From: Sasha Levin Date: Fri, 18 Feb 2022 03:28:50 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v4.9.303~76 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=42b56b4c2617acd06493e53f54e0f809383d0eac;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/ax25-improve-the-incomplete-fix-to-avoid-uaf-and-npd.patch b/queue-4.14/ax25-improve-the-incomplete-fix-to-avoid-uaf-and-npd.patch new file mode 100644 index 00000000000..6b26d2cc144 --- /dev/null +++ b/queue-4.14/ax25-improve-the-incomplete-fix-to-avoid-uaf-and-npd.patch @@ -0,0 +1,90 @@ +From f4dac994d953953338864eb18705d30dbfa2f11b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jan 2022 12:47:15 +0800 +Subject: ax25: improve the incomplete fix to avoid UAF and NPD bugs + +From: Duoming Zhou + +[ Upstream commit 4e0f718daf97d47cf7dec122da1be970f145c809 ] + +The previous commit 1ade48d0c27d ("ax25: NPD bug when detaching +AX25 device") introduce lock_sock() into ax25_kill_by_device to +prevent NPD bug. But the concurrency NPD or UAF bug will occur, +when lock_sock() or release_sock() dereferences the ax25_cb->sock. + +The NULL pointer dereference bug can be shown as below: + +ax25_kill_by_device() | ax25_release() + | ax25_destroy_socket() + | ax25_cb_del() + ... | ... + | ax25->sk=NULL; + lock_sock(s->sk); //(1) | + s->ax25_dev = NULL; | ... + release_sock(s->sk); //(2) | + ... | + +The root cause is that the sock is set to null before dereference +site (1) or (2). Therefore, this patch extracts the ax25_cb->sock +in advance, and uses ax25_list_lock to protect it, which can synchronize +with ax25_cb_del() and ensure the value of sock is not null before +dereference sites. + +The concurrency UAF bug can be shown as below: + +ax25_kill_by_device() | ax25_release() + | ax25_destroy_socket() + ... | ... + | sock_put(sk); //FREE + lock_sock(s->sk); //(1) | + s->ax25_dev = NULL; | ... + release_sock(s->sk); //(2) | + ... | + +The root cause is that the sock is released before dereference +site (1) or (2). Therefore, this patch uses sock_hold() to increase +the refcount of sock and uses ax25_list_lock to protect it, which +can synchronize with ax25_cb_del() in ax25_destroy_socket() and +ensure the sock wil not be released before dereference sites. + +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ax25/af_ax25.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 0232afd9d9c3c..36d2e1dfa1e6b 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -80,6 +80,7 @@ static void ax25_kill_by_device(struct net_device *dev) + { + ax25_dev *ax25_dev; + ax25_cb *s; ++ struct sock *sk; + + if ((ax25_dev = ax25_dev_ax25dev(dev)) == NULL) + return; +@@ -88,13 +89,15 @@ static void ax25_kill_by_device(struct net_device *dev) + again: + ax25_for_each(s, &ax25_list) { + if (s->ax25_dev == ax25_dev) { ++ sk = s->sk; ++ sock_hold(sk); + spin_unlock_bh(&ax25_list_lock); +- lock_sock(s->sk); ++ lock_sock(sk); + s->ax25_dev = NULL; +- release_sock(s->sk); ++ release_sock(sk); + ax25_disconnect(s, ENETUNREACH); + spin_lock_bh(&ax25_list_lock); +- ++ sock_put(sk); + /* The entry could have been deleted from the + * list meanwhile and thus the next pointer is + * no longer valid. Play it safe and restart +-- +2.34.1 + diff --git a/queue-4.14/net-ieee802154-at86rf230-stop-leaking-skb-s.patch b/queue-4.14/net-ieee802154-at86rf230-stop-leaking-skb-s.patch new file mode 100644 index 00000000000..2a8da8af973 --- /dev/null +++ b/queue-4.14/net-ieee802154-at86rf230-stop-leaking-skb-s.patch @@ -0,0 +1,74 @@ +From 7ea28ef9e411eb4c537050d4e085912cd8ce4e3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jan 2022 13:14:23 +0100 +Subject: net: ieee802154: at86rf230: Stop leaking skb's + +From: Miquel Raynal + +[ Upstream commit e5ce576d45bf72fd0e3dc37eff897bfcc488f6a9 ] + +Upon error the ieee802154_xmit_complete() helper is not called. Only +ieee802154_wake_queue() is called manually. In the Tx case we then leak +the skb structure. + +Free the skb structure upon error before returning when appropriate. + +As the 'is_tx = 0' cannot be moved in the complete handler because of a +possible race between the delay in switching to STATE_RX_AACK_ON and a +new interrupt, we introduce an intermediate 'was_tx' boolean just for +this purpose. + +There is no Fixes tag applying here, many changes have been made on this +area and the issue kind of always existed. + +Suggested-by: Alexander Aring +Signed-off-by: Miquel Raynal +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20220125121426.848337-4-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/at86rf230.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c +index 5c48bdb6f6787..c2667c71a0cd1 100644 +--- a/drivers/net/ieee802154/at86rf230.c ++++ b/drivers/net/ieee802154/at86rf230.c +@@ -108,6 +108,7 @@ struct at86rf230_local { + unsigned long cal_timeout; + bool is_tx; + bool is_tx_from_off; ++ bool was_tx; + u8 tx_retry; + struct sk_buff *tx_skb; + struct at86rf230_state_change tx; +@@ -351,7 +352,11 @@ at86rf230_async_error_recover_complete(void *context) + if (ctx->free) + kfree(ctx); + +- ieee802154_wake_queue(lp->hw); ++ if (lp->was_tx) { ++ lp->was_tx = 0; ++ dev_kfree_skb_any(lp->tx_skb); ++ ieee802154_wake_queue(lp->hw); ++ } + } + + static void +@@ -360,7 +365,11 @@ at86rf230_async_error_recover(void *context) + struct at86rf230_state_change *ctx = context; + struct at86rf230_local *lp = ctx->lp; + +- lp->is_tx = 0; ++ if (lp->is_tx) { ++ lp->was_tx = 1; ++ lp->is_tx = 0; ++ } ++ + at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON, + at86rf230_async_error_recover_complete); + } +-- +2.34.1 + diff --git a/queue-4.14/quota-make-dquot_quota_sync-return-errors-from-sync_.patch b/queue-4.14/quota-make-dquot_quota_sync-return-errors-from-sync_.patch new file mode 100644 index 00000000000..a7b316393dd --- /dev/null +++ b/queue-4.14/quota-make-dquot_quota_sync-return-errors-from-sync_.patch @@ -0,0 +1,47 @@ +From b1856e06b41663d72203c90ee7f20166144b8595 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Jan 2022 08:53:16 -0800 +Subject: quota: make dquot_quota_sync return errors from ->sync_fs + +From: Darrick J. Wong + +[ Upstream commit dd5532a4994bfda0386eb2286ec00758cee08444 ] + +Strangely, dquot_quota_sync ignores the return code from the ->sync_fs +call, which means that quotacalls like Q_SYNC never see the error. This +doesn't seem right, so fix that. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Jan Kara +Reviewed-by: Christoph Hellwig +Acked-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 30f5da8f4affa..7c364cda8daac 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -680,9 +680,14 @@ int dquot_quota_sync(struct super_block *sb, int type) + /* This is not very clever (and fast) but currently I don't know about + * any other simple way of getting quota data to disk and we must get + * them there for userspace to be visible... */ +- if (sb->s_op->sync_fs) +- sb->s_op->sync_fs(sb, 1); +- sync_blockdev(sb->s_bdev); ++ if (sb->s_op->sync_fs) { ++ ret = sb->s_op->sync_fs(sb, 1); ++ if (ret) ++ return ret; ++ } ++ ret = sync_blockdev(sb->s_bdev); ++ if (ret) ++ return ret; + + /* + * Now when everything is written we can discard the pagecache so +-- +2.34.1 + diff --git a/queue-4.14/revert-module-async-async_synchronize_full-on-module.patch b/queue-4.14/revert-module-async-async_synchronize_full-on-module.patch new file mode 100644 index 00000000000..2223521a4df --- /dev/null +++ b/queue-4.14/revert-module-async-async_synchronize_full-on-module.patch @@ -0,0 +1,153 @@ +From b241017496ec139c436e7d161a703f7e2e757621 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 15:39:53 -0800 +Subject: Revert "module, async: async_synchronize_full() on module init iff + async is used" + +From: Igor Pylypiv + +[ Upstream commit 67d6212afda218d564890d1674bab28e8612170f ] + +This reverts commit 774a1221e862b343388347bac9b318767336b20b. + +We need to finish all async code before the module init sequence is +done. In the reverted commit the PF_USED_ASYNC flag was added to mark a +thread that called async_schedule(). Then the PF_USED_ASYNC flag was +used to determine whether or not async_synchronize_full() needs to be +invoked. This works when modprobe thread is calling async_schedule(), +but it does not work if module dispatches init code to a worker thread +which then calls async_schedule(). + +For example, PCI driver probing is invoked from a worker thread based on +a node where device is attached: + + if (cpu < nr_cpu_ids) + error = work_on_cpu(cpu, local_pci_probe, &ddi); + else + error = local_pci_probe(&ddi); + +We end up in a situation where a worker thread gets the PF_USED_ASYNC +flag set instead of the modprobe thread. As a result, +async_synchronize_full() is not invoked and modprobe completes without +waiting for the async code to finish. + +The issue was discovered while loading the pm80xx driver: +(scsi_mod.scan=async) + +modprobe pm80xx worker +... + do_init_module() + ... + pci_call_probe() + work_on_cpu(local_pci_probe) + local_pci_probe() + pm8001_pci_probe() + scsi_scan_host() + async_schedule() + worker->flags |= PF_USED_ASYNC; + ... + < return from worker > + ... + if (current->flags & PF_USED_ASYNC) <--- false + async_synchronize_full(); + +Commit 21c3c5d28007 ("block: don't request module during elevator init") +fixed the deadlock issue which the reverted commit 774a1221e862 +("module, async: async_synchronize_full() on module init iff async is +used") tried to fix. + +Since commit 0fdff3ec6d87 ("async, kmod: warn on synchronous +request_module() from async workers") synchronous module loading from +async is not allowed. + +Given that the original deadlock issue is fixed and it is no longer +allowed to call synchronous request_module() from async we can remove +PF_USED_ASYNC flag to make module init consistently invoke +async_synchronize_full() unless async module probe is requested. + +Signed-off-by: Igor Pylypiv +Reviewed-by: Changyuan Lyu +Reviewed-by: Luis Chamberlain +Acked-by: Tejun Heo +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/sched.h | 1 - + kernel/async.c | 3 --- + kernel/module.c | 25 +++++-------------------- + 3 files changed, 5 insertions(+), 24 deletions(-) + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 914cc8b180eda..63522a384f5aa 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1346,7 +1346,6 @@ extern struct pid *cad_pid; + #define PF_MEMALLOC 0x00000800 /* Allocating memory */ + #define PF_NPROC_EXCEEDED 0x00001000 /* set_user() noticed that RLIMIT_NPROC was exceeded */ + #define PF_USED_MATH 0x00002000 /* If unset the fpu must be initialized before use */ +-#define PF_USED_ASYNC 0x00004000 /* Used async_schedule*(), used by module init */ + #define PF_NOFREEZE 0x00008000 /* This thread should not be frozen */ + #define PF_FROZEN 0x00010000 /* Frozen for system suspend */ + #define PF_KSWAPD 0x00020000 /* I am kswapd */ +diff --git a/kernel/async.c b/kernel/async.c +index a893d6170944f..4bf1b00a28d86 100644 +--- a/kernel/async.c ++++ b/kernel/async.c +@@ -191,9 +191,6 @@ static async_cookie_t __async_schedule(async_func_t func, void *data, struct asy + atomic_inc(&entry_count); + spin_unlock_irqrestore(&async_lock, flags); + +- /* mark that this task has queued an async job, used by module init */ +- current->flags |= PF_USED_ASYNC; +- + /* schedule for execution */ + queue_work(system_unbound_wq, &entry->work); + +diff --git a/kernel/module.c b/kernel/module.c +index e962096672636..8404b41be7c6f 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3499,12 +3499,6 @@ static noinline int do_init_module(struct module *mod) + } + freeinit->module_init = mod->init_layout.base; + +- /* +- * We want to find out whether @mod uses async during init. Clear +- * PF_USED_ASYNC. async_schedule*() will set it. +- */ +- current->flags &= ~PF_USED_ASYNC; +- + do_mod_ctors(mod); + /* Start the module */ + if (mod->init != NULL) +@@ -3530,22 +3524,13 @@ static noinline int do_init_module(struct module *mod) + + /* + * We need to finish all async code before the module init sequence +- * is done. This has potential to deadlock. For example, a newly +- * detected block device can trigger request_module() of the +- * default iosched from async probing task. Once userland helper +- * reaches here, async_synchronize_full() will wait on the async +- * task waiting on request_module() and deadlock. +- * +- * This deadlock is avoided by perfomring async_synchronize_full() +- * iff module init queued any async jobs. This isn't a full +- * solution as it will deadlock the same if module loading from +- * async jobs nests more than once; however, due to the various +- * constraints, this hack seems to be the best option for now. +- * Please refer to the following thread for details. ++ * is done. This has potential to deadlock if synchronous module ++ * loading is requested from async (which is not allowed!). + * +- * http://thread.gmane.org/gmane.linux.kernel/1420814 ++ * See commit 0fdff3ec6d87 ("async, kmod: warn on synchronous ++ * request_module() from async workers") for more details. + */ +- if (!mod->async_probe_requested && (current->flags & PF_USED_ASYNC)) ++ if (!mod->async_probe_requested) + async_synchronize_full(); + + mutex_lock(&module_mutex); +-- +2.34.1 + diff --git a/queue-4.14/selftests-zram-adapt-the-situation-that-dev-zram0-is.patch b/queue-4.14/selftests-zram-adapt-the-situation-that-dev-zram0-is.patch new file mode 100644 index 00000000000..d721894c312 --- /dev/null +++ b/queue-4.14/selftests-zram-adapt-the-situation-that-dev-zram0-is.patch @@ -0,0 +1,329 @@ +From d1bfe04fff75902e2e6b337b3039d34597449d40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 17:11:37 +0800 +Subject: selftests/zram: Adapt the situation that /dev/zram0 is being used + +From: Yang Xu + +[ Upstream commit 01dabed20573804750af5c7bf8d1598a6bf7bf6e ] + +If zram-generator package is installed and works, then we can not remove +zram module because zram swap is being used. This case needs a clean zram +environment, change this test by using hot_add/hot_remove interface. So +even zram device is being used, we still can add zram device and remove +them in cleanup. + +The two interface was introduced since kernel commit 6566d1a32bf7("zram: +add dynamic device add/remove functionality") in v4.2-rc1. If kernel +supports these two interface, we use hot_add/hot_remove to slove this +problem, if not, just check whether zram is being used or built in, then +skip it on old kernel. + +Signed-off-by: Yang Xu +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/zram/zram.sh | 15 +--- + tools/testing/selftests/zram/zram01.sh | 3 +- + tools/testing/selftests/zram/zram02.sh | 1 - + tools/testing/selftests/zram/zram_lib.sh | 110 +++++++++++++---------- + 4 files changed, 66 insertions(+), 63 deletions(-) + +diff --git a/tools/testing/selftests/zram/zram.sh b/tools/testing/selftests/zram/zram.sh +index 232e958ec4547..b0b91d9b0dc21 100755 +--- a/tools/testing/selftests/zram/zram.sh ++++ b/tools/testing/selftests/zram/zram.sh +@@ -2,9 +2,6 @@ + # SPDX-License-Identifier: GPL-2.0 + TCID="zram.sh" + +-# Kselftest framework requirement - SKIP code is 4. +-ksft_skip=4 +- + . ./zram_lib.sh + + run_zram () { +@@ -18,14 +15,4 @@ echo "" + + check_prereqs + +-# check zram module exists +-MODULE_PATH=/lib/modules/`uname -r`/kernel/drivers/block/zram/zram.ko +-if [ -f $MODULE_PATH ]; then +- run_zram +-elif [ -b /dev/zram0 ]; then +- run_zram +-else +- echo "$TCID : No zram.ko module or /dev/zram0 device file not found" +- echo "$TCID : CONFIG_ZRAM is not set" +- exit $ksft_skip +-fi ++run_zram +diff --git a/tools/testing/selftests/zram/zram01.sh b/tools/testing/selftests/zram/zram01.sh +index ac6e4ddd2604e..8abc9965089d1 100755 +--- a/tools/testing/selftests/zram/zram01.sh ++++ b/tools/testing/selftests/zram/zram01.sh +@@ -42,7 +42,7 @@ zram_algs="lzo" + + zram_fill_fs() + { +- for i in $(seq 0 $(($dev_num - 1))); do ++ for i in $(seq $dev_start $dev_end); do + echo "fill zram$i..." + local b=0 + while [ true ]; do +@@ -76,7 +76,6 @@ zram_mount + + zram_fill_fs + zram_cleanup +-zram_unload + + if [ $ERR_CODE -ne 0 ]; then + echo "$TCID : [FAIL]" +diff --git a/tools/testing/selftests/zram/zram02.sh b/tools/testing/selftests/zram/zram02.sh +index 74569b883737f..3768cfd2e5f83 100755 +--- a/tools/testing/selftests/zram/zram02.sh ++++ b/tools/testing/selftests/zram/zram02.sh +@@ -45,7 +45,6 @@ zram_set_memlimit + zram_makeswap + zram_swapoff + zram_cleanup +-zram_unload + + if [ $ERR_CODE -ne 0 ]; then + echo "$TCID : [FAIL]" +diff --git a/tools/testing/selftests/zram/zram_lib.sh b/tools/testing/selftests/zram/zram_lib.sh +index 2c1d1c567f854..130d193cbd727 100755 +--- a/tools/testing/selftests/zram/zram_lib.sh ++++ b/tools/testing/selftests/zram/zram_lib.sh +@@ -14,10 +14,12 @@ + # Author: Alexey Kodanev + # Modified: Naresh Kamboju + +-MODULE=0 + dev_makeswap=-1 + dev_mounted=-1 +- ++dev_start=0 ++dev_end=-1 ++module_load=-1 ++sys_control=-1 + # Kselftest framework requirement - SKIP code is 4. + ksft_skip=4 + kernel_version=`uname -r | cut -d'.' -f1,2` +@@ -55,57 +57,72 @@ zram_cleanup() + { + echo "zram cleanup" + local i= +- for i in $(seq 0 $dev_makeswap); do ++ for i in $(seq $dev_start $dev_makeswap); do + swapoff /dev/zram$i + done + +- for i in $(seq 0 $dev_mounted); do ++ for i in $(seq $dev_start $dev_mounted); do + umount /dev/zram$i + done + +- for i in $(seq 0 $(($dev_num - 1))); do ++ for i in $(seq $dev_start $dev_end); do + echo 1 > /sys/block/zram${i}/reset + rm -rf zram$i + done + +-} ++ if [ $sys_control -eq 1 ]; then ++ for i in $(seq $dev_start $dev_end); do ++ echo $i > /sys/class/zram-control/hot_remove ++ done ++ fi + +-zram_unload() +-{ +- if [ $MODULE -ne 0 ] ; then +- echo "zram rmmod zram" ++ if [ $module_load -eq 1 ]; then + rmmod zram > /dev/null 2>&1 + fi + } + + zram_load() + { +- # check zram module exists +- MODULE_PATH=/lib/modules/`uname -r`/kernel/drivers/block/zram/zram.ko +- if [ -f $MODULE_PATH ]; then +- MODULE=1 +- echo "create '$dev_num' zram device(s)" +- modprobe zram num_devices=$dev_num +- if [ $? -ne 0 ]; then +- echo "failed to insert zram module" +- exit 1 +- fi +- +- dev_num_created=$(ls /dev/zram* | wc -w) ++ echo "create '$dev_num' zram device(s)" ++ ++ # zram module loaded, new kernel ++ if [ -d "/sys/class/zram-control" ]; then ++ echo "zram modules already loaded, kernel supports" \ ++ "zram-control interface" ++ dev_start=$(ls /dev/zram* | wc -w) ++ dev_end=$(($dev_start + $dev_num - 1)) ++ sys_control=1 ++ ++ for i in $(seq $dev_start $dev_end); do ++ cat /sys/class/zram-control/hot_add > /dev/null ++ done ++ ++ echo "all zram devices (/dev/zram$dev_start~$dev_end" \ ++ "successfully created" ++ return 0 ++ fi + +- if [ "$dev_num_created" -ne "$dev_num" ]; then +- echo "unexpected num of devices: $dev_num_created" +- ERR_CODE=-1 ++ # detect old kernel or built-in ++ modprobe zram num_devices=$dev_num ++ if [ ! -d "/sys/class/zram-control" ]; then ++ if grep -q '^zram' /proc/modules; then ++ rmmod zram > /dev/null 2>&1 ++ if [ $? -ne 0 ]; then ++ echo "zram module is being used on old kernel" \ ++ "without zram-control interface" ++ exit $ksft_skip ++ fi + else +- echo "zram load module successful" ++ echo "test needs CONFIG_ZRAM=m on old kernel without" \ ++ "zram-control interface" ++ exit $ksft_skip + fi +- elif [ -b /dev/zram0 ]; then +- echo "/dev/zram0 device file found: OK" +- else +- echo "ERROR: No zram.ko module or no /dev/zram0 device found" +- echo "$TCID : CONFIG_ZRAM is not set" +- exit 1 ++ modprobe zram num_devices=$dev_num + fi ++ ++ module_load=1 ++ dev_end=$(($dev_num - 1)) ++ echo "all zram devices (/dev/zram0~$dev_end) successfully created" + } + + zram_max_streams() +@@ -119,7 +136,7 @@ zram_max_streams() + return 0 + fi + +- local i=0 ++ local i=$dev_start + for max_s in $zram_max_streams; do + local sys_path="/sys/block/zram${i}/max_comp_streams" + echo $max_s > $sys_path || \ +@@ -131,7 +148,7 @@ zram_max_streams() + echo "FAIL can't set max_streams '$max_s', get $max_stream" + + i=$(($i + 1)) +- echo "$sys_path = '$max_streams' ($i/$dev_num)" ++ echo "$sys_path = '$max_streams'" + done + + echo "zram max streams: OK" +@@ -141,15 +158,16 @@ zram_compress_alg() + { + echo "test that we can set compression algorithm" + +- local algs=$(cat /sys/block/zram0/comp_algorithm) ++ local i=$dev_start ++ local algs=$(cat /sys/block/zram${i}/comp_algorithm) + echo "supported algs: $algs" +- local i=0 ++ + for alg in $zram_algs; do + local sys_path="/sys/block/zram${i}/comp_algorithm" + echo "$alg" > $sys_path || \ + echo "FAIL can't set '$alg' to $sys_path" + i=$(($i + 1)) +- echo "$sys_path = '$alg' ($i/$dev_num)" ++ echo "$sys_path = '$alg'" + done + + echo "zram set compression algorithm: OK" +@@ -158,14 +176,14 @@ zram_compress_alg() + zram_set_disksizes() + { + echo "set disk size to zram device(s)" +- local i=0 ++ local i=$dev_start + for ds in $zram_sizes; do + local sys_path="/sys/block/zram${i}/disksize" + echo "$ds" > $sys_path || \ + echo "FAIL can't set '$ds' to $sys_path" + + i=$(($i + 1)) +- echo "$sys_path = '$ds' ($i/$dev_num)" ++ echo "$sys_path = '$ds'" + done + + echo "zram set disksizes: OK" +@@ -175,14 +193,14 @@ zram_set_memlimit() + { + echo "set memory limit to zram device(s)" + +- local i=0 ++ local i=$dev_start + for ds in $zram_mem_limits; do + local sys_path="/sys/block/zram${i}/mem_limit" + echo "$ds" > $sys_path || \ + echo "FAIL can't set '$ds' to $sys_path" + + i=$(($i + 1)) +- echo "$sys_path = '$ds' ($i/$dev_num)" ++ echo "$sys_path = '$ds'" + done + + echo "zram set memory limit: OK" +@@ -191,8 +209,8 @@ zram_set_memlimit() + zram_makeswap() + { + echo "make swap with zram device(s)" +- local i=0 +- for i in $(seq 0 $(($dev_num - 1))); do ++ local i=$dev_start ++ for i in $(seq $dev_start $dev_end); do + mkswap /dev/zram$i > err.log 2>&1 + if [ $? -ne 0 ]; then + cat err.log +@@ -215,7 +233,7 @@ zram_makeswap() + zram_swapoff() + { + local i= +- for i in $(seq 0 $dev_makeswap); do ++ for i in $(seq $dev_start $dev_end); do + swapoff /dev/zram$i > err.log 2>&1 + if [ $? -ne 0 ]; then + cat err.log +@@ -229,7 +247,7 @@ zram_swapoff() + + zram_makefs() + { +- local i=0 ++ local i=$dev_start + for fs in $zram_filesystems; do + # if requested fs not supported default it to ext2 + which mkfs.$fs > /dev/null 2>&1 || fs=ext2 +@@ -248,7 +266,7 @@ zram_makefs() + zram_mount() + { + local i=0 +- for i in $(seq 0 $(($dev_num - 1))); do ++ for i in $(seq $dev_start $dev_end); do + echo "mount /dev/zram$i" + mkdir zram$i + mount /dev/zram$i zram$i > /dev/null || \ +-- +2.34.1 + diff --git a/queue-4.14/selftests-zram-skip-max_comp_streams-interface-on-ne.patch b/queue-4.14/selftests-zram-skip-max_comp_streams-interface-on-ne.patch new file mode 100644 index 00000000000..8ff2df34b05 --- /dev/null +++ b/queue-4.14/selftests-zram-skip-max_comp_streams-interface-on-ne.patch @@ -0,0 +1,75 @@ +From 38ccd242f916daa66402366b82d925012d2adc88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 17:11:35 +0800 +Subject: selftests/zram: Skip max_comp_streams interface on newer kernel + +From: Yang Xu + +[ Upstream commit fc4eb486a59d70bd35cf1209f0e68c2d8b979193 ] + +Since commit 43209ea2d17a ("zram: remove max_comp_streams internals"), zram +has switched to per-cpu streams. Even kernel still keep this interface for +some reasons, but writing to max_comp_stream doesn't take any effect. So +skip it on newer kernel ie 4.7. + +The code that comparing kernel version is from xfstests testsuite ext4/053. + +Signed-off-by: Yang Xu +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/zram/zram_lib.sh | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/tools/testing/selftests/zram/zram_lib.sh b/tools/testing/selftests/zram/zram_lib.sh +index 9e73a4fb9b0aa..2c1d1c567f854 100755 +--- a/tools/testing/selftests/zram/zram_lib.sh ++++ b/tools/testing/selftests/zram/zram_lib.sh +@@ -20,6 +20,9 @@ dev_mounted=-1 + + # Kselftest framework requirement - SKIP code is 4. + ksft_skip=4 ++kernel_version=`uname -r | cut -d'.' -f1,2` ++kernel_major=${kernel_version%.*} ++kernel_minor=${kernel_version#*.} + + trap INT + +@@ -34,6 +37,20 @@ check_prereqs() + fi + } + ++kernel_gte() ++{ ++ major=${1%.*} ++ minor=${1#*.} ++ ++ if [ $kernel_major -gt $major ]; then ++ return 0 ++ elif [[ $kernel_major -eq $major && $kernel_minor -ge $minor ]]; then ++ return 0 ++ fi ++ ++ return 1 ++} ++ + zram_cleanup() + { + echo "zram cleanup" +@@ -95,6 +112,13 @@ zram_max_streams() + { + echo "set max_comp_streams to zram device(s)" + ++ kernel_gte 4.7 ++ if [ $? -eq 0 ]; then ++ echo "The device attribute max_comp_streams was"\ ++ "deprecated in 4.7" ++ return 0 ++ fi ++ + local i=0 + for max_s in $zram_max_streams; do + local sys_path="/sys/block/zram${i}/max_comp_streams" +-- +2.34.1 + diff --git a/queue-4.14/selftests-zram01.sh-fix-compression-ratio-calculatio.patch b/queue-4.14/selftests-zram01.sh-fix-compression-ratio-calculatio.patch new file mode 100644 index 00000000000..d5ad2bfd5ed --- /dev/null +++ b/queue-4.14/selftests-zram01.sh-fix-compression-ratio-calculatio.patch @@ -0,0 +1,84 @@ +From dc51e4d05a71c5dc8b47b82fd94c9d0085903223 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 17:11:36 +0800 +Subject: selftests/zram01.sh: Fix compression ratio calculation + +From: Yang Xu + +[ Upstream commit d18da7ec3719559d6e74937266d0416e6c7e0b31 ] + +zram01 uses `free -m` to measure zram memory usage. The results are no +sense because they are polluted by all running processes on the system. + +We Should only calculate the free memory delta for the current process. +So use the third field of /sys/block/zram/mm_stat to measure memory +usage instead. The file is available since kernel 4.1. + +orig_data_size(first): uncompressed size of data stored in this disk. +compr_data_size(second): compressed size of data stored in this disk +mem_used_total(third): the amount of memory allocated for this disk + +Also remove useless zram cleanup call in zram_fill_fs and so we don't +need to cleanup zram twice if fails. + +Signed-off-by: Yang Xu +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/zram/zram01.sh | 30 +++++++------------------- + 1 file changed, 8 insertions(+), 22 deletions(-) + +diff --git a/tools/testing/selftests/zram/zram01.sh b/tools/testing/selftests/zram/zram01.sh +index b9566a6478a9c..ac6e4ddd2604e 100755 +--- a/tools/testing/selftests/zram/zram01.sh ++++ b/tools/testing/selftests/zram/zram01.sh +@@ -42,8 +42,6 @@ zram_algs="lzo" + + zram_fill_fs() + { +- local mem_free0=$(free -m | awk 'NR==2 {print $4}') +- + for i in $(seq 0 $(($dev_num - 1))); do + echo "fill zram$i..." + local b=0 +@@ -54,29 +52,17 @@ zram_fill_fs() + b=$(($b + 1)) + done + echo "zram$i can be filled with '$b' KB" +- done + +- local mem_free1=$(free -m | awk 'NR==2 {print $4}') +- local used_mem=$(($mem_free0 - $mem_free1)) ++ local mem_used_total=`awk '{print $3}' "/sys/block/zram$i/mm_stat"` ++ local v=$((100 * 1024 * $b / $mem_used_total)) ++ if [ "$v" -lt 100 ]; then ++ echo "FAIL compression ratio: 0.$v:1" ++ ERR_CODE=-1 ++ return ++ fi + +- local total_size=0 +- for sm in $zram_sizes; do +- local s=$(echo $sm | sed 's/M//') +- total_size=$(($total_size + $s)) ++ echo "zram compression ratio: $(echo "scale=2; $v / 100 " | bc):1: OK" + done +- +- echo "zram used ${used_mem}M, zram disk sizes ${total_size}M" +- +- local v=$((100 * $total_size / $used_mem)) +- +- if [ "$v" -lt 100 ]; then +- echo "FAIL compression ratio: 0.$v:1" +- ERR_CODE=-1 +- zram_cleanup +- return +- fi +- +- echo "zram compression ratio: $(echo "scale=2; $v / 100 " | bc):1: OK" + } + + check_prereqs +-- +2.34.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 9bccfc9bb45..b86f7166766 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -4,3 +4,11 @@ serial-parisc-gsc-fix-build-when-iosapic-is-not-set.patch parisc-fix-data-tlb-miss-in-sba_unmap_sg.patch parisc-fix-sglist-access-in-ccio-dma.c.patch btrfs-send-in-case-of-io-error-log-it.patch +net-ieee802154-at86rf230-stop-leaking-skb-s.patch +selftests-zram-skip-max_comp_streams-interface-on-ne.patch +selftests-zram01.sh-fix-compression-ratio-calculatio.patch +selftests-zram-adapt-the-situation-that-dev-zram0-is.patch +ax25-improve-the-incomplete-fix-to-avoid-uaf-and-npd.patch +vfs-make-freeze_super-abort-when-sync_filesystem-ret.patch +quota-make-dquot_quota_sync-return-errors-from-sync_.patch +revert-module-async-async_synchronize_full-on-module.patch diff --git a/queue-4.14/vfs-make-freeze_super-abort-when-sync_filesystem-ret.patch b/queue-4.14/vfs-make-freeze_super-abort-when-sync_filesystem-ret.patch new file mode 100644 index 00000000000..d79c8e814c8 --- /dev/null +++ b/queue-4.14/vfs-make-freeze_super-abort-when-sync_filesystem-ret.patch @@ -0,0 +1,76 @@ +From 0eba344ae66b92e08ecbaac8b1f8b3d04c434536 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Jan 2022 08:53:16 -0800 +Subject: vfs: make freeze_super abort when sync_filesystem returns error + +From: Darrick J. Wong + +[ Upstream commit 2719c7160dcfaae1f73a1c0c210ad3281c19022e ] + +If we fail to synchronize the filesystem while preparing to freeze the +fs, abort the freeze. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Jan Kara +Reviewed-by: Christoph Hellwig +Acked-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/super.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/fs/super.c b/fs/super.c +index 1d7461bca1600..819a33e79a011 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -1380,11 +1380,9 @@ static void lockdep_sb_freeze_acquire(struct super_block *sb) + percpu_rwsem_acquire(sb->s_writers.rw_sem + level, 0, _THIS_IP_); + } + +-static void sb_freeze_unlock(struct super_block *sb) ++static void sb_freeze_unlock(struct super_block *sb, int level) + { +- int level; +- +- for (level = SB_FREEZE_LEVELS - 1; level >= 0; level--) ++ for (level--; level >= 0; level--) + percpu_up_write(sb->s_writers.rw_sem + level); + } + +@@ -1455,7 +1453,14 @@ int freeze_super(struct super_block *sb) + sb_wait_write(sb, SB_FREEZE_PAGEFAULT); + + /* All writers are done so after syncing there won't be dirty data */ +- sync_filesystem(sb); ++ ret = sync_filesystem(sb); ++ if (ret) { ++ sb->s_writers.frozen = SB_UNFROZEN; ++ sb_freeze_unlock(sb, SB_FREEZE_PAGEFAULT); ++ wake_up(&sb->s_writers.wait_unfrozen); ++ deactivate_locked_super(sb); ++ return ret; ++ } + + /* Now wait for internal filesystem counter */ + sb->s_writers.frozen = SB_FREEZE_FS; +@@ -1467,7 +1472,7 @@ int freeze_super(struct super_block *sb) + printk(KERN_ERR + "VFS:Filesystem freeze failed\n"); + sb->s_writers.frozen = SB_UNFROZEN; +- sb_freeze_unlock(sb); ++ sb_freeze_unlock(sb, SB_FREEZE_FS); + wake_up(&sb->s_writers.wait_unfrozen); + deactivate_locked_super(sb); + return ret; +@@ -1519,7 +1524,7 @@ int thaw_super(struct super_block *sb) + } + + sb->s_writers.frozen = SB_UNFROZEN; +- sb_freeze_unlock(sb); ++ sb_freeze_unlock(sb, SB_FREEZE_FS); + out: + wake_up(&sb->s_writers.wait_unfrozen); + deactivate_locked_super(sb); +-- +2.34.1 +