Two small fixes scheduled for stable trees

A tracepoint fix that's been reading past the end of messages forever,
 but semi-recently also went over the end of the buffer.
 And a potential incorrectly freeing garbage in pdu parsing error path
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE/IPbcYBuWt0zoYhOq06b7GqY5nAFAmWE4HEACgkQq06b7GqY
 5nBiaw//VKYbPnx+4wtyT17BnvamwEQH88kdIFLjcmGfCKJyBL1UrBfNoV+azzUa
 x4ob+M82zkRgfsQ0bDW1A4OWmRWXWngr/VJ53HpQA0FYff6dFGULXzHwQnz2Sn16
 Lhn7D0FhZZ12skIcCCDRADZIT9ydh7fEfaI3F2goDuvwopwAoOZnYQjIwVhjNuVo
 EIHO3VJShHh/sDMxdyurCkiv+PszIqUgeVW3FH9KNlFC/8hdKpMPGzVHpd1S72wP
 9rex+9yIWb5+o6zpxIB4K6lRWJg0itPKMRDGbey3BR1U7YAQlsGXJ54I6lMRSJ8N
 penT0ztpBSEVWauPvWt0cmkb/ccBFWml4uncT9WK47ExwtbmOhqsk/wOWon8Jho/
 i09lB/Uk5jHSvjong6BbKZ8rYhHdOK9lXfr8UWoJ+jWAilMHqt6Yxb61MRizfe60
 nsVNExBNr78gP/k2U0Fd1++27nB48jvvXN07lVM6uWqyjzaLXahVAb6moz9O7/PD
 ntZVocPCL+XLoByOhRrLNgpyrWiR3ClurpQCsR8d4AE3H7D0CyKLbdLBUBH6fkul
 RErrolev90AKNYthOf6MFWpZuyWnTpK4RooaB0D6KNsIfMUOhfAaIqaM2u50RK/T
 B7hWbFCSPfXkpAM9XcYayVnaJp2dj9MBu6ioQIns4DqqHB//M8U=
 =jdEx
 -----END PGP SIGNATURE-----

Merge tag '9p-for-6.7-rc7' of https://github.com/martinetd/linux

Pull 9p fixes from Dominique Martinet:
 "Two small fixes scheduled for stable trees:

  A tracepoint fix that's been reading past the end of messages forever,
  but semi-recently also went over the end of the buffer. And a
  potential incorrectly freeing garbage in pdu parsing error path"

* tag '9p-for-6.7-rc7' of https://github.com/martinetd/linux:
  net: 9p: avoid freeing uninit memory in p9pdu_vreadf
  9p: prevent read overrun in protocol dump tracepoint

include/trace/events/9p.h

@@ -178,18 +178,21 @@ TRACE_EVENT(9p_protocol_dump,
 		    __field(	void *,		clnt				)
 		    __field(	__u8,		type				)
 		    __field(	__u16,		tag				)
-		    __array(	unsigned char,	line,	P9_PROTO_DUMP_SZ	)
+		    __dynamic_array(unsigned char, line,
+				min_t(size_t, pdu->capacity, P9_PROTO_DUMP_SZ))
 		    ),
 
 	    TP_fast_assign(
 		    __entry->clnt   =  clnt;
 		    __entry->type   =  pdu->id;
 		    __entry->tag    =  pdu->tag;
-		    memcpy(__entry->line, pdu->sdata, P9_PROTO_DUMP_SZ);
+		    memcpy(__get_dynamic_array(line), pdu->sdata,
+				__get_dynamic_array_len(line));
 		    ),
-	    TP_printk("clnt %lu %s(tag = %d)\n%.3x: %16ph\n%.3x: %16ph\n",
+	    TP_printk("clnt %lu %s(tag = %d)\n%*ph\n",
 		      (unsigned long)__entry->clnt, show_9p_op(__entry->type),
-		      __entry->tag, 0, __entry->line, 16, __entry->line + 16)
+		      __entry->tag, __get_dynamic_array_len(line),
+		      __get_dynamic_array(line))
  );
 
 

net/9p/protocol.c

@@ -394,6 +394,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
 				uint16_t *nwname = va_arg(ap, uint16_t *);
 				char ***wnames = va_arg(ap, char ***);
 
+				*wnames = NULL;
+
 				errcode = p9pdu_readf(pdu, proto_version,
 								"w", nwname);
 				if (!errcode) {
@@ -403,6 +405,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
 							  GFP_NOFS);
 					if (!*wnames)
 						errcode = -ENOMEM;
+					else
+						(*wnames)[0] = NULL;
 				}
 
 				if (!errcode) {
@@ -414,8 +418,10 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
 								proto_version,
 								"s",
 								&(*wnames)[i]);
-						if (errcode)
+						if (errcode) {
+							(*wnames)[i] = NULL;
 							break;
+						}
 					}
 				}
 
@@ -423,11 +429,14 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
 					if (*wnames) {
 						int i;
 
-						for (i = 0; i < *nwname; i++)
+						for (i = 0; i < *nwname; i++) {
+							if (!(*wnames)[i])
+								break;
 							kfree((*wnames)[i]);
+						}
+						kfree(*wnames);
+						*wnames = NULL;
 					}
-					kfree(*wnames);
-					*wnames = NULL;
 				}
 			}
 			break;