From: Sasha Levin Date: Thu, 27 Jun 2019 23:11:59 +0000 (-0400) Subject: fixes for 4.9 X-Git-Tag: v5.1.16~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3160d6836b32af6cae7f1694296650bf3977166c;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/9p-acl-fix-uninitialized-iattr-access.patch b/queue-4.9/9p-acl-fix-uninitialized-iattr-access.patch
new file mode 100644
index 00000000000..0bf4d463e37
--- /dev/null
+++ b/queue-4.9/9p-acl-fix-uninitialized-iattr-access.patch
@@ -0,0 +1,35 @@
+From a9cf6a40da7eca4d6335a0d074b229663a9fa441 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Sat, 8 Sep 2018 00:10:57 +0900
+Subject: 9p: acl: fix uninitialized iattr access
+
+[ Upstream commit e02a53d92e197706cad1627bd84705d4aa20a145 ]
+
+iattr is passed to v9fs_vfs_setattr_dotl which does send various
+values from iattr over the wire, even if it tells the server to
+only look at iattr.ia_valid fields this could leak some stack data.
+
+Link: http://lkml.kernel.org/r/1536339057-21974-2-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 1195601 ("Uninitalized scalar variable")
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ fs/9p/acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/9p/acl.c b/fs/9p/acl.c
+index 082d227fa56b..6261719f6f2a 100644
+--- a/fs/9p/acl.c
++++ b/fs/9p/acl.c
+@@ -276,7 +276,7 @@ static int v9fs_xattr_set_acl(const struct xattr_handler *handler,
+ switch (handler->flags) {
+ case ACL_TYPE_ACCESS:
+ if (acl) {
+- struct iattr iattr;
++ struct iattr iattr = { 0 };
+ struct posix_acl *old_acl = acl;
+
+ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+--
+2.20.1
+
diff --git a/queue-4.9/9p-p9dirent_read-check-network-provided-name-length.patch b/queue-4.9/9p-p9dirent_read-check-network-provided-name-length.patch
new file mode 100644
index 00000000000..df615e3b5cc
--- /dev/null
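Review bot: The `= { 0 }` initialiser on `struct iattr iattr` carries no comment saying why the zeroing matters, so a later cleanup could take it for redundant and drop it. I would add `/* zeroed: v9fs_vfs_setattr_dotl() sends iattr fields beyond ia_valid over the wire */` above the declaration. An initialiser guarantees that the named members are zero but not any padding; that only matters if the struct is ever copied as a whole rather than field by field, which the hunk does not show. v9fs_xattr_set_acl starts and ends outside the hunk.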
+++ b/queue-4.9/9p-p9dirent_read-check-network-provided-name-length.patch
@@ -0,0 +1,52 @@
+From a253589f7cd77f5bda72b325a26f923ec4a12740 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Sat, 8 Sep 2018 00:36:08 +0900
+Subject: 9p: p9dirent_read: check network-provided name length
+
+[ Upstream commit ef5305f1f72eb1cfcda25c382bb0368509c0385b ]
+
+strcpy to dirent->d_name could overflow the buffer, use strscpy to check
+the provided string length and error out if the size was too big.
+
+While we are here, make the function return an error when the pdu
+parsing failed, instead of returning the pdu offset as if it had been a
+success...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-4-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 139133 ("Copy into fixed size buffer")
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/protocol.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/9p/protocol.c b/net/9p/protocol.c
+index 7f1b45c082c9..ed1e39ccaebf 100644
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -622,13 +622,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len,
+ if (ret) {
+ p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret);
+ trace_9p_protocol_dump(clnt, &fake_pdu);
+- goto out;
++ return ret;
+ }
+
+- strcpy(dirent->d_name, nameptr);
++ ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name));
++ if (ret < 0) {
++ p9_debug(P9_DEBUG_ERROR,
++ "On the wire dirent name too long: %s\n",
++ nameptr);
++ kfree(nameptr);
++ return ret;
++ }
+ kfree(nameptr);
+
+-out:
+ return fake_pdu.offset;
+ }
+ EXPORT_SYMBOL(p9dirent_read);
+--
+2.20.1
+
diff --git a/queue-4.9/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch b/queue-4.9/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
new file mode 100644
index 00000000000..f9d71fa631a
--- /dev/null
+++ b/queue-4.9/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
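Review bot: The new error path prints the network-provided name with `%s` in `p9_debug(P9_DEBUG_ERROR, ...)`, so a server-controlled string that has just been judged longer than `d_name` is written to the kernel log whenever that debug level is enabled. Logging the length is enough to diagnose the case: `p9_debug(P9_DEBUG_ERROR, "On the wire dirent name too long: %zu bytes\n", strlen(nameptr));`. Separately, the function now returns a negative value on both failure paths where the parse failure used to return the offset, so callers have to test for `< 0`; they are outside the hunk. p9dirent_read begins above the hunk.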
@@ -0,0 +1,45 @@
+From d3d0f0bcf0fe94ee3bc3f9e9dba1f8a3434be141 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Thu, 30 Aug 2018 19:29:36 +0900
+Subject: 9p/rdma: do not disconnect on down_interruptible EAGAIN
+
+[ Upstream commit 8b894adb2b7e1d1e64b8954569c761eaf3d51ab5 ]
+
+9p/rdma would sometimes drop the connection and display errors in
+recv_done when the user does ^C.
+The errors were caused by recv buffers that were posted at the time
+of disconnect, and we just do not want to disconnect when
+down_interruptible is... interrupted.
+
+Link: http://lkml.kernel.org/r/1535625307-18019-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_rdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index 5a2ad4707463..9662c2747be7 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -454,7 +454,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+
+ err = post_recv(client, rpl_context);
+ if (err) {
+- p9_debug(P9_DEBUG_FCALL, "POST RECV failed\n");
++ p9_debug(P9_DEBUG_ERROR, "POST RECV failed: %d\n", err);
+ goto recv_error;
+ }
+ /* remove posted receive buffer from request structure */
+@@ -523,7 +523,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+ recv_error:
+ kfree(rpl_context);
+ spin_lock_irqsave(&rdma->req_lock, flags);
+- if (rdma->state < P9_RDMA_CLOSING) {
++ if (err != -EINTR && rdma->state < P9_RDMA_CLOSING) {
+ rdma->state = P9_RDMA_CLOSING;
+ spin_unlock_irqrestore(&rdma->req_lock, flags);
+ rdma_disconnect(rdma->cm_id);
+--
+2.20.1
+
diff --git a/queue-4.9/9p-rdma-remove-useless-check-in-cm_event_handler.patch b/queue-4.9/9p-rdma-remove-useless-check-in-cm_event_handler.patch
new file mode 100644
index 00000000000..a45ced98314
--- /dev/null
+++ b/queue-4.9/9p-rdma-remove-useless-check-in-cm_event_handler.patch
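Review bot: The condition `err != -EINTR` at `recv_error` has no comment, and the subject line speaks of EAGAIN while the code tests -EINTR, which makes the intent hard to recover later. I would add `/* -EINTR: down_interruptible() was interrupted by a signal; keep the connection up */` above the `if`. The label is also reached from the post_recv() failure in the first inner hunk, so the exemption presumably assumes post_recv() never returns -EINTR itself; that is worth confirming, because in that case the connection would stay open after a failed post. rdma_request starts and ends outside both inner hunks.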
@@ -0,0 +1,36 @@
+From c402266cace7169f24217def43ff07e8880cd7e7 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Sat, 8 Sep 2018 00:26:50 +0900
+Subject: 9p/rdma: remove useless check in cm_event_handler
+
+[ Upstream commit 473c7dd1d7b59ff8f88a5154737e3eac78a96e5b ]
+
+the client c is always dereferenced to get the rdma struct, so c has to
+be a valid pointer at this point.
+Gcc would optimize that away but let's make coverity happy...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-3-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 102778 ("Dereference before null check")
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_rdma.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index 9662c2747be7..8e4313ad3f02 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -254,8 +254,7 @@ p9_cm_event_handler(struct rdma_cm_id *id, struct rdma_cm_event *event)
+ case RDMA_CM_EVENT_DISCONNECTED:
+ if (rdma)
+ rdma->state = P9_RDMA_CLOSED;
+- if (c)
+- c->status = Disconnected;
++ c->status = Disconnected;
+ break;
+
+ case RDMA_CM_EVENT_TIMEWAIT_EXIT:
+--
+2.20.1
+
diff --git a/queue-4.9/net-9p-include-trans_common.h-to-fix-missing-prototy.patch b/queue-4.9/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
new file mode 100644
index 00000000000..f2c77bc72aa
--- /dev/null
+++ b/queue-4.9/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
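Review bot: The now unconditional `c->status = Disconnected;` is correct only if `c` is dereferenced before the switch in the 4.9 version of p9_cm_event_handler as well, and that line is outside the hunk; it should be checked against the 4.9 tree rather than taken from the upstream message. A one-line comment would keep the reasoning next to the code: `/* c was dereferenced above to obtain rdma, so it cannot be NULL here */`. The `if (rdma)` test two lines up is kept, so the two neighbouring assignments now follow different conventions.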
@@ -0,0 +1,35 @@
+From a2b08f43a2cca01a4c71de35081e35ac99cb1fbc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adeodato=20Sim=C3=B3?=
+Date: Tue, 13 Nov 2018 03:28:53 -0300
+Subject: net/9p: include trans_common.h to fix missing prototype warning.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 52ad259eaac0454c1ac7123e7148cf8d6e6f5301 ]
+
+This silences -Wmissing-prototypes when defining p9_release_pages.
+
+Link: http://lkml.kernel.org/r/b1c4df8f21689b10d451c28fe38e860722d20e71.1542089696.git.dato@net.com.org.es
+Signed-off-by: Adeodato Simó
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
+index 38aa6345bdfa..9c0c894b56f8 100644
+--- a/net/9p/trans_common.c
++++ b/net/9p/trans_common.c
+@@ -14,6 +14,7 @@
+
+ #include
+ #include
++#include "trans_common.h"
+
+ /**
+ * p9_release_req_pages - Release pages after the transaction.
+--
+2.20.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index ecda3b9cdcb..282f8941314 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -37,3 +37,8 @@ ib-hfi1-avoid-hardlockup-with-flushlist_lock.patch
 perf-ui-helpline-use-strlcpy-as-a-shorter-form-of-strncpy-explicit-set-nul.patch
 perf-help-remove-needless-use-of-strncpy.patch
 perf-header-fix-unchecked-usage-of-strncpy.patch
+9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
+9p-acl-fix-uninitialized-iattr-access.patch
+9p-rdma-remove-useless-check-in-cm_event_handler.patch
+9p-p9dirent_read-check-network-provided-name-length.patch
+net-9p-include-trans_common.h-to-fix-missing-prototy.patch