From 1b2312bbd85df57a9560f44eb3b162d949e3696e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 9 Aug 2021 11:58:13 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
ext4-fix-potential-htree-corruption-when-growing-large_dir-directories.patch
media-rtl28xxu-fix-zero-length-control-request.patch
pipe-increase-minimum-default-pipe-size-to-2-pages.patch
staging-rtl8723bs-fix-a-resource-leak-in-sd_int_dpc.patch
---
 ...n-when-growing-large_dir-directories.patch | 38 ++++++++++
 ...8xxu-fix-zero-length-control-request.patch | 58 ++++++++++++++
 ...minimum-default-pipe-size-to-2-pages.patch | 75 +++++++++++++++++++
 queue-4.19/series | 4 +
 ...bs-fix-a-resource-leak-in-sd_int_dpc.patch | 33 ++++++++
 5 files changed, 208 insertions(+)
 create mode 100644 queue-4.19/ext4-fix-potential-htree-corruption-when-growing-large_dir-directories.patch
 create mode 100644 queue-4.19/media-rtl28xxu-fix-zero-length-control-request.patch
 create mode 100644 queue-4.19/pipe-increase-minimum-default-pipe-size-to-2-pages.patch
 create mode 100644 queue-4.19/staging-rtl8723bs-fix-a-resource-leak-in-sd_int_dpc.patch
diff --git a/queue-4.19/ext4-fix-potential-htree-corruption-when-growing-large_dir-directories.patch b/queue-4.19/ext4-fix-potential-htree-corruption-when-growing-large_dir-directories.patch
new file mode 100644
index 00000000000..167b151ef52
--- /dev/null
+++ b/queue-4.19/ext4-fix-potential-htree-corruption-when-growing-large_dir-directories.patch
@@ -0,0 +1,38 @@
+From 877ba3f729fd3d8ef0e29bc2a55e57cfa54b2e43 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Wed, 4 Aug 2021 14:23:55 -0400
+Subject: ext4: fix potential htree corruption when growing large_dir directories
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Theodore Ts'o
+
+commit 877ba3f729fd3d8ef0e29bc2a55e57cfa54b2e43 upstream.
+
+Commit b5776e7524af ("ext4: fix potential htree index checksum
+corruption) removed a required restart when multiple levels of index
+nodes need to be split. Fix this to avoid directory htree corruptions
+when using the large_dir feature.
+
+Cc: stable@kernel.org # v5.11
+Cc: Благодаренко Артём
+Fixes: b5776e7524af ("ext4: fix potential htree index checksum corruption)
+Reported-by: Denis
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2317,7 +2317,7 @@ again:
+ goto journal_error;
+ err = ext4_handle_dirty_dx_node(handle, dir,
+ frame->bh);
+- if (err)
++ if (restart || err)
+ goto journal_error;
+ } else {
+ struct dx_root *dxroot;
diff --git a/queue-4.19/media-rtl28xxu-fix-zero-length-control-request.patch b/queue-4.19/media-rtl28xxu-fix-zero-length-control-request.patch
new file mode 100644
index 00000000000..698b8241fcd
--- /dev/null
+++ b/queue-4.19/media-rtl28xxu-fix-zero-length-control-request.patch
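Review bot: In the fs/ext4/namei.c hunk, the restored `if (restart || err) goto journal_error;` sends a split that succeeded (err == 0) to a label whose name says error, and nothing at the jump marks this as the restart path. A one-line comment above the test would help, for example `/* restart with err == 0 is not a failure: leave through the common exit so the insert is retried after the index split */`; that reading is inferred from the commit message, because the `journal_error` label and the `again:` loop lie outside the hunk. The queued patch also carries `Cc: stable@kernel.org # v5.11`, so it is worth confirming that the commit named in `Fixes:` is actually present in 4.19 before this goes into that queue.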
@@ -0,0 +1,58 @@
+From 76f22c93b209c811bd489950f17f8839adb31901 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 23 Jun 2021 10:45:21 +0200
+Subject: media: rtl28xxu: fix zero-length control request
+
+From: Johan Hovold
+
+commit 76f22c93b209c811bd489950f17f8839adb31901 upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Control transfers without a data stage are treated as OUT requests by
+the USB stack and should be using usb_sndctrlpipe(). Failing to do so
+will now trigger a warning.
+
+The driver uses a zero-length i2c-read request for type detection so
+update the control-request code to use usb_sndctrlpipe() in this case.
+
+Note that actually trying to read the i2c register in question does not
+work as the register might not exist (e.g. depending on the demodulator)
+as reported by Eero Lehtinen .
+
+Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com
+Reported-by: Eero Lehtinen
+Tested-by: Eero Lehtinen
+Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type")
+Cc: stable@vger.kernel.org # 4.0
+Cc: Antti Palosaari
+Signed-off-by: Johan Hovold
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+@@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_
+ } else {
+ /* read */
+ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN);
+- pipe = usb_rcvctrlpipe(d->udev, 0);
++
++ /*
++ * Zero-length transfers must use usb_sndctrlpipe() and
++ * rtl28xxu_identify_state() uses a zero-length i2c read
++ * command to determine the chip type.
++ */
++ if (req->size)
++ pipe = usb_rcvctrlpipe(d->udev, 0);
++ else
++ pipe = usb_sndctrlpipe(d->udev, 0);
+ }
+
+ ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,
diff --git a/queue-4.19/pipe-increase-minimum-default-pipe-size-to-2-pages.patch b/queue-4.19/pipe-increase-minimum-default-pipe-size-to-2-pages.patch
new file mode 100644
index 00000000000..65def1ff8a6
--- /dev/null
+++ b/queue-4.19/pipe-increase-minimum-default-pipe-size-to-2-pages.patch
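Review bot: In rtl28xxu_ctrl_msg() the zero-length branch now pairs `usb_sndctrlpipe()` with a `requesttype` that still carries `USB_DIR_IN`, and the new comment does not say that this pairing is intended. The commit message itself says the pipe direction must match the request-type direction bit, so a reader comparing the two lines is likely to take the branch for a bug. I would extend the comment with a line such as `* requesttype keeps USB_DIR_IN on purpose: without a data stage only the pipe direction has to be OUT.`, to be confirmed against the USB core check the message refers to, which is not part of this hunk. The function body starts and ends outside the hunk.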
@@ -0,0 +1,75 @@
+From 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 Mon Sep 17 00:00:00 2001
+From: "Alex Xu (Hello71)"
+Date: Thu, 5 Aug 2021 10:40:47 -0400
+Subject: pipe: increase minimum default pipe size to 2 pages
+
+From: Alex Xu (Hello71)
+
+commit 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 upstream.
+
+This program always prints 4096 and hangs before the patch, and always
+prints 8192 and exits successfully after:
+
+ int main()
+ {
+ int pipefd[2];
+ for (int i = 0; i < 1025; i++)
+ if (pipe(pipefd) == -1)
+ return 1;
+ size_t bufsz = fcntl(pipefd[1], F_GETPIPE_SZ);
+ printf("%zd\n", bufsz);
+ char *buf = calloc(bufsz, 1);
+ write(pipefd[1], buf, bufsz);
+ read(pipefd[0], buf, bufsz-1);
+ write(pipefd[1], buf, 1);
+ }
+
+Note that you may need to increase your RLIMIT_NOFILE before running the
+program.
+
+Fixes: 759c01142a ("pipe: limit the per-user amount of pages allocated in pipes")
+Cc:
+Link: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/
+Link: https://lore.kernel.org/lkml/1628127094.lxxn016tj7.none@localhost/
+Signed-off-by: Alex Xu (Hello71)
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/pipe.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -30,6 +30,21 @@
+ #include "internal.h"
+
+ /*
++ * New pipe buffers will be restricted to this size while the user is exceeding
++ * their pipe buffer quota. The general pipe use case needs at least two
++ * buffers: one for data yet to be read, and one for new data. If this is less
++ * than two, then a write to a non-empty pipe may block even if the pipe is not
++ * full. This can occur with GNU make jobserver or similar uses of pipes as
++ * semaphores: multiple processes may be waiting to write tokens back to the
++ * pipe before reading tokens: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/.
++ *
++ * Users can reduce their pipe buffers with F_SETPIPE_SZ below this at their
++ * own risk, namely: pipe writes to non-full pipes may block until the pipe is
++ * emptied.
++ */
++#define PIPE_MIN_DEF_BUFFERS 2
++
++/*
+ * The max size that a non-root user is allowed to grow the pipe. Can
+ * be set by root in /proc/sys/fs/pipe-max-size
+ */
+@@ -654,8 +669,8 @@ struct pipe_inode_info *alloc_pipe_info(
+ user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
+
+ if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) {
+- user_bufs = account_pipe_buffers(user, pipe_bufs, 1);
+- pipe_bufs = 1;
++ user_bufs = account_pipe_buffers(user, pipe_bufs, PIPE_MIN_DEF_BUFFERS);
++ pipe_bufs = PIPE_MIN_DEF_BUFFERS;
+ }
+
+ if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user())
diff --git a/queue-4.19/series b/queue-4.19/series
index e125794a411..cb13d85b918 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -34,3 +34,7 @@ tracing-histogram-give-calculation-hist_fields-a-size.patch
 tracing-histogram-rename-cpu-to-common_cpu.patch
 optee-clear-stale-cache-entries-during-initialization.patch
 tee-add-tee_shm_alloc_kernel_buf.patch
+staging-rtl8723bs-fix-a-resource-leak-in-sd_int_dpc.patch
+media-rtl28xxu-fix-zero-length-control-request.patch
+pipe-increase-minimum-default-pipe-size-to-2-pages.patch
+ext4-fix-potential-htree-corruption-when-growing-large_dir-directories.patch
diff --git a/queue-4.19/staging-rtl8723bs-fix-a-resource-leak-in-sd_int_dpc.patch b/queue-4.19/staging-rtl8723bs-fix-a-resource-leak-in-sd_int_dpc.patch
new file mode 100644
index 00000000000..681ee7f98c4
--- /dev/null
+++ b/queue-4.19/staging-rtl8723bs-fix-a-resource-leak-in-sd_int_dpc.patch
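Review bot: The comment added above `PIPE_MIN_DEF_BUFFERS` in fs/pipe.c explains the blocking hazard but not the accounting effect of the second inner hunk: a user already over the soft limit is now charged two buffers per new pipe through `account_pipe_buffers(user, pipe_bufs, PIPE_MIN_DEF_BUFFERS)`, so the `too_many_pipe_buffers_hard()` check that follows sees twice the previous per-pipe charge. Because this quota is what limits pipe memory per user, I would add a sentence such as `* Each such pipe is still charged to the user's quota, so this doubles the per-pipe cost once the soft limit is exceeded.` The constant is used as a buffer count while the patch subject speaks of pages, so the comment could also state the unit. alloc_pipe_info() starts and ends outside the hunk.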
@@ -0,0 +1,33 @@
+From 990e4ad3ddcb72216caeddd6e62c5f45a21e8121 Mon Sep 17 00:00:00 2001
+From: Xiangyang Zhang
+Date: Mon, 28 Jun 2021 23:22:39 +0800
+Subject: staging: rtl8723bs: Fix a resource leak in sd_int_dpc
+
+From: Xiangyang Zhang
+
+commit 990e4ad3ddcb72216caeddd6e62c5f45a21e8121 upstream.
+
+The "c2h_evt" variable is not freed when function call
+"c2h_evt_read_88xx" failed
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Reviewed-by: Hans de Goede
+Signed-off-by: Xiangyang Zhang
+Cc: stable
+Link: https://lore.kernel.org/r/20210628152239.5475-1-xyz.sun.ok@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8723bs/hal/sdio_ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/rtl8723bs/hal/sdio_ops.c
++++ b/drivers/staging/rtl8723bs/hal/sdio_ops.c
+@@ -1077,6 +1077,8 @@ void sd_int_dpc(struct adapter *adapter)
+ } else {
+ rtw_c2h_wk_cmd(adapter, (u8 *)c2h_evt);
+ }
++ } else {
++ kfree(c2h_evt);
+ }
+ } else {
+ /* Error handling for malloc fail */
--
2.47.3
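Review bot: The new `kfree(c2h_evt)` covers the path where the read fails, but the context line `rtw_c2h_wk_cmd(adapter, (u8 *)c2h_evt);` just above it still discards the return value. If that call can fail without taking ownership of the buffer (its body is not visible here), the same leak remains on that branch and the call needs a check that frees `c2h_evt` on failure. At minimum, a comment such as `/* rtw_c2h_wk_cmd() owns c2h_evt from here on */` would record who frees the buffer on each branch. sd_int_dpc() starts and ends outside the hunk.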