From: Sasha Levin Date: Tue, 10 Aug 2021 12:10:02 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.4.280~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d08bc5d860aea5dc1207798089ad58c3c770419f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alpha-send-stop-ipi-to-send-to-online-cpus.patch b/queue-4.14/alpha-send-stop-ipi-to-send-to-online-cpus.patch new file mode 100644 index 00000000000..15abf65e2e5 --- /dev/null +++ b/queue-4.14/alpha-send-stop-ipi-to-send-to-online-cpus.patch @@ -0,0 +1,48 @@ +From c35d489401314e57fc52b3b3c610ce5f7bede75e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 10:16:27 -0500 +Subject: alpha: Send stop IPI to send to online CPUs + +From: Prarit Bhargava + +[ Upstream commit caace6ca4e06f09413fb8f8a63319594cfb7d47d ] + +This issue was noticed while debugging a shutdown issue where some +secondary CPUs are not being shutdown correctly. A fix for that [1] requires +that secondary cpus be offlined using the cpu_online_mask so that the +stop operation is a no-op if CPU HOTPLUG is disabled. I, like the author in +[1] looked at the architectures and found that alpha is one of two +architectures that executes smp_send_stop() on all possible CPUs. + +On alpha, smp_send_stop() sends an IPI to all possible CPUs but only needs +to send them to online CPUs. + +Send the stop IPI to only the online CPUs. + +[1] https://lkml.org/lkml/2020/1/10/250 + +Signed-off-by: Prarit Bhargava +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Signed-off-by: Matt Turner +Signed-off-by: Sasha Levin +--- + arch/alpha/kernel/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c +index d0dccae53ba9..8a89b9adb4fe 100644 +--- a/arch/alpha/kernel/smp.c ++++ b/arch/alpha/kernel/smp.c +@@ -585,7 +585,7 @@ void + smp_send_stop(void) + { + cpumask_t to_whom; +- cpumask_copy(&to_whom, cpu_possible_mask); ++ cpumask_copy(&to_whom, cpu_online_mask); + cpumask_clear_cpu(smp_processor_id(), &to_whom); + #ifdef DEBUG_IPI_MSG + if (hard_smp_processor_id() != boot_cpu_id) +-- +2.30.2 + diff --git a/queue-4.14/libata-fix-ata_pio_sector-for-config_highmem.patch b/queue-4.14/libata-fix-ata_pio_sector-for-config_highmem.patch new file mode 100644 index 00000000000..262ea58df56 --- /dev/null +++ b/queue-4.14/libata-fix-ata_pio_sector-for-config_highmem.patch @@ -0,0 +1,92 @@ +From 659e1d158380c62dd1110f91b0bc135e0353efec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 15:02:37 +0200 +Subject: libata: fix ata_pio_sector for CONFIG_HIGHMEM + +From: Christoph Hellwig + +[ Upstream commit ecef6a9effe49e8e2635c839020b9833b71e934c ] + +Data transfers are not required to be block aligned in memory, so they +span two pages. Fix this by splitting the call to >sff_data_xfer into +two for that case. + +This has been broken since the initial libata import before the damn +of git, but was uncovered by the legacy ide driver removal. + +Reported-by: kernel test robot +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210709130237.3730959-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sff.c | 35 +++++++++++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 8 deletions(-) + +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index 7057630ccf52..1b4297ec3e87 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -657,6 +657,20 @@ unsigned int ata_sff_data_xfer32(struct ata_queued_cmd *qc, unsigned char *buf, + } + EXPORT_SYMBOL_GPL(ata_sff_data_xfer32); + ++static void ata_pio_xfer(struct ata_queued_cmd *qc, struct page *page, ++ unsigned int offset, size_t xfer_size) ++{ ++ bool do_write = (qc->tf.flags & ATA_TFLAG_WRITE); ++ unsigned char *buf; ++ ++ buf = kmap_atomic(page); ++ qc->ap->ops->sff_data_xfer(qc, buf + offset, xfer_size, do_write); ++ kunmap_atomic(buf); ++ ++ if (!do_write && !PageSlab(page)) ++ flush_dcache_page(page); ++} ++ + /** + * ata_sff_data_xfer_noirq - Transfer data by PIO + * @qc: queued command +@@ -698,11 +712,9 @@ EXPORT_SYMBOL_GPL(ata_sff_data_xfer_noirq); + */ + static void ata_pio_sector(struct ata_queued_cmd *qc) + { +- int do_write = (qc->tf.flags & ATA_TFLAG_WRITE); + struct ata_port *ap = qc->ap; + struct page *page; + unsigned int offset; +- unsigned char *buf; + + if (!qc->cursg) { + qc->curbytes = qc->nbytes; +@@ -720,13 +732,20 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) + + DPRINTK("data %s\n", qc->tf.flags & ATA_TFLAG_WRITE ? "write" : "read"); + +- /* do the actual data transfer */ +- buf = kmap_atomic(page); +- ap->ops->sff_data_xfer(qc, buf + offset, qc->sect_size, do_write); +- kunmap_atomic(buf); ++ /* ++ * Split the transfer when it splits a page boundary. Note that the ++ * split still has to be dword aligned like all ATA data transfers. ++ */ ++ WARN_ON_ONCE(offset % 4); ++ if (offset + qc->sect_size > PAGE_SIZE) { ++ unsigned int split_len = PAGE_SIZE - offset; + +- if (!do_write && !PageSlab(page)) +- flush_dcache_page(page); ++ ata_pio_xfer(qc, page, offset, split_len); ++ ata_pio_xfer(qc, nth_page(page, 1), 0, ++ qc->sect_size - split_len); ++ } else { ++ ata_pio_xfer(qc, page, offset, qc->sect_size); ++ } + + qc->curbytes += qc->sect_size; + qc->cursg_ofs += qc->sect_size; +-- +2.30.2 + diff --git a/queue-4.14/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch b/queue-4.14/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch new file mode 100644 index 00000000000..882111a3cb9 --- /dev/null +++ b/queue-4.14/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch @@ -0,0 +1,58 @@ +From ce1075bbbfbbccf3db9f72364e38047737a2f5d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jul 2021 21:45:12 +0800 +Subject: net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and + ql_adapter_reset + +From: Letu Ren + +[ Upstream commit 92766c4628ea349c8ddab0cd7bd0488f36e5c4ce ] + +When calling the 'ql_wait_for_drvr_lock' and 'ql_adapter_reset', the driver +has already acquired the spin lock, so the driver should not call 'ssleep' +in atomic context. + +This bug can be fixed by using 'mdelay' instead of 'ssleep'. + +Reported-by: Letu Ren +Signed-off-by: Letu Ren +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index a8bb061e1a8a..36c7d78ba780 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -155,7 +155,7 @@ static int ql_wait_for_drvr_lock(struct ql3_adapter *qdev) + "driver lock acquired\n"); + return 1; + } +- ssleep(1); ++ mdelay(1000); + } while (++i < 10); + + netdev_err(qdev->ndev, "Timed out waiting for driver lock...\n"); +@@ -3291,7 +3291,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev) + if ((value & ISP_CONTROL_SR) == 0) + break; + +- ssleep(1); ++ mdelay(1000); + } while ((--max_wait_time)); + + /* +@@ -3327,7 +3327,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev) + ispControlStatus); + if ((value & ISP_CONTROL_FSR) == 0) + break; +- ssleep(1); ++ mdelay(1000); + } while ((--max_wait_time)); + } + if (max_wait_time == 0) +-- +2.30.2 + diff --git a/queue-4.14/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch b/queue-4.14/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch new file mode 100644 index 00000000000..0b4dde5b7f5 --- /dev/null +++ b/queue-4.14/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch @@ -0,0 +1,98 @@ +From e3c95f84b0992c11b36c35cff71ef4724442a1ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 12:07:43 +0800 +Subject: reiserfs: add check for root_inode in reiserfs_fill_super + +From: Yu Kuai + +[ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ] + +Our syzcaller report a NULL pointer dereference: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0 +Oops: 0010 [#1] SMP KASAN +CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4 +RIP: 0010:0x0 +Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. +RSP: 0018:ffff888114e779b8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa +RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0 +RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001 +R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00 +R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0 +FS: 00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + __lookup_slow+0x116/0x2d0 + ? page_put_link+0x120/0x120 + ? __d_lookup+0xfc/0x320 + ? d_lookup+0x49/0x90 + lookup_one_len+0x13c/0x170 + ? __lookup_slow+0x2d0/0x2d0 + ? reiserfs_schedule_old_flush+0x31/0x130 + reiserfs_lookup_privroot+0x64/0x150 + reiserfs_fill_super+0x158c/0x1b90 + ? finish_unfinished+0xb10/0xb10 + ? bprintf+0xe0/0xe0 + ? __mutex_lock_slowpath+0x30/0x30 + ? __kasan_check_write+0x20/0x30 + ? up_write+0x51/0xb0 + ? set_blocksize+0x9f/0x1f0 + mount_bdev+0x27c/0x2d0 + ? finish_unfinished+0xb10/0xb10 + ? reiserfs_kill_sb+0x120/0x120 + get_super_block+0x19/0x30 + legacy_get_tree+0x76/0xf0 + vfs_get_tree+0x49/0x160 + ? capable+0x1d/0x30 + path_mount+0xacc/0x1380 + ? putname+0x97/0xd0 + ? finish_automount+0x450/0x450 + ? kmem_cache_free+0xf8/0x5a0 + ? putname+0x97/0xd0 + do_mount+0xe2/0x110 + ? path_mount+0x1380/0x1380 + ? copy_mount_options+0x69/0x140 + __x64_sys_mount+0xf0/0x190 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +This is because 'root_inode' is initialized with wrong mode, and +it's i_op is set to 'reiserfs_special_inode_operations'. Thus add +check for 'root_inode' to fix the problem. + +Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com +Signed-off-by: Yu Kuai +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index fbae5f4eea09..7dfdc503e601 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -2085,6 +2085,14 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) + unlock_new_inode(root_inode); + } + ++ if (!S_ISDIR(root_inode->i_mode) || !inode_get_bytes(root_inode) || ++ !root_inode->i_size) { ++ SWARN(silent, s, "", "corrupt root inode, run fsck"); ++ iput(root_inode); ++ errval = -EUCLEAN; ++ goto error; ++ } ++ + s->s_root = d_make_root(root_inode); + if (!s->s_root) + goto error; +-- +2.30.2 + diff --git a/queue-4.14/reiserfs-check-directory-items-on-read-from-disk.patch b/queue-4.14/reiserfs-check-directory-items-on-read-from-disk.patch new file mode 100644 index 00000000000..00e32bca726 --- /dev/null +++ b/queue-4.14/reiserfs-check-directory-items-on-read-from-disk.patch @@ -0,0 +1,79 @@ +From d8f91f4803f8d560ce561fcbed1782cc92889bba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 20:59:29 +0530 +Subject: reiserfs: check directory items on read from disk + +From: Shreyansh Chouhan + +[ Upstream commit 13d257503c0930010ef9eed78b689cec417ab741 ] + +While verifying the leaf item that we read from the disk, reiserfs +doesn't check the directory items, this could cause a crash when we +read a directory item from the disk that has an invalid deh_location. + +This patch adds a check to the directory items read from the disk that +does a bounds check on deh_location for the directory entries. Any +directory entry header with a directory entry offset greater than the +item length is considered invalid. + +Link: https://lore.kernel.org/r/20210709152929.766363-1-chouhan.shreyansh630@gmail.com +Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com +Signed-off-by: Shreyansh Chouhan +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c +index 5229038852ca..4ebad6781b0e 100644 +--- a/fs/reiserfs/stree.c ++++ b/fs/reiserfs/stree.c +@@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path) + search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET; + } + ++static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih) ++{ ++ struct reiserfs_de_head *deh; ++ int i; ++ ++ deh = B_I_DEH(bh, ih); ++ for (i = 0; i < ih_entry_count(ih); i++) { ++ if (deh_location(&deh[i]) > ih_item_len(ih)) { ++ reiserfs_warning(NULL, "reiserfs-5094", ++ "directory entry location seems wrong %h", ++ &deh[i]); ++ return 0; ++ } ++ } ++ ++ return 1; ++} ++ + static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) + { + struct block_head *blkh; +@@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) + "(second one): %h", ih); + return 0; + } +- if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) { +- reiserfs_warning(NULL, "reiserfs-5093", +- "item entry count seems wrong %h", +- ih); +- return 0; ++ if (is_direntry_le_ih(ih)) { ++ if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) { ++ reiserfs_warning(NULL, "reiserfs-5093", ++ "item entry count seems wrong %h", ++ ih); ++ return 0; ++ } ++ return has_valid_deh_location(bh, ih); + } + prev_location = ih_location(ih); + } +-- +2.30.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 401c55f0bde..9d22ba39370 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -31,3 +31,8 @@ pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch spi-meson-spicc-fix-memory-leak-in-meson_spicc_remove.patch perf-x86-amd-don-t-touch-the-amd64_eventsel_hostonly-bit-inside-the-guest.patch qmi_wwan-add-network-device-usage-statistics-for-qmimux-devices.patch +libata-fix-ata_pio_sector-for-config_highmem.patch +reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch +reiserfs-check-directory-items-on-read-from-disk.patch +alpha-send-stop-ipi-to-send-to-online-cpus.patch +net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch