From: Sasha Levin Date: Fri, 24 Sep 2021 11:43:41 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.4.285~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6fe92577c578efa03b2ead160f6e81cede005b19;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch b/queue-4.14/blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch new file mode 100644 index 00000000000..312ce55472d --- /dev/null +++ b/queue-4.14/blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch @@ -0,0 +1,39 @@ +From 4a96ddd4e5dca2f95297c86b3873b5c1c13696e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:12:42 +0800 +Subject: blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() + +From: Li Jinlin + +[ Upstream commit 884f0e84f1e3195b801319c8ec3d5774e9bf2710 ] + +The pending timer has been set up in blk_throtl_init(). However, the +timer is not deleted in blk_throtl_exit(). This means that the timer +handler may still be running after freeing the timer, which would +result in a use-after-free. + +Fix by calling del_timer_sync() to delete the timer in blk_throtl_exit(). + +Signed-off-by: Li Jinlin +Link: https://lore.kernel.org/r/20210907121242.2885564-1-lijinlin3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-throttle.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/blk-throttle.c b/block/blk-throttle.c +index a8cd7b3d9647..fcbbe2e45a2b 100644 +--- a/block/blk-throttle.c ++++ b/block/blk-throttle.c +@@ -2414,6 +2414,7 @@ int blk_throtl_init(struct request_queue *q) + void blk_throtl_exit(struct request_queue *q) + { + BUG_ON(!q->td); ++ del_timer_sync(&q->td->service_queue.pending_timer); + throtl_shutdown_wq(q); + blkcg_deactivate_policy(q, &blkcg_policy_throtl); + free_percpu(q->td->latency_buckets); +-- +2.33.0 + 
diff --git a/queue-4.14/ceph-lockdep-annotations-for-try_nonblocking_invalid.patch b/queue-4.14/ceph-lockdep-annotations-for-try_nonblocking_invalid.patch new file mode 100644 index 00000000000..ab000db4145 --- /dev/null +++ b/queue-4.14/ceph-lockdep-annotations-for-try_nonblocking_invalid.patch @@ -0,0 +1,33 @@ +From 50b73602456a470eed3e567b08e1ff925ff6cec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 08:31:03 -0400 +Subject: ceph: lockdep annotations for try_nonblocking_invalidate + +From: Jeff Layton + +[ Upstream commit 3eaf5aa1cfa8c97c72f5824e2e9263d6cc977b03 ] + +Signed-off-by: Jeff Layton +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/caps.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index b077b9a6bf95..a0168d9bb85d 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1657,6 +1657,8 @@ static int __mark_caps_flushing(struct inode *inode, + * try to invalidate mapping pages without blocking. + */ + static int try_nonblocking_invalidate(struct inode *inode) ++ __releases(ci->i_ceph_lock) ++ __acquires(ci->i_ceph_lock) + { + struct ceph_inode_info *ci = ceph_inode(inode); + u32 invalidating_gen = ci->i_rdcache_gen; +-- +2.33.0 + diff --git a/queue-4.14/dmaengine-ioat-depends-on-uml.patch b/queue-4.14/dmaengine-ioat-depends-on-uml.patch new file mode 100644 index 00000000000..4f7171171fe --- /dev/null +++ b/queue-4.14/dmaengine-ioat-depends-on-uml.patch 
@@ -0,0 +1,39 @@ +From 6f8ce6685e29aa0c3ff583ba152707a992609c25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 11:24:09 +0200 +Subject: dmaengine: ioat: depends on !UML + +From: Johannes Berg + +[ Upstream commit bbac7a92a46f0876e588722ebe552ddfe6fd790f ] + +Now that UML has PCI support, this driver must depend also on +!UML since it pokes at X86_64 architecture internals that don't +exist on ARCH=um. + +Reported-by: Geert Uytterhoeven +Signed-off-by: Johannes Berg +Acked-by: Dave Jiang +Link: https://lore.kernel.org/r/20210809112409.a3a0974874d2.I2ffe3d11ed37f735da2f39884a74c953b258b995@changeid +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig +index ff69feefc1c6..5ea37d133f24 100644 +--- a/drivers/dma/Kconfig ++++ b/drivers/dma/Kconfig +@@ -262,7 +262,7 @@ config INTEL_IDMA64 + + config INTEL_IOATDMA + tristate "Intel I/OAT DMA support" +- depends on PCI && X86_64 ++ depends on PCI && X86_64 && !UML + select DMA_ENGINE + select DMA_ENGINE_RAID + select DCA +-- +2.33.0 + diff --git a/queue-4.14/dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch b/queue-4.14/dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch new file mode 100644 index 00000000000..ede3f6fbdb0 --- /dev/null +++ b/queue-4.14/dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch 
@@ -0,0 +1,50 @@ +From 3e37a2d903ccf1027b2cfc54e100331bf2886a72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 14:28:48 +0530 +Subject: dmaengine: xilinx_dma: Set DMA mask for coherent APIs + +From: Radhey Shyam Pandey + +[ Upstream commit aac6c0f90799d66b8989be1e056408f33fd99fe6 ] + +The xilinx dma driver uses the consistent allocations, so for correct +operation also set the DMA mask for coherent APIs. It fixes the below +kernel crash with dmatest client when DMA IP is configured with 64-bit +address width and linux is booted from high (>4GB) memory. + +Call trace: +[ 489.531257] dma_alloc_from_pool+0x8c/0x1c0 +[ 489.535431] dma_direct_alloc+0x284/0x330 +[ 489.539432] dma_alloc_attrs+0x80/0xf0 +[ 489.543174] dma_pool_alloc+0x160/0x2c0 +[ 489.547003] xilinx_cdma_prep_memcpy+0xa4/0x180 +[ 489.551524] dmatest_func+0x3cc/0x114c +[ 489.555266] kthread+0x124/0x130 +[ 489.558486] ret_from_fork+0x10/0x3c +[ 489.562051] ---[ end trace 248625b2d596a90a ]--- + +Signed-off-by: Radhey Shyam Pandey +Reviewed-by: Harini Katakam +Link: https://lore.kernel.org/r/1629363528-30347-1-git-send-email-radhey.shyam.pandey@xilinx.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index 21203e3a54fd..3c2084766a31 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -2585,7 +2585,7 @@ static int xilinx_dma_probe(struct platform_device *pdev) + xdev->ext_addr = false; + + /* Set the dma mask bits */ +- dma_set_mask(xdev->dev, DMA_BIT_MASK(addr_width)); ++ dma_set_mask_and_coherent(xdev->dev, DMA_BIT_MASK(addr_width)); + + /* Initialize the DMA engine */ + xdev->common.dev = &pdev->dev; +-- +2.33.0 + 
diff --git a/queue-4.14/kconfig.debug-drop-selecting-non-existing-hardlockup.patch b/queue-4.14/kconfig.debug-drop-selecting-non-existing-hardlockup.patch new file mode 100644 index 00000000000..5b82939d01c --- /dev/null +++ b/queue-4.14/kconfig.debug-drop-selecting-non-existing-hardlockup.patch @@ -0,0 +1,49 @@ +From 99a9a36c5bb38bb26745d785854348f81e2c20cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:47 -0700 +Subject: Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH + +From: Lukas Bulwahn + +[ Upstream commit 6fe26259b4884b657cbc233fb9cdade9d704976e ] + +Commit 05a4a9527931 ("kernel/watchdog: split up config options") adds a +new config HARDLOCKUP_DETECTOR, which selects the non-existing config +HARDLOCKUP_DETECTOR_ARCH. + +Hence, ./scripts/checkkconfigsymbols.py warns: + +HARDLOCKUP_DETECTOR_ARCH Referencing files: lib/Kconfig.debug + +Simply drop selecting the non-existing HARDLOCKUP_DETECTOR_ARCH. + +Link: https://lkml.kernel.org/r/20210806115618.22088-1-lukas.bulwahn@gmail.com +Fixes: 05a4a9527931 ("kernel/watchdog: split up config options") +Signed-off-by: Lukas Bulwahn +Cc: Nicholas Piggin +Cc: Masahiro Yamada +Cc: Babu Moger +Cc: Don Zickus +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/Kconfig.debug | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index e1df563cdfe7..428eaf16a1d2 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -816,7 +816,6 @@ config HARDLOCKUP_DETECTOR + depends on HAVE_HARDLOCKUP_DETECTOR_PERF || HAVE_HARDLOCKUP_DETECTOR_ARCH + select LOCKUP_DETECTOR + select HARDLOCKUP_DETECTOR_PERF if HAVE_HARDLOCKUP_DETECTOR_PERF +- select HARDLOCKUP_DETECTOR_ARCH if HAVE_HARDLOCKUP_DETECTOR_ARCH + help + Say Y here to enable the kernel to act as a watchdog to detect + hard lockups. +-- +2.33.0 + 
diff --git a/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_-name-_.patch b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_-name-_.patch new file mode 100644 index 00000000000..377d85e1374 --- /dev/null +++ b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_-name-_.patch @@ -0,0 +1,42 @@ +From 704d599be3f6c683dcd27f90b3ffede592aac6d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:15 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group + +From: Nanyong Sun + +[ Upstream commit 24f8cb1ed057c840728167dab33b32e44147c86f ] + +If kobject_init_and_add return with error, kobject_put() is needed here to +avoid memory leak, because kobject_init_and_add may return error without +freeing the memory associated with the kobject it allocated. + +Link: https://lkml.kernel.org/r/20210629022556.3985106-4-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-4-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index 027a50bc0765..eab7bd68da12 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -101,8 +101,8 @@ static int nilfs_sysfs_create_##name##_group(struct the_nilfs *nilfs) \ + err = kobject_init_and_add(kobj, &nilfs_##name##_ktype, parent, \ + #name); \ + if (err) \ +- return err; \ +- return 0; \ ++ kobject_put(kobj); \ ++ return err; \ + } \ + static void nilfs_sysfs_delete_##name##_group(struct the_nilfs *nilfs) \ + { \ +-- +2.33.0 + diff --git a/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_device_.patch b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_device_.patch new file mode 100644 index 00000000000..8d595c538b3 --- /dev/null 
+++ b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_device_.patch 
@@ -0,0 +1,97 @@ +From 41126a5b48606463cbbc683d161cff7befda24bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:09 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_create_device_group + +From: Nanyong Sun + +[ Upstream commit 5f5dec07aca7067216ed4c1342e464e7307a9197 ] + +Patch series "nilfs2: fix incorrect usage of kobject". + +This patchset from Nanyong Sun fixes memory leak issues and a NULL +pointer dereference issue caused by incorrect usage of kboject in nilfs2 +sysfs implementation. + +This patch (of 6): + +Reported by syzkaller: + + BUG: memory leak + unreferenced object 0xffff888100ca8988 (size 8): + comm "syz-executor.1", pid 1930, jiffies 4294745569 (age 18.052s) + hex dump (first 8 bytes): + 6c 6f 6f 70 31 00 ff ff loop1... + backtrace: + kstrdup+0x36/0x70 mm/util.c:60 + kstrdup_const+0x35/0x60 mm/util.c:83 + kvasprintf_const+0xf1/0x180 lib/kasprintf.c:48 + kobject_set_name_vargs+0x56/0x150 lib/kobject.c:289 + kobject_add_varg lib/kobject.c:384 [inline] + kobject_init_and_add+0xc9/0x150 lib/kobject.c:473 + nilfs_sysfs_create_device_group+0x150/0x7d0 fs/nilfs2/sysfs.c:986 + init_nilfs+0xa21/0xea0 fs/nilfs2/the_nilfs.c:637 + nilfs_fill_super fs/nilfs2/super.c:1046 [inline] + nilfs_mount+0x7b4/0xe80 fs/nilfs2/super.c:1316 + legacy_get_tree+0x105/0x210 fs/fs_context.c:592 + vfs_get_tree+0x8e/0x2d0 fs/super.c:1498 + do_new_mount fs/namespace.c:2905 [inline] + path_mount+0xf9b/0x1990 fs/namespace.c:3235 + do_mount+0xea/0x100 fs/namespace.c:3248 + __do_sys_mount fs/namespace.c:3456 [inline] + __se_sys_mount fs/namespace.c:3433 [inline] + __x64_sys_mount+0x14b/0x1f0 fs/namespace.c:3433 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +If kobject_init_and_add return with error, then the cleanup of kobject +is needed because memory may be allocated in kobject_init_and_add +without freeing. 
+ +And the place of cleanup_dev_kobject should use kobject_put to free the +memory associated with the kobject. As the section "Kobject removal" of +"Documentation/core-api/kobject.rst" says, kobject_del() just makes the +kobject "invisible", but it is not cleaned up. And no more cleanup will +do after cleanup_dev_kobject, so kobject_put is needed here. + +Link: https://lkml.kernel.org/r/1625651306-10829-1-git-send-email-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/1625651306-10829-2-git-send-email-konishi.ryusuke@gmail.com +Reported-by: Hulk Robot +Link: https://lkml.kernel.org/r/20210629022556.3985106-2-sunnanyong@huawei.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index e9903bceb2bf..a35978bf8395 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -1010,7 +1010,7 @@ int nilfs_sysfs_create_device_group(struct super_block *sb) + err = kobject_init_and_add(&nilfs->ns_dev_kobj, &nilfs_dev_ktype, NULL, + "%s", sb->s_id); + if (err) +- goto free_dev_subgroups; ++ goto cleanup_dev_kobject; + + err = nilfs_sysfs_create_mounted_snapshots_group(nilfs); + if (err) +@@ -1047,9 +1047,7 @@ delete_mounted_snapshots_group: + nilfs_sysfs_delete_mounted_snapshots_group(nilfs); + + cleanup_dev_kobject: +- kobject_del(&nilfs->ns_dev_kobj); +- +-free_dev_subgroups: ++ kobject_put(&nilfs->ns_dev_kobj); + kfree(nilfs->ns_dev_subgroups); + + failed_create_device_group: +-- +2.33.0 + diff --git a/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_snapsho.patch b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_snapsho.patch new file mode 100644 index 00000000000..58734b9282b --- /dev/null +++ b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_create_snapsho.patch 
@@ -0,0 +1,43 @@ +From 6e943503a888f769ce8bd899d34821e8dcae111b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:21 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group + +From: Nanyong Sun + +[ Upstream commit b2fe39c248f3fa4bbb2a20759b4fdd83504190f7 ] + +If kobject_init_and_add returns with error, kobject_put() is needed here +to avoid memory leak, because kobject_init_and_add may return error +without freeing the memory associated with the kobject it allocated. + +Link: https://lkml.kernel.org/r/20210629022556.3985106-6-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-6-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index 31eed118d0ce..28f5572c6aae 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -217,9 +217,9 @@ int nilfs_sysfs_create_snapshot_group(struct nilfs_root *root) + } + + if (err) +- return err; ++ kobject_put(&root->snapshot_kobj); + +- return 0; ++ return err; + } + + void nilfs_sysfs_delete_snapshot_group(struct nilfs_root *root) +-- +2.33.0 + diff --git a/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch new file mode 100644 index 00000000000..effd369bd7d --- /dev/null +++ b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch 
@@ -0,0 +1,40 @@ +From 63b0c9586e0cf6f12d9d895e783f85b75e28b3c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:18 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group + +From: Nanyong Sun + +[ Upstream commit a3e181259ddd61fd378390977a1e4e2316853afa ] + +The kobject_put() should be used to cleanup the memory associated with the +kobject instead of kobject_del. See the section "Kobject removal" of +"Documentation/core-api/kobject.rst". + +Link: https://lkml.kernel.org/r/20210629022556.3985106-5-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-5-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index eab7bd68da12..31eed118d0ce 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -106,7 +106,7 @@ static int nilfs_sysfs_create_##name##_group(struct the_nilfs *nilfs) \ + } \ + static void nilfs_sysfs_delete_##name##_group(struct the_nilfs *nilfs) \ + { \ +- kobject_del(&nilfs->ns_##parent_name##_subgroups->sg_##name##_kobj); \ ++ kobject_put(&nilfs->ns_##parent_name##_subgroups->sg_##name##_kobj); \ + } + + /************************************************************************ +-- +2.33.0 + diff --git a/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_snapsho.patch b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_snapsho.patch new file mode 100644 index 00000000000..887aa37e6c5 --- /dev/null +++ b/queue-4.14/nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_snapsho.patch 
@@ -0,0 +1,40 @@ +From 517cc26c2805a8131fc0061fd29b98f7075edfc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:23 -0700 +Subject: nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group + +From: Nanyong Sun + +[ Upstream commit 17243e1c3072b8417a5ebfc53065d0a87af7ca77 ] + +kobject_put() should be used to cleanup the memory associated with the +kobject instead of kobject_del(). See the section "Kobject removal" of +"Documentation/core-api/kobject.rst". + +Link: https://lkml.kernel.org/r/20210629022556.3985106-7-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-7-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index 28f5572c6aae..33fba75aa9f3 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -224,7 +224,7 @@ int nilfs_sysfs_create_snapshot_group(struct nilfs_root *root) + + void nilfs_sysfs_delete_snapshot_group(struct nilfs_root *root) + { +- kobject_del(&root->snapshot_kobj); ++ kobject_put(&root->snapshot_kobj); + } + + /************************************************************************ +-- +2.33.0 + diff --git a/queue-4.14/nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch b/queue-4.14/nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch new file mode 100644 index 00000000000..aad53c73a8b --- /dev/null +++ b/queue-4.14/nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch 
@@ -0,0 +1,49 @@ +From ab195c77ff82f9b3ab8bc6a8e09612f9708cb9f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:00:12 -0700 +Subject: nilfs2: fix NULL pointer in nilfs_##name##_attr_release + +From: Nanyong Sun + +[ Upstream commit dbc6e7d44a514f231a64d9d5676e001b660b6448 ] + +In nilfs_##name##_attr_release, kobj->parent should not be referenced +because it is a NULL pointer. The release() method of kobject is always +called in kobject_put(kobj), in the implementation of kobject_put(), the +kobj->parent will be assigned as NULL before call the release() method. +So just use kobj to get the subgroups, which is more efficient and can fix +a NULL pointer reference problem. + +Link: https://lkml.kernel.org/r/20210629022556.3985106-3-sunnanyong@huawei.com +Link: https://lkml.kernel.org/r/1625651306-10829-3-git-send-email-konishi.ryusuke@gmail.com +Signed-off-by: Nanyong Sun +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/nilfs2/sysfs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c +index a35978bf8395..027a50bc0765 100644 +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -73,11 +73,9 @@ static const struct sysfs_ops nilfs_##name##_attr_ops = { \ + #define NILFS_DEV_INT_GROUP_TYPE(name, parent_name) \ + static void nilfs_##name##_attr_release(struct kobject *kobj) \ + { \ +- struct nilfs_sysfs_##parent_name##_subgroups *subgroups; \ +- struct the_nilfs *nilfs = container_of(kobj->parent, \ +- struct the_nilfs, \ +- ns_##parent_name##_kobj); \ +- subgroups = nilfs->ns_##parent_name##_subgroups; \ ++ struct nilfs_sysfs_##parent_name##_subgroups *subgroups = container_of(kobj, \ ++ struct nilfs_sysfs_##parent_name##_subgroups, \ ++ sg_##name##_kobj); \ + complete(&subgroups->sg_##name##_kobj_unregister); \ + } \ + static struct kobj_type nilfs_##name##_ktype = { \ +-- +2.33.0 + 
diff --git a/queue-4.14/parisc-move-pci_dev_is_behind_card_dino-to-where-it-.patch b/queue-4.14/parisc-move-pci_dev_is_behind_card_dino-to-where-it-.patch new file mode 100644 index 00000000000..4feaa5a492e --- /dev/null +++ b/queue-4.14/parisc-move-pci_dev_is_behind_card_dino-to-where-it-.patch 
@@ -0,0 +1,64 @@ +From c5113f5f811aa8cea01816204db6866dfa9c9a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 08:30:41 -0700 +Subject: parisc: Move pci_dev_is_behind_card_dino to where it is used + +From: Guenter Roeck + +[ Upstream commit 907872baa9f1538eed02ec737b8e89eba6c6e4b9 ] + +parisc build test images fail to compile with the following error. + +drivers/parisc/dino.c:160:12: error: + 'pci_dev_is_behind_card_dino' defined but not used + +Move the function just ahead of its only caller to avoid the error. + +Fixes: 5fa1659105fa ("parisc: Disable HP HSC-PCI Cards to prevent kernel crash") +Cc: Helge Deller +Signed-off-by: Guenter Roeck +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/dino.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/parisc/dino.c b/drivers/parisc/dino.c +index 8bed46630857..c11515bdac83 100644 +--- a/drivers/parisc/dino.c ++++ b/drivers/parisc/dino.c +@@ -160,15 +160,6 @@ struct dino_device + (struct dino_device *)__pdata; }) + + +-/* Check if PCI device is behind a Card-mode Dino. */ +-static int pci_dev_is_behind_card_dino(struct pci_dev *dev) +-{ +- struct dino_device *dino_dev; +- +- dino_dev = DINO_DEV(parisc_walk_tree(dev->bus->bridge)); +- return is_card_dino(&dino_dev->hba.dev->id); +-} +- + /* + * Dino Configuration Space Accessor Functions + */ +@@ -452,6 +443,15 @@ static void quirk_cirrus_cardbus(struct pci_dev *dev) + DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_CIRRUS, PCI_DEVICE_ID_CIRRUS_6832, quirk_cirrus_cardbus ); + + #ifdef CONFIG_TULIP ++/* Check if PCI device is behind a Card-mode Dino. */ ++static int pci_dev_is_behind_card_dino(struct pci_dev *dev) ++{ ++ struct dino_device *dino_dev; ++ ++ dino_dev = DINO_DEV(parisc_walk_tree(dev->bus->bridge)); ++ return is_card_dino(&dino_dev->hba.dev->id); ++} ++ + static void pci_fixup_tulip(struct pci_dev *dev) + { + if (!pci_dev_is_behind_card_dino(dev)) +-- +2.33.0 + 
diff --git a/queue-4.14/pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch b/queue-4.14/pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch new file mode 100644 index 00000000000..4f9ffef9e71 --- /dev/null +++ b/queue-4.14/pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch 
@@ -0,0 +1,53 @@ +From aa36f93d09654aa901fb0e624781113ef6ddaa2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 18:27:52 +0200 +Subject: pwm: rockchip: Don't modify HW state in .remove() callback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 9d768cd7fd42bb0be16f36aec48548fca5260759 ] + +A consumer is expected to disable a PWM before calling pwm_put(). And if +they didn't there is hopefully a good reason (or the consumer needs +fixing). Also if disabling an enabled PWM was the right thing to do, +this should better be done in the framework instead of in each low level +driver. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-rockchip.c | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/drivers/pwm/pwm-rockchip.c b/drivers/pwm/pwm-rockchip.c +index 48bcc853d57a..cf34fb00c054 100644 +--- a/drivers/pwm/pwm-rockchip.c ++++ b/drivers/pwm/pwm-rockchip.c +@@ -392,20 +392,6 @@ static int rockchip_pwm_remove(struct platform_device *pdev) + { + struct rockchip_pwm_chip *pc = platform_get_drvdata(pdev); + +- /* +- * Disable the PWM clk before unpreparing it if the PWM device is still +- * running. This should only happen when the last PWM user left it +- * enabled, or when nobody requested a PWM that was previously enabled +- * by the bootloader. +- * +- * FIXME: Maybe the core should disable all PWM devices in +- * pwmchip_remove(). In this case we'd only have to call +- * clk_unprepare() after pwmchip_remove(). +- * +- */ +- if (pwm_is_enabled(pc->chip.pwms)) +- clk_disable(pc->clk); +- + clk_unprepare(pc->pclk); + clk_unprepare(pc->clk); + +-- +2.33.0 + diff --git a/queue-4.14/series b/queue-4.14/series index aa05976aae2..053d98e1917 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -15,3 +15,16 @@ prctl-allow-to-setup-brk-for-et_dyn-executables.patch profiling-fix-shift-out-of-bounds-bugs.patch pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch +kconfig.debug-drop-selecting-non-existing-hardlockup.patch +parisc-move-pci_dev_is_behind_card_dino-to-where-it-.patch +dmaengine-ioat-depends-on-uml.patch +dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch +ceph-lockdep-annotations-for-try_nonblocking_invalid.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_create_device_.patch +nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_create_-name-_.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_create_snapsho.patch +nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_snapsho.patch +pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch +blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch
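
Review bot: In the block/blk-throttle.c hunk carried by blk-throttle-fix-uaf-by-deleteing-timer-in-blk_throt.patch, del_timer_sync(&q->td->service_queue.pending_timer) runs before throtl_shutdown_wq(q) and blkcg_deactivate_policy(), and the changelog does not say why nothing executed by those two calls can re-arm pending_timer afterwards. If that can happen, the handler can still fire on freed memory, so either state the guarantee in the commit message or move the call after the last place the timer can be queued. The message also carries no Fixes: tag, which makes it hard to judge how far back this backport is needed.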
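
Review bot: The fs/ceph/caps.c hunk in ceph-lockdep-annotations-for-try_nonblocking_invalid.patch adds only __releases(ci->i_ceph_lock) and __acquires(ci->i_ceph_lock), which are sparse context annotations rather than lockdep ones and generate no code, yet the subject says "lockdep" and the changelog body is empty. For a stable queue entry the message should say what this fixes or which later patch depends on it; otherwise it is a candidate to drop.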
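
Review bot: The drivers/dma/Kconfig hunk in dmaengine-ioat-depends-on-uml.patch is justified by "Now that UML has PCI support", which describes the upstream tree at the time of the original commit. Before queuing this for 4.14, confirm that ARCH=um can enable PCI in this tree; if it cannot, the added "&& !UML" has no effect here and the patch is not needed.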
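
Review bot: In the xilinx_dma_probe() hunk of dmaengine-xilinx_dma-set-dma-mask-for-coherent-apis.patch, the return value of dma_set_mask_and_coherent(xdev->dev, DMA_BIT_MASK(addr_width)) is discarded, as it was for dma_set_mask(). If the call fails, probe continues with a mask that was never applied and the allocation failure shown in the changelog's call trace can still occur; check the result and fail the probe with that error.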
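
Review bot: In the nilfs_sysfs_delete_##name##_group() hunk of nilfs2-fix-memory-leak-in-nilfs_sysfs_delete_-name-_.patch, kobject_put() can now run the release callback, which (per the nilfs_##name##_attr_release() hunk in this same queue) calls complete(&subgroups->sg_##name##_kobj_unregister) on a structure recovered from the kobject with container_of(). The error path visible in the nilfs_sysfs_create_device_group() hunk goes from nilfs_sysfs_delete_mounted_snapshots_group(nilfs) to kobject_put(&nilfs->ns_dev_kobj) and then kfree(nilfs->ns_dev_subgroups), so please confirm that the release has finished, or that something waits on that completion, before the subgroups memory is freed.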
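
Review bot: In the NILFS_DEV_INT_GROUP_TYPE hunk of nilfs2-fix-null-pointer-in-nilfs_-name-_attr_release.patch, the new line "struct nilfs_sysfs_##parent_name##_subgroups *subgroups = container_of(kobj, \" runs past 80 columns once indented. Declaring subgroups on one line and assigning the container_of() result on the next keeps the macro readable without changing behaviour.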
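
Review bot: After the rockchip_pwm_remove() hunk in pwm-rockchip-don-t-modify-hw-state-in-.remove-callba.patch, clk_unprepare(pc->clk) is reached without the conditional clk_disable(pc->clk) that the deleted comment says was there for a PWM left running by its last user or by the bootloader. In that case the clock is unprepared while still enabled, which the clock framework warns about, and the changelog does not say how the enable count is balanced now. Either document that in the message or keep the disable until the core handles it; the changelog also names no bug that the change fixes, so its place in a stable queue needs a justification.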
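
Review bot: In the queue-4.14/series hunk, the six nilfs2 entries have to stay in exactly this order, because the index lines of their fs/nilfs2/sysfs.c hunks chain from one to the next (e9903bceb2bf..a35978bf8395, then a35978bf8395..027a50bc0765, and so on to 33fba75aa9f3). Dropping or reordering any one of them makes the following ones fail to apply, which deserves a line in the commit message, since "Fixes for 4.14" says nothing about the dependency.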