--- /dev/null
+From 47912eaa061a6a81e4aa790591a1874c650733c0 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 21 Jul 2022 16:06:18 +0200
+Subject: fuse: limit nsec
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 47912eaa061a6a81e4aa790591a1874c650733c0 upstream.
+
+Limit nanoseconds to 0..999999999.
+
+Fixes: d8a5ba45457e ("[PATCH] FUSE - core")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -174,6 +174,12 @@ void fuse_change_attributes_common(struc
+ inode->i_uid = make_kuid(fc->user_ns, attr->uid);
+ inode->i_gid = make_kgid(fc->user_ns, attr->gid);
+ inode->i_blocks = attr->blocks;
++
++ /* Sanitize nsecs */
++ attr->atimensec = min_t(u32, attr->atimensec, NSEC_PER_SEC - 1);
++ attr->mtimensec = min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1);
++ attr->ctimensec = min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1);
++
+ inode->i_atime.tv_sec = attr->atime;
+ inode->i_atime.tv_nsec = attr->atimensec;
+ /* mtime from server may be stale due to local buffered write */
--- /dev/null
+From e5a16a5c4602c119262f350274021f90465f479d Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <alexandr.lobakin@intel.com>
+Date: Fri, 24 Jun 2022 14:13:05 +0200
+Subject: ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()
+
+From: Alexander Lobakin <alexandr.lobakin@intel.com>
+
+commit e5a16a5c4602c119262f350274021f90465f479d upstream.
+
+test_bit(), as any other bitmap op, takes `unsigned long *` as a
+second argument (pointer to the actual bitmap), as any bitmap
+itself is an array of unsigned longs. However, the ia64_get_irr()
+code passes a ref to `u64` as a second argument.
+This works with the ia64 bitops implementation due to that they
+have `void *` as the second argument and then cast it later on.
+This works with the bitmap API itself due to that `unsigned long`
+has the same size on ia64 as `u64` (`unsigned long long`), but
+from the compiler PoV those two are different.
+Define @irr as `unsigned long` to fix that. That implies no
+functional changes. Has been hidden for 16 years!
+
+Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations")
+Cc: stable@vger.kernel.org # 2.6.16+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Yury Norov <yury.norov@gmail.com>
+Signed-off-by: Yury Norov <yury.norov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/ia64/include/asm/processor.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/ia64/include/asm/processor.h
++++ b/arch/ia64/include/asm/processor.h
+@@ -552,7 +552,7 @@ ia64_get_irr(unsigned int vector)
+ {
+ unsigned int reg = vector / 64;
+ unsigned int bit = vector % 64;
+- u64 irr;
++ unsigned long irr;
+
+ switch (reg) {
+ case 0: irr = ia64_getreg(_IA64_REG_CR_IRR0); break;
--- /dev/null
+From 3dc96bba65f53daa217f0a8f43edad145286a8f5 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 12 Jul 2022 12:54:21 +0200
+Subject: mbcache: add functions to delete entry if unused
+
+From: Jan Kara <jack@suse.cz>
+
+commit 3dc96bba65f53daa217f0a8f43edad145286a8f5 upstream.
+
+Add function mb_cache_entry_delete_or_get() to delete mbcache entry if
+it is unused and also add a function to wait for entry to become unused
+- mb_cache_entry_wait_unused(). We do not share code between the two
+deleting function as one of them will go away soon.
+
+CC: stable@vger.kernel.org
+Fixes: 82939d7999df ("ext4: convert to mbcache2")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220712105436.32204-2-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/mbcache.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++--
+ include/linux/mbcache.h | 10 ++++++-
+ 2 files changed, 73 insertions(+), 3 deletions(-)
+
+--- a/fs/mbcache.c
++++ b/fs/mbcache.c
+@@ -10,7 +10,7 @@
+ /*
+ * Mbcache is a simple key-value store. Keys need not be unique, however
+ * key-value pairs are expected to be unique (we use this fact in
+- * mb_cache_entry_delete()).
++ * mb_cache_entry_delete_or_get()).
+ *
+ * Ext2 and ext4 use this cache for deduplication of extended attribute blocks.
+ * Ext4 also uses it for deduplication of xattr values stored in inodes.
+@@ -124,6 +124,19 @@ void __mb_cache_entry_free(struct mb_cac
+ }
+ EXPORT_SYMBOL(__mb_cache_entry_free);
+
++/*
++ * mb_cache_entry_wait_unused - wait to be the last user of the entry
++ *
++ * @entry - entry to work on
++ *
++ * Wait to be the last user of the entry.
++ */
++void mb_cache_entry_wait_unused(struct mb_cache_entry *entry)
++{
++ wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 3);
++}
++EXPORT_SYMBOL(mb_cache_entry_wait_unused);
++
+ static struct mb_cache_entry *__entry_find(struct mb_cache *cache,
+ struct mb_cache_entry *entry,
+ u32 key)
+@@ -216,7 +229,7 @@ out:
+ }
+ EXPORT_SYMBOL(mb_cache_entry_get);
+
+-/* mb_cache_entry_delete - remove a cache entry
++/* mb_cache_entry_delete - try to remove a cache entry
+ * @cache - cache we work with
+ * @key - key
+ * @value - value
+@@ -253,6 +266,55 @@ void mb_cache_entry_delete(struct mb_cac
+ }
+ EXPORT_SYMBOL(mb_cache_entry_delete);
+
++/* mb_cache_entry_delete_or_get - remove a cache entry if it has no users
++ * @cache - cache we work with
++ * @key - key
++ * @value - value
++ *
++ * Remove entry from cache @cache with key @key and value @value. The removal
++ * happens only if the entry is unused. The function returns NULL in case the
++ * entry was successfully removed or there's no entry in cache. Otherwise the
++ * function grabs reference of the entry that we failed to delete because it
++ * still has users and return it.
++ */
++struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
++ u32 key, u64 value)
++{
++ struct hlist_bl_node *node;
++ struct hlist_bl_head *head;
++ struct mb_cache_entry *entry;
++
++ head = mb_cache_entry_head(cache, key);
++ hlist_bl_lock(head);
++ hlist_bl_for_each_entry(entry, node, head, e_hash_list) {
++ if (entry->e_key == key && entry->e_value == value) {
++ if (atomic_read(&entry->e_refcnt) > 2) {
++ atomic_inc(&entry->e_refcnt);
++ hlist_bl_unlock(head);
++ return entry;
++ }
++ /* We keep hash list reference to keep entry alive */
++ hlist_bl_del_init(&entry->e_hash_list);
++ hlist_bl_unlock(head);
++ spin_lock(&cache->c_list_lock);
++ if (!list_empty(&entry->e_list)) {
++ list_del_init(&entry->e_list);
++ if (!WARN_ONCE(cache->c_entry_count == 0,
++ "mbcache: attempt to decrement c_entry_count past zero"))
++ cache->c_entry_count--;
++ atomic_dec(&entry->e_refcnt);
++ }
++ spin_unlock(&cache->c_list_lock);
++ mb_cache_entry_put(cache, entry);
++ return NULL;
++ }
++ }
++ hlist_bl_unlock(head);
++
++ return NULL;
++}
++EXPORT_SYMBOL(mb_cache_entry_delete_or_get);
++
+ /* mb_cache_entry_touch - cache entry got used
+ * @cache - cache the entry belongs to
+ * @entry - entry that got used
+--- a/include/linux/mbcache.h
++++ b/include/linux/mbcache.h
+@@ -30,15 +30,23 @@ void mb_cache_destroy(struct mb_cache *c
+ int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
+ u64 value, bool reusable);
+ void __mb_cache_entry_free(struct mb_cache_entry *entry);
++void mb_cache_entry_wait_unused(struct mb_cache_entry *entry);
+ static inline int mb_cache_entry_put(struct mb_cache *cache,
+ struct mb_cache_entry *entry)
+ {
+- if (!atomic_dec_and_test(&entry->e_refcnt))
++ unsigned int cnt = atomic_dec_return(&entry->e_refcnt);
++
++ if (cnt > 0) {
++ if (cnt <= 3)
++ wake_up_var(&entry->e_refcnt);
+ return 0;
++ }
+ __mb_cache_entry_free(entry);
+ return 1;
+ }
+
++struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
++ u32 key, u64 value);
+ void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value);
+ struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key,
+ u64 value);
--- /dev/null
+From 58318914186c157477b978b1739dfe2f1b9dc0fe Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 12 Jul 2022 12:54:20 +0200
+Subject: mbcache: don't reclaim used entries
+
+From: Jan Kara <jack@suse.cz>
+
+commit 58318914186c157477b978b1739dfe2f1b9dc0fe upstream.
+
+Do not reclaim entries that are currently used by somebody from a
+shrinker. Firstly, these entries are likely useful. Secondly, we will
+need to keep such entries to protect pending increment of xattr block
+refcount.
+
+CC: stable@vger.kernel.org
+Fixes: 82939d7999df ("ext4: convert to mbcache2")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/mbcache.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/mbcache.c
++++ b/fs/mbcache.c
+@@ -287,7 +287,7 @@ static unsigned long mb_cache_shrink(str
+ while (nr_to_scan-- && !list_empty(&cache->c_list)) {
+ entry = list_first_entry(&cache->c_list,
+ struct mb_cache_entry, e_list);
+- if (entry->e_referenced) {
++ if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) {
+ entry->e_referenced = 0;
+ list_move_tail(&entry->e_list, &cache->c_list);
+ continue;
+@@ -301,6 +301,14 @@ static unsigned long mb_cache_shrink(str
+ spin_unlock(&cache->c_list_lock);
+ head = mb_cache_entry_head(cache, entry->e_key);
+ hlist_bl_lock(head);
++ /* Now a reliable check if the entry didn't get used... */
++ if (atomic_read(&entry->e_refcnt) > 2) {
++ hlist_bl_unlock(head);
++ spin_lock(&cache->c_list_lock);
++ list_add_tail(&entry->e_list, &cache->c_list);
++ cache->c_entry_count++;
++ continue;
++ }
+ if (!hlist_bl_unhashed(&entry->e_hash_list)) {
+ hlist_bl_del_init(&entry->e_hash_list);
+ atomic_dec(&entry->e_refcnt);
--- /dev/null
+From d17f744e883b2f8d13cca252d71cfe8ace346f7d Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 26 Jul 2022 04:33:12 -0400
+Subject: md-raid10: fix KASAN warning
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d17f744e883b2f8d13cca252d71cfe8ace346f7d upstream.
+
+There's a KASAN warning in raid10_remove_disk when running the lvm
+test lvconvert-raid-reshape.sh. We fix this warning by verifying that the
+value "number" is valid.
+
+BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10]
+Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682
+
+CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x34/0x44
+ print_report.cold+0x45/0x57a
+ ? __lock_text_start+0x18/0x18
+ ? raid10_remove_disk+0x61/0x2a0 [raid10]
+ kasan_report+0xa8/0xe0
+ ? raid10_remove_disk+0x61/0x2a0 [raid10]
+ raid10_remove_disk+0x61/0x2a0 [raid10]
+Buffer I/O error on dev dm-76, logical block 15344, async page read
+ ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0
+ remove_and_add_spares+0x367/0x8a0 [md_mod]
+ ? super_written+0x1c0/0x1c0 [md_mod]
+ ? mutex_trylock+0xac/0x120
+ ? _raw_spin_lock+0x72/0xc0
+ ? _raw_spin_lock_bh+0xc0/0xc0
+ md_check_recovery+0x848/0x960 [md_mod]
+ raid10d+0xcf/0x3360 [raid10]
+ ? sched_clock_cpu+0x185/0x1a0
+ ? rb_erase+0x4d4/0x620
+ ? var_wake_function+0xe0/0xe0
+ ? psi_group_change+0x411/0x500
+ ? preempt_count_sub+0xf/0xc0
+ ? _raw_spin_lock_irqsave+0x78/0xc0
+ ? __lock_text_start+0x18/0x18
+ ? raid10_sync_request+0x36c0/0x36c0 [raid10]
+ ? preempt_count_sub+0xf/0xc0
+ ? _raw_spin_unlock_irqrestore+0x19/0x40
+ ? del_timer_sync+0xa9/0x100
+ ? try_to_del_timer_sync+0xc0/0xc0
+ ? _raw_spin_lock_irqsave+0x78/0xc0
+ ? __lock_text_start+0x18/0x18
+ ? _raw_spin_unlock_irq+0x11/0x24
+ ? __list_del_entry_valid+0x68/0xa0
+ ? finish_wait+0xa3/0x100
+ md_thread+0x161/0x260 [md_mod]
+ ? unregister_md_personality+0xa0/0xa0 [md_mod]
+ ? _raw_spin_lock_irqsave+0x78/0xc0
+ ? prepare_to_wait_event+0x2c0/0x2c0
+ ? unregister_md_personality+0xa0/0xa0 [md_mod]
+ kthread+0x148/0x180
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x1f/0x30
+ </TASK>
+
+Allocated by task 124495:
+ kasan_save_stack+0x1e/0x40
+ __kasan_kmalloc+0x80/0xa0
+ setup_conf+0x140/0x5c0 [raid10]
+ raid10_run+0x4cd/0x740 [raid10]
+ md_run+0x6f9/0x1300 [md_mod]
+ raid_ctr+0x2531/0x4ac0 [dm_raid]
+ dm_table_add_target+0x2b0/0x620 [dm_mod]
+ table_load+0x1c8/0x400 [dm_mod]
+ ctl_ioctl+0x29e/0x560 [dm_mod]
+ dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
+ __do_compat_sys_ioctl+0xfa/0x160
+ do_syscall_64+0x90/0xc0
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Last potentially related work creation:
+ kasan_save_stack+0x1e/0x40
+ __kasan_record_aux_stack+0x9e/0xc0
+ kvfree_call_rcu+0x84/0x480
+ timerfd_release+0x82/0x140
+L __fput+0xfa/0x400
+ task_work_run+0x80/0xc0
+ exit_to_user_mode_prepare+0x155/0x160
+ syscall_exit_to_user_mode+0x12/0x40
+ do_syscall_64+0x42/0xc0
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x1e/0x40
+ __kasan_record_aux_stack+0x9e/0xc0
+ kvfree_call_rcu+0x84/0x480
+ timerfd_release+0x82/0x140
+ __fput+0xfa/0x400
+ task_work_run+0x80/0xc0
+ exit_to_user_mode_prepare+0x155/0x160
+ syscall_exit_to_user_mode+0x12/0x40
+ do_syscall_64+0x42/0xc0
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+The buggy address belongs to the object at ffff889108f3d200
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 0 bytes to the right of
+ 256-byte region [ffff889108f3d200, ffff889108f3d300)
+
+The buggy address belongs to the physical page:
+page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c
+head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0
+flags: 0x4000000000010200(slab|head|zone=2)
+raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40
+raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1863,9 +1863,12 @@ static int raid10_remove_disk(struct mdd
+ int err = 0;
+ int number = rdev->raid_disk;
+ struct md_rdev **rdevp;
+- struct raid10_info *p = conf->mirrors + number;
++ struct raid10_info *p;
+
+ print_conf(conf);
++ if (unlikely(number >= mddev->raid_disks))
++ return 0;
++ p = conf->mirrors + number;
+ if (rdev == p->rdev)
+ rdevp = &p->rdev;
+ else if (rdev == p->replacement)
--- /dev/null
+From a7209541239e5dd44d981289e5f9059222d40fd1 Mon Sep 17 00:00:00 2001
+From: Narendra Hadke <nhadke@marvell.com>
+Date: Tue, 26 Jul 2022 11:12:21 +0200
+Subject: serial: mvebu-uart: uart2 error bits clearing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Narendra Hadke <nhadke@marvell.com>
+
+commit a7209541239e5dd44d981289e5f9059222d40fd1 upstream.
+
+For mvebu uart2, error bits are not cleared on buffer read.
+This causes interrupt loop and system hang.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Yi Guo <yi.guo@cavium.com>
+Reviewed-by: Nadav Haklai <nadavh@marvell.com>
+Signed-off-by: Narendra Hadke <nhadke@marvell.com>
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20220726091221.12358-1-pali@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/mvebu-uart.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -237,6 +237,7 @@ static void mvebu_uart_rx_chars(struct u
+ struct tty_port *tport = &port->state->port;
+ unsigned char ch = 0;
+ char flag = 0;
++ int ret;
+
+ do {
+ if (status & STAT_RX_RDY(port)) {
+@@ -249,6 +250,16 @@ static void mvebu_uart_rx_chars(struct u
+ port->icount.parity++;
+ }
+
++ /*
++ * For UART2, error bits are not cleared on buffer read.
++ * This causes interrupt loop and system hang.
++ */
++ if (IS_EXTENDED(port) && (status & STAT_BRK_ERR)) {
++ ret = readl(port->membase + UART_STAT);
++ ret |= STAT_BRK_ERR;
++ writel(ret, port->membase + UART_STAT);
++ }
++
+ if (status & STAT_BRK_DET) {
+ port->icount.brk++;
+ status &= ~(STAT_FRM_ERR | STAT_PAR_ERR);
selftests-bpf-fix-test_align-verifier-log-patterns.patch
selftests-bpf-fix-dubious-pointer-arithmetic-test.patch
iio-light-isl29028-fix-the-warning-in-isl29028_remove.patch
+fuse-limit-nsec.patch
+serial-mvebu-uart-uart2-error-bits-clearing.patch
+md-raid10-fix-kasan-warning.patch
+mbcache-don-t-reclaim-used-entries.patch
+mbcache-add-functions-to-delete-entry-if-unused.patch
+ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
