--- /dev/null
+From 565333a1554d704789e74205989305c811fd9c7a Mon Sep 17 00:00:00 2001
+From: yangerkun <yangerkun@huawei.com>
+Date: Thu, 19 Sep 2019 14:35:08 +0800
+Subject: ext4: fix a bug in ext4_wait_for_tail_page_commit
+
+From: yangerkun <yangerkun@huawei.com>
+
+commit 565333a1554d704789e74205989305c811fd9c7a upstream.
+
+No need to wait for any commit once the page is fully truncated.
+Besides, it may confuse e.g. concurrent ext4_writepage() with the page
+still be dirty (will be cleared by truncate_pagecache() in
+ext4_setattr()) but buffers has been freed; and then trigger a bug
+show as below:
+
+[ 26.057508] ------------[ cut here ]------------
+[ 26.058531] kernel BUG at fs/ext4/inode.c:2134!
+...
+[ 26.088130] Call trace:
+[ 26.088695] ext4_writepage+0x914/0xb28
+[ 26.089541] writeout.isra.4+0x1b4/0x2b8
+[ 26.090409] move_to_new_page+0x3b0/0x568
+[ 26.091338] __unmap_and_move+0x648/0x988
+[ 26.092241] unmap_and_move+0x48c/0xbb8
+[ 26.093096] migrate_pages+0x220/0xb28
+[ 26.093945] kernel_mbind+0x828/0xa18
+[ 26.094791] __arm64_sys_mbind+0xc8/0x138
+[ 26.095716] el0_svc_common+0x190/0x490
+[ 26.096571] el0_svc_handler+0x60/0xd0
+[ 26.097423] el0_svc+0x8/0xc
+
+Run the procedure (generate by syzkaller) parallel with ext3.
+
+void main()
+{
+ int fd, fd1, ret;
+ void *addr;
+ size_t length = 4096;
+ int flags;
+ off_t offset = 0;
+ char *str = "12345";
+
+ fd = open("a", O_RDWR | O_CREAT);
+ assert(fd >= 0);
+
+ /* Truncate to 4k */
+ ret = ftruncate(fd, length);
+ assert(ret == 0);
+
+ /* Journal data mode */
+ flags = 0xc00f;
+ ret = ioctl(fd, _IOW('f', 2, long), &flags);
+ assert(ret == 0);
+
+ /* Truncate to 0 */
+ fd1 = open("a", O_TRUNC | O_NOATIME);
+ assert(fd1 >= 0);
+
+ addr = mmap(NULL, length, PROT_WRITE | PROT_READ,
+ MAP_SHARED, fd, offset);
+ assert(addr != (void *)-1);
+
+ memcpy(addr, str, 5);
+ mbind(addr, length, 0, 0, 0, MPOL_MF_MOVE);
+}
+
+And the bug will be triggered once we seen the below order.
+
+reproduce1 reproduce2
+
+... | ...
+truncate to 4k |
+change to journal data mode |
+ | memcpy(set page dirty)
+truncate to 0: |
+ext4_setattr: |
+... |
+ext4_wait_for_tail_page_commit |
+ | mbind(trigger bug)
+truncate_pagecache(clean dirty)| ...
+... |
+
+mbind will call ext4_writepage() since the page still be dirty, and then
+report the bug since the buffers has been free. Fix it by return
+directly once offset equals to 0 which means the page has been fully
+truncated.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Link: https://lore.kernel.org/r/20190919063508.1045-1-yangerkun@huawei.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5493,11 +5493,15 @@ static void ext4_wait_for_tail_page_comm
+
+ offset = inode->i_size & (PAGE_SIZE - 1);
+ /*
+- * All buffers in the last page remain valid? Then there's nothing to
+- * do. We do the check mainly to optimize the common PAGE_SIZE ==
+- * blocksize case
++ * If the page is fully truncated, we don't need to wait for any commit
++ * (and we even should not as __ext4_journalled_invalidatepage() may
++ * strip all buffers from the page but keep the page dirty which can then
++ * confuse e.g. concurrent ext4_writepage() seeing dirty page without
++ * buffers). Also we don't need to wait for any commit if all buffers in
++ * the page remain valid. This is most beneficial for the common case of
++ * blocksize == PAGESIZE.
+ */
+- if (offset > PAGE_SIZE - i_blocksize(inode))
++ if (!offset || offset > (PAGE_SIZE - i_blocksize(inode)))
+ return;
+ while (1) {
+ page = find_lock_page(inode->i_mapping,
--- /dev/null
+From aa71ecd8d86500da6081a72da6b0b524007e0627 Mon Sep 17 00:00:00 2001
+From: Chen Jun <chenjun102@huawei.com>
+Date: Sat, 30 Nov 2019 17:58:11 -0800
+Subject: mm/shmem.c: cast the type of unmap_start to u64
+
+From: Chen Jun <chenjun102@huawei.com>
+
+commit aa71ecd8d86500da6081a72da6b0b524007e0627 upstream.
+
+In 64bit system. sb->s_maxbytes of shmem filesystem is MAX_LFS_FILESIZE,
+which equal LLONG_MAX.
+
+If offset > LLONG_MAX - PAGE_SIZE, offset + len < LLONG_MAX in
+shmem_fallocate, which will pass the checking in vfs_fallocate.
+
+ /* Check for wrap through zero too */
+ if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
+ return -EFBIG;
+
+loff_t unmap_start = round_up(offset, PAGE_SIZE) in shmem_fallocate
+causes a overflow.
+
+Syzkaller reports a overflow problem in mm/shmem:
+
+ UBSAN: Undefined behaviour in mm/shmem.c:2014:10
+ signed integer overflow: '9223372036854775807 + 1' cannot be represented in type 'long long int'
+ CPU: 0 PID:17076 Comm: syz-executor0 Not tainted 4.1.46+ #1
+ Hardware name: linux, dummy-virt (DT)
+ Call trace:
+ dump_backtrace+0x0/0x2c8 arch/arm64/kernel/traps.c:100
+ show_stack+0x20/0x30 arch/arm64/kernel/traps.c:238
+ __dump_stack lib/dump_stack.c:15 [inline]
+ ubsan_epilogue+0x18/0x70 lib/ubsan.c:164
+ handle_overflow+0x158/0x1b0 lib/ubsan.c:195
+ shmem_fallocate+0x6d0/0x820 mm/shmem.c:2104
+ vfs_fallocate+0x238/0x428 fs/open.c:312
+ SYSC_fallocate fs/open.c:335 [inline]
+ SyS_fallocate+0x54/0xc8 fs/open.c:239
+
+The highest bit of unmap_start will be appended with sign bit 1
+(overflow) when calculate shmem_falloc.start:
+
+ shmem_falloc.start = unmap_start >> PAGE_SHIFT.
+
+Fix it by casting the type of unmap_start to u64, when right shifted.
+
+This bug is found in LTS Linux 4.1. It also seems to exist in mainline.
+
+Link: http://lkml.kernel.org/r/1573867464-5107-1-git-send-email-chenjun102@huawei.com
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Qian Cai <cai@lca.pw>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/shmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2730,7 +2730,7 @@ static long shmem_fallocate(struct file
+ }
+
+ shmem_falloc.waitq = &shmem_falloc_waitq;
+- shmem_falloc.start = unmap_start >> PAGE_SHIFT;
++ shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;
+ shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
+ spin_lock(&inode->i_lock);
+ inode->i_private = &shmem_falloc;
--- /dev/null
+From 7e7c005b4b1f1f169bcc4b2c3a40085ecc663df2 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Mon, 21 Oct 2019 01:13:20 +0200
+Subject: rtc: disable uie before setting time and enable after
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+commit 7e7c005b4b1f1f169bcc4b2c3a40085ecc663df2 upstream.
+
+When setting the time in the future with the uie timer enabled,
+rtc_timer_do_work will loop for a while because the expiration of the uie
+timer was way before the current RTC time and a new timer will be enqueued
+until the current rtc time is reached.
+
+If the uie timer is enabled, disable it before setting the time and enable
+it after expiring current timers (which may actually be an alarm).
+
+This is the safest thing to do to ensure the uie timer is still
+synchronized with the RTC, especially in the UIE emulation case.
+
+Reported-by: syzbot+08116743f8ad6f9a6de7@syzkaller.appspotmail.com
+Fixes: 6610e0893b8b ("RTC: Rework RTC code to use timerqueue for events")
+Link: https://lore.kernel.org/r/20191020231320.8191-1-alexandre.belloni@bootlin.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/interface.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -125,7 +125,7 @@ EXPORT_SYMBOL_GPL(rtc_read_time);
+
+ int rtc_set_time(struct rtc_device *rtc, struct rtc_time *tm)
+ {
+- int err;
++ int err, uie;
+
+ err = rtc_valid_tm(tm);
+ if (err != 0)
+@@ -137,6 +137,17 @@ int rtc_set_time(struct rtc_device *rtc,
+
+ rtc_subtract_offset(rtc, tm);
+
++#ifdef CONFIG_RTC_INTF_DEV_UIE_EMUL
++ uie = rtc->uie_rtctimer.enabled || rtc->uie_irq_active;
++#else
++ uie = rtc->uie_rtctimer.enabled;
++#endif
++ if (uie) {
++ err = rtc_update_irq_enable(rtc, 0);
++ if (err)
++ return err;
++ }
++
+ err = mutex_lock_interruptible(&rtc->ops_lock);
+ if (err)
+ return err;
+@@ -153,6 +164,12 @@ int rtc_set_time(struct rtc_device *rtc,
+ /* A timer might have just expired */
+ schedule_work(&rtc->irqwork);
+
++ if (uie) {
++ err = rtc_update_irq_enable(rtc, 1);
++ if (err)
++ return err;
++ }
++
+ trace_rtc_set_time(rtc_tm_to_time64(tm), err);
+ return err;
+ }
firmware-qcom-scm-ensure-a0-status-code-is-treated-as-signed.patch
s390-smp-vdso-fix-asce-handling.patch
s390-kaslr-store-kaslr-offset-for-early-dumps.patch
+mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch
+rtc-disable-uie-before-setting-time-and-enable-after.patch
+splice-only-read-in-as-much-information-as-there-is-pipe-buffer-space.patch
+ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch
--- /dev/null
+From 3253d9d093376d62b4a56e609f15d2ec5085ac73 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 15 Oct 2019 08:44:32 -0700
+Subject: splice: only read in as much information as there is pipe buffer space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit 3253d9d093376d62b4a56e609f15d2ec5085ac73 upstream.
+
+Andreas Grünbacher reports that on the two filesystems that support
+iomap directio, it's possible for splice() to return -EAGAIN (instead of
+a short splice) if the pipe being written to has less space available in
+its pipe buffers than the length supplied by the calling process.
+
+Months ago we fixed splice_direct_to_actor to clamp the length of the
+read request to the size of the splice pipe. Do the same to do_splice.
+
+Fixes: 17614445576b6 ("splice: don't read more than available pipe space")
+Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com
+Reported-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
+Reviewed-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/splice.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -945,12 +945,13 @@ ssize_t splice_direct_to_actor(struct fi
+ WARN_ON_ONCE(pipe->nrbufs != 0);
+
+ while (len) {
++ unsigned int pipe_pages;
+ size_t read_len;
+ loff_t pos = sd->pos, prev_pos = pos;
+
+ /* Don't try to read more the pipe has space for. */
+- read_len = min_t(size_t, len,
+- (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT);
++ pipe_pages = pipe->buffers - pipe->nrbufs;
++ read_len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
+ ret = do_splice_to(in, &pos, pipe, read_len, flags);
+ if (unlikely(ret <= 0))
+ goto out_release;
+@@ -1180,8 +1181,15 @@ static long do_splice(struct file *in, l
+
+ pipe_lock(opipe);
+ ret = wait_for_space(opipe, flags);
+- if (!ret)
++ if (!ret) {
++ unsigned int pipe_pages;
++
++ /* Don't try to read more the pipe has space for. */
++ pipe_pages = opipe->buffers - opipe->nrbufs;
++ len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
++
+ ret = do_splice_to(in, &offset, opipe, len, flags);
++ }
+ pipe_unlock(opipe);
+ if (ret > 0)
+ wakeup_pipe_readers(opipe);
projects / thirdparty / kernel / stable-queue.git / commitdiff
