From 850f5924a2dbcea01da1f78bbabc429fcf165e0f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 29 Jun 2020 13:41:18 +0200 Subject: [PATCH] 4.19-stable patches added patches: dm-writecache-add-cond_resched-to-loop-in-persistent_memory_claim.patch dm-writecache-correct-uncommitted_block-when-discarding-uncommitted-entry.patch drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch drm-rcar-du-fix-build-error.patch nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch ring-buffer-zero-out-time-extend-if-it-is-nested-and-not-absolute.patch staging-rtl8723bs-prevent-buffer-overflow-in-update_sta_support_rate.patch sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch tracing-fix-event-trigger-to-accept-redundant-spaces.patch --- ...d-to-loop-in-persistent_memory_claim.patch | 33 +++++++ ...ck-when-discarding-uncommitted-entry.patch | 34 +++++++ ..._div-check-in-ni_init_smc_spll_table.patch | 33 +++++++ queue-4.19/drm-rcar-du-fix-build-error.patch | 44 +++++++++ ...ot-waiting-for-direct-io-compeletion.patch | 92 +++++++++++++++++++ ...rruption-if-the-mirror-count-changes.patch | 54 +++++++++++ ...end-if-it-is-nested-and-not-absolute.patch | 71 ++++++++++++++ queue-4.19/series | 11 +++ ...-overflow-in-update_sta_support_rate.patch | 41 +++++++++ ...-rollback-in-rpc_gssd_dummy_populate.patch | 32 +++++++ ...bbuf-parameter-of-xdr_buf_subsegment.patch | 54 +++++++++++ ...t-trigger-to-accept-redundant-spaces.patch | 87 ++++++++++++++++++ 12 files changed, 586 insertions(+) create mode 100644 queue-4.19/dm-writecache-add-cond_resched-to-loop-in-persistent_memory_claim.patch create mode 100644 queue-4.19/dm-writecache-correct-uncommitted_block-when-discarding-uncommitted-entry.patch create mode 100644 queue-4.19/drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch create mode 100644 queue-4.19/drm-rcar-du-fix-build-error.patch create mode 100644 queue-4.19/nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch create mode 100644 queue-4.19/pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch create mode 100644 queue-4.19/ring-buffer-zero-out-time-extend-if-it-is-nested-and-not-absolute.patch create mode 100644 queue-4.19/staging-rtl8723bs-prevent-buffer-overflow-in-update_sta_support_rate.patch create mode 100644 queue-4.19/sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch create mode 100644 queue-4.19/sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch create mode 100644 queue-4.19/tracing-fix-event-trigger-to-accept-redundant-spaces.patch diff --git a/queue-4.19/dm-writecache-add-cond_resched-to-loop-in-persistent_memory_claim.patch b/queue-4.19/dm-writecache-add-cond_resched-to-loop-in-persistent_memory_claim.patch new file mode 100644 index 00000000000..b91de7247c0 --- /dev/null +++ b/queue-4.19/dm-writecache-add-cond_resched-to-loop-in-persistent_memory_claim.patch @@ -0,0 +1,33 @@ +From d35bd764e6899a7bea71958f08d16cea5bfa1919 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 19 Jun 2020 11:51:34 -0400 +Subject: dm writecache: add cond_resched to loop in persistent_memory_claim() + +From: Mikulas Patocka + +commit d35bd764e6899a7bea71958f08d16cea5bfa1919 upstream. + +Add cond_resched() to a loop that fills in the mapper memory area +because the loop can be executed many times. + +Fixes: 48debafe4f2fe ("dm: add writecache target") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-writecache.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -281,6 +281,8 @@ static int persistent_memory_claim(struc + while (daa-- && i < p) { + pages[i++] = pfn_t_to_page(pfn); + pfn.val++; ++ if (!(i & 15)) ++ cond_resched(); + } + } while (i < p); + wc->memory_map = vmap(pages, p, VM_MAP, PAGE_KERNEL); diff --git a/queue-4.19/dm-writecache-correct-uncommitted_block-when-discarding-uncommitted-entry.patch b/queue-4.19/dm-writecache-correct-uncommitted_block-when-discarding-uncommitted-entry.patch new file mode 100644 index 00000000000..ad9a60cd7fe --- /dev/null +++ b/queue-4.19/dm-writecache-correct-uncommitted_block-when-discarding-uncommitted-entry.patch @@ -0,0 +1,34 @@ +From 39495b12ef1cf602e6abd350dce2ef4199906531 Mon Sep 17 00:00:00 2001 +From: Huaisheng Ye +Date: Fri, 12 Jun 2020 23:59:11 +0800 +Subject: dm writecache: correct uncommitted_block when discarding uncommitted entry + +From: Huaisheng Ye + +commit 39495b12ef1cf602e6abd350dce2ef4199906531 upstream. + +When uncommitted entry has been discarded, correct wc->uncommitted_block +for getting the exact number. + +Fixes: 48debafe4f2fe ("dm: add writecache target") +Cc: stable@vger.kernel.org +Signed-off-by: Huaisheng Ye +Acked-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-writecache.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -811,6 +811,8 @@ static void writecache_discard(struct dm + writecache_wait_for_ios(wc, WRITE); + discarded_something = true; + } ++ if (!writecache_entry_is_committed(wc, e)) ++ wc->uncommitted_blocks--; + writecache_free_entry(wc, e); + } + diff --git a/queue-4.19/drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch b/queue-4.19/drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch new file mode 100644 index 00000000000..138882102f6 --- /dev/null +++ b/queue-4.19/drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch @@ -0,0 +1,33 @@ +From 35f760b44b1b9cb16a306bdcc7220fbbf78c4789 Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Mon, 22 Jun 2020 23:31:22 +0300 +Subject: drm/radeon: fix fb_div check in ni_init_smc_spll_table() + +From: Denis Efremov + +commit 35f760b44b1b9cb16a306bdcc7220fbbf78c4789 upstream. + +clk_s is checked twice in a row in ni_init_smc_spll_table(). +fb_div should be checked instead. + +Fixes: 69e0b57a91ad ("drm/radeon/kms: add dpm support for cayman (v5)") +Cc: stable@vger.kernel.org +Signed-off-by: Denis Efremov +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/ni_dpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/ni_dpm.c ++++ b/drivers/gpu/drm/radeon/ni_dpm.c +@@ -2126,7 +2126,7 @@ static int ni_init_smc_spll_table(struct + if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT)) + ret = -EINVAL; + +- if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT)) ++ if (fb_div & ~(SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_SHIFT)) + ret = -EINVAL; + + if (clk_v & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_SHIFT)) diff --git a/queue-4.19/drm-rcar-du-fix-build-error.patch b/queue-4.19/drm-rcar-du-fix-build-error.patch new file mode 100644 index 00000000000..04d4ceadb33 --- /dev/null +++ b/queue-4.19/drm-rcar-du-fix-build-error.patch @@ -0,0 +1,44 @@ +From 5f9af404eec82981c4345c9943be48422234e7ab Mon Sep 17 00:00:00 2001 +From: Daniel Gomez +Date: Mon, 18 May 2020 22:16:46 +0200 +Subject: drm: rcar-du: Fix build error + +From: Daniel Gomez + +commit 5f9af404eec82981c4345c9943be48422234e7ab upstream. + +Select DRM_KMS_HELPER dependency. + +Build error when DRM_KMS_HELPER is not selected: + +drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xd48): undefined reference to `drm_atomic_helper_bridge_duplicate_state' +drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xd50): undefined reference to `drm_atomic_helper_bridge_destroy_state' +drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xd70): undefined reference to `drm_atomic_helper_bridge_reset' +drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xdc8): undefined reference to `drm_atomic_helper_connector_reset' +drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xde0): undefined reference to `drm_helper_probe_single_connector_modes' +drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xe08): undefined reference to `drm_atomic_helper_connector_duplicate_state' +drivers/gpu/drm/rcar-du/rcar_lvds.o:(.rodata+0xe10): undefined reference to `drm_atomic_helper_connector_destroy_state' + +Fixes: c6a27fa41fab ("drm: rcar-du: Convert LVDS encoder code to bridge driver") +Cc: +Signed-off-by: Daniel Gomez +Reviewed-by: Emil Velikov +Reviewed-by: Kieran Bingham +Reviewed-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/rcar-du/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/rcar-du/Kconfig ++++ b/drivers/gpu/drm/rcar-du/Kconfig +@@ -21,6 +21,7 @@ config DRM_RCAR_DW_HDMI + config DRM_RCAR_LVDS + tristate "R-Car DU LVDS Encoder Support" + depends on DRM && DRM_BRIDGE && OF ++ select DRM_KMS_HELPER + select DRM_PANEL + select OF_FLATTREE + select OF_OVERLAY diff --git a/queue-4.19/nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch b/queue-4.19/nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch new file mode 100644 index 00000000000..d01e6338d54 --- /dev/null +++ b/queue-4.19/nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch @@ -0,0 +1,92 @@ +From d03727b248d0dae6199569a8d7b629a681154633 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Wed, 24 Jun 2020 13:54:08 -0400 +Subject: NFSv4 fix CLOSE not waiting for direct IO compeletion + +From: Olga Kornievskaia + +commit d03727b248d0dae6199569a8d7b629a681154633 upstream. + +Figuring out the root case for the REMOVE/CLOSE race and +suggesting the solution was done by Neil Brown. + +Currently what happens is that direct IO calls hold a reference +on the open context which is decremented as an asynchronous task +in the nfs_direct_complete(). Before reference is decremented, +control is returned to the application which is free to close the +file. When close is being processed, it decrements its reference +on the open_context but since directIO still holds one, it doesn't +sent a close on the wire. It returns control to the application +which is free to do other operations. For instance, it can delete a +file. Direct IO is finally releasing its reference and triggering +an asynchronous close. Which races with the REMOVE. On the server, +REMOVE can be processed before the CLOSE, failing the REMOVE with +EACCES as the file is still opened. + +Signed-off-by: Olga Kornievskaia +Suggested-by: Neil Brown +CC: stable@vger.kernel.org +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/direct.c | 13 +++++++++---- + fs/nfs/file.c | 1 + + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -396,8 +396,6 @@ static void nfs_direct_complete(struct n + { + struct inode *inode = dreq->inode; + +- inode_dio_end(inode); +- + if (dreq->iocb) { + long res = (long) dreq->error; + if (dreq->count != 0) { +@@ -409,7 +407,10 @@ static void nfs_direct_complete(struct n + + complete(&dreq->completion); + ++ igrab(inode); + nfs_direct_req_release(dreq); ++ inode_dio_end(inode); ++ iput(inode); + } + + static void nfs_direct_read_completion(struct nfs_pgio_header *hdr) +@@ -539,8 +540,10 @@ static ssize_t nfs_direct_read_schedule_ + * generic layer handle the completion. + */ + if (requested_bytes == 0) { +- inode_dio_end(inode); ++ igrab(inode); + nfs_direct_req_release(dreq); ++ inode_dio_end(inode); ++ iput(inode); + return result < 0 ? result : -EIO; + } + +@@ -957,8 +960,10 @@ static ssize_t nfs_direct_write_schedule + * generic layer handle the completion. + */ + if (requested_bytes == 0) { +- inode_dio_end(inode); ++ igrab(inode); + nfs_direct_req_release(dreq); ++ inode_dio_end(inode); ++ iput(inode); + return result < 0 ? result : -EIO; + } + +--- a/fs/nfs/file.c ++++ b/fs/nfs/file.c +@@ -82,6 +82,7 @@ nfs_file_release(struct inode *inode, st + dprintk("NFS: release(%pD2)\n", filp); + + nfs_inc_stats(inode, NFSIOS_VFSRELEASE); ++ inode_dio_wait(inode); + nfs_file_clear_open_context(filp); + return 0; + } diff --git a/queue-4.19/pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch b/queue-4.19/pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch new file mode 100644 index 00000000000..e8b9391c7f3 --- /dev/null +++ b/queue-4.19/pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch @@ -0,0 +1,54 @@ +From 8b04013737341442ed914b336cde866b902664ae Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 22 Jun 2020 15:04:15 -0400 +Subject: pNFS/flexfiles: Fix list corruption if the mirror count changes + +From: Trond Myklebust + +commit 8b04013737341442ed914b336cde866b902664ae upstream. + +If the mirror count changes in the new layout we pick up inside +ff_layout_pg_init_write(), then we can end up adding the +request to the wrong mirror and corrupting the mirror->pg_list. + +Fixes: d600ad1f2bdb ("NFS41: pop some layoutget errors to application") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/flexfilelayout/flexfilelayout.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/fs/nfs/flexfilelayout/flexfilelayout.c ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c +@@ -915,9 +915,8 @@ retry: + goto out_mds; + + /* Use a direct mapping of ds_idx to pgio mirror_idx */ +- if (WARN_ON_ONCE(pgio->pg_mirror_count != +- FF_LAYOUT_MIRROR_COUNT(pgio->pg_lseg))) +- goto out_mds; ++ if (pgio->pg_mirror_count != FF_LAYOUT_MIRROR_COUNT(pgio->pg_lseg)) ++ goto out_eagain; + + for (i = 0; i < pgio->pg_mirror_count; i++) { + ds = nfs4_ff_layout_prepare_ds(pgio->pg_lseg, i, true); +@@ -936,11 +935,15 @@ retry: + } + + return; +- ++out_eagain: ++ pnfs_generic_pg_cleanup(pgio); ++ pgio->pg_error = -EAGAIN; ++ return; + out_mds: + pnfs_put_lseg(pgio->pg_lseg); + pgio->pg_lseg = NULL; + nfs_pageio_reset_write_mds(pgio); ++ pgio->pg_error = -EAGAIN; + } + + static unsigned int diff --git a/queue-4.19/ring-buffer-zero-out-time-extend-if-it-is-nested-and-not-absolute.patch b/queue-4.19/ring-buffer-zero-out-time-extend-if-it-is-nested-and-not-absolute.patch new file mode 100644 index 00000000000..e5ed7497b3f --- /dev/null +++ b/queue-4.19/ring-buffer-zero-out-time-extend-if-it-is-nested-and-not-absolute.patch @@ -0,0 +1,71 @@ +From 097350d1c6e1f5808cae142006f18a0bbc57018d Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Mon, 22 Jun 2020 15:18:15 -0400 +Subject: ring-buffer: Zero out time extend if it is nested and not absolute + +From: Steven Rostedt (VMware) + +commit 097350d1c6e1f5808cae142006f18a0bbc57018d upstream. + +Currently the ring buffer makes events that happen in interrupts that preempt +another event have a delta of zero. (Hopefully we can change this soon). But +this is to deal with the races of updating a global counter with lockless +and nesting functions updating deltas. + +With the addition of absolute time stamps, the time extend didn't follow +this rule. A time extend can happen if two events happen longer than 2^27 +nanoseconds appart, as the delta time field in each event is only 27 bits. +If that happens, then a time extend is injected with 2^59 bits of +nanoseconds to use (18 years). But if the 2^27 nanoseconds happen between +two events, and as it is writing the event, an interrupt triggers, it will +see the 2^27 difference as well and inject a time extend of its own. But a +recent change made the time extend logic not take into account the nesting, +and this can cause two time extend deltas to happen moving the time stamp +much further ahead than the current time. This gets all reset when the ring +buffer moves to the next page, but that can cause time to appear to go +backwards. + +This was observed in a trace-cmd recording, and since the data is saved in a +file, with trace-cmd report --debug, it was possible to see that this indeed +did happen! + + bash-52501 110d... 81778.908247: sched_switch: bash:52501 [120] S ==> swapper/110:0 [120] [12770284:0x2e8:64] + -0 110d... 81778.908757: sched_switch: swapper/110:0 [120] R ==> bash:52501 [120] [509947:0x32c:64] + TIME EXTEND: delta:306454770 length:0 + bash-52501 110.... 81779.215212: sched_swap_numa: src_pid=52501 src_tgid=52388 src_ngid=52501 src_cpu=110 src_nid=2 dst_pid=52509 dst_tgid=52388 dst_ngid=52501 dst_cpu=49 dst_nid=1 [0:0x378:48] + TIME EXTEND: delta:306458165 length:0 + bash-52501 110dNh. 81779.521670: sched_wakeup: migration/110:565 [0] success=1 CPU:110 [0:0x3b4:40] + +and at the next page, caused the time to go backwards: + + bash-52504 110d... 81779.685411: sched_switch: bash:52504 [120] S ==> swapper/110:0 [120] [8347057:0xfb4:64] +CPU:110 [SUBBUFFER START] [81779379165886:0x1320000] + -0 110dN.. 81779.379166: sched_wakeup: bash:52504 [120] success=1 CPU:110 [0:0x10:40] + -0 110d... 81779.379167: sched_switch: swapper/110:0 [120] R ==> bash:52504 [120] [1168:0x3c:64] + +Link: https://lkml.kernel.org/r/20200622151815.345d1bf5@oasis.local.home + +Cc: Ingo Molnar +Cc: Andrew Morton +Cc: Tom Zanussi +Cc: stable@vger.kernel.org +Fixes: dc4e2801d400b ("ring-buffer: Redefine the unimplemented RINGBUF_TYPE_TIME_STAMP") +Reported-by: Julia Lawall +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2333,7 +2333,7 @@ rb_update_event(struct ring_buffer_per_c + if (unlikely(info->add_timestamp)) { + bool abs = ring_buffer_time_stamp_abs(cpu_buffer->buffer); + +- event = rb_add_time_stamp(event, info->delta, abs); ++ event = rb_add_time_stamp(event, abs ? info->delta : delta, abs); + length -= RB_LEN_TIME_EXTEND; + delta = 0; + } diff --git a/queue-4.19/series b/queue-4.19/series index 7d72a3d51f1..774b56cc521 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -116,3 +116,14 @@ ocfs2-load-global_inode_alloc.patch ocfs2-fix-value-of-ocfs2_invalid_slot.patch ocfs2-fix-panic-on-nfs-server-over-ocfs2.patch arm64-perf-report-the-pc-value-in-regs_abi_32-mode.patch +tracing-fix-event-trigger-to-accept-redundant-spaces.patch +ring-buffer-zero-out-time-extend-if-it-is-nested-and-not-absolute.patch +drm-rcar-du-fix-build-error.patch +drm-radeon-fix-fb_div-check-in-ni_init_smc_spll_table.patch +staging-rtl8723bs-prevent-buffer-overflow-in-update_sta_support_rate.patch +sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch +sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch +pnfs-flexfiles-fix-list-corruption-if-the-mirror-count-changes.patch +nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch +dm-writecache-correct-uncommitted_block-when-discarding-uncommitted-entry.patch +dm-writecache-add-cond_resched-to-loop-in-persistent_memory_claim.patch diff --git a/queue-4.19/staging-rtl8723bs-prevent-buffer-overflow-in-update_sta_support_rate.patch b/queue-4.19/staging-rtl8723bs-prevent-buffer-overflow-in-update_sta_support_rate.patch new file mode 100644 index 00000000000..cbad2ee4496 --- /dev/null +++ b/queue-4.19/staging-rtl8723bs-prevent-buffer-overflow-in-update_sta_support_rate.patch @@ -0,0 +1,41 @@ +From b65a2d8c8614386f7e8d38ea150749f8a862f431 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 3 Jun 2020 13:19:58 +0300 +Subject: Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate() + +From: Dan Carpenter + +commit b65a2d8c8614386f7e8d38ea150749f8a862f431 upstream. + +The "ie_len" variable is in the 0-255 range and it comes from the +network. If it's over NDIS_802_11_LENGTH_RATES_EX (16) then that will +lead to memory corruption. + +Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") +Signed-off-by: Dan Carpenter +Cc: stable +Link: https://lore.kernel.org/r/20200603101958.GA1845750@mwanda +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c ++++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c +@@ -1856,12 +1856,14 @@ int update_sta_support_rate(struct adapt + pIE = (struct ndis_80211_var_ie *)rtw_get_ie(pvar_ie, _SUPPORTEDRATES_IE_, &ie_len, var_ie_len); + if (!pIE) + return _FAIL; ++ if (ie_len > sizeof(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates)) ++ return _FAIL; + + memcpy(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates, pIE->data, ie_len); + supportRateNum = ie_len; + + pIE = (struct ndis_80211_var_ie *)rtw_get_ie(pvar_ie, _EXT_SUPPORTEDRATES_IE_, &ie_len, var_ie_len); +- if (pIE) ++ if (pIE && (ie_len <= sizeof(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates) - supportRateNum)) + memcpy((pmlmeinfo->FW_sta_info[cam_idx].SupportedRates + supportRateNum), pIE->data, ie_len); + + return _SUCCESS; diff --git a/queue-4.19/sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch b/queue-4.19/sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch new file mode 100644 index 00000000000..c58d9254fa3 --- /dev/null +++ b/queue-4.19/sunrpc-fixed-rollback-in-rpc_gssd_dummy_populate.patch @@ -0,0 +1,32 @@ +From b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Mon, 1 Jun 2020 11:54:57 +0300 +Subject: sunrpc: fixed rollback in rpc_gssd_dummy_populate() + +From: Vasily Averin + +commit b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 upstream. + +__rpc_depopulate(gssd_dentry) was lost on error path + +cc: stable@vger.kernel.org +Fixes: commit 4b9a445e3eeb ("sunrpc: create a new dummy pipe for gssd to hold open") +Signed-off-by: Vasily Averin +Reviewed-by: Jeff Layton +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/rpc_pipe.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -1331,6 +1331,7 @@ rpc_gssd_dummy_populate(struct dentry *r + q.len = strlen(gssd_dummy_clnt_dir[0].name); + clnt_dentry = d_hash_and_lookup(gssd_dentry, &q); + if (!clnt_dentry) { ++ __rpc_depopulate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1); + pipe_dentry = ERR_PTR(-ENOENT); + goto out; + } diff --git a/queue-4.19/sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch b/queue-4.19/sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch new file mode 100644 index 00000000000..0765df28307 --- /dev/null +++ b/queue-4.19/sunrpc-properly-set-the-subbuf-parameter-of-xdr_buf_subsegment.patch @@ -0,0 +1,54 @@ +From 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Thu, 25 Jun 2020 11:32:34 -0400 +Subject: SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment() + +From: Chuck Lever + +commit 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 upstream. + +@subbuf is an output parameter of xdr_buf_subsegment(). A survey of +call sites shows that @subbuf is always uninitialized before +xdr_buf_segment() is invoked by callers. + +There are some execution paths through xdr_buf_subsegment() that do +not set all of the fields in @subbuf, leaving some pointer fields +containing garbage addresses. Subsequent processing of that buffer +then results in a page fault. + +Signed-off-by: Chuck Lever +Cc: +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xdr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sunrpc/xdr.c ++++ b/net/sunrpc/xdr.c +@@ -1036,6 +1036,7 @@ xdr_buf_subsegment(struct xdr_buf *buf, + base = 0; + } else { + base -= buf->head[0].iov_len; ++ subbuf->head[0].iov_base = buf->head[0].iov_base; + subbuf->head[0].iov_len = 0; + } + +@@ -1048,6 +1049,8 @@ xdr_buf_subsegment(struct xdr_buf *buf, + base = 0; + } else { + base -= buf->page_len; ++ subbuf->pages = buf->pages; ++ subbuf->page_base = 0; + subbuf->page_len = 0; + } + +@@ -1059,6 +1062,7 @@ xdr_buf_subsegment(struct xdr_buf *buf, + base = 0; + } else { + base -= buf->tail[0].iov_len; ++ subbuf->tail[0].iov_base = buf->tail[0].iov_base; + subbuf->tail[0].iov_len = 0; + } + diff --git a/queue-4.19/tracing-fix-event-trigger-to-accept-redundant-spaces.patch b/queue-4.19/tracing-fix-event-trigger-to-accept-redundant-spaces.patch new file mode 100644 index 00000000000..f176738594d --- /dev/null +++ b/queue-4.19/tracing-fix-event-trigger-to-accept-redundant-spaces.patch @@ -0,0 +1,87 @@ +From 6784beada631800f2c5afd567e5628c843362cee Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sat, 20 Jun 2020 12:46:03 +0900 +Subject: tracing: Fix event trigger to accept redundant spaces + +From: Masami Hiramatsu + +commit 6784beada631800f2c5afd567e5628c843362cee upstream. + +Fix the event trigger to accept redundant spaces in +the trigger input. + +For example, these return -EINVAL + +echo " traceon" > events/ftrace/print/trigger +echo "traceon if common_pid == 0" > events/ftrace/print/trigger +echo "disable_event:kmem:kmalloc " > events/ftrace/print/trigger + +But these are hard to find what is wrong. + +To fix this issue, use skip_spaces() to remove spaces +in front of actual tokens, and set NULL if there is no +token. + +Link: http://lkml.kernel.org/r/159262476352.185015.5261566783045364186.stgit@devnote2 + +Cc: Tom Zanussi +Cc: stable@vger.kernel.org +Fixes: 85f2b08268c0 ("tracing: Add basic event trigger framework") +Reviewed-by: Tom Zanussi +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_trigger.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -211,11 +211,17 @@ static int event_trigger_regex_open(stru + + static int trigger_process_regex(struct trace_event_file *file, char *buff) + { +- char *command, *next = buff; ++ char *command, *next; + struct event_command *p; + int ret = -EINVAL; + ++ next = buff = skip_spaces(buff); + command = strsep(&next, ": \t"); ++ if (next) { ++ next = skip_spaces(next); ++ if (!*next) ++ next = NULL; ++ } + command = (command[0] != '!') ? command : command + 1; + + mutex_lock(&trigger_cmd_mutex); +@@ -624,8 +630,14 @@ event_trigger_callback(struct event_comm + int ret; + + /* separate the trigger from the filter (t:n [if filter]) */ +- if (param && isdigit(param[0])) ++ if (param && isdigit(param[0])) { + trigger = strsep(¶m, " \t"); ++ if (param) { ++ param = skip_spaces(param); ++ if (!*param) ++ param = NULL; ++ } ++ } + + trigger_ops = cmd_ops->get_trigger_ops(cmd, trigger); + +@@ -1361,6 +1373,11 @@ int event_enable_trigger_func(struct eve + trigger = strsep(¶m, " \t"); + if (!trigger) + return -EINVAL; ++ if (param) { ++ param = skip_spaces(param); ++ if (!*param) ++ param = NULL; ++ } + + system = strsep(&trigger, ":"); + if (!trigger) -- 2.47.3