Fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Tue, 10 Aug 2021 12:10:03 +0000 (08:10 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 10 Aug 2021 12:10:03 +0000 (08:10 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.4/alpha-send-stop-ipi-to-send-to-online-cpus.patch [new file with mode: 0644]
queue-4.4/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch [new file with mode: 0644]
queue-4.4/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch [new file with mode: 0644]
queue-4.4/reiserfs-check-directory-items-on-read-from-disk.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/alpha-send-stop-ipi-to-send-to-online-cpus.patch b/queue-4.4/alpha-send-stop-ipi-to-send-to-online-cpus.patch
new file mode 100644 (file)
index 0000000..b508cbe
--- /dev/null
@@ -0,0 +1,48 @@
+From 113fe1f02bb1cc78c47f3a7a539d8190af5e520c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 10:16:27 -0500
+Subject: alpha: Send stop IPI to send to online CPUs
+
+From: Prarit Bhargava <prarit@redhat.com>
+
+[ Upstream commit caace6ca4e06f09413fb8f8a63319594cfb7d47d ]
+
+This issue was noticed while debugging a shutdown issue where some
+secondary CPUs are not being shutdown correctly.  A fix for that [1] requires
+that secondary cpus be offlined using the cpu_online_mask so that the
+stop operation is a no-op if CPU HOTPLUG is disabled.  I, like the author in
+[1] looked at the architectures and found that alpha is one of two
+architectures that executes smp_send_stop() on all possible CPUs.
+
+On alpha, smp_send_stop() sends an IPI to all possible CPUs but only needs
+to send them to online CPUs.
+
+Send the stop IPI to only the online CPUs.
+
+[1] https://lkml.org/lkml/2020/1/10/250
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/kernel/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c
+index 2f24447fef92..1543b571bd99 100644
+--- a/arch/alpha/kernel/smp.c
++++ b/arch/alpha/kernel/smp.c
+@@ -584,7 +584,7 @@ void
+ smp_send_stop(void)
+ {
+       cpumask_t to_whom;
+-      cpumask_copy(&to_whom, cpu_possible_mask);
++      cpumask_copy(&to_whom, cpu_online_mask);
+       cpumask_clear_cpu(smp_processor_id(), &to_whom);
+ #ifdef DEBUG_IPI_MSG
+       if (hard_smp_processor_id() != boot_cpu_id)
+-- 
+2.30.2
+
diff --git a/queue-4.4/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch b/queue-4.4/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch
new file mode 100644 (file)
index 0000000..a91b1a2
--- /dev/null
@@ -0,0 +1,58 @@
+From 410c1d301906bc1f989f5d03119185c466912359 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jul 2021 21:45:12 +0800
+Subject: net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and
+ ql_adapter_reset
+
+From: Letu Ren <fantasquex@gmail.com>
+
+[ Upstream commit 92766c4628ea349c8ddab0cd7bd0488f36e5c4ce ]
+
+When calling the 'ql_wait_for_drvr_lock' and 'ql_adapter_reset', the driver
+has already acquired the spin lock, so the driver should not call 'ssleep'
+in atomic context.
+
+This bug can be fixed by using 'mdelay' instead of 'ssleep'.
+
+Reported-by: Letu Ren <fantasquex@gmail.com>
+Signed-off-by: Letu Ren <fantasquex@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index 192950a112c9..cb9d43c871c4 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -155,7 +155,7 @@ static int ql_wait_for_drvr_lock(struct ql3_adapter *qdev)
+                                     "driver lock acquired\n");
+                       return 1;
+               }
+-              ssleep(1);
++              mdelay(1000);
+       } while (++i < 10);
+       netdev_err(qdev->ndev, "Timed out waiting for driver lock...\n");
+@@ -3287,7 +3287,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev)
+               if ((value & ISP_CONTROL_SR) == 0)
+                       break;
+-              ssleep(1);
++              mdelay(1000);
+       } while ((--max_wait_time));
+       /*
+@@ -3323,7 +3323,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev)
+                                                  ispControlStatus);
+                       if ((value & ISP_CONTROL_FSR) == 0)
+                               break;
+-                      ssleep(1);
++                      mdelay(1000);
+               } while ((--max_wait_time));
+       }
+       if (max_wait_time == 0)
+-- 
+2.30.2
+
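Review bot: Each of the three `mdelay(1000)` sites is a one-second busy-wait that the enclosing loops repeat — up to 10 times in ql_wait_for_drvr_lock (`while (++i < 10)`), and `max_wait_time` times in the two ql_adapter_reset loops — so with the spinlock held, as the commit message states, a CPU can now spin for many seconds on a slow reset, which is long enough to attract the soft-lockup watchdog; how often that path is hit is outside the hunk. The sleep-in-atomic bug is fixed, but the cost is moved rather than removed, and dropping the lock around the wait would be the larger, proper fix. At minimum each site deserves a comment stating why a busy-wait is used here, e.g. `mdelay(1000); /* caller holds the spinlock: must busy-wait, cannot sleep */`. Both ql_wait_for_drvr_lock and ql_adapter_reset start and end outside the hunk.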
diff --git a/queue-4.4/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch b/queue-4.4/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch
new file mode 100644 (file)
index 0000000..cdb4585
--- /dev/null
@@ -0,0 +1,98 @@
+From dc1bd6dd8834a93fe41697702e993116f2cea727 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 12:07:43 +0800
+Subject: reiserfs: add check for root_inode in reiserfs_fill_super
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ]
+
+Our syzcaller report a NULL pointer dereference:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0
+Oops: 0010 [#1] SMP KASAN
+CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
+RSP: 0018:ffff888114e779b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa
+RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0
+RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001
+R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00
+R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0
+FS:  00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __lookup_slow+0x116/0x2d0
+ ? page_put_link+0x120/0x120
+ ? __d_lookup+0xfc/0x320
+ ? d_lookup+0x49/0x90
+ lookup_one_len+0x13c/0x170
+ ? __lookup_slow+0x2d0/0x2d0
+ ? reiserfs_schedule_old_flush+0x31/0x130
+ reiserfs_lookup_privroot+0x64/0x150
+ reiserfs_fill_super+0x158c/0x1b90
+ ? finish_unfinished+0xb10/0xb10
+ ? bprintf+0xe0/0xe0
+ ? __mutex_lock_slowpath+0x30/0x30
+ ? __kasan_check_write+0x20/0x30
+ ? up_write+0x51/0xb0
+ ? set_blocksize+0x9f/0x1f0
+ mount_bdev+0x27c/0x2d0
+ ? finish_unfinished+0xb10/0xb10
+ ? reiserfs_kill_sb+0x120/0x120
+ get_super_block+0x19/0x30
+ legacy_get_tree+0x76/0xf0
+ vfs_get_tree+0x49/0x160
+ ? capable+0x1d/0x30
+ path_mount+0xacc/0x1380
+ ? putname+0x97/0xd0
+ ? finish_automount+0x450/0x450
+ ? kmem_cache_free+0xf8/0x5a0
+ ? putname+0x97/0xd0
+ do_mount+0xe2/0x110
+ ? path_mount+0x1380/0x1380
+ ? copy_mount_options+0x69/0x140
+ __x64_sys_mount+0xf0/0x190
+ do_syscall_64+0x35/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+This is because 'root_inode' is initialized with wrong mode, and
+it's i_op is set to 'reiserfs_special_inode_operations'. Thus add
+check for 'root_inode' to fix the problem.
+
+Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/super.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
+index 503d8c06e0d9..2ffcbe451202 100644
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -2050,6 +2050,14 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
+               unlock_new_inode(root_inode);
+       }
++      if (!S_ISDIR(root_inode->i_mode) || !inode_get_bytes(root_inode) ||
++          !root_inode->i_size) {
++              SWARN(silent, s, "", "corrupt root inode, run fsck");
++              iput(root_inode);
++              errval = -EUCLEAN;
++              goto error;
++      }
++
+       s->s_root = d_make_root(root_inode);
+       if (!s->s_root)
+               goto error;
+-- 
+2.30.2
+
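Review bot: The new check folds three distinct corruption signs (not a directory, zero block count, zero i_size) into the single message `"corrupt root inode, run fsck"`, so a report from the field cannot tell which test fired, and nothing in the code says why the mode test matters. A comment above the `if` would carry that, along the lines of `/* Reject a corrupt root inode: with a non-directory i_mode its i_op would be the special-inode ops and the later privroot lookup would call a NULL function pointer (RIP 0x0 in the reported trace). */`, which is what the commit message describes. `iput(root_inode)` followed by `goto error` assumes the `error:` path does not itself release root_inode; that label and the rest of reiserfs_fill_super are outside the hunk, so it is worth confirming against the 4.4 tree that this cannot become a double put.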
diff --git a/queue-4.4/reiserfs-check-directory-items-on-read-from-disk.patch b/queue-4.4/reiserfs-check-directory-items-on-read-from-disk.patch
new file mode 100644 (file)
index 0000000..55b434b
--- /dev/null
@@ -0,0 +1,79 @@
+From 1d299d1b1bfb02ce9d0203deeb387f057635d4eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 20:59:29 +0530
+Subject: reiserfs: check directory items on read from disk
+
+From: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
+
+[ Upstream commit 13d257503c0930010ef9eed78b689cec417ab741 ]
+
+While verifying the leaf item that we read from the disk, reiserfs
+doesn't check the directory items, this could cause a crash when we
+read a directory item from the disk that has an invalid deh_location.
+
+This patch adds a check to the directory items read from the disk that
+does a bounds check on deh_location for the directory entries. Any
+directory entry header with a directory entry offset greater than the
+item length is considered invalid.
+
+Link: https://lore.kernel.org/r/20210709152929.766363-1-chouhan.shreyansh630@gmail.com
+Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
+Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
+index 33b78ee9fb9e..13322c39e6cc 100644
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -386,6 +386,24 @@ void pathrelse(struct treepath *search_path)
+       search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
+ }
++static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
++{
++      struct reiserfs_de_head *deh;
++      int i;
++
++      deh = B_I_DEH(bh, ih);
++      for (i = 0; i < ih_entry_count(ih); i++) {
++              if (deh_location(&deh[i]) > ih_item_len(ih)) {
++                      reiserfs_warning(NULL, "reiserfs-5094",
++                                       "directory entry location seems wrong %h",
++                                       &deh[i]);
++                      return 0;
++              }
++      }
++
++      return 1;
++}
++
+ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
+ {
+       struct block_head *blkh;
+@@ -453,11 +471,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
+                                        "(second one): %h", ih);
+                       return 0;
+               }
+-              if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
+-                      reiserfs_warning(NULL, "reiserfs-5093",
+-                                       "item entry count seems wrong %h",
+-                                       ih);
+-                      return 0;
++              if (is_direntry_le_ih(ih)) {
++                      if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
++                              reiserfs_warning(NULL, "reiserfs-5093",
++                                               "item entry count seems wrong %h",
++                                               ih);
++                              return 0;
++                      }
++                      return has_valid_deh_location(bh, ih);
+               }
+               prev_location = ih_location(ih);
+       }
+-- 
+2.30.2
+
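Review bot: `return has_valid_deh_location(bh, ih);` in the is_leaf() hunk (`@@ -453,11 +471,14 @@`) ends the item loop at the first directory item, so when that item is valid is_leaf() reports the whole leaf as valid without checking the remaining items or their `prev_location` ordering, and it also skips the `prev_location = ih_location(ih);` update for that item; the old code only returned on failure. The intent is surely to fail on a bad entry and otherwise keep scanning, i.e. `if (!has_valid_deh_location(bh, ih))` followed by `return 0;` in place of the bare return. In has_valid_deh_location() the test `deh_location(&deh[i]) > ih_item_len(ih)` is an upper bound only: a location that falls inside the entry-header array, or locations that are not ordered relative to their neighbours, still pass, so whether the code that derives entry lengths from neighbouring locations tolerates that should be confirmed — it is outside the hunk. Hoisting `ih_entry_count(ih)` and `ih_item_len(ih)` out of the loop into locals would also make the new helper read more clearly.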
index 0a53d6ab2635b89d8e74b072649ad796f5996137..d85e8ceb969a4b6e97189e0a679d104769b12de6 100644 (file)
@@ -15,3 +15,7 @@ media-rtl28xxu-fix-zero-length-control-request.patch
 serial-8250-mask-out-floating-16-32-bit-bus-bits.patch
 mips-malta-do-not-byte-swap-accesses-to-the-cbus-uart.patch
 pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch
+reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch
+reiserfs-check-directory-items-on-read-from-disk.patch
+alpha-send-stop-ipi-to-send-to-online-cpus.patch
+net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch