From 11c0289472af07dce0a0b6b1c693a5670a129ac6 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 28 Dec 2020 10:36:25 +0100 Subject: [PATCH] 4.19-stable patches added patches: arm-dts-at91-sama5d2-fix-can-message-ram-offset-and-size.patch arm-dts-pandaboard-fix-pinmux-for-gpio-user-button-of-pandaboard-es.patch ceph-fix-race-in-concurrent-__ceph_remove_cap-invocations.patch ext4-fix-a-memory-leak-of-ext4_free_data.patch ext4-fix-deadlock-with-fs-freezing-and-ea-inodes.patch ima-don-t-modify-file-descriptor-mode-on-the-fly.patch jffs2-fix-gc-exit-abnormally.patch kvm-arm64-introduce-handling-of-aarch32-ttbcr2-traps.patch powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__set_pte_at.patch powerpc-powernv-memtrace-don-t-leak-kernel-memory-to-user-space.patch powerpc-powernv-memtrace-fix-crashing-the-kernel-when-enabling-concurrently.patch powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-filter.patch powerpc-xmon-change-printk-to-pr_cont.patch smb3-avoid-confusing-warning-message-on-mount-to-azure.patch smb3.1.1-do-not-log-warning-message-if-server-doesn-t-populate-salt.patch ubifs-wbuf-don-t-leak-kernel-memory-to-flash.patch --- ...-fix-can-message-ram-offset-and-size.patch | 64 ++++++++++ ...or-gpio-user-button-of-pandaboard-es.patch | 32 +++++ ...urrent-__ceph_remove_cap-invocations.patch | 53 +++++++++ ...-fix-a-memory-leak-of-ext4_free_data.patch | 40 +++++++ ...dlock-with-fs-freezing-and-ea-inodes.patch | 110 ++++++++++++++++++ ...dify-file-descriptor-mode-on-the-fly.patch | 75 ++++++++++++ queue-4.19/jffs2-fix-gc-exit-abnormally.patch | 76 ++++++++++++ ...uce-handling-of-aarch32-ttbcr2-traps.patch | 42 +++++++ ...-ux-u-x-instructions-in-__set_pte_at.patch | 63 ++++++++++ ...n-t-leak-kernel-memory-to-user-space.patch | 103 ++++++++++++++++ ...he-kernel-when-enabling-concurrently.patch | 96 +++++++++++++++ ...-of-ibm-open-errinjct-in-rtas-filter.patch | 48 ++++++++ ...owerpc-xmon-change-printk-to-pr_cont.patch | 66 +++++++++++ queue-4.19/series | 16 +++ ...ng-warning-message-on-mount-to-azure.patch | 40 +++++++ 
...sage-if-server-doesn-t-populate-salt.patch | 87 ++++++++++++++ ...uf-don-t-leak-kernel-memory-to-flash.patch | 69 +++++++++++ 17 files changed, 1080 insertions(+) create mode 100644 queue-4.19/arm-dts-at91-sama5d2-fix-can-message-ram-offset-and-size.patch create mode 100644 queue-4.19/arm-dts-pandaboard-fix-pinmux-for-gpio-user-button-of-pandaboard-es.patch create mode 100644 queue-4.19/ceph-fix-race-in-concurrent-__ceph_remove_cap-invocations.patch create mode 100644 queue-4.19/ext4-fix-a-memory-leak-of-ext4_free_data.patch create mode 100644 queue-4.19/ext4-fix-deadlock-with-fs-freezing-and-ea-inodes.patch create mode 100644 queue-4.19/ima-don-t-modify-file-descriptor-mode-on-the-fly.patch create mode 100644 queue-4.19/jffs2-fix-gc-exit-abnormally.patch create mode 100644 queue-4.19/kvm-arm64-introduce-handling-of-aarch32-ttbcr2-traps.patch create mode 100644 queue-4.19/powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__set_pte_at.patch create mode 100644 queue-4.19/powerpc-powernv-memtrace-don-t-leak-kernel-memory-to-user-space.patch create mode 100644 queue-4.19/powerpc-powernv-memtrace-fix-crashing-the-kernel-when-enabling-concurrently.patch create mode 100644 queue-4.19/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-filter.patch create mode 100644 queue-4.19/powerpc-xmon-change-printk-to-pr_cont.patch create mode 100644 queue-4.19/smb3-avoid-confusing-warning-message-on-mount-to-azure.patch create mode 100644 queue-4.19/smb3.1.1-do-not-log-warning-message-if-server-doesn-t-populate-salt.patch create mode 100644 queue-4.19/ubifs-wbuf-don-t-leak-kernel-memory-to-flash.patch diff --git a/queue-4.19/arm-dts-at91-sama5d2-fix-can-message-ram-offset-and-size.patch b/queue-4.19/arm-dts-at91-sama5d2-fix-can-message-ram-offset-and-size.patch new file mode 100644 index 00000000000..5ebc4fd0e77 --- /dev/null +++ b/queue-4.19/arm-dts-at91-sama5d2-fix-can-message-ram-offset-and-size.patch 
@@ -0,0 +1,64 @@ +From 85b8350ae99d1300eb6dc072459246c2649a8e50 Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Thu, 3 Dec 2020 10:19:49 +0100 +Subject: ARM: dts: at91: sama5d2: fix CAN message ram offset and size + +From: Nicolas Ferre + +commit 85b8350ae99d1300eb6dc072459246c2649a8e50 upstream. + +CAN0 and CAN1 instances share the same message ram configured +at 0x210000 on sama5d2 Linux systems. +According to current configuration of CAN0, we need 0x1c00 bytes +so that the CAN1 don't overlap its message ram: +64 x RX FIFO0 elements => 64 x 72 bytes +32 x TXE (TX Event FIFO) elements => 32 x 8 bytes +32 x TXB (TX Buffer) elements => 32 x 72 bytes +So a total of 7168 bytes (0x1C00). + +Fix offset to match this needed size. +Make the CAN0 message ram ioremap match exactly this size so that is +easily understandable. Adapt CAN1 size accordingly. + +Fixes: bc6d5d7666b7 ("ARM: dts: at91: sama5d2: add m_can nodes") +Reported-by: Dan Sneddon +Signed-off-by: Nicolas Ferre +Signed-off-by: Alexandre Belloni +Tested-by: Cristian Birsan +Cc: stable@vger.kernel.org # v4.13+ +Link: https://lore.kernel.org/r/20201203091949.9015-1-nicolas.ferre@microchip.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sama5d2.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/boot/dts/sama5d2.dtsi ++++ b/arch/arm/boot/dts/sama5d2.dtsi +@@ -1298,7 +1298,7 @@ + + can0: can@f8054000 { + compatible = "bosch,m_can"; +- reg = <0xf8054000 0x4000>, <0x210000 0x4000>; ++ reg = <0xf8054000 0x4000>, <0x210000 0x1c00>; + reg-names = "m_can", "message_ram"; + interrupts = <56 IRQ_TYPE_LEVEL_HIGH 7>, + <64 IRQ_TYPE_LEVEL_HIGH 7>; +@@ -1491,7 +1491,7 @@ + + can1: can@fc050000 { + compatible = "bosch,m_can"; +- reg = <0xfc050000 0x4000>, <0x210000 0x4000>; ++ reg = <0xfc050000 0x4000>, <0x210000 0x3800>; + reg-names = "m_can", "message_ram"; + interrupts = <57 IRQ_TYPE_LEVEL_HIGH 7>, + <65 IRQ_TYPE_LEVEL_HIGH 7>; +@@ -1501,7 +1501,7 @@ + assigned-clocks = 
<&can1_gclk>; + assigned-clock-parents = <&utmi>; + assigned-clock-rates = <40000000>; +- bosch,mram-cfg = <0x1100 0 0 64 0 0 32 32>; ++ bosch,mram-cfg = <0x1c00 0 0 64 0 0 32 32>; + status = "disabled"; + }; + diff --git a/queue-4.19/arm-dts-pandaboard-fix-pinmux-for-gpio-user-button-of-pandaboard-es.patch b/queue-4.19/arm-dts-pandaboard-fix-pinmux-for-gpio-user-button-of-pandaboard-es.patch new file mode 100644 index 00000000000..27f6eb81bb8 --- /dev/null +++ b/queue-4.19/arm-dts-pandaboard-fix-pinmux-for-gpio-user-button-of-pandaboard-es.patch @@ -0,0 +1,32 @@ +From df9dbaf2c415cd94ad520067a1eccfee62f00a33 Mon Sep 17 00:00:00 2001 +From: "H. Nikolaus Schaller" +Date: Sat, 3 Oct 2020 16:10:00 +0200 +Subject: ARM: dts: pandaboard: fix pinmux for gpio user button of Pandaboard ES + +From: H. Nikolaus Schaller + +commit df9dbaf2c415cd94ad520067a1eccfee62f00a33 upstream. + +The pinmux control register offset passed to OMAP4_IOPAD is odd. + +Fixes: ab9a13665e7c ("ARM: dts: pandaboard: add gpio user button") +Cc: stable@vger.kernel.org +Signed-off-by: H. Nikolaus Schaller +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/omap4-panda-es.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/omap4-panda-es.dts ++++ b/arch/arm/boot/dts/omap4-panda-es.dts +@@ -49,7 +49,7 @@ + + button_pins: pinmux_button_pins { + pinctrl-single,pins = < +- OMAP4_IOPAD(0x11b, PIN_INPUT_PULLUP | MUX_MODE3) /* gpio_113 */ ++ OMAP4_IOPAD(0x0fc, PIN_INPUT_PULLUP | MUX_MODE3) /* gpio_113 */ + >; + }; + }; diff --git a/queue-4.19/ceph-fix-race-in-concurrent-__ceph_remove_cap-invocations.patch b/queue-4.19/ceph-fix-race-in-concurrent-__ceph_remove_cap-invocations.patch new file mode 100644 index 00000000000..87bc5081419 --- /dev/null +++ b/queue-4.19/ceph-fix-race-in-concurrent-__ceph_remove_cap-invocations.patch 
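Review bot: can1's `reg = <0xfc050000 0x4000>, <0x210000 0x3800>;` still starts at the same message-RAM base as can0 and its length spans can0's 0x1c00 bytes, so the two nodes now claim overlapping `reg` ranges and only the `bosch,mram-cfg = <0x1c00 0 0 64 0 0 32 32>;` offset keeps can1's elements out of can0's area. Nothing in the dtsi says so, and a reader checking the fix against the 7168-byte budget in the commit log has to work it out from the two nodes. I would add a comment above can1's reg line: `/* message RAM shared with can0: can0 uses the first 0x1c00 bytes, can1 starts at the mram-cfg offset */`.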
@@ -0,0 +1,53 @@ +From e5cafce3ad0f8652d6849314d951459c2bff7233 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Thu, 12 Nov 2020 10:45:12 +0000 +Subject: ceph: fix race in concurrent __ceph_remove_cap invocations + +From: Luis Henriques + +commit e5cafce3ad0f8652d6849314d951459c2bff7233 upstream. + +A NULL pointer dereference may occur in __ceph_remove_cap with some of the +callbacks used in ceph_iterate_session_caps, namely trim_caps_cb and +remove_session_caps_cb. Those callers hold the session->s_mutex, so they +are prevented from concurrent execution, but ceph_evict_inode does not. + +Since the callers of this function hold the i_ceph_lock, the fix is simply +a matter of returning immediately if caps->ci is NULL. + +Cc: stable@vger.kernel.org +URL: https://tracker.ceph.com/issues/43272 +Suggested-by: Jeff Layton +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/caps.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1047,12 +1047,19 @@ void __ceph_remove_cap(struct ceph_cap * + { + struct ceph_mds_session *session = cap->session; + struct ceph_inode_info *ci = cap->ci; +- struct ceph_mds_client *mdsc = +- ceph_sb_to_client(ci->vfs_inode.i_sb)->mdsc; ++ struct ceph_mds_client *mdsc; + int removed = 0; + ++ /* 'ci' being NULL means the remove have already occurred */ ++ if (!ci) { ++ dout("%s: cap inode is NULL\n", __func__); ++ return; ++ } ++ + dout("__ceph_remove_cap %p from %p\n", cap, &ci->vfs_inode); + ++ mdsc = ceph_inode_to_client(&ci->vfs_inode)->mdsc; ++ + /* remove from inode's cap rbtree, and clear auth cap */ + rb_erase(&cap->ci_node, &ci->i_caps); + if (ci->i_auth_cap == cap) diff --git a/queue-4.19/ext4-fix-a-memory-leak-of-ext4_free_data.patch b/queue-4.19/ext4-fix-a-memory-leak-of-ext4_free_data.patch new file mode 100644 index 00000000000..2d96c9eef83 --- /dev/null 
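Review bot: The new early return reads `cap->ci` and relies on the caller holding i_ceph_lock, which the commit message states but the code does not; suggest the comment read `/* 'ci' being NULL means the cap has already been removed; callers hold i_ceph_lock, so this cannot change under us */`. The `dout` on that path logs only `__func__`, so correlating a raced removal with a particular cap during debugging would need the cap pointer as well, e.g. `dout("%s: cap %p inode is NULL\n", __func__, cap);`. __ceph_remove_cap continues past the hunk.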
+++ b/queue-4.19/ext4-fix-a-memory-leak-of-ext4_free_data.patch @@ -0,0 +1,40 @@ +From cca415537244f6102cbb09b5b90db6ae2c953bdd Mon Sep 17 00:00:00 2001 +From: Chunguang Xu +Date: Sat, 7 Nov 2020 23:58:18 +0800 +Subject: ext4: fix a memory leak of ext4_free_data + +From: Chunguang Xu + +commit cca415537244f6102cbb09b5b90db6ae2c953bdd upstream. + +When freeing metadata, we will create an ext4_free_data and +insert it into the pending free list. After the current +transaction is committed, the object will be freed. + +ext4_mb_free_metadata() will check whether the area to be freed +overlaps with the pending free list. If true, return directly. At this +time, ext4_free_data is leaked. Fortunately, the probability of this +problem is small, since it only occurs if the file system is corrupted +such that a block is claimed by more one inode and those inodes are +deleted within a single jbd2 transaction. + +Signed-off-by: Chunguang Xu +Link: https://lore.kernel.org/r/1604764698-4269-8-git-send-email-brookxu@tencent.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/mballoc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4690,6 +4690,7 @@ ext4_mb_free_metadata(handle_t *handle, + ext4_group_first_block_no(sb, group) + + EXT4_C2B(sbi, cluster), + "Block already on to-be-freed list"); ++ kmem_cache_free(ext4_free_data_cachep, new_entry); + return 0; + } + } diff --git a/queue-4.19/ext4-fix-deadlock-with-fs-freezing-and-ea-inodes.patch b/queue-4.19/ext4-fix-deadlock-with-fs-freezing-and-ea-inodes.patch new file mode 100644 index 00000000000..9c922ef4949 --- /dev/null +++ b/queue-4.19/ext4-fix-deadlock-with-fs-freezing-and-ea-inodes.patch 
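Review bot: The added `kmem_cache_free(ext4_free_data_cachep, new_entry);` means `new_entry` is consumed on the overlap path as well as on the insert path, so after a 0 return the caller must never touch it again, and nothing in the hunk documents that ownership rule. Suggest a comment on the new line: `/* new_entry is ours on every path; the caller must not use it after return */`. If the caller (outside the hunk) reads new_entry after the call, that would now be a use-after-free — presumably it does not, but worth confirming. ext4_mb_free_metadata starts outside the hunk.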
@@ -0,0 +1,110 @@ +From 46e294efc355c48d1dd4d58501aa56dac461792a Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 27 Nov 2020 12:06:49 +0100 +Subject: ext4: fix deadlock with fs freezing and EA inodes + +From: Jan Kara + +commit 46e294efc355c48d1dd4d58501aa56dac461792a upstream. + +Xattr code using inodes with large xattr data can end up dropping last +inode reference (and thus deleting the inode) from places like +ext4_xattr_set_entry(). That function is called with transaction started +and so ext4_evict_inode() can deadlock against fs freezing like: + +CPU1 CPU2 + +removexattr() freeze_super() + vfs_removexattr() + ext4_xattr_set() + handle = ext4_journal_start() + ... + ext4_xattr_set_entry() + iput(old_ea_inode) + ext4_evict_inode(old_ea_inode) + sb->s_writers.frozen = SB_FREEZE_FS; + sb_wait_write(sb, SB_FREEZE_FS); + ext4_freeze() + jbd2_journal_lock_updates() + -> blocks waiting for all + handles to stop + sb_start_intwrite() + -> blocks as sb is already in SB_FREEZE_FS state + +Generally it is advisable to delete inodes from a separate transaction +as it can consume quite some credits however in this case it would be +quite clumsy and furthermore the credits for inode deletion are quite +limited and already accounted for. So just tweak ext4_evict_inode() to +avoid freeze protection if we have transaction already started and thus +it is not really needed anyway. 
+ +Cc: stable@vger.kernel.org +Fixes: dec214d00e0d ("ext4: xattr inode deduplication") +Signed-off-by: Jan Kara +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/20201127110649.24730-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -203,6 +203,7 @@ void ext4_evict_inode(struct inode *inod + */ + int extra_credits = 6; + struct ext4_xattr_inode_array *ea_inode_array = NULL; ++ bool freeze_protected = false; + + trace_ext4_evict_inode(inode); + +@@ -250,9 +251,14 @@ void ext4_evict_inode(struct inode *inod + + /* + * Protect us against freezing - iput() caller didn't have to have any +- * protection against it +- */ +- sb_start_intwrite(inode->i_sb); ++ * protection against it. When we are in a running transaction though, ++ * we are already protected against freezing and we cannot grab further ++ * protection due to lock ordering constraints. ++ */ ++ if (!ext4_journal_current_handle()) { ++ sb_start_intwrite(inode->i_sb); ++ freeze_protected = true; ++ } + + if (!IS_NOQUOTA(inode)) + extra_credits += EXT4_MAXQUOTAS_DEL_BLOCKS(inode->i_sb); +@@ -271,7 +277,8 @@ void ext4_evict_inode(struct inode *inod + * cleaned up. 
+ */ + ext4_orphan_del(NULL, inode); +- sb_end_intwrite(inode->i_sb); ++ if (freeze_protected) ++ sb_end_intwrite(inode->i_sb); + goto no_delete; + } + +@@ -312,7 +319,8 @@ void ext4_evict_inode(struct inode *inod + stop_handle: + ext4_journal_stop(handle); + ext4_orphan_del(NULL, inode); +- sb_end_intwrite(inode->i_sb); ++ if (freeze_protected) ++ sb_end_intwrite(inode->i_sb); + ext4_xattr_inode_array_free(ea_inode_array); + goto no_delete; + } +@@ -341,7 +349,8 @@ stop_handle: + else + ext4_free_inode(handle, inode); + ext4_journal_stop(handle); +- sb_end_intwrite(inode->i_sb); ++ if (freeze_protected) ++ sb_end_intwrite(inode->i_sb); + ext4_xattr_inode_array_free(ea_inode_array); + return; + no_delete: diff --git a/queue-4.19/ima-don-t-modify-file-descriptor-mode-on-the-fly.patch b/queue-4.19/ima-don-t-modify-file-descriptor-mode-on-the-fly.patch new file mode 100644 index 00000000000..7388795855d --- /dev/null +++ b/queue-4.19/ima-don-t-modify-file-descriptor-mode-on-the-fly.patch 
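Review bot: The guarded unlock now appears three times — after `ext4_orphan_del` in the no-handle path, at `stop_handle:`, and after `ext4_journal_stop` on the success path — each as `if (freeze_protected) sb_end_intwrite(inode->i_sb);`, and a reader has to verify all three stay paired with the single `sb_start_intwrite()`. A short comment on the `bool freeze_protected = false;` declaration would make the invariant explicit, e.g. `/* set when we took sb_start_intwrite() ourselves; every exit path must pair it with sb_end_intwrite() */`. ext4_evict_inode starts and ends outside the hunk.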
@@ -0,0 +1,75 @@ +From 207cdd565dfc95a0a5185263a567817b7ebf5467 Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Thu, 26 Nov 2020 11:34:56 +0100 +Subject: ima: Don't modify file descriptor mode on the fly + +From: Roberto Sassu + +commit 207cdd565dfc95a0a5185263a567817b7ebf5467 upstream. + +Commit a408e4a86b36b ("ima: open a new file instance if no read +permissions") already introduced a second open to measure a file when the +original file descriptor does not allow it. However, it didn't remove the +existing method of changing the mode of the original file descriptor, which +is still necessary if the current process does not have enough privileges +to open a new one. + +Changing the mode isn't really an option, as the filesystem might need to +do preliminary steps to make the read possible. Thus, this patch removes +the code and keeps the second open as the only option to measure a file +when it is unreadable with the original file descriptor. + +Cc: # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode +Fixes: 2fe5d6def1672 ("ima: integrity appraisal extension") +Signed-off-by: Roberto Sassu +Reviewed-by: Christoph Hellwig +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_crypto.c | 20 +++++--------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +--- a/security/integrity/ima/ima_crypto.c ++++ b/security/integrity/ima/ima_crypto.c +@@ -415,7 +415,7 @@ int ima_calc_file_hash(struct file *file + loff_t i_size; + int rc; + struct file *f = file; +- bool new_file_instance = false, modified_mode = false; ++ bool new_file_instance = false; + + /* + * For consistency, fail file's opened with the O_DIRECT flag on +@@ -433,18 +433,10 @@ int ima_calc_file_hash(struct file *file + O_TRUNC | O_CREAT | O_NOCTTY | O_EXCL); + flags |= O_RDONLY; + f = dentry_open(&file->f_path, flags, file->f_cred); +- if (IS_ERR(f)) { +- /* +- * Cannot open the file again, lets modify f_mode +- * of original and continue +- */ +- 
pr_info_ratelimited("Unable to reopen file for reading.\n"); +- f = file; +- f->f_mode |= FMODE_READ; +- modified_mode = true; +- } else { +- new_file_instance = true; +- } ++ if (IS_ERR(f)) ++ return PTR_ERR(f); ++ ++ new_file_instance = true; + } + + i_size = i_size_read(file_inode(f)); +@@ -459,8 +451,6 @@ int ima_calc_file_hash(struct file *file + out: + if (new_file_instance) + fput(f); +- else if (modified_mode) +- f->f_mode &= ~FMODE_READ; + return rc; + } + diff --git a/queue-4.19/jffs2-fix-gc-exit-abnormally.patch b/queue-4.19/jffs2-fix-gc-exit-abnormally.patch new file mode 100644 index 00000000000..db239da47ad --- /dev/null +++ b/queue-4.19/jffs2-fix-gc-exit-abnormally.patch 
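Review bot: The `if (IS_ERR(f)) return PTR_ERR(f);` path drops the ratelimited log the removed code had, so a file that cannot be reopened for reading is now left unmeasured with no trace other than the error code propagated to the caller. From a detection standpoint a measurement that silently fails is exactly what an operator needs to see; keeping `pr_info_ratelimited("Unable to reopen file for reading.\n");` before the return costs nothing. The surrounding comment should also say why the reopen is now mandatory, e.g. `/* a read-only reopen is the only supported way to measure a file opened without FMODE_READ; flipping f_mode on the caller's file is not safe */`. ima_calc_file_hash starts and ends outside the hunk.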
@@ -0,0 +1,76 @@ +From 9afc9a8a4909fece0e911e72b1060614ba2f7969 Mon Sep 17 00:00:00 2001 +From: Zhe Li +Date: Fri, 29 May 2020 11:37:11 +0800 +Subject: jffs2: Fix GC exit abnormally + +From: Zhe Li + +commit 9afc9a8a4909fece0e911e72b1060614ba2f7969 upstream. + +The log of this problem is: +jffs2: Error garbage collecting node at 0x***! +jffs2: No space for garbage collection. Aborting GC thread + +This is because GC believe that it do nothing, so it abort. + +After going over the image of jffs2, I find a scene that +can trigger this problem stably. +The scene is: there is a normal dirent node at summary-area, +but abnormal at corresponding not-summary-area with error +name_crc. + +The reason that GC exit abnormally is because it find that +abnormal dirent node to GC, but when it goes to function +jffs2_add_fd_to_list, it cannot meet the condition listed +below: + +if ((*prev)->nhash == new->nhash && !strcmp((*prev)->name, new->name)) + +So no node is marked obsolete, statistical information of +erase_block do not change, which cause GC exit abnormally. + +The root cause of this problem is: we do not check the +name_crc of the abnormal dirent node with summary is enabled. + +Noticed that in function jffs2_scan_dirent_node, we use +function jffs2_scan_dirty_space to deal with the dirent +node with error name_crc. So this patch add a checking +code in function read_direntry to ensure the correctness +of dirent node. If checked failed, the dirent node will +be marked obsolete so GC will pass this node and this +problem will be fixed. 
+ +Cc: +Signed-off-by: Zhe Li +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/readinode.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/fs/jffs2/readinode.c ++++ b/fs/jffs2/readinode.c +@@ -672,6 +672,22 @@ static inline int read_direntry(struct j + jffs2_free_full_dirent(fd); + return -EIO; + } ++ ++#ifdef CONFIG_JFFS2_SUMMARY ++ /* ++ * we use CONFIG_JFFS2_SUMMARY because without it, we ++ * have checked it while mounting ++ */ ++ crc = crc32(0, fd->name, rd->nsize); ++ if (unlikely(crc != je32_to_cpu(rd->name_crc))) { ++ JFFS2_NOTICE("name CRC failed on dirent node at" ++ "%#08x: read %#08x,calculated %#08x\n", ++ ref_offset(ref), je32_to_cpu(rd->node_crc), crc); ++ jffs2_mark_node_obsolete(c, ref); ++ jffs2_free_full_dirent(fd); ++ return 0; ++ } ++#endif + } + + fd->nhash = full_name_hash(NULL, fd->name, rd->nsize); diff --git a/queue-4.19/kvm-arm64-introduce-handling-of-aarch32-ttbcr2-traps.patch b/queue-4.19/kvm-arm64-introduce-handling-of-aarch32-ttbcr2-traps.patch new file mode 100644 index 00000000000..1710d977390 --- /dev/null +++ b/queue-4.19/kvm-arm64-introduce-handling-of-aarch32-ttbcr2-traps.patch 
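Review bot: The new `JFFS2_NOTICE` reports `je32_to_cpu(rd->node_crc)` as the value read, but the comparison two lines above is against `rd->name_crc`, so the log shows the wrong field; the two string pieces `"... dirent node at"` and `"%#08x: read ..."` also concatenate with no space. Suggested: `JFFS2_NOTICE("name CRC failed on dirent node at %#08x: read %#08x, calculated %#08x\n", ref_offset(ref), je32_to_cpu(rd->name_crc), crc);`. `crc` is assigned here but declared outside the hunk — confirm its type matches what `crc32()` returns. read_direntry starts and ends outside the hunk.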
@@ -0,0 +1,42 @@ +From ca4e514774930f30b66375a974b5edcbebaf0e7e Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 10 Nov 2020 11:10:15 +0000 +Subject: KVM: arm64: Introduce handling of AArch32 TTBCR2 traps + +From: Marc Zyngier + +commit ca4e514774930f30b66375a974b5edcbebaf0e7e upstream. + +ARMv8.2 introduced TTBCR2, which shares TCR_EL1 with TTBCR. +Gracefully handle traps to this register when HCR_EL2.TVM is set. + +Cc: stable@vger.kernel.org +Reported-by: James Morse +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/kvm_host.h | 1 + + arch/arm64/kvm/sys_regs.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -165,6 +165,7 @@ enum vcpu_sysreg { + #define c2_TTBR1 (TTBR1_EL1 * 2) /* Translation Table Base Register 1 */ + #define c2_TTBR1_high (c2_TTBR1 + 1) /* TTBR1 top 32 bits */ + #define c2_TTBCR (TCR_EL1 * 2) /* Translation Table Base Control R. */ ++#define c2_TTBCR2 (c2_TTBCR + 1) /* Translation Table Base Control R. 2 */ + #define c3_DACR (DACR32_EL2 * 2)/* Domain Access Control Register */ + #define c5_DFSR (ESR_EL1 * 2) /* Data Fault Status Register */ + #define c5_IFSR (IFSR32_EL2 * 2)/* Instruction Fault Status Register */ +--- a/arch/arm64/kvm/sys_regs.c ++++ b/arch/arm64/kvm/sys_regs.c +@@ -1661,6 +1661,7 @@ static const struct sys_reg_desc cp15_re + { Op1( 0), CRn( 2), CRm( 0), Op2( 0), access_vm_reg, NULL, c2_TTBR0 }, + { Op1( 0), CRn( 2), CRm( 0), Op2( 1), access_vm_reg, NULL, c2_TTBR1 }, + { Op1( 0), CRn( 2), CRm( 0), Op2( 2), access_vm_reg, NULL, c2_TTBCR }, ++ { Op1( 0), CRn( 2), CRm( 0), Op2( 3), access_vm_reg, NULL, c2_TTBCR2 }, + { Op1( 0), CRn( 3), CRm( 0), Op2( 0), access_vm_reg, NULL, c3_DACR }, + { Op1( 0), CRn( 5), CRm( 0), Op2( 0), access_vm_reg, NULL, c5_DFSR }, + { Op1( 0), CRn( 5), CRm( 0), Op2( 1), access_vm_reg, NULL, c5_IFSR }, 
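Review bot: `c2_TTBCR2 (c2_TTBCR + 1)` follows the `c2_TTBR1_high (c2_TTBR1 + 1)` convention of aliasing the upper 32 bits of the 64-bit EL1 register, but its comment `/* Translation Table Base Control R. 2 */` does not say so; suggest `/* TTBCR2: TCR_EL1 top 32 bits */` so the next reader does not take it for a separate register slot. The new sys_regs.c entry routes Op2(3) to access_vm_reg like its neighbours, which fits the shared storage, though whether access_vm_reg handles the high-half index correctly is outside the hunk.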
diff --git a/queue-4.19/powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__set_pte_at.patch b/queue-4.19/powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__set_pte_at.patch new file mode 100644 index 00000000000..cb90fc4cda7 --- /dev/null +++ b/queue-4.19/powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__set_pte_at.patch 
@@ -0,0 +1,63 @@ +From d85be8a49e733dcd23674aa6202870d54bf5600d Mon Sep 17 00:00:00 2001 +From: Mathieu Desnoyers +Date: Thu, 22 Oct 2020 09:29:20 +0000 +Subject: powerpc: Fix incorrect stw{, ux, u, x} instructions in __set_pte_at + +From: Mathieu Desnoyers + +commit d85be8a49e733dcd23674aa6202870d54bf5600d upstream. + +The placeholder for instruction selection should use the second +argument's operand, which is %1, not %0. This could generate incorrect +assembly code if the memory addressing of operand %0 is a different +form from that of operand %1. + +Also remove the %Un placeholder because having %Un placeholders +for two operands which are based on the same local var (ptep) doesn't +make much sense. By the way, it doesn't change the current behaviour +because "<>" constraint is missing for the associated "=m". + +[chleroy: revised commit log iaw segher's comments and removed %U0] + +Fixes: 9bf2b5cdc5fe ("powerpc: Fixes for CONFIG_PTE_64BIT for SMP support") +Cc: # v2.6.28+ +Signed-off-by: Mathieu Desnoyers +Signed-off-by: Christophe Leroy +Acked-by: Segher Boessenkool +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/96354bd77977a6a933fe9020da57629007fdb920.1603358942.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/book3s/32/pgtable.h | 4 ++-- + arch/powerpc/include/asm/nohash/pgtable.h | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/include/asm/book3s/32/pgtable.h ++++ b/arch/powerpc/include/asm/book3s/32/pgtable.h +@@ -434,9 +434,9 @@ static inline void __set_pte_at(struct m + if (pte_val(*ptep) & _PAGE_HASHPTE) + flush_hash_entry(mm, ptep, addr); + __asm__ __volatile__("\ +- stw%U0%X0 %2,%0\n\ ++ stw%X0 %2,%0\n\ + eieio\n\ +- stw%U0%X0 %L2,%1" ++ stw%X1 %L2,%1" + : "=m" (*ptep), "=m" (*((unsigned char *)ptep+4)) + : "r" (pte) : "memory"); + +--- a/arch/powerpc/include/asm/nohash/pgtable.h ++++ b/arch/powerpc/include/asm/nohash/pgtable.h +@@ -151,9 +151,9 
@@ static inline void __set_pte_at(struct m + */ + if (IS_ENABLED(CONFIG_PPC32) && IS_ENABLED(CONFIG_PTE_64BIT) && !percpu) { + __asm__ __volatile__("\ +- stw%U0%X0 %2,%0\n\ ++ stw%X0 %2,%0\n\ + eieio\n\ +- stw%U0%X0 %L2,%1" ++ stw%X1 %L2,%1" + : "=m" (*ptep), "=m" (*((unsigned char *)ptep+4)) + : "r" (pte) : "memory"); + return; diff --git a/queue-4.19/powerpc-powernv-memtrace-don-t-leak-kernel-memory-to-user-space.patch b/queue-4.19/powerpc-powernv-memtrace-don-t-leak-kernel-memory-to-user-space.patch new file mode 100644 index 00000000000..14a95aaaff1 --- /dev/null +++ b/queue-4.19/powerpc-powernv-memtrace-don-t-leak-kernel-memory-to-user-space.patch 
@@ -0,0 +1,103 @@ +From c74cf7a3d59a21b290fe0468f5b470d0b8ee37df Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 11 Nov 2020 15:53:15 +0100 +Subject: powerpc/powernv/memtrace: Don't leak kernel memory to user space + +From: David Hildenbrand + +commit c74cf7a3d59a21b290fe0468f5b470d0b8ee37df upstream. + +We currently leak kernel memory to user space, because memory +offlining doesn't do any implicit clearing of memory and we are +missing explicit clearing of memory. + +Let's keep it simple and clear pages before removing the linear +mapping. + +Reproduced in QEMU/TCG with 10 GiB of main memory: + [root@localhost ~]# dd obs=9G if=/dev/urandom of=/dev/null + [... wait until "free -m" used counter no longer changes and cancel] + 19665802+0 records in + 1+0 records out + 9663676416 bytes (9.7 GB, 9.0 GiB) copied, 135.548 s, 71.3 MB/s + [root@localhost ~]# cat /sys/devices/system/memory/block_size_bytes + 40000000 + [root@localhost ~]# echo 0x40000000 > /sys/kernel/debug/powerpc/memtrace/enable + [ 402.978663][ T1086] page:000000001bc4bc74 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24900 + [ 402.980063][ T1086] flags: 0x7ffff000001000(reserved) + [ 402.980415][ T1086] raw: 007ffff000001000 c00c000000924008 c00c000000924008 0000000000000000 + [ 402.980627][ T1086] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 + [ 402.980845][ T1086] page dumped because: unmovable page + [ 402.989608][ T1086] Offlined Pages 16384 + [ 403.324155][ T1086] memtrace: Allocated trace memory on node 0 at 0x0000000200000000 + +Before this patch: + [root@localhost ~]# hexdump -C /sys/kernel/debug/powerpc/memtrace/00000000/trace | head + 00000000 c8 25 72 51 4d 26 36 c5 5c c2 56 15 d5 1a cd 10 |.%rQM&6.\.V.....| + 00000010 19 b9 50 b2 cb e3 60 b8 ec 0a f3 ec 4b 3c 39 f0 |..P...`.....K<9.|$ + 00000020 4e 5a 4c cf bd 26 19 ff 37 79 13 67 24 b7 b8 57 |NZL..&..7y.g$..W|$ + 00000030 98 3e f5 be 6f 14 6a bd a4 52 bc 6e e9 e0 c1 5d 
|.>..o.j..R.n...]|$ + 00000040 76 b3 ae b5 88 d7 da e3 64 23 85 2c 10 88 07 b6 |v.......d#.,....|$ + 00000050 9a d8 91 de f7 50 27 69 2e 64 9c 6f d3 19 45 79 |.....P'i.d.o..Ey|$ + 00000060 6a 6f 8a 61 71 19 1f c7 f1 df 28 26 ca 0f 84 55 |jo.aq.....(&...U|$ + 00000070 01 3f be e4 e2 e1 da ff 7b 8c 8e 32 37 b4 24 53 |.?......{..27.$S|$ + 00000080 1b 70 30 45 56 e6 8c c4 0e b5 4c fb 9f dd 88 06 |.p0EV.....L.....|$ + 00000090 ef c4 18 79 f1 60 b1 5c 79 59 4d f4 36 d7 4a 5c |...y.`.\yYM.6.J\|$ + +After this patch: + [root@localhost ~]# hexdump -C /sys/kernel/debug/powerpc/memtrace/00000000/trace | head + 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| + * + 40000000 + +Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing") +Cc: stable@vger.kernel.org # v4.14+ +Reported-by: Michael Ellerman +Signed-off-by: David Hildenbrand +Reviewed-by: Oscar Salvador +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201111145322.15793-2-david@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/memtrace.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/arch/powerpc/platforms/powernv/memtrace.c ++++ b/arch/powerpc/platforms/powernv/memtrace.c +@@ -70,6 +70,23 @@ static int change_memblock_state(struct + return 0; + } + ++static void memtrace_clear_range(unsigned long start_pfn, ++ unsigned long nr_pages) ++{ ++ unsigned long pfn; ++ ++ /* ++ * As pages are offline, we cannot trust the memmap anymore. As HIGHMEM ++ * does not apply, avoid passing around "struct page" and use ++ * clear_page() instead directly. 
++ */ ++ for (pfn = start_pfn; pfn < start_pfn + nr_pages; pfn++) { ++ if (IS_ALIGNED(pfn, PAGES_PER_SECTION)) ++ cond_resched(); ++ clear_page(__va(PFN_PHYS(pfn))); ++ } ++} ++ + /* called with device_hotplug_lock held */ + static bool memtrace_offline_pages(u32 nid, u64 start_pfn, u64 nr_pages) + { +@@ -115,6 +132,11 @@ static u64 memtrace_alloc_node(u32 nid, + for (base_pfn = end_pfn; base_pfn > start_pfn; base_pfn -= nr_pages) { + if (memtrace_offline_pages(nid, base_pfn, nr_pages) == true) { + /* ++ * Clear the range while we still have a linear ++ * mapping. ++ */ ++ memtrace_clear_range(base_pfn, nr_pages); ++ /* + * Remove memory in memory block size chunks so that + * iomem resources are always split to the same size and + * we never try to remove memory that spans two iomem diff --git a/queue-4.19/powerpc-powernv-memtrace-fix-crashing-the-kernel-when-enabling-concurrently.patch b/queue-4.19/powerpc-powernv-memtrace-fix-crashing-the-kernel-when-enabling-concurrently.patch new file mode 100644 index 00000000000..f538c800961 --- /dev/null +++ b/queue-4.19/powerpc-powernv-memtrace-fix-crashing-the-kernel-when-enabling-concurrently.patch 
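Review bot: `memtrace_clear_range()` has no header comment stating its preconditions, which are the whole point of the fix: the pages are already offline and the range must still be covered by the linear mapping, since `__va(PFN_PHYS(pfn))` is dereferenced directly. The body comment covers the HIGHMEM/struct page reasoning but not the ordering with respect to the later memory removal. Suggest above the function: `/* Zero an offlined pfn range through the linear map. Must run before the range is removed and its mapping torn down; presumably called under device_hotplug_lock like memtrace_offline_pages(). */`. The call site is inside memtrace_alloc_node, which starts and ends outside the hunk.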
@@ -0,0 +1,96 @@ +From d6718941a2767fb383e105d257d2105fe4f15f0e Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 11 Nov 2020 15:53:16 +0100 +Subject: powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently + +From: David Hildenbrand + +commit d6718941a2767fb383e105d257d2105fe4f15f0e upstream. + +It's very easy to crash the kernel right now by simply trying to +enable memtrace concurrently, hammering on the "enable" interface + +loop.sh: + #!/bin/bash + + dmesg --console-off + + while true; do + echo 0x40000000 > /sys/kernel/debug/powerpc/memtrace/enable + done + +[root@localhost ~]# loop.sh & +[root@localhost ~]# loop.sh & + +Resulting quickly in a kernel crash. Let's properly protect using a +mutex. + +Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing") +Cc: stable@vger.kernel.org# v4.14+ +Signed-off-by: David Hildenbrand +Reviewed-by: Oscar Salvador +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201111145322.15793-3-david@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/memtrace.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/arch/powerpc/platforms/powernv/memtrace.c ++++ b/arch/powerpc/platforms/powernv/memtrace.c +@@ -33,6 +33,7 @@ struct memtrace_entry { + char name[16]; + }; + ++static DEFINE_MUTEX(memtrace_mutex); + static u64 memtrace_size; + + static struct memtrace_entry *memtrace_array; +@@ -294,6 +295,7 @@ static int memtrace_online(void) + + static int memtrace_enable_set(void *data, u64 val) + { ++ int rc = -EAGAIN; + u64 bytes; + + /* +@@ -306,25 +308,31 @@ static int memtrace_enable_set(void *dat + return -EINVAL; + } + ++ mutex_lock(&memtrace_mutex); ++ + /* Re-add/online previously removed/offlined memory */ + if (memtrace_size) { + if (memtrace_online()) +- return -EAGAIN; ++ goto out_unlock; + } + +- if (!val) +- return 0; ++ if (!val) { ++ rc = 0; ++ goto out_unlock; ++ } + + 
/* Offline and remove memory */ + if (memtrace_init_regions_runtime(val)) +- return -EINVAL; ++ goto out_unlock; + + if (memtrace_init_debugfs()) +- return -EINVAL; ++ goto out_unlock; + + memtrace_size = val; +- +- return 0; ++ rc = 0; ++out_unlock: ++ mutex_unlock(&memtrace_mutex); ++ return rc; + } + + static int memtrace_enable_get(void *data, u64 *val) diff --git a/queue-4.19/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-filter.patch b/queue-4.19/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-filter.patch new file mode 100644 index 00000000000..37f826220b6 --- /dev/null +++ b/queue-4.19/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-filter.patch 
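Review bot: With `int rc = -EAGAIN;` as the only initial value, the two `goto out_unlock` statements that replace `return -EINVAL;` after `memtrace_init_regions_runtime(val)` and after `memtrace_init_debugfs()` now report -EAGAIN to userspace where the old code reported -EINVAL, a change the description does not mention. Inserting `rc = -EINVAL;` immediately before each of those two gotos keeps the previous error codes while preserving the single unlock path. memtrace_enable_get, whose signature closes the hunk, presumably still reads memtrace_size without taking the new memtrace_mutex; its body is outside the hunk, so that is inferred rather than seen.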
@@ -0,0 +1,48 @@
+From f10881a46f8914428110d110140a455c66bdf27b Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler
+Date: Tue, 8 Dec 2020 13:54:34 -0600
+Subject: powerpc/rtas: Fix typo of ibm,open-errinjct in RTAS filter
+
+From: Tyrel Datwyler
+
+commit f10881a46f8914428110d110140a455c66bdf27b upstream.
+
+Commit bd59380c5ba4 ("powerpc/rtas: Restrict RTAS requests from userspace")
+introduced the following error when invoking the errinjct userspace
+tool:
+
+ [root@ltcalpine2-lp5 librtas]# errinjct open
+ [327884.071171] sys_rtas: RTAS call blocked - exploit attempt?
+ [327884.071186] sys_rtas: token=0x26, nargs=0 (called by errinjct)
+ errinjct: Could not open RTAS error injection facility
+ errinjct: librtas: open: Unexpected I/O error
+
+The entry for ibm,open-errinjct in rtas_filter array has a typo where
+the "j" is omitted in the rtas call name. After fixing this typo the
+errinjct tool functions again as expected.
+
+ [root@ltcalpine2-lp5 linux]# errinjct open
+ RTAS error injection facility open, token = 1
+
+Fixes: bd59380c5ba4 ("powerpc/rtas: Restrict RTAS requests from userspace")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyrel Datwyler
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20201208195434.8289-1-tyreld@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/rtas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -1095,7 +1095,7 @@ static struct rtas_filter rtas_filters[]
+ { "ibm,display-message", -1, 0, -1, -1, -1 },
+ { "ibm,errinjct", -1, 2, -1, -1, -1, 1024 },
+ { "ibm,close-errinjct", -1, -1, -1, -1, -1 },
+- { "ibm,open-errinct", -1, -1, -1, -1, -1 },
++ { "ibm,open-errinjct", -1, -1, -1, -1, -1 },
+ { "ibm,get-config-addr-info2", -1, -1, -1, -1, -1 },
+ { "ibm,get-dynamic-sensor-state", -1, 1, -1, -1, -1 },
+ { "ibm,get-indices", -1, 2, 3, -1, -1 },
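Review bot: A mistyped name in `rtas_filters[]` fails closed, as the blocked-call log in the description shows, and nothing visible at build time catches an entry whose string matches no RTAS call; a comment above the table would help the next person adding an entry, e.g. `/* Names must match the RTAS call name exactly; an unmatched entry silently blocks that call. */`. The table's start is outside the hunk.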
diff --git a/queue-4.19/powerpc-xmon-change-printk-to-pr_cont.patch b/queue-4.19/powerpc-xmon-change-printk-to-pr_cont.patch
new file mode 100644
index 00000000000..7ef7c6586dc
--- /dev/null
+++ b/queue-4.19/powerpc-xmon-change-printk-to-pr_cont.patch
@@ -0,0 +1,66 @@ +From 7c6c86b36a36dd4a13d30bba07718e767aa2e7a1 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Fri, 4 Dec 2020 10:35:38 +0000 +Subject: powerpc/xmon: Change printk() to pr_cont() + +From: Christophe Leroy + +commit 7c6c86b36a36dd4a13d30bba07718e767aa2e7a1 upstream. + +Since some time now, printk() adds carriage return, leading to +unusable xmon output if there is no udbg backend available: + + [ 54.288722] sysrq: Entering xmon + [ 54.292209] Vector: 0 at [cace3d2c] + [ 54.292274] pc: + [ 54.292331] c0023650 + [ 54.292468] : xmon+0x28/0x58 + [ 54.292519] + [ 54.292574] lr: + [ 54.292630] c0023724 + [ 54.292749] : sysrq_handle_xmon+0xa4/0xfc + [ 54.292801] + [ 54.292867] sp: cace3de8 + [ 54.292931] msr: 9032 + [ 54.292999] current = 0xc28d0000 + [ 54.293072] pid = 377, comm = sh + [ 54.293157] Linux version 5.10.0-rc6-s3k-dev-01364-gedf13f0ccd76-dirty (root@po17688vm.idsi0.si.c-s.fr) (powerpc64-linux-gcc (GCC) 10.1.0, GNU ld (GNU Binutils) 2.34) #4211 PREEMPT Fri Dec 4 09:32:11 UTC 2020 + [ 54.293287] enter ? for help + [ 54.293470] [cace3de8] + [ 54.293532] c0023724 + [ 54.293654] sysrq_handle_xmon+0xa4/0xfc + [ 54.293711] (unreliable) + ... + [ 54.296002] + [ 54.296159] --- Exception: c01 (System Call) at + [ 54.296217] 0fd4e784 + [ 54.296303] + [ 54.296375] SP (7fca6ff0) is in userspace + [ 54.296431] mon> + [ 54.296484] + +Use pr_cont() instead. 
+ +Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines") +Cc: stable@vger.kernel.org # v4.9+ +Signed-off-by: Christophe Leroy +[mpe: Mention that it only happens when udbg is not available] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/c8a6ec704416ecd5ff2bd26213c9bc026bdd19de.1607077340.git.christophe.leroy@csgroup.eu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/xmon/nonstdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/xmon/nonstdio.c ++++ b/arch/powerpc/xmon/nonstdio.c +@@ -182,7 +182,7 @@ void xmon_printf(const char *format, ... + + if (n && rc == 0) { + /* No udbg hooks, fallback to printk() - dangerous */ +- printk("%s", xmon_outbuf); ++ pr_cont("%s", xmon_outbuf); + } + } + diff --git a/queue-4.19/series b/queue-4.19/series index 7cb649dc6c7..d80e94ac801 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
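Review bot: The comment on the line above the changed call still says `fallback to printk()` while the call is now `pr_cont()`; update it to `/* No udbg hooks, fall back to pr_cont() - dangerous */` so the reason for the continuation-level call (the fragmented output shown in the description) is recorded next to the code. xmon_printf's body starts outside the hunk.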
@@ -295,3 +295,19 @@ usb-serial-keyspan_pda-fix-stalled-writes.patch
 usb-serial-keyspan_pda-fix-write-wakeup-use-after-free.patch
 usb-serial-keyspan_pda-fix-tx-unthrottle-use-after-free.patch
 usb-serial-keyspan_pda-fix-write-unthrottling.patch
+ext4-fix-a-memory-leak-of-ext4_free_data.patch
+ext4-fix-deadlock-with-fs-freezing-and-ea-inodes.patch
+kvm-arm64-introduce-handling-of-aarch32-ttbcr2-traps.patch
+arm-dts-pandaboard-fix-pinmux-for-gpio-user-button-of-pandaboard-es.patch
+arm-dts-at91-sama5d2-fix-can-message-ram-offset-and-size.patch
+powerpc-fix-incorrect-stw-ux-u-x-instructions-in-__set_pte_at.patch
+powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-filter.patch
+powerpc-xmon-change-printk-to-pr_cont.patch
+powerpc-powernv-memtrace-don-t-leak-kernel-memory-to-user-space.patch
+powerpc-powernv-memtrace-fix-crashing-the-kernel-when-enabling-concurrently.patch
+ima-don-t-modify-file-descriptor-mode-on-the-fly.patch
+ceph-fix-race-in-concurrent-__ceph_remove_cap-invocations.patch
+smb3-avoid-confusing-warning-message-on-mount-to-azure.patch
+smb3.1.1-do-not-log-warning-message-if-server-doesn-t-populate-salt.patch
+ubifs-wbuf-don-t-leak-kernel-memory-to-flash.patch
+jffs2-fix-gc-exit-abnormally.patch
diff --git a/queue-4.19/smb3-avoid-confusing-warning-message-on-mount-to-azure.patch b/queue-4.19/smb3-avoid-confusing-warning-message-on-mount-to-azure.patch
new file mode 100644
index 00000000000..70117d6d706
--- /dev/null
+++ b/queue-4.19/smb3-avoid-confusing-warning-message-on-mount-to-azure.patch
@@ -0,0 +1,40 @@
+From ebcd6de98754d9b6a5f89d7835864b1c365d432f Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Tue, 8 Dec 2020 21:13:31 -0600
+Subject: SMB3: avoid confusing warning message on mount to Azure
+
+From: Steve French
+
+commit ebcd6de98754d9b6a5f89d7835864b1c365d432f upstream.
+
+Mounts to Azure cause an unneeded warning message in dmesg
+ "CIFS: VFS: parse_server_interfaces: incomplete interface info"
+
+Azure rounds up the size (by 8 additional bytes, to a
+16 byte boundary) of the structure returned on the query
+of the server interfaces at mount time. This is permissible
+even though different than other servers so do not log a warning
+if query network interfaces response is only rounded up by 8
+bytes or fewer.
+
+CC: Stable
+Reviewed-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/smb2ops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -366,7 +366,8 @@ parse_server_interfaces(struct network_i
+ goto out;
+ }
+
+- if (bytes_left || p->Next)
++ /* Azure rounds the buffer size up 8, to a 16 byte boundary */
++ if ((bytes_left > 8) || p->Next)
+ cifs_dbg(VFS, "%s: incomplete interface info\n", __func__);
+
+
diff --git a/queue-4.19/smb3.1.1-do-not-log-warning-message-if-server-doesn-t-populate-salt.patch b/queue-4.19/smb3.1.1-do-not-log-warning-message-if-server-doesn-t-populate-salt.patch
new file mode 100644
index 00000000000..0158f52e238
--- /dev/null
+++ b/queue-4.19/smb3.1.1-do-not-log-warning-message-if-server-doesn-t-populate-salt.patch
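Review bot: The new condition `if ((bytes_left > 8) || p->Next)` encodes the tolerated slack as a bare 8 while the comment beside it speaks of a 16-byte boundary; rounding to 16 can leave anywhere from 1 to 15 trailing bytes unless the interface structure's size is itself a multiple of 8, so either state that assumption in the comment (`/* Azure pads to a 16 byte boundary; with an 8-byte-multiple struct size that leaves 0 or 8 bytes */`) or give the threshold a named constant. The old `if (bytes_left || ...)` also fired on a negative bytes_left if that variable is signed, whereas `> 8` is silent for it; the declaration is outside the hunk, so this is only worth confirming. Since the check only gates a cifs_dbg message it cannot hide a short buffer from the parsing above it, but parse_server_interfaces begins outside the hunk.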
@@ -0,0 +1,87 @@ +From 7955f105afb6034af344038d663bc98809483cdd Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Wed, 9 Dec 2020 22:19:00 -0600 +Subject: SMB3.1.1: do not log warning message if server doesn't populate salt + +From: Steve French + +commit 7955f105afb6034af344038d663bc98809483cdd upstream. + +In the negotiate protocol preauth context, the server is not required +to populate the salt (although it is done by most servers) so do +not warn on mount. + +We retain the checks (warn) that the preauth context is the minimum +size and that the salt does not exceed DataLength of the SMB response. +Although we use the defaults in the case that the preauth context +response is invalid, these checks may be useful in the future +as servers add support for additional mechanisms. + +CC: Stable +Reviewed-by: Shyam Prasad N +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 7 +++++-- + fs/cifs/smb2pdu.h | 14 +++++++++++--- + 2 files changed, 16 insertions(+), 5 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -406,8 +406,8 @@ build_preauth_ctxt(struct smb2_preauth_n + pneg_ctxt->ContextType = SMB2_PREAUTH_INTEGRITY_CAPABILITIES; + pneg_ctxt->DataLength = cpu_to_le16(38); + pneg_ctxt->HashAlgorithmCount = cpu_to_le16(1); +- pneg_ctxt->SaltLength = cpu_to_le16(SMB311_SALT_SIZE); +- get_random_bytes(pneg_ctxt->Salt, SMB311_SALT_SIZE); ++ pneg_ctxt->SaltLength = cpu_to_le16(SMB311_LINUX_CLIENT_SALT_SIZE); ++ get_random_bytes(pneg_ctxt->Salt, SMB311_LINUX_CLIENT_SALT_SIZE); + pneg_ctxt->HashAlgorithms = SMB2_PREAUTH_INTEGRITY_SHA512; + } + +@@ -461,6 +461,9 @@ static void decode_preauth_context(struc + if (len < MIN_PREAUTH_CTXT_DATA_LEN) { + printk_once(KERN_WARNING "server sent bad preauth context\n"); + return; ++ } else if (len < MIN_PREAUTH_CTXT_DATA_LEN + le16_to_cpu(ctxt->SaltLength)) { ++ pr_warn_once("server sent invalid SaltLength\n"); ++ return; + } + if 
(le16_to_cpu(ctxt->HashAlgorithmCount) != 1) + printk_once(KERN_WARNING "illegal SMB3 hash algorithm count\n"); +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -257,12 +257,20 @@ struct smb2_neg_context { + /* Followed by array of data */ + } __packed; + +-#define SMB311_SALT_SIZE 32 ++#define SMB311_LINUX_CLIENT_SALT_SIZE 32 + /* Hash Algorithm Types */ + #define SMB2_PREAUTH_INTEGRITY_SHA512 cpu_to_le16(0x0001) + #define SMB2_PREAUTH_HASH_SIZE 64 + +-#define MIN_PREAUTH_CTXT_DATA_LEN (SMB311_SALT_SIZE + 6) ++/* ++ * SaltLength that the server send can be zero, so the only three required ++ * fields (all __le16) end up six bytes total, so the minimum context data len ++ * in the response is six bytes which accounts for ++ * ++ * HashAlgorithmCount, SaltLength, and 1 HashAlgorithm. ++ */ ++#define MIN_PREAUTH_CTXT_DATA_LEN 6 ++ + struct smb2_preauth_neg_context { + __le16 ContextType; /* 1 */ + __le16 DataLength; +@@ -270,7 +278,7 @@ struct smb2_preauth_neg_context { + __le16 HashAlgorithmCount; /* 1 */ + __le16 SaltLength; + __le16 HashAlgorithms; /* HashAlgorithms[0] since only one defined */ +- __u8 Salt[SMB311_SALT_SIZE]; ++ __u8 Salt[SMB311_LINUX_CLIENT_SALT_SIZE]; + } __packed; + + /* Encryption Algorithms Ciphers */ diff --git a/queue-4.19/ubifs-wbuf-don-t-leak-kernel-memory-to-flash.patch b/queue-4.19/ubifs-wbuf-don-t-leak-kernel-memory-to-flash.patch new file mode 100644 index 00000000000..ad988714cf3 --- /dev/null +++ b/queue-4.19/ubifs-wbuf-don-t-leak-kernel-memory-to-flash.patch 
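Review bot: The new `else if` branch uses `pr_warn_once(...)` while the branches on either side of it in the same function keep `printk_once(KERN_WARNING ...)`; the three messages should use one form. The added bound only establishes that SaltLength fits inside DataLength; if anything later in decode_preauth_context copies the server-supplied salt into the client's `Salt[SMB311_LINUX_CLIENT_SALT_SIZE]` array, a separate comparison against that array size is still needed, and since the rest of the function is outside the hunk that is inferred rather than seen. The new header comment reads `SaltLength that the server send can be zero`; `sends` is intended.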
@@ -0,0 +1,69 @@ +From 20f1431160c6b590cdc269a846fc5a448abf5b98 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Mon, 16 Nov 2020 22:05:30 +0100 +Subject: ubifs: wbuf: Don't leak kernel memory to flash + +From: Richard Weinberger + +commit 20f1431160c6b590cdc269a846fc5a448abf5b98 upstream. + +Write buffers use a kmalloc()'ed buffer, they can leak +up to seven bytes of kernel memory to flash if writes are not +aligned. +So use ubifs_pad() to fill these gaps with padding bytes. +This was never a problem while scanning because the scanner logic +manually aligns node lengths and skips over these gaps. + +Cc: +Fixes: 1e51764a3c2ac05a2 ("UBIFS: add new flash file system") +Signed-off-by: Richard Weinberger +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/io.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/fs/ubifs/io.c ++++ b/fs/ubifs/io.c +@@ -331,7 +331,7 @@ void ubifs_pad(const struct ubifs_info * + { + uint32_t crc; + +- ubifs_assert(c, pad >= 0 && !(pad & 7)); ++ ubifs_assert(c, pad >= 0); + + if (pad >= UBIFS_PAD_NODE_SZ) { + struct ubifs_ch *ch = buf; +@@ -728,6 +728,10 @@ int ubifs_wbuf_write_nolock(struct ubifs + * write-buffer. + */ + memcpy(wbuf->buf + wbuf->used, buf, len); ++ if (aligned_len > len) { ++ ubifs_assert(c, aligned_len - len < 8); ++ ubifs_pad(c, wbuf->buf + wbuf->used + len, aligned_len - len); ++ } + + if (aligned_len == wbuf->avail) { + dbg_io("flush jhead %s wbuf to LEB %d:%d", +@@ -820,13 +824,18 @@ int ubifs_wbuf_write_nolock(struct ubifs + } + + spin_lock(&wbuf->lock); +- if (aligned_len) ++ if (aligned_len) { + /* + * And now we have what's left and what does not take whole + * max. write unit, so write it to the write-buffer and we are + * done. 
+ */ + memcpy(wbuf->buf, buf + written, len); ++ if (aligned_len > len) { ++ ubifs_assert(c, aligned_len - len < 8); ++ ubifs_pad(c, wbuf->buf + len, aligned_len - len); ++ } ++ } + + if (c->leb_size - wbuf->offs >= c->max_write_size) + wbuf->size = c->max_write_size; -- 2.47.3
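Review bot: The new padding block `if (aligned_len > len) { ubifs_assert(c, aligned_len - len < 8); ubifs_pad(c, ..., aligned_len - len); }` is repeated verbatim at both write sites in ubifs_wbuf_write_nolock, differing only in the destination pointer; a small static helper removes the duplication and keeps the `< 8` invariant in one place. The literal 8 is the same write-unit alignment that the dropped `!(pad & 7)` assertion in ubifs_pad encoded, so a named constant or a comment tying the two together would help; ubifs_assert is a debugging check, so ubifs_pad must cope with any gap on its own, which the description says it does. Both hunks sit inside ubifs_wbuf_write_nolock, whose start is outside the hunk.
```c
/* Fill the gap between a node and its 8-byte-aligned length with padding bytes. */
static void wbuf_pad_tail(const struct ubifs_info *c, void *dst, int len,
			  int aligned_len)
{
	if (aligned_len > len) {
		ubifs_assert(c, aligned_len - len < 8);
		ubifs_pad(c, dst + len, aligned_len - len);
	}
}

/* … unchanged: first write site up to the memcpy … */
	memcpy(wbuf->buf + wbuf->used, buf, len);
	wbuf_pad_tail(c, wbuf->buf + wbuf->used, len, aligned_len);
/* … unchanged: through the second write site … */
	memcpy(wbuf->buf, buf + written, len);
	wbuf_pad_tail(c, wbuf->buf, len, aligned_len);
```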