From: Greg Kroah-Hartman Date: Mon, 13 Sep 2021 09:45:33 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v5.4.146~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad9680fcfffb2afcee2c1365a64103633fc31fab;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: auxdisplay-hd44780-fix-oops-on-module-unloading.patch bio-fix-page-leak-bio_add_hw_page-failure.patch cifs-do-not-leak-edeadlk-to-dgetents64-for-status_user_session_deleted.patch io_uring-fail-links-of-cancelled-timeouts.patch io_uring-io_uring_complete-trace-should-take-an-integer.patch io_uring-ioring_op_write-needs-hash_reg_file-set.patch io_uring-limit-fixed-table-size-by-rlimit_nofile.patch io_uring-reexpand-under-reexpanded-iters.patch raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch smb3-fix-posix-extensions-mount-option.patch time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch --- diff --git a/queue-5.14/auxdisplay-hd44780-fix-oops-on-module-unloading.patch b/queue-5.14/auxdisplay-hd44780-fix-oops-on-module-unloading.patch new file mode 100644 index 00000000000..274151725ba --- /dev/null +++ b/queue-5.14/auxdisplay-hd44780-fix-oops-on-module-unloading.patch @@ -0,0 +1,34 @@ +From 333ff32d54cdefc2e479892e7f15ac91e026b57d Mon Sep 17 00:00:00 2001 +From: Lars Poeschel +Date: Wed, 14 Jul 2021 13:02:28 +0200 +Subject: auxdisplay: hd44780: Fix oops on module unloading + +From: Lars Poeschel + +commit 333ff32d54cdefc2e479892e7f15ac91e026b57d upstream. + +Fixes: 718e05ed92ec ("auxdisplay: Introduce hd44780_common.[ch]") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/lkml/CAHp75VfKyqy+vM0XkP9Yb+znGOTVT4zYCRY3A3nQ7C3WNUVN0g@mail.gmail.com/ +Reported-By: Andy Shevchenko +Signed-off-by: Lars Poeschel +Tested-by: Andy Shevchenko +[added Link, Fixes, Cc stable tags, edited message] +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + drivers/auxdisplay/hd44780.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/auxdisplay/hd44780.c ++++ b/drivers/auxdisplay/hd44780.c +@@ -323,8 +323,8 @@ static int hd44780_remove(struct platfor + { + struct charlcd *lcd = platform_get_drvdata(pdev); + +- kfree(lcd->drvdata); + charlcd_unregister(lcd); ++ kfree(lcd->drvdata); + + kfree(lcd); + return 0; diff --git a/queue-5.14/bio-fix-page-leak-bio_add_hw_page-failure.patch b/queue-5.14/bio-fix-page-leak-bio_add_hw_page-failure.patch new file mode 100644 index 00000000000..172cf1178d9 --- /dev/null +++ b/queue-5.14/bio-fix-page-leak-bio_add_hw_page-failure.patch @@ -0,0 +1,62 @@ +From d9cf3bd531844ffbfe94b16e417037a16efc988d Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Mon, 19 Jul 2021 11:53:00 +0100 +Subject: bio: fix page leak bio_add_hw_page failure + +From: Pavel Begunkov + +commit d9cf3bd531844ffbfe94b16e417037a16efc988d upstream. + +__bio_iov_append_get_pages() doesn't put not appended pages on +bio_add_hw_page() failure, so potentially leaking them, fix it. Also, do +the same for __bio_iov_iter_get_pages(), even though it looks like it +can't be triggered by userspace in this case. + +Fixes: 0512a75b98f8 ("block: Introduce REQ_OP_ZONE_APPEND") +Cc: stable@vger.kernel.org # 5.8+ +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/1edfa6a2ffd66d55e6345a477df5387d2c1415d0.1626653825.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/bio.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -979,6 +979,14 @@ static int bio_iov_bvec_set_append(struc + return 0; + } + ++static void bio_put_pages(struct page **pages, size_t size, size_t off) ++{ ++ size_t i, nr = DIV_ROUND_UP(size + (off & ~PAGE_MASK), PAGE_SIZE); ++ ++ for (i = 0; i < nr; i++) ++ put_page(pages[i]); ++} ++ + #define PAGE_PTRS_PER_BVEC (sizeof(struct bio_vec) / sizeof(struct page *)) + + /** +@@ -1023,8 +1031,10 @@ static int __bio_iov_iter_get_pages(stru + if (same_page) + put_page(page); + } else { +- if (WARN_ON_ONCE(bio_full(bio, len))) +- return -EINVAL; ++ if (WARN_ON_ONCE(bio_full(bio, len))) { ++ bio_put_pages(pages + i, left, offset); ++ return -EINVAL; ++ } + __bio_add_page(bio, page, len, offset); + } + offset = 0; +@@ -1069,6 +1079,7 @@ static int __bio_iov_append_get_pages(st + len = min_t(size_t, PAGE_SIZE - offset, left); + if (bio_add_hw_page(q, bio, page, len, offset, + max_append_sectors, &same_page) != len) { ++ bio_put_pages(pages + i, left, offset); + ret = -EINVAL; + break; + } diff --git a/queue-5.14/cifs-do-not-leak-edeadlk-to-dgetents64-for-status_user_session_deleted.patch b/queue-5.14/cifs-do-not-leak-edeadlk-to-dgetents64-for-status_user_session_deleted.patch new file mode 100644 index 00000000000..f045ef34b44 --- /dev/null +++ b/queue-5.14/cifs-do-not-leak-edeadlk-to-dgetents64-for-status_user_session_deleted.patch @@ -0,0 +1,66 @@ +From 3998f0b8bc49ec784990971dc1f16bf367b19078 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Wed, 25 Aug 2021 21:16:56 +1000 +Subject: cifs: Do not leak EDEADLK to dgetents64 for STATUS_USER_SESSION_DELETED + +From: Ronnie Sahlberg + +commit 3998f0b8bc49ec784990971dc1f16bf367b19078 upstream. + +RHBZ: 1994393 + +If we hit a STATUS_USER_SESSION_DELETED for the Create part in the +Create/QueryDirectory compound that starts a directory scan +we will leak EDEADLK back to userspace and surprise glibc and the application. + +Pick this up initiate_cifs_search() and retry a small number of tries before we +return an error to userspace. + +Cc: stable@vger.kernel.org +Reported-by: Xiaoli Feng +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/readdir.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/fs/cifs/readdir.c ++++ b/fs/cifs/readdir.c +@@ -369,7 +369,7 @@ int get_symlink_reparse_path(char *full_ + */ + + static int +-initiate_cifs_search(const unsigned int xid, struct file *file, ++_initiate_cifs_search(const unsigned int xid, struct file *file, + const char *full_path) + { + __u16 search_flags; +@@ -451,6 +451,27 @@ error_exit: + return rc; + } + ++static int ++initiate_cifs_search(const unsigned int xid, struct file *file, ++ const char *full_path) ++{ ++ int rc, retry_count = 0; ++ ++ do { ++ rc = _initiate_cifs_search(xid, file, full_path); ++ /* ++ * If we don't have enough credits to start reading the ++ * directory just try again after short wait. ++ */ ++ if (rc != -EDEADLK) ++ break; ++ ++ usleep_range(512, 2048); ++ } while (retry_count++ < 5); ++ ++ return rc; ++} ++ + /* return length of unicode string in bytes */ + static int cifs_unicode_bytelen(const char *str) + { diff --git a/queue-5.14/io_uring-fail-links-of-cancelled-timeouts.patch b/queue-5.14/io_uring-fail-links-of-cancelled-timeouts.patch new file mode 100644 index 00000000000..968fb360a38 --- /dev/null +++ b/queue-5.14/io_uring-fail-links-of-cancelled-timeouts.patch @@ -0,0 +1,33 @@ +From 2ae2eb9dde18979b40629dd413b9adbd6c894cdf Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Thu, 9 Sep 2021 13:56:27 +0100 +Subject: io_uring: fail links of cancelled timeouts + +From: Pavel Begunkov + +commit 2ae2eb9dde18979b40629dd413b9adbd6c894cdf upstream. + +When we cancel a timeout we should mark it with REQ_F_FAIL, so +linked requests are cancelled as well, but not queued for further +execution. + +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/fff625b44eeced3a5cae79f60e6acf3fbdf8f990.1631192135.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1329,6 +1329,8 @@ static void io_kill_timeout(struct io_ki + struct io_timeout_data *io = req->async_data; + + if (hrtimer_try_to_cancel(&io->timer) != -1) { ++ if (status) ++ req_set_fail(req); + atomic_set(&req->ctx->cq_timeouts, + atomic_read(&req->ctx->cq_timeouts) + 1); + list_del_init(&req->timeout.list); diff --git a/queue-5.14/io_uring-io_uring_complete-trace-should-take-an-integer.patch b/queue-5.14/io_uring-io_uring_complete-trace-should-take-an-integer.patch new file mode 100644 index 00000000000..896cfd53bc6 --- /dev/null +++ b/queue-5.14/io_uring-io_uring_complete-trace-should-take-an-integer.patch @@ -0,0 +1,56 @@ +From 2fc2a7a62eb58650e71b4550cf6fa6cc0a75b2d2 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Fri, 3 Sep 2021 16:55:26 -0600 +Subject: io_uring: io_uring_complete() trace should take an integer + +From: Jens Axboe + +commit 2fc2a7a62eb58650e71b4550cf6fa6cc0a75b2d2 upstream. + +It currently takes a long, and while that's normally OK, the io_uring +limit is an int. Internally in io_uring it's an int, but sometimes it's +passed as a long. That can yield confusing results where a completions +seems to generate a huge result: + +ou-sqp-1297-1298 [001] ...1 788.056371: io_uring_complete: ring 000000000e98e046, user_data 0x0, result 4294967171, cflags 0 + +which is due to -ECANCELED being stored in an unsigned, and then passed +in as a long. Using the right int type, the trace looks correct: + +iou-sqp-338-339 [002] ...1 15.633098: io_uring_complete: ring 00000000e0ac60cf, user_data 0x0, result -125, cflags 0 + +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/io_uring.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/trace/events/io_uring.h ++++ b/include/trace/events/io_uring.h +@@ -295,14 +295,14 @@ TRACE_EVENT(io_uring_fail_link, + */ + TRACE_EVENT(io_uring_complete, + +- TP_PROTO(void *ctx, u64 user_data, long res, unsigned cflags), ++ TP_PROTO(void *ctx, u64 user_data, int res, unsigned cflags), + + TP_ARGS(ctx, user_data, res, cflags), + + TP_STRUCT__entry ( + __field( void *, ctx ) + __field( u64, user_data ) +- __field( long, res ) ++ __field( int, res ) + __field( unsigned, cflags ) + ), + +@@ -313,7 +313,7 @@ TRACE_EVENT(io_uring_complete, + __entry->cflags = cflags; + ), + +- TP_printk("ring %p, user_data 0x%llx, result %ld, cflags %x", ++ TP_printk("ring %p, user_data 0x%llx, result %d, cflags %x", + __entry->ctx, (unsigned long long)__entry->user_data, + __entry->res, __entry->cflags) + ); diff --git a/queue-5.14/io_uring-ioring_op_write-needs-hash_reg_file-set.patch b/queue-5.14/io_uring-ioring_op_write-needs-hash_reg_file-set.patch new file mode 100644 index 00000000000..920f4b69718 --- /dev/null +++ b/queue-5.14/io_uring-ioring_op_write-needs-hash_reg_file-set.patch @@ -0,0 +1,35 @@ +From 7b3188e7ed54102a5dcc73d07727f41fb528f7c8 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 30 Aug 2021 19:37:41 -0600 +Subject: io_uring: IORING_OP_WRITE needs hash_reg_file set + +From: Jens Axboe + +commit 7b3188e7ed54102a5dcc73d07727f41fb528f7c8 upstream. + +During some testing, it became evident that using IORING_OP_WRITE doesn't +hash buffered writes like the other writes commands do. That's simply +an oversight, and can cause performance regressions when doing buffered +writes with this command. + +Correct that and add the flag, so that buffered writes are correctly +hashed when using the non-iovec based write command. + +Cc: stable@vger.kernel.org +Fixes: 3a6820f2bb8a ("io_uring: add non-vectored read/write commands") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1001,6 +1001,7 @@ static const struct io_op_def io_op_defs + }, + [IORING_OP_WRITE] = { + .needs_file = 1, ++ .hash_reg_file = 1, + .unbound_nonreg_file = 1, + .pollout = 1, + .plug = 1, diff --git a/queue-5.14/io_uring-limit-fixed-table-size-by-rlimit_nofile.patch b/queue-5.14/io_uring-limit-fixed-table-size-by-rlimit_nofile.patch new file mode 100644 index 00000000000..1cc4f0759c5 --- /dev/null +++ b/queue-5.14/io_uring-limit-fixed-table-size-by-rlimit_nofile.patch @@ -0,0 +1,33 @@ +From 3a1b8a4e843f96b636431450d8d79061605cf74b Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Fri, 20 Aug 2021 10:36:35 +0100 +Subject: io_uring: limit fixed table size by RLIMIT_NOFILE + +From: Pavel Begunkov + +commit 3a1b8a4e843f96b636431450d8d79061605cf74b upstream. + +Limit the number of files in io_uring fixed tables by RLIMIT_NOFILE, +that's the first and the simpliest restriction that we should impose. + +Cc: stable@vger.kernel.org +Suggested-by: Jens Axboe +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/b2756c340aed7d6c0b302c26dab50c6c5907f4ce.1629451684.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -7722,6 +7722,8 @@ static int io_sqe_files_register(struct + return -EINVAL; + if (nr_args > IORING_MAX_FIXED_FILES) + return -EMFILE; ++ if (nr_args > rlimit(RLIMIT_NOFILE)) ++ return -EMFILE; + ret = io_rsrc_node_switch_start(ctx); + if (ret) + return ret; diff --git a/queue-5.14/io_uring-reexpand-under-reexpanded-iters.patch b/queue-5.14/io_uring-reexpand-under-reexpanded-iters.patch new file mode 100644 index 00000000000..f80bf9a9a26 --- /dev/null +++ b/queue-5.14/io_uring-reexpand-under-reexpanded-iters.patch @@ -0,0 +1,70 @@ +From 89c2b3b74918200e46699338d7bcc19b1ea12110 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Mon, 23 Aug 2021 11:18:45 +0100 +Subject: io_uring: reexpand under-reexpanded iters + +From: Pavel Begunkov + +commit 89c2b3b74918200e46699338d7bcc19b1ea12110 upstream. + +[ 74.211232] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x809/0x900 +[ 74.212778] Read of size 8 at addr ffff888025dc78b8 by task +syz-executor.0/828 +[ 74.214756] CPU: 0 PID: 828 Comm: syz-executor.0 Not tainted +5.14.0-rc3-next-20210730 #1 +[ 74.216525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 +[ 74.219033] Call Trace: +[ 74.219683] dump_stack_lvl+0x8b/0xb3 +[ 74.220706] print_address_description.constprop.0+0x1f/0x140 +[ 74.224226] kasan_report.cold+0x7f/0x11b +[ 74.226085] iov_iter_revert+0x809/0x900 +[ 74.227960] io_write+0x57d/0xe40 +[ 74.232647] io_issue_sqe+0x4da/0x6a80 +[ 74.242578] __io_queue_sqe+0x1ac/0xe60 +[ 74.245358] io_submit_sqes+0x3f6e/0x76a0 +[ 74.248207] __do_sys_io_uring_enter+0x90c/0x1a20 +[ 74.257167] do_syscall_64+0x3b/0x90 +[ 74.257984] entry_SYSCALL_64_after_hwframe+0x44/0xae + +old_size = iov_iter_count(); +... +iov_iter_revert(old_size - iov_iter_count()); + +If iov_iter_revert() is done base on the initial size as above, and the +iter is truncated and not reexpanded in the middle, it miscalculates +borders causing problems. This trace is due to no one reexpanding after +generic_write_checks(). + +Now iters store how many bytes has been truncated, so reexpand them to +the initial state right before reverting. + +Cc: stable@vger.kernel.org +Reported-by: Palash Oswal +Reported-by: Sudip Mukherjee +Reported-and-tested-by: syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com +Signed-off-by: Pavel Begunkov +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -3324,6 +3324,7 @@ static int io_read(struct io_kiocb *req, + if (req->flags & REQ_F_NOWAIT) + goto done; + /* some cases will consume bytes even on error returns */ ++ iov_iter_reexpand(iter, iter->count + iter->truncated); + iov_iter_revert(iter, io_size - iov_iter_count(iter)); + ret = 0; + } else if (ret == -EIOCBQUEUED) { +@@ -3463,6 +3464,7 @@ done: + } else { + copy_iov: + /* some cases will consume bytes even on error returns */ ++ iov_iter_reexpand(iter, iter->count + iter->truncated); + iov_iter_revert(iter, io_size - iov_iter_count(iter)); + ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false); + return ret ?: -EAGAIN; diff --git a/queue-5.14/raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch b/queue-5.14/raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch new file mode 100644 index 00000000000..83dfc32eb96 --- /dev/null +++ b/queue-5.14/raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch @@ -0,0 +1,90 @@ +From 6607cd319b6b91bff94e90f798a61c031650b514 Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Tue, 24 Aug 2021 09:16:54 +0800 +Subject: raid1: ensure write behind bio has less than BIO_MAX_VECS sectors + +From: Guoqing Jiang + +commit 6607cd319b6b91bff94e90f798a61c031650b514 upstream. + +We can't split write behind bio with more than BIO_MAX_VECS sectors, +otherwise the below call trace was triggered because we could allocate +oversized write behind bio later. + +[ 8.097936] bvec_alloc+0x90/0xc0 +[ 8.098934] bio_alloc_bioset+0x1b3/0x260 +[ 8.099959] raid1_make_request+0x9ce/0xc50 [raid1] +[ 8.100988] ? __bio_clone_fast+0xa8/0xe0 +[ 8.102008] md_handle_request+0x158/0x1d0 [md_mod] +[ 8.103050] md_submit_bio+0xcd/0x110 [md_mod] +[ 8.104084] submit_bio_noacct+0x139/0x530 +[ 8.105127] submit_bio+0x78/0x1d0 +[ 8.106163] ext4_io_submit+0x48/0x60 [ext4] +[ 8.107242] ext4_writepages+0x652/0x1170 [ext4] +[ 8.108300] ? do_writepages+0x41/0x100 +[ 8.109338] ? __ext4_mark_inode_dirty+0x240/0x240 [ext4] +[ 8.110406] do_writepages+0x41/0x100 +[ 8.111450] __filemap_fdatawrite_range+0xc5/0x100 +[ 8.112513] file_write_and_wait_range+0x61/0xb0 +[ 8.113564] ext4_sync_file+0x73/0x370 [ext4] +[ 8.114607] __x64_sys_fsync+0x33/0x60 +[ 8.115635] do_syscall_64+0x33/0x40 +[ 8.116670] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Thanks for the comment from Christoph. + +[1]. https://bugs.archlinux.org/task/70992 + +Cc: stable@vger.kernel.org # v5.12+ +Reported-by: Jens Stutte +Tested-by: Jens Stutte +Reviewed-by: Christoph Hellwig +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid1.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1329,6 +1329,7 @@ static void raid1_write_request(struct m + struct raid1_plug_cb *plug = NULL; + int first_clone; + int max_sectors; ++ bool write_behind = false; + + if (mddev_is_clustered(mddev) && + md_cluster_ops->area_resyncing(mddev, WRITE, +@@ -1381,6 +1382,15 @@ static void raid1_write_request(struct m + max_sectors = r1_bio->sectors; + for (i = 0; i < disks; i++) { + struct md_rdev *rdev = rcu_dereference(conf->mirrors[i].rdev); ++ ++ /* ++ * The write-behind io is only attempted on drives marked as ++ * write-mostly, which means we could allocate write behind ++ * bio later. ++ */ ++ if (rdev && test_bit(WriteMostly, &rdev->flags)) ++ write_behind = true; ++ + if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) { + atomic_inc(&rdev->nr_pending); + blocked_rdev = rdev; +@@ -1454,6 +1464,15 @@ static void raid1_write_request(struct m + goto retry_write; + } + ++ /* ++ * When using a bitmap, we may call alloc_behind_master_bio below. ++ * alloc_behind_master_bio allocates a copy of the data payload a page ++ * at a time and thus needs a new bio that can fit the whole payload ++ * this bio in page sized chunks. ++ */ ++ if (write_behind && bitmap) ++ max_sectors = min_t(int, max_sectors, ++ BIO_MAX_VECS * (PAGE_SIZE >> 9)); + if (max_sectors < bio_sectors(bio)) { + struct bio *split = bio_split(bio, max_sectors, + GFP_NOIO, &conf->bio_split); diff --git a/queue-5.14/series b/queue-5.14/series index 5f36c057fcb..72731c0857e 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -295,3 +295,15 @@ ipv4-fix-endianness-issue-in-inet_rtm_getroute_build.patch asoc-rt5682-remove-unused-variable-in-rt5682_i2c_remove.patch iwlwifi-add-support-for-ax201-in-samsung-galaxy-book-flex2-alpha.patch f2fs-guarantee-to-write-dirty-data-when-enabling-checkpoint-back.patch +time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch +auxdisplay-hd44780-fix-oops-on-module-unloading.patch +io_uring-limit-fixed-table-size-by-rlimit_nofile.patch +io_uring-ioring_op_write-needs-hash_reg_file-set.patch +io_uring-io_uring_complete-trace-should-take-an-integer.patch +io_uring-reexpand-under-reexpanded-iters.patch +io_uring-fail-links-of-cancelled-timeouts.patch +bio-fix-page-leak-bio_add_hw_page-failure.patch +raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch +cifs-do-not-leak-edeadlk-to-dgetents64-for-status_user_session_deleted.patch +smb3-fix-posix-extensions-mount-option.patch +tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch diff --git a/queue-5.14/smb3-fix-posix-extensions-mount-option.patch b/queue-5.14/smb3-fix-posix-extensions-mount-option.patch new file mode 100644 index 00000000000..397152c8534 --- /dev/null +++ b/queue-5.14/smb3-fix-posix-extensions-mount-option.patch @@ -0,0 +1,44 @@ +From 7321be2663da5922343cc121f1ff04924cee2e76 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 23 Aug 2021 13:52:12 -0500 +Subject: smb3: fix posix extensions mount option + +From: Steve French + +commit 7321be2663da5922343cc121f1ff04924cee2e76 upstream. + +We were incorrectly initializing the posix extensions in the +conversion to the new mount API. + +CC: # 5.11+ +Reported-by: Christian Brauner +Acked-by: Christian Brauner +Suggested-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/fs_context.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/cifs/fs_context.c ++++ b/fs/cifs/fs_context.c +@@ -1266,10 +1266,17 @@ static int smb3_fs_context_parse_param(s + ctx->posix_paths = 1; + break; + case Opt_unix: +- if (result.negated) ++ if (result.negated) { ++ if (ctx->linux_ext == 1) ++ pr_warn_once("conflicting posix mount options specified\n"); + ctx->linux_ext = 0; +- else + ctx->no_linux_ext = 1; ++ } else { ++ if (ctx->no_linux_ext == 1) ++ pr_warn_once("conflicting posix mount options specified\n"); ++ ctx->linux_ext = 1; ++ ctx->no_linux_ext = 0; ++ } + break; + case Opt_nocase: + ctx->nocase = 1; diff --git a/queue-5.14/time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch b/queue-5.14/time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch new file mode 100644 index 00000000000..72f5b06819e --- /dev/null +++ b/queue-5.14/time-handle-negative-seconds-correctly-in-timespec64_to_ns.patch @@ -0,0 +1,61 @@ +From 39ff83f2f6cc5cc1458dfcea9697f96338210beb Mon Sep 17 00:00:00 2001 +From: Lukas Hannen +Date: Wed, 25 Aug 2021 10:12:43 +0000 +Subject: time: Handle negative seconds correctly in timespec64_to_ns() + +From: Lukas Hannen + +commit 39ff83f2f6cc5cc1458dfcea9697f96338210beb upstream. + +timespec64_ns() prevents multiplication overflows by comparing the seconds +value of the timespec to KTIME_SEC_MAX. If the value is greater or equal it +returns KTIME_MAX. + +But that check casts the signed seconds value to unsigned which makes the +comparision true for all negative values and therefore return wrongly +KTIME_MAX. + +Negative second values are perfectly valid and required in some places, +e.g. ptp_clock_adjtime(). + +Remove the cast and add a check for the negative boundary which is required +to prevent undefined behaviour due to multiplication underflow. + +Fixes: cb47755725da ("time: Prevent undefined behaviour in timespec64_to_ns()")' +Signed-off-by: Lukas Hannen +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/AM6PR01MB541637BD6F336B8FFB72AF80EEC69@AM6PR01MB5416.eurprd01.prod.exchangelabs.com +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/time64.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/include/linux/time64.h ++++ b/include/linux/time64.h +@@ -25,7 +25,9 @@ struct itimerspec64 { + #define TIME64_MIN (-TIME64_MAX - 1) + + #define KTIME_MAX ((s64)~((u64)1 << 63)) ++#define KTIME_MIN (-KTIME_MAX - 1) + #define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC) ++#define KTIME_SEC_MIN (KTIME_MIN / NSEC_PER_SEC) + + /* + * Limits for settimeofday(): +@@ -124,10 +126,13 @@ static inline bool timespec64_valid_sett + */ + static inline s64 timespec64_to_ns(const struct timespec64 *ts) + { +- /* Prevent multiplication overflow */ +- if ((unsigned long long)ts->tv_sec >= KTIME_SEC_MAX) ++ /* Prevent multiplication overflow / underflow */ ++ if (ts->tv_sec >= KTIME_SEC_MAX) + return KTIME_MAX; + ++ if (ts->tv_sec <= KTIME_SEC_MIN) ++ return KTIME_MIN; ++ + return ((s64) ts->tv_sec * NSEC_PER_SEC) + ts->tv_nsec; + } + diff --git a/queue-5.14/tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch b/queue-5.14/tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch new file mode 100644 index 00000000000..8690a1bd8d0 --- /dev/null +++ b/queue-5.14/tty-fix-data-race-between-tiocsti-and-flush_to_ldisc.patch @@ -0,0 +1,59 @@ +From bb2853a6a421a052268eee00fd5d3f6b3504b2b1 Mon Sep 17 00:00:00 2001 +From: Nguyen Dinh Phi +Date: Mon, 23 Aug 2021 08:06:41 +0800 +Subject: tty: Fix data race between tiocsti() and flush_to_ldisc() + +From: Nguyen Dinh Phi + +commit bb2853a6a421a052268eee00fd5d3f6b3504b2b1 upstream. + +The ops->receive_buf() may be accessed concurrently from these two +functions. If the driver flushes data to the line discipline +receive_buf() method while tiocsti() is waiting for the +ops->receive_buf() to finish its work, the data race will happen. + +For example: +tty_ioctl |tty_ldisc_receive_buf + ->tioctsi | ->tty_port_default_receive_buf + | ->tty_ldisc_receive_buf + ->hci_uart_tty_receive | ->hci_uart_tty_receive + ->h4_recv | ->h4_recv + +In this case, the h4 receive buffer will be overwritten by the +latecomer, and we will lost the data. + +Hence, change tioctsi() function to use the exclusive lock interface +from tty_buffer to avoid the data race. + +Reported-by: syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com +Reviewed-by: Jiri Slaby +Signed-off-by: Nguyen Dinh Phi +Link: https://lore.kernel.org/r/20210823000641.2082292-1-phind.uet@gmail.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2290,8 +2290,6 @@ static int tty_fasync(int fd, struct fil + * Locking: + * Called functions take tty_ldiscs_lock + * current->signal->tty check is safe without locks +- * +- * FIXME: may race normal receive processing + */ + + static int tiocsti(struct tty_struct *tty, char __user *p) +@@ -2307,8 +2305,10 @@ static int tiocsti(struct tty_struct *tt + ld = tty_ldisc_ref_wait(tty); + if (!ld) + return -EIO; ++ tty_buffer_lock_exclusive(tty->port); + if (ld->ops->receive_buf) + ld->ops->receive_buf(tty, &ch, &mbz, 1); ++ tty_buffer_unlock_exclusive(tty->port); + tty_ldisc_deref(ld); + return 0; + }