--- /dev/null
+From 10eb91d6090753f6693c4535d23f188c94a9bfb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Apr 2020 16:26:53 -0700
+Subject: bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B
+
+From: Luke Nelson <lukenels@cs.washington.edu>
+
+[ Upstream commit aee194b14dd2b2bde6252b3acf57d36dccfc743a ]
+
+This patch fixes an encoding bug in emit_stx for BPF_B when the source
+register is BPF_REG_FP.
+
+The current implementation for BPF_STX BPF_B in emit_stx saves one REX
+byte when the operands can be encoded using Mod-R/M alone. The lower 8
+bits of registers %rax, %rbx, %rcx, and %rdx can be accessed without using
+a REX prefix via %al, %bl, %cl, and %dl, respectively. Other registers,
+(e.g., %rsi, %rdi, %rbp, %rsp) require a REX prefix to use their 8-bit
+equivalents (%sil, %dil, %bpl, %spl).
+
+The current code checks if the source for BPF_STX BPF_B is BPF_REG_1
+or BPF_REG_2 (which map to %rdi and %rsi), in which case it emits the
+required REX prefix. However, it misses the case when the source is
+BPF_REG_FP (mapped to %rbp).
+
+The result is that BPF_STX BPF_B with BPF_REG_FP as the source operand
+will read from register %ch instead of the correct %bpl. This patch fixes
+the problem by fixing and refactoring the check on which registers need
+the extra REX byte. Since no BPF registers map to %rsp, there is no need
+to handle %spl.
+
+Fixes: 622582786c9e0 ("net: filter: x86: internal BPF JIT")
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Luke Nelson <luke.r.nels@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20200418232655.23870-1-luke.r.nels@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index dd9a861fd5264..bea13c35979e5 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -145,6 +145,19 @@ static bool is_ereg(u32 reg)
+ BIT(BPF_REG_9));
+ }
+
++/*
++ * is_ereg_8l() == true if BPF register 'reg' is mapped to access x86-64
++ * lower 8-bit registers dil,sil,bpl,spl,r8b..r15b, which need extra byte
++ * of encoding. al,cl,dl,bl have simpler encoding.
++ */
++static bool is_ereg_8l(u32 reg)
++{
++ return is_ereg(reg) ||
++ (1 << reg) & (BIT(BPF_REG_1) |
++ BIT(BPF_REG_2) |
++ BIT(BPF_REG_FP));
++}
++
+ /* add modifiers if 'reg' maps to x64 registers r8..r15 */
+ static u8 add_1mod(u8 byte, u32 reg)
+ {
+@@ -731,9 +744,8 @@ st: if (is_imm8(insn->off))
+ /* STX: *(u8*)(dst_reg + off) = src_reg */
+ case BPF_STX | BPF_MEM | BPF_B:
+ /* emit 'mov byte ptr [rax + off], al' */
+- if (is_ereg(dst_reg) || is_ereg(src_reg) ||
+- /* have to add extra byte for x86 SIL, DIL regs */
+- src_reg == BPF_REG_1 || src_reg == BPF_REG_2)
++ if (is_ereg(dst_reg) || is_ereg_8l(src_reg))
++ /* Add extra byte for eregs or SIL,DIL,BPL in src_reg */
+ EMIT2(add_2mod(0x40, dst_reg, src_reg), 0x88);
+ else
+ EMIT1(0x88);
+--
+2.20.1
+
--- /dev/null
+From 21269f8a2135fe343c8f1ffd48b8ea56b17d404e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2020 23:33:05 -0400
+Subject: ext4: convert BUG_ON's to WARN_ON's in mballoc.c
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+[ Upstream commit 907ea529fc4c3296701d2bfc8b831dd2a8121a34 ]
+
+If the in-core buddy bitmap gets corrupted (or out of sync with the
+block bitmap), issue a WARN_ON and try to recover. In most cases this
+involves skipping trying to allocate out of a particular block group.
+We can end up declaring the file system corrupted, which is fair,
+since the file system probably should be checked before we proceed any
+further.
+
+Link: https://lore.kernel.org/r/20200414035649.293164-1-tytso@mit.edu
+Google-Bug-Id: 34811296
+Google-Bug-Id: 34639169
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index fda49f4c5a8eb..04fab14e630c1 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -1944,7 +1944,8 @@ void ext4_mb_complex_scan_group(struct ext4_allocation_context *ac,
+ int free;
+
+ free = e4b->bd_info->bb_free;
+- BUG_ON(free <= 0);
++ if (WARN_ON(free <= 0))
++ return;
+
+ i = e4b->bd_info->bb_first_free;
+
+@@ -1965,7 +1966,8 @@ void ext4_mb_complex_scan_group(struct ext4_allocation_context *ac,
+ }
+
+ mb_find_extent(e4b, i, ac->ac_g_ex.fe_len, &ex);
+- BUG_ON(ex.fe_len <= 0);
++ if (WARN_ON(ex.fe_len <= 0))
++ break;
+ if (free < ex.fe_len) {
+ ext4_grp_locked_error(sb, e4b->bd_group, 0, 0,
+ "%d free clusters as per "
+--
+2.20.1
+
--- /dev/null
+From d414bb7c426244483d93a634ec27b8ea3174c065 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Apr 2020 16:42:46 -0500
+Subject: of: unittest: kmemleak on changeset destroy
+
+From: Frank Rowand <frank.rowand@sony.com>
+
+[ Upstream commit b3fb36ed694b05738d45218ea72cf7feb10ce2b1 ]
+
+kmemleak reports several memory leaks from devicetree unittest.
+This is the fix for problem 1 of 5.
+
+of_unittest_changeset() reaches deeply into the dynamic devicetree
+functions. Several nodes were left with an elevated reference
+count and thus were not properly cleaned up. Fix the reference
+counts so that the memory will be freed.
+
+Fixes: 201c910bd689 ("of: Transactional DT support.")
+Reported-by: Erhard F. <erhard_f@mailbox.org>
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/unittest.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 91e6891b777b6..109497dbfba08 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -544,6 +544,10 @@ static void __init of_unittest_changeset(void)
+ mutex_unlock(&of_mutex);
+
+ of_changeset_destroy(&chgset);
++
++ of_node_put(n1);
++ of_node_put(n2);
++ of_node_put(n21);
+ #endif
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 7cf9626ae98c7cf2758326aa53fa6458feeb898f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2020 15:26:10 +0200
+Subject: scsi: target: fix PR IN / READ FULL STATUS for FC
+
+From: Bodo Stroesser <bstroesser@ts.fujitsu.com>
+
+[ Upstream commit 8fed04eb79a74cbf471dfaa755900a51b37273ab ]
+
+Creation of the response to READ FULL STATUS fails for FC based
+reservations. Reason is the too high loop limit (< 24) in
+fc_get_pr_transport_id(). The string representation of FC WWPN is 23 chars
+long only ("11:22:33:44:55:66:77:88"). So when i is 23, the loop body is
+executed a last time for the ending '\0' of the string and thus hex2bin()
+reports an error.
+
+Link: https://lore.kernel.org/r/20200408132610.14623-3-bstroesser@ts.fujitsu.com
+Signed-off-by: Bodo Stroesser <bstroesser@ts.fujitsu.com>
+Reviewed-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_fabric_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_fabric_lib.c b/drivers/target/target_core_fabric_lib.c
+index 6e75095af6818..2ecb2f7042a13 100644
+--- a/drivers/target/target_core_fabric_lib.c
++++ b/drivers/target/target_core_fabric_lib.c
+@@ -75,7 +75,7 @@ static int fc_get_pr_transport_id(
+ * encoded TransportID.
+ */
+ ptr = &se_nacl->initiatorname[0];
+- for (i = 0; i < 24; ) {
++ for (i = 0; i < 23; ) {
+ if (!strncmp(&ptr[i], ":", 1)) {
+ i++;
+ continue;
+--
+2.20.1
+
usb-gadget-udc-bdc-remove-unnecessary-null-checks-in-bdc_req_complete.patch
net-cxgb4-check-the-return-from-t4_query_params-properly.patch
perf-core-fix-parent-pid-tid-in-task-exit-events.patch
+bpf-x86-fix-encoding-for-lower-8-bit-registers-in-bp.patch
+scsi-target-fix-pr-in-read-full-status-for-fc.patch
+xen-xenbus-ensure-xenbus_map_ring_valloc-returns-pro.patch
+ext4-convert-bug_on-s-to-warn_on-s-in-mballoc.c.patch
+of-unittest-kmemleak-on-changeset-destroy.patch
--- /dev/null
+From 5d1fb1095c0a8919b73d9e786a58eabe3d4b45e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Mar 2020 09:03:58 +0100
+Subject: xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant
+ status
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 6b51fd3f65a22e3d1471b18a1d56247e246edd46 ]
+
+xenbus_map_ring_valloc() maps a ring page and returns the status of the
+used grant (0 meaning success).
+
+There are Xen hypervisors which might return the value 1 for the status
+of a failed grant mapping due to a bug. Some callers of
+xenbus_map_ring_valloc() test for errors by testing the returned status
+to be less than zero, resulting in no error detected and crashing later
+due to a not available ring page.
+
+Set the return value of xenbus_map_ring_valloc() to GNTST_general_error
+in case the grant status reported by Xen is greater than zero.
+
+This is part of XSA-316.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Wei Liu <wl@xen.org>
+Link: https://lore.kernel.org/r/20200326080358.1018-1-jgross@suse.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/xenbus/xenbus_client.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c
+index 056da6ee1a357..df27cefb2fa35 100644
+--- a/drivers/xen/xenbus/xenbus_client.c
++++ b/drivers/xen/xenbus/xenbus_client.c
+@@ -469,7 +469,14 @@ EXPORT_SYMBOL_GPL(xenbus_free_evtchn);
+ int xenbus_map_ring_valloc(struct xenbus_device *dev, grant_ref_t *gnt_refs,
+ unsigned int nr_grefs, void **vaddr)
+ {
+- return ring_ops->map(dev, gnt_refs, nr_grefs, vaddr);
++ int err;
++
++ err = ring_ops->map(dev, gnt_refs, nr_grefs, vaddr);
++ /* Some hypervisors are buggy and can return 1. */
++ if (err > 0)
++ err = GNTST_general_error;
++
++ return err;
+ }
+ EXPORT_SYMBOL_GPL(xenbus_map_ring_valloc);
+
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
