--- /dev/null
+From c35d489401314e57fc52b3b3c610ce5f7bede75e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 10:16:27 -0500
+Subject: alpha: Send stop IPI to send to online CPUs
+
+From: Prarit Bhargava <prarit@redhat.com>
+
+[ Upstream commit caace6ca4e06f09413fb8f8a63319594cfb7d47d ]
+
+This issue was noticed while debugging a shutdown issue where some
+secondary CPUs are not being shutdown correctly. A fix for that [1] requires
+that secondary cpus be offlined using the cpu_online_mask so that the
+stop operation is a no-op if CPU HOTPLUG is disabled. I, like the author in
+[1] looked at the architectures and found that alpha is one of two
+architectures that executes smp_send_stop() on all possible CPUs.
+
+On alpha, smp_send_stop() sends an IPI to all possible CPUs but only needs
+to send them to online CPUs.
+
+Send the stop IPI to only the online CPUs.
+
+[1] https://lkml.org/lkml/2020/1/10/250
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/kernel/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c
+index d0dccae53ba9..8a89b9adb4fe 100644
+--- a/arch/alpha/kernel/smp.c
++++ b/arch/alpha/kernel/smp.c
+@@ -585,7 +585,7 @@ void
+ smp_send_stop(void)
+ {
+ cpumask_t to_whom;
+- cpumask_copy(&to_whom, cpu_possible_mask);
++ cpumask_copy(&to_whom, cpu_online_mask);
+ cpumask_clear_cpu(smp_processor_id(), &to_whom);
+ #ifdef DEBUG_IPI_MSG
+ if (hard_smp_processor_id() != boot_cpu_id)
+--
+2.30.2
+
--- /dev/null
+From 659e1d158380c62dd1110f91b0bc135e0353efec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 15:02:37 +0200
+Subject: libata: fix ata_pio_sector for CONFIG_HIGHMEM
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit ecef6a9effe49e8e2635c839020b9833b71e934c ]
+
+Data transfers are not required to be block aligned in memory, so they
+span two pages. Fix this by splitting the call to >sff_data_xfer into
+two for that case.
+
+This has been broken since the initial libata import before the damn
+of git, but was uncovered by the legacy ide driver removal.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20210709130237.3730959-1-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-sff.c | 35 +++++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
+index 7057630ccf52..1b4297ec3e87 100644
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -657,6 +657,20 @@ unsigned int ata_sff_data_xfer32(struct ata_queued_cmd *qc, unsigned char *buf,
+ }
+ EXPORT_SYMBOL_GPL(ata_sff_data_xfer32);
+
++static void ata_pio_xfer(struct ata_queued_cmd *qc, struct page *page,
++ unsigned int offset, size_t xfer_size)
++{
++ bool do_write = (qc->tf.flags & ATA_TFLAG_WRITE);
++ unsigned char *buf;
++
++ buf = kmap_atomic(page);
++ qc->ap->ops->sff_data_xfer(qc, buf + offset, xfer_size, do_write);
++ kunmap_atomic(buf);
++
++ if (!do_write && !PageSlab(page))
++ flush_dcache_page(page);
++}
++
+ /**
+ * ata_sff_data_xfer_noirq - Transfer data by PIO
+ * @qc: queued command
+@@ -698,11 +712,9 @@ EXPORT_SYMBOL_GPL(ata_sff_data_xfer_noirq);
+ */
+ static void ata_pio_sector(struct ata_queued_cmd *qc)
+ {
+- int do_write = (qc->tf.flags & ATA_TFLAG_WRITE);
+ struct ata_port *ap = qc->ap;
+ struct page *page;
+ unsigned int offset;
+- unsigned char *buf;
+
+ if (!qc->cursg) {
+ qc->curbytes = qc->nbytes;
+@@ -720,13 +732,20 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
+
+ DPRINTK("data %s\n", qc->tf.flags & ATA_TFLAG_WRITE ? "write" : "read");
+
+- /* do the actual data transfer */
+- buf = kmap_atomic(page);
+- ap->ops->sff_data_xfer(qc, buf + offset, qc->sect_size, do_write);
+- kunmap_atomic(buf);
++ /*
++ * Split the transfer when it splits a page boundary. Note that the
++ * split still has to be dword aligned like all ATA data transfers.
++ */
++ WARN_ON_ONCE(offset % 4);
++ if (offset + qc->sect_size > PAGE_SIZE) {
++ unsigned int split_len = PAGE_SIZE - offset;
+
+- if (!do_write && !PageSlab(page))
+- flush_dcache_page(page);
++ ata_pio_xfer(qc, page, offset, split_len);
++ ata_pio_xfer(qc, nth_page(page, 1), 0,
++ qc->sect_size - split_len);
++ } else {
++ ata_pio_xfer(qc, page, offset, qc->sect_size);
++ }
+
+ qc->curbytes += qc->sect_size;
+ qc->cursg_ofs += qc->sect_size;
+--
+2.30.2
+
--- /dev/null
+From ce1075bbbfbbccf3db9f72364e38047737a2f5d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jul 2021 21:45:12 +0800
+Subject: net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and
+ ql_adapter_reset
+
+From: Letu Ren <fantasquex@gmail.com>
+
+[ Upstream commit 92766c4628ea349c8ddab0cd7bd0488f36e5c4ce ]
+
+When calling the 'ql_wait_for_drvr_lock' and 'ql_adapter_reset', the driver
+has already acquired the spin lock, so the driver should not call 'ssleep'
+in atomic context.
+
+This bug can be fixed by using 'mdelay' instead of 'ssleep'.
+
+Reported-by: Letu Ren <fantasquex@gmail.com>
+Signed-off-by: Letu Ren <fantasquex@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index a8bb061e1a8a..36c7d78ba780 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -155,7 +155,7 @@ static int ql_wait_for_drvr_lock(struct ql3_adapter *qdev)
+ "driver lock acquired\n");
+ return 1;
+ }
+- ssleep(1);
++ mdelay(1000);
+ } while (++i < 10);
+
+ netdev_err(qdev->ndev, "Timed out waiting for driver lock...\n");
+@@ -3291,7 +3291,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev)
+ if ((value & ISP_CONTROL_SR) == 0)
+ break;
+
+- ssleep(1);
++ mdelay(1000);
+ } while ((--max_wait_time));
+
+ /*
+@@ -3327,7 +3327,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev)
+ ispControlStatus);
+ if ((value & ISP_CONTROL_FSR) == 0)
+ break;
+- ssleep(1);
++ mdelay(1000);
+ } while ((--max_wait_time));
+ }
+ if (max_wait_time == 0)
+--
+2.30.2
+
--- /dev/null
+From e3c95f84b0992c11b36c35cff71ef4724442a1ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 12:07:43 +0800
+Subject: reiserfs: add check for root_inode in reiserfs_fill_super
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ]
+
+Our syzcaller report a NULL pointer dereference:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0
+Oops: 0010 [#1] SMP KASAN
+CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
+RSP: 0018:ffff888114e779b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa
+RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0
+RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001
+R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00
+R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0
+FS: 00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __lookup_slow+0x116/0x2d0
+ ? page_put_link+0x120/0x120
+ ? __d_lookup+0xfc/0x320
+ ? d_lookup+0x49/0x90
+ lookup_one_len+0x13c/0x170
+ ? __lookup_slow+0x2d0/0x2d0
+ ? reiserfs_schedule_old_flush+0x31/0x130
+ reiserfs_lookup_privroot+0x64/0x150
+ reiserfs_fill_super+0x158c/0x1b90
+ ? finish_unfinished+0xb10/0xb10
+ ? bprintf+0xe0/0xe0
+ ? __mutex_lock_slowpath+0x30/0x30
+ ? __kasan_check_write+0x20/0x30
+ ? up_write+0x51/0xb0
+ ? set_blocksize+0x9f/0x1f0
+ mount_bdev+0x27c/0x2d0
+ ? finish_unfinished+0xb10/0xb10
+ ? reiserfs_kill_sb+0x120/0x120
+ get_super_block+0x19/0x30
+ legacy_get_tree+0x76/0xf0
+ vfs_get_tree+0x49/0x160
+ ? capable+0x1d/0x30
+ path_mount+0xacc/0x1380
+ ? putname+0x97/0xd0
+ ? finish_automount+0x450/0x450
+ ? kmem_cache_free+0xf8/0x5a0
+ ? putname+0x97/0xd0
+ do_mount+0xe2/0x110
+ ? path_mount+0x1380/0x1380
+ ? copy_mount_options+0x69/0x140
+ __x64_sys_mount+0xf0/0x190
+ do_syscall_64+0x35/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+This is because 'root_inode' is initialized with wrong mode, and
+it's i_op is set to 'reiserfs_special_inode_operations'. Thus add
+check for 'root_inode' to fix the problem.
+
+Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/super.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
+index fbae5f4eea09..7dfdc503e601 100644
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -2085,6 +2085,14 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
+ unlock_new_inode(root_inode);
+ }
+
++ if (!S_ISDIR(root_inode->i_mode) || !inode_get_bytes(root_inode) ||
++ !root_inode->i_size) {
++ SWARN(silent, s, "", "corrupt root inode, run fsck");
++ iput(root_inode);
++ errval = -EUCLEAN;
++ goto error;
++ }
++
+ s->s_root = d_make_root(root_inode);
+ if (!s->s_root)
+ goto error;
+--
+2.30.2
+
--- /dev/null
+From d8f91f4803f8d560ce561fcbed1782cc92889bba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 20:59:29 +0530
+Subject: reiserfs: check directory items on read from disk
+
+From: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
+
+[ Upstream commit 13d257503c0930010ef9eed78b689cec417ab741 ]
+
+While verifying the leaf item that we read from the disk, reiserfs
+doesn't check the directory items, this could cause a crash when we
+read a directory item from the disk that has an invalid deh_location.
+
+This patch adds a check to the directory items read from the disk that
+does a bounds check on deh_location for the directory entries. Any
+directory entry header with a directory entry offset greater than the
+item length is considered invalid.
+
+Link: https://lore.kernel.org/r/20210709152929.766363-1-chouhan.shreyansh630@gmail.com
+Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
+Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
+index 5229038852ca..4ebad6781b0e 100644
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path)
+ search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
+ }
+
++static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
++{
++ struct reiserfs_de_head *deh;
++ int i;
++
++ deh = B_I_DEH(bh, ih);
++ for (i = 0; i < ih_entry_count(ih); i++) {
++ if (deh_location(&deh[i]) > ih_item_len(ih)) {
++ reiserfs_warning(NULL, "reiserfs-5094",
++ "directory entry location seems wrong %h",
++ &deh[i]);
++ return 0;
++ }
++ }
++
++ return 1;
++}
++
+ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
+ {
+ struct block_head *blkh;
+@@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
+ "(second one): %h", ih);
+ return 0;
+ }
+- if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
+- reiserfs_warning(NULL, "reiserfs-5093",
+- "item entry count seems wrong %h",
+- ih);
+- return 0;
++ if (is_direntry_le_ih(ih)) {
++ if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
++ reiserfs_warning(NULL, "reiserfs-5093",
++ "item entry count seems wrong %h",
++ ih);
++ return 0;
++ }
++ return has_valid_deh_location(bh, ih);
+ }
+ prev_location = ih_location(ih);
+ }
+--
+2.30.2
+
spi-meson-spicc-fix-memory-leak-in-meson_spicc_remove.patch
perf-x86-amd-don-t-touch-the-amd64_eventsel_hostonly-bit-inside-the-guest.patch
qmi_wwan-add-network-device-usage-statistics-for-qmimux-devices.patch
+libata-fix-ata_pio_sector-for-config_highmem.patch
+reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch
+reiserfs-check-directory-items-on-read-from-disk.patch
+alpha-send-stop-ipi-to-send-to-online-cpus.patch
+net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
