From 1086ecb81c752fd4adf3390952a0561c87279055 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 4 Sep 2017 12:45:34 +0200
Subject: [PATCH] 3.18-stable patches
added patches:
cifs-fix-maximum-smb2-header-size.patch
cifs-remove-endian-related-sparse-warning.patch
cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
wl1251-add-a-missing-spin_lock_init.patch
xfrm-policy-check-policy-direction-value.patch
---
 .../cifs-fix-maximum-smb2-header-size.patch | 37 ++++++++++
 ...remove-endian-related-sparse-warning.patch | 32 +++++++++
 ..._node-on-non-numa-multi-node-configs.patch | 51 ++++++++++++++
 ...rror-when-fail-to-get-pages-for-pool.patch | 37 ++++++++++
 queue-3.18/series | 6 ++
 .../wl1251-add-a-missing-spin_lock_init.patch | 67 +++++++++++++++++++
 ...-policy-check-policy-direction-value.patch | 44 ++++++++++++
 queue-4.13/series | 3 +
 8 files changed, 277 insertions(+)
 create mode 100644 queue-3.18/cifs-fix-maximum-smb2-header-size.patch
 create mode 100644 queue-3.18/cifs-remove-endian-related-sparse-warning.patch
 create mode 100644 queue-3.18/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
 create mode 100644 queue-3.18/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
 create mode 100644 queue-3.18/wl1251-add-a-missing-spin_lock_init.patch
 create mode 100644 queue-3.18/xfrm-policy-check-policy-direction-value.patch
 create mode 100644 queue-4.13/series
diff --git a/queue-3.18/cifs-fix-maximum-smb2-header-size.patch b/queue-3.18/cifs-fix-maximum-smb2-header-size.patch
new file mode 100644
index 00000000000..cf7d421b05e
--- /dev/null
+++ b/queue-3.18/cifs-fix-maximum-smb2-header-size.patch
@@ -0,0 +1,37 @@
+From 9e37b1784f2be9397a903307574ee565bbadfd75 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky
+Date: Thu, 24 Aug 2017 15:16:40 -0700
+Subject: CIFS: Fix maximum SMB2 header size
+
+From: Pavel Shilovsky
+
+commit 9e37b1784f2be9397a903307574ee565bbadfd75 upstream.
+
+Currently the maximum size of SMB2/3 header is set incorrectly which
+leads to hanging of directory listing operations on encrypted SMB3
+connections. Fix this by setting the maximum size to 170 bytes that
+is calculated as RFC1002 length field size (4) + transform header
+size (52) + SMB2 header size (64) + create response size (56).
+
+Signed-off-by: Pavel Shilovsky
+Signed-off-by: Steve French
+Acked-by: Sachin Prabhu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2pdu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -82,8 +82,8 @@
+ 
+ #define NUMBER_OF_SMB2_COMMANDS 0x0013
+ 
+-/* BB FIXME - analyze following length BB */
+-#define MAX_SMB2_HDR_SIZE 0x78 /* 4 len + 64 hdr + (2*24 wct) + 2 bct + 2 pad */
++/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */
++#define MAX_SMB2_HDR_SIZE 0x00b0
+ 
+ #define SMB2_PROTO_NUMBER __constant_cpu_to_le32(0x424d53fe)
+ 
diff --git a/queue-3.18/cifs-remove-endian-related-sparse-warning.patch b/queue-3.18/cifs-remove-endian-related-sparse-warning.patch
new file mode 100644
index 00000000000..f3d279c6545
--- /dev/null
+++ b/queue-3.18/cifs-remove-endian-related-sparse-warning.patch
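Review bot: The commit message says the maximum is being raised to 170 bytes, but the new line `#define MAX_SMB2_HDR_SIZE 0x00b0` is 176, which is also what the inline comment's sum (4 + 52 + 64 + 56) yields; the number in the message is the one that is wrong, and the queued stable text would be clearer if it said 176 so the next reader does not go looking for six missing bytes. Keeping the arithmetic in the comment, as the patch does, is preferable to a bare hex value, since the constant is otherwise undocumented. Whether the 3.18 cifs code has an SMB3 transform header at all is not visible from this hunk; if it does not, the extra 52 bytes are presumably harmless slack in whatever buffer sizing uses this constant, but that is the thing a backport reviewer should confirm.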
@@ -0,0 +1,32 @@
+From 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Sun, 27 Aug 2017 16:56:08 -0500
+Subject: CIFS: remove endian related sparse warning
+
+From: Steve French
+
+commit 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream.
+
+Recent patch had an endian warning ie
+cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
+
+Signed-off-by: Steve French
+CC: Ronnie Sahlberg
+Acked-by: Pavel Shilovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -194,7 +194,7 @@ check_name(struct dentry *direntry, stru
+ int i;
+ 
+ if (unlikely(direntry->d_name.len >
+- tcon->fsAttrInfo.MaxPathNameComponentLength))
++ le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)))
+ return -ENAMETOOLONG;
+ 
+ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {
diff --git a/queue-3.18/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch b/queue-3.18/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
new file mode 100644
index 00000000000..2a9dd070581
--- /dev/null
+++ b/queue-3.18/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
@@ -0,0 +1,51 @@
+From b339752d054fb32863418452dff350a1086885b1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Mon, 28 Aug 2017 14:51:27 -0700
+Subject: cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
+
+From: Tejun Heo
+
+commit b339752d054fb32863418452dff350a1086885b1 upstream.
+
+When !NUMA, cpumask_of_node(@node) equals cpu_online_mask regardless of
+@node. The assumption seems that if !NUMA, there shouldn't be more than
+one node and thus reporting cpu_online_mask regardless of @node is
+correct. However, that assumption was broken years ago to support
+DISCONTIGMEM and whether a system has multiple nodes or not is
+separately controlled by NEED_MULTIPLE_NODES.
+
+This means that, on a system with !NUMA && NEED_MULTIPLE_NODES,
+cpumask_of_node() will report cpu_online_mask for all possible nodes,
+indicating that the CPUs are associated with multiple nodes which is an
+impossible configuration.
+
+This bug has been around forever but doesn't look like it has caused any
+noticeable symptoms. However, it triggers a WARN recently added to
+workqueue to verify NUMA affinity configuration.
+
+Fix it by reporting empty cpumask on non-zero nodes if !NUMA.
+
+Signed-off-by: Tejun Heo
+Reported-and-tested-by: Geert Uytterhoeven
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/asm-generic/topology.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/asm-generic/topology.h
++++ b/include/asm-generic/topology.h
+@@ -48,7 +48,11 @@
+ #define parent_node(node) ((void)(node),0)
+ #endif
+ #ifndef cpumask_of_node
+-#define cpumask_of_node(node) ((void)node, cpu_online_mask)
++ #ifdef CONFIG_NEED_MULTIPLE_NODES
++ #define cpumask_of_node(node) ((node) == 0 ? cpu_online_mask : cpu_none_mask)
++ #else
++ #define cpumask_of_node(node) ((void)node, cpu_online_mask)
++ #endif
+ #endif
+ #ifndef pcibus_to_node
+ #define pcibus_to_node(bus) ((void)(bus), -1)
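Review bot: The two new `cpumask_of_node` definitions are inconsistent about parenthesising the macro argument: the CONFIG_NEED_MULTIPLE_NODES branch writes `(node) == 0`, while the fallback re-added on the next lines keeps the old `(void)node`; writing the fallback as `#define cpumask_of_node(node) ((void)(node), cpu_online_mask)` would match the `parent_node` and `pcibus_to_node` definitions visible in the surrounding context. The conditional form evaluates its argument exactly once, so a side-effecting argument is not double-evaluated, which is fine. One behavioural point for the backport to confirm rather than a defect: under !NUMA && NEED_MULTIPLE_NODES any caller that passes a non-zero or negative node id (NUMA_NO_NODE, say) now gets cpu_none_mask where it previously got cpu_online_mask; the callers are not visible from this hunk, so whether any 3.18 caller relied on the old answer cannot be told from here.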
diff --git a/queue-3.18/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch b/queue-3.18/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
new file mode 100644
index 00000000000..37e17cff770
--- /dev/null
+++ b/queue-3.18/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
@@ -0,0 +1,37 @@
+From 9afae2719273fa1d406829bf3498f82dbdba71c7 Mon Sep 17 00:00:00 2001
+From: "Xiangliang.Yu"
+Date: Wed, 16 Aug 2017 14:25:51 +0800
+Subject: drm/ttm: Fix accounting error when fail to get pages for pool
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiangliang.Yu
+
+commit 9afae2719273fa1d406829bf3498f82dbdba71c7 upstream.
+
+When fail to get needed page for pool, need to put allocated pages
+into pool. But current code has a miscalculation of allocated pages,
+correct it.
+
+Signed-off-by: Xiangliang.Yu
+Reviewed-by: Christian König
+Reviewed-by: Monk Liu
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+@@ -612,7 +612,7 @@ static void ttm_page_pool_fill_locked(st
+ } else {
+ pr_err("Failed to fill pool (%p)\n", pool);
+ /* If we have any pages left put them to the pool. */
+- list_for_each_entry(p, &pool->list, lru) {
++ list_for_each_entry(p, &new_pages, lru) {
+ ++cpages;
+ }
+ list_splice(&new_pages, &pool->list);
diff --git a/queue-3.18/series b/queue-3.18/series
index ab352444844..11358e5ee69 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -1,2 +1,8 @@
 i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
 i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
+cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
+cifs-fix-maximum-smb2-header-size.patch
+cifs-remove-endian-related-sparse-warning.patch
+wl1251-add-a-missing-spin_lock_init.patch
+xfrm-policy-check-policy-direction-value.patch
+drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
diff --git a/queue-3.18/wl1251-add-a-missing-spin_lock_init.patch b/queue-3.18/wl1251-add-a-missing-spin_lock_init.patch
new file mode 100644
index 00000000000..0c5a4d69b06
--- /dev/null
+++ b/queue-3.18/wl1251-add-a-missing-spin_lock_init.patch
@@ -0,0 +1,67 @@
+From f581a0dd744fe32b0a8805e279c59ec1ac676d60 Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Thu, 31 Aug 2017 16:47:43 +0200
+Subject: wl1251: add a missing spin_lock_init()
+
+From: Cong Wang
+
+commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream.
+
+wl1251: add a missing spin_lock_init()
+
+This fixes the following kernel warning:
+
+ [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
+ [ 5668.771850] lock: 0xce63ef20, .magic: 00000000, .owner: /-1,
+ .owner_cpu: 0
+ [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G W
+ 4.12.0-03002-gec979a4-dirty #40
+ [ 5668.772796] Hardware name: Nokia RX-51 board
+ [ 5668.773071] Workqueue: phy1 wl1251_irq_work
+ [ 5668.773345] [] (unwind_backtrace) from []
+ (show_stack+0x10/0x14)
+ [ 5668.773803] [] (show_stack) from []
+ (do_raw_spin_lock+0x6c/0xa0)
+ [ 5668.774230] [] (do_raw_spin_lock) from []
+ (_raw_spin_lock_irqsave+0x10/0x18)
+ [ 5668.774658] [] (_raw_spin_lock_irqsave) from []
+ (wl1251_op_tx+0x38/0x5c)
+ [ 5668.775115] [] (wl1251_op_tx) from []
+ (ieee80211_tx_frags+0x188/0x1c0)
+ [ 5668.775543] [] (ieee80211_tx_frags) from []
+ (__ieee80211_tx+0x6c/0x130)
+ [ 5668.775970] [] (__ieee80211_tx) from []
+ (ieee80211_tx+0xdc/0x104)
+ [ 5668.776367] [] (ieee80211_tx) from []
+ (__ieee80211_subif_start_xmit+0x454/0x8c8)
+ [ 5668.776824] [] (__ieee80211_subif_start_xmit) from
+ [] (ieee80211_subif_start_xmit+0x30/0x2fc)
+ [ 5668.777343] [] (ieee80211_subif_start_xmit) from
+ [] (dev_hard_start_xmit+0x80/0x118)
+...
+
+ by adding the missing spin_lock_init().
+
+Reported-by: Pavel Machek
+Cc: Kalle Valo
+Signed-off-by: Cong Wang
+Acked-by: Pavel Machek
+Signed-off-by: Kalle Valo
+Signed-off-by: Pavel Machek
+Signed-off-by: David S.
Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ti/wl1251/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ti/wl1251/main.c
++++ b/drivers/net/wireless/ti/wl1251/main.c
+@@ -1572,6 +1572,7 @@ struct ieee80211_hw *wl1251_alloc_hw(voi
+ 
+ wl->state = WL1251_STATE_OFF;
+ mutex_init(&wl->mutex);
++ spin_lock_init(&wl->wl_lock);
+ 
+ wl->tx_mgmt_frm_rate = DEFAULT_HW_GEN_TX_RATE;
+ wl->tx_mgmt_frm_mod = DEFAULT_HW_GEN_MODULATION_TYPE;
diff --git a/queue-3.18/xfrm-policy-check-policy-direction-value.patch b/queue-3.18/xfrm-policy-check-policy-direction-value.patch
new file mode 100644
index 00000000000..cd556089ac1
--- /dev/null
+++ b/queue-3.18/xfrm-policy-check-policy-direction-value.patch
@@ -0,0 +1,44 @@
+From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001
+From: Vladis Dronov
+Date: Wed, 2 Aug 2017 19:50:14 +0200
+Subject: xfrm: policy: check policy direction value
+
+From: Vladis Dronov
+
+commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream.
+
+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
+as an array index. This can lead to an out-of-bound access, kernel lockup and
+DoS. Add a check for the 'dir' value.
+
+This fixes CVE-2017-11600.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Reported-by: "bo Zhang"
+Signed-off-by: Vladis Dronov
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/xfrm/xfrm_policy.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3248,9 +3248,15 @@ int xfrm_migrate(const struct xfrm_selec
+ struct xfrm_state *x_new[XFRM_MAX_DEPTH];
+ struct xfrm_migrate *mp;
+ 
++ /* Stage 0 - sanity checks */
+ if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
+ goto out;
+ 
++ if (dir >= XFRM_POLICY_MAX) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ /* Stage 1 - find policy */
+ if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
+ err = -ENOENT;
diff --git a/queue-4.13/series b/queue-4.13/series
new file mode 100644
index 00000000000..87567c1f913
--- /dev/null
+++ b/queue-4.13/series
@@ -0,0 +1,3 @@
+drm-vgem-pin-our-pages-for-dmabuf-exports.patch
+drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
+drm-dp-mst-handle-errors-from-drm_atomic_get_private_obj_state-correctly.patch
-- 
2.47.3
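Review bot: The new `if (dir >= XFRM_POLICY_MAX)` guard carries no comment saying why it is there, even though the commit message is explicit that `dir` arrives from userspace and is used as an array index; a one-line comment such as `/* dir is supplied by userspace and indexes the per-direction policy tables */` above the check would keep the bound from being "simplified" away later. The check rejects only values at or above XFRM_POLICY_MAX, which is sufficient as long as `dir` is unsigned — upstream declares it `u8`, but the signature is outside this hunk (xfrm_migrate starts before it), so the backport should confirm the 3.18 declaration matches. As a matter of style, placing the guard before the `xfrm_migrate_check()` call would keep everything under the new `/* Stage 0 - sanity checks */` comment together and fail fast on the cheapest check; the `err = -EINVAL; goto out;` form already matches the function's existing error convention.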