From: Greg Kroah-Hartman Date: Sat, 29 May 2021 13:55:10 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.271~126 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cf7868c30d6c048eeb7789aab0ff18a8a3316b7d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: cifs-set-server-cipher_type-to-aes-128-ccm-for-smb3.0.patch iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
---
diff --git a/queue-4.19/cifs-set-server-cipher_type-to-aes-128-ccm-for-smb3.0.patch b/queue-4.19/cifs-set-server-cipher_type-to-aes-128-ccm-for-smb3.0.patch
new file mode 100644
index 00000000000..3e34ec88b06
--- /dev/null
+++ b/queue-4.19/cifs-set-server-cipher_type-to-aes-128-ccm-for-smb3.0.patch
@@ -0,0 +1,48 @@
+From 6d2fcfe6b517fe7cbf2687adfb0a16cdcd5d9243 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel
+Date: Fri, 21 May 2021 17:19:27 +0200
+Subject: cifs: set server->cipher_type to AES-128-CCM for SMB3.0
+
+From: Aurelien Aptel
+
+commit 6d2fcfe6b517fe7cbf2687adfb0a16cdcd5d9243 upstream.
+
+SMB3.0 doesn't have encryption negotiate context but simply uses
+the SMB2_GLOBAL_CAP_ENCRYPTION flag.
+
+When that flag is present in the neg response cifs.ko uses AES-128-CCM
+which is the only cipher available in this context.
+
+cipher_type was set to the server cipher only when parsing encryption
+negotiate context (SMB3.1.1).
+
+For SMB3.0 it was set to 0. This means cipher_type value can be 0 or 1
+for AES-128-CCM.
+
+Fix this by checking for SMB3.0 and encryption capability and setting
+cipher_type appropriately.
+
+Signed-off-by: Aurelien Aptel
+Cc:
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/smb2pdu.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -791,6 +791,13 @@ SMB2_negotiate(const unsigned int xid, s
+ /* Internal types */
+ server->capabilities |= SMB2_NT_FIND | SMB2_LARGE_FILES;
+
++ /*
++ * SMB3.0 supports only 1 cipher and doesn't have a encryption neg context
++ * Set the cipher type manually.
++ */
++ if (server->dialect == SMB30_PROT_ID && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))
++ server->cipher_type = SMB2_ENCRYPTION_AES128_CCM;
++
+ security_blob = smb2_get_data_area_len(&blob_offset, &blob_length,
+ (struct smb2_sync_hdr *)rsp);
+ /*
diff --git a/queue-4.19/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch b/queue-4.19/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch
new file mode 100644
index 00000000000..1b790c34a64
--- /dev/null
+++ b/queue-4.19/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch
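Review bot: In the SMB2_negotiate hunk of the cifs patch, the new check matches only `SMB30_PROT_ID`, so a session that negotiates SMB 3.0.2 with `SMB2_GLOBAL_CAP_ENCRYPTION` would presumably still leave `server->cipher_type` at 0. That dialect also has no encryption negotiate context, so the 0-or-1 ambiguity the commit message describes may persist for it. If so, the condition could cover both dialects: `if ((server->dialect == SMB30_PROT_ID || server->dialect == SMB302_PROT_ID) && (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION))`. The added comment would read better as `SMB3.0 supports only one cipher and has no encryption negotiate context; set the cipher type manually.` SMB2_negotiate starts and ends outside the hunk, so whether another path already sets the field cannot be seen here.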
@@ -0,0 +1,44 @@
+From 0ee74d5a48635c848c20f152d0d488bf84641304 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer
+Date: Tue, 25 May 2021 15:08:02 +0800
+Subject: iommu/vt-d: Fix sysfs leak in alloc_iommu()
+
+From: Rolf Eike Beer
+
+commit 0ee74d5a48635c848c20f152d0d488bf84641304 upstream.
+
+iommu_device_sysfs_add() is called before, so is has to be cleaned on subsequent
+errors.
+
+Fixes: 39ab9555c2411 ("iommu: Add sysfs bindings for struct iommu_device")
+Cc: stable@vger.kernel.org # 4.11.x
+Signed-off-by: Rolf Eike Beer
+Acked-by: Lu Baolu
+Link: https://lore.kernel.org/r/17411490.HIIP88n32C@mobilepool36.emlix.com
+Link: https://lore.kernel.org/r/20210525070802.361755-2-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/dmar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/dmar.c
++++ b/drivers/iommu/dmar.c
+@@ -1119,7 +1119,7 @@ static int alloc_iommu(struct dmar_drhd_
+
+ err = iommu_device_register(&iommu->iommu);
+ if (err)
+- goto err_unmap;
++ goto err_sysfs;
+ }
+
+ drhd->iommu = iommu;
+@@ -1127,6 +1127,8 @@ static int alloc_iommu(struct dmar_drhd_
+
+ return 0;
+
++err_sysfs:
++ iommu_device_sysfs_remove(&iommu->iommu);
+ err_unmap:
+ unmap_iommu(iommu);
+ error_free_seq_id:
diff --git a/queue-4.19/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch b/queue-4.19/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
new file mode 100644
index 00000000000..b7bdb3447bf
--- /dev/null
+++ b/queue-4.19/nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
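Review bot: The new `err_sysfs` label in alloc_iommu() (iommu patch) is correct only if it is reached solely after iommu_device_sysfs_add() has succeeded and stays directly above `err_unmap` so that it falls through; neither constraint is written down. The sysfs_add call and its own failure branch are outside the hunk, so it is worth confirming that branch still jumps to `err_unmap` and not to the new label. A short comment above the label would guard against a later reordering: `/* only reached after iommu_device_sysfs_add() succeeded; falls through to err_unmap */`.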
@@ -0,0 +1,60 @@
+From a421d218603ffa822a0b8045055c03eae394a7eb Mon Sep 17 00:00:00 2001
+From: Anna Schumaker
+Date: Wed, 19 May 2021 12:54:51 -0400
+Subject: NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()
+
+From: Anna Schumaker
+
+commit a421d218603ffa822a0b8045055c03eae394a7eb upstream.
+
+Commit de144ff4234f changes _pnfs_return_layout() to call
+pnfs_mark_matching_lsegs_return() passing NULL as the struct
+pnfs_layout_range argument. Unfortunately,
+pnfs_mark_matching_lsegs_return() doesn't check if we have a value here
+before dereferencing it, causing an oops.
+
+I'm able to hit this crash consistently when running connectathon basic
+tests on NFS v4.1/v4.2 against Ontap.
+
+Fixes: de144ff4234f ("NFSv4: Don't discard segments marked for return in _pnfs_return_layout()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anna Schumaker
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/pnfs.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1268,6 +1268,11 @@ _pnfs_return_layout(struct inode *ino)
+ {
+ struct pnfs_layout_hdr *lo = NULL;
+ struct nfs_inode *nfsi = NFS_I(ino);
++ struct pnfs_layout_range range = {
++ .iomode = IOMODE_ANY,
++ .offset = 0,
++ .length = NFS4_MAX_UINT64,
++ };
+ LIST_HEAD(tmp_list);
+ nfs4_stateid stateid;
+ int status = 0;
+@@ -1294,16 +1299,10 @@ _pnfs_return_layout(struct inode *ino)
+ }
+ valid_layout = pnfs_layout_is_valid(lo);
+ pnfs_clear_layoutcommit(ino, &tmp_list);
+- pnfs_mark_matching_lsegs_return(lo, &tmp_list, NULL, 0);
++ pnfs_mark_matching_lsegs_return(lo, &tmp_list, &range, 0);
+
+- if (NFS_SERVER(ino)->pnfs_curr_ld->return_range) {
+- struct pnfs_layout_range range = {
+- .iomode = IOMODE_ANY,
+- .offset = 0,
+- .length = NFS4_MAX_UINT64,
+- };
++ if (NFS_SERVER(ino)->pnfs_curr_ld->return_range)
+ NFS_SERVER(ino)->pnfs_curr_ld->return_range(lo, &range);
+- }
+
+ /* Don't send a LAYOUTRETURN if list was initially empty */
+ if (!test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags) ||
diff --git a/queue-4.19/series b/queue-4.19/series
index 2e9c5e3838d..023fd6eed7f 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1,3 +1,6 @@
 mm-vmstat-drop-zone-lock-in-proc-pagetypeinfo.patch
 usb-dwc3-gadget-enable-suspend-events.patch
 nfc-nci-fix-memory-leak-in-nci_allocate_device.patch
+cifs-set-server-cipher_type-to-aes-128-ccm-for-smb3.0.patch
+nfsv4-fix-a-null-pointer-dereference-in-pnfs_mark_matching_lsegs_return.patch
+iommu-vt-d-fix-sysfs-leak-in-alloc_iommu.patch
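Review bot: The NFSv4 patch stops _pnfs_return_layout() from passing NULL, but by its own commit message pnfs_mark_matching_lsegs_return() dereferences the range argument without a check, and nothing in the hunks changes that, so any other caller passing NULL would hit the same oops. The callee is not shown here; if it is indeed unchanged, the non-NULL contract should at least be documented at its definition, e.g. `/* range must not be NULL; pass a full-file IOMODE_ANY range to match every segment */`, or an early guard could be added there. _pnfs_return_layout() continues past the end of the second hunk, so the remaining uses of `range` cannot be checked from this view.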