From: Greg Kroah-Hartman Date: Sun, 11 Nov 2018 01:49:22 +0000 (-0800) Subject: 3.18-stable patches X-Git-Tag: v4.19.2~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df98db2117b7f2fc66f99af88c1227f7f131e45f;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch gfs2_meta-mount-can-get-null-dev_name.patch iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch ima-fix-showing-large-violations-or-runtime_measurements_count.patch jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch kbuild-fix-kernel-bounds.c-w-1-warning.patch net-ipv4-defensive-cipso-option-parsing.patch printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch signal-genwqe-fix-sending-of-sigkill.patch smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch --- diff --git a/queue-3.18/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch b/queue-3.18/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch new file mode 100644 index 00000000000..1abba34f05f --- /dev/null +++ b/queue-3.18/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch 
@@ -0,0 +1,40 @@ +From fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 13 Sep 2018 10:51:31 +0200 +Subject: crypto: lrw - Fix out-of bounds access on counter overflow + +From: Ondrej Mosnacek + +commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream. + +When the LRW block counter overflows, the current implementation returns +128 as the index to the precomputed multiplication table, which has 128 +entries. This patch fixes it to return the correct value (127). + +Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode") +Cc: # 2.6.20+ +Reported-by: Eric Biggers +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/lrw.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/crypto/lrw.c ++++ b/crypto/lrw.c +@@ -132,7 +132,12 @@ static inline int get_index128(be128 *bl + return x + ffz(val); + } + +- return x; ++ /* ++ * If we get here, then x == 128 and we are incrementing the counter ++ * from all ones to all zeros. This means we must return index 127, i.e. ++ * the one corresponding to key2*{ 1,...,1 }. ++ */ ++ return 127; + } + + static int crypt(struct blkcipher_desc *d, diff --git a/queue-3.18/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch b/queue-3.18/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch new file mode 100644 index 00000000000..9fa1def53f0 --- /dev/null +++ b/queue-3.18/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch 
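Review bot: the corrected `return 127;` relies on an invariant the function never checks, namely that control only reaches the tail of get_index128() when the loop has consumed all 128 counter bits (x == 128, counter wrapping from all ones to all zeros). The new comment states this, but the value is consumed directly as an index into a 128-entry table, so a `WARN_ON_ONCE(x != 128)` ahead of the return, or a one-line note in the function's header comment that the result is always in [0, 127], would make the bound explicit to anyone touching the loop later. The defect being fixed is a classic one-past-the-end read (index 128 into a 128-entry array), which is worth naming in the commit so that stable backporters recognise it as a memory-safety fix rather than a cosmetic one.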
@@ -0,0 +1,64 @@ +From fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Sun, 23 Sep 2018 21:10:43 +0000 +Subject: Drivers: hv: kvp: Fix two "this statement may fall through" warnings + +From: Dexuan Cui + +commit fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d upstream. + +We don't need to call process_ib_ipinfo() if message->kvp_hdr.operation is +KVP_OP_GET_IP_INFO in kvp_send_key(), because here we just need to pass on +the op code from the host to the userspace; when the userspace returns +the info requested by the host, we pass the info on to the host in +kvp_respond_to_host() -> process_ob_ipinfo(). BTW, the current buggy code +actually doesn't cause any harm, because only message->kvp_hdr.operation +is used by the userspace, in the case of KVP_OP_GET_IP_INFO. + +The patch also adds a missing "break;" in kvp_send_key(). BTW, the current +buggy code actually doesn't cause any harm, because in the case of +KVP_OP_SET, the unexpected fall-through corrupts +message->body.kvp_set.data.key_size, but that is not really used: see +the definition of struct hv_kvp_exchg_msg_value. + +Signed-off-by: Dexuan Cui +Cc: K. Y. Srinivasan +Cc: Haiyang Zhang +Cc: Stephen Hemminger +Cc: +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_kvp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/hv/hv_kvp.c ++++ b/drivers/hv/hv_kvp.c +@@ -326,7 +326,6 @@ static void process_ib_ipinfo(void *in_m + + out->body.kvp_ip_val.dhcp_enabled = in->kvp_ip_val.dhcp_enabled; + +- default: + utf16s_to_utf8s((wchar_t *)in->kvp_ip_val.adapter_id, + MAX_ADAPTER_ID_SIZE, + UTF16_LITTLE_ENDIAN, +@@ -379,7 +378,7 @@ kvp_send_key(struct work_struct *dummy) + process_ib_ipinfo(in_msg, message, KVP_OP_SET_IP_INFO); + break; + case KVP_OP_GET_IP_INFO: +- process_ib_ipinfo(in_msg, message, KVP_OP_GET_IP_INFO); ++ /* We only need to pass on message->kvp_hdr.operation. 
*/ + break; + case KVP_OP_SET: + switch (in_msg->body.kvp_set.data.value_type) { +@@ -419,6 +418,9 @@ kvp_send_key(struct work_struct *dummy) + break; + + } ++ ++ break; ++ + case KVP_OP_GET: + message->body.kvp_set.data.key_size = + utf16s_to_utf8s( diff --git a/queue-3.18/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch b/queue-3.18/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch new file mode 100644 index 00000000000..43107abc625 --- /dev/null +++ b/queue-3.18/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch @@ -0,0 +1,34 @@ +From 625ef8a3acd111d5f496d190baf99d1a815bd03e Mon Sep 17 00:00:00 2001 +From: Lukas Czerner +Date: Tue, 2 Oct 2018 21:18:45 -0400 +Subject: ext4: initialize retries variable in ext4_da_write_inline_data_begin() + +From: Lukas Czerner + +commit 625ef8a3acd111d5f496d190baf99d1a815bd03e upstream. + +Variable retries is not initialized in ext4_da_write_inline_data_begin() +which can lead to nondeterministic number of retries in case we hit +ENOSPC. Initialize retries to zero as we do everywhere else. + +Signed-off-by: Lukas Czerner +Signed-off-by: Theodore Ts'o +Fixes: bc0ca9df3b2a ("ext4: retry allocation when inline->extent conversion failed") +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -850,7 +850,7 @@ int ext4_da_write_inline_data_begin(stru + handle_t *handle; + struct page *page; + struct ext4_iloc iloc; +- int retries; ++ int retries = 0; + + ret = ext4_get_inode_loc(inode, &iloc); + if (ret) diff --git a/queue-3.18/gfs2_meta-mount-can-get-null-dev_name.patch b/queue-3.18/gfs2_meta-mount-can-get-null-dev_name.patch new file mode 100644 index 00000000000..e87e357c1a2 --- /dev/null +++ b/queue-3.18/gfs2_meta-mount-can-get-null-dev_name.patch 
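Review bot: the added `break;` in kvp_send_key() closes the fall-through from the KVP_OP_SET inner switch into `case KVP_OP_GET:`, and the commit message explains that the overwritten `message->body.kvp_set.data.key_size` is unused today. That reasoning lives only in the commit message; a short comment at the KVP_OP_GET label saying the SET path must not fall through here would stop a later change that starts consuming key_size from silently depending on this break. In the first hunk, removing the `default:` label from process_ib_ipinfo() means the adapter_id conversion now runs only as the tail of the preceding case; since the second hunk removes the only other caller (KVP_OP_GET_IP_INFO), that is consistent, but an explicit `default: break;` would keep the switch exhaustive for future op codes and keep -Wimplicit-fallthrough quiet.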
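Review bot: the one-line change `int retries = 0;` in ext4_da_write_inline_data_begin() is the whole fix and is correct as far as the hunk shows; the retry counter was read uninitialised from the stack, so the number of ENOSPC retries depended on stale stack contents. Since the commit message says this matches how the other ext4 retry loops are written, it would be worth checking that every other `int retries;` in fs/ext4 is initialised at declaration too, so the same class of bug does not survive in a sibling function.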
@@ -0,0 +1,32 @@ +From 3df629d873f8683af6f0d34dfc743f637966d483 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 13 Oct 2018 00:19:13 -0400 +Subject: gfs2_meta: ->mount() can get NULL dev_name + +From: Al Viro + +commit 3df629d873f8683af6f0d34dfc743f637966d483 upstream. + +get in sync with mount_bdev() handling of the same + +Reported-by: syzbot+c54f8e94e6bba03b04e9@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/ops_fstype.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -1358,6 +1358,9 @@ static struct dentry *gfs2_mount_meta(st + struct path path; + int error; + ++ if (!dev_name || !*dev_name) ++ return ERR_PTR(-EINVAL); ++ + error = kern_path(dev_name, LOOKUP_FOLLOW, &path); + if (error) { + pr_warn("path_lookup on %s returned error %d\n", diff --git a/queue-3.18/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch b/queue-3.18/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch new file mode 100644 index 00000000000..8ee215fc64a --- /dev/null +++ b/queue-3.18/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch 
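Review bot: the new `if (!dev_name || !*dev_name) return ERR_PTR(-EINVAL);` must stay ahead of both kern_path() and the `pr_warn("path_lookup on %s ...")` in the error branch, because that format string consumes dev_name directly and would itself dereference NULL; the placement here is right. The empty-string check (`!*dev_name`) goes slightly beyond the NULL dereference syzbot reported, and the commit message only says "get in sync with mount_bdev()", so a comment noting that mount_bdev() rejects both cases with -EINVAL would make the choice of error code and the extra check traceable.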
@@ -0,0 +1,39 @@ +From bc1b45326223e7e890053cf6266357adfa61942d Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Mon, 24 Sep 2018 10:51:43 +0300 +Subject: iio: adc: at91: fix acking DRDY irq on simple conversions + +From: Eugen Hristev + +commit bc1b45326223e7e890053cf6266357adfa61942d upstream. + +When doing simple conversions, the driver did not acknowledge the DRDY irq. +If this irq status is not acked, it will be left pending, and as soon as a +trigger is enabled, the irq handler will be called, it doesn't know why +this status has occurred because no channel is pending, and then it will go +int a irq loop and board will hang. +To avoid this situation, read the LCDR after a raw conversion is done. + +Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.") +Cc: Maxime Ripard +Signed-off-by: Eugen Hristev +Acked-by: Ludovic Desroches +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/at91_adc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -276,6 +276,8 @@ static void handle_adc_eoc_trigger(int i + iio_trigger_poll(idev->trig); + } else { + st->last_value = at91_adc_readl(st, AT91_ADC_CHAN(st, st->chnb)); ++ /* Needed to ACK the DRDY interruption */ ++ at91_adc_readl(st, AT91_ADC_LCDR); + st->done = true; + wake_up_interruptible(&st->wq_data_avail); + } diff --git a/queue-3.18/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch b/queue-3.18/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch new file mode 100644 index 00000000000..f91d5f2f595 --- /dev/null +++ b/queue-3.18/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch 
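Review bot: the added `at91_adc_readl(st, AT91_ADC_LCDR);` is executed purely for its side effect (reading the last-converted-data register is what clears the pending DRDY status, per the commit message), and its return value is discarded. The accompanying comment should say "interrupt" rather than "interruption", and it should state that the read is the hardware acknowledge mechanism, so that nobody later removes an apparently unused read and reintroduces the interrupt storm described in the commit message. The ordering, acking before `st->done = true` and the wake-up, is the right one.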
@@ -0,0 +1,49 @@ +From aea835f2dc8a682942b859179c49ad1841a6c8b9 Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Mon, 24 Sep 2018 10:51:44 +0300 +Subject: iio: adc: at91: fix wrong channel number in triggered buffer mode + +From: Eugen Hristev + +commit aea835f2dc8a682942b859179c49ad1841a6c8b9 upstream. + +When channels are registered, the hardware channel number is not the +actual iio channel number. +This is because the driver is probed with a certain number of accessible +channels. Some pins are routed and some not, depending on the description of +the board in the DT. +Because of that, channels 0,1,2,3 can correspond to hardware channels +2,3,4,5 for example. +In the buffered triggered case, we need to do the translation accordingly. +Fixed the channel number to stop reading the wrong channel. + +Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.") +Cc: Maxime Ripard +Signed-off-by: Eugen Hristev +Acked-by: Ludovic Desroches +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/at91_adc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -245,12 +245,14 @@ static irqreturn_t at91_adc_trigger_hand + struct iio_poll_func *pf = p; + struct iio_dev *idev = pf->indio_dev; + struct at91_adc_state *st = iio_priv(idev); ++ struct iio_chan_spec const *chan; + int i, j = 0; + + for (i = 0; i < idev->masklength; i++) { + if (!test_bit(i, idev->active_scan_mask)) + continue; +- st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, i)); ++ chan = idev->channels + i; ++ st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, chan->channel)); + j++; + } + diff --git a/queue-3.18/ima-fix-showing-large-violations-or-runtime_measurements_count.patch b/queue-3.18/ima-fix-showing-large-violations-or-runtime_measurements_count.patch new file mode 100644 index 00000000000..b802cba7d9d --- /dev/null 
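Review bot: `chan = idev->channels + i;` indexes the channel array with `i`, the bit position in `idev->active_scan_mask`, so the fix now assumes that each channel's scan_index equals its position in `idev->channels`. That holds for this driver as described, but the assumption is not visible at the point of use; a one-line comment above the loop, or an assignment from a lookup by scan_index, would protect the translation from a future reordering of the channel table. The declaration `struct iio_chan_spec const *chan;` would be more idiomatic as `const struct iio_chan_spec *chan;`.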
+++ b/queue-3.18/ima-fix-showing-large-violations-or-runtime_measurements_count.patch @@ -0,0 +1,41 @@ +From 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 7 Sep 2018 14:33:24 -0700 +Subject: ima: fix showing large 'violations' or 'runtime_measurements_count' + +From: Eric Biggers + +commit 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 upstream. + +The 12 character temporary buffer is not necessarily long enough to hold +a 'long' value. Increase it. + +Signed-off-by: Eric Biggers +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_fs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/security/integrity/ima/ima_fs.c ++++ b/security/integrity/ima/ima_fs.c +@@ -26,14 +26,14 @@ + #include "ima.h" + + static int valid_policy = 1; +-#define TMPBUFLEN 12 ++ + static ssize_t ima_show_htable_value(char __user *buf, size_t count, + loff_t *ppos, atomic_long_t *val) + { +- char tmpbuf[TMPBUFLEN]; ++ char tmpbuf[32]; /* greater than largest 'long' string value */ + ssize_t len; + +- len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val)); ++ len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val)); + return simple_read_from_buffer(buf, count, ppos, tmpbuf, len); + } + diff --git a/queue-3.18/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch b/queue-3.18/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch new file mode 100644 index 00000000000..4ea9a3881a2 --- /dev/null +++ b/queue-3.18/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch 
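Review bot: switching to `scnprintf(tmpbuf, sizeof(tmpbuf), ...)` is the right shape because the bound and the buffer can no longer drift apart. Because scnprintf is bounded, the old 12-byte buffer never overflowed; the defect was that large counters were silently truncated in the value shown to userspace, which matters for an integrity subsystem whose `violations` and `runtime_measurements_count` readings may feed monitoring. 32 bytes comfortably covers the worst case for a 64-bit signed long ("-9223372036854775808\n" plus NUL is 22 bytes). The bare `+` line left where `#define TMPBUFLEN 12` was removed is a stray blank line that could be dropped.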
@@ -0,0 +1,69 @@ +From ccd3c4373eacb044eb3832966299d13d2631f66f Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 5 Oct 2018 18:44:40 -0400 +Subject: jbd2: fix use after free in jbd2_log_do_checkpoint() + +From: Jan Kara + +commit ccd3c4373eacb044eb3832966299d13d2631f66f upstream. + +The code cleaning transaction's lists of checkpoint buffers has a bug +where it increases bh refcount only after releasing +journal->j_list_lock. Thus the following race is possible: + +CPU0 CPU1 +jbd2_log_do_checkpoint() + jbd2_journal_try_to_free_buffers() + __journal_try_to_free_buffer(bh) + ... + while (transaction->t_checkpoint_io_list) + ... + if (buffer_locked(bh)) { + +<-- IO completes now, buffer gets unlocked --> + + spin_unlock(&journal->j_list_lock); + spin_lock(&journal->j_list_lock); + __jbd2_journal_remove_checkpoint(jh); + spin_unlock(&journal->j_list_lock); + try_to_free_buffers(page); + get_bh(bh) <-- accesses freed bh + +Fix the problem by grabbing bh reference before unlocking +journal->j_list_lock. 
+ +Fixes: dc6e8d669cf5 ("jbd2: don't call get_bh() before calling __jbd2_journal_remove_checkpoint()") +Fixes: be1158cc615f ("jbd2: fold __process_buffer() into jbd2_log_do_checkpoint()") +Reported-by: syzbot+7f4a27091759e2fe7453@syzkaller.appspotmail.com +CC: stable@vger.kernel.org +Reviewed-by: Lukas Czerner +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/checkpoint.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -254,8 +254,8 @@ restart: + bh = jh2bh(jh); + + if (buffer_locked(bh)) { +- spin_unlock(&journal->j_list_lock); + get_bh(bh); ++ spin_unlock(&journal->j_list_lock); + wait_on_buffer(bh); + /* the journal_head may have gone by now */ + BUFFER_TRACE(bh, "brelse"); +@@ -336,8 +336,8 @@ restart2: + jh = transaction->t_checkpoint_io_list; + bh = jh2bh(jh); + if (buffer_locked(bh)) { +- spin_unlock(&journal->j_list_lock); + get_bh(bh); ++ spin_unlock(&journal->j_list_lock); + wait_on_buffer(bh); + /* the journal_head may have gone by now */ + BUFFER_TRACE(bh, "brelse"); diff --git a/queue-3.18/kbuild-fix-kernel-bounds.c-w-1-warning.patch b/queue-3.18/kbuild-fix-kernel-bounds.c-w-1-warning.patch new file mode 100644 index 00000000000..e14d87f50fb --- /dev/null +++ b/queue-3.18/kbuild-fix-kernel-bounds.c-w-1-warning.patch 
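Review bot: in both hunks the fix is the same two-line reorder, taking `get_bh(bh)` before `spin_unlock(&journal->j_list_lock)`, and the commit message's race diagram shows why: j_list_lock is the only thing keeping the buffer_head from being freed by a concurrent __jbd2_journal_remove_checkpoint() plus try_to_free_buffers(). A brief comment at each `get_bh(bh)` ("take the reference while still holding j_list_lock; see the race in commit ccd3c4373eac") would keep a future cleanup from swapping the lines back, since the two statements look order-independent in isolation.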
@@ -0,0 +1,54 @@ +From 6a32c2469c3fbfee8f25bcd20af647326650a6cf Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 30 Oct 2018 15:07:32 -0700 +Subject: kbuild: fix kernel/bounds.c 'W=1' warning + +From: Arnd Bergmann + +commit 6a32c2469c3fbfee8f25bcd20af647326650a6cf upstream. + +Building any configuration with 'make W=1' produces a warning: + +kernel/bounds.c:16:6: warning: no previous prototype for 'foo' [-Wmissing-prototypes] + +When also passing -Werror, this prevents us from building any other files. +Nobody ever calls the function, but we can't make it 'static' either +since we want the compiler output. + +Calling it 'main' instead however avoids the warning, because gcc +does not insist on having a declaration for main. + +Link: http://lkml.kernel.org/r/20181005083313.2088252-1-arnd@arndb.de +Signed-off-by: Arnd Bergmann +Reported-by: Kieran Bingham +Reviewed-by: Kieran Bingham +Cc: David Laight +Cc: Masahiro Yamada +Cc: Greg Kroah-Hartman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bounds.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/bounds.c ++++ b/kernel/bounds.c +@@ -12,7 +12,7 @@ + #include + #include + +-void foo(void) ++int main(void) + { + /* The enum constants to put into include/generated/bounds.h */ + DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS); +@@ -22,4 +22,6 @@ void foo(void) + #endif + DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t)); + /* End of constants */ ++ ++ return 0; + } diff --git a/queue-3.18/net-ipv4-defensive-cipso-option-parsing.patch b/queue-3.18/net-ipv4-defensive-cipso-option-parsing.patch new file mode 100644 index 00000000000..12765b24ac8 --- /dev/null +++ b/queue-3.18/net-ipv4-defensive-cipso-option-parsing.patch 
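Review bot: renaming `foo` to `int main(void)` and adding `return 0;` silences -Wmissing-prototypes only because gcc exempts main, and the commit message makes clear this file is compiled solely for its generated assembler output, never linked or run. Neither fact is visible in kernel/bounds.c itself after this change, so a comment above `main` explaining that the name is chosen only to avoid the prototype warning would prevent a reader from assuming the file is a real program or an unexpected entry point.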
@@ -0,0 +1,66 @@ +From 076ed3da0c9b2f88d9157dbe7044a45641ae369e Mon Sep 17 00:00:00 2001 +From: Stefan Nuernberger +Date: Mon, 17 Sep 2018 19:46:53 +0200 +Subject: net/ipv4: defensive cipso option parsing + +From: Stefan Nuernberger + +commit 076ed3da0c9b2f88d9157dbe7044a45641ae369e upstream. + +commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed +a possible infinite loop in the IP option parsing of CIPSO. The fix +assumes that ip_options_compile filtered out all zero length options and +that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist. +While this assumption currently holds true, add explicit checks for zero +length and invalid length options to be safe for the future. Even though +ip_options_compile should have validated the options, the introduction of +new one-byte options can still confuse this code without the additional +checks. + +Signed-off-by: Stefan Nuernberger +Cc: David Woodhouse +Cc: Simon Veith +Cc: stable@vger.kernel.org +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/cipso_ipv4.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -1580,7 +1580,7 @@ static int cipso_v4_parsetag_loc(const s + * + * Description: + * Parse the packet's IP header looking for a CIPSO option. Returns a pointer +- * to the start of the CIPSO option on success, NULL if one if not found. ++ * to the start of the CIPSO option on success, NULL if one is not found. 
+ * + */ + unsigned char *cipso_v4_optptr(const struct sk_buff *skb) +@@ -1590,10 +1590,8 @@ unsigned char *cipso_v4_optptr(const str + int optlen; + int taglen; + +- for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) { ++ for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) { + switch (optptr[0]) { +- case IPOPT_CIPSO: +- return optptr; + case IPOPT_END: + return NULL; + case IPOPT_NOOP: +@@ -1602,6 +1600,11 @@ unsigned char *cipso_v4_optptr(const str + default: + taglen = optptr[1]; + } ++ if (!taglen || taglen > optlen) ++ return NULL; ++ if (optptr[0] == IPOPT_CIPSO) ++ return optptr; ++ + optlen -= taglen; + optptr += taglen; + } diff --git a/queue-3.18/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch b/queue-3.18/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch new file mode 100644 index 00000000000..d53548c5ab1 --- /dev/null +++ b/queue-3.18/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch 
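Review bot: the tightened loop bound `optlen > 1` guarantees that `optptr[1]` is readable before the default branch reads it, and moving the IPOPT_CIPSO test after `if (!taglen || taglen > optlen) return NULL;` means a CIPSO option is only returned once its declared length fits in the remaining header. One further tightening is available from RFC 791: for any multi-byte option the length field includes the type and length bytes, so a value of 1 is as malformed as 0; checking `taglen < 2` in place of `!taglen` would reject that case too instead of advancing one byte and re-parsing from inside the option. A trailing single-byte IPOPT_END or IPOPT_NOOP at `optlen == 1` now ends the loop without being inspected, which is harmless because the function returns NULL after the loop either way.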
@@ -0,0 +1,65 @@ +From 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Sun, 30 Sep 2018 00:45:50 +0800 +Subject: printk: Fix panic caused by passing log_buf_len to command line + +From: He Zhe + +commit 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 upstream. + +log_buf_len_setup does not check input argument before passing it to +simple_strtoull. The argument would be a NULL pointer if "log_buf_len", +without its value, is set in command line and thus causes the following +panic. + +PANIC: early exception 0xe3 IP 10:ffffffffaaeacd0d error 0 cr2 0x0 +[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc4-yocto-standard+ #1 +[ 0.000000] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70 +... +[ 0.000000] Call Trace: +[ 0.000000] simple_strtoull+0x29/0x70 +[ 0.000000] memparse+0x26/0x90 +[ 0.000000] log_buf_len_setup+0x17/0x22 +[ 0.000000] do_early_param+0x57/0x8e +[ 0.000000] parse_args+0x208/0x320 +[ 0.000000] ? rdinit_setup+0x30/0x30 +[ 0.000000] parse_early_options+0x29/0x2d +[ 0.000000] ? rdinit_setup+0x30/0x30 +[ 0.000000] parse_early_param+0x36/0x4d +[ 0.000000] setup_arch+0x336/0x99e +[ 0.000000] start_kernel+0x6f/0x4ee +[ 0.000000] x86_64_start_reservations+0x24/0x26 +[ 0.000000] x86_64_start_kernel+0x6f/0x72 +[ 0.000000] secondary_startup_64+0xa4/0xb0 + +This patch adds a check to prevent the panic. 
+ +Link: http://lkml.kernel.org/r/1538239553-81805-1-git-send-email-zhe.he@windriver.com +Cc: stable@vger.kernel.org +Cc: rostedt@goodmis.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: He Zhe +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -844,7 +844,12 @@ static void __init log_buf_len_update(un + /* save requested log_buf_len since it's too early to process it */ + static int __init log_buf_len_setup(char *str) + { +- unsigned size = memparse(str, &str); ++ unsigned int size; ++ ++ if (!str) ++ return -EINVAL; ++ ++ size = memparse(str, &str); + + log_buf_len_update(size); + diff --git a/queue-3.18/series b/queue-3.18/series index 6fb238d3b4b..04a45745f1f 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
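Review bot: the `if (!str) return -EINVAL;` guard in log_buf_len_setup() is the whole fix for the early-boot NULL dereference shown in the trace, where "log_buf_len" on the command line with no "=value" hands memparse() a NULL pointer. Early-parameter handlers cannot rely on the caller having validated the argument, so every `__setup`/`early_param` handler that calls memparse() or simple_strtoull() directly deserves the same check. Note also that an empty but non-NULL value (`log_buf_len=`) still reaches memparse() and yields size 0, so log_buf_len_update() must keep treating 0 as "no change" for the guard to be complete.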
@@ -27,3 +27,20 @@ usb-chipidea-prevent-unbalanced-irq-disable.patch uio-ensure-class-is-registered-before-devices.patch scsi-lpfc-correct-soft-lockup-when-running-mds-diagnostics.patch signal-always-deliver-the-kernel-s-sigkill-and-sigstop-to-a-pid-namespace-init.patch +xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch +net-ipv4-defensive-cipso-option-parsing.patch +jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch +gfs2_meta-mount-can-get-null-dev_name.patch +ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch +signal-genwqe-fix-sending-of-sigkill.patch +crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch +ima-fix-showing-large-violations-or-runtime_measurements_count.patch +kbuild-fix-kernel-bounds.c-w-1-warning.patch +iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch +iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch +drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch +w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch +smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch +smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch +smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch +printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch diff --git a/queue-3.18/signal-genwqe-fix-sending-of-sigkill.patch b/queue-3.18/signal-genwqe-fix-sending-of-sigkill.patch new file mode 100644 index 00000000000..d1ebbfe14c9 --- /dev/null +++ b/queue-3.18/signal-genwqe-fix-sending-of-sigkill.patch 
@@ -0,0 +1,112 @@ +From 0ab93e9c99f8208c0a1a7b7170c827936268c996 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Thu, 13 Sep 2018 11:28:01 +0200 +Subject: signal/GenWQE: Fix sending of SIGKILL + +From: Eric W. Biederman + +commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream. + +The genweq_add_file and genwqe_del_file by caching current without +using reference counting embed the assumption that a file descriptor +will never be passed from one process to another. It even embeds the +assumption that the the thread that opened the file will be in +existence when the process terminates. Neither of which are +guaranteed to be true. + +Therefore replace caching the task_struct of the opener with +pid of the openers thread group id. All the knowledge of the +opener is used for is as the target of SIGKILL and a SIGKILL +will kill the entire process group. + +Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary +signal argument, update it's ownly caller, and use kill_pid +instead of force_sig. + +The work force_sig does in changing signal handling state is not +relevant to SIGKILL sent as SEND_SIG_PRIV. The exact same processess +will be killed just with less work, and less confusion. The work done +by force_sig is really only needed for handling syncrhonous +exceptions. + +It will still be possible to cause genwqe_device_remove to wait +8 seconds by passing a file descriptor to another process but +the possible user after free is fixed. + +Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue") +Cc: stable@vger.kernel.org +Cc: Greg Kroah-Hartman +Cc: Frank Haverkamp +Cc: Joerg-Stephan Vogt +Cc: Michael Jung +Cc: Michael Ruettger +Cc: Kleber Sacilotto de Souza +Cc: Sebastian Ott +Cc: Eberhard S. Amann +Cc: Gabriel Krisman Bertazi +Cc: Guilherme G. Piccoli +Signed-off-by: "Eric W. 
Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/genwqe/card_base.h | 2 +- + drivers/misc/genwqe/card_dev.c | 9 +++++---- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/misc/genwqe/card_base.h ++++ b/drivers/misc/genwqe/card_base.h +@@ -405,7 +405,7 @@ struct genwqe_file { + struct file *filp; + + struct fasync_struct *async_queue; +- struct task_struct *owner; ++ struct pid *opener; + struct list_head list; /* entry in list of open files */ + + spinlock_t map_lock; /* lock for dma_mappings */ +--- a/drivers/misc/genwqe/card_dev.c ++++ b/drivers/misc/genwqe/card_dev.c +@@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq + { + unsigned long flags; + +- cfile->owner = current; ++ cfile->opener = get_pid(task_tgid(current)); + spin_lock_irqsave(&cd->file_lock, flags); + list_add(&cfile->list, &cd->file_list); + spin_unlock_irqrestore(&cd->file_lock, flags); +@@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe + spin_lock_irqsave(&cd->file_lock, flags); + list_del(&cfile->list); + spin_unlock_irqrestore(&cd->file_lock, flags); ++ put_pid(cfile->opener); + + return 0; + } +@@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen + return files; + } + +-static int genwqe_force_sig(struct genwqe_dev *cd, int sig) ++static int genwqe_terminate(struct genwqe_dev *cd) + { + unsigned int files = 0; + unsigned long flags; +@@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq + + spin_lock_irqsave(&cd->file_lock, flags); + list_for_each_entry(cfile, &cd->file_list, list) { +- force_sig(sig, cfile->owner); ++ kill_pid(cfile->opener, SIGKILL, 1); + files++; + } + spin_unlock_irqrestore(&cd->file_lock, flags); +@@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces + dev_warn(&pci_dev->dev, + "[%s] send SIGKILL and wait ...\n", __func__); + +- rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */ ++ rc = genwqe_terminate(cd); + if (rc) { + /* Give kill_timout more seconds to end processes */ + for (i = 
0; (i < genwqe_kill_timeout) && diff --git a/queue-3.18/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch b/queue-3.18/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch new file mode 100644 index 00000000000..c4221ea097e --- /dev/null +++ b/queue-3.18/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch @@ -0,0 +1,34 @@ +From 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Sat, 15 Sep 2018 23:04:41 -0500 +Subject: smb3: allow stats which track session and share reconnects to be reset + +From: Steve French + +commit 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 upstream. + +Currently, "echo 0 > /proc/fs/cifs/Stats" resets all of the stats +except the session and share reconnect counts. Fix it to +reset those as well. + +CC: Stable +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifs_debug.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/cifs/cifs_debug.c ++++ b/fs/cifs/cifs_debug.c +@@ -271,6 +271,9 @@ static ssize_t cifs_stats_proc_write(str + atomic_set(&totBufAllocCount, 0); + atomic_set(&totSmBufAllocCount, 0); + #endif /* CONFIG_CIFS_STATS2 */ ++ atomic_set(&tcpSesReconnectCount, 0); ++ atomic_set(&tconInfoReconnectCount, 0); ++ + spin_lock(&GlobalMid_Lock); + GlobalMaxActiveXid = 0; + GlobalCurrentXid = 0; diff --git a/queue-3.18/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch b/queue-3.18/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch new file mode 100644 index 00000000000..8fb04c8076a --- /dev/null +++ b/queue-3.18/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch 
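Review bot: replacing the cached `struct task_struct *owner` with a `struct pid *opener` taken via `get_pid(task_tgid(current))` closes the use-after-free described in the commit message (a task pointer cached without a reference, used later as a signal target). The reference is dropped in genwqe_del_file() after `list_del()`, so the pairing is correct on the normal close path, but any error path in the open/release code that calls genwqe_add_file() without reaching genwqe_del_file() would now leak a `struct pid`; it is worth confirming those paths while backporting. `kill_pid(cfile->opener, SIGKILL, 1)` is signalling the thread-group leader's pid with priv set, which is appropriate for a kernel-originated SIGKILL, and the function rename to genwqe_terminate() makes the dropped signal argument impossible to misuse.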
@@ -0,0 +1,45 @@ +From 1e77a8c204c9d1b655c61751b8ad0fde22421dbb Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Fri, 19 Oct 2018 00:45:21 -0500 +Subject: smb3: do not attempt cifs operation in smb3 query info error path + +From: Steve French + +commit 1e77a8c204c9d1b655c61751b8ad0fde22421dbb upstream. + +If backupuid mount option is sent, we can incorrectly retry +(on access denied on query info) with a cifs (FindFirst) operation +on an smb3 mount which causes the server to force the session close. + +We set backup intent on open so no need for this fallback. + +See kernel bugzilla 201435 + +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/inode.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -741,7 +741,15 @@ cifs_get_inode_info(struct inode **inode + } else if (rc == -EREMOTE) { + cifs_create_dfs_fattr(&fattr, sb); + rc = 0; +- } else if (rc == -EACCES && backup_cred(cifs_sb)) { ++ } else if ((rc == -EACCES) && backup_cred(cifs_sb) && ++ (strcmp(server->vals->version_string, SMB1_VERSION_STRING) ++ == 0)) { ++ /* ++ * For SMB2 and later the backup intent flag is already ++ * sent if needed on open and there is no path based ++ * FindFirst operation to use to retry with ++ */ ++ + srchinf = kzalloc(sizeof(struct cifs_search_info), + GFP_KERNEL); + if (srchinf == NULL) { diff --git a/queue-3.18/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch b/queue-3.18/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch new file mode 100644 index 00000000000..d90a1430f2d --- /dev/null +++ b/queue-3.18/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch 
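Review bot: gating the FindFirst fallback on `strcmp(server->vals->version_string, SMB1_VERSION_STRING) == 0` correctly confines the retry to CIFS mounts, where the commit message says the path-based FindFirst operation exists, and stops SMB3 sessions from being torn down by the server on an access-denied query. Comparing a version string is brittle though; a capability flag in `server->vals` (or a dedicated "has path-based FindFirst" indicator) would express the intent directly and survive a future renaming of the dialect string. The stray blank `+` line between the comment block and `srchinf = kzalloc(...)` can be dropped.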
@@ -0,0 +1,40 @@ +From 926674de6705f0f1dbf29a62fd758d0977f535d6 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Sun, 28 Oct 2018 13:13:23 -0500 +Subject: smb3: on kerberos mount if server doesn't specify auth type use krb5 + +From: Steve French + +commit 926674de6705f0f1dbf29a62fd758d0977f535d6 upstream. + +Some servers (e.g. Azure) do not include a spnego blob in the SMB3 +negotiate protocol response, so on kerberos mounts ("sec=krb5") +we can fail, as we expected the server to list its supported +auth types (OIDs in the spnego blob in the negprot response). +Change this so that on krb5 mounts we default to trying krb5 if the +server doesn't list its supported protocol mechanisms. + +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifs_spnego.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/cifs/cifs_spnego.c ++++ b/fs/cifs/cifs_spnego.c +@@ -147,8 +147,10 @@ cifs_get_spnego_key(struct cifs_ses *ses + sprintf(dp, ";sec=krb5"); + else if (server->sec_mskerberos) + sprintf(dp, ";sec=mskrb5"); +- else +- goto out; ++ else { ++ cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n"); ++ sprintf(dp, ";sec=krb5"); ++ } + + dp = description + strlen(description); + sprintf(dp, ";uid=0x%x", diff --git a/queue-3.18/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch b/queue-3.18/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch new file mode 100644 index 00000000000..35076e80879 --- /dev/null +++ b/queue-3.18/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch 
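Review bot: the replaced `goto out` means a server that omits the SPNEGO mechanism list no longer fails the mount; instead the client proceeds with Kerberos, which is acceptable here only because this branch is reached for mounts that explicitly asked for `sec=krb5`, so the client is not being downgraded or talked into a weaker mechanism by a silent server. Two small points: `cifs_dbg(VFS, ...)` logs at the error level on every such mount, so servers like Azure that routinely omit the blob will generate noise; `cifs_dbg(FYI, ...)` or a once-only message would be more appropriate. And the new `else { ... }` block is braced while the preceding `if`/`else if` arms are not, which kernel coding style would normally want made consistent.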
@@ -0,0 +1,65 @@ +From a007734618fee1bf35556c04fa498d41d42c7301 Mon Sep 17 00:00:00 2001 +From: Andreas Kemnade +Date: Sat, 22 Sep 2018 21:20:54 +0200 +Subject: w1: omap-hdq: fix missing bus unregister at removal + +From: Andreas Kemnade + +commit a007734618fee1bf35556c04fa498d41d42c7301 upstream. + +The bus master was not removed after unloading the module +or unbinding the driver. That lead to oopses like this + +[ 127.842987] Unable to handle kernel paging request at virtual address bf01d04c +[ 127.850646] pgd = 70e3cd9a +[ 127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000 +[ 127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM +[ 127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq] +[ 127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12 +[ 127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree) +[ 127.890441] PC is at 0xbf01d04c +[ 127.893798] LR is at w1_search_process_cb+0x4c/0xfc +[ 127.898956] pc : [] lr : [] psr: a0070013 +[ 127.905609] sp : cf885f48 ip : bf01d04c fp : ddf1e11c +[ 127.911132] r10: cf8fe040 r9 : c05f8d00 r8 : cf8fe040 +[ 127.916656] r7 : 000000f0 r6 : cf8fe02c r5 : cf8fe000 r4 : cf8fe01c +[ 127.923553] r3 : c05f8d00 r2 : 000000f0 r1 : cf8fe000 r0 : dde1ef10 +[ 127.930450] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 127.938018] Control: 10c5387d Table: 8f8f0019 DAC: 00000051 +[ 127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f) +[ 127.951171] Stack: (0xcf885f48 to 0xcf886000) +[ 127.955810] 5f40: cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00 +[ 127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000 +[ 127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000 +[ 127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000 +[ 127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 
00000000 00000000 00000000 +[ 127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[ 128.007781] [] (w1_search_process_cb) from [] (w1_process+0x6c/0x118) +[ 128.016479] [] (w1_process) from [] (kthread+0x130/0x148) +[ 128.024047] [] (kthread) from [] (ret_from_fork+0x14/0x2c) +[ 128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8) +[ 128.037017] 5fa0: 00000000 00000000 00000000 00000000 +[ 128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +[ 128.061340] Code: bad PC value +[ 128.064697] ---[ end trace af066e33c0e14119 ]--- + +Cc: +Signed-off-by: Andreas Kemnade +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/w1/masters/omap_hdq.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/w1/masters/omap_hdq.c ++++ b/drivers/w1/masters/omap_hdq.c +@@ -622,6 +622,8 @@ static int omap_hdq_remove(struct platfo + /* remove module dependency */ + pm_runtime_disable(&pdev->dev); + ++ w1_remove_master_device(&omap_w1_master); ++ + return 0; + } + diff --git a/queue-3.18/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch b/queue-3.18/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch new file mode 100644 index 00000000000..c05d60d2bde --- /dev/null +++ b/queue-3.18/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch 
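Review bot: the new `w1_remove_master_device(&omap_w1_master)` call is placed after `pm_runtime_disable(&pdev->dev)`, which leaves a window in which the w1 bus thread (the oops shows `w1_bus_master1` calling into `w1_search_process_cb`) can still invoke the master's callbacks while the device's runtime PM has already been disabled; unregistering the master first, and only then disabling runtime PM, closes that window. The oops itself (PC at `0xbf01d04c` with "Code: bad PC value", module `omap_hdq` listed as last unloaded) is the classic signature of the w1 core still holding function pointers into unloaded module text, so the fix is the right one; a short comment above the call saying the master must be unregistered before the module text goes away would help the next reader.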
@@ -0,0 +1,56 @@ +From 7250f422da0480d8512b756640f131b9b893ccda Mon Sep 17 00:00:00 2001 +From: Joe Jin +Date: Tue, 16 Oct 2018 15:21:16 -0700 +Subject: xen-swiotlb: use actually allocated size on check physical continuous + +From: Joe Jin + +commit 7250f422da0480d8512b756640f131b9b893ccda upstream. + +xen_swiotlb_{alloc,free}_coherent() allocate/free memory based on the +order of the pages and not size argument (bytes). This is inconsistent with +range_straddles_page_boundary and memset which use the 'size' value, +which may lead to not exchanging memory with Xen (range_straddles_page_boundary() +returned true). And then the call to xen_swiotlb_free_coherent() would +actually try to exchange the memory with Xen, leading to the kernel +hitting an BUG (as the hypercall returned an error). + +This patch fixes it by making the 'size' variable be of the same size +as the amount of memory allocated. + +CC: stable@vger.kernel.org +Signed-off-by: Joe Jin +Cc: Konrad Rzeszutek Wilk +Cc: Boris Ostrovsky +Cc: Christoph Helwig +Cc: Dongli Zhang +Cc: John Sobecki +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/swiotlb-xen.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -314,6 +314,9 @@ xen_swiotlb_alloc_coherent(struct device + if (dma_alloc_from_coherent(hwdev, size, dma_handle, &ret)) + return ret; + ++ /* Convert the size to actually allocated. */ ++ size = 1UL << (order + XEN_PAGE_SHIFT); ++ + /* On ARM this function returns an ioremap'ped virtual address for + * which virt_to_phys doesn't return the corresponding physical + * address. In fact on ARM virt_to_phys only works for kernel direct +@@ -366,6 +369,9 @@ xen_swiotlb_free_coherent(struct device + * physical address */ + phys = xen_bus_to_phys(dev_addr); + ++ /* Convert the size to actually allocated. 
*/ ++ size = 1UL << (order + XEN_PAGE_SHIFT); ++ + if (((dev_addr + size - 1 <= dma_mask)) || + range_straddles_page_boundary(phys, size)) + xen_destroy_contiguous_region(phys, order);
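Review bot: in the xen_swiotlb_alloc_coherent() hunk, `size = 1UL << (order + XEN_PAGE_SHIFT);` overwrites the caller's byte count in place, so the original value is no longer available after this point; the hunk does not show where `order` is derived, so please confirm it was computed from the original `size` before this line, and make the comment say so ("size is rounded up to the allocated page order; the original byte count is not needed below") rather than the terse "Convert the size to actually allocated." The rounding is what makes the later `range_straddles_page_boundary()` and `memset` (named in the commit message) see the same region that was actually allocated.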
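Review bot: the xen_swiotlb_free_coherent() hunk duplicates the exact expression and comment from the alloc path; since the bug being fixed is precisely alloc and free disagreeing about the region size (free tried to exchange memory with Xen that alloc never had exchanged, hitting a BUG on the hypercall error), a small shared helper for the order-to-size conversion would keep the two paths from drifting apart again. The double parentheses in `if (((dev_addr + size - 1 <= dma_mask)) ||` are pre-existing but could be cleaned up while this line is being touched.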