char ibm_architecture_vec[] = { + OV4_MIN_ENT_CAP, /* minimum VP entitled capacity */ + + /* option vector 5: PAPR/OF options */ +- VECTOR_LENGTH(18), /* length */ ++ VECTOR_LENGTH(21), /* length */ + 0, /* don't ignore, don't halt */ + OV5_FEAT(OV5_LPAR) | OV5_FEAT(OV5_SPLPAR) | OV5_FEAT(OV5_LARGE_PAGES) | + OV5_FEAT(OV5_DRCONF_MEMORY) | OV5_FEAT(OV5_DONATE_DEDICATE_CPU) | +@@ -725,8 +725,11 @@ unsigned char ibm_architecture_vec[] = { + 0, + 0, + OV5_FEAT(OV5_PFO_HW_RNG) | OV5_FEAT(OV5_PFO_HW_ENCR) | +- OV5_FEAT(OV5_PFO_HW_842), +- OV5_FEAT(OV5_SUB_PROCESSORS), ++ OV5_FEAT(OV5_PFO_HW_842), /* Byte 17 */ ++ 0, /* Byte 18 */ ++ 0, /* Byte 19 */ ++ 0, /* Byte 20 */ ++ OV5_FEAT(OV5_SUB_PROCESSORS), /* Byte 21 */ + + /* option vector 6: IBM PAPR hints */ + VECTOR_LENGTH(3), /* length */ diff --git a/queue-4.4/series b/queue-4.4/series index 5c4f3244b0b..cb4b1710ba7 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -59,3 +59,14 @@ ath9k-fix-programming-of-mincca-power-threshold.patch avr32-off-by-one-in-at32_init_pio.patch fnic-pci_dma_mapping_error-doesn-t-return-an-error-code.patch dmaengine-at_xdmac-fix-debug-string.patch +svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch +nfs-don-t-drop-cb-requests-with-invalid-principals.patch +pnfs-files-fix-layoutcommit-after-a-commit-to-ds.patch +pnfs-flexfiles-fix-layoutcommit-after-a-commit-to-ds.patch +asoc-intel-skylake-fix-error-return-code-in-skl_probe.patch +brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch +brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch +brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch +powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch +sysctl-handle-error-writing-uint_max-to-u32-fields.patch +asoc-omap-mcpdm-fix-irq-resource-handling.patch diff --git a/queue-4.4/svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch b/queue-4.4/svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch new file mode 100644 index 00000000000..9aaa6d8fff1 --- /dev/null +++ b/queue-4.4/svc-avoid-garbage-replies-when-pc_func-returns-rpc_drop_reply.patch @@ -0,0 +1,36 @@ +From 0533b13072f4bf35738290d2cf9e299c7bc6c42a Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Wed, 29 Jun 2016 13:55:14 -0400 +Subject: svc: Avoid garbage replies when pc_func() returns rpc_drop_reply + +From: Chuck Lever + +commit 0533b13072f4bf35738290d2cf9e299c7bc6c42a upstream. + +If an RPC program does not set vs_dispatch and pc_func() returns +rpc_drop_reply, the server sends a reply anyway containing a single +word containing the value RPC_DROP_REPLY (in network byte-order, of +course). This is a nonsense RPC message. + +Fixes: 9e701c610923 ("svcrpc: simpler request dropping") +Signed-off-by: Chuck Lever +Tested-by: Steve Wise +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/svc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sunrpc/svc.c ++++ b/net/sunrpc/svc.c +@@ -1188,7 +1188,8 @@ svc_process_common(struct svc_rqst *rqst + *statp = procp->pc_func(rqstp, rqstp->rq_argp, rqstp->rq_resp); + + /* Encode reply */ +- if (test_bit(RQ_DROPME, &rqstp->rq_flags)) { ++ if (*statp == rpc_drop_reply || ++ test_bit(RQ_DROPME, &rqstp->rq_flags)) { + if (procp->pc_release) + procp->pc_release(rqstp, NULL, rqstp->rq_resp); + goto dropit; diff --git a/queue-4.4/sysctl-handle-error-writing-uint_max-to-u32-fields.patch b/queue-4.4/sysctl-handle-error-writing-uint_max-to-u32-fields.patch new file mode 100644 index 00000000000..5e33353f022 --- /dev/null +++ b/queue-4.4/sysctl-handle-error-writing-uint_max-to-u32-fields.patch @@ -0,0 +1,135 @@ +From e7d316a02f683864a12389f8808570e37fb90aa3 Mon Sep 17 00:00:00 2001 +From: Subash Abhinov Kasiviswanathan +Date: Thu, 25 Aug 2016 15:16:51 -0700 +Subject: sysctl: handle error writing UINT_MAX to u32 fields + +From: Subash Abhinov Kasiviswanathan + +commit e7d316a02f683864a12389f8808570e37fb90aa3 upstream. + +We have scripts which write to certain fields on 3.18 kernels but this +seems to be failing on 4.4 kernels. An entry which we write to here is +xfrm_aevent_rseqth which is u32. + + echo 4294967295 > /proc/sys/net/core/xfrm_aevent_rseqth + +Commit 230633d109e3 ("kernel/sysctl.c: detect overflows when converting +to int") prevented writing to sysctl entries when integer overflow +occurs. However, this does not apply to unsigned integers. + +Heinrich suggested that we introduce a new option to handle 64 bit +limits and set min as 0 and max as UINT_MAX. This might not work as it +leads to issues similar to __do_proc_doulongvec_minmax. Alternatively, +we would need to change the datatype of the entry to 64 bit. + + static int __do_proc_doulongvec_minmax(void *data, struct ctl_table + { + i = (unsigned long *) data; //This cast is causing to read beyond the size of data (u32) + vleft = table->maxlen / sizeof(unsigned long); //vleft is 0 because maxlen is sizeof(u32) which is lesser than sizeof(unsigned long) on x86_64. + +Introduce a new proc handler proc_douintvec. Individual proc entries +will need to be updated to use the new handler. + +[akpm@linux-foundation.org: coding-style fixes] +Fixes: 230633d109e3 ("kernel/sysctl.c:detect overflows when converting to int") +Link: http://lkml.kernel.org/r/1471479806-5252-1-git-send-email-subashab@codeaurora.org +Signed-off-by: Subash Abhinov Kasiviswanathan +Cc: Heinrich Schuchardt +Cc: Kees Cook +Cc: "David S. Miller" +Cc: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/sysctl.h | 2 ++ + kernel/sysctl.c | 45 +++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 45 insertions(+), 2 deletions(-) + +--- a/include/linux/sysctl.h ++++ b/include/linux/sysctl.h +@@ -41,6 +41,8 @@ extern int proc_dostring(struct ctl_tabl + void __user *, size_t *, loff_t *); + extern int proc_dointvec(struct ctl_table *, int, + void __user *, size_t *, loff_t *); ++extern int proc_douintvec(struct ctl_table *, int, ++ void __user *, size_t *, loff_t *); + extern int proc_dointvec_minmax(struct ctl_table *, int, + void __user *, size_t *, loff_t *); + extern int proc_dointvec_jiffies(struct ctl_table *, int, +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -2051,6 +2051,21 @@ static int do_proc_dointvec_conv(bool *n + return 0; + } + ++static int do_proc_douintvec_conv(bool *negp, unsigned long *lvalp, ++ int *valp, ++ int write, void *data) ++{ ++ if (write) { ++ if (*negp) ++ return -EINVAL; ++ *valp = *lvalp; ++ } else { ++ unsigned int val = *valp; ++ *lvalp = (unsigned long)val; ++ } ++ return 0; ++} ++ + static const char proc_wspace_sep[] = { ' ', '\t', '\n' }; + + static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, +@@ -2178,8 +2193,27 @@ static int do_proc_dointvec(struct ctl_t + int proc_dointvec(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +- return do_proc_dointvec(table,write,buffer,lenp,ppos, +- NULL,NULL); ++ return do_proc_dointvec(table, write, buffer, lenp, ppos, NULL, NULL); ++} ++ ++/** ++ * proc_douintvec - read a vector of unsigned integers ++ * @table: the sysctl table ++ * @write: %TRUE if this is a write to the sysctl file ++ * @buffer: the user buffer ++ * @lenp: the size of the user buffer ++ * @ppos: file position ++ * ++ * Reads/writes up to table->maxlen/sizeof(unsigned int) unsigned integer ++ * values from/to the user buffer, treated as an ASCII string. ++ * ++ * Returns 0 on success. ++ */ ++int proc_douintvec(struct ctl_table *table, int write, ++ void __user *buffer, size_t *lenp, loff_t *ppos) ++{ ++ return do_proc_dointvec(table, write, buffer, lenp, ppos, ++ do_proc_douintvec_conv, NULL); + } + + /* +@@ -2792,6 +2826,12 @@ int proc_dointvec(struct ctl_table *tabl + return -ENOSYS; + } + ++int proc_douintvec(struct ctl_table *table, int write, ++ void __user *buffer, size_t *lenp, loff_t *ppos) ++{ ++ return -ENOSYS; ++} ++ + int proc_dointvec_minmax(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +@@ -2837,6 +2877,7 @@ int proc_doulongvec_ms_jiffies_minmax(st + * exception granted :-) + */ + EXPORT_SYMBOL(proc_dointvec); ++EXPORT_SYMBOL(proc_douintvec); + EXPORT_SYMBOL(proc_dointvec_jiffies); + EXPORT_SYMBOL(proc_dointvec_minmax); + EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);