--- /dev/null
+From 399504e21a10be16dd1408ba0147367d9d82a10c Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 6 Jan 2019 11:41:29 -0500
+Subject: fix cgroup_do_mount() handling of failure exits
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 399504e21a10be16dd1408ba0147367d9d82a10c upstream.
+
+same story as with last May fixes in sysfs (7b745a4e4051
+"unfuck sysfs_mount()"); new_sb is left uninitialized
+in case of early errors in kernfs_mount_ns() and papering
+over it by treating any error from kernfs_mount_ns() as
+equivalent to !new_ns ends up conflating the cases when
+objects had never been transferred to a superblock with
+ones when that has happened and resulting new superblock
+had been dropped. Easily fixed (same way as in sysfs
+case). Additionally, there's a superblock leak on
+kernfs_node_dentry() failure *and* a dentry leak inside
+kernfs_node_dentry() itself - the latter on probably
+impossible errors, but the former not impossible to trigger
+(as the matter of fact, injecting allocation failures
+at that point *does* trigger it).
+
+Cc: stable@kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/kernfs/mount.c | 8 ++++++--
+ kernel/cgroup/cgroup.c | 9 ++++++---
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/kernfs/mount.c
++++ b/fs/kernfs/mount.c
+@@ -196,8 +196,10 @@ struct dentry *kernfs_node_dentry(struct
+ return dentry;
+
+ knparent = find_next_ancestor(kn, NULL);
+- if (WARN_ON(!knparent))
++ if (WARN_ON(!knparent)) {
++ dput(dentry);
+ return ERR_PTR(-EINVAL);
++ }
+
+ do {
+ struct dentry *dtmp;
+@@ -206,8 +208,10 @@ struct dentry *kernfs_node_dentry(struct
+ if (kn == knparent)
+ return dentry;
+ kntmp = find_next_ancestor(kn, knparent);
+- if (WARN_ON(!kntmp))
++ if (WARN_ON(!kntmp)) {
++ dput(dentry);
+ return ERR_PTR(-EINVAL);
++ }
+ dtmp = lookup_one_len_unlocked(kntmp->name, dentry,
+ strlen(kntmp->name));
+ dput(dentry);
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -1942,7 +1942,7 @@ struct dentry *cgroup_do_mount(struct fi
+ struct cgroup_namespace *ns)
+ {
+ struct dentry *dentry;
+- bool new_sb;
++ bool new_sb = false;
+
+ dentry = kernfs_mount(fs_type, flags, root->kf_root, magic, &new_sb);
+
+@@ -1952,6 +1952,7 @@ struct dentry *cgroup_do_mount(struct fi
+ */
+ if (!IS_ERR(dentry) && ns != &init_cgroup_ns) {
+ struct dentry *nsdentry;
++ struct super_block *sb = dentry->d_sb;
+ struct cgroup *cgrp;
+
+ mutex_lock(&cgroup_mutex);
+@@ -1962,12 +1963,14 @@ struct dentry *cgroup_do_mount(struct fi
+ spin_unlock_irq(&css_set_lock);
+ mutex_unlock(&cgroup_mutex);
+
+- nsdentry = kernfs_node_dentry(cgrp->kn, dentry->d_sb);
++ nsdentry = kernfs_node_dentry(cgrp->kn, sb);
+ dput(dentry);
++ if (IS_ERR(nsdentry))
++ deactivate_locked_super(sb);
+ dentry = nsdentry;
+ }
+
+- if (IS_ERR(dentry) || !new_sb)
++ if (!new_sb)
+ cgroup_put(&root->cgrp);
+
+ return dentry;
--- /dev/null
+From 07464e88365e9236febaca9ed1a2e2006d8bc952 Mon Sep 17 00:00:00 2001
+From: Oliver O'Halloran <oohall@gmail.com>
+Date: Wed, 6 Feb 2019 13:04:53 +1100
+Subject: libnvdimm: Fix altmap reservation size calculation
+
+From: Oliver O'Halloran <oohall@gmail.com>
+
+commit 07464e88365e9236febaca9ed1a2e2006d8bc952 upstream.
+
+Libnvdimm reserves the first 8K of pfn and devicedax namespaces to
+store a superblock describing the namespace. This 8K reservation
+is contained within the altmap area which the kernel uses for the
+vmemmap backing for the pages within the namespace. The altmap
+allows for some pages at the start of the altmap area to be reserved
+and that mechanism is used to protect the superblock from being
+re-used as vmemmap backing.
+
+The number of PFNs to reserve is calculated using:
+
+ PHYS_PFN(SZ_8K)
+
+Which is implemented as:
+
+ #define PHYS_PFN(x) ((unsigned long)((x) >> PAGE_SHIFT))
+
+So on systems where PAGE_SIZE is greater than 8K the reservation
+size is truncated to zero and the superblock area is re-used as
+vmemmap backing. As a result all the namespace information stored
+in the superblock (i.e. if it's a PFN or DAX namespace) is lost
+and the namespace needs to be re-created to get access to the
+contents.
+
+This patch fixes this by using PFN_UP() rather than PHYS_PFN() to ensure
+that at least one page is reserved. On systems with a 4K pages size this
+patch should have no effect.
+
+Cc: stable@vger.kernel.org
+Cc: Dan Williams <dan.j.williams@intel.com>
+Fixes: ac515c084be9 ("libnvdimm, pmem, pfn: move pfn setup to the core")
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -535,7 +535,7 @@ static unsigned long init_altmap_base(re
+
+ static unsigned long init_altmap_reserve(resource_size_t base)
+ {
+- unsigned long reserve = PHYS_PFN(SZ_8K);
++ unsigned long reserve = PFN_UP(SZ_8K);
+ unsigned long base_pfn = PHYS_PFN(base);
+
+ reserve += base_pfn - PFN_SECTION_ALIGN_DOWN(base_pfn);
--- /dev/null
+From 966d23a006ca7b44ac8cf4d0c96b19785e0c3da0 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Tue, 15 Jan 2019 10:47:00 -0800
+Subject: libnvdimm/label: Clear 'updating' flag after label-set update
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 966d23a006ca7b44ac8cf4d0c96b19785e0c3da0 upstream.
+
+The UEFI 2.7 specification sets expectations that the 'updating' flag is
+eventually cleared. To date, the libnvdimm core has never adhered to
+that protocol. The policy of the core matches the policy of other
+multi-device info-block formats like MD-Software-RAID that expect
+administrator intervention on inconsistent info-blocks, not automatic
+invalidation.
+
+However, some pre-boot environments may unfortunately attempt to "clean
+up" the labels and invalidate a set when it fails to find at least one
+"non-updating" label in the set. Clear the updating flag after set
+updates to minimize the window of vulnerability to aggressive pre-boot
+environments.
+
+Ideally implementations would not write to the label area outside of
+creating namespaces.
+
+Note that this only minimizes the window, it does not close it as the
+system can still crash while clearing the flag and the set can be
+subsequently deleted / invalidated by the pre-boot environment.
+
+Fixes: f524bf271a5c ("libnvdimm: write pmem label set")
+Cc: <stable@vger.kernel.org>
+Cc: Kelly Couch <kelly.j.couch@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/label.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvdimm/label.c
++++ b/drivers/nvdimm/label.c
+@@ -616,7 +616,7 @@ static const guid_t *to_abstraction_guid
+
+ static int __pmem_label_update(struct nd_region *nd_region,
+ struct nd_mapping *nd_mapping, struct nd_namespace_pmem *nspm,
+- int pos)
++ int pos, unsigned long flags)
+ {
+ struct nd_namespace_common *ndns = &nspm->nsio.common;
+ struct nd_interleave_set *nd_set = nd_region->nd_set;
+@@ -657,7 +657,7 @@ static int __pmem_label_update(struct nd
+ memcpy(nd_label->uuid, nspm->uuid, NSLABEL_UUID_LEN);
+ if (nspm->alt_name)
+ memcpy(nd_label->name, nspm->alt_name, NSLABEL_NAME_LEN);
+- nd_label->flags = __cpu_to_le32(NSLABEL_FLAG_UPDATING);
++ nd_label->flags = __cpu_to_le32(flags);
+ nd_label->nlabel = __cpu_to_le16(nd_region->ndr_mappings);
+ nd_label->position = __cpu_to_le16(pos);
+ nd_label->isetcookie = __cpu_to_le64(cookie);
+@@ -1111,13 +1111,13 @@ static int del_labels(struct nd_mapping
+ int nd_pmem_namespace_label_update(struct nd_region *nd_region,
+ struct nd_namespace_pmem *nspm, resource_size_t size)
+ {
+- int i;
++ int i, rc;
+
+ for (i = 0; i < nd_region->ndr_mappings; i++) {
+ struct nd_mapping *nd_mapping = &nd_region->mapping[i];
+ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
+ struct resource *res;
+- int rc, count = 0;
++ int count = 0;
+
+ if (size == 0) {
+ rc = del_labels(nd_mapping, nspm->uuid);
+@@ -1135,7 +1135,20 @@ int nd_pmem_namespace_label_update(struc
+ if (rc < 0)
+ return rc;
+
+- rc = __pmem_label_update(nd_region, nd_mapping, nspm, i);
++ rc = __pmem_label_update(nd_region, nd_mapping, nspm, i,
++ NSLABEL_FLAG_UPDATING);
++ if (rc)
++ return rc;
++ }
++
++ if (size == 0)
++ return 0;
++
++ /* Clear the UPDATING flag per UEFI 2.7 expectations */
++ for (i = 0; i < nd_region->ndr_mappings; i++) {
++ struct nd_mapping *nd_mapping = &nd_region->mapping[i];
++
++ rc = __pmem_label_update(nd_region, nd_mapping, nspm, i, 0);
+ if (rc)
+ return rc;
+ }
--- /dev/null
+From f101ada7da6551127d192c2f1742c1e9e0f62799 Mon Sep 17 00:00:00 2001
+From: Wei Yang <richardw.yang@linux.intel.com>
+Date: Tue, 22 Jan 2019 10:48:09 +0800
+Subject: libnvdimm, pfn: Fix over-trim in trim_pfn_device()
+
+From: Wei Yang <richardw.yang@linux.intel.com>
+
+commit f101ada7da6551127d192c2f1742c1e9e0f62799 upstream.
+
+When trying to see whether current nd_region intersects with others,
+trim_pfn_device() has already calculated the *size* to be expanded to
+SECTION size.
+
+Do not double append 'adjust' to 'size' when calculating whether the end
+of a region collides with the next pmem region.
+
+Fixes: ae86cbfef381 "libnvdimm, pfn: Pad pfn namespaces relative to other regions"
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -618,7 +618,7 @@ static void trim_pfn_device(struct nd_pf
+ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+ IORES_DESC_NONE) == REGION_MIXED
+ || !IS_ALIGNED(end, nd_pfn->align)
+- || nd_region_conflict(nd_region, start, size + adjust))
++ || nd_region_conflict(nd_region, start, size))
+ *end_trunc = end - phys_pmem_align_down(nd_pfn, end);
+ }
+
--- /dev/null
+From fa7d2e639cd90442d868dfc6ca1d4cc9d8bf206e Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 24 Jan 2019 17:33:06 -0800
+Subject: libnvdimm/pmem: Honor force_raw for legacy pmem regions
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit fa7d2e639cd90442d868dfc6ca1d4cc9d8bf206e upstream.
+
+For recovery, where non-dax access is needed to a given physical address
+range, and testing, allow the 'force_raw' attribute to override the
+default establishment of a dev_pagemap.
+
+Otherwise without this capability it is possible to end up with a
+namespace that can not be activated due to corrupted info-block, and one
+that can not be repaired due to a section collision.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 004f1afbe199 ("libnvdimm, pmem: direct map legacy pmem by default")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/namespace_devs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -138,6 +138,7 @@ bool nd_is_uuid_unique(struct device *de
+ bool pmem_should_map_pages(struct device *dev)
+ {
+ struct nd_region *nd_region = to_nd_region(dev->parent);
++ struct nd_namespace_common *ndns = to_ndns(dev);
+ struct nd_namespace_io *nsio;
+
+ if (!IS_ENABLED(CONFIG_ZONE_DEVICE))
+@@ -149,6 +150,9 @@ bool pmem_should_map_pages(struct device
+ if (is_nd_pfn(dev) || is_nd_btt(dev))
+ return false;
+
++ if (ndns->force_raw)
++ return false;
++
+ nsio = to_nd_namespace_io(dev);
+ if (region_intersects(nsio->res.start, resource_size(&nsio->res),
+ IORESOURCE_SYSTEM_RAM,
net-set-static-variable-an-initial-value-in-atl2_pro.patch
tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch
+stm-class-prevent-division-by-zero.patch
+libnvdimm-label-clear-updating-flag-after-label-set-update.patch
+libnvdimm-pfn-fix-over-trim-in-trim_pfn_device.patch
+libnvdimm-pmem-honor-force_raw-for-legacy-pmem-regions.patch
+libnvdimm-fix-altmap-reservation-size-calculation.patch
+fix-cgroup_do_mount-handling-of-failure-exits.patch
--- /dev/null
+From bf7cbaae0831252b416f375ca9b1027ecd4642dd Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 21 Feb 2019 14:19:17 +0200
+Subject: stm class: Prevent division by zero
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit bf7cbaae0831252b416f375ca9b1027ecd4642dd upstream.
+
+Using STP_POLICY_ID_SET ioctl command with dummy_stm device, or any STM
+device that supplies zero mmio channel size, will trigger a division by
+zero bug in the kernel.
+
+Prevent this by disallowing channel widths other than 1 for such devices.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+CC: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -561,7 +561,7 @@ static int stm_char_policy_set_ioctl(str
+ {
+ struct stm_device *stm = stmf->stm;
+ struct stp_policy_id *id;
+- int ret = -EINVAL;
++ int ret = -EINVAL, wlimit = 1;
+ u32 size;
+
+ if (stmf->output.nr_chans)
+@@ -589,8 +589,10 @@ static int stm_char_policy_set_ioctl(str
+ if (id->__reserved_0 || id->__reserved_1)
+ goto err_free;
+
+- if (id->width < 1 ||
+- id->width > PAGE_SIZE / stm->data->sw_mmiosz)
++ if (stm->data->sw_mmiosz)
++ wlimit = PAGE_SIZE / stm->data->sw_mmiosz;
++
++ if (id->width < 1 || id->width > wlimit)
+ goto err_free;
+
+ ret = stm_file_assign(stmf, id->id, id->width);
projects / thirdparty / kernel / stable-queue.git / commitdiff
