From: Sasha Levin Date: Sun, 23 Aug 2020 01:16:36 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.4.234~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a60fbc09e830849bc3c6cc69651e79d769b56403;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch b/queue-4.4/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch new file mode 100644 index 00000000000..6a7d03541c6 --- /dev/null +++ b/queue-4.4/btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch @@ -0,0 +1,67 @@ +From ef9641259dc3ba46460aba9a136d9c523f60b4c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 11:12:46 -0400 +Subject: btrfs: don't show full path of bind mounts in subvol= + +From: Josef Bacik + +[ Upstream commit 3ef3959b29c4a5bd65526ab310a1a18ae533172a ] + +Chris Murphy reported a problem where rpm ostree will bind mount a bunch +of things for whatever voodoo it's doing. But when it does this +/proc/mounts shows something like + + /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0 + /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo/bar 0 0 + +Despite subvolid=256 being subvol=/foo. This is because we're just +spitting out the dentry of the mount point, which in the case of bind +mounts is the source path for the mountpoint. Instead we should spit +out the path to the actual subvol. Fix this by looking up the name for +the subvolid we have mounted. With this fix the same test looks like +this + + /dev/sda /mnt/test btrfs rw,relatime,subvolid=256,subvol=/foo 0 0 + /dev/sda /mnt/test/baz btrfs rw,relatime,subvolid=256,subvol=/foo 0 0 + +Reported-by: Chris Murphy +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/super.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index 540e6f141745a..77e6ce0e1e351 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1120,6 +1120,7 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry) + struct btrfs_fs_info *info = btrfs_sb(dentry->d_sb); + struct btrfs_root *root = info->tree_root; + char *compress_type; ++ const char *subvol_name; + + if (btrfs_test_opt(root, DEGRADED)) + seq_puts(seq, ",degraded"); +@@ -1204,8 +1205,13 @@ static int btrfs_show_options(struct seq_file *seq, struct dentry *dentry) + #endif + seq_printf(seq, ",subvolid=%llu", + BTRFS_I(d_inode(dentry))->root->root_key.objectid); +- seq_puts(seq, ",subvol="); +- seq_dentry(seq, dentry, " \t\n\\"); ++ subvol_name = btrfs_get_subvol_name_from_objectid(info, ++ BTRFS_I(d_inode(dentry))->root->root_key.objectid); ++ if (!IS_ERR(subvol_name)) { ++ seq_puts(seq, ",subvol="); ++ seq_escape(seq, subvol_name, " \t\n\\"); ++ kfree(subvol_name); ++ } + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.4/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch b/queue-4.4/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch new file mode 100644 index 00000000000..39661cc582a --- /dev/null +++ b/queue-4.4/btrfs-export-helpers-for-subvolume-name-id-resolutio.patch @@ -0,0 +1,107 @@ +From 4ba2157ae5f2a0fd1795c0476e44b49bcdf15802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Feb 2020 14:56:12 +0100 +Subject: btrfs: export helpers for subvolume name/id resolution + +From: Marcos Paulo de Souza + +[ Upstream commit c0c907a47dccf2cf26251a8fb4a8e7a3bf79ce84 ] + +The functions will be used outside of export.c and super.c to allow +resolving subvolume name from a given id, eg. for subvolume deletion by +id ioctl. + +Signed-off-by: Marcos Paulo de Souza +Reviewed-by: David Sterba +[ split from the next patch ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 2 ++ + fs/btrfs/export.c | 8 ++++---- + fs/btrfs/export.h | 5 +++++ + fs/btrfs/super.c | 8 ++++---- + 4 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 0b06d4942da77..8fb9a1e0048be 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -4096,6 +4096,8 @@ ssize_t btrfs_listxattr(struct dentry *dentry, char *buffer, size_t size); + /* super.c */ + int btrfs_parse_options(struct btrfs_root *root, char *options); + int btrfs_sync_fs(struct super_block *sb, int wait); ++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, ++ u64 subvol_objectid); + + #ifdef CONFIG_PRINTK + __printf(2, 3) +diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c +index 2513a7f533342..92f80ed642194 100644 +--- a/fs/btrfs/export.c ++++ b/fs/btrfs/export.c +@@ -55,9 +55,9 @@ static int btrfs_encode_fh(struct inode *inode, u32 *fh, int *max_len, + return type; + } + +-static struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, +- u64 root_objectid, u32 generation, +- int check_generation) ++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, ++ u64 root_objectid, u32 generation, ++ int check_generation) + { + struct btrfs_fs_info *fs_info = btrfs_sb(sb); + struct btrfs_root *root; +@@ -150,7 +150,7 @@ static struct dentry *btrfs_fh_to_dentry(struct super_block *sb, struct fid *fh, + return btrfs_get_dentry(sb, objectid, root_objectid, generation, 1); + } + +-static struct dentry *btrfs_get_parent(struct dentry *child) ++struct dentry *btrfs_get_parent(struct dentry *child) + { + struct inode *dir = d_inode(child); + struct btrfs_root *root = BTRFS_I(dir)->root; +diff --git a/fs/btrfs/export.h b/fs/btrfs/export.h +index 074348a95841f..7a305e5549991 100644 +--- a/fs/btrfs/export.h ++++ b/fs/btrfs/export.h +@@ -16,4 +16,9 @@ struct btrfs_fid { + u64 parent_root_objectid; + } __attribute__ ((packed)); + ++struct dentry *btrfs_get_dentry(struct super_block *sb, u64 objectid, ++ u64 root_objectid, u32 generation, ++ int check_generation); ++struct dentry *btrfs_get_parent(struct dentry *child); ++ + #endif +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index 404051bf5cba9..540e6f141745a 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -843,8 +843,8 @@ out: + return error; + } + +-static char *get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, +- u64 subvol_objectid) ++char *btrfs_get_subvol_name_from_objectid(struct btrfs_fs_info *fs_info, ++ u64 subvol_objectid) + { + struct btrfs_root *root = fs_info->tree_root; + struct btrfs_root *fs_root; +@@ -1323,8 +1323,8 @@ static struct dentry *mount_subvol(const char *subvol_name, u64 subvol_objectid, + goto out; + } + } +- subvol_name = get_subvol_name_from_objectid(btrfs_sb(mnt->mnt_sb), +- subvol_objectid); ++ subvol_name = btrfs_get_subvol_name_from_objectid( ++ btrfs_sb(mnt->mnt_sb), subvol_objectid); + if (IS_ERR(subvol_name)) { + root = ERR_CAST(subvol_name); + subvol_name = NULL; +-- +2.25.1 + diff --git a/queue-4.4/coredump-fix-race-condition-between-collapse_huge_pa.patch b/queue-4.4/coredump-fix-race-condition-between-collapse_huge_pa.patch new file mode 100644 index 00000000000..f7aea5aee41 --- /dev/null +++ b/queue-4.4/coredump-fix-race-condition-between-collapse_huge_pa.patch @@ -0,0 +1,104 @@ +From a7c22212656caa5b294bbaccaa995fec3e54d75f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2019 15:56:11 -0700 +Subject: coredump: fix race condition between collapse_huge_page() and core + dumping + +From: Andrea Arcangeli + +[ Upstream commit 59ea6d06cfa9247b586a695c21f94afa7183af74 ] + +When fixing the race conditions between the coredump and the mmap_sem +holders outside the context of the process, we focused on +mmget_not_zero()/get_task_mm() callers in 04f5866e41fb70 ("coredump: fix +race condition between mmget_not_zero()/get_task_mm() and core +dumping"), but those aren't the only cases where the mmap_sem can be +taken outside of the context of the process as Michal Hocko noticed +while backporting that commit to older -stable kernels. + +If mmgrab() is called in the context of the process, but then the +mm_count reference is transferred outside the context of the process, +that can also be a problem if the mmap_sem has to be taken for writing +through that mm_count reference. + +khugepaged registration calls mmgrab() in the context of the process, +but the mmap_sem for writing is taken later in the context of the +khugepaged kernel thread. + +collapse_huge_page() after taking the mmap_sem for writing doesn't +modify any vma, so it's not obvious that it could cause a problem to the +coredump, but it happens to modify the pmd in a way that breaks an +invariant that pmd_trans_huge_lock() relies upon. collapse_huge_page() +needs the mmap_sem for writing just to block concurrent page faults that +call pmd_trans_huge_lock(). + +Specifically the invariant that "!pmd_trans_huge()" cannot become a +"pmd_trans_huge()" doesn't hold while collapse_huge_page() runs. + +The coredump will call __get_user_pages() without mmap_sem for reading, +which eventually can invoke a lockless page fault which will need a +functional pmd_trans_huge_lock(). + +So collapse_huge_page() needs to use mmget_still_valid() to check it's +not running concurrently with the coredump... as long as the coredump +can invoke page faults without holding the mmap_sem for reading. + +This has "Fixes: khugepaged" to facilitate backporting, but in my view +it's more a bug in the coredump code that will eventually have to be +rewritten to stop invoking page faults without the mmap_sem for reading. +So the long term plan is still to drop all mmget_still_valid(). + +Link: http://lkml.kernel.org/r/20190607161558.32104-1-aarcange@redhat.com +Fixes: ba76149f47d8 ("thp: khugepaged") +Signed-off-by: Andrea Arcangeli +Reported-by: Michal Hocko +Acked-by: Michal Hocko +Acked-by: Kirill A. Shutemov +Cc: Oleg Nesterov +Cc: Jann Horn +Cc: Hugh Dickins +Cc: Mike Rapoport +Cc: Mike Kravetz +Cc: Peter Xu +Cc: Jason Gunthorpe +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/mm.h | 4 ++++ + mm/huge_memory.c | 3 +++ + 2 files changed, 7 insertions(+) + +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 03cf5526e4456..2b17d2fca4299 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1123,6 +1123,10 @@ void unmap_vmas(struct mmu_gather *tlb, struct vm_area_struct *start_vma, + * followed by taking the mmap_sem for writing before modifying the + * vmas or anything the coredump pretends not to change from under it. + * ++ * It also has to be called when mmgrab() is used in the context of ++ * the process, but then the mm_count refcount is transferred outside ++ * the context of the process to run down_write() on that pinned mm. ++ * + * NOTE: find_extend_vma() called from GUP context is the only place + * that can modify the "mm" (notably the vm_start/end) under mmap_sem + * for reading and outside the context of the process, so it is also +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 465786cd6490e..c5628ebc0fc29 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2587,6 +2587,9 @@ static void collapse_huge_page(struct mm_struct *mm, + * handled by the anon_vma lock + PG_lock. + */ + down_write(&mm->mmap_sem); ++ result = SCAN_ANY_PROCESS; ++ if (!mmget_still_valid(mm)) ++ goto out; + if (unlikely(khugepaged_test_exit(mm))) + goto out; + +-- +2.25.1 + diff --git a/queue-4.4/drm-imx-imx-ldb-disable-both-channels-for-split-mode.patch b/queue-4.4/drm-imx-imx-ldb-disable-both-channels-for-split-mode.patch new file mode 100644 index 00000000000..3a8f6666dcf --- /dev/null +++ b/queue-4.4/drm-imx-imx-ldb-disable-both-channels-for-split-mode.patch @@ -0,0 +1,60 @@ +From 51d779d30662af4c8e8219647308fae7a26c0825 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jul 2020 10:28:52 +0800 +Subject: drm/imx: imx-ldb: Disable both channels for split mode in + enc->disable() + +From: Liu Ying + +[ Upstream commit 3b2a999582c467d1883716b37ffcc00178a13713 ] + +Both of the two LVDS channels should be disabled for split mode +in the encoder's ->disable() callback, because they are enabled +in the encoder's ->enable() callback. + +Fixes: 6556f7f82b9c ("drm: imx: Move imx-drm driver out of staging") +Cc: Philipp Zabel +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: NXP Linux Team +Cc: +Signed-off-by: Liu Ying +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/imx-ldb.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c +index 31ca56e593f58..b9dc2ef64ed88 100644 +--- a/drivers/gpu/drm/imx/imx-ldb.c ++++ b/drivers/gpu/drm/imx/imx-ldb.c +@@ -305,6 +305,7 @@ static void imx_ldb_encoder_disable(struct drm_encoder *encoder) + { + struct imx_ldb_channel *imx_ldb_ch = enc_to_imx_ldb_ch(encoder); + struct imx_ldb *ldb = imx_ldb_ch->ldb; ++ int dual = ldb->ldb_ctrl & LDB_SPLIT_MODE_EN; + int mux, ret; + + /* +@@ -321,14 +322,14 @@ static void imx_ldb_encoder_disable(struct drm_encoder *encoder) + + drm_panel_disable(imx_ldb_ch->panel); + +- if (imx_ldb_ch == &ldb->channel[0]) ++ if (imx_ldb_ch == &ldb->channel[0] || dual) + ldb->ldb_ctrl &= ~LDB_CH0_MODE_EN_MASK; +- else if (imx_ldb_ch == &ldb->channel[1]) ++ if (imx_ldb_ch == &ldb->channel[1] || dual) + ldb->ldb_ctrl &= ~LDB_CH1_MODE_EN_MASK; + + regmap_write(ldb->regmap, IOMUXC_GPR2, ldb->ldb_ctrl); + +- if (ldb->ldb_ctrl & LDB_SPLIT_MODE_EN) { ++ if (dual) { + clk_disable_unprepare(ldb->clk[0]); + clk_disable_unprepare(ldb->clk[1]); + } +-- +2.25.1 + diff --git a/queue-4.4/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch b/queue-4.4/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch new file mode 100644 index 00000000000..99aff0c3da7 --- /dev/null +++ b/queue-4.4/khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch @@ -0,0 +1,51 @@ +From 32a08d766866a36579fe27c94e12d75ab6ad8578 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 17:42:02 -0700 +Subject: khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter() + +From: Hugh Dickins + +[ Upstream commit f3f99d63a8156c7a4a6b20aac22b53c5579c7dc1 ] + +syzbot crashes on the VM_BUG_ON_MM(khugepaged_test_exit(mm), mm) in +__khugepaged_enter(): yes, when one thread is about to dump core, has set +core_state, and is waiting for others, another might do something calling +__khugepaged_enter(), which now crashes because I lumped the core_state +test (known as "mmget_still_valid") into khugepaged_test_exit(). I still +think it's best to lump them together, so just in this exceptional case, +check mm->mm_users directly instead of khugepaged_test_exit(). + +Fixes: bbe98f9cadff ("khugepaged: khugepaged_test_exit() check mmget_still_valid()") +Reported-by: syzbot +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Acked-by: Yang Shi +Cc: "Kirill A. Shutemov" +Cc: Andrea Arcangeli +Cc: Song Liu +Cc: Mike Kravetz +Cc: Eric Dumazet +Cc: [4.8+] +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008141503370.18085@eggly.anvils +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/huge_memory.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index 1c4d7d2f53d22..f38d24bb8a1bc 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2149,7 +2149,7 @@ int __khugepaged_enter(struct mm_struct *mm) + return -ENOMEM; + + /* __khugepaged_exit() must not run from under us */ +- VM_BUG_ON_MM(khugepaged_test_exit(mm), mm); ++ VM_BUG_ON_MM(atomic_read(&mm->mm_users) == 0, mm); + if (unlikely(test_and_set_bit(MMF_VM_HUGEPAGE, &mm->flags))) { + free_mm_slot(mm_slot); + return 0; +-- +2.25.1 + diff --git a/queue-4.4/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch b/queue-4.4/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch new file mode 100644 index 00000000000..e13d78672b9 --- /dev/null +++ b/queue-4.4/khugepaged-khugepaged_test_exit-check-mmget_still_va.patch @@ -0,0 +1,60 @@ +From d649ff3c89aefcfc65bd5a786f41ebabce633be6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 23:26:25 -0700 +Subject: khugepaged: khugepaged_test_exit() check mmget_still_valid() + +From: Hugh Dickins + +[ Upstream commit bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 ] + +Move collapse_huge_page()'s mmget_still_valid() check into +khugepaged_test_exit() itself. collapse_huge_page() is used for anon THP +only, and earned its mmget_still_valid() check because it inserts a huge +pmd entry in place of the page table's pmd entry; whereas +collapse_file()'s retract_page_tables() or collapse_pte_mapped_thp() +merely clears the page table's pmd entry. But core dumping without mmap +lock must have been as open to mistaking a racily cleared pmd entry for a +page table at physical page 0, as exit_mmap() was. And we certainly have +no interest in mapping as a THP once dumping core. + +Fixes: 59ea6d06cfa9 ("coredump: fix race condition between collapse_huge_page() and core dumping") +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Cc: Andrea Arcangeli +Cc: Song Liu +Cc: Mike Kravetz +Cc: Kirill A. Shutemov +Cc: [4.8+] +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021217020.27773@eggly.anvils +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/huge_memory.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index c5628ebc0fc29..1c4d7d2f53d22 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2136,7 +2136,7 @@ static void insert_to_mm_slots_hash(struct mm_struct *mm, + + static inline int khugepaged_test_exit(struct mm_struct *mm) + { +- return atomic_read(&mm->mm_users) == 0; ++ return atomic_read(&mm->mm_users) == 0 || !mmget_still_valid(mm); + } + + int __khugepaged_enter(struct mm_struct *mm) +@@ -2587,9 +2587,6 @@ static void collapse_huge_page(struct mm_struct *mm, + * handled by the anon_vma lock + PG_lock. + */ + down_write(&mm->mmap_sem); +- result = SCAN_ANY_PROCESS; +- if (!mmget_still_valid(mm)) +- goto out; + if (unlikely(khugepaged_test_exit(mm))) + goto out; + +-- +2.25.1 + diff --git a/queue-4.4/net-compat-add-missing-sock-updates-for-scm_rights.patch b/queue-4.4/net-compat-add-missing-sock-updates-for-scm_rights.patch new file mode 100644 index 00000000000..c46d340c3d0 --- /dev/null +++ b/queue-4.4/net-compat-add-missing-sock-updates-for-scm_rights.patch @@ -0,0 +1,97 @@ +From ec866e01d6ee93d97f7447e5f3bf6f5653023b41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2020 16:11:29 -0700 +Subject: net/compat: Add missing sock updates for SCM_RIGHTS + +From: Kees Cook + +[ Upstream commit d9539752d23283db4692384a634034f451261e29 ] + +Add missed sock updates to compat path via a new helper, which will be +used more in coming patches. (The net/core/scm.c code is left as-is here +to assist with -stable backports for the compat path.) + +Cc: Christoph Hellwig +Cc: Sargun Dhillon +Cc: Jakub Kicinski +Cc: stable@vger.kernel.org +Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set correctly") +Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set correctly") +Acked-by: Christian Brauner +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 4 ++++ + net/compat.c | 1 + + net/core/sock.c | 21 +++++++++++++++++++++ + 3 files changed, 26 insertions(+) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 426a57874964c..31198b32d9122 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -779,6 +779,8 @@ static inline int sk_memalloc_socks(void) + { + return static_key_false(&memalloc_socks); + } ++ ++void __receive_sock(struct file *file); + #else + + static inline int sk_memalloc_socks(void) +@@ -786,6 +788,8 @@ static inline int sk_memalloc_socks(void) + return 0; + } + ++static inline void __receive_sock(struct file *file) ++{ } + #endif + + static inline gfp_t sk_gfp_atomic(const struct sock *sk, gfp_t gfp_mask) +diff --git a/net/compat.c b/net/compat.c +index d676840104556..20c5e5f215f23 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -284,6 +284,7 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) + break; + } + /* Bump the usage count and install the file. */ ++ __receive_sock(fp[i]); + fd_install(new_fd, get_file(fp[i])); + } + +diff --git a/net/core/sock.c b/net/core/sock.c +index 120d5058d81ae..82f9a7dbea6fe 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2275,6 +2275,27 @@ int sock_no_mmap(struct file *file, struct socket *sock, struct vm_area_struct * + } + EXPORT_SYMBOL(sock_no_mmap); + ++/* ++ * When a file is received (via SCM_RIGHTS, etc), we must bump the ++ * various sock-based usage counts. ++ */ ++void __receive_sock(struct file *file) ++{ ++ struct socket *sock; ++ int error; ++ ++ /* ++ * The resulting value of "error" is ignored here since we only ++ * need to take action when the file is a socket and testing ++ * "sock" for NULL is sufficient. ++ */ ++ sock = sock_from_file(file, &error); ++ if (sock) { ++ sock_update_netprioidx(sock->sk); ++ sock_update_classid(sock->sk); ++ } ++} ++ + ssize_t sock_no_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags) + { + ssize_t res; +-- +2.25.1 + diff --git a/queue-4.4/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch b/queue-4.4/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch new file mode 100644 index 00000000000..f0e0dd7e37b --- /dev/null +++ b/queue-4.4/perf-probe-fix-memory-leakage-when-the-probe-point-i.patch @@ -0,0 +1,52 @@ +From ea1dced71b18b50bd2e1e172629676e93e81bcfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 22:11:23 +0900 +Subject: perf probe: Fix memory leakage when the probe point is not found + +From: Masami Hiramatsu + +[ Upstream commit 12d572e785b15bc764e956caaa8a4c846fd15694 ] + +Fix the memory leakage in debuginfo__find_trace_events() when the probe +point is not found in the debuginfo. If there is no probe point found in +the debuginfo, debuginfo__find_probes() will NOT return -ENOENT, but 0. + +Thus the caller of debuginfo__find_probes() must check the tf.ntevs and +release the allocated memory for the array of struct probe_trace_event. + +The current code releases the memory only if the debuginfo__find_probes() +hits an error but not checks tf.ntevs. In the result, the memory allocated +on *tevs are not released if tf.ntevs == 0. + +This fixes the memory leakage by checking tf.ntevs == 0 in addition to +ret < 0. + +Fixes: ff741783506c ("perf probe: Introduce debuginfo to encapsulate dwarf information") +Signed-off-by: Masami Hiramatsu +Reviewed-by: Srikar Dronamraju +Cc: Andi Kleen +Cc: Oleg Nesterov +Cc: stable@vger.kernel.org +Link: http://lore.kernel.org/lkml/159438668346.62703.10887420400718492503.stgit@devnote2 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-finder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c +index c694f10d004cc..1b73537af91db 100644 +--- a/tools/perf/util/probe-finder.c ++++ b/tools/perf/util/probe-finder.c +@@ -1274,7 +1274,7 @@ int debuginfo__find_trace_events(struct debuginfo *dbg, + tf.ntevs = 0; + + ret = debuginfo__find_probes(dbg, &tf.pf); +- if (ret < 0) { ++ if (ret < 0 || tf.ntevs == 0) { + for (i = 0; i < tf.ntevs; i++) + clear_probe_trace_event(&tf.tevs[i]); + zfree(tevs); +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..79cf9f1e121 --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,10 @@ +drm-imx-imx-ldb-disable-both-channels-for-split-mode.patch +perf-probe-fix-memory-leakage-when-the-probe-point-i.patch +net-compat-add-missing-sock-updates-for-scm_rights.patch +watchdog-f71808e_wdt-indicate-wdiof_cardreset-suppor.patch +watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_in.patch +coredump-fix-race-condition-between-collapse_huge_pa.patch +khugepaged-khugepaged_test_exit-check-mmget_still_va.patch +khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch +btrfs-export-helpers-for-subvolume-name-id-resolutio.patch +btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch diff --git a/queue-4.4/watchdog-f71808e_wdt-indicate-wdiof_cardreset-suppor.patch b/queue-4.4/watchdog-f71808e_wdt-indicate-wdiof_cardreset-suppor.patch new file mode 100644 index 00000000000..7490a6e63fe --- /dev/null +++ b/queue-4.4/watchdog-f71808e_wdt-indicate-wdiof_cardreset-suppor.patch @@ -0,0 +1,43 @@ +From dcdf668e362bd34df345421df7508a5d3889672b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jun 2020 21:17:43 +0200 +Subject: watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in + watchdog_info.options + +From: Ahmad Fatoum + +[ Upstream commit e871e93fb08a619dfc015974a05768ed6880fd82 ] + +The driver supports populating bootstatus with WDIOF_CARDRESET, but so +far userspace couldn't portably determine whether absence of this flag +meant no watchdog reset or no driver support. Or-in the bit to fix this. + +Fixes: b97cb21a4634 ("watchdog: f71808e_wdt: Fix WDTMOUT_STS register read") +Cc: stable@vger.kernel.org +Signed-off-by: Ahmad Fatoum +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200611191750.28096-3-a.fatoum@pengutronix.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/f71808e_wdt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c +index 2048aad91add8..3577e356e08cc 100644 +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -644,7 +644,8 @@ static int __init watchdog_init(int sioaddr) + watchdog.sioaddr = sioaddr; + watchdog.ident.options = WDIOC_SETTIMEOUT + | WDIOF_MAGICCLOSE +- | WDIOF_KEEPALIVEPING; ++ | WDIOF_KEEPALIVEPING ++ | WDIOF_CARDRESET; + + snprintf(watchdog.ident.identity, + sizeof(watchdog.ident.identity), "%s watchdog", +-- +2.25.1 + diff --git a/queue-4.4/watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_in.patch b/queue-4.4/watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_in.patch new file mode 100644 index 00000000000..5e244fb6610 --- /dev/null +++ b/queue-4.4/watchdog-f71808e_wdt-remove-use-of-wrong-watchdog_in.patch @@ -0,0 +1,52 @@ +From d71c0ea12240d1add774b652aca223bc27e643aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jun 2020 21:17:44 +0200 +Subject: watchdog: f71808e_wdt: remove use of wrong watchdog_info option + +From: Ahmad Fatoum + +[ Upstream commit 802141462d844f2e6a4d63a12260d79b7afc4c34 ] + +The flags that should be or-ed into the watchdog_info.options by drivers +all start with WDIOF_, e.g. WDIOF_SETTIMEOUT, which indicates that the +driver's watchdog_ops has a usable set_timeout. + +WDIOC_SETTIMEOUT was used instead, which expands to 0xc0045706, which +equals: + + WDIOF_FANFAULT | WDIOF_EXTERN1 | WDIOF_PRETIMEOUT | WDIOF_ALARMONLY | + WDIOF_MAGICCLOSE | 0xc0045000 + +These were so far indicated to userspace on WDIOC_GETSUPPORT. +As the driver has not yet been migrated to the new watchdog kernel API, +the constant can just be dropped without substitute. + +Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG") +Cc: stable@vger.kernel.org +Signed-off-by: Ahmad Fatoum +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20200611191750.28096-4-a.fatoum@pengutronix.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/f71808e_wdt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c +index 3577e356e08cc..2b12ef019ae02 100644 +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -642,8 +642,7 @@ static int __init watchdog_init(int sioaddr) + * into the module have been registered yet. + */ + watchdog.sioaddr = sioaddr; +- watchdog.ident.options = WDIOC_SETTIMEOUT +- | WDIOF_MAGICCLOSE ++ watchdog.ident.options = WDIOF_MAGICCLOSE + | WDIOF_KEEPALIVEPING + | WDIOF_CARDRESET; + +-- +2.25.1 +