From: Greg Kroah-Hartman Date: Sat, 13 Aug 2022 14:36:58 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.15.61~161 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=10bd51872232aeb697e0cfcbeb274f5bc92bf9d8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: fuse-limit-nsec.patch ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch mbcache-don-t-reclaim-used-entries.patch md-raid10-fix-kasan-warning.patch
---
diff --git a/queue-4.14/fuse-limit-nsec.patch b/queue-4.14/fuse-limit-nsec.patch
new file mode 100644
index 00000000000..60753867ec6
--- /dev/null
+++ b/queue-4.14/fuse-limit-nsec.patch
@@ -0,0 +1,34 @@
+From 47912eaa061a6a81e4aa790591a1874c650733c0 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 21 Jul 2022 16:06:18 +0200
+Subject: fuse: limit nsec
+
+From: Miklos Szeredi
+
+commit 47912eaa061a6a81e4aa790591a1874c650733c0 upstream.
+
+Limit nanoseconds to 0..999999999.
+
+Fixes: d8a5ba45457e ("[PATCH] FUSE - core")
+Cc:
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -174,6 +174,12 @@ void fuse_change_attributes_common(struc
+ inode->i_uid = make_kuid(&init_user_ns, attr->uid);
+ inode->i_gid = make_kgid(&init_user_ns, attr->gid);
+ inode->i_blocks = attr->blocks;
++
++ /* Sanitize nsecs */
++ attr->atimensec = min_t(u32, attr->atimensec, NSEC_PER_SEC - 1);
++ attr->mtimensec = min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1);
++ attr->ctimensec = min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1);
++
+ inode->i_atime.tv_sec = attr->atime;
+ inode->i_atime.tv_nsec = attr->atimensec;
+ /* mtime from server may be stale due to local buffered write */
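Review bot: The `/* Sanitize nsecs */` comment in the fs/fuse/inode.c hunk does not say where the values come from or which invariant is being restored. The neighbouring comment speaks of an mtime "from server", so `attr` appears to be filled in by the userspace FUSE server, and the clamp keeps `tv_nsec` inside the 0..999999999 range named in the commit message; I would spell that out, e.g. `/* attr is supplied by the FUSE server: clamp nsec so tv_nsec stays below NSEC_PER_SEC */`. The clamp also rewrites the caller's `attr` in place and only on this path, so any code that copies the `*timensec` fields out of a server reply without passing through fuse_change_attributes_common() (not visible here) would still see unclamped values and is worth checking. The function body starts and ends outside the hunk.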
diff --git a/queue-4.14/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch b/queue-4.14/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch
new file mode 100644
index 00000000000..74eb63bfd1b
--- /dev/null
+++ b/queue-4.14/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch
@@ -0,0 +1,44 @@
+From e5a16a5c4602c119262f350274021f90465f479d Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin
+Date: Fri, 24 Jun 2022 14:13:05 +0200
+Subject: ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()
+
+From: Alexander Lobakin
+
+commit e5a16a5c4602c119262f350274021f90465f479d upstream.
+
+test_bit(), as any other bitmap op, takes `unsigned long *` as a
+second argument (pointer to the actual bitmap), as any bitmap
+itself is an array of unsigned longs. However, the ia64_get_irr()
+code passes a ref to `u64` as a second argument.
+This works with the ia64 bitops implementation due to that they
+have `void *` as the second argument and then cast it later on.
+This works with the bitmap API itself due to that `unsigned long`
+has the same size on ia64 as `u64` (`unsigned long long`), but
+from the compiler PoV those two are different.
+Define @irr as `unsigned long` to fix that. That implies no
+functional changes. Has been hidden for 16 years!
+
+Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations")
+Cc: stable@vger.kernel.org # 2.6.16+
+Reported-by: kernel test robot
+Signed-off-by: Alexander Lobakin
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Yury Norov
+Signed-off-by: Yury Norov
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/ia64/include/asm/processor.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/ia64/include/asm/processor.h
++++ b/arch/ia64/include/asm/processor.h
+@@ -552,7 +552,7 @@ ia64_get_irr(unsigned int vector)
+ {
+ unsigned int reg = vector / 64;
+ unsigned int bit = vector % 64;
+- u64 irr;
++ unsigned long irr;
+
+ switch (reg) {
+ case 0: irr = ia64_getreg(_IA64_REG_CR_IRR0); break;
diff --git a/queue-4.14/mbcache-don-t-reclaim-used-entries.patch b/queue-4.14/mbcache-don-t-reclaim-used-entries.patch
new file mode 100644
index 00000000000..a0305f9c543
--- /dev/null
+++ b/queue-4.14/mbcache-don-t-reclaim-used-entries.patch
@@ -0,0 +1,50 @@
+From 58318914186c157477b978b1739dfe2f1b9dc0fe Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Tue, 12 Jul 2022 12:54:20 +0200
+Subject: mbcache: don't reclaim used entries
+
+From: Jan Kara
+
+commit 58318914186c157477b978b1739dfe2f1b9dc0fe upstream.
+
+Do not reclaim entries that are currently used by somebody from a
+shrinker. Firstly, these entries are likely useful. Secondly, we will
+need to keep such entries to protect pending increment of xattr block
+refcount.
+
+CC: stable@vger.kernel.org
+Fixes: 82939d7999df ("ext4: convert to mbcache2")
+Signed-off-by: Jan Kara
+Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/mbcache.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/mbcache.c
++++ b/fs/mbcache.c
+@@ -285,7 +285,7 @@ static unsigned long mb_cache_shrink(str
+ while (nr_to_scan-- && !list_empty(&cache->c_list)) {
+ entry = list_first_entry(&cache->c_list,
+ struct mb_cache_entry, e_list);
+- if (entry->e_referenced) {
++ if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) {
+ entry->e_referenced = 0;
+ list_move_tail(&entry->e_list, &cache->c_list);
+ continue;
+@@ -299,6 +299,14 @@ static unsigned long mb_cache_shrink(str
+ spin_unlock(&cache->c_list_lock);
+ head = mb_cache_entry_head(cache, entry->e_key);
+ hlist_bl_lock(head);
++ /* Now a reliable check if the entry didn't get used... */
++ if (atomic_read(&entry->e_refcnt) > 2) {
++ hlist_bl_unlock(head);
++ spin_lock(&cache->c_list_lock);
++ list_add_tail(&entry->e_list, &cache->c_list);
++ cache->c_entry_count++;
++ continue;
++ }
+ if (!hlist_bl_unhashed(&entry->e_hash_list)) {
+ hlist_bl_del_init(&entry->e_hash_list);
+ atomic_dec(&entry->e_refcnt);
diff --git a/queue-4.14/md-raid10-fix-kasan-warning.patch b/queue-4.14/md-raid10-fix-kasan-warning.patch
new file mode 100644
index 00000000000..3b2b36b590e
--- /dev/null
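Review bot: The threshold in `atomic_read(&entry->e_refcnt) > 2` is a bare magic number in both fs/mbcache.c hunks, and whether an entry is reclaimed while still in use depends on it being exactly right for this tree's refcounting. Presumably the two baseline references are the hash-chain reference and the LRU reference the shrinker still holds at that point, but that is not visible here and should be confirmed against the 4.14 code rather than carried over from upstream. I would state it at the first check, e.g. `/* > 2: someone besides the hash chain and the LRU list holds a reference */`, and extend the second comment to say that the check is reliable because it runs under `hlist_bl_lock(head)`. mb_cache_shrink() starts and ends outside both hunks.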
+++ b/queue-4.14/md-raid10-fix-kasan-warning.patch 
@@ -0,0 +1,148 @@
+From d17f744e883b2f8d13cca252d71cfe8ace346f7d Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Tue, 26 Jul 2022 04:33:12 -0400
+Subject: md-raid10: fix KASAN warning
+
+From: Mikulas Patocka
+
+commit d17f744e883b2f8d13cca252d71cfe8ace346f7d upstream.
+
+There's a KASAN warning in raid10_remove_disk when running the lvm
+test lvconvert-raid-reshape.sh. We fix this warning by verifying that the
+value "number" is valid.
+
+BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10]
+Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682
+
+CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x34/0x44
+ print_report.cold+0x45/0x57a
+ ? __lock_text_start+0x18/0x18
+ ? raid10_remove_disk+0x61/0x2a0 [raid10]
+ kasan_report+0xa8/0xe0
+ ? raid10_remove_disk+0x61/0x2a0 [raid10]
+ raid10_remove_disk+0x61/0x2a0 [raid10]
+Buffer I/O error on dev dm-76, logical block 15344, async page read
+ ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0
+ remove_and_add_spares+0x367/0x8a0 [md_mod]
+ ? super_written+0x1c0/0x1c0 [md_mod]
+ ? mutex_trylock+0xac/0x120
+ ? _raw_spin_lock+0x72/0xc0
+ ? _raw_spin_lock_bh+0xc0/0xc0
+ md_check_recovery+0x848/0x960 [md_mod]
+ raid10d+0xcf/0x3360 [raid10]
+ ? sched_clock_cpu+0x185/0x1a0
+ ? rb_erase+0x4d4/0x620
+ ? var_wake_function+0xe0/0xe0
+ ? psi_group_change+0x411/0x500
+ ? preempt_count_sub+0xf/0xc0
+ ? _raw_spin_lock_irqsave+0x78/0xc0
+ ? __lock_text_start+0x18/0x18
+ ? raid10_sync_request+0x36c0/0x36c0 [raid10]
+ ? preempt_count_sub+0xf/0xc0
+ ? _raw_spin_unlock_irqrestore+0x19/0x40
+ ? del_timer_sync+0xa9/0x100
+ ? try_to_del_timer_sync+0xc0/0xc0
+ ? _raw_spin_lock_irqsave+0x78/0xc0
+ ? __lock_text_start+0x18/0x18
+ ? _raw_spin_unlock_irq+0x11/0x24
+ ? __list_del_entry_valid+0x68/0xa0
+ ? finish_wait+0xa3/0x100
+ md_thread+0x161/0x260 [md_mod]
+ ? unregister_md_personality+0xa0/0xa0 [md_mod]
+ ? _raw_spin_lock_irqsave+0x78/0xc0
+ ? prepare_to_wait_event+0x2c0/0x2c0
+ ? unregister_md_personality+0xa0/0xa0 [md_mod]
+ kthread+0x148/0x180
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x1f/0x30
+
+
+Allocated by task 124495:
+ kasan_save_stack+0x1e/0x40
+ __kasan_kmalloc+0x80/0xa0
+ setup_conf+0x140/0x5c0 [raid10]
+ raid10_run+0x4cd/0x740 [raid10]
+ md_run+0x6f9/0x1300 [md_mod]
+ raid_ctr+0x2531/0x4ac0 [dm_raid]
+ dm_table_add_target+0x2b0/0x620 [dm_mod]
+ table_load+0x1c8/0x400 [dm_mod]
+ ctl_ioctl+0x29e/0x560 [dm_mod]
+ dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
+ __do_compat_sys_ioctl+0xfa/0x160
+ do_syscall_64+0x90/0xc0
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Last potentially related work creation:
+ kasan_save_stack+0x1e/0x40
+ __kasan_record_aux_stack+0x9e/0xc0
+ kvfree_call_rcu+0x84/0x480
+ timerfd_release+0x82/0x140
+L __fput+0xfa/0x400
+ task_work_run+0x80/0xc0
+ exit_to_user_mode_prepare+0x155/0x160
+ syscall_exit_to_user_mode+0x12/0x40
+ do_syscall_64+0x42/0xc0
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x1e/0x40
+ __kasan_record_aux_stack+0x9e/0xc0
+ kvfree_call_rcu+0x84/0x480
+ timerfd_release+0x82/0x140
+ __fput+0xfa/0x400
+ task_work_run+0x80/0xc0
+ exit_to_user_mode_prepare+0x155/0x160
+ syscall_exit_to_user_mode+0x12/0x40
+ do_syscall_64+0x42/0xc0
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+The buggy address belongs to the object at ffff889108f3d200
+ which belongs to the cache kmalloc-256 of size 256
+The buggy address is located 0 bytes to the right of
+ 256-byte region [ffff889108f3d200, ffff889108f3d300)
+
+The buggy address belongs to the physical page:
+page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c
+head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0
+flags: 0x4000000000010200(slab|head|zone=2)
+raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40
+raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Song Liu
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid10.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1831,9 +1831,12 @@ static int raid10_remove_disk(struct mdd
+ int err = 0;
+ int number = rdev->raid_disk;
+ struct md_rdev **rdevp;
+- struct raid10_info *p = conf->mirrors + number;
++ struct raid10_info *p;
+
+ print_conf(conf);
++ if (unlikely(number >= mddev->raid_disks))
++ return 0;
++ p = conf->mirrors + number;
+ if (rdev == p->rdev)
+ rdevp = &p->rdev;
+ else if (rdev == p->replacement)
diff --git a/queue-4.14/series b/queue-4.14/series
index 2de01ff06a7..ac26b45f84c 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -27,3 +27,7 @@ parisc-fix-device-names-in-proc-iomem.patch
 drm-nouveau-fix-another-off-by-one-in-nvbios_addr.patch
 drm-amdgpu-check-bo-s-requested-pinning-domains-against-its-preferred_domains.patch
 iio-light-isl29028-fix-the-warning-in-isl29028_remove.patch
+fuse-limit-nsec.patch
+md-raid10-fix-kasan-warning.patch
+mbcache-don-t-reclaim-used-entries.patch
+ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch
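Review bot: The new guard in raid10_remove_disk() checks only the upper bound: `number` is a signed `int` copied from `rdev->raid_disk`, so a negative value would still reach `p = conf->mirrors + number` and point before the array. If the callers cannot guarantee a non-negative slot here (not visible in this hunk), I would write `if (unlikely(number < 0 || number >= mddev->raid_disks))`. The early `return 0` also reports success without looking at the rdev at all, which deserves a one-line comment such as `/* slot index is outside conf->mirrors[]; nothing to remove here */`. The function continues past the end of the hunk.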