From: Sasha Levin
Date: Thu, 27 Jun 2019 23:11:59 +0000 (-0400)
Subject: fixes for 4.14
X-Git-Tag: v5.1.16~46
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e653e91a19a5667b8904097e8fc16462fb3a0f3;p=thirdparty%2Fkernel%2Fstable-queue.git

fixes for 4.14

Signed-off-by: Sasha Levin
---

diff --git a/queue-4.14/9p-acl-fix-uninitialized-iattr-access.patch b/queue-4.14/9p-acl-fix-uninitialized-iattr-access.patch
new file mode 100644
index 00000000000..8c9a536e320
--- /dev/null
+++ b/queue-4.14/9p-acl-fix-uninitialized-iattr-access.patch
@@ -0,0 +1,35 @@
+From dfe591b050d1fed6af608e02248cf88a29bd7af2 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Sat, 8 Sep 2018 00:10:57 +0900
+Subject: 9p: acl: fix uninitialized iattr access
+
+[ Upstream commit e02a53d92e197706cad1627bd84705d4aa20a145 ]
+
+iattr is passed to v9fs_vfs_setattr_dotl which does send various
+values from iattr over the wire, even if it tells the server to
+only look at iattr.ia_valid fields this could leak some stack data.
+
+Link: http://lkml.kernel.org/r/1536339057-21974-2-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 1195601 ("Uninitalized scalar variable")
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ fs/9p/acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/9p/acl.c b/fs/9p/acl.c
+index 082d227fa56b..6261719f6f2a 100644
+--- a/fs/9p/acl.c
++++ b/fs/9p/acl.c
+@@ -276,7 +276,7 @@ static int v9fs_xattr_set_acl(const struct xattr_handler *handler,
+ switch (handler->flags) {
+ case ACL_TYPE_ACCESS:
+ if (acl) {
+- struct iattr iattr;
++ struct iattr iattr = { 0 };
+ struct posix_acl *old_acl = acl;
+
+ retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+--
+2.20.1
+
diff --git a/queue-4.14/9p-p9dirent_read-check-network-provided-name-length.patch b/queue-4.14/9p-p9dirent_read-check-network-provided-name-length.patch
new file mode 100644
index 00000000000..82081da5ccb
--- /dev/null
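Review bot: The new initializer `struct iattr iattr = { 0 };` in v9fs_xattr_set_acl carries no hint of why it is there, so a later cleanup could drop it and reopen the stack-data leak the commit message describes. I would add a comment above it such as `/* zeroed: v9fs_vfs_setattr_dotl() puts iattr fields on the wire beyond those flagged in ia_valid */`. Note that `= { 0 }` clears the named members but is not guaranteed to clear padding; that is fine if the fields are marshalled one by one, which this hunk does not show, and would call for `memset(&iattr, 0, sizeof(iattr));` if the struct were ever copied whole. The enclosing function starts and ends outside the hunk.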
+++ b/queue-4.14/9p-p9dirent_read-check-network-provided-name-length.patch
@@ -0,0 +1,52 @@
+From f28f6f36ed0da90b925e605eca48db835a7efc40 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Sat, 8 Sep 2018 00:36:08 +0900
+Subject: 9p: p9dirent_read: check network-provided name length
+
+[ Upstream commit ef5305f1f72eb1cfcda25c382bb0368509c0385b ]
+
+strcpy to dirent->d_name could overflow the buffer, use strscpy to check
+the provided string length and error out if the size was too big.
+
+While we are here, make the function return an error when the pdu
+parsing failed, instead of returning the pdu offset as if it had been a
+success...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-4-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 139133 ("Copy into fixed size buffer")
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/protocol.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/9p/protocol.c b/net/9p/protocol.c
+index 766d1ef4640a..1885403c9a3e 100644
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -622,13 +622,19 @@ int p9dirent_read(struct p9_client *clnt, char *buf, int len,
+ if (ret) {
+ p9_debug(P9_DEBUG_9P, "<<< p9dirent_read failed: %d\n", ret);
+ trace_9p_protocol_dump(clnt, &fake_pdu);
+- goto out;
++ return ret;
+ }
+
+- strcpy(dirent->d_name, nameptr);
++ ret = strscpy(dirent->d_name, nameptr, sizeof(dirent->d_name));
++ if (ret < 0) {
++ p9_debug(P9_DEBUG_ERROR,
++ "On the wire dirent name too long: %s\n",
++ nameptr);
++ kfree(nameptr);
++ return ret;
++ }
+ kfree(nameptr);
+
+-out:
+ return fake_pdu.offset;
+ }
+ EXPORT_SYMBOL(p9dirent_read);
+--
+2.20.1
+
diff --git a/queue-4.14/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch b/queue-4.14/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
new file mode 100644
index 00000000000..1c06f20ae1b
--- /dev/null
+++ b/queue-4.14/9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
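Review bot: The added `p9_debug(P9_DEBUG_ERROR, ...)` call prints `nameptr` with `%s`, which is exactly the server-supplied string that was just found to be too long for `dirent->d_name`, so an untrusted 9p server can push arbitrary, oversized text into the kernel log whenever that debug level is enabled. Logging the length instead keeps the diagnostic without echoing wire data: `p9_debug(P9_DEBUG_ERROR, "On the wire dirent name too long: %zu bytes\n", strlen(nameptr));`. The `return ret;` in that branch also deserves a comment that strscpy() has already written a truncated, NUL-terminated name into `dirent->d_name` by then, so callers must not use `dirent` after a negative return. p9dirent_read starts before the hunk.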
@@ -0,0 +1,45 @@
+From 7d53fb8b382a9d09b526a0e5c0b6875728926d50 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Thu, 30 Aug 2018 19:29:36 +0900
+Subject: 9p/rdma: do not disconnect on down_interruptible EAGAIN
+
+[ Upstream commit 8b894adb2b7e1d1e64b8954569c761eaf3d51ab5 ]
+
+9p/rdma would sometimes drop the connection and display errors in
+recv_done when the user does ^C.
+The errors were caused by recv buffers that were posted at the time
+of disconnect, and we just do not want to disconnect when
+down_interruptible is... interrupted.
+
+Link: http://lkml.kernel.org/r/1535625307-18019-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_rdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index f58467a49090..b7648b12bb1a 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -476,7 +476,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+
+ err = post_recv(client, rpl_context);
+ if (err) {
+- p9_debug(P9_DEBUG_FCALL, "POST RECV failed\n");
++ p9_debug(P9_DEBUG_ERROR, "POST RECV failed: %d\n", err);
+ goto recv_error;
+ }
+ /* remove posted receive buffer from request structure */
+@@ -545,7 +545,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
+ recv_error:
+ kfree(rpl_context);
+ spin_lock_irqsave(&rdma->req_lock, flags);
+- if (rdma->state < P9_RDMA_CLOSING) {
++ if (err != -EINTR && rdma->state < P9_RDMA_CLOSING) {
+ rdma->state = P9_RDMA_CLOSING;
+ spin_unlock_irqrestore(&rdma->req_lock, flags);
+ rdma_disconnect(rdma->cm_id);
+--
+2.20.1
+
diff --git a/queue-4.14/9p-rdma-remove-useless-check-in-cm_event_handler.patch b/queue-4.14/9p-rdma-remove-useless-check-in-cm_event_handler.patch
new file mode 100644
index 00000000000..a2ea735c4ec
--- /dev/null
+++ b/queue-4.14/9p-rdma-remove-useless-check-in-cm_event_handler.patch
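Review bot: The new condition `if (err != -EINTR && rdma->state < P9_RDMA_CLOSING)` at recv_error is unexplained in the code, and the label is shared by more than one failure path (the post_recv failure in the first inner hunk also jumps to it), so a reader cannot tell which caller is expected to produce -EINTR. A short comment would pin the intent, e.g. `/* -EINTR: down_interruptible() was interrupted by a signal; the connection itself is fine, do not tear it down */`. The branch taken when the condition is false lies outside the hunk; it should be confirmed that req_lock is still released there now that -EINTR reaches it with the state below P9_RDMA_CLOSING. The subject line says EAGAIN while the code tests -EINTR, which the comment would also make unambiguous.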
@@ -0,0 +1,36 @@
+From 02506de8fc35ae351e606e140451a7ad340bf411 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Sat, 8 Sep 2018 00:26:50 +0900
+Subject: 9p/rdma: remove useless check in cm_event_handler
+
+[ Upstream commit 473c7dd1d7b59ff8f88a5154737e3eac78a96e5b ]
+
+the client c is always dereferenced to get the rdma struct, so c has to
+be a valid pointer at this point.
+Gcc would optimize that away but let's make coverity happy...
+
+Link: http://lkml.kernel.org/r/1536339057-21974-3-git-send-email-asmadeus@codewreck.org
+Addresses-Coverity-ID: 102778 ("Dereference before null check")
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_rdma.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
+index b7648b12bb1a..16a4a31f16e0 100644
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -276,8 +276,7 @@ p9_cm_event_handler(struct rdma_cm_id *id, struct rdma_cm_event *event)
+ case RDMA_CM_EVENT_DISCONNECTED:
+ if (rdma)
+ rdma->state = P9_RDMA_CLOSED;
+- if (c)
+- c->status = Disconnected;
++ c->status = Disconnected;
+ break;
+
+ case RDMA_CM_EVENT_TIMEWAIT_EXIT:
+--
+2.20.1
+
diff --git a/queue-4.14/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch b/queue-4.14/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch
new file mode 100644
index 00000000000..f3c891f4a66
--- /dev/null
+++ b/queue-4.14/9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch
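Review bot: After this change the DISCONNECTED case in p9_cm_event_handler still guards `rdma->state = P9_RDMA_CLOSED;` with `if (rdma)` while `c->status = Disconnected;` is unconditional, which reads as inconsistent without the commit message at hand. If `rdma` can legitimately be NULL when this event arrives, a comment saying so (for example `/* c is always valid here; rdma may not be set up yet */`) would keep a later static-analysis cleanup from touching the wrong check; if it cannot, the remaining guard is as redundant as the one removed. Which of the two holds is not visible from the hunk, since the assignments to `c` and `rdma` are above it.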
@@ -0,0 +1,43 @@
+From d7b14a086d552df90133e02691e60b103acd14b8 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Tue, 14 Aug 2018 02:43:48 +0000
+Subject: 9p/xen: fix check for xenbus_read error in front_probe
+
+[ Upstream commit 2f9ad0ac947ccbe3ffe7c6229c9330f2a7755f64 ]
+
+If the xen bus exists but does not expose the proper interface, it is
+possible to get a non-zero length but still some error, leading to
+strcmp failing trying to load invalid memory addresses e.g.
+fffffffffffffffe.
+
+There is then no need to check length when there is no error, as the
+xenbus driver guarantees that the string is nul-terminated.
+
+Link: http://lkml.kernel.org/r/1534236007-10170-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet
+Reviewed-by: Stefano Stabellini
+Cc: Eric Van Hensbergen
+Cc: Latchesar Ionkov
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_xen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index c10bdf63eae7..389eb635ec2c 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -392,8 +392,8 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
+ unsigned int max_rings, max_ring_order, len = 0;
+
+ versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len);
+- if (!len)
+- return -EINVAL;
++ if (IS_ERR(versions))
++ return PTR_ERR(versions);
+ if (strcmp(versions, "1")) {
+ kfree(versions);
+ return -EINVAL;
+--
+2.20.1
+
diff --git a/queue-4.14/net-9p-include-trans_common.h-to-fix-missing-prototy.patch b/queue-4.14/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
new file mode 100644
index 00000000000..c6f7b4cb11a
--- /dev/null
+++ b/queue-4.14/net-9p-include-trans_common.h-to-fix-missing-prototy.patch
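Review bot: With the `if (!len)` test gone, xen_9pfs_front_probe relies entirely on xenbus_read() returning either an ERR_PTR or a NUL-terminated string, and nothing in the code records that contract. I would put it next to the check, e.g. `/* xenbus_read() returns an ERR_PTR on failure and a NUL-terminated string otherwise; len is not a reliable error signal */`. IS_ERR() does not catch NULL, so it is worth confirming that xenbus_read() never returns NULL before the following strcmp(); the commit message implies it does not, but that is not visible here. `len` is still declared and passed in, and whether it is used later is outside the hunk.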
@@ -0,0 +1,35 @@
+From caa15b67ea031dc963a1c5041ef7729217ebfb27 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adeodato=20Sim=C3=B3?=
+Date: Tue, 13 Nov 2018 03:28:53 -0300
+Subject: net/9p: include trans_common.h to fix missing prototype warning.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 52ad259eaac0454c1ac7123e7148cf8d6e6f5301 ]
+
+This silences -Wmissing-prototypes when defining p9_release_pages.
+
+Link: http://lkml.kernel.org/r/b1c4df8f21689b10d451c28fe38e860722d20e71.1542089696.git.dato@net.com.org.es
+Signed-off-by: Adeodato Simó
+Signed-off-by: Dominique Martinet
+Signed-off-by: Sasha Levin
+---
+ net/9p/trans_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
+index 38aa6345bdfa..9c0c894b56f8 100644
+--- a/net/9p/trans_common.c
++++ b/net/9p/trans_common.c
+@@ -14,6 +14,7 @@
+
+ #include
+ #include
++#include "trans_common.h"
+
+ /**
+ * p9_release_req_pages - Release pages after the transaction.
+--
+2.20.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 3fe3123e809..4f2078f58a9 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -5,3 +5,9 @@ revert-x86-uaccess-ftrace-fix-ftrace_likely_update-v.patch
 ib-hfi1-close-psm-sdma_progress-sleep-window.patch
 block-add-a-lower-level-bio_add_page-interface.patch
 block-bio_iov_iter_get_pages-pin-more-pages-for-mult.patch
+9p-xen-fix-check-for-xenbus_read-error-in-front_prob.patch
+9p-rdma-do-not-disconnect-on-down_interruptible-eaga.patch
+9p-acl-fix-uninitialized-iattr-access.patch
+9p-rdma-remove-useless-check-in-cm_event_handler.patch
+9p-p9dirent_read-check-network-provided-name-length.patch
+net-9p-include-trans_common.h-to-fix-missing-prototy.patch