--- /dev/null
+From cfd312695b71df04c3a2597859ff12c470d1e2e4 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 1 Oct 2021 13:48:18 +0100
+Subject: btrfs: check for error when looking up inode during dir entry replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit cfd312695b71df04c3a2597859ff12c470d1e2e4 upstream.
+
+At replay_one_name(), we are treating any error from btrfs_lookup_inode()
+as if the inode does not exists. Fix this by checking for an error and
+returning it to the caller.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1949,8 +1949,8 @@ static noinline int replay_one_name(stru
+ struct btrfs_key log_key;
+ struct inode *dir;
+ u8 log_type;
+- int exists;
+- int ret = 0;
++ bool exists;
++ int ret;
+ bool update_size = (key->type == BTRFS_DIR_INDEX_KEY);
+ bool name_added = false;
+
+@@ -1970,12 +1970,12 @@ static noinline int replay_one_name(stru
+ name_len);
+
+ btrfs_dir_item_key_to_cpu(eb, di, &log_key);
+- exists = btrfs_lookup_inode(trans, root, path, &log_key, 0);
+- if (exists == 0)
+- exists = 1;
+- else
+- exists = 0;
++ ret = btrfs_lookup_inode(trans, root, path, &log_key, 0);
+ btrfs_release_path(path);
++ if (ret < 0)
++ goto out;
++ exists = (ret == 0);
++ ret = 0;
+
+ if (key->type == BTRFS_DIR_ITEM_KEY) {
+ dst_di = btrfs_lookup_dir_item(trans, root, path, key->objectid,
--- /dev/null
+From 52db77791fe24538c8aa2a183248399715f6b380 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 1 Oct 2021 13:52:32 +0100
+Subject: btrfs: deal with errors when adding inode reference during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 52db77791fe24538c8aa2a183248399715f6b380 upstream.
+
+At __inode_add_ref(), we treating any error returned from
+btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning
+that there is no existing directory entry in the fs/subvolume tree.
+This is not correct since we can get errors such as, for example, -EIO
+when reading extent buffers while searching the fs/subvolume's btree.
+
+So fix that and return the error to the caller when it is not -ENOENT.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1160,7 +1160,10 @@ next:
+ /* look for a conflicting sequence number */
+ di = btrfs_lookup_dir_index_item(trans, root, path, btrfs_ino(dir),
+ ref_index, name, namelen, 0);
+- if (di && !IS_ERR(di)) {
++ if (IS_ERR(di)) {
++ if (PTR_ERR(di) != -ENOENT)
++ return PTR_ERR(di);
++ } else if (di) {
+ ret = drop_one_dir_item(trans, root, path, dir, di);
+ if (ret)
+ return ret;
+@@ -1170,7 +1173,9 @@ next:
+ /* look for a conflicting name */
+ di = btrfs_lookup_dir_item(trans, root, path, btrfs_ino(dir),
+ name, namelen, 0);
+- if (di && !IS_ERR(di)) {
++ if (IS_ERR(di)) {
++ return PTR_ERR(di);
++ } else if (di) {
+ ret = drop_one_dir_item(trans, root, path, dir, di);
+ if (ret)
+ return ret;
--- /dev/null
+From e15ac6413745e3def00e663de00aea5a717311c1 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 1 Oct 2021 13:52:31 +0100
+Subject: btrfs: deal with errors when replaying dir entry during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit e15ac6413745e3def00e663de00aea5a717311c1 upstream.
+
+At replay_one_one(), we are treating any error returned from
+btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning
+that there is no existing directory entry in the fs/subvolume tree.
+This is not correct since we can get errors such as, for example, -EIO
+when reading extent buffers while searching the fs/subvolume's btree.
+
+So fix that and return the error to the caller when it is not -ENOENT.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1985,7 +1985,14 @@ static noinline int replay_one_name(stru
+ ret = -EINVAL;
+ goto out;
+ }
+- if (IS_ERR_OR_NULL(dst_di)) {
++
++ if (dst_di == ERR_PTR(-ENOENT))
++ dst_di = NULL;
++
++ if (IS_ERR(dst_di)) {
++ ret = PTR_ERR(dst_di);
++ goto out;
++ } else if (!dst_di) {
+ /* we need a sequence number to insert, so we only
+ * do inserts for the BTRFS_DIR_INDEX_KEY types
+ */
--- /dev/null
+From 19ea40dddf1833db868533958ca066f368862211 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 14 Sep 2021 14:57:59 +0800
+Subject: btrfs: unlock newly allocated extent buffer after error
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 19ea40dddf1833db868533958ca066f368862211 upstream.
+
+[BUG]
+There is a bug report that injected ENOMEM error could leave a tree
+block locked while we return to user-space:
+
+ BTRFS info (device loop0): enabling ssd optimizations
+ FAULT_INJECTION: forcing a failure.
+ name failslab, interval 1, probability 0, space 0, times 0
+ CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+ rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
+ fail_dump lib/fault-inject.c:52 [inline]
+ should_fail+0x13c/0x160 lib/fault-inject.c:146
+ should_failslab+0x5/0x10 mm/slab_common.c:1328
+ slab_pre_alloc_hook.constprop.99+0x4e/0xc0 mm/slab.h:494
+ slab_alloc_node mm/slub.c:3120 [inline]
+ slab_alloc mm/slub.c:3214 [inline]
+ kmem_cache_alloc+0x44/0x280 mm/slub.c:3219
+ btrfs_alloc_delayed_extent_op fs/btrfs/delayed-ref.h:299 [inline]
+ btrfs_alloc_tree_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833
+ __btrfs_cow_block+0x16f/0x7d0 fs/btrfs/ctree.c:415
+ btrfs_cow_block+0x12a/0x300 fs/btrfs/ctree.c:570
+ btrfs_search_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768
+ btrfs_insert_empty_items+0x80/0xf0 fs/btrfs/ctree.c:3905
+ btrfs_new_inode+0x311/0xa60 fs/btrfs/inode.c:6530
+ btrfs_create+0x12b/0x270 fs/btrfs/inode.c:6783
+ lookup_open+0x660/0x780 fs/namei.c:3282
+ open_last_lookups fs/namei.c:3352 [inline]
+ path_openat+0x465/0xe20 fs/namei.c:3557
+ do_filp_open+0xe3/0x170 fs/namei.c:3588
+ do_sys_openat2+0x357/0x4a0 fs/open.c:1200
+ do_sys_open+0x87/0xd0 fs/open.c:1216
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x46ae99
+ Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
+ 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
+ 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+ RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
+ RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99
+ RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800
+ RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017
+ R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0
+
+ ================================================
+ WARNING: lock held when returning to user space!
+ 5.15.0-rc1 #16 Not tainted
+ ------------------------------------------------
+ syz-executor/7579 is leaving the kernel with locks still held!
+ 1 lock held by syz-executor/7579:
+ #0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at:
+ __btrfs_tree_lock+0x2e/0x1a0 fs/btrfs/locking.c:112
+
+[CAUSE]
+In btrfs_alloc_tree_block(), after btrfs_init_new_buffer(), the new
+extent buffer @buf is locked, but if later operations like adding
+delayed tree ref fail, we just free @buf without unlocking it,
+resulting above warning.
+
+[FIX]
+Unlock @buf in out_free_buf: label.
+
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/CACkBjsZ9O6Zr0KK1yGn=1rQi6Crh1yeCRdTSBxx9R99L4xdn-Q@mail.gmail.com/
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4596,6 +4596,7 @@ struct extent_buffer *btrfs_alloc_tree_b
+ out_free_delayed:
+ btrfs_free_delayed_extent_op(extent_op);
+ out_free_buf:
++ btrfs_tree_unlock(buf);
+ free_extent_buffer(buf);
+ out_free_reserved:
+ btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 0);
--- /dev/null
+From fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 24 Sep 2021 00:35:42 +0000
+Subject: csky: don't let sigreturn play with priveleged bits of status register
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f upstream.
+
+csky restore_sigcontext() blindly overwrites regs->sr with the value
+it finds in sigcontext. Attacker can store whatever they want in there,
+which includes things like S-bit. Userland shouldn't be able to set
+that, or anything other than C flag (bit 0).
+
+Do the same thing other architectures with protected bits in flags
+register do - preserve everything that shouldn't be settable in
+user mode, picking the rest from the value saved is sigcontext.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Guo Ren <guoren@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/csky/kernel/signal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/csky/kernel/signal.c
++++ b/arch/csky/kernel/signal.c
+@@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt
+ struct sigcontext __user *sc)
+ {
+ int err = 0;
++ unsigned long sr = regs->sr;
+
+ /* sc_pt_regs is structured the same as the start of pt_regs */
+ err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs));
+
++ /* BIT(0) of regs->sr is Condition Code/Carry bit */
++ regs->sr = (sr & ~1) | (regs->sr & 1);
++
+ /* Restore the floating-point state. */
+ err |= restore_fpu_state(sc);
+
--- /dev/null
+From af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 Mon Sep 17 00:00:00 2001
+From: Guo Ren <guoren@linux.alibaba.com>
+Date: Fri, 24 Sep 2021 15:33:38 +0800
+Subject: csky: Fixup regs.sr broken in ptrace
+
+From: Guo Ren <guoren@linux.alibaba.com>
+
+commit af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 upstream.
+
+gpr_get() return the entire pt_regs (include sr) to userspace, if we
+don't restore the C bit in gpr_set, it may break the ALU result in
+that context. So the C flag bit is part of gpr context, that's why
+riscv totally remove the C bit in the ISA. That makes sr reg clear
+from userspace to supervisor privilege.
+
+Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/csky/kernel/ptrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/csky/kernel/ptrace.c
++++ b/arch/csky/kernel/ptrace.c
+@@ -96,7 +96,8 @@ static int gpr_set(struct task_struct *t
+ if (ret)
+ return ret;
+
+- regs.sr = task_pt_regs(target)->sr;
++ /* BIT(0) of regs.sr is Condition Code/Carry bit */
++ regs.sr = (regs.sr & BIT(0)) | (task_pt_regs(target)->sr & ~BIT(0));
+ #ifdef CONFIG_CPU_HAS_HILO
+ regs.dcsr = task_pt_regs(target)->dcsr;
+ #endif
--- /dev/null
+From be358af1191b1b2fedebd8f3421cafdc8edacc7d Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 14 Oct 2021 14:35:07 -0400
+Subject: nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^'
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit be358af1191b1b2fedebd8f3421cafdc8edacc7d upstream.
+
+I received a build failure for a new patch I'm working on the nds32
+architecture, and when I went to test it, I couldn't get to my build error,
+because it failed to build with a bunch of:
+
+ Error: invalid operands (*UND* and *UND* sections) for `^'
+
+issues with various files. Those files were temporary asm files that looked
+like: kernel/.tmp_mc_fork.s
+
+I decided to look deeper, and found that the "mc" portion of that name
+stood for "mcount", and was created by the recordmcount.pl script. One that
+I wrote over a decade ago. Once I knew the source of the problem, I was
+able to investigate it further.
+
+The way the recordmcount.pl script works (BTW, there's a C version that
+simply modifies the ELF object) is by doing an "objdump" on the object
+file. Looks for all the calls to "mcount", and creates an offset of those
+locations from some global variable it can use (usually a global function
+name, found with <.*>:). Creates a asm file that is a table of references
+to these locations, using the found variable/function. Compiles it and
+links it back into the original object file. This asm file is called
+".tmp_mc_<object_base_name>.s".
+
+The problem here is that the objdump produced by the nds32 object file,
+contains things that look like:
+
+ 0000159a <.L3^B1>:
+ 159a: c6 00 beqz38 $r6, 159a <.L3^B1>
+ 159a: R_NDS32_9_PCREL_RELA .text+0x159e
+ 159c: 84 d2 movi55 $r6, #-14
+ 159e: 80 06 mov55 $r0, $r6
+ 15a0: ec 3c addi10.sp #0x3c
+
+Where ".L3^B1 is somehow selected as the "global" variable to index off of.
+
+Then the assembly file that holds the mcount locations looks like this:
+
+ .section __mcount_loc,"a",@progbits
+ .align 2
+ .long .L3^B1 + -5522
+ .long .L3^B1 + -5384
+ .long .L3^B1 + -5270
+ .long .L3^B1 + -5098
+ .long .L3^B1 + -4970
+ .long .L3^B1 + -4758
+ .long .L3^B1 + -4122
+ [...]
+
+And when it is compiled back to an object to link to the original object,
+the compile fails on the "^" symbol.
+
+Simple solution for now, is to have the perl script ignore using function
+symbols that have an "^" in the name.
+
+Link: https://lkml.kernel.org/r/20211014143507.4ad2c0f7@gandalf.local.home
+
+Cc: stable@vger.kernel.org
+Acked-by: Greentime Hu <green.hu@gmail.com>
+Fixes: fbf58a52ac088 ("nds32/ftrace: Add RECORD_MCOUNT support")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/recordmcount.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -222,7 +222,7 @@ if ($arch =~ /(x86(_64)?)|(i386)/) {
+ $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\S+)";
+ $weak_regex = "^[0-9a-fA-F]+\\s+([wW])\\s+(\\S+)";
+ $section_regex = "Disassembly of section\\s+(\\S+):";
+-$function_regex = "^([0-9a-fA-F]+)\\s+<(.*?)>:";
++$function_regex = "^([0-9a-fA-F]+)\\s+<([^^]*?)>:";
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s(mcount|__fentry__)\$";
+ $section_type = '@progbits';
+ $mcount_adjust = 0;
--- /dev/null
+From 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Tue, 5 Oct 2021 14:08:36 +0200
+Subject: s390: fix strrchr() implementation
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d upstream.
+
+Fix two problems found in the strrchr() implementation for s390
+architectures: evaluate empty strings (return the string address instead of
+NULL, if '\0' is passed as second argument); evaluate the first character
+of non-empty strings (the current implementation stops at the second).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reported-by: Heiko Carstens <hca@linux.ibm.com> (incorrect behavior with empty strings)
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Link: https://lore.kernel.org/r/20211005120836.60630-1-roberto.sassu@huawei.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/lib/string.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/lib/string.c
++++ b/arch/s390/lib/string.c
+@@ -246,14 +246,13 @@ EXPORT_SYMBOL(strcmp);
+ #ifdef __HAVE_ARCH_STRRCHR
+ char *strrchr(const char *s, int c)
+ {
+- size_t len = __strend(s) - s;
++ ssize_t len = __strend(s) - s;
+
+- if (len)
+- do {
+- if (s[len] == (char) c)
+- return (char *) s + len;
+- } while (--len > 0);
+- return NULL;
++ do {
++ if (s[len] == (char)c)
++ return (char *)s + len;
++ } while (--len >= 0);
++ return NULL;
+ }
+ EXPORT_SYMBOL(strrchr);
+ #endif
alsa-hda-realtek-add-quirk-for-clevo-x170km-g.patch
alsa-hda-realtek-alc236-headset-mic-recording-issue.patch
alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch
+nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch
+s390-fix-strrchr-implementation.patch
+csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch
+csky-fixup-regs.sr-broken-in-ptrace.patch
+btrfs-unlock-newly-allocated-extent-buffer-after-error.patch
+btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch
+btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch
+btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
