From 43dd69fd598e2bc0b5fd4d431be2fd1e5ff283a4 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 23 Aug 2020 17:41:35 -0400 Subject: [PATCH] Fixes for 4.4 Signed-off-by: Sasha Levin --- ...annotation-of-io-read-write-16-32-be.patch | 57 ++++++ ...ext4-clean-up-ext4_match-and-callers.patch | 165 ++++++++++++++++++ ...g-of-directory-entry-validity-for-in.patch | 60 +++++++ ...d-a-newline-when-printing-proto-by-s.patch | 39 +++++ queue-4.4/jffs2-fix-uaf-problem.patch | 80 +++++++++ ...erwriting-of-bits-in-coldfire-v3-cac.patch | 52 ++++++ ...e-improve-exception-handling-in-budg.patch | 56 ++++++ ...edia-vpss-clean-up-resources-in-init.patch | 66 +++++++ ...skb-in-fc_disc_gpn_id_resp-for-valid.patch | 66 +++++++ queue-4.4/series | 12 ++ ...d-loop-when-vq-is-broken-in-virtqueu.patch | 53 ++++++ ...s-fix-inode-quota-reservation-checks.patch | 56 ++++++ ...san-null-ptr-deref-in-xfs_sysfs_init.patch | 59 +++++++ 13 files changed, 821 insertions(+) create mode 100644 queue-4.4/alpha-fix-annotation-of-io-read-write-16-32-be.patch create mode 100644 queue-4.4/ext4-clean-up-ext4_match-and-callers.patch create mode 100644 queue-4.4/ext4-fix-checking-of-directory-entry-validity-for-in.patch create mode 100644 queue-4.4/input-psmouse-add-a-newline-when-printing-proto-by-s.patch create mode 100644 queue-4.4/jffs2-fix-uaf-problem.patch create mode 100644 queue-4.4/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch create mode 100644 queue-4.4/media-budget-core-improve-exception-handling-in-budg.patch create mode 100644 queue-4.4/media-vpss-clean-up-resources-in-init.patch create mode 100644 queue-4.4/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch create mode 100644 queue-4.4/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch create mode 100644 queue-4.4/xfs-fix-inode-quota-reservation-checks.patch create mode 100644 queue-4.4/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch diff --git a/queue-4.4/alpha-fix-annotation-of-io-read-write-16-32-be.patch b/queue-4.4/alpha-fix-annotation-of-io-read-write-16-32-be.patch new file mode 100644 index 00000000000..91663051331 --- /dev/null +++ b/queue-4.4/alpha-fix-annotation-of-io-read-write-16-32-be.patch @@ -0,0 +1,57 @@ +From 8ad6687af834b1455fddd66d0225b6d074e3dad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 18:33:54 -0700 +Subject: alpha: fix annotation of io{read,write}{16,32}be() + +From: Luc Van Oostenryck + +[ Upstream commit bd72866b8da499e60633ff28f8a4f6e09ca78efe ] + +These accessors must be used to read/write a big-endian bus. The value +returned or written is native-endian. + +However, these accessors are defined using be{16,32}_to_cpu() or +cpu_to_be{16,32}() to make the endian conversion but these expect a +__be{16,32} when none is present. Keeping them would need a force cast +that would solve nothing at all. + +So, do the conversion using swab{16,32}, like done in asm-generic for +similar situations. + +Reported-by: kernel test robot +Signed-off-by: Luc Van Oostenryck +Signed-off-by: Andrew Morton +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Cc: Matt Turner +Cc: Stephen Boyd +Cc: Arnd Bergmann +Link: http://lkml.kernel.org/r/20200622114232.80039-1-luc.vanoostenryck@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/alpha/include/asm/io.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h +index ff4049155c840..355aec0867f4d 100644 +--- a/arch/alpha/include/asm/io.h ++++ b/arch/alpha/include/asm/io.h +@@ -491,10 +491,10 @@ extern inline void writeq(u64 b, volatile void __iomem *addr) + } + #endif + +-#define ioread16be(p) be16_to_cpu(ioread16(p)) +-#define ioread32be(p) be32_to_cpu(ioread32(p)) +-#define iowrite16be(v,p) iowrite16(cpu_to_be16(v), (p)) +-#define iowrite32be(v,p) iowrite32(cpu_to_be32(v), (p)) ++#define ioread16be(p) swab16(ioread16(p)) ++#define ioread32be(p) swab32(ioread32(p)) ++#define iowrite16be(v,p) iowrite16(swab16(v), (p)) ++#define iowrite32be(v,p) iowrite32(swab32(v), (p)) + + #define inb_p inb + #define inw_p inw +-- +2.25.1 + diff --git a/queue-4.4/ext4-clean-up-ext4_match-and-callers.patch b/queue-4.4/ext4-clean-up-ext4_match-and-callers.patch new file mode 100644 index 00000000000..4bee3123d85 --- /dev/null +++ b/queue-4.4/ext4-clean-up-ext4_match-and-callers.patch @@ -0,0 +1,165 @@ +From 12e9a53afa9956f12d257de1a5fce9ad95f3ee2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2017 10:00:13 -0700 +Subject: ext4: clean up ext4_match() and callers + +From: Eric Biggers + +[ Upstream commit d9b9f8d5a88cb7881d9f1c2b7e9de9a3fe1dc9e2 ] + +When ext4 encryption was originally merged, we were encrypting the +user-specified filename in ext4_match(), introducing a lot of additional +complexity into ext4_match() and its callers. This has since been +changed to encrypt the filename earlier, so we can remove the gunk +that's no longer needed. This more or less reverts ext4_search_dir() +and ext4_find_dest_de() to the way they were in the v4.0 kernel. + +Signed-off-by: Eric Biggers +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 81 +++++++++++++++---------------------------------- + 1 file changed, 25 insertions(+), 56 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 566a8b08ccdd6..eb41fb189d4b3 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1226,19 +1226,18 @@ static void dx_insert_block(struct dx_frame *frame, u32 hash, ext4_lblk_t block) + } + + /* +- * NOTE! unlike strncmp, ext4_match returns 1 for success, 0 for failure. ++ * Test whether a directory entry matches the filename being searched for. + * +- * `len <= EXT4_NAME_LEN' is guaranteed by caller. +- * `de != NULL' is guaranteed by caller. ++ * Return: %true if the directory entry matches, otherwise %false. + */ +-static inline int ext4_match(struct ext4_filename *fname, +- struct ext4_dir_entry_2 *de) ++static inline bool ext4_match(const struct ext4_filename *fname, ++ const struct ext4_dir_entry_2 *de) + { + const void *name = fname_name(fname); + u32 len = fname_len(fname); + + if (!de->inode) +- return 0; ++ return false; + + #ifdef CONFIG_EXT4_FS_ENCRYPTION + if (unlikely(!name)) { +@@ -1270,48 +1269,31 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + struct ext4_dir_entry_2 * de; + char * dlimit; + int de_len; +- int res; + + de = (struct ext4_dir_entry_2 *)search_buf; + dlimit = search_buf + buf_size; + while ((char *) de < dlimit) { + /* this code is executed quadratically often */ + /* do minimal checking `by hand' */ +- if ((char *) de + de->name_len <= dlimit) { +- res = ext4_match(fname, de); +- if (res < 0) { +- res = -1; +- goto return_result; +- } +- if (res > 0) { +- /* found a match - just to be sure, do +- * a full check */ +- if (ext4_check_dir_entry(dir, NULL, de, bh, +- bh->b_data, +- bh->b_size, offset)) { +- res = -1; +- goto return_result; +- } +- *res_dir = de; +- res = 1; +- goto return_result; +- } +- ++ if ((char *) de + de->name_len <= dlimit && ++ ext4_match(fname, de)) { ++ /* found a match - just to be sure, do ++ * a full check */ ++ if (ext4_check_dir_entry(dir, NULL, de, bh, bh->b_data, ++ bh->b_size, offset)) ++ return -1; ++ *res_dir = de; ++ return 1; + } + /* prevent looping on a bad block */ + de_len = ext4_rec_len_from_disk(de->rec_len, + dir->i_sb->s_blocksize); +- if (de_len <= 0) { +- res = -1; +- goto return_result; +- } ++ if (de_len <= 0) ++ return -1; + offset += de_len; + de = (struct ext4_dir_entry_2 *) ((char *) de + de_len); + } +- +- res = 0; +-return_result: +- return res; ++ return 0; + } + + static int is_dx_internal_node(struct inode *dir, ext4_lblk_t block, +@@ -1824,24 +1806,15 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode, + int nlen, rlen; + unsigned int offset = 0; + char *top; +- int res; + + de = (struct ext4_dir_entry_2 *)buf; + top = buf + buf_size - reclen; + while ((char *) de <= top) { + if (ext4_check_dir_entry(dir, NULL, de, bh, +- buf, buf_size, offset)) { +- res = -EFSCORRUPTED; +- goto return_result; +- } +- /* Provide crypto context and crypto buffer to ext4 match */ +- res = ext4_match(fname, de); +- if (res < 0) +- goto return_result; +- if (res > 0) { +- res = -EEXIST; +- goto return_result; +- } ++ buf, buf_size, offset)) ++ return -EFSCORRUPTED; ++ if (ext4_match(fname, de)) ++ return -EEXIST; + nlen = EXT4_DIR_REC_LEN(de->name_len); + rlen = ext4_rec_len_from_disk(de->rec_len, buf_size); + if ((de->inode ? rlen - nlen : rlen) >= reclen) +@@ -1849,15 +1822,11 @@ int ext4_find_dest_de(struct inode *dir, struct inode *inode, + de = (struct ext4_dir_entry_2 *)((char *)de + rlen); + offset += rlen; + } +- + if ((char *) de > top) +- res = -ENOSPC; +- else { +- *dest_de = de; +- res = 0; +- } +-return_result: +- return res; ++ return -ENOSPC; ++ ++ *dest_de = de; ++ return 0; + } + + int ext4_insert_dentry(struct inode *dir, +-- +2.25.1 + diff --git a/queue-4.4/ext4-fix-checking-of-directory-entry-validity-for-in.patch b/queue-4.4/ext4-fix-checking-of-directory-entry-validity-for-in.patch new file mode 100644 index 00000000000..f962843b9cd --- /dev/null +++ b/queue-4.4/ext4-fix-checking-of-directory-entry-validity-for-in.patch @@ -0,0 +1,60 @@ +From 2b3c025f77db462036740efd42a8603faeb83090 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 18:21:35 +0200 +Subject: ext4: fix checking of directory entry validity for inline directories + +From: Jan Kara + +[ Upstream commit 7303cb5bfe845f7d43cd9b2dbd37dbb266efda9b ] + +ext4_search_dir() and ext4_generic_delete_entry() can be called both for +standard director blocks and for inline directories stored inside inode +or inline xattr space. For the second case we didn't call +ext4_check_dir_entry() with proper constraints that could result in +accepting corrupted directory entry as well as false positive filesystem +errors like: + +EXT4-fs error (device dm-0): ext4_search_dir:1395: inode #28320400: +block 113246792: comm dockerd: bad entry in directory: directory entry too +close to block end - offset=0, inode=28320403, rec_len=32, name_len=8, +size=4096 + +Fix the arguments passed to ext4_check_dir_entry(). + +Fixes: 109ba779d6cc ("ext4: check for directory entries too close to block end") +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20200731162135.8080-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/namei.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index eb41fb189d4b3..faf142a6fa8bb 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1279,8 +1279,8 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, + ext4_match(fname, de)) { + /* found a match - just to be sure, do + * a full check */ +- if (ext4_check_dir_entry(dir, NULL, de, bh, bh->b_data, +- bh->b_size, offset)) ++ if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf, ++ buf_size, offset)) + return -1; + *res_dir = de; + return 1; +@@ -2312,7 +2312,7 @@ int ext4_generic_delete_entry(handle_t *handle, + de = (struct ext4_dir_entry_2 *)entry_buf; + while (i < buf_size - csum_size) { + if (ext4_check_dir_entry(dir, NULL, de, bh, +- bh->b_data, bh->b_size, i)) ++ entry_buf, buf_size, i)) + return -EFSCORRUPTED; + if (de == de_del) { + if (pde) +-- +2.25.1 + diff --git a/queue-4.4/input-psmouse-add-a-newline-when-printing-proto-by-s.patch b/queue-4.4/input-psmouse-add-a-newline-when-printing-proto-by-s.patch new file mode 100644 index 00000000000..74c9ecbe39d --- /dev/null +++ b/queue-4.4/input-psmouse-add-a-newline-when-printing-proto-by-s.patch @@ -0,0 +1,39 @@ +From d85a50349cc4c035ecb93430a41e0c6bc5559e5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jul 2020 22:24:07 -0700 +Subject: Input: psmouse - add a newline when printing 'proto' by sysfs + +From: Xiongfeng Wang + +[ Upstream commit 4aec14de3a15cf9789a0e19c847f164776f49473 ] + +When I cat parameter 'proto' by sysfs, it displays as follows. It's +better to add a newline for easy reading. + +root@syzkaller:~# cat /sys/module/psmouse/parameters/proto +autoroot@syzkaller:~# + +Signed-off-by: Xiongfeng Wang +Link: https://lore.kernel.org/r/20200720073846.120724-1-wangxiongfeng2@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/mouse/psmouse-base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/mouse/psmouse-base.c b/drivers/input/mouse/psmouse-base.c +index ad18dab0ac476..5bd9633541b07 100644 +--- a/drivers/input/mouse/psmouse-base.c ++++ b/drivers/input/mouse/psmouse-base.c +@@ -1911,7 +1911,7 @@ static int psmouse_get_maxproto(char *buffer, const struct kernel_param *kp) + { + int type = *((unsigned int *)kp->arg); + +- return sprintf(buffer, "%s", psmouse_protocol_by_type(type)->name); ++ return sprintf(buffer, "%s\n", psmouse_protocol_by_type(type)->name); + } + + static int __init psmouse_init(void) +-- +2.25.1 + diff --git a/queue-4.4/jffs2-fix-uaf-problem.patch b/queue-4.4/jffs2-fix-uaf-problem.patch new file mode 100644 index 00000000000..c81471ec8a2 --- /dev/null +++ b/queue-4.4/jffs2-fix-uaf-problem.patch @@ -0,0 +1,80 @@ +From 1e722b06a3a63754ca5beee772001d29fd6b257a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jun 2020 17:06:35 +0800 +Subject: jffs2: fix UAF problem + +From: Zhe Li + +[ Upstream commit 798b7347e4f29553db4b996393caf12f5b233daf ] + +The log of UAF problem is listed below. +BUG: KASAN: use-after-free in jffs2_rmdir+0xa4/0x1cc [jffs2] at addr c1f165fc +Read of size 4 by task rm/8283 +============================================================================= +BUG kmalloc-32 (Tainted: P B O ): kasan: bad access detected +----------------------------------------------------------------------------- + +INFO: Allocated in 0xbbbbbbbb age=3054364 cpu=0 pid=0 + 0xb0bba6ef + jffs2_write_dirent+0x11c/0x9c8 [jffs2] + __slab_alloc.isra.21.constprop.25+0x2c/0x44 + __kmalloc+0x1dc/0x370 + jffs2_write_dirent+0x11c/0x9c8 [jffs2] + jffs2_do_unlink+0x328/0x5fc [jffs2] + jffs2_rmdir+0x110/0x1cc [jffs2] + vfs_rmdir+0x180/0x268 + do_rmdir+0x2cc/0x300 + ret_from_syscall+0x0/0x3c +INFO: Freed in 0x205b age=3054364 cpu=0 pid=0 + 0x2e9173 + jffs2_add_fd_to_list+0x138/0x1dc [jffs2] + jffs2_add_fd_to_list+0x138/0x1dc [jffs2] + jffs2_garbage_collect_dirent.isra.3+0x21c/0x288 [jffs2] + jffs2_garbage_collect_live+0x16bc/0x1800 [jffs2] + jffs2_garbage_collect_pass+0x678/0x11d4 [jffs2] + jffs2_garbage_collect_thread+0x1e8/0x3b0 [jffs2] + kthread+0x1a8/0x1b0 + ret_from_kernel_thread+0x5c/0x64 +Call Trace: +[c17ddd20] [c02452d4] kasan_report.part.0+0x298/0x72c (unreliable) +[c17ddda0] [d2509680] jffs2_rmdir+0xa4/0x1cc [jffs2] +[c17dddd0] [c026da04] vfs_rmdir+0x180/0x268 +[c17dde00] [c026f4e4] do_rmdir+0x2cc/0x300 +[c17ddf40] [c001a658] ret_from_syscall+0x0/0x3c + +The root cause is that we don't get "jffs2_inode_info.sem" before +we scan list "jffs2_inode_info.dents" in function jffs2_rmdir. +This patch add codes to get "jffs2_inode_info.sem" before we scan +"jffs2_inode_info.dents" to slove the UAF problem. + +Signed-off-by: Zhe Li +Reviewed-by: Hou Tao +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/dir.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c +index e273171696972..7a3368929245d 100644 +--- a/fs/jffs2/dir.c ++++ b/fs/jffs2/dir.c +@@ -588,10 +588,14 @@ static int jffs2_rmdir (struct inode *dir_i, struct dentry *dentry) + int ret; + uint32_t now = get_seconds(); + ++ mutex_lock(&f->sem); + for (fd = f->dents ; fd; fd = fd->next) { +- if (fd->ino) ++ if (fd->ino) { ++ mutex_unlock(&f->sem); + return -ENOTEMPTY; ++ } + } ++ mutex_unlock(&f->sem); + + ret = jffs2_do_unlink(c, dir_f, dentry->d_name.name, + dentry->d_name.len, f, now); +-- +2.25.1 + diff --git a/queue-4.4/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch b/queue-4.4/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch new file mode 100644 index 00000000000..076c5a08603 --- /dev/null +++ b/queue-4.4/m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch @@ -0,0 +1,52 @@ +From ffe439be9f78e17e16d6d415aeca02137f8d497b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 17:17:52 +1000 +Subject: m68knommu: fix overwriting of bits in ColdFire V3 cache control + +From: Greg Ungerer + +[ Upstream commit bdee0e793cea10c516ff48bf3ebb4ef1820a116b ] + +The Cache Control Register (CACR) of the ColdFire V3 has bits that +control high level caching functions, and also enable/disable the use +of the alternate stack pointer register (the EUSP bit) to provide +separate supervisor and user stack pointer registers. The code as +it is today will blindly clear the EUSP bit on cache actions like +invalidation. So it is broken for this case - and that will result +in failed booting (interrupt entry and exit processing will be +completely hosed). + +This only affects ColdFire V3 parts that support the alternate stack +register (like the 5329 for example) - generally speaking new parts do, +older parts don't. It has no impact on ColdFire V3 parts with the single +stack pointer, like the 5307 for example. + +Fix the cache bit defines used, so they maintain the EUSP bit when +carrying out cache actions through the CACR register. + +Signed-off-by: Greg Ungerer +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/m53xxacr.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/m68k/include/asm/m53xxacr.h b/arch/m68k/include/asm/m53xxacr.h +index 3177ce8331d69..baee0c77b9818 100644 +--- a/arch/m68k/include/asm/m53xxacr.h ++++ b/arch/m68k/include/asm/m53xxacr.h +@@ -88,9 +88,9 @@ + * coherency though in all cases. And for copyback caches we will need + * to push cached data as well. + */ +-#define CACHE_INIT CACR_CINVA +-#define CACHE_INVALIDATE CACR_CINVA +-#define CACHE_INVALIDATED CACR_CINVA ++#define CACHE_INIT (CACHE_MODE + CACR_CINVA - CACR_EC) ++#define CACHE_INVALIDATE (CACHE_MODE + CACR_CINVA) ++#define CACHE_INVALIDATED (CACHE_MODE + CACR_CINVA) + + #define ACR0_MODE ((CONFIG_RAMBASE & 0xff000000) + \ + (0x000f0000) + \ +-- +2.25.1 + diff --git a/queue-4.4/media-budget-core-improve-exception-handling-in-budg.patch b/queue-4.4/media-budget-core-improve-exception-handling-in-budg.patch new file mode 100644 index 00000000000..a9320f09497 --- /dev/null +++ b/queue-4.4/media-budget-core-improve-exception-handling-in-budg.patch @@ -0,0 +1,56 @@ +From 350abde29518782ee05bfbfaf45c7f022abfa186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 18:17:28 +0200 +Subject: media: budget-core: Improve exception handling in budget_register() + +From: Chuhong Yuan + +[ Upstream commit fc0456458df8b3421dba2a5508cd817fbc20ea71 ] + +budget_register() has no error handling after its failure. +Add the missed undo functions for error handling to fix it. + +Signed-off-by: Chuhong Yuan +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ttpci/budget-core.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/pci/ttpci/budget-core.c b/drivers/media/pci/ttpci/budget-core.c +index e9674b40007c1..6107c469efa07 100644 +--- a/drivers/media/pci/ttpci/budget-core.c ++++ b/drivers/media/pci/ttpci/budget-core.c +@@ -386,20 +386,25 @@ static int budget_register(struct budget *budget) + ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->hw_frontend); + + if (ret < 0) +- return ret; ++ goto err_release_dmx; + + budget->mem_frontend.source = DMX_MEMORY_FE; + ret = dvbdemux->dmx.add_frontend(&dvbdemux->dmx, &budget->mem_frontend); + if (ret < 0) +- return ret; ++ goto err_release_dmx; + + ret = dvbdemux->dmx.connect_frontend(&dvbdemux->dmx, &budget->hw_frontend); + if (ret < 0) +- return ret; ++ goto err_release_dmx; + + dvb_net_init(&budget->dvb_adapter, &budget->dvb_net, &dvbdemux->dmx); + + return 0; ++ ++err_release_dmx: ++ dvb_dmxdev_release(&budget->dmxdev); ++ dvb_dmx_release(&budget->demux); ++ return ret; + } + + static void budget_unregister(struct budget *budget) +-- +2.25.1 + diff --git a/queue-4.4/media-vpss-clean-up-resources-in-init.patch b/queue-4.4/media-vpss-clean-up-resources-in-init.patch new file mode 100644 index 00000000000..eb1b1ba21ec --- /dev/null +++ b/queue-4.4/media-vpss-clean-up-resources-in-init.patch @@ -0,0 +1,66 @@ +From ce138a3a18cba332da1e5cc9c41fbf0cc40d3e33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 11:02:23 +0200 +Subject: media: vpss: clean up resources in init + +From: Evgeny Novikov + +[ Upstream commit 9c487b0b0ea7ff22127fe99a7f67657d8730ff94 ] + +If platform_driver_register() fails within vpss_init() resources are not +cleaned up. The patch fixes this issue by introducing the corresponding +error handling. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/davinci/vpss.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c +index c2c68988e38ac..9884b34d6f406 100644 +--- a/drivers/media/platform/davinci/vpss.c ++++ b/drivers/media/platform/davinci/vpss.c +@@ -519,19 +519,31 @@ static void vpss_exit(void) + + static int __init vpss_init(void) + { ++ int ret; ++ + if (!request_mem_region(VPSS_CLK_CTRL, 4, "vpss_clock_control")) + return -EBUSY; + + oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4); + if (unlikely(!oper_cfg.vpss_regs_base2)) { +- release_mem_region(VPSS_CLK_CTRL, 4); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto err_ioremap; + } + + writel(VPSS_CLK_CTRL_VENCCLKEN | +- VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2); ++ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2); ++ ++ ret = platform_driver_register(&vpss_driver); ++ if (ret) ++ goto err_pd_register; ++ ++ return 0; + +- return platform_driver_register(&vpss_driver); ++err_pd_register: ++ iounmap(oper_cfg.vpss_regs_base2); ++err_ioremap: ++ release_mem_region(VPSS_CLK_CTRL, 4); ++ return ret; + } + subsys_initcall(vpss_init); + module_exit(vpss_exit); +-- +2.25.1 + diff --git a/queue-4.4/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch b/queue-4.4/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch new file mode 100644 index 00000000000..fb97a722989 --- /dev/null +++ b/queue-4.4/scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch @@ -0,0 +1,66 @@ +From 56fe3c45faceed070d9a871043e7be9b3c6d7b4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 01:18:23 -0700 +Subject: scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases + +From: Javed Hasan + +[ Upstream commit ec007ef40abb6a164d148b0dc19789a7a2de2cc8 ] + +In fc_disc_gpn_id_resp(), skb is supposed to get freed in all cases except +for PTR_ERR. However, in some cases it didn't. + +This fix is to call fc_frame_free(fp) before function returns. + +Link: https://lore.kernel.org/r/20200729081824.30996-2-jhasan@marvell.com +Reviewed-by: Girish Basrur +Reviewed-by: Santosh Vernekar +Reviewed-by: Saurav Kashyap +Reviewed-by: Shyam Sundar +Signed-off-by: Javed Hasan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libfc/fc_disc.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/libfc/fc_disc.c b/drivers/scsi/libfc/fc_disc.c +index 880a9068ca126..ef06af4e3611d 100644 +--- a/drivers/scsi/libfc/fc_disc.c ++++ b/drivers/scsi/libfc/fc_disc.c +@@ -595,8 +595,12 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp, + mutex_lock(&disc->disc_mutex); + if (PTR_ERR(fp) == -FC_EX_CLOSED) + goto out; +- if (IS_ERR(fp)) +- goto redisc; ++ if (IS_ERR(fp)) { ++ mutex_lock(&disc->disc_mutex); ++ fc_disc_restart(disc); ++ mutex_unlock(&disc->disc_mutex); ++ goto out; ++ } + + cp = fc_frame_payload_get(fp, sizeof(*cp)); + if (!cp) +@@ -621,7 +625,7 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp, + new_rdata->disc_id = disc->disc_id; + lport->tt.rport_login(new_rdata); + } +- goto out; ++ goto free_fp; + } + rdata->disc_id = disc->disc_id; + lport->tt.rport_login(rdata); +@@ -635,6 +639,8 @@ static void fc_disc_gpn_id_resp(struct fc_seq *sp, struct fc_frame *fp, + redisc: + fc_disc_restart(disc); + } ++free_fp: ++ fc_frame_free(fp); + out: + mutex_unlock(&disc->disc_mutex); + kref_put(&rdata->kref, lport->tt.rport_destroy); +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 1fde23ebb37..70d2aa84cf3 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -11,3 +11,15 @@ btrfs-don-t-show-full-path-of-bind-mounts-in-subvol.patch romfs-fix-uninitialized-memory-leak-in-romfs_dev_read.patch mm-include-cma-pages-in-lowmem_reserve-at-boot.patch mm-page_alloc-fix-core-hung-in-free_pcppages_bulk.patch +ext4-clean-up-ext4_match-and-callers.patch +ext4-fix-checking-of-directory-entry-validity-for-in.patch +media-budget-core-improve-exception-handling-in-budg.patch +media-vpss-clean-up-resources-in-init.patch +input-psmouse-add-a-newline-when-printing-proto-by-s.patch +m68knommu-fix-overwriting-of-bits-in-coldfire-v3-cac.patch +xfs-fix-inode-quota-reservation-checks.patch +jffs2-fix-uaf-problem.patch +scsi-libfc-free-skb-in-fc_disc_gpn_id_resp-for-valid.patch +virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch +xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch +alpha-fix-annotation-of-io-read-write-16-32-be.patch diff --git a/queue-4.4/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch b/queue-4.4/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch new file mode 100644 index 00000000000..936b2727f66 --- /dev/null +++ b/queue-4.4/virtio_ring-avoid-loop-when-vq-is-broken-in-virtqueu.patch @@ -0,0 +1,53 @@ +From 92003491b269581e9c7faedb00217eb0f531eabb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 15:44:09 +0800 +Subject: virtio_ring: Avoid loop when vq is broken in virtqueue_poll + +From: Mao Wenan + +[ Upstream commit 481a0d7422db26fb63e2d64f0652667a5c6d0f3e ] + +The loop may exist if vq->broken is true, +virtqueue_get_buf_ctx_packed or virtqueue_get_buf_ctx_split +will return NULL, so virtnet_poll will reschedule napi to +receive packet, it will lead cpu usage(si) to 100%. + +call trace as below: +virtnet_poll + virtnet_receive + virtqueue_get_buf_ctx + virtqueue_get_buf_ctx_packed + virtqueue_get_buf_ctx_split + virtqueue_napi_complete + virtqueue_poll //return true + virtqueue_napi_schedule //it will reschedule napi + +to fix this, return false if vq is broken in virtqueue_poll. + +Signed-off-by: Mao Wenan +Acked-by: Michael S. Tsirkin +Link: https://lore.kernel.org/r/1596354249-96204-1-git-send-email-wenan.mao@linux.alibaba.com +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_ring.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c +index a01a41a412693..6b3565feddb21 100644 +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -603,6 +603,9 @@ bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx) + { + struct vring_virtqueue *vq = to_vvq(_vq); + ++ if (unlikely(vq->broken)) ++ return false; ++ + virtio_mb(vq->weak_barriers); + return (u16)last_used_idx != virtio16_to_cpu(_vq->vdev, vq->vring.used->idx); + } +-- +2.25.1 + diff --git a/queue-4.4/xfs-fix-inode-quota-reservation-checks.patch b/queue-4.4/xfs-fix-inode-quota-reservation-checks.patch new file mode 100644 index 00000000000..4f167a176cd --- /dev/null +++ b/queue-4.4/xfs-fix-inode-quota-reservation-checks.patch @@ -0,0 +1,56 @@ +From 254f1bbda7c8e38d190a7cd1ef67bb2f0f03adb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 10:36:09 -0700 +Subject: xfs: fix inode quota reservation checks + +From: Darrick J. Wong + +[ Upstream commit f959b5d037e71a4d69b5bf71faffa065d9269b4a ] + +xfs_trans_dqresv is the function that we use to make reservations +against resource quotas. Each resource contains two counters: the +q_core counter, which tracks resources allocated on disk; and the dquot +reservation counter, which tracks how much of that resource has either +been allocated or reserved by threads that are working on metadata +updates. + +For disk blocks, we compare the proposed reservation counter against the +hard and soft limits to decide if we're going to fail the operation. +However, for inodes we inexplicably compare against the q_core counter, +not the incore reservation count. + +Since the q_core counter is always lower than the reservation count and +we unlock the dquot between reservation and transaction commit, this +means that multiple threads can reserve the last inode count before we +hit the hard limit, and when they commit, we'll be well over the hard +limit. + +Fix this by checking against the incore inode reservation counter, since +we would appear to maintain that correctly (and that's what we report in +GETQUOTA). + +Signed-off-by: Darrick J. Wong +Reviewed-by: Allison Collins +Reviewed-by: Chandan Babu R +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_trans_dquot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/xfs/xfs_trans_dquot.c b/fs/xfs/xfs_trans_dquot.c +index ce78534a047ee..bb8de2dddabe2 100644 +--- a/fs/xfs/xfs_trans_dquot.c ++++ b/fs/xfs/xfs_trans_dquot.c +@@ -662,7 +662,7 @@ xfs_trans_dqresv( + } + } + if (ninos > 0) { +- total_count = be64_to_cpu(dqp->q_core.d_icount) + ninos; ++ total_count = dqp->q_res_icount + ninos; + timer = be32_to_cpu(dqp->q_core.d_itimer); + warns = be16_to_cpu(dqp->q_core.d_iwarns); + warnlimit = dqp->q_mount->m_quotainfo->qi_iwarnlimit; +-- +2.25.1 + diff --git a/queue-4.4/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch b/queue-4.4/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch new file mode 100644 index 00000000000..c7119cbecc9 --- /dev/null +++ b/queue-4.4/xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch @@ -0,0 +1,59 @@ +From d501d9cc701860dd4d89eb5e797e3681e2ff88d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 15:18:48 -0700 +Subject: xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init + +From: Eiichi Tsukata + +[ Upstream commit 96cf2a2c75567ff56195fe3126d497a2e7e4379f ] + +If xfs_sysfs_init is called with parent_kobj == NULL, UBSAN +shows the following warning: + + UBSAN: null-ptr-deref in ./fs/xfs/xfs_sysfs.h:37:23 + member access within null pointer of type 'struct xfs_kobj' + Call Trace: + dump_stack+0x10e/0x195 + ubsan_type_mismatch_common+0x241/0x280 + __ubsan_handle_type_mismatch_v1+0x32/0x40 + init_xfs_fs+0x12b/0x28f + do_one_initcall+0xdd/0x1d0 + do_initcall_level+0x151/0x1b6 + do_initcalls+0x50/0x8f + do_basic_setup+0x29/0x2b + kernel_init_freeable+0x19f/0x20b + kernel_init+0x11/0x1e0 + ret_from_fork+0x22/0x30 + +Fix it by checking parent_kobj before the code accesses its member. + +Signed-off-by: Eiichi Tsukata +Reviewed-by: Darrick J. Wong +[darrick: minor whitespace edits] +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_sysfs.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/xfs/xfs_sysfs.h b/fs/xfs/xfs_sysfs.h +index be692e59938db..c457b010c623d 100644 +--- a/fs/xfs/xfs_sysfs.h ++++ b/fs/xfs/xfs_sysfs.h +@@ -44,9 +44,11 @@ xfs_sysfs_init( + struct xfs_kobj *parent_kobj, + const char *name) + { ++ struct kobject *parent; ++ ++ parent = parent_kobj ? &parent_kobj->kobject : NULL; + init_completion(&kobj->complete); +- return kobject_init_and_add(&kobj->kobject, ktype, +- &parent_kobj->kobject, "%s", name); ++ return kobject_init_and_add(&kobj->kobject, ktype, parent, "%s", name); + } + + static inline void +-- +2.25.1 + -- 2.47.3