From: Greg Kroah-Hartman Date: Fri, 11 Feb 2022 09:18:25 +0000 (+0100) Subject: 5.16-stable patches X-Git-Tag: v4.9.302~66 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3b1e9470531b29b9d8df1bf0f5c9c6a3b34346e6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.16-stable patches added patches: --- diff --git a/queue-5.16/audit-don-t-deref-the-syscall-args-when-checking-the-openat2-open_how-flags.patch b/queue-5.16/audit-don-t-deref-the-syscall-args-when-checking-the-openat2-open_how-flags.patch new file mode 100644 index 00000000000..c5e97263792 --- /dev/null +++ b/queue-5.16/audit-don-t-deref-the-syscall-args-when-checking-the-openat2-open_how-flags.patch @@ -0,0 +1,38 @@ +From 7a82f89de92aac5a244d3735b2bd162c1147620c Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Wed, 9 Feb 2022 14:49:38 -0500 +Subject: audit: don't deref the syscall args when checking the openat2 open_how::flags + +From: Paul Moore + +commit 7a82f89de92aac5a244d3735b2bd162c1147620c upstream. + +As reported by Jeff, dereferencing the openat2 syscall argument in +audit_match_perm() to obtain the open_how::flags can result in an +oops/page-fault. This patch fixes this by using the open_how struct +that we store in the audit_context with audit_openat2_how(). + +Independent of this patch, Richard Guy Briggs posted a similar patch +to the audit mailing list roughly 40 minutes after this patch was +posted. + +Cc: stable@vger.kernel.org +Fixes: 1c30e3af8a79 ("audit: add support for the openat2 syscall") +Reported-by: Jeff Mahoney +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + kernel/auditsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -185,7 +185,7 @@ static int audit_match_perm(struct audit + case AUDITSC_EXECVE: + return mask & AUDIT_PERM_EXEC; + case AUDITSC_OPENAT2: +- return mask & ACC_MODE((u32)((struct open_how *)ctx->argv[2])->flags); ++ return mask & ACC_MODE((u32)ctx->openat2.flags); + default: + return 0; + } diff --git a/queue-5.16/can-isotp-fix-error-path-in-isotp_sendmsg-to-unlock-wait-queue.patch b/queue-5.16/can-isotp-fix-error-path-in-isotp_sendmsg-to-unlock-wait-queue.patch new file mode 100644 index 00000000000..1fc4a15c9f3 --- /dev/null +++ b/queue-5.16/can-isotp-fix-error-path-in-isotp_sendmsg-to-unlock-wait-queue.patch @@ -0,0 +1,86 @@ +From 8375dfac4f683e1b2c5956d919d36aeedad46699 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Wed, 9 Feb 2022 08:36:01 +0100 +Subject: can: isotp: fix error path in isotp_sendmsg() to unlock wait queue + +From: Oliver Hartkopp + +commit 8375dfac4f683e1b2c5956d919d36aeedad46699 upstream. + +Commit 43a08c3bdac4 ("can: isotp: isotp_sendmsg(): fix TX buffer concurrent +access in isotp_sendmsg()") introduced a new locking scheme that may render +the userspace application in a locking state when an error is detected. +This issue shows up under high load on simultaneously running isotp channels +with identical configuration which is against the ISO specification and +therefore breaks any reasonable PDU communication anyway. + +Fixes: 43a08c3bdac4 ("can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()") +Link: https://lore.kernel.org/all/20220209073601.25728-1-socketcan@hartkopp.net +Cc: stable@vger.kernel.org +Cc: Ziyang Xuan +Signed-off-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -887,7 +887,7 @@ static int isotp_sendmsg(struct socket * + + if (!size || size > MAX_MSG_LENGTH) { + err = -EINVAL; +- goto err_out; ++ goto err_out_drop; + } + + /* take care of a potential SF_DL ESC offset for TX_DL > 8 */ +@@ -897,24 +897,24 @@ static int isotp_sendmsg(struct socket * + if ((so->opt.flags & CAN_ISOTP_SF_BROADCAST) && + (size > so->tx.ll_dl - SF_PCI_SZ4 - ae - off)) { + err = -EINVAL; +- goto err_out; ++ goto err_out_drop; + } + + err = memcpy_from_msg(so->tx.buf, msg, size); + if (err < 0) +- goto err_out; ++ goto err_out_drop; + + dev = dev_get_by_index(sock_net(sk), so->ifindex); + if (!dev) { + err = -ENXIO; +- goto err_out; ++ goto err_out_drop; + } + + skb = sock_alloc_send_skb(sk, so->ll.mtu + sizeof(struct can_skb_priv), + msg->msg_flags & MSG_DONTWAIT, &err); + if (!skb) { + dev_put(dev); +- goto err_out; ++ goto err_out_drop; + } + + can_skb_reserve(skb); +@@ -976,7 +976,7 @@ static int isotp_sendmsg(struct socket * + if (err) { + pr_notice_once("can-isotp: %s: can_send_ret %pe\n", + __func__, ERR_PTR(err)); +- goto err_out; ++ goto err_out_drop; + } + + if (wait_tx_done) { +@@ -989,6 +989,9 @@ static int isotp_sendmsg(struct socket * + + return size; + ++err_out_drop: ++ /* drop this PDU and unlock a potential wait queue */ ++ old_state = ISOTP_IDLE; + err_out: + so->tx.state = old_state; + if (so->tx.state == ISOTP_IDLE) diff --git a/queue-5.16/can-isotp-fix-potential-can-frame-reception-race-in-isotp_rcv.patch b/queue-5.16/can-isotp-fix-potential-can-frame-reception-race-in-isotp_rcv.patch new file mode 100644 index 00000000000..adb8527fbde --- /dev/null +++ b/queue-5.16/can-isotp-fix-potential-can-frame-reception-race-in-isotp_rcv.patch @@ -0,0 +1,109 @@ +From 7c759040c1dd03954f650f147ae7175476d51314 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Tue, 8 Feb 2022 21:00:26 +0100 +Subject: can: isotp: fix potential CAN frame reception race in isotp_rcv() + +From: Oliver Hartkopp + +commit 7c759040c1dd03954f650f147ae7175476d51314 upstream. + +When receiving a CAN frame the current code logic does not consider +concurrently receiving processes which do not show up in real world +usage. + +Ziyang Xuan writes: + +The following syz problem is one of the scenarios. so->rx.len is +changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals +0 before alloc_skb() and equals 4096 after alloc_skb(). That will +trigger skb_over_panic() in skb_put(). + +======================================================= +CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0 +RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 +Call Trace: + + skb_over_panic net/core/skbuff.c:118 [inline] + skb_put.cold+0x24/0x24 net/core/skbuff.c:1990 + isotp_rcv_cf net/can/isotp.c:570 [inline] + isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668 + deliver net/can/af_can.c:574 [inline] + can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635 + can_receive+0x31d/0x580 net/can/af_can.c:665 + can_rcv+0x120/0x1c0 net/can/af_can.c:696 + __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465 + __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579 + +Therefore we make sure the state changes and data structures stay +consistent at CAN frame reception time by adding a spin_lock in +isotp_rcv(). This fixes the issue reported by syzkaller but does not +affect real world operation. + +Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") +Link: https://lore.kernel.org/linux-can/d7e69278-d741-c706-65e1-e87623d9a8e8@huawei.com/T/ +Link: https://lore.kernel.org/all/20220208200026.13783-1-socketcan@hartkopp.net +Cc: stable@vger.kernel.org +Reported-by: syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com +Reported-by: Ziyang Xuan +Signed-off-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -56,6 +56,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -145,6 +146,7 @@ struct isotp_sock { + struct tpcon rx, tx; + struct list_head notifier; + wait_queue_head_t wait; ++ spinlock_t rx_lock; /* protect single thread state machine */ + }; + + static LIST_HEAD(isotp_notifier_list); +@@ -615,11 +617,17 @@ static void isotp_rcv(struct sk_buff *sk + + n_pci_type = cf->data[ae] & 0xF0; + ++ /* Make sure the state changes and data structures stay consistent at ++ * CAN frame reception time. This locking is not needed in real world ++ * use cases but the inconsistency can be triggered with syzkaller. ++ */ ++ spin_lock(&so->rx_lock); ++ + if (so->opt.flags & CAN_ISOTP_HALF_DUPLEX) { + /* check rx/tx path half duplex expectations */ + if ((so->tx.state != ISOTP_IDLE && n_pci_type != N_PCI_FC) || + (so->rx.state != ISOTP_IDLE && n_pci_type == N_PCI_FC)) +- return; ++ goto out_unlock; + } + + switch (n_pci_type) { +@@ -668,6 +676,9 @@ static void isotp_rcv(struct sk_buff *sk + isotp_rcv_cf(sk, cf, ae, skb); + break; + } ++ ++out_unlock: ++ spin_unlock(&so->rx_lock); + } + + static void isotp_fill_dataframe(struct canfd_frame *cf, struct isotp_sock *so, +@@ -1444,6 +1455,7 @@ static int isotp_init(struct sock *sk) + so->txtimer.function = isotp_tx_timer_handler; + + init_waitqueue_head(&so->wait); ++ spin_lock_init(&so->rx_lock); + + spin_lock(&isotp_notifier_lock); + list_add_tail(&so->notifier, &isotp_notifier_list); diff --git a/queue-5.16/ima-allow-template-selection-with-ima_template-after-ima_hash.patch b/queue-5.16/ima-allow-template-selection-with-ima_template-after-ima_hash.patch new file mode 100644 index 00000000000..963cf57a77f --- /dev/null +++ b/queue-5.16/ima-allow-template-selection-with-ima_template-after-ima_hash.patch @@ -0,0 +1,84 @@ +From bb8e52e4906f148c2faf6656b5106cf7233e9301 Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Mon, 31 Jan 2022 18:11:39 +0100 +Subject: ima: Allow template selection with ima_template[_fmt]= after ima_hash= + +From: Roberto Sassu + +commit bb8e52e4906f148c2faf6656b5106cf7233e9301 upstream. + +Commit c2426d2ad5027 ("ima: added support for new kernel cmdline parameter +ima_template_fmt") introduced an additional check on the ima_template +variable to avoid multiple template selection. + +Unfortunately, ima_template could be also set by the setup function of the +ima_hash= parameter, when it calls ima_template_desc_current(). This causes +attempts to choose a new template with ima_template= or with +ima_template_fmt=, after ima_hash=, to be ignored. + +Achieve the goal of the commit mentioned with the new static variable +template_setup_done, so that template selection requests after ima_hash= +are not ignored. + +Finally, call ima_init_template_list(), if not already done, to initialize +the list of templates before lookup_template_desc() is called. + +Reported-by: Guo Zihua +Signed-off-by: Roberto Sassu +Cc: stable@vger.kernel.org +Fixes: c2426d2ad5027 ("ima: added support for new kernel cmdline parameter ima_template_fmt") +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_template.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/security/integrity/ima/ima_template.c ++++ b/security/integrity/ima/ima_template.c +@@ -29,6 +29,7 @@ static struct ima_template_desc builtin_ + + static LIST_HEAD(defined_templates); + static DEFINE_SPINLOCK(template_list); ++static int template_setup_done; + + static const struct ima_template_field supported_fields[] = { + {.field_id = "d", .field_init = ima_eventdigest_init, +@@ -101,10 +102,11 @@ static int __init ima_template_setup(cha + struct ima_template_desc *template_desc; + int template_len = strlen(str); + +- if (ima_template) ++ if (template_setup_done) + return 1; + +- ima_init_template_list(); ++ if (!ima_template) ++ ima_init_template_list(); + + /* + * Verify that a template with the supplied name exists. +@@ -128,6 +130,7 @@ static int __init ima_template_setup(cha + } + + ima_template = template_desc; ++ template_setup_done = 1; + return 1; + } + __setup("ima_template=", ima_template_setup); +@@ -136,7 +139,7 @@ static int __init ima_template_fmt_setup + { + int num_templates = ARRAY_SIZE(builtin_templates); + +- if (ima_template) ++ if (template_setup_done) + return 1; + + if (template_desc_init_fields(str, NULL, NULL) < 0) { +@@ -147,6 +150,7 @@ static int __init ima_template_fmt_setup + + builtin_templates[num_templates - 1].fmt = str; + ima_template = builtin_templates + num_templates - 1; ++ template_setup_done = 1; + + return 1; + } diff --git a/queue-5.16/ima-do-not-print-policy-rule-with-inactive-lsm-labels.patch b/queue-5.16/ima-do-not-print-policy-rule-with-inactive-lsm-labels.patch new file mode 100644 index 00000000000..2e395931619 --- /dev/null +++ b/queue-5.16/ima-do-not-print-policy-rule-with-inactive-lsm-labels.patch @@ -0,0 +1,41 @@ +From 89677197ae709eb1ab3646952c44f6a171c9e74c Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Tue, 1 Feb 2022 15:37:10 -0500 +Subject: ima: Do not print policy rule with inactive LSM labels + +From: Stefan Berger + +commit 89677197ae709eb1ab3646952c44f6a171c9e74c upstream. + +Before printing a policy rule scan for inactive LSM labels in the policy +rule. Inactive LSM labels are identified by args_p != NULL and +rule == NULL. + +Fixes: 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug fixes") +Signed-off-by: Stefan Berger +Cc: # v5.6+ +Acked-by: Christian Brauner +[zohar@linux.ibm.com: Updated "Fixes" tag] +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_policy.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -1967,6 +1967,14 @@ int ima_policy_show(struct seq_file *m, + + rcu_read_lock(); + ++ /* Do not print rules with inactive LSM labels */ ++ for (i = 0; i < MAX_LSM_RULES; i++) { ++ if (entry->lsm[i].args_p && !entry->lsm[i].rule) { ++ rcu_read_unlock(); ++ return 0; ++ } ++ } ++ + if (entry->action & MEASURE) + seq_puts(m, pt(Opt_measure)); + if (entry->action & DONT_MEASURE) diff --git a/queue-5.16/ima-fix-reference-leak-in-asymmetric_verify.patch b/queue-5.16/ima-fix-reference-leak-in-asymmetric_verify.patch new file mode 100644 index 00000000000..7c25c129b67 --- /dev/null +++ b/queue-5.16/ima-fix-reference-leak-in-asymmetric_verify.patch @@ -0,0 +1,56 @@ +From 926fd9f23b27ca6587492c3f58f4c7f4cd01dad5 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 13 Jan 2022 11:44:38 -0800 +Subject: ima: fix reference leak in asymmetric_verify() + +From: Eric Biggers + +commit 926fd9f23b27ca6587492c3f58f4c7f4cd01dad5 upstream. + +Don't leak a reference to the key if its algorithm is unknown. + +Fixes: 947d70597236 ("ima: Support EC keys for signature verification") +Cc: # v5.13+ +Signed-off-by: Eric Biggers +Reviewed-by: Stefan Berger +Reviewed-by: Tianjia Zhang +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/digsig_asymmetric.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/security/integrity/digsig_asymmetric.c ++++ b/security/integrity/digsig_asymmetric.c +@@ -109,22 +109,25 @@ int asymmetric_verify(struct key *keyrin + + pk = asymmetric_key_public_key(key); + pks.pkey_algo = pk->pkey_algo; +- if (!strcmp(pk->pkey_algo, "rsa")) ++ if (!strcmp(pk->pkey_algo, "rsa")) { + pks.encoding = "pkcs1"; +- else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) ++ } else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) { + /* edcsa-nist-p192 etc. */ + pks.encoding = "x962"; +- else if (!strcmp(pk->pkey_algo, "ecrdsa") || +- !strcmp(pk->pkey_algo, "sm2")) ++ } else if (!strcmp(pk->pkey_algo, "ecrdsa") || ++ !strcmp(pk->pkey_algo, "sm2")) { + pks.encoding = "raw"; +- else +- return -ENOPKG; ++ } else { ++ ret = -ENOPKG; ++ goto out; ++ } + + pks.digest = (u8 *)data; + pks.digest_size = datalen; + pks.s = hdr->sig; + pks.s_size = siglen; + ret = verify_signature(key, &pks); ++out: + key_put(key); + pr_debug("%s() = %d\n", __func__, ret); + return ret; diff --git a/queue-5.16/ima-remove-ima_policy-file-before-directory.patch b/queue-5.16/ima-remove-ima_policy-file-before-directory.patch new file mode 100644 index 00000000000..21a3884327d --- /dev/null +++ b/queue-5.16/ima-remove-ima_policy-file-before-directory.patch @@ -0,0 +1,38 @@ +From f7333b9572d0559e00352a926c92f29f061b4569 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Tue, 25 Jan 2022 17:46:23 -0500 +Subject: ima: Remove ima_policy file before directory + +From: Stefan Berger + +commit f7333b9572d0559e00352a926c92f29f061b4569 upstream. + +The removal of ima_dir currently fails since ima_policy still exists, so +remove the ima_policy file before removing the directory. + +Fixes: 4af4662fa4a9 ("integrity: IMA policy") +Signed-off-by: Stefan Berger +Cc: +Acked-by: Christian Brauner +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/integrity/ima/ima_fs.c ++++ b/security/integrity/ima/ima_fs.c +@@ -496,12 +496,12 @@ int __init ima_fs_init(void) + + return 0; + out: ++ securityfs_remove(ima_policy); + securityfs_remove(violations); + securityfs_remove(runtime_measurements_count); + securityfs_remove(ascii_runtime_measurements); + securityfs_remove(binary_runtime_measurements); + securityfs_remove(ima_symlink); + securityfs_remove(ima_dir); +- securityfs_remove(ima_policy); + return -1; + } diff --git a/queue-5.16/integrity-check-the-return-value-of-audit_log_start.patch b/queue-5.16/integrity-check-the-return-value-of-audit_log_start.patch new file mode 100644 index 00000000000..f8a6a2c7e46 --- /dev/null +++ b/queue-5.16/integrity-check-the-return-value-of-audit_log_start.patch @@ -0,0 +1,33 @@ +From 83230351c523b04ff8a029a4bdf97d881ecb96fc Mon Sep 17 00:00:00 2001 +From: Xiaoke Wang +Date: Sat, 15 Jan 2022 09:11:11 +0800 +Subject: integrity: check the return value of audit_log_start() + +From: Xiaoke Wang + +commit 83230351c523b04ff8a029a4bdf97d881ecb96fc upstream. + +audit_log_start() returns audit_buffer pointer on success or NULL on +error, so it is better to check the return value of it. + +Fixes: 3323eec921ef ("integrity: IMA as an integrity service provider") +Signed-off-by: Xiaoke Wang +Cc: +Reviewed-by: Paul Moore +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/integrity_audit.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/security/integrity/integrity_audit.c ++++ b/security/integrity/integrity_audit.c +@@ -45,6 +45,8 @@ void integrity_audit_message(int audit_m + return; + + ab = audit_log_start(audit_context(), GFP_KERNEL, audit_msgno); ++ if (!ab) ++ return; + audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u", + task_pid_nr(current), + from_kuid(&init_user_ns, current_uid()), diff --git a/queue-5.16/mmc-core-wait-for-command-setting-power-off-notification-bit-to-complete.patch b/queue-5.16/mmc-core-wait-for-command-setting-power-off-notification-bit-to-complete.patch new file mode 100644 index 00000000000..cd9f3eda17e --- /dev/null +++ b/queue-5.16/mmc-core-wait-for-command-setting-power-off-notification-bit-to-complete.patch @@ -0,0 +1,62 @@ +From 379f56c24e698f14242f532b1d0a0f1747725e08 Mon Sep 17 00:00:00 2001 +From: Andrey Skvortsov +Date: Sat, 15 Jan 2022 15:14:46 +0300 +Subject: mmc: core: Wait for command setting 'Power Off Notification' bit to complete + +From: Andrey Skvortsov + +commit 379f56c24e698f14242f532b1d0a0f1747725e08 upstream. + +SD card is allowed to signal busy on DAT0 up to 1s after the +CMD49. According to SD spec (version 6.0 section 5.8.1.3) first host +waits until busy of CMD49 is released and only then polls Power +Management Status register up to 1s until the card indicates ready to +power off. + +Without waiting for busy before polling status register sometimes card +becomes unresponsive and system fails to suspend: + + [ 205.907459] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done. + [ 206.421274] sunxi-mmc 1c0f000.mmc: data error, sending stop command + [ 206.421321] sunxi-mmc 1c0f000.mmc: send stop command failed + [ 206.421347] mmc0: error -110 reading status reg of PM func + [ 206.421366] PM: dpm_run_callback(): mmc_bus_suspend+0x0/0x74 returns -110 + [ 206.421402] mmcblk mmc0:aaaa: PM: failed to suspend async: error -110 + [ 206.437064] PM: Some devices failed to suspend, or early wake event detected + +Tested with Sandisk Extreme PRO A2 64GB on Allwinner A64 system. + +Signed-off-by: Andrey Skvortsov +Fixes: 2c5d42769038 ("mmc: core: Add support for Power Off Notification for SD cards") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220115121447.641524-1-andrej.skvortzov@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/sd.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -67,7 +67,7 @@ static const unsigned int sd_au_size[] = + __res & __mask; \ + }) + +-#define SD_POWEROFF_NOTIFY_TIMEOUT_MS 2000 ++#define SD_POWEROFF_NOTIFY_TIMEOUT_MS 1000 + #define SD_WRITE_EXTR_SINGLE_TIMEOUT_MS 1000 + + struct sd_busy_data { +@@ -1664,6 +1664,12 @@ static int sd_poweroff_notify(struct mmc + goto out; + } + ++ /* Find out when the command is completed. */ ++ err = mmc_poll_for_busy(card, SD_WRITE_EXTR_SINGLE_TIMEOUT_MS, false, ++ MMC_BUSY_EXTR_SINGLE); ++ if (err) ++ goto out; ++ + cb_data.card = card; + cb_data.reg_buf = reg_buf; + err = __mmc_poll_for_busy(card, SD_POWEROFF_NOTIFY_TIMEOUT_MS, diff --git a/queue-5.16/mmc-sdhci-of-esdhc-check-for-error-num-after-setting-mask.patch b/queue-5.16/mmc-sdhci-of-esdhc-check-for-error-num-after-setting-mask.patch new file mode 100644 index 00000000000..5cd7ff38b05 --- /dev/null +++ b/queue-5.16/mmc-sdhci-of-esdhc-check-for-error-num-after-setting-mask.patch @@ -0,0 +1,48 @@ +From 40c67c291a93f8846c4a972c9ef1b7ba4544c8d0 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 12 Jan 2022 16:31:56 +0800 +Subject: mmc: sdhci-of-esdhc: Check for error num after setting mask + +From: Jiasheng Jiang + +commit 40c67c291a93f8846c4a972c9ef1b7ba4544c8d0 upstream. + +Because of the possible failure of the dma_supported(), the +dma_set_mask_and_coherent() may return error num. +Therefore, it should be better to check it and return the error if +fails. +And since the sdhci_setup_host() has already checked the return value of +the enable_dma, we need not check it in sdhci_resume_host() again. + +Fixes: 5552d7ad596c ("mmc: sdhci-of-esdhc: set proper dma mask for ls104x chips") +Signed-off-by: Jiasheng Jiang +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220112083156.1124782-1-jiasheng@iscas.ac.cn +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-of-esdhc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -524,12 +524,16 @@ static void esdhc_of_adma_workaround(str + + static int esdhc_of_enable_dma(struct sdhci_host *host) + { ++ int ret; + u32 value; + struct device *dev = mmc_dev(host->mmc); + + if (of_device_is_compatible(dev->of_node, "fsl,ls1043a-esdhc") || +- of_device_is_compatible(dev->of_node, "fsl,ls1046a-esdhc")) +- dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40)); ++ of_device_is_compatible(dev->of_node, "fsl,ls1046a-esdhc")) { ++ ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40)); ++ if (ret) ++ return ret; ++ } + + value = sdhci_readl(host, ESDHC_DMA_SYSCTL); + diff --git a/queue-5.16/mmc-sh_mmcif-check-for-null-res-pointer.patch b/queue-5.16/mmc-sh_mmcif-check-for-null-res-pointer.patch new file mode 100644 index 00000000000..df733d24aec --- /dev/null +++ b/queue-5.16/mmc-sh_mmcif-check-for-null-res-pointer.patch @@ -0,0 +1,35 @@ +From 4d315357b3d6c315a7260420c6c6fc076e58d14b Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 19 Jan 2022 20:00:06 +0800 +Subject: mmc: sh_mmcif: Check for null res pointer + +From: Jiasheng Jiang + +commit 4d315357b3d6c315a7260420c6c6fc076e58d14b upstream. + +If there is no suitable resource, platform_get_resource() will return +NULL. +Therefore in order to avoid the dereference of the NULL pointer, it +should be better to check the 'res'. + +Signed-off-by: Jiasheng Jiang +Cc: stable@vger.kernel.org # v5.16+ +Link: https://lore.kernel.org/r/20220119120006.1426964-1-jiasheng@iscas.ac.cn +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sh_mmcif.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mmc/host/sh_mmcif.c ++++ b/drivers/mmc/host/sh_mmcif.c +@@ -405,6 +405,9 @@ static int sh_mmcif_dma_slave_config(str + struct dma_slave_config cfg = { 0, }; + + res = platform_get_resource(host->pd, IORESOURCE_MEM, 0); ++ if (!res) ++ return -EINVAL; ++ + cfg.direction = direction; + + if (direction == DMA_DEV_TO_MEM) { diff --git a/queue-5.16/net-phy-marvell-fix-mdi-x-polarity-setting-in-88e1118-compatible-phys.patch b/queue-5.16/net-phy-marvell-fix-mdi-x-polarity-setting-in-88e1118-compatible-phys.patch new file mode 100644 index 00000000000..70558b8be36 --- /dev/null +++ b/queue-5.16/net-phy-marvell-fix-mdi-x-polarity-setting-in-88e1118-compatible-phys.patch @@ -0,0 +1,51 @@ +From aec12836e7196e4d360b2cbf20cf7aa5139ad2ec Mon Sep 17 00:00:00 2001 +From: Pavel Parkhomenko +Date: Sun, 6 Feb 2022 00:49:51 +0300 +Subject: net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs + +From: Pavel Parkhomenko + +commit aec12836e7196e4d360b2cbf20cf7aa5139ad2ec upstream. + +When setting up autonegotiation for 88E1118R and compatible PHYs, +a software reset of PHY is issued before setting up polarity. +This is incorrect as changes of MDI Crossover Mode bits are +disruptive to the normal operation and must be followed by a +software reset to take effect. Let's patch m88e1118_config_aneg() +to fix the issue mentioned before by invoking software reset +of the PHY just after setting up MDI-x polarity. + +Fixes: 605f196efbf8 ("phy: Add support for Marvell 88E1118 PHY") +Signed-off-by: Pavel Parkhomenko +Reviewed-by: Serge Semin +Suggested-by: Andrew Lunn +Cc: stable@vger.kernel.org +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/marvell.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1215,16 +1215,15 @@ static int m88e1118_config_aneg(struct p + { + int err; + +- err = genphy_soft_reset(phydev); ++ err = marvell_set_polarity(phydev, phydev->mdix_ctrl); + if (err < 0) + return err; + +- err = marvell_set_polarity(phydev, phydev->mdix_ctrl); ++ err = genphy_config_aneg(phydev); + if (err < 0) + return err; + +- err = genphy_config_aneg(phydev); +- return 0; ++ return genphy_soft_reset(phydev); + } + + static int m88e1118_config_init(struct phy_device *phydev) diff --git a/queue-5.16/net-phy-marvell-fix-rgmii-tx-rx-delays-setting-in-88e1121-compatible-phys.patch b/queue-5.16/net-phy-marvell-fix-rgmii-tx-rx-delays-setting-in-88e1121-compatible-phys.patch new file mode 100644 index 00000000000..7c36bb4ccbe --- /dev/null +++ b/queue-5.16/net-phy-marvell-fix-rgmii-tx-rx-delays-setting-in-88e1121-compatible-phys.patch @@ -0,0 +1,65 @@ +From fe4f57bf7b585dca58f1496c4e2481ecbae18126 Mon Sep 17 00:00:00 2001 +From: Pavel Parkhomenko +Date: Sat, 5 Feb 2022 23:39:32 +0300 +Subject: net: phy: marvell: Fix RGMII Tx/Rx delays setting in 88e1121-compatible PHYs + +From: Pavel Parkhomenko + +commit fe4f57bf7b585dca58f1496c4e2481ecbae18126 upstream. + +It is mandatory for a software to issue a reset upon modifying RGMII +Receive Timing Control and RGMII Transmit Timing Control bit fields of MAC +Specific Control register 2 (page 2, register 21) otherwise the changes +won't be perceived by the PHY (the same is applicable for a lot of other +registers). Not setting the RGMII delays on the platforms that imply it' +being done on the PHY side will consequently cause the traffic loss. We +discovered that the denoted soft-reset is missing in the +m88e1121_config_aneg() method for the case if the RGMII delays are +modified but the MDIx polarity isn't changed or the auto-negotiation is +left enabled, thus causing the traffic loss on our platform with Marvell +Alaska 88E1510 installed. Let's fix that by issuing the soft-reset if the +delays have been actually set in the m88e1121_config_aneg_rgmii_delays() +method. + +Cc: stable@vger.kernel.org +Fixes: d6ab93364734 ("net: phy: marvell: Avoid unnecessary soft reset") +Signed-off-by: Pavel Parkhomenko +Reviewed-by: Russell King (Oracle) +Reviewed-by: Serge Semin +Link: https://lore.kernel.org/r/20220205203932.26899-1-Pavel.Parkhomenko@baikalelectronics.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/marvell.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -553,9 +553,9 @@ static int m88e1121_config_aneg_rgmii_de + else + mscr = 0; + +- return phy_modify_paged(phydev, MII_MARVELL_MSCR_PAGE, +- MII_88E1121_PHY_MSCR_REG, +- MII_88E1121_PHY_MSCR_DELAY_MASK, mscr); ++ return phy_modify_paged_changed(phydev, MII_MARVELL_MSCR_PAGE, ++ MII_88E1121_PHY_MSCR_REG, ++ MII_88E1121_PHY_MSCR_DELAY_MASK, mscr); + } + + static int m88e1121_config_aneg(struct phy_device *phydev) +@@ -569,11 +569,13 @@ static int m88e1121_config_aneg(struct p + return err; + } + ++ changed = err; ++ + err = marvell_set_polarity(phydev, phydev->mdix_ctrl); + if (err < 0) + return err; + +- changed = err; ++ changed |= err; + + err = genphy_config_aneg(phydev); + if (err < 0) diff --git a/queue-5.16/nfs-fix-initialisation-of-nfs_client-cl_flags-field.patch b/queue-5.16/nfs-fix-initialisation-of-nfs_client-cl_flags-field.patch new file mode 100644 index 00000000000..90ab8c623d2 --- /dev/null +++ b/queue-5.16/nfs-fix-initialisation-of-nfs_client-cl_flags-field.patch @@ -0,0 +1,41 @@ +From 468d126dab45718feeb728319be20bd869a5eaa7 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 2 Feb 2022 18:52:01 -0500 +Subject: NFS: Fix initialisation of nfs_client cl_flags field + +From: Trond Myklebust + +commit 468d126dab45718feeb728319be20bd869a5eaa7 upstream. + +For some long forgotten reason, the nfs_client cl_flags field is +initialised in nfs_get_client() instead of being initialised at +allocation time. This quirk was harmless until we moved the call to +nfs_create_rpc_client(). + +Fixes: dd99e9f98fbf ("NFSv4: Initialise connection to the server in nfs4_alloc_client()") +Cc: stable@vger.kernel.org # 4.8.x +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -177,6 +177,7 @@ struct nfs_client *nfs_alloc_client(cons + INIT_LIST_HEAD(&clp->cl_superblocks); + clp->cl_rpcclient = ERR_PTR(-EINVAL); + ++ clp->cl_flags = cl_init->init_flags; + clp->cl_proto = cl_init->proto; + clp->cl_nconnect = cl_init->nconnect; + clp->cl_max_connect = cl_init->max_connect ? cl_init->max_connect : 1; +@@ -427,7 +428,6 @@ struct nfs_client *nfs_get_client(const + list_add_tail(&new->cl_share_link, + &nn->nfs_client_list); + spin_unlock(&nn->nfs_client_lock); +- new->cl_flags = cl_init->init_flags; + return rpc_ops->init_client(new, cl_init); + } + diff --git a/queue-5.16/nfsd-clamp-write-offsets.patch b/queue-5.16/nfsd-clamp-write-offsets.patch new file mode 100644 index 00000000000..43595cd101a --- /dev/null +++ b/queue-5.16/nfsd-clamp-write-offsets.patch @@ -0,0 +1,51 @@ +From 6260d9a56ab352b54891ec66ab0eced57d55abc6 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Tue, 25 Jan 2022 16:36:22 -0500 +Subject: NFSD: Clamp WRITE offsets + +From: Chuck Lever + +commit 6260d9a56ab352b54891ec66ab0eced57d55abc6 upstream. + +Ensure that a client cannot specify a WRITE range that falls in a +byte range outside what the kernel's internal types (such as loff_t, +which is signed) can represent. The kiocb iterators, invoked in +nfsd_vfs_write(), should properly limit write operations to within +the underlying file system's s_maxbytes. + +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs3proc.c | 5 +++++ + fs/nfsd/nfs4proc.c | 5 +++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs3proc.c ++++ b/fs/nfsd/nfs3proc.c +@@ -199,6 +199,11 @@ nfsd3_proc_write(struct svc_rqst *rqstp) + (unsigned long long) argp->offset, + argp->stable? " stable" : ""); + ++ resp->status = nfserr_fbig; ++ if (argp->offset > (u64)OFFSET_MAX || ++ argp->offset + argp->len > (u64)OFFSET_MAX) ++ return rpc_success; ++ + fh_copy(&resp->fh, &argp->fh); + resp->committed = argp->stable; + nvecs = svc_fill_write_vector(rqstp, &argp->payload); +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1018,8 +1018,9 @@ nfsd4_write(struct svc_rqst *rqstp, stru + unsigned long cnt; + int nvecs; + +- if (write->wr_offset >= OFFSET_MAX) +- return nfserr_inval; ++ if (write->wr_offset > (u64)OFFSET_MAX || ++ write->wr_offset + write->wr_buflen > (u64)OFFSET_MAX) ++ return nfserr_fbig; + + cnt = write->wr_buflen; + trace_nfsd_write_start(rqstp, &cstate->current_fh, diff --git a/queue-5.16/nfsd-fix-ia_size-underflow.patch b/queue-5.16/nfsd-fix-ia_size-underflow.patch new file mode 100644 index 00000000000..a3f7876a33c --- /dev/null +++ b/queue-5.16/nfsd-fix-ia_size-underflow.patch @@ -0,0 +1,39 @@ +From e6faac3f58c7c4176b66f63def17a34232a17b0e Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Mon, 31 Jan 2022 13:01:53 -0500 +Subject: NFSD: Fix ia_size underflow + +From: Chuck Lever + +commit e6faac3f58c7c4176b66f63def17a34232a17b0e upstream. + +iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and +NFSv4 both define file size as an unsigned 64-bit type. Thus there +is a range of valid file size values an NFS client can send that is +already larger than Linux can handle. + +Currently decode_fattr4() dumps a full u64 value into ia_size. If +that value happens to be larger than S64_MAX, then ia_size +underflows. I'm about to fix up the NFSv3 behavior as well, so let's +catch the underflow in the common code path: nfsd_setattr(). + +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/vfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -434,6 +434,10 @@ nfsd_setattr(struct svc_rqst *rqstp, str + .ia_size = iap->ia_size, + }; + ++ host_err = -EFBIG; ++ if (iap->ia_size < 0) ++ goto out_unlock; ++ + host_err = notify_change(&init_user_ns, dentry, &size_attr, NULL); + if (host_err) + goto out_unlock; diff --git a/queue-5.16/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-file-sizes.patch b/queue-5.16/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-file-sizes.patch new file mode 100644 index 00000000000..e5df0447a8e --- /dev/null +++ b/queue-5.16/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-file-sizes.patch @@ -0,0 +1,39 @@ +From a648fdeb7c0e17177a2280344d015dba3fbe3314 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Tue, 25 Jan 2022 15:59:57 -0500 +Subject: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes + +From: Chuck Lever + +commit a648fdeb7c0e17177a2280344d015dba3fbe3314 upstream. + +iattr::ia_size is a loff_t, so these NFSv3 procedures must be +careful to deal with incoming client size values that are larger +than s64_max without corrupting the value. + +Silently capping the value results in storing a different value +than the client passed in which is unexpected behavior, so remove +the min_t() check in decode_sattr3(). + +Note that RFC 1813 permits only the WRITE procedure to return +NFS3ERR_FBIG. We believe that NFSv3 reference implementations +also return NFS3ERR_FBIG when ia_size is too large. + +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs3xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -254,7 +254,7 @@ svcxdr_decode_sattr3(struct svc_rqst *rq + if (xdr_stream_decode_u64(xdr, &newsize) < 0) + return false; + iap->ia_valid |= ATTR_SIZE; +- iap->ia_size = min_t(u64, newsize, NFS_OFFSET_MAX); ++ iap->ia_size = newsize; + } + if (xdr_stream_decode_u32(xdr, &set_it) < 0) + return false; diff --git a/queue-5.16/nfsd-fix-offset-type-in-i-o-trace-points.patch b/queue-5.16/nfsd-fix-offset-type-in-i-o-trace-points.patch new file mode 100644 index 00000000000..a3861da4d27 --- /dev/null +++ b/queue-5.16/nfsd-fix-offset-type-in-i-o-trace-points.patch @@ -0,0 +1,59 @@ +From 6a4d333d540041d244b2fca29b8417bfde20af81 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 4 Feb 2022 17:05:24 -0500 +Subject: NFSD: Fix offset type in I/O trace points + +From: Chuck Lever + +commit 6a4d333d540041d244b2fca29b8417bfde20af81 upstream. + +NFSv3 and NFSv4 use u64 offset values on the wire. Record these values +verbatim without the implicit type case to loff_t. + +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/trace.h | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/nfsd/trace.h ++++ b/fs/nfsd/trace.h +@@ -320,14 +320,14 @@ TRACE_EVENT(nfsd_export_update, + DECLARE_EVENT_CLASS(nfsd_io_class, + TP_PROTO(struct svc_rqst *rqstp, + struct svc_fh *fhp, +- loff_t offset, +- unsigned long len), ++ u64 offset, ++ u32 len), + TP_ARGS(rqstp, fhp, offset, len), + TP_STRUCT__entry( + __field(u32, xid) + __field(u32, fh_hash) +- __field(loff_t, offset) +- __field(unsigned long, len) ++ __field(u64, offset) ++ __field(u32, len) + ), + TP_fast_assign( + __entry->xid = be32_to_cpu(rqstp->rq_xid); +@@ -335,7 +335,7 @@ DECLARE_EVENT_CLASS(nfsd_io_class, + __entry->offset = offset; + __entry->len = len; + ), +- TP_printk("xid=0x%08x fh_hash=0x%08x offset=%lld len=%lu", ++ TP_printk("xid=0x%08x fh_hash=0x%08x offset=%llu len=%u", + __entry->xid, __entry->fh_hash, + __entry->offset, __entry->len) + ) +@@ -344,8 +344,8 @@ DECLARE_EVENT_CLASS(nfsd_io_class, + DEFINE_EVENT(nfsd_io_class, nfsd_##name, \ + TP_PROTO(struct svc_rqst *rqstp, \ + struct svc_fh *fhp, \ +- loff_t offset, \ +- unsigned long len), \ ++ u64 offset, \ ++ u32 len), \ + TP_ARGS(rqstp, fhp, offset, len)) + + DEFINE_NFSD_IO_EVENT(read_start); diff --git a/queue-5.16/nfsd-fix-the-behavior-of-read-near-offset_max.patch b/queue-5.16/nfsd-fix-the-behavior-of-read-near-offset_max.patch new file mode 100644 index 00000000000..5911caa43ec --- /dev/null +++ b/queue-5.16/nfsd-fix-the-behavior-of-read-near-offset_max.patch @@ -0,0 +1,113 @@ +From 0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 4 Feb 2022 15:19:34 -0500 +Subject: NFSD: Fix the behavior of READ near OFFSET_MAX + +From: Chuck Lever + +commit 0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960 upstream. + +Dan Aloni reports: +> Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to +> the RPC read layers") on the client, a read of 0xfff is aligned up +> to server rsize of 0x1000. +> +> As a result, in a test where the server has a file of size +> 0x7fffffffffffffff, and the client tries to read from the offset +> 0x7ffffffffffff000, the read causes loff_t overflow in the server +> and it returns an NFS code of EINVAL to the client. The client as +> a result indefinitely retries the request. + +The Linux NFS client does not handle NFS?ERR_INVAL, even though all +NFS specifications permit servers to return that status code for a +READ. + +Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed +and return a short result. Set the EOF flag in the result to prevent +the client from retrying the READ request. This behavior appears to +be consistent with Solaris NFS servers. + +Note that NFSv3 and NFSv4 use u64 offset values on the wire. These +must be converted to loff_t internally before use -- an implicit +type cast is not adequate for this purpose. Otherwise VFS checks +against sb->s_maxbytes do not work properly. + +Reported-by: Dan Aloni +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs3proc.c | 8 ++++++-- + fs/nfsd/nfs4proc.c | 8 ++++++-- + fs/nfsd/nfs4xdr.c | 8 ++------ + 3 files changed, 14 insertions(+), 10 deletions(-) + +--- a/fs/nfsd/nfs3proc.c ++++ b/fs/nfsd/nfs3proc.c +@@ -150,13 +150,17 @@ nfsd3_proc_read(struct svc_rqst *rqstp) + unsigned int len; + int v; + +- argp->count = min_t(u32, argp->count, max_blocksize); +- + dprintk("nfsd: READ(3) %s %lu bytes at %Lu\n", + SVCFH_fmt(&argp->fh), + (unsigned long) argp->count, + (unsigned long long) argp->offset); + ++ argp->count = min_t(u32, argp->count, max_blocksize); ++ if (argp->offset > (u64)OFFSET_MAX) ++ argp->offset = (u64)OFFSET_MAX; ++ if (argp->offset + argp->count > (u64)OFFSET_MAX) ++ argp->count = (u64)OFFSET_MAX - argp->offset; ++ + v = 0; + len = argp->count; + resp->pages = rqstp->rq_next_page; +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -782,12 +782,16 @@ nfsd4_read(struct svc_rqst *rqstp, struc + __be32 status; + + read->rd_nf = NULL; +- if (read->rd_offset >= OFFSET_MAX) +- return nfserr_inval; + + trace_nfsd_read_start(rqstp, &cstate->current_fh, + read->rd_offset, read->rd_length); + ++ read->rd_length = min_t(u32, read->rd_length, svc_max_payload(rqstp)); ++ if (read->rd_offset > (u64)OFFSET_MAX) ++ read->rd_offset = (u64)OFFSET_MAX; ++ if (read->rd_offset + read->rd_length > (u64)OFFSET_MAX) ++ read->rd_length = (u64)OFFSET_MAX - read->rd_offset; ++ + /* + * If we do a zero copy read, then a client will see read data + * that reflects the state of the file *after* performing the +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3997,10 +3997,8 @@ nfsd4_encode_read(struct nfsd4_compoundr + } + xdr_commit_encode(xdr); + +- maxcount = svc_max_payload(resp->rqstp); +- maxcount = min_t(unsigned long, maxcount, ++ maxcount = min_t(unsigned long, read->rd_length, + (xdr->buf->buflen - xdr->buf->len)); +- maxcount = min_t(unsigned long, maxcount, read->rd_length); + + if (file->f_op->splice_read && + test_bit(RQ_SPLICE_OK, &resp->rqstp->rq_flags)) +@@ -4837,10 +4835,8 @@ nfsd4_encode_read_plus(struct nfsd4_comp + return nfserr_resource; + xdr_commit_encode(xdr); + +- maxcount = svc_max_payload(resp->rqstp); +- maxcount = min_t(unsigned long, maxcount, ++ maxcount = min_t(unsigned long, read->rd_length, + (xdr->buf->buflen - xdr->buf->len)); +- maxcount = min_t(unsigned long, maxcount, read->rd_length); + count = maxcount; + + eof = read->rd_offset >= i_size_read(file_inode(file)); diff --git a/queue-5.16/series b/queue-5.16/series new file mode 100644 index 00000000000..1d8701b98c6 --- /dev/null +++ b/queue-5.16/series @@ -0,0 +1,19 @@ +integrity-check-the-return-value-of-audit_log_start.patch +audit-don-t-deref-the-syscall-args-when-checking-the-openat2-open_how-flags.patch +ima-fix-reference-leak-in-asymmetric_verify.patch +ima-remove-ima_policy-file-before-directory.patch +ima-allow-template-selection-with-ima_template-after-ima_hash.patch +ima-do-not-print-policy-rule-with-inactive-lsm-labels.patch +mmc-sdhci-of-esdhc-check-for-error-num-after-setting-mask.patch +mmc-core-wait-for-command-setting-power-off-notification-bit-to-complete.patch +mmc-sh_mmcif-check-for-null-res-pointer.patch +can-isotp-fix-potential-can-frame-reception-race-in-isotp_rcv.patch +can-isotp-fix-error-path-in-isotp_sendmsg-to-unlock-wait-queue.patch +net-phy-marvell-fix-rgmii-tx-rx-delays-setting-in-88e1121-compatible-phys.patch +net-phy-marvell-fix-mdi-x-polarity-setting-in-88e1118-compatible-phys.patch +nfs-fix-initialisation-of-nfs_client-cl_flags-field.patch +nfsd-fix-nfsv3-setattr-create-s-handling-of-large-file-sizes.patch +nfsd-fix-ia_size-underflow.patch +nfsd-clamp-write-offsets.patch +nfsd-fix-offset-type-in-i-o-trace-points.patch +nfsd-fix-the-behavior-of-read-near-offset_max.patch