From: Greg Kroah-Hartman Date: Fri, 29 Jan 2021 10:50:13 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.254~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bef8f7d5b4e4d7c783768d05cca49817bb152222;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: dm-integrity-conditionally-disable-recalculate-feature.patch fs-fix-lazytime-expiration-handling-in-__writeback_single_inode.patch tools-factor-hostcc-hostld-hostar-definitions.patch writeback-drop-i_dirty_time_expire.patch --- diff --git a/queue-4.19/dm-integrity-conditionally-disable-recalculate-feature.patch b/queue-4.19/dm-integrity-conditionally-disable-recalculate-feature.patch new file mode 100644 index 00000000000..fcf25ed93ce --- /dev/null +++ b/queue-4.19/dm-integrity-conditionally-disable-recalculate-feature.patch @@ -0,0 +1,125 @@ +From 5c02406428d5219c367c5f53457698c58bc5f917 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 20 Jan 2021 13:59:11 -0500 +Subject: dm integrity: conditionally disable "recalculate" feature + +From: Mikulas Patocka + +commit 5c02406428d5219c367c5f53457698c58bc5f917 upstream. + +Otherwise a malicious user could (ab)use the "recalculate" feature +that makes dm-integrity calculate the checksums in the background +while the device is already usable. When the system restarts before all +checksums have been calculated, the calculation continues where it was +interrupted even if the recalculate feature is not requested the next +time the dm device is set up. + +Disable recalculating if we use internal_hash or journal_hash with a +key (e.g. HMAC) and we don't have the "legacy_recalculate" flag. + +This may break activation of a volume, created by an older kernel, +that is not yet fully recalculated -- if this happens, the user should +add the "legacy_recalculate" flag to constructor parameters. + +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Reported-by: Daniel Glockner +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/device-mapper/dm-integrity.txt | 7 +++++++ + drivers/md/dm-integrity.c | 24 +++++++++++++++++++++++- + 2 files changed, 30 insertions(+), 1 deletion(-) + +--- a/Documentation/device-mapper/dm-integrity.txt ++++ b/Documentation/device-mapper/dm-integrity.txt +@@ -146,6 +146,13 @@ block_size:number + Supported values are 512, 1024, 2048 and 4096 bytes. If not + specified the default block size is 512 bytes. + ++legacy_recalculate ++ Allow recalculating of volumes with HMAC keys. This is disabled by ++ default for security reasons - an attacker could modify the volume, ++ set recalc_sector to zero, and the kernel would not detect the ++ modification. ++ ++ + The journal mode (D/J), buffer_sectors, journal_watermark, commit_time can + be changed when reloading the target (load an inactive table and swap the + tables with suspend and resume). The other arguments should not be changed +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -240,6 +240,7 @@ struct dm_integrity_c { + + bool journal_uptodate; + bool just_formatted; ++ bool legacy_recalculate; + + struct alg_spec internal_hash_alg; + struct alg_spec journal_crypt_alg; +@@ -345,6 +346,14 @@ static int dm_integrity_failed(struct dm + return READ_ONCE(ic->failed); + } + ++static bool dm_integrity_disable_recalculate(struct dm_integrity_c *ic) ++{ ++ if ((ic->internal_hash_alg.key || ic->journal_mac_alg.key) && ++ !ic->legacy_recalculate) ++ return true; ++ return false; ++} ++ + static commit_id_t dm_integrity_commit_id(struct dm_integrity_c *ic, unsigned i, + unsigned j, unsigned char seq) + { +@@ -2503,6 +2512,7 @@ static void dm_integrity_status(struct d + arg_count += !!ic->internal_hash_alg.alg_string; + arg_count += !!ic->journal_crypt_alg.alg_string; + arg_count += !!ic->journal_mac_alg.alg_string; ++ arg_count += ic->legacy_recalculate; + DMEMIT("%s %llu %u %c %u", ic->dev->name, (unsigned long long)ic->start, + ic->tag_size, ic->mode, arg_count); + if (ic->meta_dev) +@@ -2516,6 +2526,8 @@ static void dm_integrity_status(struct d + DMEMIT(" buffer_sectors:%u", 1U << ic->log2_buffer_sectors); + DMEMIT(" journal_watermark:%u", (unsigned)watermark_percentage); + DMEMIT(" commit_time:%u", ic->autocommit_msec); ++ if (ic->legacy_recalculate) ++ DMEMIT(" legacy_recalculate"); + + #define EMIT_ALG(a, n) \ + do { \ +@@ -3118,7 +3130,7 @@ static int dm_integrity_ctr(struct dm_ta + unsigned extra_args; + struct dm_arg_set as; + static const struct dm_arg _args[] = { +- {0, 15, "Invalid number of feature args"}, ++ {0, 12, "Invalid number of feature args"}, + }; + unsigned journal_sectors, interleave_sectors, buffer_sectors, journal_watermark, sync_msec; + bool recalculate; +@@ -3248,6 +3260,8 @@ static int dm_integrity_ctr(struct dm_ta + goto bad; + } else if (!strcmp(opt_string, "recalculate")) { + recalculate = true; ++ } else if (!strcmp(opt_string, "legacy_recalculate")) { ++ ic->legacy_recalculate = true; + } else { + r = -EINVAL; + ti->error = "Invalid argument"; +@@ -3523,6 +3537,14 @@ try_smaller_buffer: + } + } + ++ if (ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING) && ++ le64_to_cpu(ic->sb->recalc_sector) < ic->provided_data_sectors && ++ dm_integrity_disable_recalculate(ic)) { ++ ti->error = "Recalculating with HMAC is disabled for security reasons - if you really need it, use the argument \"legacy_recalculate\""; ++ r = -EOPNOTSUPP; ++ goto bad; ++ } ++ + ic->bufio = dm_bufio_client_create(ic->meta_dev ? ic->meta_dev->bdev : ic->dev->bdev, + 1U << (SECTOR_SHIFT + ic->log2_buffer_sectors), 1, 0, NULL, NULL); + if (IS_ERR(ic->bufio)) { diff --git a/queue-4.19/fs-fix-lazytime-expiration-handling-in-__writeback_single_inode.patch b/queue-4.19/fs-fix-lazytime-expiration-handling-in-__writeback_single_inode.patch new file mode 100644 index 00000000000..a8a00f9333e --- /dev/null +++ b/queue-4.19/fs-fix-lazytime-expiration-handling-in-__writeback_single_inode.patch @@ -0,0 +1,115 @@ +From foo@baz Fri Jan 29 11:41:04 AM CET 2021 +From: Eric Biggers +Date: Mon, 25 Jan 2021 12:05:09 -0800 +Subject: fs: fix lazytime expiration handling in __writeback_single_inode() +To: stable@vger.kernel.org +Cc: linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, Jan Kara , Christoph Hellwig +Message-ID: <20210125200509.261295-3-ebiggers@kernel.org> + +From: Eric Biggers + +commit 1e249cb5b7fc09ff216aa5a12f6c302e434e88f9 upstream. + +When lazytime is enabled and an inode is being written due to its +in-memory updated timestamps having expired, either due to a sync() or +syncfs() system call or due to dirtytime_expire_interval having elapsed, +the VFS needs to inform the filesystem so that the filesystem can copy +the inode's timestamps out to the on-disk data structures. + +This is done by __writeback_single_inode() calling +mark_inode_dirty_sync(), which then calls ->dirty_inode(I_DIRTY_SYNC). + +However, this occurs after __writeback_single_inode() has already +cleared the dirty flags from ->i_state. This causes two bugs: + +- mark_inode_dirty_sync() redirties the inode, causing it to remain + dirty. This wastefully causes the inode to be written twice. But + more importantly, it breaks cases where sync_filesystem() is expected + to clean dirty inodes. This includes the FS_IOC_REMOVE_ENCRYPTION_KEY + ioctl (as reported at + https://lore.kernel.org/r/20200306004555.GB225345@gmail.com), as well + as possibly filesystem freezing (freeze_super()). + +- Since ->i_state doesn't contain I_DIRTY_TIME when ->dirty_inode() is + called from __writeback_single_inode() for lazytime expiration, + xfs_fs_dirty_inode() ignores the notification. (XFS only cares about + lazytime expirations, and it assumes that i_state will contain + I_DIRTY_TIME during those.) Therefore, lazy timestamps aren't + persisted by sync(), syncfs(), or dirtytime_expire_interval on XFS. + +Fix this by moving the call to mark_inode_dirty_sync() to earlier in +__writeback_single_inode(), before the dirty flags are cleared from +i_state. This makes filesystems be properly notified of the timestamp +expiration, and it avoids incorrectly redirtying the inode. + +This fixes xfstest generic/580 (which tests +FS_IOC_REMOVE_ENCRYPTION_KEY) when run on ext4 or f2fs with lazytime +enabled. It also fixes the new lazytime xfstest I've proposed, which +reproduces the above-mentioned XFS bug +(https://lore.kernel.org/r/20210105005818.92978-1-ebiggers@kernel.org). + +Alternatively, we could call ->dirty_inode(I_DIRTY_SYNC) directly. But +due to the introduction of I_SYNC_QUEUED, mark_inode_dirty_sync() is the +right thing to do because mark_inode_dirty_sync() now knows not to move +the inode to a writeback list if it is currently queued for sync. + +Fixes: 0ae45f63d4ef ("vfs: add support for a lazytime mount option") +Cc: stable@vger.kernel.org +Depends-on: 5afced3bf281 ("writeback: Avoid skipping inode writeback") +Link: https://lore.kernel.org/r/20210112190253.64307-2-ebiggers@kernel.org +Suggested-by: Jan Kara +Reviewed-by: Christoph Hellwig +Reviewed-by: Jan Kara +Signed-off-by: Eric Biggers +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/fs-writeback.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -1393,21 +1393,25 @@ __writeback_single_inode(struct inode *i + } + + /* +- * Some filesystems may redirty the inode during the writeback +- * due to delalloc, clear dirty metadata flags right before +- * write_inode() ++ * If the inode has dirty timestamps and we need to write them, call ++ * mark_inode_dirty_sync() to notify the filesystem about it and to ++ * change I_DIRTY_TIME into I_DIRTY_SYNC. + */ +- spin_lock(&inode->i_lock); +- +- dirty = inode->i_state & I_DIRTY; + if ((inode->i_state & I_DIRTY_TIME) && +- ((dirty & I_DIRTY_INODE) || +- wbc->sync_mode == WB_SYNC_ALL || wbc->for_sync || ++ (wbc->sync_mode == WB_SYNC_ALL || wbc->for_sync || + time_after(jiffies, inode->dirtied_time_when + + dirtytime_expire_interval * HZ))) { +- dirty |= I_DIRTY_TIME; + trace_writeback_lazytime(inode); ++ mark_inode_dirty_sync(inode); + } ++ ++ /* ++ * Some filesystems may redirty the inode during the writeback ++ * due to delalloc, clear dirty metadata flags right before ++ * write_inode() ++ */ ++ spin_lock(&inode->i_lock); ++ dirty = inode->i_state & I_DIRTY; + inode->i_state &= ~dirty; + + /* +@@ -1428,8 +1432,6 @@ __writeback_single_inode(struct inode *i + + spin_unlock(&inode->i_lock); + +- if (dirty & I_DIRTY_TIME) +- mark_inode_dirty_sync(inode); + /* Don't write the inode if only I_DIRTY_PAGES was set */ + if (dirty & ~I_DIRTY_PAGES) { + int err = write_inode(inode, wbc); diff --git a/queue-4.19/series b/queue-4.19/series index a4218617fc0..b92f0043350 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -20,3 +20,7 @@ futex_Simplify_fixup_pi_state_owner_.patch futex_Handle_faults_correctly_for_PI_futexes.patch hid-wacom-correct-null-dereference-on-aes-pen-proximity.patch tracing-fix-race-in-trace_open-and-buffer-resize-call.patch +tools-factor-hostcc-hostld-hostar-definitions.patch +dm-integrity-conditionally-disable-recalculate-feature.patch +writeback-drop-i_dirty_time_expire.patch +fs-fix-lazytime-expiration-handling-in-__writeback_single_inode.patch diff --git a/queue-4.19/tools-factor-hostcc-hostld-hostar-definitions.patch b/queue-4.19/tools-factor-hostcc-hostld-hostar-definitions.patch new file mode 100644 index 00000000000..6b6ab946b36 --- /dev/null +++ b/queue-4.19/tools-factor-hostcc-hostld-hostar-definitions.patch @@ -0,0 +1,101 @@ +From c8a950d0d3b926a02c7b2e713850d38217cec3d1 Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Brucker +Date: Tue, 10 Nov 2020 17:43:05 +0100 +Subject: tools: Factor HOSTCC, HOSTLD, HOSTAR definitions + +From: Jean-Philippe Brucker + +commit c8a950d0d3b926a02c7b2e713850d38217cec3d1 upstream. + +Several Makefiles in tools/ need to define the host toolchain variables. +Move their definition to tools/scripts/Makefile.include + +Signed-off-by: Jean-Philippe Brucker +Signed-off-by: Andrii Nakryiko +Acked-by: Jiri Olsa +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/bpf/20201110164310.2600671-2-jean-philippe@linaro.org +Cc: Alistair Delva +Signed-off-by: Greg Kroah-Hartman + +--- + tools/build/Makefile | 4 ---- + tools/objtool/Makefile | 9 --------- + tools/perf/Makefile.perf | 4 ---- + tools/power/acpi/Makefile.config | 1 - + tools/scripts/Makefile.include | 10 ++++++++++ + 5 files changed, 10 insertions(+), 18 deletions(-) + +--- a/tools/build/Makefile ++++ b/tools/build/Makefile +@@ -15,10 +15,6 @@ endef + $(call allow-override,CC,$(CROSS_COMPILE)gcc) + $(call allow-override,LD,$(CROSS_COMPILE)ld) + +-HOSTCC ?= gcc +-HOSTLD ?= ld +-HOSTAR ?= ar +- + export HOSTCC HOSTLD HOSTAR + + ifeq ($(V),1) +--- a/tools/objtool/Makefile ++++ b/tools/objtool/Makefile +@@ -7,15 +7,6 @@ ARCH := x86 + endif + + # always use the host compiler +-ifneq ($(LLVM),) +-HOSTAR ?= llvm-ar +-HOSTCC ?= clang +-HOSTLD ?= ld.lld +-else +-HOSTAR ?= ar +-HOSTCC ?= gcc +-HOSTLD ?= ld +-endif + AR = $(HOSTAR) + CC = $(HOSTCC) + LD = $(HOSTLD) +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -148,10 +148,6 @@ endef + + LD += $(EXTRA_LDFLAGS) + +-HOSTCC ?= gcc +-HOSTLD ?= ld +-HOSTAR ?= ar +- + PKG_CONFIG = $(CROSS_COMPILE)pkg-config + LLVM_CONFIG ?= llvm-config + +--- a/tools/power/acpi/Makefile.config ++++ b/tools/power/acpi/Makefile.config +@@ -57,7 +57,6 @@ INSTALL_SCRIPT = ${INSTALL_PROGRAM} + CROSS = #/usr/i386-linux-uclibc/usr/bin/i386-uclibc- + CROSS_COMPILE ?= $(CROSS) + LD = $(CC) +-HOSTCC = gcc + + # check if compiler option is supported + cc-supports = ${shell if $(CC) ${1} -S -o /dev/null -x c /dev/null > /dev/null 2>&1; then echo "$(1)"; fi;} +--- a/tools/scripts/Makefile.include ++++ b/tools/scripts/Makefile.include +@@ -60,6 +60,16 @@ $(call allow-override,LD,$(CROSS_COMPILE + $(call allow-override,CXX,$(CROSS_COMPILE)g++) + $(call allow-override,STRIP,$(CROSS_COMPILE)strip) + ++ifneq ($(LLVM),) ++HOSTAR ?= llvm-ar ++HOSTCC ?= clang ++HOSTLD ?= ld.lld ++else ++HOSTAR ?= ar ++HOSTCC ?= gcc ++HOSTLD ?= ld ++endif ++ + ifeq ($(CC_NO_CLANG), 1) + EXTRA_WARNINGS += -Wstrict-aliasing=3 + endif diff --git a/queue-4.19/writeback-drop-i_dirty_time_expire.patch b/queue-4.19/writeback-drop-i_dirty_time_expire.patch new file mode 100644 index 00000000000..501b02b3aee --- /dev/null +++ b/queue-4.19/writeback-drop-i_dirty_time_expire.patch @@ -0,0 +1,137 @@ +From foo@baz Fri Jan 29 11:41:04 AM CET 2021 +From: Eric Biggers +Date: Mon, 25 Jan 2021 12:05:08 -0800 +Subject: writeback: Drop I_DIRTY_TIME_EXPIRE +To: stable@vger.kernel.org +Cc: linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, Jan Kara , Christoph Hellwig +Message-ID: <20210125200509.261295-2-ebiggers@kernel.org> + +From: Jan Kara + +commit 5fcd57505c002efc5823a7355e21f48dd02d5a51 upstream. + +The only use of I_DIRTY_TIME_EXPIRE is to detect in +__writeback_single_inode() that inode got there because flush worker +decided it's time to writeback the dirty inode time stamps (either +because we are syncing or because of age). However we can detect this +directly in __writeback_single_inode() and there's no need for the +strange propagation with I_DIRTY_TIME_EXPIRE flag. + +Reviewed-by: Christoph Hellwig +Signed-off-by: Jan Kara +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 2 +- + fs/fs-writeback.c | 28 +++++++++++----------------- + fs/xfs/xfs_trans_inode.c | 4 ++-- + include/linux/fs.h | 1 - + include/trace/events/writeback.h | 1 - + 5 files changed, 14 insertions(+), 22 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5209,7 +5209,7 @@ static int other_inode_match(struct inod + (inode->i_state & I_DIRTY_TIME)) { + struct ext4_inode_info *ei = EXT4_I(inode); + +- inode->i_state &= ~(I_DIRTY_TIME | I_DIRTY_TIME_EXPIRED); ++ inode->i_state &= ~I_DIRTY_TIME; + spin_unlock(&inode->i_lock); + + spin_lock(&ei->i_raw_lock); +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -1157,7 +1157,7 @@ static bool inode_dirtied_after(struct i + */ + static int move_expired_inodes(struct list_head *delaying_queue, + struct list_head *dispatch_queue, +- int flags, unsigned long dirtied_before) ++ unsigned long dirtied_before) + { + LIST_HEAD(tmp); + struct list_head *pos, *node; +@@ -1173,8 +1173,6 @@ static int move_expired_inodes(struct li + list_move(&inode->i_io_list, &tmp); + moved++; + spin_lock(&inode->i_lock); +- if (flags & EXPIRE_DIRTY_ATIME) +- inode->i_state |= I_DIRTY_TIME_EXPIRED; + inode->i_state |= I_SYNC_QUEUED; + spin_unlock(&inode->i_lock); + if (sb_is_blkdev_sb(inode->i_sb)) +@@ -1222,11 +1220,11 @@ static void queue_io(struct bdi_writebac + + assert_spin_locked(&wb->list_lock); + list_splice_init(&wb->b_more_io, &wb->b_io); +- moved = move_expired_inodes(&wb->b_dirty, &wb->b_io, 0, dirtied_before); ++ moved = move_expired_inodes(&wb->b_dirty, &wb->b_io, dirtied_before); + if (!work->for_sync) + time_expire_jif = jiffies - dirtytime_expire_interval * HZ; + moved += move_expired_inodes(&wb->b_dirty_time, &wb->b_io, +- EXPIRE_DIRTY_ATIME, time_expire_jif); ++ time_expire_jif); + if (moved) + wb_io_lists_populated(wb); + trace_writeback_queue_io(wb, work, dirtied_before, moved); +@@ -1402,18 +1400,14 @@ __writeback_single_inode(struct inode *i + spin_lock(&inode->i_lock); + + dirty = inode->i_state & I_DIRTY; +- if (inode->i_state & I_DIRTY_TIME) { +- if ((dirty & I_DIRTY_INODE) || +- wbc->sync_mode == WB_SYNC_ALL || +- unlikely(inode->i_state & I_DIRTY_TIME_EXPIRED) || +- unlikely(time_after(jiffies, +- (inode->dirtied_time_when + +- dirtytime_expire_interval * HZ)))) { +- dirty |= I_DIRTY_TIME | I_DIRTY_TIME_EXPIRED; +- trace_writeback_lazytime(inode); +- } +- } else +- inode->i_state &= ~I_DIRTY_TIME_EXPIRED; ++ if ((inode->i_state & I_DIRTY_TIME) && ++ ((dirty & I_DIRTY_INODE) || ++ wbc->sync_mode == WB_SYNC_ALL || wbc->for_sync || ++ time_after(jiffies, inode->dirtied_time_when + ++ dirtytime_expire_interval * HZ))) { ++ dirty |= I_DIRTY_TIME; ++ trace_writeback_lazytime(inode); ++ } + inode->i_state &= ~dirty; + + /* +--- a/fs/xfs/xfs_trans_inode.c ++++ b/fs/xfs/xfs_trans_inode.c +@@ -99,9 +99,9 @@ xfs_trans_log_inode( + * to log the timestamps, or will clear already cleared fields in the + * worst case. + */ +- if (inode->i_state & (I_DIRTY_TIME | I_DIRTY_TIME_EXPIRED)) { ++ if (inode->i_state & I_DIRTY_TIME) { + spin_lock(&inode->i_lock); +- inode->i_state &= ~(I_DIRTY_TIME | I_DIRTY_TIME_EXPIRED); ++ inode->i_state &= ~I_DIRTY_TIME; + spin_unlock(&inode->i_lock); + } + +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -2071,7 +2071,6 @@ static inline void init_sync_kiocb(struc + #define I_DIO_WAKEUP (1 << __I_DIO_WAKEUP) + #define I_LINKABLE (1 << 10) + #define I_DIRTY_TIME (1 << 11) +-#define I_DIRTY_TIME_EXPIRED (1 << 12) + #define I_WB_SWITCH (1 << 13) + #define I_OVL_INUSE (1 << 14) + #define I_CREATING (1 << 15) +--- a/include/trace/events/writeback.h ++++ b/include/trace/events/writeback.h +@@ -20,7 +20,6 @@ + {I_CLEAR, "I_CLEAR"}, \ + {I_SYNC, "I_SYNC"}, \ + {I_DIRTY_TIME, "I_DIRTY_TIME"}, \ +- {I_DIRTY_TIME_EXPIRED, "I_DIRTY_TIME_EXPIRED"}, \ + {I_REFERENCED, "I_REFERENCED"} \ + ) +