From 4df2a8fed8a72fecd5bf4536baab8a210fc99988 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 16 Dec 2019 14:59:34 +0100 Subject: [PATCH] 5.3-stable patches added patches: ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch rtc-disable-uie-before-setting-time-and-enable-after.patch splice-only-read-in-as-much-information-as-there-is-pipe-buffer-space.patch --- ...ug-in-ext4_wait_for_tail_page_commit.patch | 120 ++++++++++++++++++ ...-cast-the-type-of-unmap_start-to-u64.patch | 73 +++++++++++ ...before-setting-time-and-enable-after.patch | 72 +++++++++++ queue-5.3/series | 4 + ...mation-as-there-is-pipe-buffer-space.patch | 66 ++++++++++ 5 files changed, 335 insertions(+) create mode 100644 queue-5.3/ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch create mode 100644 queue-5.3/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch create mode 100644 queue-5.3/rtc-disable-uie-before-setting-time-and-enable-after.patch create mode 100644 queue-5.3/splice-only-read-in-as-much-information-as-there-is-pipe-buffer-space.patch diff --git a/queue-5.3/ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch b/queue-5.3/ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch new file mode 100644 index 00000000000..2325b359b3f --- /dev/null +++ b/queue-5.3/ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch @@ -0,0 +1,120 @@ +From 565333a1554d704789e74205989305c811fd9c7a Mon Sep 17 00:00:00 2001 +From: yangerkun +Date: Thu, 19 Sep 2019 14:35:08 +0800 +Subject: ext4: fix a bug in ext4_wait_for_tail_page_commit + +From: yangerkun + +commit 565333a1554d704789e74205989305c811fd9c7a upstream. + +No need to wait for any commit once the page is fully truncated. +Besides, it may confuse e.g. 
concurrent ext4_writepage() with the page +still being dirty (will be cleared by truncate_pagecache() in +ext4_setattr()) but its buffers already freed; and then trigger a bug +as shown below: + +[ 26.057508] ------------[ cut here ]------------ +[ 26.058531] kernel BUG at fs/ext4/inode.c:2134! +... +[ 26.088130] Call trace: +[ 26.088695] ext4_writepage+0x914/0xb28 +[ 26.089541] writeout.isra.4+0x1b4/0x2b8 +[ 26.090409] move_to_new_page+0x3b0/0x568 +[ 26.091338] __unmap_and_move+0x648/0x988 +[ 26.092241] unmap_and_move+0x48c/0xbb8 +[ 26.093096] migrate_pages+0x220/0xb28 +[ 26.093945] kernel_mbind+0x828/0xa18 +[ 26.094791] __arm64_sys_mbind+0xc8/0x138 +[ 26.095716] el0_svc_common+0x190/0x490 +[ 26.096571] el0_svc_handler+0x60/0xd0 +[ 26.097423] el0_svc+0x8/0xc + +Run the procedure (generated by syzkaller) parallel with ext3. + +void main() +{ + int fd, fd1, ret; + void *addr; + size_t length = 4096; + int flags; + off_t offset = 0; + char *str = "12345"; + + fd = open("a", O_RDWR | O_CREAT); + assert(fd >= 0); + + /* Truncate to 4k */ + ret = ftruncate(fd, length); + assert(ret == 0); + + /* Journal data mode */ + flags = 0xc00f; + ret = ioctl(fd, _IOW('f', 2, long), &flags); + assert(ret == 0); + + /* Truncate to 0 */ + fd1 = open("a", O_TRUNC | O_NOATIME); + assert(fd1 >= 0); + + addr = mmap(NULL, length, PROT_WRITE | PROT_READ, + MAP_SHARED, fd, offset); + assert(addr != (void *)-1); + + memcpy(addr, str, 5); + mbind(addr, length, 0, 0, 0, MPOL_MF_MOVE); +} + +And the bug will be triggered once we see the order below. + +reproduce1 reproduce2 + +... | ... +truncate to 4k | +change to journal data mode | + | memcpy(set page dirty) +truncate to 0: | +ext4_setattr: | +... | +ext4_wait_for_tail_page_commit | + | mbind(trigger bug) +truncate_pagecache(clean dirty)| ... +... | + +mbind will call ext4_writepage() since the page is still dirty, and then +report the bug since the buffers have been freed. 
Fix it by return +directly once offset equals to 0 which means the page has been fully +truncated. + +Reported-by: Hulk Robot +Signed-off-by: yangerkun +Link: https://lore.kernel.org/r/20190919063508.1045-1-yangerkun@huawei.com +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5493,11 +5493,15 @@ static void ext4_wait_for_tail_page_comm + + offset = inode->i_size & (PAGE_SIZE - 1); + /* +- * All buffers in the last page remain valid? Then there's nothing to +- * do. We do the check mainly to optimize the common PAGE_SIZE == +- * blocksize case ++ * If the page is fully truncated, we don't need to wait for any commit ++ * (and we even should not as __ext4_journalled_invalidatepage() may ++ * strip all buffers from the page but keep the page dirty which can then ++ * confuse e.g. concurrent ext4_writepage() seeing dirty page without ++ * buffers). Also we don't need to wait for any commit if all buffers in ++ * the page remain valid. This is most beneficial for the common case of ++ * blocksize == PAGESIZE. + */ +- if (offset > PAGE_SIZE - i_blocksize(inode)) ++ if (!offset || offset > (PAGE_SIZE - i_blocksize(inode))) + return; + while (1) { + page = find_lock_page(inode->i_mapping, diff --git a/queue-5.3/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch b/queue-5.3/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch new file mode 100644 index 00000000000..1df8aa3f40d --- /dev/null +++ b/queue-5.3/mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch @@ -0,0 +1,73 @@ +From aa71ecd8d86500da6081a72da6b0b524007e0627 Mon Sep 17 00:00:00 2001 +From: Chen Jun +Date: Sat, 30 Nov 2019 17:58:11 -0800 +Subject: mm/shmem.c: cast the type of unmap_start to u64 + +From: Chen Jun + +commit aa71ecd8d86500da6081a72da6b0b524007e0627 upstream. + +In 64bit system. 
sb->s_maxbytes of shmem filesystem is MAX_LFS_FILESIZE, +which equals LLONG_MAX. + +If offset > LLONG_MAX - PAGE_SIZE, offset + len < LLONG_MAX in +shmem_fallocate, which will pass the checking in vfs_fallocate. + + /* Check for wrap through zero too */ + if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0)) + return -EFBIG; + +loff_t unmap_start = round_up(offset, PAGE_SIZE) in shmem_fallocate +causes an overflow. + +Syzkaller reports an overflow problem in mm/shmem: + + UBSAN: Undefined behaviour in mm/shmem.c:2014:10 + signed integer overflow: '9223372036854775807 + 1' cannot be represented in type 'long long int' + CPU: 0 PID:17076 Comm: syz-executor0 Not tainted 4.1.46+ #1 + Hardware name: linux, dummy-virt (DT) + Call trace: + dump_backtrace+0x0/0x2c8 arch/arm64/kernel/traps.c:100 + show_stack+0x20/0x30 arch/arm64/kernel/traps.c:238 + __dump_stack lib/dump_stack.c:15 [inline] + ubsan_epilogue+0x18/0x70 lib/ubsan.c:164 + handle_overflow+0x158/0x1b0 lib/ubsan.c:195 + shmem_fallocate+0x6d0/0x820 mm/shmem.c:2104 + vfs_fallocate+0x238/0x428 fs/open.c:312 + SYSC_fallocate fs/open.c:335 [inline] + SyS_fallocate+0x54/0xc8 fs/open.c:239 + +The highest bit of unmap_start will be appended with sign bit 1 +(overflow) when calculating shmem_falloc.start: + + shmem_falloc.start = unmap_start >> PAGE_SHIFT. + +Fix it by casting the type of unmap_start to u64, when right shifted. + +This bug is found in LTS Linux 4.1. It also seems to exist in mainline. 
+ +Link: http://lkml.kernel.org/r/1573867464-5107-1-git-send-email-chenjun102@huawei.com +Signed-off-by: Chen Jun +Reviewed-by: Andrew Morton +Cc: Hugh Dickins +Cc: Qian Cai +Cc: Kefeng Wang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/shmem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2730,7 +2730,7 @@ static long shmem_fallocate(struct file + } + + shmem_falloc.waitq = &shmem_falloc_waitq; +- shmem_falloc.start = unmap_start >> PAGE_SHIFT; ++ shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT; + shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT; + spin_lock(&inode->i_lock); + inode->i_private = &shmem_falloc; diff --git a/queue-5.3/rtc-disable-uie-before-setting-time-and-enable-after.patch b/queue-5.3/rtc-disable-uie-before-setting-time-and-enable-after.patch new file mode 100644 index 00000000000..a3dfc627958 --- /dev/null +++ b/queue-5.3/rtc-disable-uie-before-setting-time-and-enable-after.patch @@ -0,0 +1,72 @@ +From 7e7c005b4b1f1f169bcc4b2c3a40085ecc663df2 Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Mon, 21 Oct 2019 01:13:20 +0200 +Subject: rtc: disable uie before setting time and enable after + +From: Alexandre Belloni + +commit 7e7c005b4b1f1f169bcc4b2c3a40085ecc663df2 upstream. + +When setting the time in the future with the uie timer enabled, +rtc_timer_do_work will loop for a while because the expiration of the uie +timer was way before the current RTC time and a new timer will be enqueued +until the current rtc time is reached. + +If the uie timer is enabled, disable it before setting the time and enable +it after expiring current timers (which may actually be an alarm). + +This is the safest thing to do to ensure the uie timer is still +synchronized with the RTC, especially in the UIE emulation case. 
+ +Reported-by: syzbot+08116743f8ad6f9a6de7@syzkaller.appspotmail.com +Fixes: 6610e0893b8b ("RTC: Rework RTC code to use timerqueue for events") +Link: https://lore.kernel.org/r/20191020231320.8191-1-alexandre.belloni@bootlin.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/interface.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -125,7 +125,7 @@ EXPORT_SYMBOL_GPL(rtc_read_time); + + int rtc_set_time(struct rtc_device *rtc, struct rtc_time *tm) + { +- int err; ++ int err, uie; + + err = rtc_valid_tm(tm); + if (err != 0) +@@ -137,6 +137,17 @@ int rtc_set_time(struct rtc_device *rtc, + + rtc_subtract_offset(rtc, tm); + ++#ifdef CONFIG_RTC_INTF_DEV_UIE_EMUL ++ uie = rtc->uie_rtctimer.enabled || rtc->uie_irq_active; ++#else ++ uie = rtc->uie_rtctimer.enabled; ++#endif ++ if (uie) { ++ err = rtc_update_irq_enable(rtc, 0); ++ if (err) ++ return err; ++ } ++ + err = mutex_lock_interruptible(&rtc->ops_lock); + if (err) + return err; +@@ -153,6 +164,12 @@ int rtc_set_time(struct rtc_device *rtc, + /* A timer might have just expired */ + schedule_work(&rtc->irqwork); + ++ if (uie) { ++ err = rtc_update_irq_enable(rtc, 1); ++ if (err) ++ return err; ++ } ++ + trace_rtc_set_time(rtc_tm_to_time64(tm), err); + return err; + } diff --git a/queue-5.3/series b/queue-5.3/series index e176462a341..4102266522c 100644 --- a/queue-5.3/series +++ b/queue-5.3/series @@ -176,3 +176,7 @@ ext4-work-around-deleting-a-file-with-i_nlink-0-safely.patch firmware-qcom-scm-ensure-a0-status-code-is-treated-as-signed.patch s390-smp-vdso-fix-asce-handling.patch s390-kaslr-store-kaslr-offset-for-early-dumps.patch +mm-shmem.c-cast-the-type-of-unmap_start-to-u64.patch +rtc-disable-uie-before-setting-time-and-enable-after.patch +splice-only-read-in-as-much-information-as-there-is-pipe-buffer-space.patch +ext4-fix-a-bug-in-ext4_wait_for_tail_page_commit.patch diff 
--git a/queue-5.3/splice-only-read-in-as-much-information-as-there-is-pipe-buffer-space.patch b/queue-5.3/splice-only-read-in-as-much-information-as-there-is-pipe-buffer-space.patch new file mode 100644 index 00000000000..bfd751d0a80 --- /dev/null +++ b/queue-5.3/splice-only-read-in-as-much-information-as-there-is-pipe-buffer-space.patch @@ -0,0 +1,66 @@ +From 3253d9d093376d62b4a56e609f15d2ec5085ac73 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Tue, 15 Oct 2019 08:44:32 -0700 +Subject: splice: only read in as much information as there is pipe buffer space +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Darrick J. Wong + +commit 3253d9d093376d62b4a56e609f15d2ec5085ac73 upstream. + +Andreas Grünbacher reports that on the two filesystems that support +iomap directio, it's possible for splice() to return -EAGAIN (instead of +a short splice) if the pipe being written to has less space available in +its pipe buffers than the length supplied by the calling process. + +Months ago we fixed splice_direct_to_actor to clamp the length of the +read request to the size of the splice pipe. Do the same to do_splice. + +Fixes: 17614445576b6 ("splice: don't read more than available pipe space") +Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com +Reported-by: Andreas Grünbacher +Reviewed-by: Andreas Grünbacher +Signed-off-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman + +--- + fs/splice.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -945,12 +945,13 @@ ssize_t splice_direct_to_actor(struct fi + WARN_ON_ONCE(pipe->nrbufs != 0); + + while (len) { ++ unsigned int pipe_pages; + size_t read_len; + loff_t pos = sd->pos, prev_pos = pos; + + /* Don't try to read more the pipe has space for. 
*/ +- read_len = min_t(size_t, len, +- (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT); ++ pipe_pages = pipe->buffers - pipe->nrbufs; ++ read_len = min(len, (size_t)pipe_pages << PAGE_SHIFT); + ret = do_splice_to(in, &pos, pipe, read_len, flags); + if (unlikely(ret <= 0)) + goto out_release; +@@ -1180,8 +1181,15 @@ static long do_splice(struct file *in, l + + pipe_lock(opipe); + ret = wait_for_space(opipe, flags); +- if (!ret) ++ if (!ret) { ++ unsigned int pipe_pages; ++ ++ /* Don't try to read more the pipe has space for. */ ++ pipe_pages = opipe->buffers - opipe->nrbufs; ++ len = min(len, (size_t)pipe_pages << PAGE_SHIFT); ++ + ret = do_splice_to(in, &offset, opipe, len, flags); ++ } + pipe_unlock(opipe); + if (ret > 0) + wakeup_pipe_readers(opipe); -- 2.47.3