5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Dec 2021 15:08:36 +0000 (16:08 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Dec 2021 15:08:36 +0000 (16:08 +0100)
added patches:
audit-improve-robustness-of-the-audit-queue-handling.patch
dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch
nfsd-fix-use-after-free-due-to-delegation-race.patch
recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch

queue-5.4/audit-improve-robustness-of-the-audit-queue-handling.patch [new file with mode: 0644]
queue-5.4/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch [new file with mode: 0644]
queue-5.4/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch [new file with mode: 0644]
queue-5.4/nfsd-fix-use-after-free-due-to-delegation-race.patch [new file with mode: 0644]
queue-5.4/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch [new file with mode: 0644]

diff --git a/queue-5.4/audit-improve-robustness-of-the-audit-queue-handling.patch b/queue-5.4/audit-improve-robustness-of-the-audit-queue-handling.patch
new file mode 100644 (file)
index 0000000..d7314ce
--- /dev/null
@@ -0,0 +1,109 @@
+From f4b3ee3c85551d2d343a3ba159304066523f730f Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Thu, 9 Dec 2021 11:46:07 -0500
+Subject: audit: improve robustness of the audit queue handling
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit f4b3ee3c85551d2d343a3ba159304066523f730f upstream.
+
+If the audit daemon were ever to get stuck in a stopped state the
+kernel's kauditd_thread() could get blocked attempting to send audit
+records to the userspace audit daemon.  With the kernel thread
+blocked it is possible that the audit queue could grow unbounded as
+certain audit record generating events must be exempt from the queue
+limits else the system enter a deadlock state.
+
+This patch resolves this problem by lowering the kernel thread's
+socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks
+the kauditd_send_queue() function to better manage the various audit
+queues when connection problems occur between the kernel and the
+audit daemon.  With this patch, the backlog may temporarily grow
+beyond the defined limits when the audit daemon is stopped and the
+system is under heavy audit pressure, but kauditd_thread() will
+continue to make progress and drain the queues as it would for other
+connection problems.  For example, with the audit daemon put into a
+stopped state and the system configured to audit every syscall it
+was still possible to shutdown the system without a kernel panic,
+deadlock, etc.; granted, the system was slow to shutdown but that is
+to be expected given the extreme pressure of recording every syscall.
+
+The timeout value of HZ/10 was chosen primarily through
+experimentation and this developer's "gut feeling".  There is likely
+no one perfect value, but as this scenario is limited in scope (root
+privileges would be needed to send SIGSTOP to the audit daemon), it
+is likely not worth exposing this as a tunable at present.  This can
+always be done at a later date if it proves necessary.
+
+Cc: stable@vger.kernel.org
+Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking")
+Reported-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Tested-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c |   21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -712,7 +712,7 @@ static int kauditd_send_queue(struct soc
+ {
+       int rc = 0;
+       struct sk_buff *skb;
+-      static unsigned int failed = 0;
++      unsigned int failed = 0;
+       /* NOTE: kauditd_thread takes care of all our locking, we just use
+        *       the netlink info passed to us (e.g. sk and portid) */
+@@ -729,32 +729,30 @@ static int kauditd_send_queue(struct soc
+                       continue;
+               }
++retry:
+               /* grab an extra skb reference in case of error */
+               skb_get(skb);
+               rc = netlink_unicast(sk, skb, portid, 0);
+               if (rc < 0) {
+-                      /* fatal failure for our queue flush attempt? */
++                      /* send failed - try a few times unless fatal error */
+                       if (++failed >= retry_limit ||
+                           rc == -ECONNREFUSED || rc == -EPERM) {
+-                              /* yes - error processing for the queue */
+                               sk = NULL;
+                               if (err_hook)
+                                       (*err_hook)(skb);
+-                              if (!skb_hook)
+-                                      goto out;
+-                              /* keep processing with the skb_hook */
++                              if (rc == -EAGAIN)
++                                      rc = 0;
++                              /* continue to drain the queue */
+                               continue;
+                       } else
+-                              /* no - requeue to preserve ordering */
+-                              skb_queue_head(queue, skb);
++                              goto retry;
+               } else {
+-                      /* it worked - drop the extra reference and continue */
++                      /* skb sent - drop the extra reference and continue */
+                       consume_skb(skb);
+                       failed = 0;
+               }
+       }
+-out:
+       return (rc >= 0 ? 0 : rc);
+ }
+@@ -1557,7 +1555,8 @@ static int __net_init audit_net_init(str
+               audit_panic("cannot initialize netlink socket in namespace");
+               return -ENOMEM;
+       }
+-      aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
++      /* limit the timeout in case auditd is blocked/stopped */
++      aunet->sk->sk_sndtimeo = HZ / 10;
+       return 0;
+ }
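Review bot: The new `if (rc == -EAGAIN) rc = 0;` on the give-up path changes what the caller sees — a send that timed out `retry_limit` times is reported as success — and the hunk explains it only with `/* continue to drain the queue */`. A comment stating the intent would help the next reader, e.g. `/* a repeated timeout means auditd is blocked or stopped, not gone: hand the record to err_hook but do not report a lost connection to the caller */`; the caller's reaction to a negative return is inferred from the commit message, so confirm it against kauditd_thread(). With `failed` now a local, the retry budget is per call to kauditd_send_queue() rather than across calls, which looks intended but is worth one line in the existing NOTE comment. kauditd_send_queue()'s signature lies outside the hunk.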
diff --git a/queue-5.4/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch b/queue-5.4/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
new file mode 100644 (file)
index 0000000..f2a9f37
--- /dev/null
@@ -0,0 +1,32 @@
+From 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Wed, 24 Nov 2021 12:07:39 -0500
+Subject: dm btree remove: fix use after free in rebalance_children()
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da upstream.
+
+Move dm_tm_unlock() after dm_tm_dec().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/persistent-data/dm-btree-remove.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree-remove.c
++++ b/drivers/md/persistent-data/dm-btree-remove.c
+@@ -423,9 +423,9 @@ static int rebalance_children(struct sha
+               memcpy(n, dm_block_data(child),
+                      dm_bm_block_size(dm_tm_get_bm(info->tm)));
+-              dm_tm_unlock(info->tm, child);
+               dm_tm_dec(info->tm, dm_block_location(child));
++              dm_tm_unlock(info->tm, child);
+               return 0;
+       }
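Review bot: The reordering relies on `child` staying locked while `dm_block_location(child)` is evaluated, but nothing in the code records that, so a later cleanup could swap the two calls back. A one-line comment above the `dm_tm_dec()` call would pin it, e.g. `/* keep child locked until its location has been read; unlocking first can free the block under us */`. The mechanism is inferred from the subject line rather than from code visible here, so adjust the wording if the actual lifetime rule differs. rebalance_children() starts and ends outside the hunk.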
diff --git a/queue-5.4/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch b/queue-5.4/iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch
new file mode 100644 (file)
index 0000000..648d90d
--- /dev/null
@@ -0,0 +1,42 @@
+From f711f28e71e965c0d1141c830fa7131b41abbe75 Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Date: Fri, 22 Oct 2021 14:19:29 +0200
+Subject: iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda
+
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+
+commit f711f28e71e965c0d1141c830fa7131b41abbe75 upstream.
+
+Some I/Os are connected to ADC input channels, when the corresponding bit
+in PCSEL register are set on STM32H7 and STM32MP15. This is done in the
+prepare routine of stm32-adc driver.
+There are constraints here, as PCSEL shouldn't be set when VDDA supply
+is disabled. Enabling/disabling of VDDA supply in done via stm32-adc-core
+runtime PM routines (before/after ADC is enabled/disabled).
+
+Currently, PCSEL remains set when disabling ADC. Later on, PM runtime
+can disable the VDDA supply. This creates some conditions on I/Os that
+can start to leak current.
+So PCSEL needs to be cleared when disabling the ADC.
+
+Fixes: 95e339b6e85d ("iio: adc: stm32: add support for STM32H7")
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Reviewed-by: Olivier Moysan <olivier.moysan@foss.st.com>
+Link: https://lore.kernel.org/r/1634905169-23762-1-git-send-email-fabrice.gasnier@foss.st.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/stm32-adc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/stm32-adc.c
++++ b/drivers/iio/adc/stm32-adc.c
+@@ -933,6 +933,7 @@ pwr_dwn:
+ static void stm32h7_adc_unprepare(struct stm32_adc *adc)
+ {
++      stm32_adc_writel(adc, STM32H7_ADC_PCSEL, 0);
+       stm32h7_adc_disable(adc);
+       stm32h7_adc_enter_pwr_down(adc);
+ }
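Review bot: The added `stm32_adc_writel(adc, STM32H7_ADC_PCSEL, 0);` is the one line in stm32h7_adc_unprepare() whose purpose is not obvious from its name, and the reason (PCSEL must not stay set once runtime PM drops VDDA) lives only in the commit message. Suggest a comment above it such as `/* clear PCSEL before the ADC is disabled: leaving it set while VDDA is off leaks current through the selected I/Os */` so the ordering relative to stm32h7_adc_disable() is not "tidied" later. The VDDA constraint is taken from the commit message, not from code visible in this hunk.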
diff --git a/queue-5.4/nfsd-fix-use-after-free-due-to-delegation-race.patch b/queue-5.4/nfsd-fix-use-after-free-due-to-delegation-race.patch
new file mode 100644 (file)
index 0000000..7a3c0c6
--- /dev/null
@@ -0,0 +1,66 @@
+From 548ec0805c399c65ed66c6641be467f717833ab5 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 29 Nov 2021 15:08:00 -0500
+Subject: nfsd: fix use-after-free due to delegation race
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 548ec0805c399c65ed66c6641be467f717833ab5 upstream.
+
+A delegation break could arrive as soon as we've called vfs_setlease.  A
+delegation break runs a callback which immediately (in
+nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru.  If we
+then exit nfs4_set_delegation without hashing the delegation, it will be
+freed as soon as the callback is done with it, without ever being
+removed from del_recall_lru.
+
+Symptoms show up later as use-after-free or list corruption warnings,
+usually in the laundromat thread.
+
+I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
+writes" made this bug easier to hit, but I looked as far back as v3.0
+and it looks to me it already had the same problem.  So I'm not sure
+where the bug was introduced; it may have been there from the beginning.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+[Salvatore Bonaccorso: Backport for context changes to versions which do
+not have 20b7d86f29d3 ("nfsd: use boottime for lease expiry calculation")]
+Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1041,6 +1041,11 @@ hash_delegation_locked(struct nfs4_deleg
+       return 0;
+ }
++static bool delegation_hashed(struct nfs4_delegation *dp)
++{
++      return !(list_empty(&dp->dl_perfile));
++}
++
+ static bool
+ unhash_delegation_locked(struct nfs4_delegation *dp)
+ {
+@@ -1048,7 +1053,7 @@ unhash_delegation_locked(struct nfs4_del
+       lockdep_assert_held(&state_lock);
+-      if (list_empty(&dp->dl_perfile))
++      if (!delegation_hashed(dp))
+               return false;
+       dp->dl_stid.sc_type = NFS4_CLOSED_DELEG_STID;
+@@ -4406,7 +4411,7 @@ static void nfsd4_cb_recall_prepare(stru
+        * queued for a lease break. Don't queue it again.
+        */
+       spin_lock(&state_lock);
+-      if (dp->dl_time == 0) {
++      if (delegation_hashed(dp) && dp->dl_time == 0) {
+               dp->dl_time = get_seconds();
+               list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru);
+       }
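Review bot: delegation_hashed() reads `dp->dl_perfile` without documenting that the answer is only meaningful under `state_lock`; both visible callers hold it (unhash_delegation_locked() asserts it, nfsd4_cb_recall_prepare() takes it on the line before the new check), so the helper should say so, either with `lockdep_assert_held(&state_lock);` as its first statement or with a comment. The parentheses in `!(list_empty(&dp->dl_perfile))` are redundant; `return !list_empty(&dp->dl_perfile);` reads cleaner and matches the removed condition. unhash_delegation_locked() and nfsd4_cb_recall_prepare() both continue outside their hunks.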
diff --git a/queue-5.4/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch b/queue-5.4/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
new file mode 100644 (file)
index 0000000..425644c
--- /dev/null
@@ -0,0 +1,36 @@
+From 85bf17b28f97ca2749968d8786dc423db320d9c2 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand <jmarchan@redhat.com>
+Date: Fri, 10 Dec 2021 10:38:27 +0100
+Subject: recordmcount.pl: look for jgnop instruction as well as bcrl on s390
+
+From: Jerome Marchand <jmarchan@redhat.com>
+
+commit 85bf17b28f97ca2749968d8786dc423db320d9c2 upstream.
+
+On s390, recordmcount.pl is looking for "bcrl 0,<xxx>" instructions in
+the objdump -d outpout. However since binutils 2.37, objdump -d
+display "jgnop <xxx>" for the same instruction. Update the
+mcount_regex so that it accepts both.
+
+Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211210093827.1623286-1-jmarchan@redhat.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/recordmcount.pl |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -252,7 +252,7 @@ if ($arch eq "x86_64") {
+ } elsif ($arch eq "s390" && $bits == 64) {
+     if ($cc =~ /-DCC_USING_HOTPATCH/) {
+-      $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*brcl\\s*0,[0-9a-f]+ <([^\+]*)>\$";
++      $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*(bcrl\\s*0,|jgnop\\s*)[0-9a-f]+ <([^\+]*)>\$";
+       $mcount_adjust = 0;
+     } else {
+       $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*R_390_(PC|PLT)32DBL\\s+_mcount\\+0x2\$";
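Review bot: The new alternation on the added line spells the mnemonic `bcrl`, while the line it replaces matched `brcl`; the commit message also says bcrl, so the swap looks like a typo carried into the regex rather than a deliberate change. If older objdump prints `brcl 0,<addr>` as the removed line assumed, the pre-2.37 form no longer matches and mcount call sites would silently go unrecorded on s390 hotpatch builds; `(brcl\\s*0,|jgnop\\s*)` would keep both spellings working. Worth confirming against an objdump older than 2.37 before this goes further down the stable trees. The added group also shifts the symbol capture from `$2` to `$3`, which is harmless only if the consumer uses just `$1` — the consumer is not visible from this hunk.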
index 1cb176948a1ab3e9705105e49c307de5b7a7c6d3..452827b44e5fed70688e6722cf82811c1f851521 100644 (file)
@@ -2,3 +2,9 @@ kvm-selftests-make-sure-kvm_create_max_vcpus-test-wo.patch
 mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
 mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
 firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
+virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch
+recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
+dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
+audit-improve-robustness-of-the-audit-queue-handling.patch
+iio-adc-stm32-fix-a-current-leak-by-resetting-pcsel-before-disabling-vdda.patch
+nfsd-fix-use-after-free-due-to-delegation-race.patch
diff --git a/queue-5.4/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch b/queue-5.4/virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch
new file mode 100644 (file)
index 0000000..c21aac7
--- /dev/null
@@ -0,0 +1,56 @@
+From 817fc978b5a29b039db0418a91072b31c9aab152 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Wed, 1 Dec 2021 11:20:18 +0000
+Subject: virtio_ring: Fix querying of maximum DMA mapping size for virtio device
+
+From: Will Deacon <will@kernel.org>
+
+commit 817fc978b5a29b039db0418a91072b31c9aab152 upstream.
+
+virtio_max_dma_size() returns the maximum DMA mapping size of the virtio
+device by querying dma_max_mapping_size() for the device when the DMA
+API is in use for the vring. Unfortunately, the device passed is
+initialised by register_virtio_device() and does not inherit the DMA
+configuration from its parent, resulting in SWIOTLB errors when bouncing
+is enabled and the default 256K mapping limit (IO_TLB_SEGSIZE) is not
+respected:
+
+  | virtio-pci 0000:00:01.0: swiotlb buffer is full (sz: 294912 bytes), total 1024 (slots), used 725 (slots)
+
+Follow the pattern used elsewhere in the virtio_ring code when calling
+into the DMA layer and pass the parent device to dma_max_mapping_size()
+instead.
+
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Quentin Perret <qperret@google.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20211201112018.25276-1-will@kernel.org
+Acked-by: Jason Wang <jasowang@redhat.com>
+Tested-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Fixes: e6d6dd6c875e ("virtio: Introduce virtio_max_dma_size()")
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virtio/virtio_ring.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -263,7 +263,7 @@ size_t virtio_max_dma_size(struct virtio
+       size_t max_segment_size = SIZE_MAX;
+       if (vring_use_dma_api(vdev))
+-              max_segment_size = dma_max_mapping_size(&vdev->dev);
++              max_segment_size = dma_max_mapping_size(vdev->dev.parent);
+       return max_segment_size;
+ }
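Review bot: The switch to `vdev->dev.parent` carries a non-NULL assumption that the line itself does not explain; the reason (the virtio device does not inherit its parent's DMA configuration, so querying it ignores the SWIOTLB segment limit) is only in the commit message. Suggest `/* DMA configuration belongs to the parent (transport) device, not the virtio child */` above the call, and a check that the other DMA calls in virtio_ring.c already dereference the same parent so no new NULL guard is needed — the commit message says they do, but that is not visible here. virtio_max_dma_size()'s signature lies outside the hunk.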