]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Tue, 8 Oct 2024 06:02:25 +0000 (02:02 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 8 Oct 2024 06:02:25 +0000 (02:02 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
14 files changed:
queue-4.19/acpi-battery-fix-possible-crash-when-unregistering-a.patch [new file with mode: 0644]
queue-4.19/acpi-battery-simplify-battery-hook-locking.patch [new file with mode: 0644]
queue-4.19/arm64-add-cortex-715-cpu-part-definition.patch [new file with mode: 0644]
queue-4.19/arm64-cputype-add-neoverse-n3-definitions.patch [new file with mode: 0644]
queue-4.19/arm64-errata-expand-speculative-ssbs-workaround-once.patch [new file with mode: 0644]
queue-4.19/ext4-avoid-ext4_error-s-caused-by-enomem-in-the-trun.patch [new file with mode: 0644]
queue-4.19/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch [new file with mode: 0644]
queue-4.19/ext4-update-orig_path-in-ext4_find_extent.patch [new file with mode: 0644]
queue-4.19/nfsd-fix-delegation_blocked-to-block-correctly-for-a.patch [new file with mode: 0644]
queue-4.19/nfsd-use-ktime_get_seconds-for-timestamps.patch [new file with mode: 0644]
queue-4.19/rtc-at91sam9-drop-platform_data-support.patch [new file with mode: 0644]
queue-4.19/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/uprobes-fix-kernel-info-leak-via-uprobes-vma.patch [new file with mode: 0644]

diff --git a/queue-4.19/acpi-battery-fix-possible-crash-when-unregistering-a.patch b/queue-4.19/acpi-battery-fix-possible-crash-when-unregistering-a.patch
new file mode 100644 (file)
index 0000000..af9d4ad
--- /dev/null
@@ -0,0 +1,69 @@
+From 64a744c2464d03598a71e1ac079ae1b21d2e184f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 23:28:34 +0200
+Subject: ACPI: battery: Fix possible crash when unregistering a battery hook
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit 76959aff14a0012ad6b984ec7686d163deccdc16 ]
+
+When a battery hook returns an error when adding a new battery, then
+the battery hook is automatically unregistered.
+However the battery hook provider cannot know that, so it will later
+call battery_hook_unregister() on the already unregistered battery
+hook, resulting in a crash.
+
+Fix this by using the list head to mark already unregistered battery
+hooks as already being unregistered so that they can be ignored by
+battery_hook_unregister().
+
+Fixes: fa93854f7a7e ("battery: Add the battery hooking API")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20241001212835.341788-3-W_Armin@gmx.de
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/battery.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
+index b741ed87ab3db..46aa0e5e6f8b6 100644
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -724,7 +724,7 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook)
+       list_for_each_entry(battery, &acpi_battery_list, list) {
+               hook->remove_battery(battery->bat);
+       }
+-      list_del(&hook->list);
++      list_del_init(&hook->list);
+       pr_info("extension unregistered: %s\n", hook->name);
+ }
+@@ -732,7 +732,14 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook)
+ void battery_hook_unregister(struct acpi_battery_hook *hook)
+ {
+       mutex_lock(&hook_mutex);
+-      battery_hook_unregister_unlocked(hook);
++      /*
++       * Ignore already unregistered battery hooks. This might happen
++       * if a battery hook was previously unloaded due to an error when
++       * adding a new battery.
++       */
++      if (!list_empty(&hook->list))
++              battery_hook_unregister_unlocked(hook);
++
+       mutex_unlock(&hook_mutex);
+ }
+ EXPORT_SYMBOL_GPL(battery_hook_unregister);
+@@ -742,7 +749,6 @@ void battery_hook_register(struct acpi_battery_hook *hook)
+       struct acpi_battery *battery;
+       mutex_lock(&hook_mutex);
+-      INIT_LIST_HEAD(&hook->list);
+       list_add(&hook->list, &battery_hook_list);
+       /*
+        * Now that the driver is registered, we need
+-- 
+2.43.0
+
diff --git a/queue-4.19/acpi-battery-simplify-battery-hook-locking.patch b/queue-4.19/acpi-battery-simplify-battery-hook-locking.patch
new file mode 100644 (file)
index 0000000..e5c5227
--- /dev/null
@@ -0,0 +1,95 @@
+From 6d4faab0e669b4e1864c0a535f4956441c8cdc1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 23:28:33 +0200
+Subject: ACPI: battery: Simplify battery hook locking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit 86309cbed26139e1caae7629dcca1027d9a28e75 ]
+
+Move the conditional locking from __battery_hook_unregister()
+into battery_hook_unregister() and rename the low-level function
+to simplify the locking during battery hook removal.
+
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20241001212835.341788-2-W_Armin@gmx.de
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: 76959aff14a0 ("ACPI: battery: Fix possible crash when unregistering a battery hook")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/battery.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
+index 88f4040d6c1f2..b741ed87ab3db 100644
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -713,27 +713,27 @@ static LIST_HEAD(acpi_battery_list);
+ static LIST_HEAD(battery_hook_list);
+ static DEFINE_MUTEX(hook_mutex);
+-static void __battery_hook_unregister(struct acpi_battery_hook *hook, int lock)
++static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook)
+ {
+       struct acpi_battery *battery;
++
+       /*
+        * In order to remove a hook, we first need to
+        * de-register all the batteries that are registered.
+        */
+-      if (lock)
+-              mutex_lock(&hook_mutex);
+       list_for_each_entry(battery, &acpi_battery_list, list) {
+               hook->remove_battery(battery->bat);
+       }
+       list_del(&hook->list);
+-      if (lock)
+-              mutex_unlock(&hook_mutex);
++
+       pr_info("extension unregistered: %s\n", hook->name);
+ }
+ void battery_hook_unregister(struct acpi_battery_hook *hook)
+ {
+-      __battery_hook_unregister(hook, 1);
++      mutex_lock(&hook_mutex);
++      battery_hook_unregister_unlocked(hook);
++      mutex_unlock(&hook_mutex);
+ }
+ EXPORT_SYMBOL_GPL(battery_hook_unregister);
+@@ -759,7 +759,7 @@ void battery_hook_register(struct acpi_battery_hook *hook)
+                        * hooks.
+                        */
+                       pr_err("extension failed to load: %s", hook->name);
+-                      __battery_hook_unregister(hook, 0);
++                      battery_hook_unregister_unlocked(hook);
+                       goto end;
+               }
+       }
+@@ -796,7 +796,7 @@ static void battery_hook_add_battery(struct acpi_battery *battery)
+                        */
+                       pr_err("error in extension, unloading: %s",
+                                       hook_node->name);
+-                      __battery_hook_unregister(hook_node, 0);
++                      battery_hook_unregister_unlocked(hook_node);
+               }
+       }
+       mutex_unlock(&hook_mutex);
+@@ -829,7 +829,7 @@ static void __exit battery_hook_exit(void)
+        * need to remove the hooks.
+        */
+       list_for_each_entry_safe(hook, ptr, &battery_hook_list, list) {
+-              __battery_hook_unregister(hook, 1);
++              battery_hook_unregister(hook);
+       }
+       mutex_destroy(&hook_mutex);
+ }
+-- 
+2.43.0
+
diff --git a/queue-4.19/arm64-add-cortex-715-cpu-part-definition.patch b/queue-4.19/arm64-add-cortex-715-cpu-part-definition.patch
new file mode 100644 (file)
index 0000000..8f96267
--- /dev/null
@@ -0,0 +1,51 @@
+From a055a8a6d63cf50f32fd7813219269d591336c9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 13:20:26 +0100
+Subject: arm64: Add Cortex-715 CPU part definition
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+[ Upstream commit 07e39e60bbf0ccd5f895568e1afca032193705c0 ]
+
+Add the CPU Partnumbers for the new Arm designs.
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20221116140915.356601-2-anshuman.khandual@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+[ Mark: Trivial backport ]
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
+index f8be4d7ecde28..e3df8b0c067bf 100644
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -86,6 +86,7 @@
+ #define ARM_CPU_PART_CORTEX_A78               0xD41
+ #define ARM_CPU_PART_CORTEX_X1                0xD44
+ #define ARM_CPU_PART_CORTEX_A710      0xD47
++#define ARM_CPU_PART_CORTEX_A715      0xD4D
+ #define ARM_CPU_PART_CORTEX_X2                0xD48
+ #define ARM_CPU_PART_NEOVERSE_N2      0xD49
+ #define ARM_CPU_PART_CORTEX_A78C      0xD4B
+@@ -130,6 +131,7 @@
+ #define MIDR_CORTEX_A78       MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78)
+ #define MIDR_CORTEX_X1        MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1)
+ #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710)
++#define MIDR_CORTEX_A715 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A715)
+ #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2)
+ #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2)
+ #define MIDR_CORTEX_A78C      MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C)
+-- 
+2.43.0
+
diff --git a/queue-4.19/arm64-cputype-add-neoverse-n3-definitions.patch b/queue-4.19/arm64-cputype-add-neoverse-n3-definitions.patch
new file mode 100644 (file)
index 0000000..da115ec
--- /dev/null
@@ -0,0 +1,52 @@
+From 9be720e437ed90d4be3de949acabcfa31deabe68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 13:20:27 +0100
+Subject: arm64: cputype: Add Neoverse-N3 definitions
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 924725707d80bc2588cefafef76ff3f164d299bc ]
+
+Add cputype definitions for Neoverse-N3. These will be used for errata
+detection in subsequent patches.
+
+These values can be found in Table A-261 ("MIDR_EL1 bit descriptions")
+in issue 02 of the Neoverse-N3 TRM, which can be found at:
+
+  https://developer.arm.com/documentation/107997/0000/?lang=en
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20240930111705.3352047-2-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+[ Mark: trivial backport ]
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
+index e3df8b0c067bf..b8593cebb4ff4 100644
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -98,6 +98,7 @@
+ #define ARM_CPU_PART_NEOVERSE_V3      0xD84
+ #define ARM_CPU_PART_CORTEX_X925      0xD85
+ #define ARM_CPU_PART_CORTEX_A725      0xD87
++#define ARM_CPU_PART_NEOVERSE_N3      0xD8E
+ #define APM_CPU_PART_POTENZA          0x000
+@@ -143,6 +144,7 @@
+ #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
+ #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
+ #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
++#define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
+ #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
+ #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
+ #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
+-- 
+2.43.0
+
diff --git a/queue-4.19/arm64-errata-expand-speculative-ssbs-workaround-once.patch b/queue-4.19/arm64-errata-expand-speculative-ssbs-workaround-once.patch
new file mode 100644 (file)
index 0000000..aa2051c
--- /dev/null
@@ -0,0 +1,112 @@
+From 39edc576aca9aede707e262c425e0f85bc10e7be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 13:20:28 +0100
+Subject: arm64: errata: Expand speculative SSBS workaround once more
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 081eb7932c2b244f63317a982c5e3990e2c7fbdd ]
+
+A number of Arm Ltd CPUs suffer from errata whereby an MSR to the SSBS
+special-purpose register does not affect subsequent speculative
+instructions, permitting speculative store bypassing for a window of
+time.
+
+We worked around this for a number of CPUs in commits:
+
+* 7187bb7d0b5c7dfa ("arm64: errata: Add workaround for Arm errata 3194386 and 3312417")
+* 75b3c43eab594bfb ("arm64: errata: Expand speculative SSBS workaround")
+* 145502cac7ea70b5 ("arm64: errata: Expand speculative SSBS workaround (again)")
+
+Since then, a (hopefully final) batch of updates have been published,
+with two more affected CPUs. For the affected CPUs the existing
+mitigation is sufficient, as described in their respective Software
+Developer Errata Notice (SDEN) documents:
+
+* Cortex-A715 (MP148) SDEN v15.0, erratum 3456084
+  https://developer.arm.com/documentation/SDEN-2148827/1500/
+
+* Neoverse-N3 (MP195) SDEN v5.0, erratum 3456111
+  https://developer.arm.com/documentation/SDEN-3050973/0500/
+
+Enable the existing mitigation by adding the relevant MIDRs to
+erratum_spec_ssbs_list, and update silicon-errata.rst and the
+Kconfig text accordingly.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20240930111705.3352047-3-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+[ Mark: fix conflict in silicon-errata.rst, handle move and rename ]
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/arm64/silicon-errata.txt | 2 ++
+ arch/arm64/Kconfig                     | 2 ++
+ arch/arm64/kernel/cpu_errata.c         | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/Documentation/arm64/silicon-errata.txt b/Documentation/arm64/silicon-errata.txt
+index eab3b0cf0dbe9..a67ba12ffa035 100644
+--- a/Documentation/arm64/silicon-errata.txt
++++ b/Documentation/arm64/silicon-errata.txt
+@@ -66,6 +66,7 @@ stable kernels.
+ | ARM            | Cortex-A78      | #3324344        | ARM64_ERRATUM_3194386       |
+ | ARM            | Cortex-A78C     | #3324346,3324347| ARM64_ERRATUM_3194386       |
+ | ARM            | Cortex-A710     | #3324338        | ARM64_ERRATUM_3194386       |
++| ARM            | Cortex-A715     | #3456084        | ARM64_ERRATUM_3194386       |
+ | ARM            | Cortex-A720     | #3456091        | ARM64_ERRATUM_3194386       |
+ | ARM            | Cortex-A725     | #3456106        | ARM64_ERRATUM_3194386       |
+ | ARM            | Cortex-X1       | #3324344        | ARM64_ERRATUM_3194386       |
+@@ -77,6 +78,7 @@ stable kernels.
+ | ARM            | Neoverse-N1     | #1542419        | ARM64_ERRATUM_1542419       |
+ | ARM            | Neoverse-N1     | #3324349        | ARM64_ERRATUM_3194386       |
+ | ARM            | Neoverse-N2     | #3324339        | ARM64_ERRATUM_3194386       |
++| ARM            | Neoverse-N3     | #3456111        | ARM64_ERRATUM_3194386       |
+ | ARM            | Neoverse-V1     | #3324341        | ARM64_ERRATUM_3194386       |
+ | ARM            | Neoverse-V2     | #3324336        | ARM64_ERRATUM_3194386       |
+ | ARM            | Neoverse-V3     | #3312417        | ARM64_ERRATUM_3194386       |
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 15c7a2b6e491e..5fa1b1d3172e9 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -543,6 +543,7 @@ config ARM64_ERRATUM_3194386
+         * ARM Cortex-A78C erratum 3324346
+         * ARM Cortex-A78C erratum 3324347
+         * ARM Cortex-A710 erratam 3324338
++        * ARM Cortex-A715 errartum 3456084
+         * ARM Cortex-A720 erratum 3456091
+         * ARM Cortex-A725 erratum 3456106
+         * ARM Cortex-X1 erratum 3324344
+@@ -553,6 +554,7 @@ config ARM64_ERRATUM_3194386
+         * ARM Cortex-X925 erratum 3324334
+         * ARM Neoverse-N1 erratum 3324349
+         * ARM Neoverse N2 erratum 3324339
++        * ARM Neoverse-N3 erratum 3456111
+         * ARM Neoverse-V1 erratum 3324341
+         * ARM Neoverse V2 erratum 3324336
+         * ARM Neoverse-V3 erratum 3312417
+diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
+index e87f8d60075d7..a92530a8d7fcd 100644
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -714,6 +714,7 @@ static const struct midr_range erratum_spec_ssbs_list[] = {
+       MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+       MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+       MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
++      MIDR_ALL_VERSIONS(MIDR_CORTEX_A715),
+       MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
+       MIDR_ALL_VERSIONS(MIDR_CORTEX_A725),
+       MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+@@ -724,6 +725,7 @@ static const struct midr_range erratum_spec_ssbs_list[] = {
+       MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
+       MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+       MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
++      MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N3),
+       MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+       MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+       MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+-- 
+2.43.0
+
diff --git a/queue-4.19/ext4-avoid-ext4_error-s-caused-by-enomem-in-the-trun.patch b/queue-4.19/ext4-avoid-ext4_error-s-caused-by-enomem-in-the-trun.patch
new file mode 100644 (file)
index 0000000..2301aeb
--- /dev/null
@@ -0,0 +1,172 @@
+From 420c7eabf63d0b0f261e7deea0268fbba6da7b9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 May 2020 10:50:28 -0700
+Subject: ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+[ Upstream commit 73c384c0cdaa8ea9ca9ef2d0cff6a25930f1648e ]
+
+We can't fail in the truncate path without requiring an fsck.
+Add work around for this by using a combination of retry loops
+and the __GFP_NOFAIL flag.
+
+From: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Anna Pendleton <pendleton@google.com>
+Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+Link: https://lore.kernel.org/r/20200507175028.15061-1-pendleton@google.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: c26ab35702f8 ("ext4: fix slab-use-after-free in ext4_split_extent_at()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ext4.h    |  1 +
+ fs/ext4/extents.c | 43 +++++++++++++++++++++++++++++++++----------
+ 2 files changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index fa2579abea7df..3871df6b67322 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -629,6 +629,7 @@ enum {
+  */
+ #define EXT4_EX_NOCACHE                               0x40000000
+ #define EXT4_EX_FORCE_CACHE                   0x20000000
++#define EXT4_EX_NOFAIL                                0x10000000
+ /*
+  * Flags used by ext4_free_blocks
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 1762a6330a53c..080a7a401a4e1 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -290,11 +290,14 @@ ext4_force_split_extent_at(handle_t *handle, struct inode *inode,
+ {
+       struct ext4_ext_path *path = *ppath;
+       int unwritten = ext4_ext_is_unwritten(path[path->p_depth].p_ext);
++      int flags = EXT4_EX_NOCACHE | EXT4_GET_BLOCKS_PRE_IO;
++
++      if (nofail)
++              flags |= EXT4_GET_BLOCKS_METADATA_NOFAIL | EXT4_EX_NOFAIL;
+       return ext4_split_extent_at(handle, inode, ppath, lblk, unwritten ?
+                       EXT4_EXT_MARK_UNWRIT1|EXT4_EXT_MARK_UNWRIT2 : 0,
+-                      EXT4_EX_NOCACHE | EXT4_GET_BLOCKS_PRE_IO |
+-                      (nofail ? EXT4_GET_BLOCKS_METADATA_NOFAIL:0));
++                      flags);
+ }
+ /*
+@@ -536,8 +539,12 @@ __read_extent_tree_block(const char *function, unsigned int line,
+ {
+       struct buffer_head              *bh;
+       int                             err;
++      gfp_t                           gfp_flags = __GFP_MOVABLE | GFP_NOFS;
++
++      if (flags & EXT4_EX_NOFAIL)
++              gfp_flags |= __GFP_NOFAIL;
+-      bh = sb_getblk_gfp(inode->i_sb, pblk, __GFP_MOVABLE | GFP_NOFS);
++      bh = sb_getblk_gfp(inode->i_sb, pblk, gfp_flags);
+       if (unlikely(!bh))
+               return ERR_PTR(-ENOMEM);
+@@ -879,6 +886,10 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
+       struct ext4_ext_path *path = orig_path ? *orig_path : NULL;
+       short int depth, i, ppos = 0;
+       int ret;
++      gfp_t gfp_flags = GFP_NOFS;
++
++      if (flags & EXT4_EX_NOFAIL)
++              gfp_flags |= __GFP_NOFAIL;
+       eh = ext_inode_hdr(inode);
+       depth = ext_depth(inode);
+@@ -899,7 +910,7 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
+       if (!path) {
+               /* account possible depth increase */
+               path = kcalloc(depth + 2, sizeof(struct ext4_ext_path),
+-                              GFP_NOFS);
++                              gfp_flags);
+               if (unlikely(!path))
+                       return ERR_PTR(-ENOMEM);
+               path[0].p_maxdepth = depth + 1;
+@@ -1049,9 +1060,13 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+       ext4_fsblk_t newblock, oldblock;
+       __le32 border;
+       ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
++      gfp_t gfp_flags = GFP_NOFS;
+       int err = 0;
+       size_t ext_size = 0;
++      if (flags & EXT4_EX_NOFAIL)
++              gfp_flags |= __GFP_NOFAIL;
++
+       /* make decision: where to split? */
+       /* FIXME: now decision is simplest: at current extent */
+@@ -1085,7 +1100,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode,
+        * We need this to handle errors and free blocks
+        * upon them.
+        */
+-      ablocks = kcalloc(depth, sizeof(ext4_fsblk_t), GFP_NOFS);
++      ablocks = kcalloc(depth, sizeof(ext4_fsblk_t), gfp_flags);
+       if (!ablocks)
+               return -ENOMEM;
+@@ -2075,7 +2090,7 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
+       if (next != EXT_MAX_BLOCKS) {
+               ext_debug("next leaf block - %u\n", next);
+               BUG_ON(npath != NULL);
+-              npath = ext4_find_extent(inode, next, NULL, 0);
++              npath = ext4_find_extent(inode, next, NULL, gb_flags);
+               if (IS_ERR(npath))
+                       return PTR_ERR(npath);
+               BUG_ON(npath->p_depth != path->p_depth);
+@@ -2878,7 +2893,8 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start,
+               ext4_fsblk_t pblk;
+               /* find extent for or closest extent to this block */
+-              path = ext4_find_extent(inode, end, NULL, EXT4_EX_NOCACHE);
++              path = ext4_find_extent(inode, end, NULL,
++                                      EXT4_EX_NOCACHE | EXT4_EX_NOFAIL);
+               if (IS_ERR(path)) {
+                       ext4_journal_stop(handle);
+                       return PTR_ERR(path);
+@@ -2960,7 +2976,7 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start,
+                               le16_to_cpu(path[k].p_hdr->eh_entries)+1;
+       } else {
+               path = kcalloc(depth + 1, sizeof(struct ext4_ext_path),
+-                             GFP_NOFS);
++                             GFP_NOFS | __GFP_NOFAIL);
+               if (path == NULL) {
+                       ext4_journal_stop(handle);
+                       return -ENOMEM;
+@@ -3382,7 +3398,7 @@ static int ext4_split_extent(handle_t *handle,
+        * Update path is required because previous ext4_split_extent_at() may
+        * result in split of original leaf or extent zeroout.
+        */
+-      path = ext4_find_extent(inode, map->m_lblk, ppath, 0);
++      path = ext4_find_extent(inode, map->m_lblk, ppath, flags);
+       if (IS_ERR(path))
+               return PTR_ERR(path);
+       depth = ext_depth(inode);
+@@ -4677,7 +4693,14 @@ int ext4_ext_truncate(handle_t *handle, struct inode *inode)
+       }
+       if (err)
+               return err;
+-      return ext4_ext_remove_space(inode, last_block, EXT_MAX_BLOCKS - 1);
++retry_remove_space:
++      err = ext4_ext_remove_space(inode, last_block, EXT_MAX_BLOCKS - 1);
++      if (err == -ENOMEM) {
++              cond_resched();
++              congestion_wait(BLK_RW_ASYNC, HZ/50);
++              goto retry_remove_space;
++      }
++      return err;
+ }
+ static int ext4_alloc_file_blocks(struct file *file, ext4_lblk_t offset,
+-- 
+2.43.0
+
diff --git a/queue-4.19/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch b/queue-4.19/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch
new file mode 100644 (file)
index 0000000..083fa51
--- /dev/null
@@ -0,0 +1,132 @@
+From 81d34ae8f6382336bb197a710ccbb2fba4fe337f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 10:35:23 +0800
+Subject: ext4: fix slab-use-after-free in ext4_split_extent_at()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f ]
+
+We hit the following use-after-free:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
+Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
+CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
+Call Trace:
+ <TASK>
+ kasan_report+0x93/0xc0
+ ext4_split_extent_at+0xba8/0xcc0
+ ext4_split_extent.isra.0+0x18f/0x500
+ ext4_split_convert_extents+0x275/0x750
+ ext4_ext_handle_unwritten_extents+0x73e/0x1580
+ ext4_ext_map_blocks+0xe20/0x2dc0
+ ext4_map_blocks+0x724/0x1700
+ ext4_do_writepages+0x12d6/0x2a70
+[...]
+
+Allocated by task 40:
+ __kmalloc_noprof+0x1ac/0x480
+ ext4_find_extent+0xf3b/0x1e70
+ ext4_ext_map_blocks+0x188/0x2dc0
+ ext4_map_blocks+0x724/0x1700
+ ext4_do_writepages+0x12d6/0x2a70
+[...]
+
+Freed by task 40:
+ kfree+0xf1/0x2b0
+ ext4_find_extent+0xa71/0x1e70
+ ext4_ext_insert_extent+0xa22/0x3260
+ ext4_split_extent_at+0x3ef/0xcc0
+ ext4_split_extent.isra.0+0x18f/0x500
+ ext4_split_convert_extents+0x275/0x750
+ ext4_ext_handle_unwritten_extents+0x73e/0x1580
+ ext4_ext_map_blocks+0xe20/0x2dc0
+ ext4_map_blocks+0x724/0x1700
+ ext4_do_writepages+0x12d6/0x2a70
+[...]
+==================================================================
+
+The flow of issue triggering is as follows:
+
+ext4_split_extent_at
+  path = *ppath
+  ext4_ext_insert_extent(ppath)
+    ext4_ext_create_new_leaf(ppath)
+      ext4_find_extent(orig_path)
+        path = *orig_path
+        read_extent_tree_block
+          // return -ENOMEM or -EIO
+        ext4_free_ext_path(path)
+          kfree(path)
+        *orig_path = NULL
+  a. If err is -ENOMEM:
+  ext4_ext_dirty(path + path->p_depth)
+  // path use-after-free !!!
+  b. If err is -EIO and we have EXT_DEBUG defined:
+  ext4_ext_show_leaf(path)
+    eh = path[depth].p_hdr
+    // path also use-after-free !!!
+
+So when trying to zeroout or fix the extent length, call ext4_find_extent()
+to update the path.
+
+In addition we use *ppath directly as an ext4_ext_show_leaf() input to
+avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
+unnecessary path updates.
+
+Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code")
+Cc: stable@kernel.org
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 080a7a401a4e1..c538d09542391 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3294,6 +3294,25 @@ static int ext4_split_extent_at(handle_t *handle,
+       if (err != -ENOSPC && err != -EDQUOT)
+               goto out;
++      /*
++       * Update path is required because previous ext4_ext_insert_extent()
++       * may have freed or reallocated the path. Using EXT4_EX_NOFAIL
++       * guarantees that ext4_find_extent() will not return -ENOMEM,
++       * otherwise -ENOMEM will cause a retry in do_writepages(), and a
++       * WARN_ON may be triggered in ext4_da_update_reserve_space() due to
++       * an incorrect ee_len causing the i_reserved_data_blocks exception.
++       */
++      path = ext4_find_extent(inode, ee_block, ppath,
++                              flags | EXT4_EX_NOFAIL);
++      if (IS_ERR(path)) {
++              EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
++                               split, PTR_ERR(path));
++              return PTR_ERR(path);
++      }
++      depth = ext_depth(inode);
++      ex = path[depth].p_ext;
++      *ppath = path;
++
+       if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
+               if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
+                       if (split_flag & EXT4_EXT_DATA_VALID1) {
+@@ -3342,7 +3361,7 @@ static int ext4_split_extent_at(handle_t *handle,
+       ext4_ext_dirty(handle, inode, path + path->p_depth);
+       return err;
+ out:
+-      ext4_ext_show_leaf(inode, path);
++      ext4_ext_show_leaf(inode, *ppath);
+       return err;
+ }
+-- 
+2.43.0
+
diff --git a/queue-4.19/ext4-update-orig_path-in-ext4_find_extent.patch b/queue-4.19/ext4-update-orig_path-in-ext4_find_extent.patch
new file mode 100644 (file)
index 0000000..dc0b6d3
--- /dev/null
@@ -0,0 +1,93 @@
+From 46cf36dd9114f4f0aaeaa327b40d141b9306bf82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2024 10:35:25 +0800
+Subject: ext4: update orig_path in ext4_find_extent()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 ]
+
+In ext4_find_extent(), if the path is not big enough, we free it and set
+*orig_path to NULL. But after reallocating and successfully initializing
+the path, we don't update *orig_path, in which case the caller gets a
+valid path but a NULL ppath, and this may cause a NULL pointer dereference
+or a path memory leak. For example:
+
+ext4_split_extent
+  path = *ppath = 2000
+  ext4_find_extent
+    if (depth > path[0].p_maxdepth)
+      kfree(path = 2000);
+      *orig_path = path = NULL;
+      path = kcalloc() = 3000
+  ext4_split_extent_at(*ppath = NULL)
+    path = *ppath;
+    ex = path[depth].p_ext;
+    // NULL pointer dereference!
+
+==================================================================
+BUG: kernel NULL pointer dereference, address: 0000000000000010
+CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
+RIP: 0010:ext4_split_extent_at+0x6d/0x560
+Call Trace:
+ <TASK>
+ ext4_split_extent.isra.0+0xcb/0x1b0
+ ext4_ext_convert_to_initialized+0x168/0x6c0
+ ext4_ext_handle_unwritten_extents+0x325/0x4d0
+ ext4_ext_map_blocks+0x520/0xdb0
+ ext4_map_blocks+0x2b0/0x690
+ ext4_iomap_begin+0x20e/0x2c0
+[...]
+==================================================================
+
+Therefore, *orig_path is updated when the extent lookup succeeds, so that
+the caller can safely use path or *ppath.
+
+Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary")
+Cc: stable@kernel.org
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20240822023545.1994557-6-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents.c     | 3 ++-
+ fs/ext4/move_extent.c | 1 -
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index c538d09542391..63380c2910077 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -956,6 +956,8 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
+       ext4_ext_show_path(inode, path);
++      if (orig_path)
++              *orig_path = path;
+       return path;
+ err:
+@@ -3311,7 +3313,6 @@ static int ext4_split_extent_at(handle_t *handle,
+       }
+       depth = ext_depth(inode);
+       ex = path[depth].p_ext;
+-      *ppath = path;
+       if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
+               if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
+diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
+index 2c368d67a33ac..1581b48af1fed 100644
+--- a/fs/ext4/move_extent.c
++++ b/fs/ext4/move_extent.c
+@@ -37,7 +37,6 @@ get_ext_path(struct inode *inode, ext4_lblk_t lblock,
+               *ppath = NULL;
+               return -ENODATA;
+       }
+-      *ppath = path;
+       return 0;
+ }
+-- 
+2.43.0
+
diff --git a/queue-4.19/nfsd-fix-delegation_blocked-to-block-correctly-for-a.patch b/queue-4.19/nfsd-fix-delegation_blocked-to-block-correctly-for-a.patch
new file mode 100644 (file)
index 0000000..acccdb3
--- /dev/null
@@ -0,0 +1,65 @@
+From 68b65ac1c11b72f2bb6f74ff40b87aefb6ef4f5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 15:06:36 +1000
+Subject: nfsd: fix delegation_blocked() to block correctly for at least 30
+ seconds
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 45bb63ed20e02ae146336412889fe5450316a84f ]
+
+The pair of bloom filtered used by delegation_blocked() was intended to
+block delegations on given filehandles for between 30 and 60 seconds.  A
+new filehandle would be recorded in the "new" bit set.  That would then
+be switch to the "old" bit set between 0 and 30 seconds later, and it
+would remain as the "old" bit set for 30 seconds.
+
+Unfortunately the code intended to clear the old bit set once it reached
+30 seconds old, preparing it to be the next new bit set, instead cleared
+the *new* bit set before switching it to be the old bit set.  This means
+that the "old" bit set is always empty and delegations are blocked
+between 0 and 30 seconds.
+
+This patch updates bd->new before clearing the set with that index,
+instead of afterwards.
+
+Reported-by: Olga Kornievskaia <okorniev@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 6282cd565553 ("NFSD: Don't hand out delegations for 30 seconds after recalling them.")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index acb43210d2dc5..061694c405ac3 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -743,7 +743,8 @@ static void nfs4_free_deleg(struct nfs4_stid *stid)
+  * When a delegation is recalled, the filehandle is stored in the "new"
+  * filter.
+  * Every 30 seconds we swap the filters and clear the "new" one,
+- * unless both are empty of course.
++ * unless both are empty of course.  This results in delegations for a
++ * given filehandle being blocked for between 30 and 60 seconds.
+  *
+  * Each filter is 256 bits.  We hash the filehandle to 32bit and use the
+  * low 3 bytes as hash-table indices.
+@@ -772,9 +773,9 @@ static int delegation_blocked(struct knfsd_fh *fh)
+               if (ktime_get_seconds() - bd->swap_time > 30) {
+                       bd->entries -= bd->old_entries;
+                       bd->old_entries = bd->entries;
++                      bd->new = 1-bd->new;
+                       memset(bd->set[bd->new], 0,
+                              sizeof(bd->set[0]));
+-                      bd->new = 1-bd->new;
+                       bd->swap_time = ktime_get_seconds();
+               }
+               spin_unlock(&blocked_delegations_lock);
+-- 
+2.43.0
+
diff --git a/queue-4.19/nfsd-use-ktime_get_seconds-for-timestamps.patch b/queue-4.19/nfsd-use-ktime_get_seconds-for-timestamps.patch
new file mode 100644 (file)
index 0000000..76e787a
--- /dev/null
@@ -0,0 +1,64 @@
+From b31c33085bd525bff0c48a945e3f28459f9755a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2017 11:25:34 +0200
+Subject: nfsd: use ktime_get_seconds() for timestamps
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b3f255ef6bffc18a28c3b6295357f2a3380c033f ]
+
+The delegation logic in nfsd uses the somewhat inefficient
+seconds_since_boot() function to record time intervals.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Stable-dep-of: 45bb63ed20e0 ("nfsd: fix delegation_blocked() to block correctly for at least 30 seconds")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 7ac644d64ab1d..acb43210d2dc5 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -755,7 +755,7 @@ static void nfs4_free_deleg(struct nfs4_stid *stid)
+ static DEFINE_SPINLOCK(blocked_delegations_lock);
+ static struct bloom_pair {
+       int     entries, old_entries;
+-      time_t  swap_time;
++      time64_t swap_time;
+       int     new; /* index into 'set' */
+       DECLARE_BITMAP(set[2], 256);
+ } blocked_delegations;
+@@ -767,15 +767,15 @@ static int delegation_blocked(struct knfsd_fh *fh)
+       if (bd->entries == 0)
+               return 0;
+-      if (seconds_since_boot() - bd->swap_time > 30) {
++      if (ktime_get_seconds() - bd->swap_time > 30) {
+               spin_lock(&blocked_delegations_lock);
+-              if (seconds_since_boot() - bd->swap_time > 30) {
++              if (ktime_get_seconds() - bd->swap_time > 30) {
+                       bd->entries -= bd->old_entries;
+                       bd->old_entries = bd->entries;
+                       memset(bd->set[bd->new], 0,
+                              sizeof(bd->set[0]));
+                       bd->new = 1-bd->new;
+-                      bd->swap_time = seconds_since_boot();
++                      bd->swap_time = ktime_get_seconds();
+               }
+               spin_unlock(&blocked_delegations_lock);
+       }
+@@ -805,7 +805,7 @@ static void block_delegations(struct knfsd_fh *fh)
+       __set_bit((hash>>8)&255, bd->set[bd->new]);
+       __set_bit((hash>>16)&255, bd->set[bd->new]);
+       if (bd->entries == 0)
+-              bd->swap_time = seconds_since_boot();
++              bd->swap_time = ktime_get_seconds();
+       bd->entries += 1;
+       spin_unlock(&blocked_delegations_lock);
+ }
+-- 
+2.43.0
+
diff --git a/queue-4.19/rtc-at91sam9-drop-platform_data-support.patch b/queue-4.19/rtc-at91sam9-drop-platform_data-support.patch
new file mode 100644 (file)
index 0000000..6e28637
--- /dev/null
@@ -0,0 +1,118 @@
+From b0ef1a814ae06a714af06243bebb3517c442e2e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Mar 2019 13:40:37 +0100
+Subject: rtc: at91sam9: drop platform_data support
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit 1a76a77c8800a50b98bd38b7b1ffec32fe107bc1 ]
+
+ARCH_AT91 is DT only for a while, drop platform data support.
+
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Stable-dep-of: 73580e2ee6ad ("rtc: at91sam9: fix OF node leak in probe() error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/Kconfig        |  2 +-
+ drivers/rtc/rtc-at91sam9.c | 44 +++++++-------------------------------
+ 2 files changed, 9 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/rtc/Kconfig b/drivers/rtc/Kconfig
+index 199cc39459198..6dedba21683f5 100644
+--- a/drivers/rtc/Kconfig
++++ b/drivers/rtc/Kconfig
+@@ -1404,7 +1404,7 @@ config RTC_DRV_AT91RM9200
+ config RTC_DRV_AT91SAM9
+       tristate "AT91SAM9 RTT as RTC"
+       depends on ARCH_AT91 || COMPILE_TEST
+-      depends on HAS_IOMEM
++      depends on OF && HAS_IOMEM
+       select MFD_SYSCON
+       help
+         Some AT91SAM9 SoCs provide an RTT (Real Time Timer) block which
+diff --git a/drivers/rtc/rtc-at91sam9.c b/drivers/rtc/rtc-at91sam9.c
+index ee71e647fd433..1c8bdf77f6edd 100644
+--- a/drivers/rtc/rtc-at91sam9.c
++++ b/drivers/rtc/rtc-at91sam9.c
+@@ -348,13 +348,6 @@ static const struct rtc_class_ops at91_rtc_ops = {
+       .alarm_irq_enable = at91_rtc_alarm_irq_enable,
+ };
+-static const struct regmap_config gpbr_regmap_config = {
+-      .name = "gpbr",
+-      .reg_bits = 32,
+-      .val_bits = 32,
+-      .reg_stride = 4,
+-};
+-
+ /*
+  * Initialize and install RTC driver
+  */
+@@ -365,6 +358,7 @@ static int at91_rtc_probe(struct platform_device *pdev)
+       int             ret, irq;
+       u32             mr;
+       unsigned int    sclk_rate;
++      struct of_phandle_args args;
+       irq = platform_get_irq(pdev, 0);
+       if (irq < 0) {
+@@ -390,34 +384,14 @@ static int at91_rtc_probe(struct platform_device *pdev)
+       if (IS_ERR(rtc->rtt))
+               return PTR_ERR(rtc->rtt);
+-      if (!pdev->dev.of_node) {
+-              /*
+-               * TODO: Remove this code chunk when removing non DT board
+-               * support. Remember to remove the gpbr_regmap_config
+-               * variable too.
+-               */
+-              void __iomem *gpbr;
+-
+-              r = platform_get_resource(pdev, IORESOURCE_MEM, 1);
+-              gpbr = devm_ioremap_resource(&pdev->dev, r);
+-              if (IS_ERR(gpbr))
+-                      return PTR_ERR(gpbr);
+-
+-              rtc->gpbr = regmap_init_mmio(NULL, gpbr,
+-                                           &gpbr_regmap_config);
+-      } else {
+-              struct of_phandle_args args;
+-
+-              ret = of_parse_phandle_with_fixed_args(pdev->dev.of_node,
+-                                              "atmel,rtt-rtc-time-reg", 1, 0,
+-                                              &args);
+-              if (ret)
+-                      return ret;
+-
+-              rtc->gpbr = syscon_node_to_regmap(args.np);
+-              rtc->gpbr_offset = args.args[0];
+-      }
++      ret = of_parse_phandle_with_fixed_args(pdev->dev.of_node,
++                                      "atmel,rtt-rtc-time-reg", 1, 0,
++                                      &args);
++      if (ret)
++              return ret;
++      rtc->gpbr = syscon_node_to_regmap(args.np);
++      rtc->gpbr_offset = args.args[0];
+       if (IS_ERR(rtc->gpbr)) {
+               dev_err(&pdev->dev, "failed to retrieve gpbr regmap, aborting.\n");
+               return -ENOMEM;
+@@ -569,13 +543,11 @@ static int at91_rtc_resume(struct device *dev)
+ static SIMPLE_DEV_PM_OPS(at91_rtc_pm_ops, at91_rtc_suspend, at91_rtc_resume);
+-#ifdef CONFIG_OF
+ static const struct of_device_id at91_rtc_dt_ids[] = {
+       { .compatible = "atmel,at91sam9260-rtt" },
+       { /* sentinel */ }
+ };
+ MODULE_DEVICE_TABLE(of, at91_rtc_dt_ids);
+-#endif
+ static struct platform_driver at91_rtc_driver = {
+       .probe          = at91_rtc_probe,
+-- 
+2.43.0
+
diff --git a/queue-4.19/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch b/queue-4.19/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch
new file mode 100644 (file)
index 0000000..ca9ac16
--- /dev/null
@@ -0,0 +1,37 @@
+From 8d5cc1d2a28fa93c370839822287867ea3702d10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Aug 2024 20:31:03 +0200
+Subject: rtc: at91sam9: fix OF node leak in probe() error path
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 73580e2ee6adfb40276bd420da3bb1abae204e10 ]
+
+Driver is leaking an OF node reference obtained from
+of_parse_phandle_with_fixed_args().
+
+Fixes: 43e112bb3dea ("rtc: at91sam9: make use of syscon/regmap to access GPBR registers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240825183103.102904-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-at91sam9.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/rtc/rtc-at91sam9.c b/drivers/rtc/rtc-at91sam9.c
+index 1c8bdf77f6edd..4672dde68c782 100644
+--- a/drivers/rtc/rtc-at91sam9.c
++++ b/drivers/rtc/rtc-at91sam9.c
+@@ -391,6 +391,7 @@ static int at91_rtc_probe(struct platform_device *pdev)
+               return ret;
+       rtc->gpbr = syscon_node_to_regmap(args.np);
++      of_node_put(args.np);
+       rtc->gpbr_offset = args.args[0];
+       if (IS_ERR(rtc->gpbr)) {
+               dev_err(&pdev->dev, "failed to retrieve gpbr regmap, aborting.\n");
+-- 
+2.43.0
+
index 46ec4a3babfff622e6464555a0167a8ceb21588a..d838dd465673b65e71979e0c1499dfdff874e994 100644 (file)
@@ -212,3 +212,16 @@ tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch
 input-adp5589-keys-fix-adp5589_gpio_get_value.patch
 btrfs-wait-for-fixup-workers-before-stopping-cleaner-kthread-during-umount.patch
 gpio-davinci-fix-lazy-disable.patch
+ext4-avoid-ext4_error-s-caused-by-enomem-in-the-trun.patch
+ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch
+ext4-update-orig_path-in-ext4_find_extent.patch
+arm64-add-cortex-715-cpu-part-definition.patch
+arm64-cputype-add-neoverse-n3-definitions.patch
+arm64-errata-expand-speculative-ssbs-workaround-once.patch
+uprobes-fix-kernel-info-leak-via-uprobes-vma.patch
+nfsd-use-ktime_get_seconds-for-timestamps.patch
+nfsd-fix-delegation_blocked-to-block-correctly-for-a.patch
+rtc-at91sam9-drop-platform_data-support.patch
+rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch
+acpi-battery-simplify-battery-hook-locking.patch
+acpi-battery-fix-possible-crash-when-unregistering-a.patch
diff --git a/queue-4.19/uprobes-fix-kernel-info-leak-via-uprobes-vma.patch b/queue-4.19/uprobes-fix-kernel-info-leak-via-uprobes-vma.patch
new file mode 100644 (file)
index 0000000..43756f7
--- /dev/null
@@ -0,0 +1,43 @@
+From c6d8d44d9f097a9f97ef9247c13a1af49ebdda79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 19:46:01 +0200
+Subject: uprobes: fix kernel info leak via "[uprobes]" vma
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 34820304cc2cd1804ee1f8f3504ec77813d29c8e upstream.
+
+xol_add_vma() maps the uninitialized page allocated by __create_xol_area()
+into userspace. On some architectures (x86) this memory is readable even
+without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,
+although this doesn't really matter, debugger can read this memory anyway.
+
+Link: https://lore.kernel.org/all/20240929162047.GA12611@redhat.com/
+
+Reported-by: Will Deacon <will@kernel.org>
+Fixes: d4b3b6384f98 ("uprobes/core: Allocate XOL slots for uprobes use")
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/uprobes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
+index 3361da45e1db7..3ca91daddc9f5 100644
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1198,7 +1198,7 @@ static struct xol_area *__create_xol_area(unsigned long vaddr)
+       area->xol_mapping.name = "[uprobes]";
+       area->xol_mapping.pages = area->pages;
+-      area->pages[0] = alloc_page(GFP_HIGHUSER);
++      area->pages[0] = alloc_page(GFP_HIGHUSER | __GFP_ZERO);
+       if (!area->pages[0])
+               goto free_bitmap;
+       area->pages[1] = NULL;
+-- 
+2.43.0
+