authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-06-09 10:14:00 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-06-09 10:14:00 +0200
commite381844f0a775504e3ea3d630e60d64a8016f591 (patch)
treebf4a888cd9ab9d3f3acd71971a263dac49459bde
parent4cc7a25b8e2a0da7967c567bc80f1b3c8520f5bf (diff)
downloadqueue-3.18-e381844f0a775504e3ea3d630e60d64a8016f591.tar.gz
more patches
-rw-r--r--ethtool-fix-potential-userspace-buffer-overflow.patch54
-rw-r--r--media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch39
-rw-r--r--net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch90
-rw-r--r--pktgen-do-not-sleep-with-the-thread-lock-held.patch96
-rw-r--r--series5
-rw-r--r--usb-gadget-fix-request-length-error-for-isoc-transfer.patch41
6 files changed, 325 insertions, 0 deletions
diff --git a/ethtool-fix-potential-userspace-buffer-overflow.patch b/ethtool-fix-potential-userspace-buffer-overflow.patch
new file mode 100644
index 0000000..38843a2
--- /dev/null
+++ b/ethtool-fix-potential-userspace-buffer-overflow.patch
@@ -0,0 +1,54 @@
+From foo@baz Sun 09 Jun 2019 10:11:59 AM CEST
+From: Vivien Didelot <vivien.didelot@gmail.com>
+Date: Mon, 3 Jun 2019 16:57:13 -0400
+Subject: ethtool: fix potential userspace buffer overflow
+
+From: Vivien Didelot <vivien.didelot@gmail.com>
+
+[ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ]
+
+ethtool_get_regs() allocates a buffer of size ops->get_regs_len(),
+and pass it to the kernel driver via ops->get_regs() for filling.
+
+There is no restriction about what the kernel drivers can or cannot do
+with the open ethtool_regs structure. They usually set regs->version
+and ignore regs->len or set it to the same size as ops->get_regs_len().
+
+But if userspace allocates a smaller buffer for the registers dump,
+we would cause a userspace buffer overflow in the final copy_to_user()
+call, which uses the regs.len value potentially reset by the driver.
+
+To fix this, make this case obvious and store regs.len before calling
+ops->get_regs(), to only copy as much data as requested by userspace,
+up to the value returned by ops->get_regs_len().
+
+While at it, remove the redundant check for non-null regbuf.
+
+Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/ethtool.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -863,13 +863,16 @@ static int ethtool_get_regs(struct net_d
+ if (reglen && !regbuf)
+ return -ENOMEM;
+
++ if (regs.len < reglen)
++ reglen = regs.len;
++
+ ops->get_regs(dev, &regs, regbuf);
+
+ ret = -EFAULT;
+ if (copy_to_user(useraddr, &regs, sizeof(regs)))
+ goto out;
+ useraddr += offsetof(struct ethtool_regs, data);
+- if (regbuf && copy_to_user(useraddr, regbuf, regs.len))
++ if (copy_to_user(useraddr, regbuf, reglen))
+ goto out;
+ ret = 0;
+
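Review bot: The `copy_to_user(useraddr, &regs, sizeof(regs))` line still hands userspace whatever `regs.len` the driver left in the struct during `ops->get_regs()`, so after this change a caller can be told a `len` larger than the `reglen` bytes actually written to `data`; if callers use the returned `len` to decide how much of their buffer is valid, either set `regs.len = reglen;` before that copy or add a comment such as `/* regs.len reports the driver's value; the data copy below is bounded by the caller's buffer */`. The clamp is applied after `regbuf` has been allocated (the allocation is above this hunk, so this is inferred), which is what keeps the driver's full scratch area intact while only the copy shrinks — worth a one-line comment next to the new `if`, since a later reader may be tempted to move the clamp above the allocation. The comparison also mixes `regs.len` with `reglen`, whose declared type is outside the hunk; if it is a plain `int`, a negative `get_regs_len()` result would compare as a large unsigned value, so a `reglen < 0` guard before this point is worth confirming. `ethtool_get_regs()` begins before this hunk.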
diff --git a/media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch b/media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch
new file mode 100644
index 0000000..aac3153
--- /dev/null
+++ b/media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch
@@ -0,0 +1,39 @@
+From 89dd34caf73e28018c58cd193751e41b1f8bdc56 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Mon, 4 Jun 2018 09:47:13 -0400
+Subject: media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
+
+From: Nadav Amit <namit@vmware.com>
+
+commit 89dd34caf73e28018c58cd193751e41b1f8bdc56 upstream.
+
+The use of ALIGN() in uvc_alloc_entity() is incorrect, since the size of
+(entity->pads) is not a power of two. As a stop-gap, until a better
+solution is adapted, use roundup() instead.
+
+Found by a static assertion. Compile-tested only.
+
+Fixes: 4ffc2d89f38a ("uvcvideo: Register subdevices for each entity")
+
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Cc: Doug Anderson <dianders@chromium.org>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -826,7 +826,7 @@ static struct uvc_entity *uvc_alloc_enti
+ unsigned int size;
+ unsigned int i;
+
+- extra_size = ALIGN(extra_size, sizeof(*entity->pads));
++ extra_size = roundup(extra_size, sizeof(*entity->pads));
+ num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1;
+ size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads
+ + num_inputs;
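Review bot: The new `roundup()` line needs a comment saying why `ALIGN()` must not be reintroduced, because the two look interchangeable and a later cleanup could put the masked form back: `/* sizeof(*entity->pads) is not a power of two, so the mask-based ALIGN() does not yield a multiple of it; roundup() divides instead */`. The commit message calls this a stop-gap, so the same comment should state the intended final fix (presumably aligning to `__alignof__(*entity->pads)` rather than to its size) if that is the plan. `roundup()` evaluates its arguments more than once, which is harmless here only because `extra_size` and `sizeof` have no side effects. `uvc_alloc_entity()` starts and ends outside this hunk.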
diff --git a/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch b/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
new file mode 100644
index 0000000..fc62a11
--- /dev/null
+++ b/net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
@@ -0,0 +1,90 @@
+From foo@baz Sun 09 Jun 2019 10:11:59 AM CEST
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+Date: Thu, 6 Jun 2019 04:00:03 -0400
+Subject: net: rds: fix memory leak in rds_ib_flush_mr_pool
+
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+
+[ Upstream commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 ]
+
+When the following tests last for several hours, the problem will occur.
+
+Server:
+ rds-stress -r 1.1.1.16 -D 1M
+Client:
+ rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30
+
+The following will occur.
+
+"
+Starting up....
+tsks tx/s rx/s tx+rx K/s mbi K/s mbo K/s tx us/c rtt us cpu
+%
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+ 1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
+"
+>From vmcore, we can find that clean_list is NULL.
+
+>From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker.
+Then rds_ib_mr_pool_flush_worker calls
+"
+ rds_ib_flush_mr_pool(pool, 0, NULL);
+"
+Then in function
+"
+int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool,
+ int free_all, struct rds_ib_mr **ibmr_ret)
+"
+ibmr_ret is NULL.
+
+In the source code,
+"
+...
+list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
+if (ibmr_ret)
+ *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
+
+/* more than one entry in llist nodes */
+if (clean_nodes->next)
+ llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
+...
+"
+When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next
+instead of clean_nodes is added in clean_list.
+So clean_nodes is discarded. It can not be used again.
+The workqueue is executed periodically. So more and more clean_nodes are
+discarded. Finally the clean_list is NULL.
+Then this problem will occur.
+
+Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist")
+Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_rdma.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/rds/ib_rdma.c
++++ b/net/rds/ib_rdma.c
+@@ -663,12 +663,14 @@ static int rds_ib_flush_mr_pool(struct r
+ wait_clean_list_grace();
+
+ list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
+- if (ibmr_ret)
++ if (ibmr_ret) {
+ *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
+-
++ clean_nodes = clean_nodes->next;
++ }
+ /* more than one entry in llist nodes */
+- if (clean_nodes->next)
+- llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
++ if (clean_nodes)
++ llist_add_batch(clean_nodes, clean_tail,
++ &pool->clean_list);
+
+ }
+
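Review bot: The retained comment `/* more than one entry in llist nodes */` above the new `if (clean_nodes)` no longer describes the condition, which now tests whether any node is left after the optional hand-off to `*ibmr_ret`; it should read `/* push whatever was not handed back to the caller onto the clean list */`. A second line noting that `clean_tail` stays valid after `clean_nodes = clean_nodes->next;` because only the head was detached would make the batch add obviously correct. The `clean_nodes->next` dereference inside the `ibmr_ret` branch still assumes `list_to_llist_nodes()` produced at least one node, as the old code did; whether `unmap_list` can be empty here cannot be judged from this hunk. `rds_ib_flush_mr_pool()` begins before this hunk.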
diff --git a/pktgen-do-not-sleep-with-the-thread-lock-held.patch b/pktgen-do-not-sleep-with-the-thread-lock-held.patch
new file mode 100644
index 0000000..c1b803c
--- /dev/null
+++ b/pktgen-do-not-sleep-with-the-thread-lock-held.patch
@@ -0,0 +1,96 @@
+From foo@baz Sun 09 Jun 2019 10:11:59 AM CEST
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 6 Jun 2019 15:45:03 +0200
+Subject: pktgen: do not sleep with the thread lock held.
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 720f1de4021f09898b8c8443f3b3e995991b6e3a ]
+
+Currently, the process issuing a "start" command on the pktgen procfs
+interface, acquires the pktgen thread lock and never release it, until
+all pktgen threads are completed. The above can blocks indefinitely any
+other pktgen command and any (even unrelated) netdevice removal - as
+the pktgen netdev notifier acquires the same lock.
+
+The issue is demonstrated by the following script, reported by Matteo:
+
+ip -b - <<'EOF'
+ link add type dummy
+ link add type veth
+ link set dummy0 up
+EOF
+modprobe pktgen
+echo reset >/proc/net/pktgen/pgctrl
+{
+ echo rem_device_all
+ echo add_device dummy0
+} >/proc/net/pktgen/kpktgend_0
+echo count 0 >/proc/net/pktgen/dummy0
+echo start >/proc/net/pktgen/pgctrl &
+sleep 1
+rmmod veth
+
+Fix the above releasing the thread lock around the sleep call.
+
+Additionally we must prevent racing with forcefull rmmod - as the
+thread lock no more protects from them. Instead, acquire a self-reference
+before waiting for any thread. As a side effect, running
+
+rmmod pktgen
+
+while some thread is running now fails with "module in use" error,
+before this patch such command hanged indefinitely.
+
+Note: the issue predates the commit reported in the fixes tag, but
+this fix can't be applied before the mentioned commit.
+
+v1 -> v2:
+ - no need to check for thread existence after flipping the lock,
+ pktgen threads are freed only at net exit time
+ -
+
+Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.")
+Reported-and-tested-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/pktgen.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -3089,7 +3089,13 @@ static int pktgen_wait_thread_run(struct
+ {
+ while (thread_is_running(t)) {
+
++ /* note: 't' will still be around even after the unlock/lock
++ * cycle because pktgen_thread threads are only cleared at
++ * net exit
++ */
++ mutex_unlock(&pktgen_thread_lock);
+ msleep_interruptible(100);
++ mutex_lock(&pktgen_thread_lock);
+
+ if (signal_pending(current))
+ goto signal;
+@@ -3104,6 +3110,10 @@ static int pktgen_wait_all_threads_run(s
+ struct pktgen_thread *t;
+ int sig = 1;
+
++ /* prevent from racing with rmmod */
++ if (!try_module_get(THIS_MODULE))
++ return sig;
++
+ mutex_lock(&pktgen_thread_lock);
+
+ list_for_each_entry(t, &pn->pktgen_threads, th_list) {
+@@ -3117,6 +3127,7 @@ static int pktgen_wait_all_threads_run(s
+ t->control |= (T_STOP);
+
+ mutex_unlock(&pktgen_thread_lock);
++ module_put(THIS_MODULE);
+ return sig;
+ }
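Review bot: Dropping `pktgen_thread_lock` inside `pktgen_wait_thread_run()` means its caller `pktgen_wait_all_threads_run()` is now in the middle of `list_for_each_entry(t, &pn->pktgen_threads, th_list)` without the lock, so the walk is safe only if the list itself never changes; the hunk's comment justifies the `t` pointer but the invariant that matters belongs at the walk, e.g. `/* the lock is dropped inside pktgen_wait_thread_run(); safe only because pn->pktgen_threads changes solely at net init/exit */`. The `try_module_get()` failure path returns `sig` (1), the same value as the signal-interrupted case, so callers cannot tell "module unloading" from "interrupted"; a comment such as `/* module is going away: nothing to wait for, report as interrupted */` would make that deliberate. The re-evaluation of `thread_is_running(t)` after the lock is re-taken is what keeps the loop correct once the lock is dropped, which is fine as written. Both enclosing functions start outside this hunk.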
+
diff --git a/series b/series
index 911b729..3f4daab 100644
--- a/series
+++ b/series
@@ -62,5 +62,10 @@ btrfs-fix-race-updating-log-root-item-during-fsync.patch
tty-max310x-fix-external-crystal-register-setup.patch
kernel-signal.c-trace_signal_deliver-when-signal_group_exit.patch
cifs-cifs_read_allocate_pages-don-t-iterate-through-whole-page-array-on-enomem.patch
+usb-gadget-fix-request-length-error-for-isoc-transfer.patch
+media-uvcvideo-fix-uvc_alloc_entity-allocation-alignment.patch
+ethtool-fix-potential-userspace-buffer-overflow.patch
+net-rds-fix-memory-leak-in-rds_ib_flush_mr_pool.patch
+pktgen-do-not-sleep-with-the-thread-lock-held.patch
crypto-gcm-fix-error-return-code-in-crypto_gcm_create_common.patch
crypto-gcm-fix-incompatibility-between-gcm-and-gcm_base.patch
diff --git a/usb-gadget-fix-request-length-error-for-isoc-transfer.patch b/usb-gadget-fix-request-length-error-for-isoc-transfer.patch
new file mode 100644
index 0000000..b4d3db5
--- /dev/null
+++ b/usb-gadget-fix-request-length-error-for-isoc-transfer.patch
@@ -0,0 +1,41 @@
+From 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Tue, 8 Nov 2016 10:08:24 +0800
+Subject: usb: gadget: fix request length error for isoc transfer
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 upstream.
+
+For isoc endpoint descriptor, the wMaxPacketSize is not real max packet
+size (see Table 9-13. Standard Endpoint Descriptor, USB 2.0 specifcation),
+it may contain the number of packet, so the real max packet should be
+ep->desc->wMaxPacketSize && 0x7ff.
+
+Cc: Felipe F. Tonello <eu@felipetonello.com>
+Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
+Fixes: 16b114a6d797 ("usb: gadget: fix usb_ep_align_maybe
+ endianness and new usb_ep_aligna")
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/usb/gadget.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/linux/usb/gadget.h
++++ b/include/linux/usb/gadget.h
+@@ -590,7 +590,9 @@ static inline struct usb_gadget *dev_to_
+ */
+ static inline size_t usb_ep_align(struct usb_ep *ep, size_t len)
+ {
+- return round_up(len, (size_t)le16_to_cpu(ep->desc->wMaxPacketSize));
++ int max_packet_size = (size_t)usb_endpoint_maxp(ep->desc) & 0x7ff;
++
++ return round_up(len, max_packet_size);
+ }
+
+ /**
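Review bot: The new return line uses `round_up()`, which in the kernel is the mask-based power-of-two helper, yet the value just masked with `0x7ff` can be any size up to 2047 (full-speed isochronous endpoints may advertise 1023), so for a non-power-of-two max packet size the result is not a multiple of it; unless every caller is known to use power-of-two sizes, `return roundup(len, max_packet_size);` is the safe form. The intermediate `int max_packet_size = (size_t)usb_endpoint_maxp(ep->desc) & 0x7ff;` casts to `size_t` and immediately narrows to `int`, so either drop the cast or declare the local `size_t` to match `len` and the return type. A descriptor reporting a zero packet size would hand the helper a zero alignment, which `round_up()` quietly turns into 0; a guard or a comment stating that callers guarantee a non-zero maxp would record the assumption. The commit description's `&& 0x7ff` should read `& 0x7ff`, matching the code.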