From e75eaa297f2244c16596ced4aa08e175f4136695 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 17 Aug 2020 15:06:40 +0200
Subject: [PATCH] 5.8-stable patches

added patches:
drm-xen-front-fix-misused-is_err_or_null-checks.patch
io_uring-fix-null-pointer-dereference-in-loop_rw_iter.patch
s390-dasd-fix-inability-to-use-dasd-with-diag-driver.patch
s390-gmap-improve-thp-splitting.patch
s390-numa-set-node-distance-to-local_distance.patch
xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch
xen-balloon-make-the-balloon-wait-interruptible.patch
xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch
---
 ...nt-fix-misused-is_err_or_null-checks.patch | 107 ++++++++++++++++++
 ...-pointer-dereference-in-loop_rw_iter.patch | 107 ++++++++++++++++++
 ...ability-to-use-dasd-with-diag-driver.patch | 105 +++++++++++++++++
 .../s390-gmap-improve-thp-splitting.patch | 79 +++++++++++++
 ...-set-node-distance-to-local_distance.patch | 39 +++++++
 queue-5.8/series | 8 ++
 ...-alloc_xenballooned_pages-error-path.patch | 43 +++++++
 ...-make-the-balloon-wait-interruptible.patch | 44 +++++++
 ...abuf-import-with-non-zero-sgt-offset.patch | 43 +++++++
 9 files changed, 575 insertions(+)
 create mode 100644 queue-5.8/drm-xen-front-fix-misused-is_err_or_null-checks.patch
 create mode 100644 queue-5.8/io_uring-fix-null-pointer-dereference-in-loop_rw_iter.patch
 create mode 100644 queue-5.8/s390-dasd-fix-inability-to-use-dasd-with-diag-driver.patch
 create mode 100644 queue-5.8/s390-gmap-improve-thp-splitting.patch
 create mode 100644 queue-5.8/s390-numa-set-node-distance-to-local_distance.patch
 create mode 100644 queue-5.8/xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch
 create mode 100644 queue-5.8/xen-balloon-make-the-balloon-wait-interruptible.patch
 create mode 100644 queue-5.8/xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch
diff --git a/queue-5.8/drm-xen-front-fix-misused-is_err_or_null-checks.patch b/queue-5.8/drm-xen-front-fix-misused-is_err_or_null-checks.patch
new file mode 100644
index 00000000000..de193b83135
--- /dev/null
+++ b/queue-5.8/drm-xen-front-fix-misused-is_err_or_null-checks.patch
@@ -0,0 +1,107 @@ +From 14dee058610446aa464254fc5c8e88c7535195e0 Mon Sep 17 00:00:00 2001 +From: Oleksandr Andrushchenko +Date: Thu, 13 Aug 2020 09:21:10 +0300 +Subject: drm/xen-front: Fix misused IS_ERR_OR_NULL checks + +From: Oleksandr Andrushchenko + +commit 14dee058610446aa464254fc5c8e88c7535195e0 upstream. + +The patch c575b7eeb89f: "drm/xen-front: Add support for Xen PV +display frontend" from Apr 3, 2018, leads to the following static +checker warning: + + drivers/gpu/drm/xen/xen_drm_front_gem.c:140 xen_drm_front_gem_create() + warn: passing zero to 'ERR_CAST' + +drivers/gpu/drm/xen/xen_drm_front_gem.c + 133 struct drm_gem_object *xen_drm_front_gem_create(struct drm_device *dev, + 134 size_t size) + 135 { + 136 struct xen_gem_object *xen_obj; + 137 + 138 xen_obj = gem_create(dev, size); + 139 if (IS_ERR_OR_NULL(xen_obj)) + 140 return ERR_CAST(xen_obj); + +Fix this and the rest of misused places with IS_ERR_OR_NULL in the +driver. + +Fixes: c575b7eeb89f: "drm/xen-front: Add support for Xen PV display frontend" + +Signed-off-by: Oleksandr Andrushchenko +Reported-by: Dan Carpenter +Reviewed-by: Dan Carpenter +Cc: +Link: https://lore.kernel.org/r/20200813062113.11030-3-andr2000@gmail.com +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/xen/xen_drm_front.c | 4 ++-- + drivers/gpu/drm/xen/xen_drm_front_gem.c | 8 ++++---- + drivers/gpu/drm/xen/xen_drm_front_kms.c | 2 +- + 3 files changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/xen/xen_drm_front.c ++++ b/drivers/gpu/drm/xen/xen_drm_front.c +@@ -400,8 +400,8 @@ static int xen_drm_drv_dumb_create(struc + args->size = args->pitch * args->height; + + obj = xen_drm_front_gem_create(dev, args->size); +- if (IS_ERR_OR_NULL(obj)) { +- ret = PTR_ERR_OR_ZERO(obj); ++ if (IS_ERR(obj)) { ++ ret = PTR_ERR(obj); + goto fail; + } + +--- a/drivers/gpu/drm/xen/xen_drm_front_gem.c ++++ b/drivers/gpu/drm/xen/xen_drm_front_gem.c +@@ -83,7 +83,7 @@ static struct xen_gem_object 
*gem_create + + size = round_up(size, PAGE_SIZE); + xen_obj = gem_create_obj(dev, size); +- if (IS_ERR_OR_NULL(xen_obj)) ++ if (IS_ERR(xen_obj)) + return xen_obj; + + if (drm_info->front_info->cfg.be_alloc) { +@@ -117,7 +117,7 @@ static struct xen_gem_object *gem_create + */ + xen_obj->num_pages = DIV_ROUND_UP(size, PAGE_SIZE); + xen_obj->pages = drm_gem_get_pages(&xen_obj->base); +- if (IS_ERR_OR_NULL(xen_obj->pages)) { ++ if (IS_ERR(xen_obj->pages)) { + ret = PTR_ERR(xen_obj->pages); + xen_obj->pages = NULL; + goto fail; +@@ -136,7 +136,7 @@ struct drm_gem_object *xen_drm_front_gem + struct xen_gem_object *xen_obj; + + xen_obj = gem_create(dev, size); +- if (IS_ERR_OR_NULL(xen_obj)) ++ if (IS_ERR(xen_obj)) + return ERR_CAST(xen_obj); + + return &xen_obj->base; +@@ -194,7 +194,7 @@ xen_drm_front_gem_import_sg_table(struct + + size = attach->dmabuf->size; + xen_obj = gem_create_obj(dev, size); +- if (IS_ERR_OR_NULL(xen_obj)) ++ if (IS_ERR(xen_obj)) + return ERR_CAST(xen_obj); + + ret = gem_alloc_pages_array(xen_obj, size); +--- a/drivers/gpu/drm/xen/xen_drm_front_kms.c ++++ b/drivers/gpu/drm/xen/xen_drm_front_kms.c +@@ -60,7 +60,7 @@ fb_create(struct drm_device *dev, struct + int ret; + + fb = drm_gem_fb_create_with_funcs(dev, filp, mode_cmd, &fb_funcs); +- if (IS_ERR_OR_NULL(fb)) ++ if (IS_ERR(fb)) + return fb; + + gem_obj = fb->obj[0]; diff --git a/queue-5.8/io_uring-fix-null-pointer-dereference-in-loop_rw_iter.patch b/queue-5.8/io_uring-fix-null-pointer-dereference-in-loop_rw_iter.patch new file mode 100644 index 00000000000..9ef4be76ee1 --- /dev/null +++ b/queue-5.8/io_uring-fix-null-pointer-dereference-in-loop_rw_iter.patch 
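Review bot: The switch from IS_ERR_OR_NULL() to IS_ERR() at every site in this patch is only correct if gem_create_obj(), drm_gem_get_pages() and drm_gem_fb_create_with_funcs() never return a plain NULL, since a NULL would now pass the check and be dereferenced or returned as a valid object; gem_create_obj() is not in the hunk, so that guarantee cannot be confirmed from here. A short comment on gem_create_obj() stating that it returns either a valid object or an ERR_PTR (never NULL) would document the contract the callers now depend on. xen_drm_drv_dumb_create, gem_create and xen_drm_front_gem_import_sg_table all start or end outside the shown hunks.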
@@ -0,0 +1,107 @@ +From 2dd2111d0d383df104b144e0d1f6b5a00cb7cd88 Mon Sep 17 00:00:00 2001 +From: Guoyu Huang +Date: Wed, 5 Aug 2020 03:53:50 -0700 +Subject: io_uring: Fix NULL pointer dereference in loop_rw_iter() + +From: Guoyu Huang + +commit 2dd2111d0d383df104b144e0d1f6b5a00cb7cd88 upstream. + +loop_rw_iter() does not check whether the file has a read or +write function. This can lead to NULL pointer dereference +when the user passes in a file descriptor that does not have +read or write function. + +The crash log looks like this: + +[ 99.834071] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 99.835364] #PF: supervisor instruction fetch in kernel mode +[ 99.836522] #PF: error_code(0x0010) - not-present page +[ 99.837771] PGD 8000000079d62067 P4D 8000000079d62067 PUD 79d8c067 PMD 0 +[ 99.839649] Oops: 0010 [#2] SMP PTI +[ 99.840591] CPU: 1 PID: 333 Comm: io_wqe_worker-0 Tainted: G D 5.8.0 #2 +[ 99.842622] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 +[ 99.845140] RIP: 0010:0x0 +[ 99.845840] Code: Bad RIP value. +[ 99.846672] RSP: 0018:ffffa1c7c01ebc08 EFLAGS: 00010202 +[ 99.848018] RAX: 0000000000000000 RBX: ffff92363bd67300 RCX: ffff92363d461208 +[ 99.849854] RDX: 0000000000000010 RSI: 00007ffdbf696bb0 RDI: ffff92363bd67300 +[ 99.851743] RBP: ffffa1c7c01ebc40 R08: 0000000000000000 R09: 0000000000000000 +[ 99.853394] R10: ffffffff9ec692a0 R11: 0000000000000000 R12: 0000000000000010 +[ 99.855148] R13: 0000000000000000 R14: ffff92363d461208 R15: ffffa1c7c01ebc68 +[ 99.856914] FS: 0000000000000000(0000) GS:ffff92363dd00000(0000) knlGS:0000000000000000 +[ 99.858651] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 99.860032] CR2: ffffffffffffffd6 CR3: 000000007ac66000 CR4: 00000000000006e0 +[ 99.861979] Call Trace: +[ 99.862617] loop_rw_iter.part.0+0xad/0x110 +[ 99.863838] io_write+0x2ae/0x380 +[ 99.864644] ? kvm_sched_clock_read+0x11/0x20 +[ 99.865595] ? sched_clock+0x9/0x10 +[ 99.866453] ? 
sched_clock_cpu+0x11/0xb0 +[ 99.867326] ? newidle_balance+0x1d4/0x3c0 +[ 99.868283] io_issue_sqe+0xd8f/0x1340 +[ 99.869216] ? __switch_to+0x7f/0x450 +[ 99.870280] ? __switch_to_asm+0x42/0x70 +[ 99.871254] ? __switch_to_asm+0x36/0x70 +[ 99.872133] ? lock_timer_base+0x72/0xa0 +[ 99.873155] ? switch_mm_irqs_off+0x1bf/0x420 +[ 99.874152] io_wq_submit_work+0x64/0x180 +[ 99.875192] ? kthread_use_mm+0x71/0x100 +[ 99.876132] io_worker_handle_work+0x267/0x440 +[ 99.877233] io_wqe_worker+0x297/0x350 +[ 99.878145] kthread+0x112/0x150 +[ 99.878849] ? __io_worker_unuse+0x100/0x100 +[ 99.879935] ? kthread_park+0x90/0x90 +[ 99.880874] ret_from_fork+0x22/0x30 +[ 99.881679] Modules linked in: +[ 99.882493] CR2: 0000000000000000 +[ 99.883324] ---[ end trace 4453745f4673190b ]--- +[ 99.884289] RIP: 0010:0x0 +[ 99.884837] Code: Bad RIP value. +[ 99.885492] RSP: 0018:ffffa1c7c01ebc08 EFLAGS: 00010202 +[ 99.886851] RAX: 0000000000000000 RBX: ffff92363acd7f00 RCX: ffff92363d461608 +[ 99.888561] RDX: 0000000000000010 RSI: 00007ffe040d9e10 RDI: ffff92363acd7f00 +[ 99.890203] RBP: ffffa1c7c01ebc40 R08: 0000000000000000 R09: 0000000000000000 +[ 99.891907] R10: ffffffff9ec692a0 R11: 0000000000000000 R12: 0000000000000010 +[ 99.894106] R13: 0000000000000000 R14: ffff92363d461608 R15: ffffa1c7c01ebc68 +[ 99.896079] FS: 0000000000000000(0000) GS:ffff92363dd00000(0000) knlGS:0000000000000000 +[ 99.898017] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 99.899197] CR2: ffffffffffffffd6 CR3: 000000007ac66000 CR4: 00000000000006e0 + +Fixes: 32960613b7c3 ("io_uring: correctly handle non ->{read,write}_iter() file_operations") +Cc: stable@vger.kernel.org +Signed-off-by: Guoyu Huang +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + + +--- + fs/io_uring.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2673,8 +2673,10 @@ static int io_read(struct io_kiocb *req, + + if (req->file->f_op->read_iter) + ret2 = 
call_read_iter(req->file, kiocb, &iter); +- else ++ else if (req->file->f_op->read) + ret2 = loop_rw_iter(READ, req->file, kiocb, &iter); ++ else ++ ret2 = -EINVAL; + + /* Catch -EAGAIN return for forced non-blocking submission */ + if (!force_nonblock || ret2 != -EAGAIN) { +@@ -2788,8 +2790,10 @@ static int io_write(struct io_kiocb *req + + if (req->file->f_op->write_iter) + ret2 = call_write_iter(req->file, kiocb, &iter); +- else ++ else if (req->file->f_op->write) + ret2 = loop_rw_iter(WRITE, req->file, kiocb, &iter); ++ else ++ ret2 = -EINVAL; + + if (!force_nonblock) + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY; diff --git a/queue-5.8/s390-dasd-fix-inability-to-use-dasd-with-diag-driver.patch b/queue-5.8/s390-dasd-fix-inability-to-use-dasd-with-diag-driver.patch new file mode 100644 index 00000000000..db2ef2c1cb4 --- /dev/null +++ b/queue-5.8/s390-dasd-fix-inability-to-use-dasd-with-diag-driver.patch 
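Review bot: The new `ret2 = -EINVAL;` branches in io_read and io_write carry no explanation of how a file reaches this point with neither `->read_iter` nor `->read` (resp. `->write_iter`/`->write`), which is the whole reason for the change; a one-line comment such as `/* neither ->read_iter nor ->read: the file cannot be read at all */` above the assignment in io_read, with the write counterpart in io_write, would save the next reader a trip to the commit log. The -EINVAL value then flows into the `ret2 != -EAGAIN` handling below, which is fine since it is never -EAGAIN, but that is worth stating in the same comment. Both io_read and io_write start and end outside the hunk.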
@@ -0,0 +1,105 @@ +From 9f4aa52387c68049403b59939df5c0dd8e3872cc Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Tue, 14 Jul 2020 22:03:26 +0200 +Subject: s390/dasd: fix inability to use DASD with DIAG driver + +From: Stefan Haberland + +commit 9f4aa52387c68049403b59939df5c0dd8e3872cc upstream. + +During initialization of the DASD DIAG driver a request is issued +that has a bio structure that resides on the stack. With virtually +mapped kernel stacks this bio address might be in virtual storage +which is unsuitable for usage with the diag250 call. +In this case the device can not be set online using the DIAG +discipline and fails with -EOPNOTSUP. +In the system journal the following error message is presented: + +dasd: X.X.XXXX Setting the DASD online with discipline DIAG failed +with rc=-95 + +Fix by allocating the bio structure instead of having it on the stack. + +Fixes: ce3dc447493f ("s390: add support for virtually mapped kernel stacks") +Signed-off-by: Stefan Haberland +Reviewed-by: Peter Oberparleiter +Cc: stable@vger.kernel.org #4.20 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd_diag.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/drivers/s390/block/dasd_diag.c ++++ b/drivers/s390/block/dasd_diag.c +@@ -319,7 +319,7 @@ dasd_diag_check_device(struct dasd_devic + struct dasd_diag_characteristics *rdc_data; + struct vtoc_cms_label *label; + struct dasd_block *block; +- struct dasd_diag_bio bio; ++ struct dasd_diag_bio *bio; + unsigned int sb, bsize; + blocknum_t end_block; + int rc; +@@ -395,29 +395,36 @@ dasd_diag_check_device(struct dasd_devic + rc = -ENOMEM; + goto out; + } ++ bio = kzalloc(sizeof(*bio), GFP_KERNEL); ++ if (bio == NULL) { ++ DBF_DEV_EVENT(DBF_WARNING, device, "%s", ++ "No memory to allocate initialization bio"); ++ rc = -ENOMEM; ++ goto out_label; ++ } + rc = 0; + end_block = 0; + /* try all sizes - needed for ECKD devices */ + for (bsize = 
512; bsize <= PAGE_SIZE; bsize <<= 1) { + mdsk_init_io(device, bsize, 0, &end_block); +- memset(&bio, 0, sizeof (struct dasd_diag_bio)); +- bio.type = MDSK_READ_REQ; +- bio.block_number = private->pt_block + 1; +- bio.buffer = label; ++ memset(bio, 0, sizeof(*bio)); ++ bio->type = MDSK_READ_REQ; ++ bio->block_number = private->pt_block + 1; ++ bio->buffer = label; + memset(&private->iob, 0, sizeof (struct dasd_diag_rw_io)); + private->iob.dev_nr = rdc_data->dev_nr; + private->iob.key = 0; + private->iob.flags = 0; /* do synchronous io */ + private->iob.block_count = 1; + private->iob.interrupt_params = 0; +- private->iob.bio_list = &bio; ++ private->iob.bio_list = bio; + private->iob.flaga = DASD_DIAG_FLAGA_DEFAULT; + rc = dia250(&private->iob, RW_BIO); + if (rc == 3) { + pr_warn("%s: A 64-bit DIAG call failed\n", + dev_name(&device->cdev->dev)); + rc = -EOPNOTSUPP; +- goto out_label; ++ goto out_bio; + } + mdsk_term_io(device); + if (rc == 0) +@@ -427,7 +434,7 @@ dasd_diag_check_device(struct dasd_devic + pr_warn("%s: Accessing the DASD failed because of an incorrect format (rc=%d)\n", + dev_name(&device->cdev->dev), rc); + rc = -EIO; +- goto out_label; ++ goto out_bio; + } + /* check for label block */ + if (memcmp(label->label_id, DASD_DIAG_CMS1, +@@ -457,6 +464,8 @@ dasd_diag_check_device(struct dasd_devic + (rc == 4) ? ", read-only device" : ""); + rc = 0; + } ++out_bio: ++ kfree(bio); + out_label: + free_page((long) label); + out: diff --git a/queue-5.8/s390-gmap-improve-thp-splitting.patch b/queue-5.8/s390-gmap-improve-thp-splitting.patch new file mode 100644 index 00000000000..aa23c5ea30b --- /dev/null +++ b/queue-5.8/s390-gmap-improve-thp-splitting.patch 
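Review bot: Any `goto out_label` that sits between the two shown hunks of dasd_diag_check_device (the lines after the `rc = -EIO` exit up to the `rc = 0` before the new `out_bio:` label, not visible here) would now skip `kfree(bio)` and leak the allocation, so it is worth confirming that the two retargeted jumps are the only exits after `bio` is allocated. The `memset(bio, 0, sizeof(*bio))` inside the loop makes the `kzalloc` zeroing redundant on the first pass but is still required for later iterations, so `kmalloc` would not be a simplification; a comment like `/* zeroed again per iteration: the DIAG call may modify the bio */` would record why both exist. dasd_diag_check_device starts before the hunk.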
@@ -0,0 +1,79 @@ +From ba925fa35057a062ac98c3e8138b013ce4ce351c Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Wed, 29 Jul 2020 22:22:34 +0200 +Subject: s390/gmap: improve THP splitting + +From: Gerald Schaefer + +commit ba925fa35057a062ac98c3e8138b013ce4ce351c upstream. + +During s390_enable_sie(), we need to take care of splitting all qemu user +process THP mappings. This is currently done with follow_page(FOLL_SPLIT), +by simply iterating over all vma ranges, with PAGE_SIZE increment. + +This logic is sub-optimal and can result in a lot of unnecessary overhead, +especially when using qemu and ASAN with large shadow map. Ilya reported +significant system slow-down with one CPU busy for a long time and overall +unresponsiveness. + +Fix this by using walk_page_vma() and directly calling split_huge_pmd() +only for present pmds, which greatly reduces overhead. + +Cc: # v5.4+ +Reported-by: Ilya Leoshkevich +Tested-by: Ilya Leoshkevich +Acked-by: Christian Borntraeger +Signed-off-by: Gerald Schaefer +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/mm/gmap.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -2485,23 +2485,36 @@ void gmap_sync_dirty_log_pmd(struct gmap + } + EXPORT_SYMBOL_GPL(gmap_sync_dirty_log_pmd); + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE ++static int thp_split_walk_pmd_entry(pmd_t *pmd, unsigned long addr, ++ unsigned long end, struct mm_walk *walk) ++{ ++ struct vm_area_struct *vma = walk->vma; ++ ++ split_huge_pmd(vma, pmd, addr); ++ return 0; ++} ++ ++static const struct mm_walk_ops thp_split_walk_ops = { ++ .pmd_entry = thp_split_walk_pmd_entry, ++}; ++ + static inline void thp_split_mm(struct mm_struct *mm) + { +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE + struct vm_area_struct *vma; +- unsigned long addr; + + for (vma = mm->mmap; vma != NULL; vma = vma->vm_next) { +- for (addr = vma->vm_start; +- addr < vma->vm_end; 
+- addr += PAGE_SIZE) +- follow_page(vma, addr, FOLL_SPLIT); + vma->vm_flags &= ~VM_HUGEPAGE; + vma->vm_flags |= VM_NOHUGEPAGE; ++ walk_page_vma(vma, &thp_split_walk_ops, NULL); + } + mm->def_flags |= VM_NOHUGEPAGE; +-#endif + } ++#else ++static inline void thp_split_mm(struct mm_struct *mm) ++{ ++} ++#endif /* CONFIG_TRANSPARENT_HUGEPAGE */ + + /* + * Remove all empty zero pages from the mapping for lazy refaulting diff --git a/queue-5.8/s390-numa-set-node-distance-to-local_distance.patch b/queue-5.8/s390-numa-set-node-distance-to-local_distance.patch new file mode 100644 index 00000000000..66904d05245 --- /dev/null +++ b/queue-5.8/s390-numa-set-node-distance-to-local_distance.patch @@ -0,0 +1,39 @@ +From 535e4fc623fab2e09a0653fc3a3e17f382ad0251 Mon Sep 17 00:00:00 2001 +From: Alexander Gordeev +Date: Tue, 4 Aug 2020 20:35:49 +0200 +Subject: s390/numa: set node distance to LOCAL_DISTANCE + +From: Alexander Gordeev + +commit 535e4fc623fab2e09a0653fc3a3e17f382ad0251 upstream. + +The node distance is hardcoded to 0, which causes a trouble +for some user-level applications. In particular, "libnuma" +expects the distance of a node to itself as LOCAL_DISTANCE. +This update removes the offending node distance override. + +Cc: # 4.4 +Fixes: 3a368f742da1 ("s390/numa: add core infrastructure") +Signed-off-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/topology.h | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/arch/s390/include/asm/topology.h ++++ b/arch/s390/include/asm/topology.h +@@ -86,12 +86,6 @@ static inline const struct cpumask *cpum + + #define pcibus_to_node(bus) __pcibus_to_node(bus) + +-#define node_distance(a, b) __node_distance(a, b) +-static inline int __node_distance(int a, int b) +-{ +- return 0; +-} +- + #else /* !CONFIG_NUMA */ + + #define numa_node_id numa_node_id diff --git a/queue-5.8/series b/queue-5.8/series index 1d9681c7e8e..40d2c42bbdf 100644 --- a/queue-5.8/series 
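Review bot: thp_split_walk_pmd_entry calls split_huge_pmd() on every pmd the walker hands it without checking pmd_trans_huge() itself, so it relies on split_huge_pmd() being a no-op for non-huge entries and on the page walker presumably routing pmd_none() entries to pte_hole rather than pmd_entry; neither is visible here, and the "only for present pmds" claim in the commit message deserves a comment on the callback, e.g. `/* split_huge_pmd() is a no-op for non-THP pmds; pmd_none() entries never reach pmd_entry */`. The return value of walk_page_vma() is discarded in thp_split_mm; since the only callback always returns 0 that is harmless, but a short comment would record the assumption. Both functions are fully contained in the hunk.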
+++ b/queue-5.8/series @@ -450,3 +450,11 @@ arm-8992-1-fix-unwind_frame-for-clang-built-kernels.patch firmware-qcom_scm-fix-legacy-convention-scm-accessors.patch irqdomain-treewide-free-firmware-node-after-domain-removal.patch firmware_loader-efi-firmware-loader-must-handle-pre-allocated-buffer.patch +xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch +xen-balloon-make-the-balloon-wait-interruptible.patch +xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch +drm-xen-front-fix-misused-is_err_or_null-checks.patch +s390-dasd-fix-inability-to-use-dasd-with-diag-driver.patch +s390-numa-set-node-distance-to-local_distance.patch +s390-gmap-improve-thp-splitting.patch +io_uring-fix-null-pointer-dereference-in-loop_rw_iter.patch diff --git a/queue-5.8/xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch b/queue-5.8/xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch new file mode 100644 index 00000000000..716e3b5a82d --- /dev/null +++ b/queue-5.8/xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch 
@@ -0,0 +1,43 @@ +From 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne +Date: Mon, 27 Jul 2020 11:13:39 +0200 +Subject: xen/balloon: fix accounting in alloc_xenballooned_pages error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +commit 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 upstream. + +target_unpopulated is incremented with nr_pages at the start of the +function, but the call to free_xenballooned_pages will only subtract +pgno number of pages, and thus the rest need to be subtracted before +returning or else accounting will be skewed. + +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200727091342.52325-2-roger.pau@citrix.com +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/balloon.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -630,6 +630,12 @@ int alloc_xenballooned_pages(int nr_page + out_undo: + mutex_unlock(&balloon_mutex); + free_xenballooned_pages(pgno, pages); ++ /* ++ * NB: free_xenballooned_pages will only subtract pgno pages, but since ++ * target_unpopulated is incremented with nr_pages at the start we need ++ * to remove the remaining ones also, or accounting will be screwed. ++ */ ++ balloon_stats.target_unpopulated -= nr_pages - pgno; + return ret; + } + EXPORT_SYMBOL(alloc_xenballooned_pages); diff --git a/queue-5.8/xen-balloon-make-the-balloon-wait-interruptible.patch b/queue-5.8/xen-balloon-make-the-balloon-wait-interruptible.patch new file mode 100644 index 00000000000..87024c4a662 --- /dev/null +++ b/queue-5.8/xen-balloon-make-the-balloon-wait-interruptible.patch 
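Review bot: The added `balloon_stats.target_unpopulated -= nr_pages - pgno;` runs after the `mutex_unlock(&balloon_mutex)` two lines above it, so this read-modify-write on the counter happens without the lock that presumably guards the increment at the top of the function (not visible here). If target_unpopulated is mutex-protected elsewhere, the adjustment should move under the lock (before the unlock, or re-taking it around the subtraction); if the unlocked update is intentional, the new comment should say so. alloc_xenballooned_pages starts outside the hunk.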
@@ -0,0 +1,44 @@ +From 88a479ff6ef8af7f07e11593d58befc644244ff7 Mon Sep 17 00:00:00 2001 +From: Roger Pau Monne +Date: Mon, 27 Jul 2020 11:13:40 +0200 +Subject: xen/balloon: make the balloon wait interruptible +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Roger Pau Monne + +commit 88a479ff6ef8af7f07e11593d58befc644244ff7 upstream. + +So it can be killed, or else processes can get hung indefinitely +waiting for balloon pages. + +Signed-off-by: Roger Pau Monné +Reviewed-by: Juergen Gross +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200727091342.52325-3-roger.pau@citrix.com +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/balloon.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -568,11 +568,13 @@ static int add_ballooned_pages(int nr_pa + if (xen_hotplug_unpopulated) { + st = reserve_additional_memory(); + if (st != BP_ECANCELED) { ++ int rc; ++ + mutex_unlock(&balloon_mutex); +- wait_event(balloon_wq, ++ rc = wait_event_interruptible(balloon_wq, + !list_empty(&ballooned_pages)); + mutex_lock(&balloon_mutex); +- return 0; ++ return rc ? -ENOMEM : 0; + } + } + diff --git a/queue-5.8/xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch b/queue-5.8/xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch new file mode 100644 index 00000000000..744c714a891 --- /dev/null +++ b/queue-5.8/xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch 
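Review bot: `return rc ? -ENOMEM : 0;` folds the `-ERESTARTSYS` from wait_event_interruptible() into `-ENOMEM`, so a caller cannot tell a pending signal from a genuine shortage of balloon pages and will not restart the call. Unless the callers of add_ballooned_pages (outside the hunk) require that specific errno, `return rc;` would preserve the information; if -ENOMEM is deliberate, a comment such as `/* a signal while waiting is reported as -ENOMEM; callers treat any error as "no pages" */` would make the choice explicit. add_ballooned_pages starts before the hunk and continues after it.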
@@ -0,0 +1,43 @@ +From 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b Mon Sep 17 00:00:00 2001 +From: Oleksandr Andrushchenko +Date: Thu, 13 Aug 2020 09:21:09 +0300 +Subject: xen/gntdev: Fix dmabuf import with non-zero sgt offset + +From: Oleksandr Andrushchenko + +commit 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b upstream. + +It is possible that the scatter-gather table during dmabuf import has +non-zero offset of the data, but user-space doesn't expect that. +Fix this by failing the import, so user-space doesn't access wrong data. + +Fixes: bf8dc55b1358 ("xen/gntdev: Implement dma-buf import functionality") + +Signed-off-by: Oleksandr Andrushchenko +Acked-by: Juergen Gross +Cc: +Link: https://lore.kernel.org/r/20200813062113.11030-2-andr2000@gmail.com +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/gntdev-dmabuf.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/xen/gntdev-dmabuf.c ++++ b/drivers/xen/gntdev-dmabuf.c +@@ -613,6 +613,14 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_ + goto fail_detach; + } + ++ /* Check that we have zero offset. */ ++ if (sgt->sgl->offset) { ++ ret = ERR_PTR(-EINVAL); ++ pr_debug("DMA buffer has %d bytes offset, user-space expects 0\n", ++ sgt->sgl->offset); ++ goto fail_unmap; ++ } ++ + /* Check number of pages that imported buffer has. */ + if (attach->dmabuf->size != gntdev_dmabuf->nr_pages << PAGE_SHIFT) { + ret = ERR_PTR(-EINVAL); -- 2.47.3
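Review bot: The new check inspects only `sgt->sgl->offset`, the first scatterlist entry; if later entries of the imported table can carry a non-zero offset (not visible here), user-space would still be handed misaligned data, so either confirm that the importer requires a single contiguous region or walk the whole table with `for_each_sg()` and reject any entry whose offset is non-zero. Separately, `struct scatterlist::offset` is an `unsigned int`, so `%u` rather than `%d` matches the `pr_debug` argument. dmabuf_imp_to_refs starts before the hunk and continues after it.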