From: Greg Kroah-Hartman Date: Mon, 18 Jan 2021 10:10:21 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.169~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=92c74be2fbe412996a4d70463c0752ebed830042;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-fireface-fix-integer-overflow-in-transmit_midi_msg.patch alsa-firewire-tascam-fix-integer-overflow-in-midi_port_work.patch asoc-intel-fix-error-code-cnl_set_dsp_d0.patch dm-eliminate-potential-source-of-excessive-kernel-log-noise.patch dump_common_audit_data-fix-racy-accesses-to-d_name.patch ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch netfilter-conntrack-fix-reading-nf_conntrack_buckets.patch nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch nfs4-fix-use-after-free-in-trace_event_raw_event_nfs4_set_lock.patch pnfs-mark-layout-for-return-if-return-on-close-was-not-sent.patch rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch --- diff --git a/queue-4.14/alsa-fireface-fix-integer-overflow-in-transmit_midi_msg.patch b/queue-4.14/alsa-fireface-fix-integer-overflow-in-transmit_midi_msg.patch new file mode 100644 index 00000000000..9bfa4585169 --- /dev/null +++ b/queue-4.14/alsa-fireface-fix-integer-overflow-in-transmit_midi_msg.patch @@ -0,0 +1,41 @@ +From e7c22eeaff8565d9a8374f320238c251ca31480b Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 11 Jan 2021 14:02:50 +0100 +Subject: ALSA: fireface: Fix integer overflow in transmit_midi_msg() + +From: Geert Uytterhoeven + +commit e7c22eeaff8565d9a8374f320238c251ca31480b upstream. + +As snd_ff.rx_bytes[] is unsigned int, and NSEC_PER_SEC is 1000000000L, +the second multiplication in + + ff->rx_bytes[port] * 8 * NSEC_PER_SEC / 31250 + +always overflows on 32-bit platforms, truncating the result. Fix this +by precalculating "NSEC_PER_SEC / 31250", which is an integer constant. + +Note that this assumes ff->rx_bytes[port] <= 16777. + +Fixes: 19174295788de77d ("ALSA: fireface: add transaction support") +Reviewed-by: Takashi Sakamoto +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20210111130251.361335-2-geert+renesas@glider.be +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/fireface/ff-transaction.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/fireface/ff-transaction.c ++++ b/sound/firewire/fireface/ff-transaction.c +@@ -99,7 +99,7 @@ static void transmit_midi_msg(struct snd + + /* Set interval to next transaction. */ + ff->next_ktime[port] = ktime_add_ns(ktime_get(), +- len * 8 * NSEC_PER_SEC / 31250); ++ len * 8 * (NSEC_PER_SEC / 31250)); + ff->rx_bytes[port] = len; + + /* diff --git a/queue-4.14/alsa-firewire-tascam-fix-integer-overflow-in-midi_port_work.patch b/queue-4.14/alsa-firewire-tascam-fix-integer-overflow-in-midi_port_work.patch new file mode 100644 index 00000000000..06ff5132cf9 --- /dev/null +++ b/queue-4.14/alsa-firewire-tascam-fix-integer-overflow-in-midi_port_work.patch @@ -0,0 +1,41 @@ +From 9f65df9c589f249435255da37a5dd11f1bc86f4d Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 11 Jan 2021 14:02:51 +0100 +Subject: ALSA: firewire-tascam: Fix integer overflow in midi_port_work() + +From: Geert Uytterhoeven + +commit 9f65df9c589f249435255da37a5dd11f1bc86f4d upstream. + +As snd_fw_async_midi_port.consume_bytes is unsigned int, and +NSEC_PER_SEC is 1000000000L, the second multiplication in + + port->consume_bytes * 8 * NSEC_PER_SEC / 31250 + +always overflows on 32-bit platforms, truncating the result. Fix this +by precalculating "NSEC_PER_SEC / 31250", which is an integer constant. + +Note that this assumes port->consume_bytes <= 16777. + +Fixes: 531f471834227d03 ("ALSA: firewire-lib/firewire-tascam: localize async midi port") +Reviewed-by: Takashi Sakamoto +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20210111130251.361335-3-geert+renesas@glider.be +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/tascam/tascam-transaction.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/tascam/tascam-transaction.c ++++ b/sound/firewire/tascam/tascam-transaction.c +@@ -210,7 +210,7 @@ static void midi_port_work(struct work_s + + /* Set interval to next transaction. */ + port->next_ktime = ktime_add_ns(ktime_get(), +- port->consume_bytes * 8 * NSEC_PER_SEC / 31250); ++ port->consume_bytes * 8 * (NSEC_PER_SEC / 31250)); + + /* Start this transaction. */ + port->idling = false; diff --git a/queue-4.14/asoc-intel-fix-error-code-cnl_set_dsp_d0.patch b/queue-4.14/asoc-intel-fix-error-code-cnl_set_dsp_d0.patch new file mode 100644 index 00000000000..e6b122dc3ec --- /dev/null +++ b/queue-4.14/asoc-intel-fix-error-code-cnl_set_dsp_d0.patch @@ -0,0 +1,33 @@ +From f373a811fd9a69fc8bafb9bcb41d2cfa36c62665 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 11 Dec 2020 13:06:52 +0300 +Subject: ASoC: Intel: fix error code cnl_set_dsp_D0() + +From: Dan Carpenter + +commit f373a811fd9a69fc8bafb9bcb41d2cfa36c62665 upstream. + +Return -ETIMEDOUT if the dsp boot times out instead of returning +success. + +Fixes: cb6a55284629 ("ASoC: Intel: cnl: Add sst library functions for cnl platform") +Signed-off-by: Dan Carpenter +Reviewed-by: Cezary Rojewski +Link: https://lore.kernel.org/r/X9NEvCzuN+IObnTN@mwanda +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/intel/skylake/cnl-sst.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/intel/skylake/cnl-sst.c ++++ b/sound/soc/intel/skylake/cnl-sst.c +@@ -212,6 +212,7 @@ static int cnl_set_dsp_D0(struct sst_dsp + "dsp boot timeout, status=%#x error=%#x\n", + sst_dsp_shim_read(ctx, CNL_ADSP_FW_STATUS), + sst_dsp_shim_read(ctx, CNL_ADSP_ERROR_CODE)); ++ ret = -ETIMEDOUT; + goto err; + } + } else { diff --git a/queue-4.14/dm-eliminate-potential-source-of-excessive-kernel-log-noise.patch b/queue-4.14/dm-eliminate-potential-source-of-excessive-kernel-log-noise.patch new file mode 100644 index 00000000000..5fe935a4c37 --- /dev/null +++ b/queue-4.14/dm-eliminate-potential-source-of-excessive-kernel-log-noise.patch @@ -0,0 +1,35 @@ +From 0378c625afe80eb3f212adae42cc33c9f6f31abf Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Wed, 6 Jan 2021 18:19:05 -0500 +Subject: dm: eliminate potential source of excessive kernel log noise + +From: Mike Snitzer + +commit 0378c625afe80eb3f212adae42cc33c9f6f31abf upstream. + +There wasn't ever a real need to log an error in the kernel log for +ioctls issued with insufficient permissions. Simply return an error +and if an admin/user is sufficiently motivated they can enable DM's +dynamic debugging to see an explanation for why the ioctls were +disallowed. + +Reported-by: Nir Soffer +Fixes: e980f62353c6 ("dm: don't allow ioctls to targets that don't map to whole devices") +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -472,7 +472,7 @@ static int dm_blk_ioctl(struct block_dev + * subset of the parent bdev; require extra privileges. + */ + if (!capable(CAP_SYS_RAWIO)) { +- DMWARN_LIMIT( ++ DMDEBUG_LIMIT( + "%s: sending ioctl %x to DM device without required privilege.", + current->comm, cmd); + r = -ENOIOCTLCMD; diff --git a/queue-4.14/dump_common_audit_data-fix-racy-accesses-to-d_name.patch b/queue-4.14/dump_common_audit_data-fix-racy-accesses-to-d_name.patch new file mode 100644 index 00000000000..c87b3c7cfb0 --- /dev/null +++ b/queue-4.14/dump_common_audit_data-fix-racy-accesses-to-d_name.patch @@ -0,0 +1,45 @@ +From d36a1dd9f77ae1e72da48f4123ed35627848507d Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 5 Jan 2021 14:43:46 -0500 +Subject: dump_common_audit_data(): fix racy accesses to ->d_name + +From: Al Viro + +commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream. + +We are not guaranteed the locking environment that would prevent +dentry getting renamed right under us. And it's possible for +old long name to be freed after rename, leading to UAF here. + +Cc: stable@kernel.org # v2.6.2+ +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + security/lsm_audit.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/security/lsm_audit.c ++++ b/security/lsm_audit.c +@@ -277,7 +277,9 @@ static void dump_common_audit_data(struc + struct inode *inode; + + audit_log_format(ab, " name="); ++ spin_lock(&a->u.dentry->d_lock); + audit_log_untrustedstring(ab, a->u.dentry->d_name.name); ++ spin_unlock(&a->u.dentry->d_lock); + + inode = d_backing_inode(a->u.dentry); + if (inode) { +@@ -295,8 +297,9 @@ static void dump_common_audit_data(struc + dentry = d_find_alias(inode); + if (dentry) { + audit_log_format(ab, " name="); +- audit_log_untrustedstring(ab, +- dentry->d_name.name); ++ spin_lock(&dentry->d_lock); ++ audit_log_untrustedstring(ab, dentry->d_name.name); ++ spin_unlock(&dentry->d_lock); + dput(dentry); + } + audit_log_format(ab, " dev="); diff --git a/queue-4.14/ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch b/queue-4.14/ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch new file mode 100644 index 00000000000..98e8f7be103 --- /dev/null +++ b/queue-4.14/ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch @@ -0,0 +1,38 @@ +From dfd56c2c0c0dbb11be939b804ddc8d5395ab3432 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 16 Dec 2020 11:18:43 +0100 +Subject: ext4: fix superblock checksum failure when setting password salt + +From: Jan Kara + +commit dfd56c2c0c0dbb11be939b804ddc8d5395ab3432 upstream. + +When setting password salt in the superblock, we forget to recompute the +superblock checksum so it will not match until the next superblock +modification which recomputes the checksum. Fix it. + +CC: Michael Halcrow +Reported-by: Andreas Dilger +Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20201216101844.22917-8-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/ioctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -1032,7 +1032,10 @@ resizefs_out: + err = ext4_journal_get_write_access(handle, sbi->s_sbh); + if (err) + goto pwsalt_err_journal; ++ lock_buffer(sbi->s_sbh); + generate_random_uuid(sbi->s_es->s_encrypt_pw_salt); ++ ext4_superblock_csum_set(sb); ++ unlock_buffer(sbi->s_sbh); + err = ext4_handle_dirty_metadata(handle, NULL, + sbi->s_sbh); + pwsalt_err_journal: diff --git a/queue-4.14/mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch b/queue-4.14/mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch new file mode 100644 index 00000000000..f264e782084 --- /dev/null +++ b/queue-4.14/mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch @@ -0,0 +1,47 @@ +From 8ff60eb052eeba95cfb3efe16b08c9199f8121cf Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 12 Jan 2021 15:49:04 -0800 +Subject: mm, slub: consider rest of partial list if acquire_slab() fails + +From: Jann Horn + +commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf upstream. + +acquire_slab() fails if there is contention on the freelist of the page +(probably because some other CPU is concurrently freeing an object from +the page). In that case, it might make sense to look for a different page +(since there might be more remote frees to the page from other CPUs, and +we don't want contention on struct page). + +However, the current code accidentally stops looking at the partial list +completely in that case. Especially on kernels without CONFIG_NUMA set, +this means that get_partial() fails and new_slab_objects() falls back to +new_slab(), allocating new pages. This could lead to an unnecessary +increase in memory fragmentation. + +Link: https://lkml.kernel.org/r/20201228130853.1871516-1-jannh@google.com +Fixes: 7ced37197196 ("slub: Acquire_slab() avoid loop") +Signed-off-by: Jann Horn +Acked-by: David Rientjes +Acked-by: Joonsoo Kim +Cc: Christoph Lameter +Cc: Pekka Enberg +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1846,7 +1846,7 @@ static void *get_partial_node(struct kme + + t = acquire_slab(s, n, page, object == NULL, &objects); + if (!t) +- break; ++ continue; /* cmpxchg raced */ + + available += objects; + if (!object) { diff --git a/queue-4.14/net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch b/queue-4.14/net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch new file mode 100644 index 00000000000..1ec2be6f5d4 --- /dev/null +++ b/queue-4.14/net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch @@ -0,0 +1,47 @@ +From 86b53fbf08f48d353a86a06aef537e78e82ba721 Mon Sep 17 00:00:00 2001 +From: "j.nixdorf@avm.de" +Date: Tue, 5 Jan 2021 15:17:01 +0100 +Subject: net: sunrpc: interpret the return value of kstrtou32 correctly + +From: j.nixdorf@avm.de + +commit 86b53fbf08f48d353a86a06aef537e78e82ba721 upstream. + +A return value of 0 means success. This is documented in lib/kstrtox.c. + +This was found by trying to mount an NFS share from a link-local IPv6 +address with the interface specified by its index: + + mount("[fe80::1%1]:/srv/nfs", "/mnt", "nfs", 0, "nolock,addr=fe80::1%1") + +Before this commit this failed with EINVAL and also caused the following +message in dmesg: + + [...] NFS: bad IP address specified: addr=fe80::1%1 + +The syscall using the same address based on the interface name instead +of its index succeeds. + +Credits for this patch go to my colleague Christian Speich, who traced +the origin of this bug to this line of code. + +Signed-off-by: Johannes Nixdorf +Fixes: 00cfaa943ec3 ("replace strict_strto calls") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/addr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/addr.c ++++ b/net/sunrpc/addr.c +@@ -184,7 +184,7 @@ static int rpc_parse_scope_id(struct net + scope_id = dev->ifindex; + dev_put(dev); + } else { +- if (kstrtou32(p, 10, &scope_id) == 0) { ++ if (kstrtou32(p, 10, &scope_id) != 0) { + kfree(p); + return 0; + } diff --git a/queue-4.14/netfilter-conntrack-fix-reading-nf_conntrack_buckets.patch b/queue-4.14/netfilter-conntrack-fix-reading-nf_conntrack_buckets.patch new file mode 100644 index 00000000000..bcdf6df97ff --- /dev/null +++ b/queue-4.14/netfilter-conntrack-fix-reading-nf_conntrack_buckets.patch @@ -0,0 +1,47 @@ +From f6351c3f1c27c80535d76cac2299aec44c36291e Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Fri, 8 Jan 2021 12:44:33 +0100 +Subject: netfilter: conntrack: fix reading nf_conntrack_buckets + +From: Jesper Dangaard Brouer + +commit f6351c3f1c27c80535d76cac2299aec44c36291e upstream. + +The old way of changing the conntrack hashsize runtime was through changing +the module param via file /sys/module/nf_conntrack/parameters/hashsize. This +was extended to sysctl change in commit 3183ab8997a4 ("netfilter: conntrack: +allow increasing bucket size via sysctl too"). + +The commit introduced second "user" variable nf_conntrack_htable_size_user +which shadow actual variable nf_conntrack_htable_size. When hashsize is +changed via module param this "user" variable isn't updated. This results in +sysctl net/netfilter/nf_conntrack_buckets shows the wrong value when users +update via the old way. + +This patch fix the issue by always updating "user" variable when reading the +proc file. This will take care of changes to the actual variable without +sysctl need to be aware. + +Fixes: 3183ab8997a4 ("netfilter: conntrack: allow increasing bucket size via sysctl too") +Reported-by: Yoel Caspersen +Signed-off-by: Jesper Dangaard Brouer +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_standalone.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -537,6 +537,9 @@ nf_conntrack_hash_sysctl(struct ctl_tabl + { + int ret; + ++ /* module_param hashsize could have changed value */ ++ nf_conntrack_htable_size_user = nf_conntrack_htable_size; ++ + ret = proc_dointvec(table, write, buffer, lenp, ppos); + if (ret < 0 || !write) + return ret; diff --git a/queue-4.14/nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch b/queue-4.14/nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch new file mode 100644 index 00000000000..939fa77af22 --- /dev/null +++ b/queue-4.14/nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch @@ -0,0 +1,43 @@ +From 896567ee7f17a8a736cda8a28cc987228410a2ac Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 10 Jan 2021 15:58:08 -0500 +Subject: NFS: nfs_igrab_and_active must first reference the superblock + +From: Trond Myklebust + +commit 896567ee7f17a8a736cda8a28cc987228410a2ac upstream. + +Before referencing the inode, we must ensure that the superblock can be +referenced. Otherwise, we can end up with iput() calling superblock +operations that are no longer valid or accessible. + +Fixes: ea7c38fef0b7 ("NFSv4: Ensure we reference the inode for return-on-close in delegreturn") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/internal.h | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -575,12 +575,14 @@ extern int nfs4_test_session_trunk(struc + + static inline struct inode *nfs_igrab_and_active(struct inode *inode) + { +- inode = igrab(inode); +- if (inode != NULL && !nfs_sb_active(inode->i_sb)) { +- iput(inode); +- inode = NULL; ++ struct super_block *sb = inode->i_sb; ++ ++ if (sb && nfs_sb_active(sb)) { ++ if (igrab(inode)) ++ return inode; ++ nfs_sb_deactive(sb); + } +- return inode; ++ return NULL; + } + + static inline void nfs_iput_and_deactive(struct inode *inode) diff --git a/queue-4.14/nfs4-fix-use-after-free-in-trace_event_raw_event_nfs4_set_lock.patch b/queue-4.14/nfs4-fix-use-after-free-in-trace_event_raw_event_nfs4_set_lock.patch new file mode 100644 index 00000000000..6631a32c9af --- /dev/null +++ b/queue-4.14/nfs4-fix-use-after-free-in-trace_event_raw_event_nfs4_set_lock.patch @@ -0,0 +1,34 @@ +From 3d1a90ab0ed93362ec8ac85cf291243c87260c21 Mon Sep 17 00:00:00 2001 +From: Dave Wysochanski +Date: Fri, 11 Dec 2020 05:12:51 -0500 +Subject: NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock + +From: Dave Wysochanski + +commit 3d1a90ab0ed93362ec8ac85cf291243c87260c21 upstream. + +It is only safe to call the tracepoint before rpc_put_task() because +'data' is freed inside nfs4_lock_release (rpc_release). + +Fixes: 48c9579a1afe ("Adding stateid information to tracepoints") +Signed-off-by: Dave Wysochanski +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -6395,9 +6395,9 @@ static int _nfs4_do_setlk(struct nfs4_st + data->arg.new_lock_owner, ret); + } else + data->cancelled = true; ++ trace_nfs4_set_lock(fl, state, &data->res.stateid, cmd, ret); + rpc_put_task(task); + dprintk("%s: done, ret = %d!\n", __func__, ret); +- trace_nfs4_set_lock(fl, state, &data->res.stateid, cmd, ret); + return ret; + } + diff --git a/queue-4.14/pnfs-mark-layout-for-return-if-return-on-close-was-not-sent.patch b/queue-4.14/pnfs-mark-layout-for-return-if-return-on-close-was-not-sent.patch new file mode 100644 index 00000000000..4614c681b92 --- /dev/null +++ b/queue-4.14/pnfs-mark-layout-for-return-if-return-on-close-was-not-sent.patch @@ -0,0 +1,41 @@ +From 67bbceedc9bb8ad48993a8bd6486054756d711f4 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 4 Jan 2021 13:35:46 -0500 +Subject: pNFS: Mark layout for return if return-on-close was not sent + +From: Trond Myklebust + +commit 67bbceedc9bb8ad48993a8bd6486054756d711f4 upstream. + +If the layout return-on-close failed because the layoutreturn was never +sent, then we should mark the layout for return again. + +Fixes: 9c47b18cf722 ("pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pnfs.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1328,12 +1328,18 @@ void pnfs_roc_release(struct nfs4_layout + int ret) + { + struct pnfs_layout_hdr *lo = args->layout; ++ struct inode *inode = args->inode; + const nfs4_stateid *arg_stateid = NULL; + const nfs4_stateid *res_stateid = NULL; + struct nfs4_xdr_opaque_data *ld_private = args->ld_private; + + switch (ret) { + case -NFS4ERR_NOMATCHING_LAYOUT: ++ spin_lock(&inode->i_lock); ++ if (pnfs_layout_is_valid(lo) && ++ nfs4_stateid_match_other(&args->stateid, &lo->plh_stateid)) ++ pnfs_set_plh_return_info(lo, args->range.iomode, 0); ++ spin_unlock(&inode->i_lock); + break; + case 0: + if (res->lrs_present) diff --git a/queue-4.14/rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch b/queue-4.14/rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch new file mode 100644 index 00000000000..71dd68bbf53 --- /dev/null +++ b/queue-4.14/rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch @@ -0,0 +1,42 @@ +From a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 Mon Sep 17 00:00:00 2001 +From: Dinghao Liu +Date: Sat, 26 Dec 2020 15:42:48 +0800 +Subject: RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp + +From: Dinghao Liu + +commit a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 upstream. + +If usnic_ib_qp_grp_create() fails at the first call, dev_list +will not be freed on error, which leads to memleak. + +Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver") +Link: https://lore.kernel.org/r/20201226074248.2893-1-dinghao.liu@zju.edu.cn +Signed-off-by: Dinghao Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c ++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +@@ -188,6 +188,7 @@ find_free_vf_and_create_qp_grp(struct us + + } + usnic_uiom_free_dev_list(dev_list); ++ dev_list = NULL; + } + + /* Try to find resources on an unused vf */ +@@ -212,6 +213,8 @@ find_free_vf_and_create_qp_grp(struct us + qp_grp_check: + if (IS_ERR_OR_NULL(qp_grp)) { + usnic_err("Failed to allocate qp_grp\n"); ++ if (usnic_ib_share_vf) ++ usnic_uiom_free_dev_list(dev_list); + return ERR_PTR(qp_grp ? PTR_ERR(qp_grp) : -ENOMEM); + } + return qp_grp; diff --git a/queue-4.14/series b/queue-4.14/series index b9ee9971205..03508f7ced2 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -17,3 +17,16 @@ misdn-dsp-select-config_bitreverse.patch net-ethernet-fs_enet-add-missing-module_license.patch acpi-scan-add-stub-acpi_create_platform_device-for-c.patch arm-picoxcell-fix-missing-interrupt-parent-propertie.patch +dump_common_audit_data-fix-racy-accesses-to-d_name.patch +asoc-intel-fix-error-code-cnl_set_dsp_d0.patch +nfs4-fix-use-after-free-in-trace_event_raw_event_nfs4_set_lock.patch +pnfs-mark-layout-for-return-if-return-on-close-was-not-sent.patch +nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch +ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch +rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch +mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch +net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch +dm-eliminate-potential-source-of-excessive-kernel-log-noise.patch +alsa-firewire-tascam-fix-integer-overflow-in-midi_port_work.patch +alsa-fireface-fix-integer-overflow-in-transmit_midi_msg.patch +netfilter-conntrack-fix-reading-nf_conntrack_buckets.patch