From d6e6de7fe7d21b7a346b9f4a7b188cc9f60f8435 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 21 Jan 2021 14:33:40 +0100 Subject: [PATCH] 5.4-stable patches added patches: bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch spi-npcm-fiu-disable-clock-in-probe-error-path.patch spi-npcm-fiu-simplify-the-return-expression-of-npcm_fiu_probe.patch --- ...mory-in-bpf-getsockopt-when-optlen-0.patch | 43 +++++++++++++++ ...lem_proto-pointing-to-wrong-callback.patch | 36 +++++++++++++ ...us-shouldn-t-return-parent-of-export.patch | 52 +++++++++++++++++++ ...-lpfc-make-lpfc_defer_acc_rsp-static.patch | 8 +-- queue-5.4/series | 5 ++ ...iu-disable-clock-in-probe-error-path.patch | 49 +++++++++++++++++ ...-return-expression-of-npcm_fiu_probe.patch | 43 +++++++++++++++ 7 files changed, 233 insertions(+), 3 deletions(-) create mode 100644 queue-5.4/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch create mode 100644 queue-5.4/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch create mode 100644 queue-5.4/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch create mode 100644 queue-5.4/spi-npcm-fiu-disable-clock-in-probe-error-path.patch create mode 100644 queue-5.4/spi-npcm-fiu-simplify-the-return-expression-of-npcm_fiu_probe.patch diff --git a/queue-5.4/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch b/queue-5.4/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch new file mode 100644 index 00000000000..fd9c0e5ae17 --- /dev/null +++ b/queue-5.4/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch @@ -0,0 +1,43 @@ +From 4be34f3d0731b38a1b24566b37fbb39500aaf3a2 Mon Sep 17 00:00:00 2001 +From: Stanislav Fomichev +Date: Tue, 12 Jan 2021 08:28:29 -0800 +Subject: bpf: Don't leak memory in bpf getsockopt when optlen == 0 + +From: Stanislav Fomichev + +commit 4be34f3d0731b38a1b24566b37fbb39500aaf3a2 upstream. + +optlen == 0 indicates that the kernel should ignore BPF buffer +and use the original one from the user. We, however, forget +to free the temporary buffer that we've allocated for BPF. + +Fixes: d8fe449a9c51 ("bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE") +Reported-by: Martin KaFai Lau +Signed-off-by: Stanislav Fomichev +Signed-off-by: Daniel Borkmann +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20210112162829.775079-1-sdf@google.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/cgroup.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -1057,12 +1057,13 @@ int __cgroup_bpf_run_filter_setsockopt(s + if (ctx.optlen != 0) { + *optlen = ctx.optlen; + *kernel_optval = ctx.optval; ++ /* export and don't free sockopt buf */ ++ return 0; + } + } + + out: +- if (ret) +- sockopt_free_buf(&ctx); ++ sockopt_free_buf(&ctx); + return ret; + } + EXPORT_SYMBOL(__cgroup_bpf_run_filter_setsockopt); diff --git a/queue-5.4/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch b/queue-5.4/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch new file mode 100644 index 00000000000..eb6c80456a7 --- /dev/null +++ b/queue-5.4/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch @@ -0,0 +1,36 @@ +From 301a33d51880619d0c5a581b5a48d3a5248fa84b Mon Sep 17 00:00:00 2001 +From: Mircea Cirjaliu +Date: Tue, 19 Jan 2021 21:53:18 +0100 +Subject: bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback + +From: Mircea Cirjaliu + +commit 301a33d51880619d0c5a581b5a48d3a5248fa84b upstream. + +I assume this was obtained by copy/paste. Point it to bpf_map_peek_elem() +instead of bpf_map_pop_elem(). In practice it may have been less likely +hit when under JIT given shielded via 84430d4232c3 ("bpf, verifier: avoid +retpoline for map push/pop/peek operation"). + +Fixes: f1a2e44a3aec ("bpf: add queue and stack maps") +Signed-off-by: Mircea Cirjaliu +Signed-off-by: Daniel Borkmann +Cc: Mauricio Vasquez +Link: https://lore.kernel.org/bpf/AM7PR02MB6082663DFDCCE8DA7A6DD6B1BBA30@AM7PR02MB6082.eurprd02.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/bpf/helpers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -105,7 +105,7 @@ BPF_CALL_2(bpf_map_peek_elem, struct bpf + } + + const struct bpf_func_proto bpf_map_peek_elem_proto = { +- .func = bpf_map_pop_elem, ++ .func = bpf_map_peek_elem, + .gpl_only = false, + .ret_type = RET_INTEGER, + .arg1_type = ARG_CONST_MAP_PTR, diff --git a/queue-5.4/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch b/queue-5.4/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch new file mode 100644 index 00000000000..b0a677b0ed1 --- /dev/null +++ b/queue-5.4/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch @@ -0,0 +1,52 @@ +From 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Mon, 11 Jan 2021 16:01:29 -0500 +Subject: nfsd4: readdirplus shouldn't return parent of export + +From: J. Bruce Fields + +commit 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6 upstream. + +If you export a subdirectory of a filesystem, a READDIRPLUS on the root +of that export will return the filehandle of the parent with the ".." +entry. + +The filehandle is optional, so let's just not return the filehandle for +".." if we're at the root of an export. + +Note that once the client learns one filehandle outside of the export, +they can trivially access the rest of the export using further lookups. + +However, it is also not very difficult to guess filehandles outside of +the export. So exporting a subdirectory of a filesystem should +considered equivalent to providing access to the entire filesystem. To +avoid confusion, we recommend only exporting entire filesystems. + +Reported-by: Youjipeng +Signed-off-by: J. Bruce Fields +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs3xdr.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -857,9 +857,14 @@ compose_entry_fh(struct nfsd3_readdirres + if (isdotent(name, namlen)) { + if (namlen == 2) { + dchild = dget_parent(dparent); +- /* filesystem root - cannot return filehandle for ".." */ ++ /* ++ * Don't return filehandle for ".." if we're at ++ * the filesystem or export root: ++ */ + if (dchild == dparent) + goto out; ++ if (dparent == exp->ex_path.dentry) ++ goto out; + } else + dchild = dget(dparent); + } else diff --git a/queue-5.4/scsi-lpfc-make-lpfc_defer_acc_rsp-static.patch b/queue-5.4/scsi-lpfc-make-lpfc_defer_acc_rsp-static.patch index d1883c72fca..0323fa0bf87 100644 --- a/queue-5.4/scsi-lpfc-make-lpfc_defer_acc_rsp-static.patch +++ b/queue-5.4/scsi-lpfc-make-lpfc_defer_acc_rsp-static.patch @@ -19,11 +19,13 @@ Signed-off-by: YueHaibing Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman -diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c -index 1c46e3adbda2..a024e5a3918f 100644 +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + --- a/drivers/scsi/lpfc/lpfc_nportdisc.c +++ b/drivers/scsi/lpfc/lpfc_nportdisc.c -@@ -340,7 +340,7 @@ lpfc_defer_pt2pt_acc(struct lpfc_hba *phba, LPFC_MBOXQ_t *link_mbox) +@@ -340,7 +340,7 @@ lpfc_defer_pt2pt_acc(struct lpfc_hba *ph * This routine is only called if we are SLI4, acting in target * mode and the remote NPort issues the PLOGI after link up. **/ diff --git a/queue-5.4/series b/queue-5.4/series index b9be1a2c205..c3bf34343cd 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -4,3 +4,8 @@ xen-privcmd-allow-fetching-resource-sizes.patch elfcore-fix-building-with-clang.patch scsi-lpfc-make-function-lpfc_defer_pt2pt_acc-static.patch scsi-lpfc-make-lpfc_defer_acc_rsp-static.patch +spi-npcm-fiu-simplify-the-return-expression-of-npcm_fiu_probe.patch +spi-npcm-fiu-disable-clock-in-probe-error-path.patch +nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch +bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch +bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch diff --git a/queue-5.4/spi-npcm-fiu-disable-clock-in-probe-error-path.patch b/queue-5.4/spi-npcm-fiu-disable-clock-in-probe-error-path.patch new file mode 100644 index 00000000000..65d74382529 --- /dev/null +++ b/queue-5.4/spi-npcm-fiu-disable-clock-in-probe-error-path.patch @@ -0,0 +1,49 @@ +From foo@baz Thu Jan 21 02:23:31 PM CET 2021 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:16 +0100 +Subject: spi: npcm-fiu: Disable clock in probe error path + +From: Lukas Wunner + +commit 234266a5168bbe8220d263e3aa7aa80cf921c483 upstream + +If the call to devm_spi_register_master() fails on probe of the NPCM FIU +SPI driver, the clock "fiu->clk" is erroneously not unprepared and +disabled. Fix it. + +Fixes: ace55c411b11 ("spi: npcm-fiu: add NPCM FIU controller driver") +Signed-off-by: Lukas Wunner +Cc: # v5.4+ +Cc: Tomer Maimon +Link: https://lore.kernel.org/r/9ae62f4e1cfe542bec57ac2743e6fca9f9548f55.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-npcm-fiu.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-npcm-fiu.c ++++ b/drivers/spi/spi-npcm-fiu.c +@@ -677,7 +677,7 @@ static int npcm_fiu_probe(struct platfor + struct npcm_fiu_spi *fiu; + void __iomem *regbase; + struct resource *res; +- int id; ++ int id, ret; + + ctrl = devm_spi_alloc_master(dev, sizeof(*fiu)); + if (!ctrl) +@@ -735,7 +735,11 @@ static int npcm_fiu_probe(struct platfor + ctrl->num_chipselect = fiu->info->max_cs; + ctrl->dev.of_node = dev->of_node; + +- return devm_spi_register_master(dev, ctrl); ++ ret = devm_spi_register_master(dev, ctrl); ++ if (ret) ++ clk_disable_unprepare(fiu->clk); ++ ++ return ret; + } + + static int npcm_fiu_remove(struct platform_device *pdev) diff --git a/queue-5.4/spi-npcm-fiu-simplify-the-return-expression-of-npcm_fiu_probe.patch b/queue-5.4/spi-npcm-fiu-simplify-the-return-expression-of-npcm_fiu_probe.patch new file mode 100644 index 00000000000..16ed6ab6760 --- /dev/null +++ b/queue-5.4/spi-npcm-fiu-simplify-the-return-expression-of-npcm_fiu_probe.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Jan 21 02:23:25 PM CET 2021 +From: Qinglang Miao +Date: Mon, 21 Sep 2020 21:11:06 +0800 +Subject: spi: npcm-fiu: simplify the return expression of npcm_fiu_probe() + +From: Qinglang Miao + +commit 4c3a14fbc05a09fc369fb68a86cdbf6f441a29f2 upstream + +Simplify the return expression. + +Signed-off-by: Qinglang Miao +Link: https://lore.kernel.org/r/20200921131106.93228-1-miaoqinglang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-npcm-fiu.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/spi/spi-npcm-fiu.c ++++ b/drivers/spi/spi-npcm-fiu.c +@@ -677,7 +677,6 @@ static int npcm_fiu_probe(struct platfor + struct npcm_fiu_spi *fiu; + void __iomem *regbase; + struct resource *res; +- int ret; + int id; + + ctrl = devm_spi_alloc_master(dev, sizeof(*fiu)); +@@ -736,11 +735,7 @@ static int npcm_fiu_probe(struct platfor + ctrl->num_chipselect = fiu->info->max_cs; + ctrl->dev.of_node = dev->of_node; + +- ret = devm_spi_register_master(dev, ctrl); +- if (ret) +- return ret; +- +- return 0; ++ return devm_spi_register_master(dev, ctrl); + } + + static int npcm_fiu_remove(struct platform_device *pdev) -- 2.47.3