From: Sasha Levin Date: Mon, 15 Mar 2021 03:01:12 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.4.262~36 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f5cda44845a7ebd469d13b372d40fc1cb06b1547;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch b/queue-4.4/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch new file mode 100644 index 00000000000..d1f1c1a0fcd --- /dev/null +++ b/queue-4.4/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch @@ -0,0 +1,39 @@ +From 8f7a7848c123b1782b885a595ba8daecac621970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 19:30:17 -0800 +Subject: block: rsxx: fix error return code of rsxx_pci_probe() + +From: Jia-Ju Bai + +[ Upstream commit df66617bfe87487190a60783d26175b65d2502ce ] + +When create_singlethread_workqueue returns NULL to card->event_wq, no +error return code of rsxx_pci_probe() is assigned. + +To fix this bug, st is assigned with -ENOMEM in this case. + +Fixes: 8722ff8cdbfa ("block: IBM RamSan 70/80 device driver") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20210310033017.4023-1-baijiaju1990@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/rsxx/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c +index 0d9137408e3c..a53271acc2a2 100644 +--- a/drivers/block/rsxx/core.c ++++ b/drivers/block/rsxx/core.c +@@ -895,6 +895,7 @@ static int rsxx_pci_probe(struct pci_dev *dev, + card->event_wq = create_singlethread_workqueue(DRIVER_NAME"_event"); + if (!card->event_wq) { + dev_err(CARD_TO_DEV(card), "Failed card event setup.\n"); ++ st = -ENOMEM; + goto failed_event_handler; + } + +-- +2.30.1 + 
diff --git a/queue-4.4/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch b/queue-4.4/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch new file mode 100644 index 00000000000..37ef9e103be --- /dev/null +++ b/queue-4.4/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch @@ -0,0 +1,43 @@ +From 94c66f8fd96dc81ebac6185577fdaea61bcc2e8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 18:43:56 +0100 +Subject: NFSv4.2: fix return value of _nfs4_get_security_label() + +From: Ondrej Mosnacek + +[ Upstream commit 53cb245454df5b13d7063162afd7a785aed6ebf2 ] + +An xattr 'get' handler is expected to return the length of the value on +success, yet _nfs4_get_security_label() (and consequently also +nfs4_xattr_get_nfs4_label(), which is used as an xattr handler) returns +just 0 on success. + +Fix this by returning label.len instead, which contains the length of +the result. + +Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS") +Signed-off-by: Ondrej Mosnacek +Reviewed-by: James Morris +Reviewed-by: Paul Moore +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 3c15291ba1aa..0c9386978d9d 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4922,7 +4922,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf, + return ret; + if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL)) + return -ENOENT; +- return 0; ++ return label.len; + } + + static int nfs4_get_security_label(struct inode *inode, void *buf, +-- +2.30.1 + diff --git a/queue-4.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-4.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch new file mode 100644 index 00000000000..ce8a7909adf --- /dev/null +++ b/queue-4.4/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch 
@@ -0,0 +1,45 @@ +From 6c68e2f8d2f09af655f81c176bf6e5100a34a8da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Mar 2021 23:51:14 +0300 +Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak + +From: Alexey Dobriyan + +[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] + +Doing a + + prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); + +will copy 1 byte from userspace to (quite big) on-stack array +and then stash everything to mm->saved_auxv. +AT_NULL terminator will be inserted at the very end. + +/proc/*/auxv handler will find that AT_NULL terminator +and copy original stack contents to userspace. + +This devious scheme requires CAP_SYS_RESOURCE. + +Signed-off-by: Alexey Dobriyan +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sys.c b/kernel/sys.c +index e98664039cb2..8ac977df4dd4 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1910,7 +1910,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, + * up to the caller to provide sane values here, otherwise userspace + * tools which use this vector might be unhappy. + */ +- unsigned long user_auxv[AT_VECTOR_SIZE]; ++ unsigned long user_auxv[AT_VECTOR_SIZE] = {}; + + if (len > sizeof(user_auxv)) + return -EINVAL; +-- +2.30.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 3a7890ee031..57cb3ea1e08 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -55,3 +55,6 @@ staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch +nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch +block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch +prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch
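Review bot: In the drivers/block/rsxx/core.c hunk, the `st = -ENOMEM;` added to the `if (!card->event_wq)` branch is correct, but the commit message stops at "no error return code of rsxx_pci_probe() is assigned" and does not state the consequence. Without the assignment, st keeps whatever the preceding step left in it while the code still jumps to failed_event_handler, so the value returned by probe may not match the unwind it has just performed. Suggest saying that in the message, and checking the other goto branches of rsxx_pci_probe() for the same pattern, since only this one branch is visible in the hunk.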
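Review bot: In the fs/nfs/nfs4proc.c hunk, `return label.len;` at the end of _nfs4_get_security_label() passes a length back through an `int` return value, and the type of label.len is not visible in the hunk. Suggest confirming that the value can never be large enough to be read as a negative errno by the xattr caller, and that it is the length of the label actually obtained rather than the size of the buffer passed in as buf. The message names nfs4_xattr_get_nfs4_label() as the affected handler; one line on what a caller observed with the old `return 0;` would help anyone triaging this backport.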
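Review bot: In the kernel/sys.c hunk, the `= {}` on `unsigned long user_auxv[AT_VECTOR_SIZE]` in prctl_set_auxv() carries the whole fix, yet nothing at the declaration says why it is needed, so it reads like a redundant initializer that a later cleanup could drop. Suggest extending the comment above it to note that len may be shorter than the array (the visible check only rejects `len > sizeof(user_auxv)`), so the uncopied tail has to be zero before the array is stashed in mm->saved_auxv and read back through /proc/*/auxv. The message also has no Fixes: tag, unlike the other two patches queued here, which makes it harder to tell which stable trees need it.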