From: Sasha Levin Date: Tue, 8 Oct 2024 06:02:25 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v6.6.55~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=036bfa74503947fc99bceab8cfaa4dd1681713f3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/acpi-battery-fix-possible-crash-when-unregistering-a.patch b/queue-4.19/acpi-battery-fix-possible-crash-when-unregistering-a.patch new file mode 100644 index 00000000000..af9d4adeaca --- /dev/null +++ b/queue-4.19/acpi-battery-fix-possible-crash-when-unregistering-a.patch @@ -0,0 +1,69 @@ +From 64a744c2464d03598a71e1ac079ae1b21d2e184f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 23:28:34 +0200 +Subject: ACPI: battery: Fix possible crash when unregistering a battery hook + +From: Armin Wolf + +[ Upstream commit 76959aff14a0012ad6b984ec7686d163deccdc16 ] + +When a battery hook returns an error when adding a new battery, then +the battery hook is automatically unregistered. +However the battery hook provider cannot know that, so it will later +call battery_hook_unregister() on the already unregistered battery +hook, resulting in a crash. + +Fix this by using the list head to mark already unregistered battery +hooks as already being unregistered so that they can be ignored by +battery_hook_unregister(). + +Fixes: fa93854f7a7e ("battery: Add the battery hooking API") +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20241001212835.341788-3-W_Armin@gmx.de +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index b741ed87ab3db..46aa0e5e6f8b6 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -724,7 +724,7 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook) + list_for_each_entry(battery, &acpi_battery_list, list) { + hook->remove_battery(battery->bat); + } +- list_del(&hook->list); ++ list_del_init(&hook->list); + + pr_info("extension unregistered: %s\n", hook->name); + } +@@ -732,7 +732,14 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook) + void battery_hook_unregister(struct acpi_battery_hook *hook) + { + mutex_lock(&hook_mutex); +- battery_hook_unregister_unlocked(hook); ++ /* ++ * Ignore already unregistered battery hooks. This might happen ++ * if a battery hook was previously unloaded due to an error when ++ * adding a new battery. ++ */ ++ if (!list_empty(&hook->list)) ++ battery_hook_unregister_unlocked(hook); ++ + mutex_unlock(&hook_mutex); + } + EXPORT_SYMBOL_GPL(battery_hook_unregister); +@@ -742,7 +749,6 @@ void battery_hook_register(struct acpi_battery_hook *hook) + struct acpi_battery *battery; + + mutex_lock(&hook_mutex); +- INIT_LIST_HEAD(&hook->list); + list_add(&hook->list, &battery_hook_list); + /* + * Now that the driver is registered, we need +-- +2.43.0 + diff --git a/queue-4.19/acpi-battery-simplify-battery-hook-locking.patch b/queue-4.19/acpi-battery-simplify-battery-hook-locking.patch new file mode 100644 index 00000000000..e5c5227584a --- /dev/null +++ b/queue-4.19/acpi-battery-simplify-battery-hook-locking.patch @@ -0,0 +1,95 @@ +From 6d4faab0e669b4e1864c0a535f4956441c8cdc1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2024 23:28:33 +0200 +Subject: ACPI: battery: Simplify battery hook locking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 86309cbed26139e1caae7629dcca1027d9a28e75 ] + +Move the conditional locking from __battery_hook_unregister() +into battery_hook_unregister() and rename the low-level function +to simplify the locking during battery hook removal. + +Reviewed-by: Ilpo Järvinen +Reviewed-by: Pali Rohár +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20241001212835.341788-2-W_Armin@gmx.de +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: 76959aff14a0 ("ACPI: battery: Fix possible crash when unregistering a battery hook") +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index 88f4040d6c1f2..b741ed87ab3db 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -713,27 +713,27 @@ static LIST_HEAD(acpi_battery_list); + static LIST_HEAD(battery_hook_list); + static DEFINE_MUTEX(hook_mutex); + +-static void __battery_hook_unregister(struct acpi_battery_hook *hook, int lock) ++static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook) + { + struct acpi_battery *battery; ++ + /* + * In order to remove a hook, we first need to + * de-register all the batteries that are registered. + */ +- if (lock) +- mutex_lock(&hook_mutex); + list_for_each_entry(battery, &acpi_battery_list, list) { + hook->remove_battery(battery->bat); + } + list_del(&hook->list); +- if (lock) +- mutex_unlock(&hook_mutex); ++ + pr_info("extension unregistered: %s\n", hook->name); + } + + void battery_hook_unregister(struct acpi_battery_hook *hook) + { +- __battery_hook_unregister(hook, 1); ++ mutex_lock(&hook_mutex); ++ battery_hook_unregister_unlocked(hook); ++ mutex_unlock(&hook_mutex); + } + EXPORT_SYMBOL_GPL(battery_hook_unregister); + +@@ -759,7 +759,7 @@ void battery_hook_register(struct acpi_battery_hook *hook) + * hooks. + */ + pr_err("extension failed to load: %s", hook->name); +- __battery_hook_unregister(hook, 0); ++ battery_hook_unregister_unlocked(hook); + goto end; + } + } +@@ -796,7 +796,7 @@ static void battery_hook_add_battery(struct acpi_battery *battery) + */ + pr_err("error in extension, unloading: %s", + hook_node->name); +- __battery_hook_unregister(hook_node, 0); ++ battery_hook_unregister_unlocked(hook_node); + } + } + mutex_unlock(&hook_mutex); +@@ -829,7 +829,7 @@ static void __exit battery_hook_exit(void) + * need to remove the hooks. + */ + list_for_each_entry_safe(hook, ptr, &battery_hook_list, list) { +- __battery_hook_unregister(hook, 1); ++ battery_hook_unregister(hook); + } + mutex_destroy(&hook_mutex); + } +-- +2.43.0 + diff --git a/queue-4.19/arm64-add-cortex-715-cpu-part-definition.patch b/queue-4.19/arm64-add-cortex-715-cpu-part-definition.patch new file mode 100644 index 00000000000..8f96267ecc2 --- /dev/null +++ b/queue-4.19/arm64-add-cortex-715-cpu-part-definition.patch @@ -0,0 +1,51 @@ +From a055a8a6d63cf50f32fd7813219269d591336c9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 13:20:26 +0100 +Subject: arm64: Add Cortex-715 CPU part definition + +From: Anshuman Khandual + +[ Upstream commit 07e39e60bbf0ccd5f895568e1afca032193705c0 ] + +Add the CPU Partnumbers for the new Arm designs. + +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Suzuki K Poulose +Cc: James Morse +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Acked-by: Catalin Marinas +Signed-off-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20221116140915.356601-2-anshuman.khandual@arm.com +Signed-off-by: Will Deacon +[ Mark: Trivial backport ] +Signed-off-by: Mark Rutland +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/cputype.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index f8be4d7ecde28..e3df8b0c067bf 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -86,6 +86,7 @@ + #define ARM_CPU_PART_CORTEX_A78 0xD41 + #define ARM_CPU_PART_CORTEX_X1 0xD44 + #define ARM_CPU_PART_CORTEX_A710 0xD47 ++#define ARM_CPU_PART_CORTEX_A715 0xD4D + #define ARM_CPU_PART_CORTEX_X2 0xD48 + #define ARM_CPU_PART_NEOVERSE_N2 0xD49 + #define ARM_CPU_PART_CORTEX_A78C 0xD4B +@@ -130,6 +131,7 @@ + #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) + #define MIDR_CORTEX_X1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X1) + #define MIDR_CORTEX_A710 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A710) ++#define MIDR_CORTEX_A715 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A715) + #define MIDR_CORTEX_X2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X2) + #define MIDR_NEOVERSE_N2 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N2) + #define MIDR_CORTEX_A78C MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78C) +-- +2.43.0 + diff --git a/queue-4.19/arm64-cputype-add-neoverse-n3-definitions.patch b/queue-4.19/arm64-cputype-add-neoverse-n3-definitions.patch new file mode 100644 index 00000000000..da115ec594e --- /dev/null +++ b/queue-4.19/arm64-cputype-add-neoverse-n3-definitions.patch @@ -0,0 +1,52 @@ +From 9be720e437ed90d4be3de949acabcfa31deabe68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 13:20:27 +0100 +Subject: arm64: cputype: Add Neoverse-N3 definitions + +From: Mark Rutland + +[ Upstream commit 924725707d80bc2588cefafef76ff3f164d299bc ] + +Add cputype definitions for Neoverse-N3. These will be used for errata +detection in subsequent patches. + +These values can be found in Table A-261 ("MIDR_EL1 bit descriptions") +in issue 02 of the Neoverse-N3 TRM, which can be found at: + + https://developer.arm.com/documentation/107997/0000/?lang=en + +Signed-off-by: Mark Rutland +Cc: James Morse +Cc: Will Deacon +Link: https://lore.kernel.org/r/20240930111705.3352047-2-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +[ Mark: trivial backport ] +Signed-off-by: Mark Rutland +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/cputype.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h +index e3df8b0c067bf..b8593cebb4ff4 100644 +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -98,6 +98,7 @@ + #define ARM_CPU_PART_NEOVERSE_V3 0xD84 + #define ARM_CPU_PART_CORTEX_X925 0xD85 + #define ARM_CPU_PART_CORTEX_A725 0xD87 ++#define ARM_CPU_PART_NEOVERSE_N3 0xD8E + + #define APM_CPU_PART_POTENZA 0x000 + +@@ -143,6 +144,7 @@ + #define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3) + #define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925) + #define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725) ++#define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3) + #define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX) + #define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX) + #define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX) +-- +2.43.0 + diff --git a/queue-4.19/arm64-errata-expand-speculative-ssbs-workaround-once.patch b/queue-4.19/arm64-errata-expand-speculative-ssbs-workaround-once.patch new file mode 100644 index 00000000000..aa2051ca87b --- /dev/null +++ b/queue-4.19/arm64-errata-expand-speculative-ssbs-workaround-once.patch @@ -0,0 +1,112 @@ +From 39edc576aca9aede707e262c425e0f85bc10e7be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 13:20:28 +0100 +Subject: arm64: errata: Expand speculative SSBS workaround once more + +From: Mark Rutland + +[ Upstream commit 081eb7932c2b244f63317a982c5e3990e2c7fbdd ] + +A number of Arm Ltd CPUs suffer from errata whereby an MSR to the SSBS +special-purpose register does not affect subsequent speculative +instructions, permitting speculative store bypassing for a window of +time. + +We worked around this for a number of CPUs in commits: + +* 7187bb7d0b5c7dfa ("arm64: errata: Add workaround for Arm errata 3194386 and 3312417") +* 75b3c43eab594bfb ("arm64: errata: Expand speculative SSBS workaround") +* 145502cac7ea70b5 ("arm64: errata: Expand speculative SSBS workaround (again)") + +Since then, a (hopefully final) batch of updates have been published, +with two more affected CPUs. For the affected CPUs the existing +mitigation is sufficient, as described in their respective Software +Developer Errata Notice (SDEN) documents: + +* Cortex-A715 (MP148) SDEN v15.0, erratum 3456084 + https://developer.arm.com/documentation/SDEN-2148827/1500/ + +* Neoverse-N3 (MP195) SDEN v5.0, erratum 3456111 + https://developer.arm.com/documentation/SDEN-3050973/0500/ + +Enable the existing mitigation by adding the relevant MIDRs to +erratum_spec_ssbs_list, and update silicon-errata.rst and the +Kconfig text accordingly. + +Signed-off-by: Mark Rutland +Cc: James Morse +Cc: Will Deacon +Link: https://lore.kernel.org/r/20240930111705.3352047-3-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +[ Mark: fix conflict in silicon-errata.rst, handle move and rename ] +Signed-off-by: Mark Rutland +Signed-off-by: Sasha Levin +--- + Documentation/arm64/silicon-errata.txt | 2 ++ + arch/arm64/Kconfig | 2 ++ + arch/arm64/kernel/cpu_errata.c | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/Documentation/arm64/silicon-errata.txt b/Documentation/arm64/silicon-errata.txt +index eab3b0cf0dbe9..a67ba12ffa035 100644 +--- a/Documentation/arm64/silicon-errata.txt ++++ b/Documentation/arm64/silicon-errata.txt +@@ -66,6 +66,7 @@ stable kernels. + | ARM | Cortex-A78 | #3324344 | ARM64_ERRATUM_3194386 | + | ARM | Cortex-A78C | #3324346,3324347| ARM64_ERRATUM_3194386 | + | ARM | Cortex-A710 | #3324338 | ARM64_ERRATUM_3194386 | ++| ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 | + | ARM | Cortex-A720 | #3456091 | ARM64_ERRATUM_3194386 | + | ARM | Cortex-A725 | #3456106 | ARM64_ERRATUM_3194386 | + | ARM | Cortex-X1 | #3324344 | ARM64_ERRATUM_3194386 | +@@ -77,6 +78,7 @@ stable kernels. + | ARM | Neoverse-N1 | #1542419 | ARM64_ERRATUM_1542419 | + | ARM | Neoverse-N1 | #3324349 | ARM64_ERRATUM_3194386 | + | ARM | Neoverse-N2 | #3324339 | ARM64_ERRATUM_3194386 | ++| ARM | Neoverse-N3 | #3456111 | ARM64_ERRATUM_3194386 | + | ARM | Neoverse-V1 | #3324341 | ARM64_ERRATUM_3194386 | + | ARM | Neoverse-V2 | #3324336 | ARM64_ERRATUM_3194386 | + | ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 | +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 15c7a2b6e491e..5fa1b1d3172e9 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -543,6 +543,7 @@ config ARM64_ERRATUM_3194386 + * ARM Cortex-A78C erratum 3324346 + * ARM Cortex-A78C erratum 3324347 + * ARM Cortex-A710 erratam 3324338 ++ * ARM Cortex-A715 errartum 3456084 + * ARM Cortex-A720 erratum 3456091 + * ARM Cortex-A725 erratum 3456106 + * ARM Cortex-X1 erratum 3324344 +@@ -553,6 +554,7 @@ config ARM64_ERRATUM_3194386 + * ARM Cortex-X925 erratum 3324334 + * ARM Neoverse-N1 erratum 3324349 + * ARM Neoverse N2 erratum 3324339 ++ * ARM Neoverse-N3 erratum 3456111 + * ARM Neoverse-V1 erratum 3324341 + * ARM Neoverse V2 erratum 3324336 + * ARM Neoverse-V3 erratum 3312417 +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index e87f8d60075d7..a92530a8d7fcd 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -714,6 +714,7 @@ static const struct midr_range erratum_spec_ssbs_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A715), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A720), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A725), + MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), +@@ -724,6 +725,7 @@ static const struct midr_range erratum_spec_ssbs_list[] = { + MIDR_ALL_VERSIONS(MIDR_CORTEX_X925), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N3), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3), +-- +2.43.0 + diff --git a/queue-4.19/ext4-avoid-ext4_error-s-caused-by-enomem-in-the-trun.patch b/queue-4.19/ext4-avoid-ext4_error-s-caused-by-enomem-in-the-trun.patch new file mode 100644 index 00000000000..2301aeb96b4 --- /dev/null +++ b/queue-4.19/ext4-avoid-ext4_error-s-caused-by-enomem-in-the-trun.patch @@ -0,0 +1,172 @@ +From 420c7eabf63d0b0f261e7deea0268fbba6da7b9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 May 2020 10:50:28 -0700 +Subject: ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path + +From: Theodore Ts'o + +[ Upstream commit 73c384c0cdaa8ea9ca9ef2d0cff6a25930f1648e ] + +We can't fail in the truncate path without requiring an fsck. +Add work around for this by using a combination of retry loops +and the __GFP_NOFAIL flag. + +From: Theodore Ts'o +Signed-off-by: Theodore Ts'o +Signed-off-by: Anna Pendleton +Reviewed-by: Harshad Shirwadkar +Link: https://lore.kernel.org/r/20200507175028.15061-1-pendleton@google.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: c26ab35702f8 ("ext4: fix slab-use-after-free in ext4_split_extent_at()") +Signed-off-by: Sasha Levin +--- + fs/ext4/ext4.h | 1 + + fs/ext4/extents.c | 43 +++++++++++++++++++++++++++++++++---------- + 2 files changed, 34 insertions(+), 10 deletions(-) + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index fa2579abea7df..3871df6b67322 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -629,6 +629,7 @@ enum { + */ + #define EXT4_EX_NOCACHE 0x40000000 + #define EXT4_EX_FORCE_CACHE 0x20000000 ++#define EXT4_EX_NOFAIL 0x10000000 + + /* + * Flags used by ext4_free_blocks +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 1762a6330a53c..080a7a401a4e1 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -290,11 +290,14 @@ ext4_force_split_extent_at(handle_t *handle, struct inode *inode, + { + struct ext4_ext_path *path = *ppath; + int unwritten = ext4_ext_is_unwritten(path[path->p_depth].p_ext); ++ int flags = EXT4_EX_NOCACHE | EXT4_GET_BLOCKS_PRE_IO; ++ ++ if (nofail) ++ flags |= EXT4_GET_BLOCKS_METADATA_NOFAIL | EXT4_EX_NOFAIL; + + return ext4_split_extent_at(handle, inode, ppath, lblk, unwritten ? + EXT4_EXT_MARK_UNWRIT1|EXT4_EXT_MARK_UNWRIT2 : 0, +- EXT4_EX_NOCACHE | EXT4_GET_BLOCKS_PRE_IO | +- (nofail ? EXT4_GET_BLOCKS_METADATA_NOFAIL:0)); ++ flags); + } + + /* +@@ -536,8 +539,12 @@ __read_extent_tree_block(const char *function, unsigned int line, + { + struct buffer_head *bh; + int err; ++ gfp_t gfp_flags = __GFP_MOVABLE | GFP_NOFS; ++ ++ if (flags & EXT4_EX_NOFAIL) ++ gfp_flags |= __GFP_NOFAIL; + +- bh = sb_getblk_gfp(inode->i_sb, pblk, __GFP_MOVABLE | GFP_NOFS); ++ bh = sb_getblk_gfp(inode->i_sb, pblk, gfp_flags); + if (unlikely(!bh)) + return ERR_PTR(-ENOMEM); + +@@ -879,6 +886,10 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, + struct ext4_ext_path *path = orig_path ? *orig_path : NULL; + short int depth, i, ppos = 0; + int ret; ++ gfp_t gfp_flags = GFP_NOFS; ++ ++ if (flags & EXT4_EX_NOFAIL) ++ gfp_flags |= __GFP_NOFAIL; + + eh = ext_inode_hdr(inode); + depth = ext_depth(inode); +@@ -899,7 +910,7 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, + if (!path) { + /* account possible depth increase */ + path = kcalloc(depth + 2, sizeof(struct ext4_ext_path), +- GFP_NOFS); ++ gfp_flags); + if (unlikely(!path)) + return ERR_PTR(-ENOMEM); + path[0].p_maxdepth = depth + 1; +@@ -1049,9 +1060,13 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, + ext4_fsblk_t newblock, oldblock; + __le32 border; + ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ ++ gfp_t gfp_flags = GFP_NOFS; + int err = 0; + size_t ext_size = 0; + ++ if (flags & EXT4_EX_NOFAIL) ++ gfp_flags |= __GFP_NOFAIL; ++ + /* make decision: where to split? */ + /* FIXME: now decision is simplest: at current extent */ + +@@ -1085,7 +1100,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, + * We need this to handle errors and free blocks + * upon them. + */ +- ablocks = kcalloc(depth, sizeof(ext4_fsblk_t), GFP_NOFS); ++ ablocks = kcalloc(depth, sizeof(ext4_fsblk_t), gfp_flags); + if (!ablocks) + return -ENOMEM; + +@@ -2075,7 +2090,7 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode, + if (next != EXT_MAX_BLOCKS) { + ext_debug("next leaf block - %u\n", next); + BUG_ON(npath != NULL); +- npath = ext4_find_extent(inode, next, NULL, 0); ++ npath = ext4_find_extent(inode, next, NULL, gb_flags); + if (IS_ERR(npath)) + return PTR_ERR(npath); + BUG_ON(npath->p_depth != path->p_depth); +@@ -2878,7 +2893,8 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, + ext4_fsblk_t pblk; + + /* find extent for or closest extent to this block */ +- path = ext4_find_extent(inode, end, NULL, EXT4_EX_NOCACHE); ++ path = ext4_find_extent(inode, end, NULL, ++ EXT4_EX_NOCACHE | EXT4_EX_NOFAIL); + if (IS_ERR(path)) { + ext4_journal_stop(handle); + return PTR_ERR(path); +@@ -2960,7 +2976,7 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, + le16_to_cpu(path[k].p_hdr->eh_entries)+1; + } else { + path = kcalloc(depth + 1, sizeof(struct ext4_ext_path), +- GFP_NOFS); ++ GFP_NOFS | __GFP_NOFAIL); + if (path == NULL) { + ext4_journal_stop(handle); + return -ENOMEM; +@@ -3382,7 +3398,7 @@ static int ext4_split_extent(handle_t *handle, + * Update path is required because previous ext4_split_extent_at() may + * result in split of original leaf or extent zeroout. + */ +- path = ext4_find_extent(inode, map->m_lblk, ppath, 0); ++ path = ext4_find_extent(inode, map->m_lblk, ppath, flags); + if (IS_ERR(path)) + return PTR_ERR(path); + depth = ext_depth(inode); +@@ -4677,7 +4693,14 @@ int ext4_ext_truncate(handle_t *handle, struct inode *inode) + } + if (err) + return err; +- return ext4_ext_remove_space(inode, last_block, EXT_MAX_BLOCKS - 1); ++retry_remove_space: ++ err = ext4_ext_remove_space(inode, last_block, EXT_MAX_BLOCKS - 1); ++ if (err == -ENOMEM) { ++ cond_resched(); ++ congestion_wait(BLK_RW_ASYNC, HZ/50); ++ goto retry_remove_space; ++ } ++ return err; + } + + static int ext4_alloc_file_blocks(struct file *file, ext4_lblk_t offset, +-- +2.43.0 + diff --git a/queue-4.19/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch b/queue-4.19/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch new file mode 100644 index 00000000000..083fa51a546 --- /dev/null +++ b/queue-4.19/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch @@ -0,0 +1,132 @@ +From 81d34ae8f6382336bb197a710ccbb2fba4fe337f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 10:35:23 +0800 +Subject: ext4: fix slab-use-after-free in ext4_split_extent_at() + +From: Baokun Li + +[ Upstream commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f ] + +We hit the following use-after-free: + +================================================================== +BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 +Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 +CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 +Call Trace: + + kasan_report+0x93/0xc0 + ext4_split_extent_at+0xba8/0xcc0 + ext4_split_extent.isra.0+0x18f/0x500 + ext4_split_convert_extents+0x275/0x750 + ext4_ext_handle_unwritten_extents+0x73e/0x1580 + ext4_ext_map_blocks+0xe20/0x2dc0 + ext4_map_blocks+0x724/0x1700 + ext4_do_writepages+0x12d6/0x2a70 +[...] + +Allocated by task 40: + __kmalloc_noprof+0x1ac/0x480 + ext4_find_extent+0xf3b/0x1e70 + ext4_ext_map_blocks+0x188/0x2dc0 + ext4_map_blocks+0x724/0x1700 + ext4_do_writepages+0x12d6/0x2a70 +[...] + +Freed by task 40: + kfree+0xf1/0x2b0 + ext4_find_extent+0xa71/0x1e70 + ext4_ext_insert_extent+0xa22/0x3260 + ext4_split_extent_at+0x3ef/0xcc0 + ext4_split_extent.isra.0+0x18f/0x500 + ext4_split_convert_extents+0x275/0x750 + ext4_ext_handle_unwritten_extents+0x73e/0x1580 + ext4_ext_map_blocks+0xe20/0x2dc0 + ext4_map_blocks+0x724/0x1700 + ext4_do_writepages+0x12d6/0x2a70 +[...] +================================================================== + +The flow of issue triggering is as follows: + +ext4_split_extent_at + path = *ppath + ext4_ext_insert_extent(ppath) + ext4_ext_create_new_leaf(ppath) + ext4_find_extent(orig_path) + path = *orig_path + read_extent_tree_block + // return -ENOMEM or -EIO + ext4_free_ext_path(path) + kfree(path) + *orig_path = NULL + a. If err is -ENOMEM: + ext4_ext_dirty(path + path->p_depth) + // path use-after-free !!! + b. If err is -EIO and we have EXT_DEBUG defined: + ext4_ext_show_leaf(path) + eh = path[depth].p_hdr + // path also use-after-free !!! + +So when trying to zeroout or fix the extent length, call ext4_find_extent() +to update the path. + +In addition we use *ppath directly as an ext4_ext_show_leaf() input to +avoid possible use-after-free when EXT_DEBUG is defined, and to avoid +unnecessary path updates. + +Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Reviewed-by: Ojaswin Mujoo +Tested-by: Ojaswin Mujoo +Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 080a7a401a4e1..c538d09542391 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3294,6 +3294,25 @@ static int ext4_split_extent_at(handle_t *handle, + if (err != -ENOSPC && err != -EDQUOT) + goto out; + ++ /* ++ * Update path is required because previous ext4_ext_insert_extent() ++ * may have freed or reallocated the path. Using EXT4_EX_NOFAIL ++ * guarantees that ext4_find_extent() will not return -ENOMEM, ++ * otherwise -ENOMEM will cause a retry in do_writepages(), and a ++ * WARN_ON may be triggered in ext4_da_update_reserve_space() due to ++ * an incorrect ee_len causing the i_reserved_data_blocks exception. ++ */ ++ path = ext4_find_extent(inode, ee_block, ppath, ++ flags | EXT4_EX_NOFAIL); ++ if (IS_ERR(path)) { ++ EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld", ++ split, PTR_ERR(path)); ++ return PTR_ERR(path); ++ } ++ depth = ext_depth(inode); ++ ex = path[depth].p_ext; ++ *ppath = path; ++ + if (EXT4_EXT_MAY_ZEROOUT & split_flag) { + if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { + if (split_flag & EXT4_EXT_DATA_VALID1) { +@@ -3342,7 +3361,7 @@ static int ext4_split_extent_at(handle_t *handle, + ext4_ext_dirty(handle, inode, path + path->p_depth); + return err; + out: +- ext4_ext_show_leaf(inode, path); ++ ext4_ext_show_leaf(inode, *ppath); + return err; + } + +-- +2.43.0 + diff --git a/queue-4.19/ext4-update-orig_path-in-ext4_find_extent.patch b/queue-4.19/ext4-update-orig_path-in-ext4_find_extent.patch new file mode 100644 index 00000000000..dc0b6d34fba --- /dev/null +++ b/queue-4.19/ext4-update-orig_path-in-ext4_find_extent.patch @@ -0,0 +1,93 @@ +From 46cf36dd9114f4f0aaeaa327b40d141b9306bf82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2024 10:35:25 +0800 +Subject: ext4: update orig_path in ext4_find_extent() + +From: Baokun Li + +[ Upstream commit 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 ] + +In ext4_find_extent(), if the path is not big enough, we free it and set +*orig_path to NULL. But after reallocating and successfully initializing +the path, we don't update *orig_path, in which case the caller gets a +valid path but a NULL ppath, and this may cause a NULL pointer dereference +or a path memory leak. For example: + +ext4_split_extent + path = *ppath = 2000 + ext4_find_extent + if (depth > path[0].p_maxdepth) + kfree(path = 2000); + *orig_path = path = NULL; + path = kcalloc() = 3000 + ext4_split_extent_at(*ppath = NULL) + path = *ppath; + ex = path[depth].p_ext; + // NULL pointer dereference! + +================================================================== +BUG: kernel NULL pointer dereference, address: 0000000000000010 +CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847 +RIP: 0010:ext4_split_extent_at+0x6d/0x560 +Call Trace: + + ext4_split_extent.isra.0+0xcb/0x1b0 + ext4_ext_convert_to_initialized+0x168/0x6c0 + ext4_ext_handle_unwritten_extents+0x325/0x4d0 + ext4_ext_map_blocks+0x520/0xdb0 + ext4_map_blocks+0x2b0/0x690 + ext4_iomap_begin+0x20e/0x2c0 +[...] +================================================================== + +Therefore, *orig_path is updated when the extent lookup succeeds, so that +the caller can safely use path or *ppath. + +Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20240822023545.1994557-6-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents.c | 3 ++- + fs/ext4/move_extent.c | 1 - + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index c538d09542391..63380c2910077 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -956,6 +956,8 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, + + ext4_ext_show_path(inode, path); + ++ if (orig_path) ++ *orig_path = path; + return path; + + err: +@@ -3311,7 +3313,6 @@ static int ext4_split_extent_at(handle_t *handle, + } + depth = ext_depth(inode); + ex = path[depth].p_ext; +- *ppath = path; + + if (EXT4_EXT_MAY_ZEROOUT & split_flag) { + if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { +diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c +index 2c368d67a33ac..1581b48af1fed 100644 +--- a/fs/ext4/move_extent.c ++++ b/fs/ext4/move_extent.c +@@ -37,7 +37,6 @@ get_ext_path(struct inode *inode, ext4_lblk_t lblock, + *ppath = NULL; + return -ENODATA; + } +- *ppath = path; + return 0; + } + +-- +2.43.0 + diff --git a/queue-4.19/nfsd-fix-delegation_blocked-to-block-correctly-for-a.patch b/queue-4.19/nfsd-fix-delegation_blocked-to-block-correctly-for-a.patch new file mode 100644 index 00000000000..acccdb380cf --- /dev/null +++ b/queue-4.19/nfsd-fix-delegation_blocked-to-block-correctly-for-a.patch @@ -0,0 +1,65 @@ +From 68b65ac1c11b72f2bb6f74ff40b87aefb6ef4f5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 15:06:36 +1000 +Subject: nfsd: fix delegation_blocked() to block correctly for at least 30 + seconds + +From: NeilBrown + +[ Upstream commit 45bb63ed20e02ae146336412889fe5450316a84f ] + +The pair of bloom filtered used by delegation_blocked() was intended to +block delegations on given filehandles for between 30 and 60 seconds. A +new filehandle would be recorded in the "new" bit set. That would then +be switch to the "old" bit set between 0 and 30 seconds later, and it +would remain as the "old" bit set for 30 seconds. + +Unfortunately the code intended to clear the old bit set once it reached +30 seconds old, preparing it to be the next new bit set, instead cleared +the *new* bit set before switching it to be the old bit set. This means +that the "old" bit set is always empty and delegations are blocked +between 0 and 30 seconds. + +This patch updates bd->new before clearing the set with that index, +instead of afterwards. + +Reported-by: Olga Kornievskaia +Cc: stable@vger.kernel.org +Fixes: 6282cd565553 ("NFSD: Don't hand out delegations for 30 seconds after recalling them.") +Signed-off-by: NeilBrown +Reviewed-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index acb43210d2dc5..061694c405ac3 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -743,7 +743,8 @@ static void nfs4_free_deleg(struct nfs4_stid *stid) + * When a delegation is recalled, the filehandle is stored in the "new" + * filter. + * Every 30 seconds we swap the filters and clear the "new" one, +- * unless both are empty of course. ++ * unless both are empty of course. This results in delegations for a ++ * given filehandle being blocked for between 30 and 60 seconds. + * + * Each filter is 256 bits. We hash the filehandle to 32bit and use the + * low 3 bytes as hash-table indices. +@@ -772,9 +773,9 @@ static int delegation_blocked(struct knfsd_fh *fh) + if (ktime_get_seconds() - bd->swap_time > 30) { + bd->entries -= bd->old_entries; + bd->old_entries = bd->entries; ++ bd->new = 1-bd->new; + memset(bd->set[bd->new], 0, + sizeof(bd->set[0])); +- bd->new = 1-bd->new; + bd->swap_time = ktime_get_seconds(); + } + spin_unlock(&blocked_delegations_lock); +-- +2.43.0 + diff --git a/queue-4.19/nfsd-use-ktime_get_seconds-for-timestamps.patch b/queue-4.19/nfsd-use-ktime_get_seconds-for-timestamps.patch new file mode 100644 index 00000000000..76e787a55f2 --- /dev/null +++ b/queue-4.19/nfsd-use-ktime_get_seconds-for-timestamps.patch @@ -0,0 +1,64 @@ +From b31c33085bd525bff0c48a945e3f28459f9755a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2017 11:25:34 +0200 +Subject: nfsd: use ktime_get_seconds() for timestamps + +From: Arnd Bergmann + +[ Upstream commit b3f255ef6bffc18a28c3b6295357f2a3380c033f ] + +The delegation logic in nfsd uses the somewhat inefficient +seconds_since_boot() function to record time intervals. + +Signed-off-by: Arnd Bergmann +Signed-off-by: J. Bruce Fields +Stable-dep-of: 45bb63ed20e0 ("nfsd: fix delegation_blocked() to block correctly for at least 30 seconds") +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 7ac644d64ab1d..acb43210d2dc5 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -755,7 +755,7 @@ static void nfs4_free_deleg(struct nfs4_stid *stid) + static DEFINE_SPINLOCK(blocked_delegations_lock); + static struct bloom_pair { + int entries, old_entries; +- time_t swap_time; ++ time64_t swap_time; + int new; /* index into 'set' */ + DECLARE_BITMAP(set[2], 256); + } blocked_delegations; +@@ -767,15 +767,15 @@ static int delegation_blocked(struct knfsd_fh *fh) + + if (bd->entries == 0) + return 0; +- if (seconds_since_boot() - bd->swap_time > 30) { ++ if (ktime_get_seconds() - bd->swap_time > 30) { + spin_lock(&blocked_delegations_lock); +- if (seconds_since_boot() - bd->swap_time > 30) { ++ if (ktime_get_seconds() - bd->swap_time > 30) { + bd->entries -= bd->old_entries; + bd->old_entries = bd->entries; + memset(bd->set[bd->new], 0, + sizeof(bd->set[0])); + bd->new = 1-bd->new; +- bd->swap_time = seconds_since_boot(); ++ bd->swap_time = ktime_get_seconds(); + } + spin_unlock(&blocked_delegations_lock); + } +@@ -805,7 +805,7 @@ static void block_delegations(struct knfsd_fh *fh) + __set_bit((hash>>8)&255, bd->set[bd->new]); + __set_bit((hash>>16)&255, bd->set[bd->new]); + if (bd->entries == 0) +- bd->swap_time = seconds_since_boot(); ++ bd->swap_time = ktime_get_seconds(); + bd->entries += 1; + spin_unlock(&blocked_delegations_lock); + } +-- +2.43.0 + diff --git a/queue-4.19/rtc-at91sam9-drop-platform_data-support.patch b/queue-4.19/rtc-at91sam9-drop-platform_data-support.patch new file mode 100644 index 00000000000..6e286373c8f --- /dev/null +++ b/queue-4.19/rtc-at91sam9-drop-platform_data-support.patch @@ -0,0 +1,118 @@ +From b0ef1a814ae06a714af06243bebb3517c442e2e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Mar 2019 13:40:37 +0100 +Subject: rtc: at91sam9: drop platform_data support + +From: Alexandre Belloni + +[ Upstream commit 1a76a77c8800a50b98bd38b7b1ffec32fe107bc1 ] + +ARCH_AT91 is DT only for a while, drop platform data support. + +Acked-by: Nicolas Ferre +Signed-off-by: Alexandre Belloni +Stable-dep-of: 73580e2ee6ad ("rtc: at91sam9: fix OF node leak in probe() error path") +Signed-off-by: Sasha Levin +--- + drivers/rtc/Kconfig | 2 +- + drivers/rtc/rtc-at91sam9.c | 44 +++++++------------------------------- + 2 files changed, 9 insertions(+), 37 deletions(-) + +diff --git a/drivers/rtc/Kconfig b/drivers/rtc/Kconfig +index 199cc39459198..6dedba21683f5 100644 +--- a/drivers/rtc/Kconfig ++++ b/drivers/rtc/Kconfig +@@ -1404,7 +1404,7 @@ config RTC_DRV_AT91RM9200 + config RTC_DRV_AT91SAM9 + tristate "AT91SAM9 RTT as RTC" + depends on ARCH_AT91 || COMPILE_TEST +- depends on HAS_IOMEM ++ depends on OF && HAS_IOMEM + select MFD_SYSCON + help + Some AT91SAM9 SoCs provide an RTT (Real Time Timer) block which +diff --git a/drivers/rtc/rtc-at91sam9.c b/drivers/rtc/rtc-at91sam9.c +index ee71e647fd433..1c8bdf77f6edd 100644 +--- a/drivers/rtc/rtc-at91sam9.c ++++ b/drivers/rtc/rtc-at91sam9.c +@@ -348,13 +348,6 @@ static const struct rtc_class_ops at91_rtc_ops = { + .alarm_irq_enable = at91_rtc_alarm_irq_enable, + }; + +-static const struct regmap_config gpbr_regmap_config = { +- .name = "gpbr", +- .reg_bits = 32, +- .val_bits = 32, +- .reg_stride = 4, +-}; +- + /* + * Initialize and install RTC driver + */ +@@ -365,6 +358,7 @@ static int at91_rtc_probe(struct platform_device *pdev) + int ret, irq; + u32 mr; + unsigned int sclk_rate; ++ struct of_phandle_args args; + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +@@ -390,34 +384,14 @@ static int at91_rtc_probe(struct platform_device *pdev) + if (IS_ERR(rtc->rtt)) + return PTR_ERR(rtc->rtt); + +- if (!pdev->dev.of_node) { +- /* +- * TODO: Remove this code chunk when removing non DT board +- * support. Remember to remove the gpbr_regmap_config +- * variable too. +- */ +- void __iomem *gpbr; +- +- r = platform_get_resource(pdev, IORESOURCE_MEM, 1); +- gpbr = devm_ioremap_resource(&pdev->dev, r); +- if (IS_ERR(gpbr)) +- return PTR_ERR(gpbr); +- +- rtc->gpbr = regmap_init_mmio(NULL, gpbr, +- &gpbr_regmap_config); +- } else { +- struct of_phandle_args args; +- +- ret = of_parse_phandle_with_fixed_args(pdev->dev.of_node, +- "atmel,rtt-rtc-time-reg", 1, 0, +- &args); +- if (ret) +- return ret; +- +- rtc->gpbr = syscon_node_to_regmap(args.np); +- rtc->gpbr_offset = args.args[0]; +- } ++ ret = of_parse_phandle_with_fixed_args(pdev->dev.of_node, ++ "atmel,rtt-rtc-time-reg", 1, 0, ++ &args); ++ if (ret) ++ return ret; + ++ rtc->gpbr = syscon_node_to_regmap(args.np); ++ rtc->gpbr_offset = args.args[0]; + if (IS_ERR(rtc->gpbr)) { + dev_err(&pdev->dev, "failed to retrieve gpbr regmap, aborting.\n"); + return -ENOMEM; +@@ -569,13 +543,11 @@ static int at91_rtc_resume(struct device *dev) + + static SIMPLE_DEV_PM_OPS(at91_rtc_pm_ops, at91_rtc_suspend, at91_rtc_resume); + +-#ifdef CONFIG_OF + static const struct of_device_id at91_rtc_dt_ids[] = { + { .compatible = "atmel,at91sam9260-rtt" }, + { /* sentinel */ } + }; + MODULE_DEVICE_TABLE(of, at91_rtc_dt_ids); +-#endif + + static struct platform_driver at91_rtc_driver = { + .probe = at91_rtc_probe, +-- +2.43.0 + diff --git a/queue-4.19/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch b/queue-4.19/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch new file mode 100644 index 00000000000..ca9ac163513 --- /dev/null +++ b/queue-4.19/rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch @@ -0,0 +1,37 @@ +From 8d5cc1d2a28fa93c370839822287867ea3702d10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Aug 2024 20:31:03 +0200 +Subject: rtc: at91sam9: fix OF node leak in probe() error path + +From: Krzysztof Kozlowski + +[ Upstream commit 73580e2ee6adfb40276bd420da3bb1abae204e10 ] + +Driver is leaking an OF node reference obtained from +of_parse_phandle_with_fixed_args(). + +Fixes: 43e112bb3dea ("rtc: at91sam9: make use of syscon/regmap to access GPBR registers") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20240825183103.102904-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-at91sam9.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rtc/rtc-at91sam9.c b/drivers/rtc/rtc-at91sam9.c +index 1c8bdf77f6edd..4672dde68c782 100644 +--- a/drivers/rtc/rtc-at91sam9.c ++++ b/drivers/rtc/rtc-at91sam9.c +@@ -391,6 +391,7 @@ static int at91_rtc_probe(struct platform_device *pdev) + return ret; + + rtc->gpbr = syscon_node_to_regmap(args.np); ++ of_node_put(args.np); + rtc->gpbr_offset = args.args[0]; + if (IS_ERR(rtc->gpbr)) { + dev_err(&pdev->dev, "failed to retrieve gpbr regmap, aborting.\n"); +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index 46ec4a3babf..d838dd46567 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -212,3 +212,16 @@ tomoyo-fallback-to-realpath-if-symlink-s-pathname-does-not-exist.patch input-adp5589-keys-fix-adp5589_gpio_get_value.patch btrfs-wait-for-fixup-workers-before-stopping-cleaner-kthread-during-umount.patch gpio-davinci-fix-lazy-disable.patch +ext4-avoid-ext4_error-s-caused-by-enomem-in-the-trun.patch +ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch +ext4-update-orig_path-in-ext4_find_extent.patch +arm64-add-cortex-715-cpu-part-definition.patch +arm64-cputype-add-neoverse-n3-definitions.patch +arm64-errata-expand-speculative-ssbs-workaround-once.patch +uprobes-fix-kernel-info-leak-via-uprobes-vma.patch +nfsd-use-ktime_get_seconds-for-timestamps.patch +nfsd-fix-delegation_blocked-to-block-correctly-for-a.patch +rtc-at91sam9-drop-platform_data-support.patch +rtc-at91sam9-fix-of-node-leak-in-probe-error-path.patch +acpi-battery-simplify-battery-hook-locking.patch +acpi-battery-fix-possible-crash-when-unregistering-a.patch diff --git a/queue-4.19/uprobes-fix-kernel-info-leak-via-uprobes-vma.patch b/queue-4.19/uprobes-fix-kernel-info-leak-via-uprobes-vma.patch new file mode 100644 index 00000000000..43756f76747 --- /dev/null +++ b/queue-4.19/uprobes-fix-kernel-info-leak-via-uprobes-vma.patch @@ -0,0 +1,43 @@ +From c6d8d44d9f097a9f97ef9247c13a1af49ebdda79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Oct 2024 19:46:01 +0200 +Subject: uprobes: fix kernel info leak via "[uprobes]" vma + +From: Oleg Nesterov + +commit 34820304cc2cd1804ee1f8f3504ec77813d29c8e upstream. + +xol_add_vma() maps the uninitialized page allocated by __create_xol_area() +into userspace. On some architectures (x86) this memory is readable even +without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ, +although this doesn't really matter, debugger can read this memory anyway. + +Link: https://lore.kernel.org/all/20240929162047.GA12611@redhat.com/ + +Reported-by: Will Deacon +Fixes: d4b3b6384f98 ("uprobes/core: Allocate XOL slots for uprobes use") +Cc: stable@vger.kernel.org +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Oleg Nesterov +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + kernel/events/uprobes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c +index 3361da45e1db7..3ca91daddc9f5 100644 +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -1198,7 +1198,7 @@ static struct xol_area *__create_xol_area(unsigned long vaddr) + + area->xol_mapping.name = "[uprobes]"; + area->xol_mapping.pages = area->pages; +- area->pages[0] = alloc_page(GFP_HIGHUSER); ++ area->pages[0] = alloc_page(GFP_HIGHUSER | __GFP_ZERO); + if (!area->pages[0]) + goto free_bitmap; + area->pages[1] = NULL; +-- +2.43.0 +