5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 19 Nov 2021 14:34:54 +0000 (15:34 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 19 Nov 2021 14:34:54 +0000 (15:34 +0100)
added patches:
erofs-fix-unsafe-pagevec-reuse-of-hooked-pclusters.patch
erofs-remove-the-occupied-parameter-from-z_erofs_pagevec_enqueue.patch
perf-core-avoid-put_page-when-gup-fails.patch
scripts-lld-version.sh-rewrite-based-on-upstream-ld-version.sh.patch
thermal-fix-null-pointer-dereferences-in-of_thermal_-functions.patch

queue-5.10/erofs-fix-unsafe-pagevec-reuse-of-hooked-pclusters.patch [new file with mode: 0644]
queue-5.10/erofs-remove-the-occupied-parameter-from-z_erofs_pagevec_enqueue.patch [new file with mode: 0644]
queue-5.10/perf-core-avoid-put_page-when-gup-fails.patch [new file with mode: 0644]
queue-5.10/scripts-lld-version.sh-rewrite-based-on-upstream-ld-version.sh.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/thermal-fix-null-pointer-dereferences-in-of_thermal_-functions.patch [new file with mode: 0644]

diff --git a/queue-5.10/erofs-fix-unsafe-pagevec-reuse-of-hooked-pclusters.patch b/queue-5.10/erofs-fix-unsafe-pagevec-reuse-of-hooked-pclusters.patch
new file mode 100644 (file)
index 0000000..fecaa33
--- /dev/null
@@ -0,0 +1,124 @@
+From foo@baz Fri Nov 19 03:21:54 PM CET 2021
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Tue, 16 Nov 2021 09:08:19 +0800
+Subject: erofs: fix unsafe pagevec reuse of hooked pclusters
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
+Cc: linux-erofs@lists.ozlabs.org, Gao Xiang <hsiangkao@linux.alibaba.com>, Chao Yu <chao@kernel.org>
+Message-ID: <20211116010819.122905-2-hsiangkao@linux.alibaba.com>
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+commit 86432a6dca9bed79111990851df5756d3eb5f57c upstream.
+
+There are pclusters in runtime marked with Z_EROFS_PCLUSTER_TAIL
+before actual I/O submission. Thus, the decompression chain can be
+extended if the following pcluster chain hooks such tail pcluster.
+
+As the related comment mentioned, if some page is made of a hooked
+pcluster and another followed pcluster, it can be reused for in-place
+I/O (since I/O should be submitted anyway):
+ _______________________________________________________________
+|  tail (partial) page |          head (partial) page           |
+|_____PRIMARY_HOOKED___|____________PRIMARY_FOLLOWED____________|
+
+However, it's by no means safe to reuse as pagevec since if such
+PRIMARY_HOOKED pclusters finally move into bypass chain without I/O
+submission. It's somewhat hard to reproduce with LZ4 and I just found
+it (general protection fault) by ro_fsstressing a LZMA image for long
+time.
+
+I'm going to actively clean up related code together with multi-page
+folio adaption in the next few months. Let's address it directly for
+easier backporting for now.
+
+Call trace for reference:
+  z_erofs_decompress_pcluster+0x10a/0x8a0 [erofs]
+  z_erofs_decompress_queue.isra.36+0x3c/0x60 [erofs]
+  z_erofs_runqueue+0x5f3/0x840 [erofs]
+  z_erofs_readahead+0x1e8/0x320 [erofs]
+  read_pages+0x91/0x270
+  page_cache_ra_unbounded+0x18b/0x240
+  filemap_get_pages+0x10a/0x5f0
+  filemap_read+0xa9/0x330
+  new_sync_read+0x11b/0x1a0
+  vfs_read+0xf1/0x190
+
+Link: https://lore.kernel.org/r/20211103182006.4040-1-xiang@kernel.org
+Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
+Cc: <stable@vger.kernel.org> # 4.19+
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/zdata.c |   13 +++++++------
+ fs/erofs/zpvec.h |   13 ++++++++++---
+ 2 files changed, 17 insertions(+), 9 deletions(-)
+
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -278,8 +278,8 @@ static inline bool z_erofs_try_inplace_i
+ /* callers must be with collection lock held */
+ static int z_erofs_attach_page(struct z_erofs_collector *clt,
+-                             struct page *page,
+-                             enum z_erofs_page_type type)
++                             struct page *page, enum z_erofs_page_type type,
++                             bool pvec_safereuse)
+ {
+       int ret;
+@@ -289,9 +289,9 @@ static int z_erofs_attach_page(struct z_
+           z_erofs_try_inplace_io(clt, page))
+               return 0;
+-      ret = z_erofs_pagevec_enqueue(&clt->vector, page, type);
++      ret = z_erofs_pagevec_enqueue(&clt->vector, page, type,
++                                    pvec_safereuse);
+       clt->cl->vcnt += (unsigned int)ret;
+-
+       return ret ? 0 : -EAGAIN;
+ }
+@@ -645,7 +645,8 @@ hitted:
+               tight &= (clt->mode >= COLLECT_PRIMARY_FOLLOWED);
+ retry:
+-      err = z_erofs_attach_page(clt, page, page_type);
++      err = z_erofs_attach_page(clt, page, page_type,
++                                clt->mode >= COLLECT_PRIMARY_FOLLOWED);
+       /* should allocate an additional staging page for pagevec */
+       if (err == -EAGAIN) {
+               struct page *const newpage =
+@@ -653,7 +654,7 @@ retry:
+               newpage->mapping = Z_EROFS_MAPPING_STAGING;
+               err = z_erofs_attach_page(clt, newpage,
+-                                        Z_EROFS_PAGE_TYPE_EXCLUSIVE);
++                                        Z_EROFS_PAGE_TYPE_EXCLUSIVE, true);
+               if (!err)
+                       goto retry;
+       }
+--- a/fs/erofs/zpvec.h
++++ b/fs/erofs/zpvec.h
+@@ -107,11 +107,18 @@ static inline void z_erofs_pagevec_ctor_
+ static inline bool z_erofs_pagevec_enqueue(struct z_erofs_pagevec_ctor *ctor,
+                                          struct page *page,
+-                                         enum z_erofs_page_type type)
++                                         enum z_erofs_page_type type,
++                                         bool pvec_safereuse)
+ {
+-      if (!ctor->next && type)
+-              if (ctor->index + 1 == ctor->nr)
++      if (!ctor->next) {
++              /* some pages cannot be reused as pvec safely without I/O */
++              if (type == Z_EROFS_PAGE_TYPE_EXCLUSIVE && !pvec_safereuse)
++                      type = Z_EROFS_VLE_PAGE_TYPE_TAIL_SHARED;
++
++              if (type != Z_EROFS_PAGE_TYPE_EXCLUSIVE &&
++                  ctor->index + 1 == ctor->nr)
+                       return false;
++      }
+       if (ctor->index >= ctor->nr)
+               z_erofs_pagevec_ctor_pagedown(ctor, false);
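Review bot: In `z_erofs_pagevec_enqueue()` the new `pvec_safereuse` flag silently rewrites `type` from `Z_EROFS_PAGE_TYPE_EXCLUSIVE` to `Z_EROFS_VLE_PAGE_TYPE_TAIL_SHARED`, and the one-line comment does not state the invariant being enforced. The rest of the function lies outside this hunk, but the context shown in the companion patch on this page suggests the rewritten value is what keeps the page from being picked as `ctor->next` and is also the tag stored with the page. Because this is a memory-safety fix, I would spell that out where it happens, e.g. `/* a page of a hooked pcluster may reach the bypass chain with no I/O submitted; it must never become the next pagevec page */`. The staging-page call in zdata.c passes a bare `true`; a short comment there saying why a freshly allocated staging page is always safe to reuse would help the next backporter.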
diff --git a/queue-5.10/erofs-remove-the-occupied-parameter-from-z_erofs_pagevec_enqueue.patch b/queue-5.10/erofs-remove-the-occupied-parameter-from-z_erofs_pagevec_enqueue.patch
new file mode 100644 (file)
index 0000000..26eadc5
--- /dev/null
@@ -0,0 +1,68 @@
+From foo@baz Fri Nov 19 03:21:54 PM CET 2021
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Tue, 16 Nov 2021 09:08:18 +0800
+Subject: erofs: remove the occupied parameter from z_erofs_pagevec_enqueue()
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
+Cc: linux-erofs@lists.ozlabs.org, Yue Hu <huyue2@yulong.com>, Gao Xiang <xiang@kernel.org>, Gao Xiang <hsiangkao@linux.alibaba.com>
+Message-ID: <20211116010819.122905-1-hsiangkao@linux.alibaba.com>
+
+From: Yue Hu <huyue2@yulong.com>
+
+commit 7dea3de7d384f4c8156e8bd93112ba6db1eb276c upstream.
+
+No any behavior to variable occupied in z_erofs_attach_page() which
+is only caller to z_erofs_pagevec_enqueue().
+
+Link: https://lore.kernel.org/r/20210419102623.2015-1-zbestahu@gmail.com
+Signed-off-by: Yue Hu <huyue2@yulong.com>
+Reviewed-by: Gao Xiang <xiang@kernel.org>
+Signed-off-by: Gao Xiang <xiang@kernel.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/zdata.c |    4 +---
+ fs/erofs/zpvec.h |    5 +----
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -282,7 +282,6 @@ static int z_erofs_attach_page(struct z_
+                              enum z_erofs_page_type type)
+ {
+       int ret;
+-      bool occupied;
+       /* give priority for inplaceio */
+       if (clt->mode >= COLLECT_PRIMARY &&
+@@ -290,8 +289,7 @@ static int z_erofs_attach_page(struct z_
+           z_erofs_try_inplace_io(clt, page))
+               return 0;
+-      ret = z_erofs_pagevec_enqueue(&clt->vector,
+-                                    page, type, &occupied);
++      ret = z_erofs_pagevec_enqueue(&clt->vector, page, type);
+       clt->cl->vcnt += (unsigned int)ret;
+       return ret ? 0 : -EAGAIN;
+--- a/fs/erofs/zpvec.h
++++ b/fs/erofs/zpvec.h
+@@ -107,10 +107,8 @@ static inline void z_erofs_pagevec_ctor_
+ static inline bool z_erofs_pagevec_enqueue(struct z_erofs_pagevec_ctor *ctor,
+                                          struct page *page,
+-                                         enum z_erofs_page_type type,
+-                                         bool *occupied)
++                                         enum z_erofs_page_type type)
+ {
+-      *occupied = false;
+       if (!ctor->next && type)
+               if (ctor->index + 1 == ctor->nr)
+                       return false;
+@@ -125,7 +123,6 @@ static inline bool z_erofs_pagevec_enque
+       /* should remind that collector->next never equal to 1, 2 */
+       if (type == (uintptr_t)ctor->next) {
+               ctor->next = page;
+-              *occupied = true;
+       }
+       ctor->pages[ctor->index++] = tagptr_fold(erofs_vtptr_t, page, type);
+       return true;
diff --git a/queue-5.10/perf-core-avoid-put_page-when-gup-fails.patch b/queue-5.10/perf-core-avoid-put_page-when-gup-fails.patch
new file mode 100644 (file)
index 0000000..26f8769
--- /dev/null
@@ -0,0 +1,61 @@
+From 4716023a8f6a0f4a28047f14dd7ebdc319606b84 Mon Sep 17 00:00:00 2001
+From: Greg Thelen <gthelen@google.com>
+Date: Wed, 10 Nov 2021 18:18:14 -0800
+Subject: perf/core: Avoid put_page() when GUP fails
+
+From: Greg Thelen <gthelen@google.com>
+
+commit 4716023a8f6a0f4a28047f14dd7ebdc319606b84 upstream.
+
+PEBS PERF_SAMPLE_PHYS_ADDR events use perf_virt_to_phys() to convert PMU
+sampled virtual addresses to physical using get_user_page_fast_only()
+and page_to_phys().
+
+Some get_user_page_fast_only() error cases return false, indicating no
+page reference, but still initialize the output page pointer with an
+unreferenced page. In these error cases perf_virt_to_phys() calls
+put_page(). This causes page reference count underflow, which can lead
+to unintentional page sharing.
+
+Fix perf_virt_to_phys() to only put_page() if get_user_page_fast_only()
+returns a referenced page.
+
+Fixes: fc7ce9c74c3ad ("perf/core, x86: Add PERF_SAMPLE_PHYS_ADDR")
+Signed-off-by: Greg Thelen <gthelen@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20211111021814.757086-1-gthelen@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7036,7 +7036,6 @@ void perf_output_sample(struct perf_outp
+ static u64 perf_virt_to_phys(u64 virt)
+ {
+       u64 phys_addr = 0;
+-      struct page *p = NULL;
+       if (!virt)
+               return 0;
+@@ -7055,14 +7054,15 @@ static u64 perf_virt_to_phys(u64 virt)
+                * If failed, leave phys_addr as 0.
+                */
+               if (current->mm != NULL) {
++                      struct page *p;
++
+                       pagefault_disable();
+-                      if (get_user_page_fast_only(virt, 0, &p))
++                      if (get_user_page_fast_only(virt, 0, &p)) {
+                               phys_addr = page_to_phys(p) + virt % PAGE_SIZE;
++                              put_page(p);
++                      }
+                       pagefault_enable();
+               }
+-
+-              if (p)
+-                      put_page(p);
+       }
+       return phys_addr;
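Review bot: The new block-scoped `struct page *p;` is left uninitialized and is meaningful only when `get_user_page_fast_only()` returns true, but nothing in the code records that contract. The commit message explains that the callee can write the pointer on failure without taking a reference, which is what caused the refcount underflow. A comment at the call would keep a later cleanup from reintroducing an unconditional `put_page()`, for example `/* p holds a reference only when this returns true; do not touch it on failure */`. perf_virt_to_phys() starts and ends outside the hunk, so the kernel-address branch is not covered by this note.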
diff --git a/queue-5.10/scripts-lld-version.sh-rewrite-based-on-upstream-ld-version.sh.patch b/queue-5.10/scripts-lld-version.sh-rewrite-based-on-upstream-ld-version.sh.patch
new file mode 100644 (file)
index 0000000..66bc790
--- /dev/null
@@ -0,0 +1,99 @@
+From nathan@kernel.org  Fri Nov 19 15:27:39 2021
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 15 Nov 2021 09:43:23 -0700
+Subject: scripts/lld-version.sh: Rewrite based on upstream ld-version.sh
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>, stable@vger.kernel.org, llvm@lists.linux.dev, Nathan Chancellor <nathan@kernel.org>
+Message-ID: <20211115164322.560965-1-nathan@kernel.org>
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+This patch is for linux-5.10.y only.
+
+When scripts/lld-version.sh was initially written, it did not account
+for the LLD_VENDOR cmake flag, which changes the output of ld.lld's
+--version flag slightly.
+
+Without LLD_VENDOR:
+
+$ ld.lld --version
+LLD 14.0.0 (compatible with GNU linkers)
+
+With LLD_VENDOR:
+
+$ ld.lld --version
+Debian LLD 14.0.0 (compatible with GNU linkers)
+
+As a result, CONFIG_LLD_VERSION is messed up and configuration values
+that are dependent on it cannot be selected:
+
+scripts/lld-version.sh: 20: printf: LLD: expected numeric value
+scripts/lld-version.sh: 20: printf: LLD: expected numeric value
+scripts/lld-version.sh: 20: printf: LLD: expected numeric value
+init/Kconfig:52:warning: 'LLD_VERSION': number is invalid
+.config:11:warning: symbol value '00000' invalid for LLD_VERSION
+.config:8800:warning: override: CPU_BIG_ENDIAN changes choice state
+
+This was fixed upstream by commit 1f09af062556 ("kbuild: Fix
+ld-version.sh script if LLD was built with LLD_VENDOR") in 5.12 but that
+was done to ld-version.sh after it was massively rewritten in
+commit 02aff8592204 ("kbuild: check the minimum linker version in
+Kconfig").
+
+To avoid bringing in that change plus its prerequisites and fixes, just
+modify lld-version.sh to make it similar to the upstream ld-version.sh,
+which handles ld.lld with or without LLD_VENDOR and ld.bfd without any
+errors.
+
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/lld-version.sh |   35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+--- a/scripts/lld-version.sh
++++ b/scripts/lld-version.sh
+@@ -6,15 +6,32 @@
+ # Print the linker version of `ld.lld' in a 5 or 6-digit form
+ # such as `100001' for ld.lld 10.0.1 etc.
+-linker_string="$($* --version)"
++set -e
+-if ! ( echo $linker_string | grep -q LLD ); then
++# Convert the version string x.y.z to a canonical 5 or 6-digit form.
++get_canonical_version()
++{
++      IFS=.
++      set -- $1
++
++      # If the 2nd or 3rd field is missing, fill it with a zero.
++      echo $((10000 * $1 + 100 * ${2:-0} + ${3:-0}))
++}
++
++# Get the first line of the --version output.
++IFS='
++'
++set -- $(LC_ALL=C "$@" --version)
++
++# Split the line on spaces.
++IFS=' '
++set -- $1
++
++while [ $# -gt 1 -a "$1" != "LLD" ]; do
++      shift
++done
++if [ "$1" = LLD ]; then
++      echo $(get_canonical_version ${2%-*})
++else
+       echo 0
+-      exit 1
+ fi
+-
+-VERSION=$(echo $linker_string | cut -d ' ' -f 2)
+-MAJOR=$(echo $VERSION | cut -d . -f 1)
+-MINOR=$(echo $VERSION | cut -d . -f 2)
+-PATCHLEVEL=$(echo $VERSION | cut -d . -f 3)
+-printf "%d%02d%02d\\n" $MAJOR $MINOR $PATCHLEVEL
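Review bot: The final `echo $(get_canonical_version ${2%-*})` hides failures from the `set -e` added at the top, because the status of that line is the status of `echo`. The fields fed into `$((10000 * $1 + 100 * ${2:-0} + ${3:-0}))` come straight from the linker's `--version` output and only a `-suffix` is stripped, so a component that is not a plain decimal number would most likely produce an empty line with exit status 0 rather than a clean `0` or an error. Calling the function directly, `get_canonical_version ${2%-*}`, lets the failure propagate. The unquoted `set -- $1` expansions are also subject to pathname expansion, which a `set -f` next to `set -e` would rule out.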
index 72a502bdae9fad99c7709adb073d7d17766974e2..6fc19464b99f4bbb274936a2f388f1eadb2793ba 100644 (file)
@@ -14,3 +14,8 @@ parisc-entry-fix-trace-test-in-syscall-exit-path.patch
 pci-msi-destroy-sysfs-before-freeing-entries.patch
 pci-msi-deal-with-devices-lying-about-their-msi-mask-capability.patch
 pci-add-msi-masking-quirk-for-nvidia-ion-ahci.patch
+erofs-remove-the-occupied-parameter-from-z_erofs_pagevec_enqueue.patch
+erofs-fix-unsafe-pagevec-reuse-of-hooked-pclusters.patch
+scripts-lld-version.sh-rewrite-based-on-upstream-ld-version.sh.patch
+perf-core-avoid-put_page-when-gup-fails.patch
+thermal-fix-null-pointer-dereferences-in-of_thermal_-functions.patch
diff --git a/queue-5.10/thermal-fix-null-pointer-dereferences-in-of_thermal_-functions.patch b/queue-5.10/thermal-fix-null-pointer-dereferences-in-of_thermal_-functions.patch
new file mode 100644 (file)
index 0000000..7429bf0
--- /dev/null
@@ -0,0 +1,86 @@
+From 96cfe05051fd8543cdedd6807ec59a0e6c409195 Mon Sep 17 00:00:00 2001
+From: Subbaraman Narayanamurthy <quic_subbaram@quicinc.com>
+Date: Thu, 4 Nov 2021 16:57:07 -0700
+Subject: thermal: Fix NULL pointer dereferences in of_thermal_ functions
+
+From: Subbaraman Narayanamurthy <quic_subbaram@quicinc.com>
+
+commit 96cfe05051fd8543cdedd6807ec59a0e6c409195 upstream.
+
+of_parse_thermal_zones() parses the thermal-zones node and registers a
+thermal_zone device for each subnode. However, if a thermal zone is
+consuming a thermal sensor and that thermal sensor device hasn't probed
+yet, an attempt to set trip_point_*_temp for that thermal zone device
+can cause a NULL pointer dereference. Fix it.
+
+ console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp
+ ...
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+ ...
+ Call trace:
+  of_thermal_set_trip_temp+0x40/0xc4
+  trip_point_temp_store+0xc0/0x1dc
+  dev_attr_store+0x38/0x88
+  sysfs_kf_write+0x64/0xc0
+  kernfs_fop_write_iter+0x108/0x1d0
+  vfs_write+0x2f4/0x368
+  ksys_write+0x7c/0xec
+  __arm64_sys_write+0x20/0x30
+  el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc
+  do_el0_svc+0x28/0xa0
+  el0_svc+0x14/0x24
+  el0_sync_handler+0x88/0xec
+  el0_sync+0x1c0/0x200
+
+While at it, fix the possible NULL pointer dereference in other
+functions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(),
+of_thermal_get_trend().
+
+Suggested-by: David Collins <quic_collinsd@quicinc.com>
+Signed-off-by: Subbaraman Narayanamurthy <quic_subbaram@quicinc.com>
+Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/thermal_of.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/thermal/thermal_of.c
++++ b/drivers/thermal/thermal_of.c
+@@ -89,7 +89,7 @@ static int of_thermal_get_temp(struct th
+ {
+       struct __thermal_zone *data = tz->devdata;
+-      if (!data->ops->get_temp)
++      if (!data->ops || !data->ops->get_temp)
+               return -EINVAL;
+       return data->ops->get_temp(data->sensor_data, temp);
+@@ -186,6 +186,9 @@ static int of_thermal_set_emul_temp(stru
+ {
+       struct __thermal_zone *data = tz->devdata;
++      if (!data->ops || !data->ops->set_emul_temp)
++              return -EINVAL;
++
+       return data->ops->set_emul_temp(data->sensor_data, temp);
+ }
+@@ -194,7 +197,7 @@ static int of_thermal_get_trend(struct t
+ {
+       struct __thermal_zone *data = tz->devdata;
+-      if (!data->ops->get_trend)
++      if (!data->ops || !data->ops->get_trend)
+               return -EINVAL;
+       return data->ops->get_trend(data->sensor_data, trip, trend);
+@@ -301,7 +304,7 @@ static int of_thermal_set_trip_temp(stru
+       if (trip >= data->ntrips || trip < 0)
+               return -EDOM;
+-      if (data->ops->set_trip_temp) {
++      if (data->ops && data->ops->set_trip_temp) {
+               int ret;
+               ret = data->ops->set_trip_temp(data->sensor_data, trip, temp);
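Review bot: Each added guard tests `data->ops` and then loads it again for the call, so it is only sufficient if `data->ops` cannot change between the check and the use. The hunk shows no lock held in these four functions, whose signatures and surrounding bodies lie outside the hunk. If a sensor can be unregistered while a sysfs write is in flight (not visible here, so this needs confirming against the unregister path), the pointer should be read once and used from a local, e.g. `ops = READ_ONCE(data->ops);` followed by `if (!ops || !ops->get_temp) return -EINVAL;`. Separately, returning `-EINVAL` for "sensor not probed yet" makes that state indistinguishable from a bad argument for userspace; a comment on the guards stating that a NULL `ops` means no sensor is bound would at least document the intent.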