From: Greg Kroah-Hartman Date: Sun, 9 May 2021 10:13:39 +0000 (+0200) Subject: 5.12-stable patches X-Git-Tag: v5.4.118~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=853abd646846fe636635f797505378f434618f39;p=thirdparty%2Fkernel%2Fstable-queue.git 5.12-stable patches added patches: f2fs-fix-error-handling-in-f2fs_end_enable_verity.patch f2fs-fix-to-avoid-out-of-bounds-memory-access.patch fs-fix-reporting-supported-extra-file-attributes-for-statx.patch kcsan-debugfs-move-debugfs-file-creation-out-of-early-init.patch makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch riscv-kprobe-fix-kernel-panic-when-invoking-sys_read-traced-by-kprobe.patch ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch virtiofs-fix-memory-leak-in-virtio_fs_probe.patch --- diff --git a/queue-5.12/f2fs-fix-error-handling-in-f2fs_end_enable_verity.patch b/queue-5.12/f2fs-fix-error-handling-in-f2fs_end_enable_verity.patch new file mode 100644 index 00000000000..fb2263c090a --- /dev/null +++ b/queue-5.12/f2fs-fix-error-handling-in-f2fs_end_enable_verity.patch @@ -0,0 +1,135 @@ +From 3c0315424f5e3d2a4113c7272367bee1e8e6a174 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 4 Mar 2021 21:43:10 -0800 +Subject: f2fs: fix error handling in f2fs_end_enable_verity() + +From: Eric Biggers + +commit 3c0315424f5e3d2a4113c7272367bee1e8e6a174 upstream. + +f2fs didn't properly clean up if verity failed to be enabled on a file: + +- It left verity metadata (pages past EOF) in the page cache, which + would be exposed to userspace if the file was later extended. + +- It didn't truncate the verity metadata at all (either from cache or + from disk) if an error occurred while setting the verity bit. + +Fix these bugs by adding a call to truncate_inode_pages() and ensuring +that we truncate the verity metadata (both from cache and from disk) in +all error paths. Also rework the code to cleanly separate the success +path from the error paths, which makes it much easier to understand. + +Finally, log a message if f2fs_truncate() fails, since it might +otherwise fail silently. + +Reported-by: Yunlei He +Fixes: 95ae251fe828 ("f2fs: add fs-verity support") +Cc: # v5.4+ +Signed-off-by: Eric Biggers +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/verity.c | 79 ++++++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 56 insertions(+), 23 deletions(-) + +--- a/fs/f2fs/verity.c ++++ b/fs/f2fs/verity.c +@@ -152,40 +152,73 @@ static int f2fs_end_enable_verity(struct + size_t desc_size, u64 merkle_tree_size) + { + struct inode *inode = file_inode(filp); ++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + u64 desc_pos = f2fs_verity_metadata_pos(inode) + merkle_tree_size; + struct fsverity_descriptor_location dloc = { + .version = cpu_to_le32(F2FS_VERIFY_VER), + .size = cpu_to_le32(desc_size), + .pos = cpu_to_le64(desc_pos), + }; +- int err = 0; ++ int err = 0, err2 = 0; + +- if (desc != NULL) { +- /* Succeeded; write the verity descriptor. */ +- err = pagecache_write(inode, desc, desc_size, desc_pos); +- +- /* Write all pages before clearing FI_VERITY_IN_PROGRESS. */ +- if (!err) +- err = filemap_write_and_wait(inode->i_mapping); +- } +- +- /* If we failed, truncate anything we wrote past i_size. */ +- if (desc == NULL || err) +- f2fs_truncate(inode); ++ /* ++ * If an error already occurred (which fs/verity/ signals by passing ++ * desc == NULL), then only clean-up is needed. ++ */ ++ if (desc == NULL) ++ goto cleanup; ++ ++ /* Append the verity descriptor. */ ++ err = pagecache_write(inode, desc, desc_size, desc_pos); ++ if (err) ++ goto cleanup; ++ ++ /* ++ * Write all pages (both data and verity metadata). Note that this must ++ * happen before clearing FI_VERITY_IN_PROGRESS; otherwise pages beyond ++ * i_size won't be written properly. For crash consistency, this also ++ * must happen before the verity inode flag gets persisted. ++ */ ++ err = filemap_write_and_wait(inode->i_mapping); ++ if (err) ++ goto cleanup; ++ ++ /* Set the verity xattr. */ ++ err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY, ++ F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc), ++ NULL, XATTR_CREATE); ++ if (err) ++ goto cleanup; ++ ++ /* Finally, set the verity inode flag. */ ++ file_set_verity(inode); ++ f2fs_set_inode_flags(inode); ++ f2fs_mark_inode_dirty_sync(inode, true); + + clear_inode_flag(inode, FI_VERITY_IN_PROGRESS); ++ return 0; + +- if (desc != NULL && !err) { +- err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY, +- F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc), +- NULL, XATTR_CREATE); +- if (!err) { +- file_set_verity(inode); +- f2fs_set_inode_flags(inode); +- f2fs_mark_inode_dirty_sync(inode, true); +- } ++cleanup: ++ /* ++ * Verity failed to be enabled, so clean up by truncating any verity ++ * metadata that was written beyond i_size (both from cache and from ++ * disk) and clearing FI_VERITY_IN_PROGRESS. ++ * ++ * Taking i_gc_rwsem[WRITE] is needed to stop f2fs garbage collection ++ * from re-instantiating cached pages we are truncating (since unlike ++ * normal file accesses, garbage collection isn't limited by i_size). ++ */ ++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); ++ truncate_inode_pages(inode->i_mapping, inode->i_size); ++ err2 = f2fs_truncate(inode); ++ if (err2) { ++ f2fs_err(sbi, "Truncating verity metadata failed (errno=%d)", ++ err2); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); + } +- return err; ++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); ++ clear_inode_flag(inode, FI_VERITY_IN_PROGRESS); ++ return err ?: err2; + } + + static int f2fs_get_verity_descriptor(struct inode *inode, void *buf, diff --git a/queue-5.12/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch b/queue-5.12/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch new file mode 100644 index 00000000000..9c9d8933bf3 --- /dev/null +++ b/queue-5.12/f2fs-fix-to-avoid-out-of-bounds-memory-access.patch @@ -0,0 +1,58 @@ +From b862676e371715456c9dade7990c8004996d0d9e Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 22 Mar 2021 19:47:30 +0800 +Subject: f2fs: fix to avoid out-of-bounds memory access + +From: Chao Yu + +commit b862676e371715456c9dade7990c8004996d0d9e upstream. + +butt3rflyh4ck reported a bug found by +syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]: + + dump_stack+0xfa/0x151 lib/dump_stack.c:120 + print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232 + __kasan_report mm/kasan/report.c:399 [inline] + kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 + f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline] + current_nat_addr fs/f2fs/node.h:213 [inline] + get_next_nat_page fs/f2fs/node.c:123 [inline] + __flush_nat_entry_set fs/f2fs/node.c:2888 [inline] + f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991 + f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640 + f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807 + f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454 + __sync_filesystem fs/sync.c:39 [inline] + sync_filesystem fs/sync.c:67 [inline] + sync_filesystem+0x1b5/0x260 fs/sync.c:48 + generic_shutdown_super+0x70/0x370 fs/super.c:448 + kill_block_super+0x97/0xf0 fs/super.c:1394 + +The root cause is, if nat entry in checkpoint journal area is corrupted, +e.g. nid of journalled nat entry exceeds max nid value, during checkpoint, +once it tries to flush nat journal to NAT area, get_next_nat_page() may +access out-of-bounds memory on nat_bitmap due to it uses wrong nid value +as bitmap offset. + +[1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u + +Reported-and-tested-by: butt3rflyh4ck +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -2785,6 +2785,9 @@ static void remove_nats_in_journal(struc + struct f2fs_nat_entry raw_ne; + nid_t nid = le32_to_cpu(nid_in_journal(journal, i)); + ++ if (f2fs_check_nid_range(sbi, nid)) ++ continue; ++ + raw_ne = nat_in_journal(journal, i); + + ne = __lookup_nat_cache(nm_i, nid); diff --git a/queue-5.12/fs-fix-reporting-supported-extra-file-attributes-for-statx.patch b/queue-5.12/fs-fix-reporting-supported-extra-file-attributes-for-statx.patch new file mode 100644 index 00000000000..ab8f373bc05 --- /dev/null +++ b/queue-5.12/fs-fix-reporting-supported-extra-file-attributes-for-statx.patch @@ -0,0 +1,51 @@ +From 5afa7e8b70d65819245fece61a65fd753b4aae33 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 17 Apr 2021 23:03:50 -0400 +Subject: fs: fix reporting supported extra file attributes for statx() + +From: Theodore Ts'o + +commit 5afa7e8b70d65819245fece61a65fd753b4aae33 upstream. + +statx(2) notes that any attribute that is not indicated as supported +by stx_attributes_mask has no usable value. Commits 801e523796004 +("fs: move generic stat response attr handling to vfs_getattr_nosec") +and 712b2698e4c02 ("fs/stat: Define DAX statx attribute") sets +STATX_ATTR_AUTOMOUNT and STATX_ATTR_DAX, respectively, without setting +stx_attributes_mask, which can cause xfstests generic/532 to fail. + +Fix this in the same way as commit 1b9598c8fb99 ("xfs: fix reporting +supported extra file attributes for statx()") + +Fixes: 801e523796004 ("fs: move generic stat response attr handling to vfs_getattr_nosec") +Fixes: 712b2698e4c02 ("fs/stat: Define DAX statx attribute") +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/stat.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -86,12 +86,20 @@ int vfs_getattr_nosec(const struct path + /* SB_NOATIME means filesystem supplies dummy atime value */ + if (inode->i_sb->s_flags & SB_NOATIME) + stat->result_mask &= ~STATX_ATIME; ++ ++ /* ++ * Note: If you add another clause to set an attribute flag, please ++ * update attributes_mask below. ++ */ + if (IS_AUTOMOUNT(inode)) + stat->attributes |= STATX_ATTR_AUTOMOUNT; + + if (IS_DAX(inode)) + stat->attributes |= STATX_ATTR_DAX; + ++ stat->attributes_mask |= (STATX_ATTR_AUTOMOUNT | ++ STATX_ATTR_DAX); ++ + mnt_userns = mnt_user_ns(path->mnt); + if (inode->i_op->getattr) + return inode->i_op->getattr(mnt_userns, path, stat, diff --git a/queue-5.12/kcsan-debugfs-move-debugfs-file-creation-out-of-early-init.patch b/queue-5.12/kcsan-debugfs-move-debugfs-file-creation-out-of-early-init.patch new file mode 100644 index 00000000000..a431f7fe7da --- /dev/null +++ b/queue-5.12/kcsan-debugfs-move-debugfs-file-creation-out-of-early-init.patch @@ -0,0 +1,69 @@ +From e36299efe7d749976fbdaaf756dee6ef32543c2c Mon Sep 17 00:00:00 2001 +From: Marco Elver +Date: Wed, 3 Mar 2021 10:38:45 +0100 +Subject: kcsan, debugfs: Move debugfs file creation out of early init + +From: Marco Elver + +commit e36299efe7d749976fbdaaf756dee6ef32543c2c upstream. + +Commit 56348560d495 ("debugfs: do not attempt to create a new file +before the filesystem is initalized") forbids creating new debugfs files +until debugfs is fully initialized. This means that KCSAN's debugfs +file creation, which happened at the end of __init(), no longer works. +And was apparently never supposed to work! + +However, there is no reason to create KCSAN's debugfs file so early. +This commit therefore moves its creation to a late_initcall() callback. + +Cc: "Rafael J. Wysocki" +Cc: stable +Fixes: 56348560d495 ("debugfs: do not attempt to create a new file before the filesystem is initalized") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Marco Elver +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kcsan/core.c | 2 -- + kernel/kcsan/debugfs.c | 4 +++- + kernel/kcsan/kcsan.h | 5 ----- + 3 files changed, 3 insertions(+), 8 deletions(-) + +--- a/kernel/kcsan/core.c ++++ b/kernel/kcsan/core.c +@@ -639,8 +639,6 @@ void __init kcsan_init(void) + + BUG_ON(!in_task()); + +- kcsan_debugfs_init(); +- + for_each_possible_cpu(cpu) + per_cpu(kcsan_rand_state, cpu) = (u32)get_cycles(); + +--- a/kernel/kcsan/debugfs.c ++++ b/kernel/kcsan/debugfs.c +@@ -261,7 +261,9 @@ static const struct file_operations debu + .release = single_release + }; + +-void __init kcsan_debugfs_init(void) ++static void __init kcsan_debugfs_init(void) + { + debugfs_create_file("kcsan", 0644, NULL, NULL, &debugfs_ops); + } ++ ++late_initcall(kcsan_debugfs_init); +--- a/kernel/kcsan/kcsan.h ++++ b/kernel/kcsan/kcsan.h +@@ -31,11 +31,6 @@ void kcsan_save_irqtrace(struct task_str + void kcsan_restore_irqtrace(struct task_struct *task); + + /* +- * Initialize debugfs file. +- */ +-void kcsan_debugfs_init(void); +- +-/* + * Statistics counters displayed via debugfs; should only be modified in + * slow-paths. + */ diff --git a/queue-5.12/makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch b/queue-5.12/makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch new file mode 100644 index 00000000000..27d5f916802 --- /dev/null +++ b/queue-5.12/makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch @@ -0,0 +1,49 @@ +From 885480b084696331bea61a4f7eba10652999a9c1 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 28 Apr 2021 18:23:50 -0700 +Subject: Makefile: Move -Wno-unused-but-set-variable out of GCC only block + +From: Nathan Chancellor + +commit 885480b084696331bea61a4f7eba10652999a9c1 upstream. + +Currently, -Wunused-but-set-variable is only supported by GCC so it is +disabled unconditionally in a GCC only block (it is enabled with W=1). +clang currently has its implementation for this warning in review so +preemptively move this statement out of the GCC only block and wrap it +with cc-disable-warning so that both compilers function the same. + +Cc: stable@vger.kernel.org +Link: https://reviews.llvm.org/D100581 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Tested-by: Nick Desaulniers +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman +--- + Makefile | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -775,16 +775,16 @@ KBUILD_CFLAGS += -Wno-gnu + KBUILD_CFLAGS += -mno-global-merge + else + +-# These warnings generated too much noise in a regular build. +-# Use make W=1 to enable them (see scripts/Makefile.extrawarn) +-KBUILD_CFLAGS += -Wno-unused-but-set-variable +- + # Warn about unmarked fall-throughs in switch statement. + # Disabled for clang while comment to attribute conversion happens and + # https://github.com/ClangBuiltLinux/linux/issues/636 is discussed. + KBUILD_CFLAGS += $(call cc-option,-Wimplicit-fallthrough,) + endif + ++# These warnings generated too much noise in a regular build. ++# Use make W=1 to enable them (see scripts/Makefile.extrawarn) ++KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable) ++ + KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable) + ifdef CONFIG_FRAME_POINTER + KBUILD_CFLAGS += -fno-omit-frame-pointer -fno-optimize-sibling-calls diff --git a/queue-5.12/riscv-kprobe-fix-kernel-panic-when-invoking-sys_read-traced-by-kprobe.patch b/queue-5.12/riscv-kprobe-fix-kernel-panic-when-invoking-sys_read-traced-by-kprobe.patch new file mode 100644 index 00000000000..b3c152d27ca --- /dev/null +++ b/queue-5.12/riscv-kprobe-fix-kernel-panic-when-invoking-sys_read-traced-by-kprobe.patch @@ -0,0 +1,113 @@ +From b1ebaa0e1318494a7637099a26add50509e37964 Mon Sep 17 00:00:00 2001 +From: Liao Chang +Date: Tue, 30 Mar 2021 16:18:48 +0800 +Subject: riscv/kprobe: fix kernel panic when invoking sys_read traced by kprobe + +From: Liao Chang + +commit b1ebaa0e1318494a7637099a26add50509e37964 upstream. + +The execution of sys_read end up hitting a BUG_ON() in __find_get_block +after installing kprobe at sys_read, the BUG message like the following: + +[ 65.708663] ------------[ cut here ]------------ +[ 65.709987] kernel BUG at fs/buffer.c:1251! +[ 65.711283] Kernel BUG [#1] +[ 65.712032] Modules linked in: +[ 65.712925] CPU: 0 PID: 51 Comm: sh Not tainted 5.12.0-rc4 #1 +[ 65.714407] Hardware name: riscv-virtio,qemu (DT) +[ 65.715696] epc : __find_get_block+0x218/0x2c8 +[ 65.716835] ra : __getblk_gfp+0x1c/0x4a +[ 65.717831] epc : ffffffe00019f11e ra : ffffffe00019f56a sp : ffffffe002437930 +[ 65.719553] gp : ffffffe000f06030 tp : ffffffe0015abc00 t0 : ffffffe00191e038 +[ 65.721290] t1 : ffffffe00191e038 t2 : 000000000000000a s0 : ffffffe002437960 +[ 65.723051] s1 : ffffffe00160ad00 a0 : ffffffe00160ad00 a1 : 000000000000012a +[ 65.724772] a2 : 0000000000000400 a3 : 0000000000000008 a4 : 0000000000000040 +[ 65.726545] a5 : 0000000000000000 a6 : ffffffe00191e000 a7 : 0000000000000000 +[ 65.728308] s2 : 000000000000012a s3 : 0000000000000400 s4 : 0000000000000008 +[ 65.730049] s5 : 000000000000006c s6 : ffffffe00240f800 s7 : ffffffe000f080a8 +[ 65.731802] s8 : 0000000000000001 s9 : 000000000000012a s10: 0000000000000008 +[ 65.733516] s11: 0000000000000008 t3 : 00000000000003ff t4 : 000000000000000f +[ 65.734434] t5 : 00000000000003ff t6 : 0000000000040000 +[ 65.734613] status: 0000000000000100 badaddr: 0000000000000000 cause: 0000000000000003 +[ 65.734901] Call Trace: +[ 65.735076] [] __find_get_block+0x218/0x2c8 +[ 65.735417] [] __ext4_get_inode_loc+0xb2/0x2f6 +[ 65.735618] [] ext4_get_inode_loc+0x3a/0x8a +[ 65.735802] [] ext4_reserve_inode_write+0x2e/0x8c +[ 65.735999] [] __ext4_mark_inode_dirty+0x4c/0x18e +[ 65.736208] [] ext4_dirty_inode+0x46/0x66 +[ 65.736387] [] __mark_inode_dirty+0x12c/0x3da +[ 65.736576] [] touch_atime+0x146/0x150 +[ 65.736748] [] filemap_read+0x234/0x246 +[ 65.736920] [] generic_file_read_iter+0xc0/0x114 +[ 65.737114] [] ext4_file_read_iter+0x42/0xea +[ 65.737310] [] new_sync_read+0xe2/0x15a +[ 65.737483] [] vfs_read+0xca/0xf2 +[ 65.737641] [] ksys_read+0x5e/0xc8 +[ 65.737816] [] sys_read+0xe/0x16 +[ 65.737973] [] ret_from_syscall+0x0/0x2 +[ 65.738858] ---[ end trace fe93f985456c935d ]--- + +A simple reproducer looks like: + echo 'p:myprobe sys_read fd=%a0 buf=%a1 count=%a2' > /sys/kernel/debug/tracing/kprobe_events + echo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable + cat /sys/kernel/debug/tracing/trace + +Here's what happens to hit that BUG_ON(): + +1) After installing kprobe at entry of sys_read, the first instruction + is replaced by 'ebreak' instruction on riscv64 platform. + +2) Once kernel reach the 'ebreak' instruction at the entry of sys_read, + it trap into the riscv breakpoint handler, where it do something to + setup for coming single-step of origin instruction, including backup + the 'sstatus' in pt_regs, followed by disable interrupt during single + stepping via clear 'SIE' bit of 'sstatus' in pt_regs. + +3) Then kernel restore to the instruction slot contains two instructions, + one is original instruction at entry of sys_read, the other is 'ebreak'. + Here it trigger a 'Instruction page fault' exception (value at 'scause' + is '0xc'), if PF is not filled into PageTabe for that slot yet. + +4) Again kernel trap into page fault exception handler, where it choose + different policy according to the state of running kprobe. Because + afte 2) the state is KPROBE_HIT_SS, so kernel reset the current kprobe + and 'pc' points back to the probe address. + +5) Because 'epc' point back to 'ebreak' instrution at sys_read probe, + kernel trap into breakpoint handler again, and repeat the operations + at 2), however 'sstatus' without 'SIE' is keep at 4), it cause the + real 'sstatus' saved at 2) is overwritten by the one withou 'SIE'. + +6) When kernel cross the probe the 'sstatus' CSR restore with value + without 'SIE', and reach __find_get_block where it requires the + interrupt must be enabled. + +Fix this is very trivial, just restore the value of 'sstatus' in pt_regs +with backup one at 2) when the instruction being single stepped cause a +page fault. + +Fixes: c22b0bcb1dd02 ("riscv: Add kprobes supported") +Signed-off-by: Liao Chang +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/probes/kprobes.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/riscv/kernel/probes/kprobes.c ++++ b/arch/riscv/kernel/probes/kprobes.c +@@ -260,8 +260,10 @@ int __kprobes kprobe_fault_handler(struc + + if (kcb->kprobe_status == KPROBE_REENTER) + restore_previous_kprobe(kcb); +- else ++ else { ++ kprobes_restore_local_irqflag(kcb, regs); + reset_current_kprobe(); ++ } + + break; + case KPROBE_HIT_ACTIVE: diff --git a/queue-5.12/series b/queue-5.12/series index 92345596a1e..0a6ae2eab1a 100644 --- a/queue-5.12/series +++ b/queue-5.12/series @@ -285,3 +285,11 @@ tools-power-turbostat-fix-turbostat-for-amd-zen-cpus.patch btrfs-fix-race-when-picking-most-recent-mod-log-oper.patch btrfs-fix-a-potential-hole-punching-failure.patch arm64-vdso-discard-.note.gnu.property-sections-in-vd.patch +makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch +riscv-kprobe-fix-kernel-panic-when-invoking-sys_read-traced-by-kprobe.patch +fs-fix-reporting-supported-extra-file-attributes-for-statx.patch +virtiofs-fix-memory-leak-in-virtio_fs_probe.patch +kcsan-debugfs-move-debugfs-file-creation-out-of-early-init.patch +ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch +f2fs-fix-error-handling-in-f2fs_end_enable_verity.patch +f2fs-fix-to-avoid-out-of-bounds-memory-access.patch diff --git a/queue-5.12/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch b/queue-5.12/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch new file mode 100644 index 00000000000..077998d7a76 --- /dev/null +++ b/queue-5.12/ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch @@ -0,0 +1,46 @@ +From 3e903315790baf4a966436e7f32e9c97864570ac Mon Sep 17 00:00:00 2001 +From: Guochun Mao +Date: Tue, 16 Mar 2021 16:52:14 +0800 +Subject: ubifs: Only check replay with inode type to judge if inode linked + +From: Guochun Mao + +commit 3e903315790baf4a966436e7f32e9c97864570ac upstream. + +Conside the following case, it just write a big file into flash, +when complete writing, delete the file, and then power off promptly. +Next time power on, we'll get a replay list like: +... +LEB 1105:211344 len 4144 deletion 0 sqnum 428783 key type 1 inode 80 +LEB 15:233544 len 160 deletion 1 sqnum 428785 key type 0 inode 80 +LEB 1105:215488 len 4144 deletion 0 sqnum 428787 key type 1 inode 80 +... +In the replay list, data nodes' deletion are 0, and the inode node's +deletion is 1. In current logic, the file's dentry will be removed, +but inode and the flash space it occupied will be reserved. +User will see that much free space been disappeared. + +We only need to check the deletion value of the following inode type +node of the replay entry. + +Fixes: e58725d51fa8 ("ubifs: Handle re-linking of inodes correctly while recovery") +Cc: stable@vger.kernel.org +Signed-off-by: Guochun Mao +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman +--- + fs/ubifs/replay.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ubifs/replay.c ++++ b/fs/ubifs/replay.c +@@ -223,7 +223,8 @@ static bool inode_still_linked(struct ub + */ + list_for_each_entry_reverse(r, &c->replay_list, list) { + ubifs_assert(c, r->sqnum >= rino->sqnum); +- if (key_inum(c, &r->key) == key_inum(c, &rino->key)) ++ if (key_inum(c, &r->key) == key_inum(c, &rino->key) && ++ key_type(c, &r->key) == UBIFS_INO_KEY) + return r->deletion == 0; + + } diff --git a/queue-5.12/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch b/queue-5.12/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch new file mode 100644 index 00000000000..f3b059ebb61 --- /dev/null +++ b/queue-5.12/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch @@ -0,0 +1,59 @@ +From c79c5e0178922a9e092ec8fed026750f39dcaef4 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Wed, 17 Mar 2021 08:44:43 +0000 +Subject: virtiofs: fix memory leak in virtio_fs_probe() + +From: Luis Henriques + +commit c79c5e0178922a9e092ec8fed026750f39dcaef4 upstream. + +When accidentally passing twice the same tag to qemu, kmemleak ended up +reporting a memory leak in virtiofs. Also, looking at the log I saw the +following error (that's when I realised the duplicated tag): + + virtiofs: probe of virtio5 failed with error -17 + +Here's the kmemleak log for reference: + +unreferenced object 0xffff888103d47800 (size 1024): + comm "systemd-udevd", pid 118, jiffies 4294893780 (age 18.340s) + hex dump (first 32 bytes): + 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... + ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................ + backtrace: + [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs] + [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210 + [<000000004d6baf3c>] really_probe+0xea/0x430 + [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0 + [<00000000196f47a7>] __driver_attach+0x98/0x140 + [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0 + [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0 + [<0000000032b09ba7>] driver_register+0x8f/0xe0 + [<00000000cdd55998>] 0xffffffffa002c013 + [<000000000ea196a2>] do_one_initcall+0x64/0x2e0 + [<0000000008f727ce>] do_init_module+0x5c/0x260 + [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120 + [<00000000ad2f48c6>] do_syscall_64+0x33/0x40 + [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Cc: stable@vger.kernel.org +Signed-off-by: Luis Henriques +Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem") +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Vivek Goyal +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/virtio_fs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/fuse/virtio_fs.c ++++ b/fs/fuse/virtio_fs.c +@@ -896,6 +896,7 @@ static int virtio_fs_probe(struct virtio + out_vqs: + vdev->config->reset(vdev); + virtio_fs_cleanup_vqs(vdev, fs); ++ kfree(fs->vqs); + + out: + vdev->priv = NULL;