From 92dcd6112452924a3def8560609a63a448d32267 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 21 Dec 2018 20:26:37 -0500
Subject: [PATCH] patches for 4.14
Signed-off-by: Sasha Levin
---
 ...-component-pointer-in-private-struct.patch | 41 ++++++++++++
 ...ard-submissions-into-the-user-define.patch | 45 ++++++++++++++
 ...te-loop-if-the-device-loses-discard-.patch | 55 ++++++++++++++++
 ...fs-integer-overflow-in-in-smb2_ioctl.patch | 46 ++++++++++++++
 ...se-after-free-in-__srpt_close_all_ch.patch | 56 +++++++++++++++++
 ...hesize-features-before-events-in-pip.patch | 62 +++++++++++++++++++
 queue-4.14/series | 7 +++
 ...ectory-size-calculation-for-symlinks.patch | 44 +++++++++++++
 8 files changed, 356 insertions(+)
 create mode 100644 queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch
 create mode 100644 queue-4.14/block-break-discard-submissions-into-the-user-define.patch
 create mode 100644 queue-4.14/block-fix-infinite-loop-if-the-device-loses-discard-.patch
 create mode 100644 queue-4.14/cifs-integer-overflow-in-in-smb2_ioctl.patch
 create mode 100644 queue-4.14/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
 create mode 100644 queue-4.14/perf-record-synthesize-features-before-events-in-pip.patch
 create mode 100644 queue-4.14/series
 create mode 100644 queue-4.14/ubifs-fix-directory-size-calculation-for-symlinks.patch
diff --git a/queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch b/queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch
new file mode 100644
index 00000000000..b1bbde12671
--- /dev/null
+++ b/queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch
@@ -0,0 +1,41 @@
+From fed69888831c62f15713f25e890e41967a912518 Mon Sep 17 00:00:00 2001
+From: Daniel Mack
+Date: Thu, 11 Oct 2018 20:32:05 +0200
+Subject: ASoC: sta32x: set ->component pointer in private struct
+
+commit 747df19747bc9752cd40b9cce761e17a033aa5c2 upstream
+
+The ESD watchdog code in sta32x_watchdog() dereferences the pointer
+which is never assigned.
+
+This is a regression from a1be4cead9b950 ("ASoC: sta32x: Convert to direct
+regmap API usage.") which went unnoticed since nobody seems to use that ESD
+workaround.
+
+Fixes: a1be4cead9b950 ("ASoC: sta32x: Convert to direct regmap API usage.")
+Signed-off-by: Daniel Mack
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/sta32x.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/codecs/sta32x.c b/sound/soc/codecs/sta32x.c
+index 5b888476d9ff..b728140c79a9 100644
+--- a/sound/soc/codecs/sta32x.c
++++ b/sound/soc/codecs/sta32x.c
+@@ -879,6 +879,9 @@ static int sta32x_probe(struct snd_soc_codec *codec)
+ struct sta32x_priv *sta32x = snd_soc_codec_get_drvdata(codec);
+ struct sta32x_platform_data *pdata = sta32x->pdata;
+ int i, ret = 0, thermal = 0;
++
++ sta32x->codec = codec;
++
+ ret = regulator_bulk_enable(ARRAY_SIZE(sta32x->supplies),
+ sta32x->supplies);
+ if (ret != 0) {
+--
+2.19.1
+
diff --git a/queue-4.14/block-break-discard-submissions-into-the-user-define.patch b/queue-4.14/block-break-discard-submissions-into-the-user-define.patch
new file mode 100644
index 00000000000..89dea700f64
--- /dev/null
+++ b/queue-4.14/block-break-discard-submissions-into-the-user-define.patch
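Review bot: The subject `ASoC: sta32x: set ->component pointer in private struct` and the Fixes text describe a `->component` field, while the 4.14 backport on the new side assigns `sta32x->codec = codec;` instead. That is presumably the matching field for this kernel's `snd_soc_codec`-based probe signature, but nothing in the patch records that the backport changed the field name, so a reader has to diff against upstream to confirm it. A one-line backport note under the sign-offs, e.g. `[sudip: assign ->codec, the 4.14 equivalent of ->component]` (constructed wording), would make the adaptation explicit. sta32x_probe() continues outside the hunk.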
@@ -0,0 +1,45 @@
+From 5a00f191357bd8e890ffd5e89b3cda9669b283b9 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Tue, 8 May 2018 15:09:41 -0600
+Subject: block: break discard submissions into the user defined size
+
+[ Upstream commit af097f5d199e2aa3ab3ef777f0716e487b8f7b08 ]
+
+Don't build discards bigger than what the user asked for, if the
+user decided to limit the size by writing to 'discard_max_bytes'.
+
+Reviewed-by: Darrick J. Wong
+Reviewed-by: Omar Sandoval
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-lib.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-lib.c b/block/blk-lib.c
+index 2bc544ce3d2e..53a45663e688 100644
+--- a/block/blk-lib.c
++++ b/block/blk-lib.c
+@@ -59,10 +59,16 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector,
+ unsigned int req_sects;
+ sector_t end_sect, tmp;
+
+- /* Make sure bi_size doesn't overflow */
+- req_sects = min_t(sector_t, nr_sects, UINT_MAX >> 9);
++ /*
++ * Issue in chunks of the user defined max discard setting,
++ * ensuring that bi_size doesn't overflow
++ */
++ req_sects = min_t(sector_t, nr_sects,
++ q->limits.max_discard_sectors);
++ if (req_sects > UINT_MAX >> 9)
++ req_sects = UINT_MAX >> 9;
+
+- /**
++ /*
+ * If splitting a request, and the next starting sector would be
+ * misaligned, stop the discard at the previous aligned sector.
+ */
+--
+2.19.1
+
diff --git a/queue-4.14/block-fix-infinite-loop-if-the-device-loses-discard-.patch b/queue-4.14/block-fix-infinite-loop-if-the-device-loses-discard-.patch
new file mode 100644
index 00000000000..ecde0e2b4f7
--- /dev/null
+++ b/queue-4.14/block-fix-infinite-loop-if-the-device-loses-discard-.patch
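Review bot: With `req_sects = min_t(sector_t, nr_sects, q->limits.max_discard_sectors);` a zero `max_discard_sectors` now yields req_sects == 0, and the enclosing loop of __blkdev_issue_discard(), which starts and ends outside the hunk, would presumably make no progress on that value. This queue relies on the next patch, block-fix-infinite-loop-if-the-device-loses-discard-.patch, to add the zero guard, and that patch's index line `53a45663e688..0bdc77888dc5` chains onto this one's `2bc544ce3d2e..53a45663e688`, so the two must stay adjacent and in this order in `series` (the listed order already does). Stating that dependency in this patch's backport notes, e.g. `[stable: must be applied together with the max_discard_sectors == 0 fix that follows]` (constructed wording), would prevent the pair being split by a later rebase.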
@@ -0,0 +1,55 @@
+From e272ad9ad5704fd33041f49e21cfc96bf26859a9 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Tue, 3 Jul 2018 13:34:22 -0400
+Subject: block: fix infinite loop if the device loses discard capability
+
+[ Upstream commit b88aef36b87c9787a4db724923ec4f57dfd513f3 ]
+
+If __blkdev_issue_discard is in progress and a device mapper device is
+reloaded with a table that doesn't support discard,
+q->limits.max_discard_sectors is set to zero. This results in infinite
+loop in __blkdev_issue_discard.
+
+This patch checks if max_discard_sectors is zero and aborts with
+-EOPNOTSUPP.
+
+Signed-off-by: Mikulas Patocka
+Tested-by: Zdenek Kabelac
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-lib.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/block/blk-lib.c b/block/blk-lib.c
+index 53a45663e688..0bdc77888dc5 100644
+--- a/block/blk-lib.c
++++ b/block/blk-lib.c
+@@ -65,6 +65,8 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector,
+ */
+ req_sects = min_t(sector_t, nr_sects,
+ q->limits.max_discard_sectors);
++ if (!req_sects)
++ goto fail;
+ if (req_sects > UINT_MAX >> 9)
+ req_sects = UINT_MAX >> 9;
+
+@@ -102,6 +104,14 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector,
+
+ *biop = bio;
+ return 0;
++
++fail:
++ if (bio) {
++ submit_bio_wait(bio);
++ bio_put(bio);
++ }
++ *biop = NULL;
++ return -EOPNOTSUPP;
+ }
+ EXPORT_SYMBOL(__blkdev_issue_discard);
+
+--
+2.19.1
+
diff --git a/queue-4.14/cifs-integer-overflow-in-in-smb2_ioctl.patch b/queue-4.14/cifs-integer-overflow-in-in-smb2_ioctl.patch
new file mode 100644
index 00000000000..9a6238a1a62
--- /dev/null
+++ b/queue-4.14/cifs-integer-overflow-in-in-smb2_ioctl.patch
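Review bot: In the new `fail:` block the return value of `submit_bio_wait(bio)` is discarded, so an I/O error on the discard chunks already chained into `bio` is reported to the caller only as -EOPNOTSUPP, which reads as a capability error rather than a failed partial discard. Whether callers distinguish the two cannot be seen from here, since __blkdev_issue_discard() starts and ends outside both hunks; a comment on the label would at least record the intent: `/* device lost discard support mid-way: finish what was already built, then report unsupported */`. The `*biop = NULL;` also overwrites whatever bio the caller handed in through *biop, which I presume is the same chain that `bio` started from; confirm no caller expects its original pointer back on this error path.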
@@ -0,0 +1,46 @@
+From 7383229f1bd7910f79ff73721fab7dd6e32a74fa Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 10 Sep 2018 14:12:07 +0300
+Subject: cifs: integer overflow in in SMB2_ioctl()
+
+commit 2d204ee9d671327915260071c19350d84344e096 upstream
+
+The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
+wrap around to a smaller value which looks like it would lead to an
+information leak.
+
+Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Steve French
+Reviewed-by: Aurelien Aptel
+CC: Stable
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2pdu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 69309538ffb8..1581e8668b09 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2020,14 +2020,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
+ /* We check for obvious errors in the output buffer length and offset */
+ if (*plen == 0)
+ goto ioctl_exit; /* server returned no data */
+- else if (*plen > 0xFF00) {
++ else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
+ cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
+ *plen = 0;
+ rc = -EIO;
+ goto ioctl_exit;
+ }
+
+- if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
++ if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
+ cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
+ le32_to_cpu(rsp->OutputOffset));
+ *plen = 0;
+--
+2.19.1
+
diff --git a/queue-4.14/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch b/queue-4.14/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
new file mode 100644
index 00000000000..685f864ddab
--- /dev/null
+++ b/queue-4.14/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
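Review bot: The rewritten condition `if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset))` trades the overflowing addition for a subtraction that is only sound if `*plen` can never exceed `get_rfc1002_length(rsp)`; if it can, the difference wraps (the operands look unsigned from their use, but their exact types are outside the hunk) to a large value and the offset check passes. The guard added just above, `*plen > rsp_iov.iov_len`, bounds *plen by the received iov length, so the check holds only if iov_len never exceeds the RFC1002 length field in 4.14, which should be confirmed rather than assumed. A comment recording that invariant on the condition, `/* *plen <= iov_len <= rfc1002 length, so this subtraction cannot wrap */`, would make the dependency visible to the next person touching either check. Separately, both cifs_dbg() calls print `*plen` with `%d`; if plen is an unsigned type, `%u` is the matching specifier. SMB2_ioctl() starts and ends outside the hunk.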
@@ -0,0 +1,56 @@
+From 01eed54d031486826fe26456b783c481056d41b0 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 2 Jul 2018 14:08:45 -0700
+Subject: ib_srpt: Fix a use-after-free in __srpt_close_all_ch()
+
+commit 14d15c2b278011056482eb015dff89f9cbf2b841 upstream
+
+BUG: KASAN: use-after-free in srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+Read of size 4 at addr ffff8801269d23f8 by task check/29726
+
+CPU: 4 PID: 29726 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0xa4/0xf5
+ print_address_description+0x6f/0x270
+ kasan_report+0x241/0x360
+ __asan_load4+0x78/0x80
+ srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+ srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
+ configfs_write_file+0x14e/0x1d0 [configfs]
+ __vfs_write+0xd2/0x3b0
+ vfs_write+0x101/0x270
+ ksys_write+0xab/0x120
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f235cfe6154
+
+Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
+Signed-off-by: Bart Van Assche
+Cc:
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 60105ba77889..47f3f562d86f 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -1775,8 +1775,8 @@ static void __srpt_close_all_ch(struct srpt_device *sdev)
+
+ list_for_each_entry(ch, &sdev->rch_list, list) {
+ if (srpt_disconnect_ch(ch) >= 0)
+- pr_info("Closing channel %s-%d because target %s has been disabled\n",
+- ch->sess_name, ch->qp->qp_num,
++ pr_info("Closing channel %s because target %s has been disabled\n",
++ ch->sess_name,
+ sdev->device->name);
+ srpt_close_ch(ch);
+ }
+--
+2.19.1
+
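Review bot: The new pr_info() still dereferences `ch->sess_name` after `srpt_disconnect_ch(ch)` has run, while the only thing removed is `ch->qp->qp_num`; the description is just the KASAN splat (a 4-byte read in srpt_set_enabled) and never says which object was freed, so a reader of the backport cannot tell whether `ch` itself is guaranteed alive here or only its QP is gone. A comment above the call would capture the constraint, e.g. `/* after srpt_disconnect_ch() the QP may already be released; only log fields owned by ch itself */` — the inference that the freed object is the QP is mine, so confirm it against the upstream change before wording it as fact. One sentence to that effect in the patch description would serve the same purpose for the stable tree. __srpt_close_all_ch() starts and ends outside the hunk.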
diff --git a/queue-4.14/perf-record-synthesize-features-before-events-in-pip.patch b/queue-4.14/perf-record-synthesize-features-before-events-in-pip.patch
new file mode 100644
index 00000000000..548936b4b75
--- /dev/null
+++ b/queue-4.14/perf-record-synthesize-features-before-events-in-pip.patch
@@ -0,0 +1,62 @@
+From ed953fc889a5d818dc5c0914dea42b17955ba4cc Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Wed, 14 Mar 2018 10:22:04 +0100
+Subject: perf record: Synthesize features before events in pipe mode
+
+[ Upstream commit a2015516c5c0be932a69e1d3405c2fb03b4eacf1 ]
+
+We need to synthesize events first, because some features works on top
+of them (on report side).
+
+Signed-off-by: Jiri Olsa
+Tested-by: Stephane Eranian
+Cc: Alexander Shishkin
+Cc: David Ahern
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lkml.kernel.org/r/20180314092205.23291-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/builtin-record.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
+index b205c1340456..5e53cafe6cf9 100644
+--- a/tools/perf/builtin-record.c
++++ b/tools/perf/builtin-record.c
+@@ -800,13 +800,10 @@ static int record__synthesize(struct record *rec, bool tail)
+ return 0;
+
+ if (file->is_pipe) {
+- err = perf_event__synthesize_features(
+- tool, session, rec->evlist, process_synthesized_event);
+- if (err < 0) {
+- pr_err("Couldn't synthesize features.\n");
+- return err;
+- }
+-
++ /*
++ * We need to synthesize events first, because some
++ * features works on top of them (on report side).
++ */
+ err = perf_event__synthesize_attrs(tool, session,
+ process_synthesized_event);
+ if (err < 0) {
+@@ -814,6 +811,13 @@ static int record__synthesize(struct record *rec, bool tail)
+ goto out;
+ }
+
++ err = perf_event__synthesize_features(tool, session, rec->evlist,
++ process_synthesized_event);
++ if (err < 0) {
++ pr_err("Couldn't synthesize features.\n");
++ return err;
++ }
++
+ if (have_tracepoints(&rec->evlist->entries)) {
+ /*
+ * FIXME err <= 0 here actually means that
+--
+2.19.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..5b54399db0d
--- /dev/null
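Review bot: The relocated features block ends with `return err;` while the attrs failure directly above it, visible at the top of the second hunk, uses `goto out;`, so two error paths in the same `if (file->is_pipe)` branch now unwind differently. If the `out:` label performs any cleanup, which cannot be seen from here, the features failure skips it; if it does not, the inconsistency is still worth removing so the next reader does not have to ask. Changing the new line to `goto out;` makes the branch uniform. record__synthesize() starts and ends outside both hunks.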
+++ b/queue-4.14/series
@@ -0,0 +1,7 @@
+block-break-discard-submissions-into-the-user-define.patch
+block-fix-infinite-loop-if-the-device-loses-discard-.patch
+asoc-sta32x-set-component-pointer-in-private-struct.patch
+ubifs-fix-directory-size-calculation-for-symlinks.patch
+ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
+perf-record-synthesize-features-before-events-in-pip.patch
+cifs-integer-overflow-in-in-smb2_ioctl.patch
diff --git a/queue-4.14/ubifs-fix-directory-size-calculation-for-symlinks.patch b/queue-4.14/ubifs-fix-directory-size-calculation-for-symlinks.patch
new file mode 100644
index 00000000000..d1b4f0dacbd
--- /dev/null
+++ b/queue-4.14/ubifs-fix-directory-size-calculation-for-symlinks.patch
@@ -0,0 +1,44 @@
+From beb7d7fa2ad93076c29c868730e867579a3508fd Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Mon, 11 Jun 2018 23:41:09 +0200
+Subject: ubifs: Fix directory size calculation for symlinks
+
+commit 00ee8b60102862f4daf0814d12a2ea2744fc0b9b upstream
+
+We have to account the name of the symlink and not the target length.
+
+Fixes: ca7f85be8d6c ("ubifs: Add support for encrypted symlinks")
+Cc:
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Sasha Levin
+---
+ fs/ubifs/dir.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index ef820f803176..4e6e32c0c08a 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1147,8 +1147,7 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry,
+ struct ubifs_inode *ui;
+ struct ubifs_inode *dir_ui = ubifs_inode(dir);
+ struct ubifs_info *c = dir->i_sb->s_fs_info;
+- int err, len = strlen(symname);
+- int sz_change = CALC_DENT_SIZE(len);
++ int err, sz_change, len = strlen(symname);
+ struct fscrypt_str disk_link = FSTR_INIT((char *)symname, len + 1);
+ struct fscrypt_symlink_data *sd = NULL;
+ struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1,
+@@ -1189,6 +1188,8 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry,
+ if (err)
+ goto out_budg;
+
++ sz_change = CALC_DENT_SIZE(fname_len(&nm));
++
+ inode = ubifs_new_inode(c, dir, S_IFLNK | S_IRWXUGO);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+--
+2.19.1
+
--
2.47.3
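Review bot: `sz_change` is now declared without an initializer on the new `int err, sz_change, len = strlen(symname);` line and is only assigned at `sz_change = CALC_DENT_SIZE(fname_len(&nm));` in the second hunk, so any use of it between the two hunks — notably an error path that reaches `out_budg` before the assignment — would read an uninitialized int; the intervening lines are outside the hunks, so this needs checking against the full function and ideally a build with -Wmaybe-uninitialized. `len` is still derived from the target and stays correct for `disk_link`, which is exactly the distinction the fix is making. A short comment on the new assignment, `/* budget the dentry by the (possibly encrypted) name length, not the target length */`, would keep the two lengths from being conflated again. ubifs_symlink() starts and ends outside both hunks.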