From: Greg Kroah-Hartman Date: Sun, 12 Dec 2021 14:56:19 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.295~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c9442fe990fb991875b10fd43927a23e465f2c54;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch net-altera-set-a-couple-error-code-in-probe.patch net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch qede-validate-non-lso-skb-length.patch tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch --- diff --git a/queue-4.14/block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch b/queue-4.14/block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch new file mode 100644 index 00000000000..94b3ec6bc3b --- /dev/null +++ b/queue-4.14/block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch @@ -0,0 +1,43 @@ +From e6a59aac8a8713f335a37d762db0dbe80e7f6d38 Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Fri, 10 Dec 2021 10:20:58 -0800 +Subject: block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) + +From: Davidlohr Bueso + +commit e6a59aac8a8713f335a37d762db0dbe80e7f6d38 upstream. + +do_each_pid_thread(PIDTYPE_PGID) can race with a concurrent +change_pid(PIDTYPE_PGID) that can move the task from one hlist +to another while iterating. Serialize ioprio_get to take +the tasklist_lock in this case, just like it's set counterpart. + +Fixes: d69b78ba1de (ioprio: grab rcu_read_lock in sys_ioprio_{set,get}()) +Acked-by: Oleg Nesterov +Signed-off-by: Davidlohr Bueso +Link: https://lore.kernel.org/r/20211210182058.43417-1-dave@stgolabs.net +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/ioprio.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/block/ioprio.c ++++ b/block/ioprio.c +@@ -196,6 +196,7 @@ SYSCALL_DEFINE2(ioprio_get, int, which, + pgrp = task_pgrp(current); + else + pgrp = find_vpid(who); ++ read_lock(&tasklist_lock); + do_each_pid_thread(pgrp, PIDTYPE_PGID, p) { + tmpio = get_task_ioprio(p); + if (tmpio < 0) +@@ -205,6 +206,8 @@ SYSCALL_DEFINE2(ioprio_get, int, which, + else + ret = ioprio_best(ret, tmpio); + } while_each_pid_thread(pgrp, PIDTYPE_PGID, p); ++ read_unlock(&tasklist_lock); ++ + break; + case IOPRIO_WHO_USER: + uid = make_kuid(current_user_ns(), who); diff --git a/queue-4.14/net-altera-set-a-couple-error-code-in-probe.patch b/queue-4.14/net-altera-set-a-couple-error-code-in-probe.patch new file mode 100644 index 00000000000..2123c236d9c --- /dev/null +++ b/queue-4.14/net-altera-set-a-couple-error-code-in-probe.patch @@ -0,0 +1,45 @@ +From badd7857f5c933a3dc34942a2c11d67fdbdc24de Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 3 Dec 2021 13:11:28 +0300 +Subject: net: altera: set a couple error code in probe() + +From: Dan Carpenter + +commit badd7857f5c933a3dc34942a2c11d67fdbdc24de upstream. + +There are two error paths which accidentally return success instead of +a negative error code. + +Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/altera/altera_tse_main.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -1445,16 +1445,19 @@ static int altera_tse_probe(struct platf + priv->rxdescmem_busaddr = dma_res->start; + + } else { ++ ret = -ENODEV; + goto err_free_netdev; + } + +- if (!dma_set_mask(priv->device, DMA_BIT_MASK(priv->dmaops->dmamask))) ++ if (!dma_set_mask(priv->device, DMA_BIT_MASK(priv->dmaops->dmamask))) { + dma_set_coherent_mask(priv->device, + DMA_BIT_MASK(priv->dmaops->dmamask)); +- else if (!dma_set_mask(priv->device, DMA_BIT_MASK(32))) ++ } else if (!dma_set_mask(priv->device, DMA_BIT_MASK(32))) { + dma_set_coherent_mask(priv->device, DMA_BIT_MASK(32)); +- else ++ } else { ++ ret = -EIO; + goto err_free_netdev; ++ } + + /* MAC address space */ + ret = request_and_map(pdev, "control_port", &control_port, diff --git a/queue-4.14/net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch b/queue-4.14/net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch new file mode 100644 index 00000000000..3efe5bfe12b --- /dev/null +++ b/queue-4.14/net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch @@ -0,0 +1,73 @@ +From 2be6d4d16a0849455a5c22490e3c5983495fed00 Mon Sep 17 00:00:00 2001 +From: Lee Jones +Date: Thu, 2 Dec 2021 14:34:37 +0000 +Subject: net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lee Jones + +commit 2be6d4d16a0849455a5c22490e3c5983495fed00 upstream. + +Currently, due to the sequential use of min_t() and clamp_t() macros, +in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is not set, the logic +sets tx_max to 0. This is then used to allocate the data area of the +SKB requested later in cdc_ncm_fill_tx_frame(). + +This does not cause an issue presently because when memory is +allocated during initialisation phase of SKB creation, more memory +(512b) is allocated than is required for the SKB headers alone (320b), +leaving some space (512b - 320b = 192b) for CDC data (172b). + +However, if more elements (for example 3 x u64 = [24b]) were added to +one of the SKB header structs, say 'struct skb_shared_info', +increasing its original size (320b [320b aligned]) to something larger +(344b [384b aligned]), then suddenly the CDC data (172b) no longer +fits in the spare SKB data area (512b - 384b = 128b). + +Consequently the SKB bounds checking semantics fails and panics: + + skbuff: skb_over_panic: text:ffffffff830a5b5f len:184 put:172 \ + head:ffff888119227c00 data:ffff888119227c00 tail:0xb8 end:0x80 dev: + + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:110! + RIP: 0010:skb_panic+0x14f/0x160 net/core/skbuff.c:106 + + Call Trace: + + skb_over_panic+0x2c/0x30 net/core/skbuff.c:115 + skb_put+0x205/0x210 net/core/skbuff.c:1877 + skb_put_zero include/linux/skbuff.h:2270 [inline] + cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1116 [inline] + cdc_ncm_fill_tx_frame+0x127f/0x3d50 drivers/net/usb/cdc_ncm.c:1293 + cdc_ncm_tx_fixup+0x98/0xf0 drivers/net/usb/cdc_ncm.c:1514 + +By overriding the max value with the default CDC_NCM_NTB_MAX_SIZE_TX +when not offered through the system provided params, we ensure enough +data space is allocated to handle the CDC data, meaning no crash will +occur. + +Cc: Oliver Neukum +Fixes: 289507d3364f9 ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning") +Signed-off-by: Lee Jones +Reviewed-by: Bjørn Mork +Link: https://lore.kernel.org/r/20211202143437.1411410-1-lee.jones@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ncm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -177,6 +177,8 @@ static u32 cdc_ncm_check_tx_max(struct u + /* clamp new_tx to sane values */ + min = ctx->max_datagram_size + ctx->max_ndp_size + sizeof(struct usb_cdc_ncm_nth16); + max = min_t(u32, CDC_NCM_NTB_MAX_SIZE_TX, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize)); ++ if (max == 0) ++ max = CDC_NCM_NTB_MAX_SIZE_TX; /* dwNtbOutMaxSize not set */ + + /* some devices set dwNtbOutMaxSize too low for the above default */ + min = min(min, max); diff --git a/queue-4.14/net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch b/queue-4.14/net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch new file mode 100644 index 00000000000..74b65e23830 --- /dev/null +++ b/queue-4.14/net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch @@ -0,0 +1,61 @@ +From b5bd95d17102b6719e3531d627875b9690371383 Mon Sep 17 00:00:00 2001 +From: Joakim Zhang +Date: Mon, 6 Dec 2021 21:54:57 +0800 +Subject: net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() + +From: Joakim Zhang + +commit b5bd95d17102b6719e3531d627875b9690371383 upstream. + +Background: +We have a customer is running a Profinet stack on the 8MM which receives and +responds PNIO packets every 4ms and PNIO-CM packets every 40ms. However, from +time to time the received PNIO-CM package is "stock" and is only handled when +receiving a new PNIO-CM or DCERPC-Ping packet (tcpdump shows the PNIO-CM and +the DCERPC-Ping packet at the same time but the PNIO-CM HW timestamp is from +the expected 40 ms and not the 2s delay of the DCERPC-Ping). + +After debugging, we noticed PNIO, PNIO-CM and DCERPC-Ping packets would +be handled by different RX queues. + +The root cause should be driver ack all queues' interrupt when handle a +specific queue in fec_enet_rx_queue(). The blamed patch is introduced to +receive as much packets as possible once to avoid interrupt flooding. +But it's unreasonable to clear other queues'interrupt when handling one +queue, this patch tries to fix it. + +Fixes: ed63f1dcd578 (net: fec: clear receive interrupts before processing a packet) +Cc: Russell King +Reported-by: Nicolas Diaz +Signed-off-by: Joakim Zhang +Link: https://lore.kernel.org/r/20211206135457.15946-1-qiangqing.zhang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec.h | 3 +++ + drivers/net/ethernet/freescale/fec_main.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/fec.h ++++ b/drivers/net/ethernet/freescale/fec.h +@@ -372,6 +372,9 @@ struct bufdesc_ex { + #define FEC_ENET_WAKEUP ((uint)0x00020000) /* Wakeup request */ + #define FEC_ENET_TXF (FEC_ENET_TXF_0 | FEC_ENET_TXF_1 | FEC_ENET_TXF_2) + #define FEC_ENET_RXF (FEC_ENET_RXF_0 | FEC_ENET_RXF_1 | FEC_ENET_RXF_2) ++#define FEC_ENET_RXF_GET(X) (((X) == 0) ? FEC_ENET_RXF_0 : \ ++ (((X) == 1) ? FEC_ENET_RXF_1 : \ ++ FEC_ENET_RXF_2)) + #define FEC_ENET_TS_AVAIL ((uint)0x00010000) + #define FEC_ENET_TS_TIMER ((uint)0x00008000) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1385,7 +1385,7 @@ fec_enet_rx_queue(struct net_device *nde + break; + pkt_received++; + +- writel(FEC_ENET_RXF, fep->hwp + FEC_IEVENT); ++ writel(FEC_ENET_RXF_GET(queue_id), fep->hwp + FEC_IEVENT); + + /* Check for errors. */ + status ^= BD_ENET_RX_LAST; diff --git a/queue-4.14/net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch b/queue-4.14/net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch new file mode 100644 index 00000000000..655e57b4e80 --- /dev/null +++ b/queue-4.14/net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch @@ -0,0 +1,93 @@ +From e195e9b5dee6459d8c8e6a314cc71a644a0537fd Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 6 Dec 2021 08:53:29 -0800 +Subject: net, neigh: clear whole pneigh_entry at alloc time + +From: Eric Dumazet + +commit e195e9b5dee6459d8c8e6a314cc71a644a0537fd upstream. + +Commit 2c611ad97a82 ("net, neigh: Extend neigh->flags to 32 bit +to allow for extensions") enables a new KMSAM warning [1] + +I think the bug is actually older, because the following intruction +only occurred if ndm->ndm_flags had NTF_PROXY set. + + pn->flags = ndm->ndm_flags; + +Let's clear all pneigh_entry fields at alloc time. + +[1] +BUG: KMSAN: uninit-value in pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593 + pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593 + pneigh_dump_table net/core/neighbour.c:2715 [inline] + neigh_dump_info+0x1e3f/0x2c60 net/core/neighbour.c:2832 + netlink_dump+0xaca/0x16a0 net/netlink/af_netlink.c:2265 + __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370 + netlink_dump_start include/linux/netlink.h:254 [inline] + rtnetlink_rcv_msg+0x181b/0x18c0 net/core/rtnetlink.c:5534 + netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5589 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916 + sock_sendmsg_nosec net/socket.c:704 [inline] + sock_sendmsg net/socket.c:724 [inline] + sock_write_iter+0x594/0x690 net/socket.c:1057 + call_write_iter include/linux/fs.h:2162 [inline] + new_sync_write fs/read_write.c:503 [inline] + vfs_write+0x1318/0x2030 fs/read_write.c:590 + ksys_write+0x28c/0x520 fs/read_write.c:643 + __do_sys_write fs/read_write.c:655 [inline] + __se_sys_write fs/read_write.c:652 [inline] + __x64_sys_write+0xdb/0x120 fs/read_write.c:652 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:524 [inline] + slab_alloc_node mm/slub.c:3251 [inline] + slab_alloc mm/slub.c:3259 [inline] + __kmalloc+0xc3c/0x12d0 mm/slub.c:4437 + kmalloc include/linux/slab.h:595 [inline] + pneigh_lookup+0x60f/0xd70 net/core/neighbour.c:766 + arp_req_set_public net/ipv4/arp.c:1016 [inline] + arp_req_set+0x430/0x10a0 net/ipv4/arp.c:1032 + arp_ioctl+0x8d4/0xb60 net/ipv4/arp.c:1232 + inet_ioctl+0x4ef/0x820 net/ipv4/af_inet.c:947 + sock_do_ioctl net/socket.c:1118 [inline] + sock_ioctl+0xa3f/0x13e0 net/socket.c:1235 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:874 [inline] + __se_sys_ioctl+0x2df/0x4a0 fs/ioctl.c:860 + __x64_sys_ioctl+0xd8/0x110 fs/ioctl.c:860 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +CPU: 1 PID: 20001 Comm: syz-executor.0 Not tainted 5.16.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 62dd93181aaa ("[IPV6] NDISC: Set per-entry is_router flag in Proxy NA.") +Signed-off-by: Eric Dumazet +Cc: Roopa Prabhu +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20211206165329.1049835-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -633,7 +633,7 @@ struct pneigh_entry * pneigh_lookup(stru + + ASSERT_RTNL(); + +- n = kmalloc(sizeof(*n) + key_len, GFP_KERNEL); ++ n = kzalloc(sizeof(*n) + key_len, GFP_KERNEL); + if (!n) + goto out; + diff --git a/queue-4.14/net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch b/queue-4.14/net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch new file mode 100644 index 00000000000..cf434f81096 --- /dev/null +++ b/queue-4.14/net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch @@ -0,0 +1,57 @@ +From d17b9737c2bc09b4ac6caf469826e5a7ce3ffab7 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 7 Dec 2021 11:24:16 +0300 +Subject: net/qla3xxx: fix an error code in ql_adapter_up() + +From: Dan Carpenter + +commit d17b9737c2bc09b4ac6caf469826e5a7ce3ffab7 upstream. + +The ql_wait_for_drvr_lock() fails and returns false, then this +function should return an error code instead of returning success. + +The other problem is that the success path prints an error message +netdev_err(ndev, "Releasing driver lock\n"); Delete that and +re-order the code a little to make it more clear. + +Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211207082416.GA16110@kili +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -3495,20 +3495,19 @@ static int ql_adapter_up(struct ql3_adap + + spin_lock_irqsave(&qdev->hw_lock, hw_flags); + +- err = ql_wait_for_drvr_lock(qdev); +- if (err) { +- err = ql_adapter_initialize(qdev); +- if (err) { +- netdev_err(ndev, "Unable to initialize adapter\n"); +- goto err_init; +- } +- netdev_err(ndev, "Releasing driver lock\n"); +- ql_sem_unlock(qdev, QL_DRVR_SEM_MASK); +- } else { ++ if (!ql_wait_for_drvr_lock(qdev)) { + netdev_err(ndev, "Could not acquire driver lock\n"); ++ err = -ENODEV; + goto err_lock; + } + ++ err = ql_adapter_initialize(qdev); ++ if (err) { ++ netdev_err(ndev, "Unable to initialize adapter\n"); ++ goto err_init; ++ } ++ ql_sem_unlock(qdev, QL_DRVR_SEM_MASK); ++ + spin_unlock_irqrestore(&qdev->hw_lock, hw_flags); + + set_bit(QL_ADAPTER_UP, &qdev->flags); diff --git a/queue-4.14/qede-validate-non-lso-skb-length.patch b/queue-4.14/qede-validate-non-lso-skb-length.patch new file mode 100644 index 00000000000..1b31d1b2c3f --- /dev/null +++ b/queue-4.14/qede-validate-non-lso-skb-length.patch @@ -0,0 +1,50 @@ +From 8e227b198a55859bf790dc7f4b1e30c0859c6756 Mon Sep 17 00:00:00 2001 +From: Manish Chopra +Date: Fri, 3 Dec 2021 09:44:13 -0800 +Subject: qede: validate non LSO skb length + +From: Manish Chopra + +commit 8e227b198a55859bf790dc7f4b1e30c0859c6756 upstream. + +Although it is unlikely that stack could transmit a non LSO +skb with length > MTU, however in some cases or environment such +occurrences actually resulted into firmware asserts due to packet +length being greater than the max supported by the device (~9700B). + +This patch adds the safeguard for such odd cases to avoid firmware +asserts. + +v2: Added "Fixes" tag with one of the initial driver commit + which enabled the TX traffic actually (as this was probably + day1 issue which was discovered recently by some customer + environment) + +Fixes: a2ec6172d29c ("qede: Add support for link") +Signed-off-by: Manish Chopra +Signed-off-by: Alok Prasad +Signed-off-by: Prabhakar Kushwaha +Signed-off-by: Ariel Elior +Link: https://lore.kernel.org/r/20211203174413.13090-1-manishc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -1580,6 +1580,13 @@ netdev_tx_t qede_start_xmit(struct sk_bu + data_split = true; + } + } else { ++ if (unlikely(skb->len > ETH_TX_MAX_NON_LSO_PKT_LEN)) { ++ DP_ERR(edev, "Unexpected non LSO skb length = 0x%x\n", skb->len); ++ qede_free_failed_tx_pkt(txq, first_bd, 0, false); ++ qede_update_tx_producer(txq); ++ return NETDEV_TX_OK; ++ } ++ + val |= ((skb->len & ETH_TX_DATA_1ST_BD_PKT_LEN_MASK) << + ETH_TX_DATA_1ST_BD_PKT_LEN_SHIFT); + } diff --git a/queue-4.14/series b/queue-4.14/series index 2068188c4c2..df520cbc3a8 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -23,3 +23,11 @@ libata-add-horkage-for-asmedia-1092.patch wait-add-wake_up_pollfree.patch binder-use-wake_up_pollfree.patch signalfd-use-wake_up_pollfree.patch +tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch +block-fix-ioprio_get-ioprio_who_pgrp-vs-setuid-2.patch +qede-validate-non-lso-skb-length.patch +net-cdc_ncm-allow-for-dwntboutmaxsize-to-be-unset-or-zero.patch +net-altera-set-a-couple-error-code-in-probe.patch +net-fec-only-clear-interrupt-of-handling-queue-in-fec_enet_rx_queue.patch +net-neigh-clear-whole-pneigh_entry-at-alloc-time.patch +net-qla3xxx-fix-an-error-code-in-ql_adapter_up.patch diff --git a/queue-4.14/tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch b/queue-4.14/tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch new file mode 100644 index 00000000000..3c818efb128 --- /dev/null +++ b/queue-4.14/tracefs-set-all-files-to-the-same-group-ownership-as-the-mount-option.patch @@ -0,0 +1,146 @@ +From 48b27b6b5191e2e1f2798cd80877b6e4ef47c351 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Tue, 7 Dec 2021 17:17:29 -0500 +Subject: tracefs: Set all files to the same group ownership as the mount option + +From: Steven Rostedt (VMware) + +commit 48b27b6b5191e2e1f2798cd80877b6e4ef47c351 upstream. + +As people have been asking to allow non-root processes to have access to +the tracefs directory, it was considered best to only allow groups to have +access to the directory, where it is easier to just set the tracefs file +system to a specific group (as other would be too dangerous), and that way +the admins could pick which processes would have access to tracefs. + +Unfortunately, this broke tooling on Android that expected the other bit +to be set. For some special cases, for non-root tools to trace the system, +tracefs would be mounted and change the permissions of the top level +directory which gave access to all running tasks permission to the +tracing directory. Even though this would be dangerous to do in a +production environment, for testing environments this can be useful. + +Now with the new changes to not allow other (which is still the proper +thing to do), it breaks the testing tooling. Now more code needs to be +loaded on the system to change ownership of the tracing directory. + +The real solution is to have tracefs honor the gid=xxx option when +mounting. That is, + +(tracing group tracing has value 1003) + + mount -t tracefs -o gid=1003 tracefs /sys/kernel/tracing + +should have it that all files in the tracing directory should be of the +given group. + +Copy the logic from d_walk() from dcache.c and simplify it for the mount +case of tracefs if gid is set. All the files in tracefs will be walked and +their group will be set to the value passed in. + +Link: https://lkml.kernel.org/r/20211207171729.2a54e1b3@gandalf.local.home + +Cc: Ingo Molnar +Cc: Kees Cook +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: linux-fsdevel@vger.kernel.org +Cc: Al Viro +Cc: Greg Kroah-Hartman +Reported-by: Kalesh Singh +Reported-by: Yabin Cui +Fixes: 49d67e445742 ("tracefs: Have tracefs directories not set OTH permission bits by default") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + fs/tracefs/inode.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 72 insertions(+) + +--- a/fs/tracefs/inode.c ++++ b/fs/tracefs/inode.c +@@ -162,6 +162,77 @@ struct tracefs_fs_info { + struct tracefs_mount_opts mount_opts; + }; + ++static void change_gid(struct dentry *dentry, kgid_t gid) ++{ ++ if (!dentry->d_inode) ++ return; ++ dentry->d_inode->i_gid = gid; ++} ++ ++/* ++ * Taken from d_walk, but without he need for handling renames. ++ * Nothing can be renamed while walking the list, as tracefs ++ * does not support renames. This is only called when mounting ++ * or remounting the file system, to set all the files to ++ * the given gid. ++ */ ++static void set_gid(struct dentry *parent, kgid_t gid) ++{ ++ struct dentry *this_parent; ++ struct list_head *next; ++ ++ this_parent = parent; ++ spin_lock(&this_parent->d_lock); ++ ++ change_gid(this_parent, gid); ++repeat: ++ next = this_parent->d_subdirs.next; ++resume: ++ while (next != &this_parent->d_subdirs) { ++ struct list_head *tmp = next; ++ struct dentry *dentry = list_entry(tmp, struct dentry, d_child); ++ next = tmp->next; ++ ++ spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED); ++ ++ change_gid(dentry, gid); ++ ++ if (!list_empty(&dentry->d_subdirs)) { ++ spin_unlock(&this_parent->d_lock); ++ spin_release(&dentry->d_lock.dep_map, 1, _RET_IP_); ++ this_parent = dentry; ++ spin_acquire(&this_parent->d_lock.dep_map, 0, 1, _RET_IP_); ++ goto repeat; ++ } ++ spin_unlock(&dentry->d_lock); ++ } ++ /* ++ * All done at this level ... ascend and resume the search. ++ */ ++ rcu_read_lock(); ++ascend: ++ if (this_parent != parent) { ++ struct dentry *child = this_parent; ++ this_parent = child->d_parent; ++ ++ spin_unlock(&child->d_lock); ++ spin_lock(&this_parent->d_lock); ++ ++ /* go into the first sibling still alive */ ++ do { ++ next = child->d_child.next; ++ if (next == &this_parent->d_subdirs) ++ goto ascend; ++ child = list_entry(next, struct dentry, d_child); ++ } while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED)); ++ rcu_read_unlock(); ++ goto resume; ++ } ++ rcu_read_unlock(); ++ spin_unlock(&this_parent->d_lock); ++ return; ++} ++ + static int tracefs_parse_options(char *data, struct tracefs_mount_opts *opts) + { + substring_t args[MAX_OPT_ARGS]; +@@ -194,6 +265,7 @@ static int tracefs_parse_options(char *d + if (!gid_valid(gid)) + return -EINVAL; + opts->gid = gid; ++ set_gid(tracefs_mount->mnt_root, gid); + break; + case Opt_mode: + if (match_octal(&args[0], &option))