Fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Mon, 15 Mar 2021 03:01:12 +0000 (23:01 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 15 Mar 2021 03:01:12 +0000 (23:01 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.4/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch [new file with mode: 0644]
queue-4.4/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch [new file with mode: 0644]
queue-4.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch b/queue-4.4/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch
new file mode 100644 (file)
index 0000000..d1f1c1a
--- /dev/null
@@ -0,0 +1,39 @@
+From 8f7a7848c123b1782b885a595ba8daecac621970 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Mar 2021 19:30:17 -0800
+Subject: block: rsxx: fix error return code of rsxx_pci_probe()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit df66617bfe87487190a60783d26175b65d2502ce ]
+
+When create_singlethread_workqueue returns NULL to card->event_wq, no
+error return code of rsxx_pci_probe() is assigned.
+
+To fix this bug, st is assigned with -ENOMEM in this case.
+
+Fixes: 8722ff8cdbfa ("block: IBM RamSan 70/80 device driver")
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Link: https://lore.kernel.org/r/20210310033017.4023-1-baijiaju1990@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/rsxx/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
+index 0d9137408e3c..a53271acc2a2 100644
+--- a/drivers/block/rsxx/core.c
++++ b/drivers/block/rsxx/core.c
+@@ -895,6 +895,7 @@ static int rsxx_pci_probe(struct pci_dev *dev,
+       card->event_wq = create_singlethread_workqueue(DRIVER_NAME"_event");
+       if (!card->event_wq) {
+               dev_err(CARD_TO_DEV(card), "Failed card event setup.\n");
++              st = -ENOMEM;
+               goto failed_event_handler;
+       }
+-- 
+2.30.1
+
diff --git a/queue-4.4/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch b/queue-4.4/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch
new file mode 100644 (file)
index 0000000..37ef9e1
--- /dev/null
@@ -0,0 +1,43 @@
+From 94c66f8fd96dc81ebac6185577fdaea61bcc2e8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jan 2021 18:43:56 +0100
+Subject: NFSv4.2: fix return value of _nfs4_get_security_label()
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit 53cb245454df5b13d7063162afd7a785aed6ebf2 ]
+
+An xattr 'get' handler is expected to return the length of the value on
+success, yet _nfs4_get_security_label() (and consequently also
+nfs4_xattr_get_nfs4_label(), which is used as an xattr handler) returns
+just 0 on success.
+
+Fix this by returning label.len instead, which contains the length of
+the result.
+
+Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reviewed-by: James Morris <jamorris@linux.microsoft.com>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 3c15291ba1aa..0c9386978d9d 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4922,7 +4922,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf,
+               return ret;
+       if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL))
+               return -ENOENT;
+-      return 0;
++      return label.len;
+ }
+ static int nfs4_get_security_label(struct inode *inode, void *buf,
+-- 
+2.30.1
+
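Review bot: The new `return label.len;` in `_nfs4_get_security_label()` changes the success value from 0 to a positive length, so the backport should be checked to confirm that its caller passes a positive value through unchanged rather than treating any non-zero result as an error. That caller, `nfs4_get_security_label()`, begins on the last context line and its body is outside this hunk. The function returns `int` while the type of `label.len` is not visible here; if it is unsigned, an explicit cast or bound would make the conversion intentional. A one-line comment above the return, e.g. `/* xattr get handlers return the value length on success */`, would keep a later cleanup from restoring `return 0`.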
diff --git a/queue-4.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-4.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch
new file mode 100644 (file)
index 0000000..ce8a790
--- /dev/null
@@ -0,0 +1,45 @@
+From 6c68e2f8d2f09af655f81c176bf6e5100a34a8da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Mar 2021 23:51:14 +0300
+Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ]
+
+Doing a
+
+       prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1);
+
+will copy 1 byte from userspace to (quite big) on-stack array
+and then stash everything to mm->saved_auxv.
+AT_NULL terminator will be inserted at the very end.
+
+/proc/*/auxv handler will find that AT_NULL terminator
+and copy original stack contents to userspace.
+
+This devious scheme requires CAP_SYS_RESOURCE.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index e98664039cb2..8ac977df4dd4 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1910,7 +1910,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
+        * up to the caller to provide sane values here, otherwise userspace
+        * tools which use this vector might be unhappy.
+        */
+-      unsigned long user_auxv[AT_VECTOR_SIZE];
++      unsigned long user_auxv[AT_VECTOR_SIZE] = {};
+       if (len > sizeof(user_auxv))
+               return -EINVAL;
+-- 
+2.30.1
+
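Review bot: The zero-initialiser on `user_auxv` in `prctl_set_auxv()` is the entire fix for a kernel-stack disclosure, yet nothing in the code says so, and an initialiser followed by a copy looks like redundant work that a later cleanup could remove. I would add a comment on the declaration such as `/* zeroed: a short user copy must not leave stale stack bytes that get saved to mm->saved_auxv and read back via /proc/<pid>/auxv */`. The visible length check only rejects `len > sizeof(user_auxv)`; whether short or non-word-multiple lengths are handled further down cannot be seen, because the function body continues outside the hunk. The queued patch also carries no `Fixes:` tag, so which stable trees need it has to be worked out by hand.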
index 3a7890ee031590382d4fcf9f1849fd8b969f8e75..57cb3ea1e081befb86f473b69d7935a9591ad4fa 100644 (file)
@@ -55,3 +55,6 @@ staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch
 staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch
 staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch
 staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch
+nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch
+block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch
+prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch