From: Greg Kroah-Hartman Date: Mon, 18 Jan 2021 10:03:27 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.19.169~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d2816cf613d7d7e30f5c0a15351b38c0341b9fd9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: dump_common_audit_data-fix-racy-accesses-to-d_name.patch ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch input-uinput-avoid-ff-flush-when-destroying-device.patch mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch --- diff --git a/queue-4.4/dump_common_audit_data-fix-racy-accesses-to-d_name.patch b/queue-4.4/dump_common_audit_data-fix-racy-accesses-to-d_name.patch new file mode 100644 index 00000000000..7ab0b5a3541 --- /dev/null +++ b/queue-4.4/dump_common_audit_data-fix-racy-accesses-to-d_name.patch @@ -0,0 +1,45 @@ +From d36a1dd9f77ae1e72da48f4123ed35627848507d Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 5 Jan 2021 14:43:46 -0500 +Subject: dump_common_audit_data(): fix racy accesses to ->d_name + +From: Al Viro + +commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream. + +We are not guaranteed the locking environment that would prevent +dentry getting renamed right under us. And it's possible for +old long name to be freed after rename, leading to UAF here. + +Cc: stable@kernel.org # v2.6.2+ +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + security/lsm_audit.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/security/lsm_audit.c ++++ b/security/lsm_audit.c +@@ -264,7 +264,9 @@ static void dump_common_audit_data(struc + struct inode *inode; + + audit_log_format(ab, " name="); ++ spin_lock(&a->u.dentry->d_lock); + audit_log_untrustedstring(ab, a->u.dentry->d_name.name); ++ spin_unlock(&a->u.dentry->d_lock); + + inode = d_backing_inode(a->u.dentry); + if (inode) { +@@ -282,8 +284,9 @@ static void dump_common_audit_data(struc + dentry = d_find_alias(inode); + if (dentry) { + audit_log_format(ab, " name="); +- audit_log_untrustedstring(ab, +- dentry->d_name.name); ++ spin_lock(&dentry->d_lock); ++ audit_log_untrustedstring(ab, dentry->d_name.name); ++ spin_unlock(&dentry->d_lock); + dput(dentry); + } + audit_log_format(ab, " dev="); diff --git a/queue-4.4/ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch b/queue-4.4/ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch new file mode 100644 index 00000000000..edc9e579e83 --- /dev/null +++ b/queue-4.4/ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch @@ -0,0 +1,38 @@ +From dfd56c2c0c0dbb11be939b804ddc8d5395ab3432 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 16 Dec 2020 11:18:43 +0100 +Subject: ext4: fix superblock checksum failure when setting password salt + +From: Jan Kara + +commit dfd56c2c0c0dbb11be939b804ddc8d5395ab3432 upstream. + +When setting password salt in the superblock, we forget to recompute the +superblock checksum so it will not match until the next superblock +modification which recomputes the checksum. Fix it. + +CC: Michael Halcrow +Reported-by: Andreas Dilger +Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20201216101844.22917-8-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/ioctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -675,7 +675,10 @@ encryption_policy_out: + err = ext4_journal_get_write_access(handle, sbi->s_sbh); + if (err) + goto pwsalt_err_journal; ++ lock_buffer(sbi->s_sbh); + generate_random_uuid(sbi->s_es->s_encrypt_pw_salt); ++ ext4_superblock_csum_set(sb); ++ unlock_buffer(sbi->s_sbh); + err = ext4_handle_dirty_metadata(handle, NULL, + sbi->s_sbh); + pwsalt_err_journal: diff --git a/queue-4.4/input-uinput-avoid-ff-flush-when-destroying-device.patch b/queue-4.4/input-uinput-avoid-ff-flush-when-destroying-device.patch new file mode 100644 index 00000000000..8506499c715 --- /dev/null +++ b/queue-4.4/input-uinput-avoid-ff-flush-when-destroying-device.patch @@ -0,0 +1,148 @@ +From e8b95728f724797f958912fd9b765a695595d3a6 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Fri, 1 Sep 2017 17:13:43 -0700 +Subject: Input: uinput - avoid FF flush when destroying device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Torokhov + +commit e8b95728f724797f958912fd9b765a695595d3a6 upstream. + +Normally, when input device supporting force feedback effects is being +destroyed, we try to "flush" currently playing effects, so that the +physical device does not continue vibrating (or executing other effects). +Unfortunately this does not work well for uinput as flushing of the effects +deadlocks with the destroy action: + +- if device is being destroyed because the file descriptor is being closed, + then there is noone to even service FF requests; + +- if device is being destroyed because userspace sent UI_DEV_DESTROY, + while theoretically it could be possible to service FF requests, + userspace is unlikely to do so (they'd need to make sure FF handling + happens on a separate thread) even if kernel solves the issue with FF + ioctls deadlocking with UI_DEV_DESTROY ioctl on udev->mutex. + +To avoid lockups like the one below, let's install a custom input device +flush handler, and avoid trying to flush force feedback effects when we +destroying the device, and instead rely on uinput to shut off the device +properly. + +NMI watchdog: Watchdog detected hard LOCKUP on cpu 3 +... + <> [] _raw_spin_lock_irqsave+0x37/0x40 + [] complete+0x1d/0x50 + [] uinput_request_done+0x3c/0x40 [uinput] + [] uinput_request_submit.part.7+0x47/0xb0 [uinput] + [] uinput_dev_erase_effect+0x5b/0x76 [uinput] + [] erase_effect+0xad/0xf0 + [] flush_effects+0x4d/0x90 + [] input_flush_device+0x40/0x60 + [] evdev_cleanup+0xac/0xc0 + [] evdev_disconnect+0x2b/0x60 + [] __input_unregister_device+0xac/0x150 + [] input_unregister_device+0x47/0x70 + [] uinput_destroy_device+0xb5/0xc0 [uinput] + [] uinput_ioctl_handler.isra.9+0x65e/0x740 [uinput] + [] ? do_futex+0x12b/0xad0 + [] uinput_ioctl+0x18/0x20 [uinput] + [] do_vfs_ioctl+0x298/0x480 + [] ? security_file_ioctl+0x43/0x60 + [] SyS_ioctl+0x79/0x90 + [] entry_SYSCALL_64_fastpath+0x12/0x71 + +Reported-by: Rodrigo Rivas Costa +Reported-by: Clément VUCHENER +Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=193741 +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/ff-core.c | 13 ++++++++++--- + drivers/input/misc/uinput.c | 18 ++++++++++++++++++ + include/linux/input.h | 1 + + 3 files changed, 29 insertions(+), 3 deletions(-) + +--- a/drivers/input/ff-core.c ++++ b/drivers/input/ff-core.c +@@ -237,9 +237,15 @@ int input_ff_erase(struct input_dev *dev + EXPORT_SYMBOL_GPL(input_ff_erase); + + /* +- * flush_effects - erase all effects owned by a file handle ++ * input_ff_flush - erase all effects owned by a file handle ++ * @dev: input device to erase effect from ++ * @file: purported owner of the effects ++ * ++ * This function erases all force-feedback effects associated with ++ * the given owner from specified device. Note that @file may be %NULL, ++ * in which case all effects will be erased. + */ +-static int flush_effects(struct input_dev *dev, struct file *file) ++int input_ff_flush(struct input_dev *dev, struct file *file) + { + struct ff_device *ff = dev->ff; + int i; +@@ -255,6 +261,7 @@ static int flush_effects(struct input_de + + return 0; + } ++EXPORT_SYMBOL_GPL(input_ff_flush); + + /** + * input_ff_event() - generic handler for force-feedback events +@@ -343,7 +350,7 @@ int input_ff_create(struct input_dev *de + mutex_init(&ff->mutex); + + dev->ff = ff; +- dev->flush = flush_effects; ++ dev->flush = input_ff_flush; + dev->event = input_ff_event; + __set_bit(EV_FF, dev->evbit); + +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -230,6 +230,18 @@ static int uinput_dev_erase_effect(struc + return uinput_request_submit(udev, &request); + } + ++static int uinput_dev_flush(struct input_dev *dev, struct file *file) ++{ ++ /* ++ * If we are called with file == NULL that means we are tearing ++ * down the device, and therefore we can not handle FF erase ++ * requests: either we are handling UI_DEV_DESTROY (and holding ++ * the udev->mutex), or the file descriptor is closed and there is ++ * nobody on the other side anymore. ++ */ ++ return file ? input_ff_flush(dev, file) : 0; ++} ++ + static void uinput_destroy_device(struct uinput_device *udev) + { + const char *name, *phys; +@@ -273,6 +285,12 @@ static int uinput_create_device(struct u + dev->ff->playback = uinput_dev_playback; + dev->ff->set_gain = uinput_dev_set_gain; + dev->ff->set_autocenter = uinput_dev_set_autocenter; ++ /* ++ * The standard input_ff_flush() implementation does ++ * not quite work for uinput as we can't reasonably ++ * handle FF requests during device teardown. ++ */ ++ dev->flush = uinput_dev_flush; + } + + error = input_register_device(udev->dev); +--- a/include/linux/input.h ++++ b/include/linux/input.h +@@ -529,6 +529,7 @@ int input_ff_event(struct input_dev *dev + + int input_ff_upload(struct input_dev *dev, struct ff_effect *effect, struct file *file); + int input_ff_erase(struct input_dev *dev, int effect_id, struct file *file); ++int input_ff_flush(struct input_dev *dev, struct file *file); + + int input_ff_create_memless(struct input_dev *dev, void *data, + int (*play_effect)(struct input_dev *, void *, struct ff_effect *)); diff --git a/queue-4.4/mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch b/queue-4.4/mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch new file mode 100644 index 00000000000..a0799b60399 --- /dev/null +++ b/queue-4.4/mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch @@ -0,0 +1,47 @@ +From 8ff60eb052eeba95cfb3efe16b08c9199f8121cf Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 12 Jan 2021 15:49:04 -0800 +Subject: mm, slub: consider rest of partial list if acquire_slab() fails + +From: Jann Horn + +commit 8ff60eb052eeba95cfb3efe16b08c9199f8121cf upstream. + +acquire_slab() fails if there is contention on the freelist of the page +(probably because some other CPU is concurrently freeing an object from +the page). In that case, it might make sense to look for a different page +(since there might be more remote frees to the page from other CPUs, and +we don't want contention on struct page). + +However, the current code accidentally stops looking at the partial list +completely in that case. Especially on kernels without CONFIG_NUMA set, +this means that get_partial() fails and new_slab_objects() falls back to +new_slab(), allocating new pages. This could lead to an unnecessary +increase in memory fragmentation. + +Link: https://lkml.kernel.org/r/20201228130853.1871516-1-jannh@google.com +Fixes: 7ced37197196 ("slub: Acquire_slab() avoid loop") +Signed-off-by: Jann Horn +Acked-by: David Rientjes +Acked-by: Joonsoo Kim +Cc: Christoph Lameter +Cc: Pekka Enberg +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1682,7 +1682,7 @@ static void *get_partial_node(struct kme + + t = acquire_slab(s, n, page, object == NULL, &objects); + if (!t) +- break; ++ continue; /* cmpxchg raced */ + + available += objects; + if (!object) { diff --git a/queue-4.4/net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch b/queue-4.4/net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch new file mode 100644 index 00000000000..1ec2be6f5d4 --- /dev/null +++ b/queue-4.4/net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch @@ -0,0 +1,47 @@ +From 86b53fbf08f48d353a86a06aef537e78e82ba721 Mon Sep 17 00:00:00 2001 +From: "j.nixdorf@avm.de" +Date: Tue, 5 Jan 2021 15:17:01 +0100 +Subject: net: sunrpc: interpret the return value of kstrtou32 correctly + +From: j.nixdorf@avm.de + +commit 86b53fbf08f48d353a86a06aef537e78e82ba721 upstream. + +A return value of 0 means success. This is documented in lib/kstrtox.c. + +This was found by trying to mount an NFS share from a link-local IPv6 +address with the interface specified by its index: + + mount("[fe80::1%1]:/srv/nfs", "/mnt", "nfs", 0, "nolock,addr=fe80::1%1") + +Before this commit this failed with EINVAL and also caused the following +message in dmesg: + + [...] NFS: bad IP address specified: addr=fe80::1%1 + +The syscall using the same address based on the interface name instead +of its index succeeds. + +Credits for this patch go to my colleague Christian Speich, who traced +the origin of this bug to this line of code. + +Signed-off-by: Johannes Nixdorf +Fixes: 00cfaa943ec3 ("replace strict_strto calls") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/addr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/addr.c ++++ b/net/sunrpc/addr.c +@@ -184,7 +184,7 @@ static int rpc_parse_scope_id(struct net + scope_id = dev->ifindex; + dev_put(dev); + } else { +- if (kstrtou32(p, 10, &scope_id) == 0) { ++ if (kstrtou32(p, 10, &scope_id) != 0) { + kfree(p); + return 0; + } diff --git a/queue-4.4/nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch b/queue-4.4/nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch new file mode 100644 index 00000000000..3ca202db182 --- /dev/null +++ b/queue-4.4/nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch @@ -0,0 +1,43 @@ +From 896567ee7f17a8a736cda8a28cc987228410a2ac Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 10 Jan 2021 15:58:08 -0500 +Subject: NFS: nfs_igrab_and_active must first reference the superblock + +From: Trond Myklebust + +commit 896567ee7f17a8a736cda8a28cc987228410a2ac upstream. + +Before referencing the inode, we must ensure that the superblock can be +referenced. Otherwise, we can end up with iput() calling superblock +operations that are no longer valid or accessible. + +Fixes: ea7c38fef0b7 ("NFSv4: Ensure we reference the inode for return-on-close in delegreturn") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/internal.h | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -534,12 +534,14 @@ extern int nfs41_walk_client_list(struct + + static inline struct inode *nfs_igrab_and_active(struct inode *inode) + { +- inode = igrab(inode); +- if (inode != NULL && !nfs_sb_active(inode->i_sb)) { +- iput(inode); +- inode = NULL; ++ struct super_block *sb = inode->i_sb; ++ ++ if (sb && nfs_sb_active(sb)) { ++ if (igrab(inode)) ++ return inode; ++ nfs_sb_deactive(sb); + } +- return inode; ++ return NULL; + } + + static inline void nfs_iput_and_deactive(struct inode *inode) diff --git a/queue-4.4/rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch b/queue-4.4/rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch new file mode 100644 index 00000000000..a767087ca96 --- /dev/null +++ b/queue-4.4/rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch @@ -0,0 +1,42 @@ +From a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 Mon Sep 17 00:00:00 2001 +From: Dinghao Liu +Date: Sat, 26 Dec 2020 15:42:48 +0800 +Subject: RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp + +From: Dinghao Liu + +commit a306aba9c8d869b1fdfc8ad9237f1ed718ea55e6 upstream. + +If usnic_ib_qp_grp_create() fails at the first call, dev_list +will not be freed on error, which leads to memleak. + +Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver") +Link: https://lore.kernel.org/r/20201226074248.2893-1-dinghao.liu@zju.edu.cn +Signed-off-by: Dinghao Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c ++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +@@ -180,6 +180,7 @@ find_free_vf_and_create_qp_grp(struct us + + } + usnic_uiom_free_dev_list(dev_list); ++ dev_list = NULL; + } + + if (!found) { +@@ -207,6 +208,8 @@ find_free_vf_and_create_qp_grp(struct us + spin_unlock(&vf->lock); + if (IS_ERR_OR_NULL(qp_grp)) { + usnic_err("Failed to allocate qp_grp\n"); ++ if (usnic_ib_share_vf) ++ usnic_uiom_free_dev_list(dev_list); + return ERR_PTR(qp_grp ? PTR_ERR(qp_grp) : -ENOMEM); + } + diff --git a/queue-4.4/series b/queue-4.4/series index 3797ada1bc0..27d83017f39 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -9,3 +9,10 @@ misdn-dsp-select-config_bitreverse.patch net-ethernet-fs_enet-add-missing-module_license.patch acpi-scan-add-stub-acpi_create_platform_device-for-c.patch arm-picoxcell-fix-missing-interrupt-parent-propertie.patch +input-uinput-avoid-ff-flush-when-destroying-device.patch +dump_common_audit_data-fix-racy-accesses-to-d_name.patch +nfs-nfs_igrab_and_active-must-first-reference-the-superblock.patch +ext4-fix-superblock-checksum-failure-when-setting-password-salt.patch +rdma-usnic-fix-memleak-in-find_free_vf_and_create_qp_grp.patch +mm-slub-consider-rest-of-partial-list-if-acquire_slab-fails.patch +net-sunrpc-interpret-the-return-value-of-kstrtou32-correctly.patch