From: Sasha Levin Date: Tue, 10 Aug 2021 12:10:02 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.4.280~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2485b86aab8bcbce140c0724d20e76ae95b8a5b3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/alpha-send-stop-ipi-to-send-to-online-cpus.patch b/queue-4.19/alpha-send-stop-ipi-to-send-to-online-cpus.patch new file mode 100644 index 00000000000..04b9cdcbd15 --- /dev/null +++ b/queue-4.19/alpha-send-stop-ipi-to-send-to-online-cpus.patch @@ -0,0 +1,48 @@ +From e49038e07f66807f6c4891ca1ee8dd29901e8d05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 10:16:27 -0500 +Subject: alpha: Send stop IPI to send to online CPUs + +From: Prarit Bhargava + +[ Upstream commit caace6ca4e06f09413fb8f8a63319594cfb7d47d ] + +This issue was noticed while debugging a shutdown issue where some +secondary CPUs are not being shutdown correctly. A fix for that [1] requires +that secondary cpus be offlined using the cpu_online_mask so that the +stop operation is a no-op if CPU HOTPLUG is disabled. I, like the author in +[1] looked at the architectures and found that alpha is one of two +architectures that executes smp_send_stop() on all possible CPUs. + +On alpha, smp_send_stop() sends an IPI to all possible CPUs but only needs +to send them to online CPUs. + +Send the stop IPI to only the online CPUs. + +[1] https://lkml.org/lkml/2020/1/10/250 + +Signed-off-by: Prarit Bhargava +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Signed-off-by: Matt Turner +Signed-off-by: Sasha Levin +--- + arch/alpha/kernel/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c +index d0dccae53ba9..8a89b9adb4fe 100644 +--- a/arch/alpha/kernel/smp.c ++++ b/arch/alpha/kernel/smp.c +@@ -585,7 +585,7 @@ void + smp_send_stop(void) + { + cpumask_t to_whom; +- cpumask_copy(&to_whom, cpu_possible_mask); ++ cpumask_copy(&to_whom, cpu_online_mask); + cpumask_clear_cpu(smp_processor_id(), &to_whom); + #ifdef DEBUG_IPI_MSG + if (hard_smp_processor_id() != boot_cpu_id) +-- +2.30.2 + diff --git a/queue-4.19/arm-imx-add-mmdc-ipg-clock-operation-for-mmdc.patch b/queue-4.19/arm-imx-add-mmdc-ipg-clock-operation-for-mmdc.patch new file mode 100644 index 00000000000..83df1947853 --- /dev/null +++ b/queue-4.19/arm-imx-add-mmdc-ipg-clock-operation-for-mmdc.patch @@ -0,0 +1,56 @@ +From 4dc77d23122e77746f424df4f20b150d64524933 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Aug 2018 15:53:12 +0800 +Subject: ARM: imx: add mmdc ipg clock operation for mmdc + +From: Anson Huang + +[ Upstream commit 9454a0caff6ac6d2a5ea17dd624dc13387bbfcd3 ] + +i.MX6 SoCs have MMDC ipg clock for registers access, to make +sure MMDC registers access successfully, add optional clock +enable for MMDC driver. + +Signed-off-by: Anson Huang +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/mach-imx/mmdc.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/arch/arm/mach-imx/mmdc.c b/arch/arm/mach-imx/mmdc.c +index 1d340fda5e4f..ae0a61c61a6e 100644 +--- a/arch/arm/mach-imx/mmdc.c ++++ b/arch/arm/mach-imx/mmdc.c +@@ -11,6 +11,7 @@ + * http://www.gnu.org/copyleft/gpl.html + */ + ++#include + #include + #include + #include +@@ -547,7 +548,20 @@ static int imx_mmdc_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; + void __iomem *mmdc_base, *reg; ++ struct clk *mmdc_ipg_clk; + u32 val; ++ int err; ++ ++ /* the ipg clock is optional */ ++ mmdc_ipg_clk = devm_clk_get(&pdev->dev, NULL); ++ if (IS_ERR(mmdc_ipg_clk)) ++ mmdc_ipg_clk = NULL; ++ ++ err = clk_prepare_enable(mmdc_ipg_clk); ++ if (err) { ++ dev_err(&pdev->dev, "Unable to enable mmdc ipg clock.\n"); ++ return err; ++ } + + mmdc_base = of_iomap(np, 0); + WARN_ON(!mmdc_base); +-- +2.30.2 + diff --git a/queue-4.19/libata-fix-ata_pio_sector-for-config_highmem.patch b/queue-4.19/libata-fix-ata_pio_sector-for-config_highmem.patch new file mode 100644 index 00000000000..604c51e03f8 --- /dev/null +++ b/queue-4.19/libata-fix-ata_pio_sector-for-config_highmem.patch @@ -0,0 +1,92 @@ +From 9af904db393394ebf907aa6f53585b449ca444ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 15:02:37 +0200 +Subject: libata: fix ata_pio_sector for CONFIG_HIGHMEM + +From: Christoph Hellwig + +[ Upstream commit ecef6a9effe49e8e2635c839020b9833b71e934c ] + +Data transfers are not required to be block aligned in memory, so they +span two pages. Fix this by splitting the call to >sff_data_xfer into +two for that case. + +This has been broken since the initial libata import before the damn +of git, but was uncovered by the legacy ide driver removal. + +Reported-by: kernel test robot +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210709130237.3730959-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sff.c | 35 +++++++++++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 8 deletions(-) + +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index 7484ffdabd54..ec62d26c32a9 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -657,6 +657,20 @@ unsigned int ata_sff_data_xfer32(struct ata_queued_cmd *qc, unsigned char *buf, + } + EXPORT_SYMBOL_GPL(ata_sff_data_xfer32); + ++static void ata_pio_xfer(struct ata_queued_cmd *qc, struct page *page, ++ unsigned int offset, size_t xfer_size) ++{ ++ bool do_write = (qc->tf.flags & ATA_TFLAG_WRITE); ++ unsigned char *buf; ++ ++ buf = kmap_atomic(page); ++ qc->ap->ops->sff_data_xfer(qc, buf + offset, xfer_size, do_write); ++ kunmap_atomic(buf); ++ ++ if (!do_write && !PageSlab(page)) ++ flush_dcache_page(page); ++} ++ + /** + * ata_pio_sector - Transfer a sector of data. + * @qc: Command on going +@@ -668,11 +682,9 @@ EXPORT_SYMBOL_GPL(ata_sff_data_xfer32); + */ + static void ata_pio_sector(struct ata_queued_cmd *qc) + { +- int do_write = (qc->tf.flags & ATA_TFLAG_WRITE); + struct ata_port *ap = qc->ap; + struct page *page; + unsigned int offset; +- unsigned char *buf; + + if (!qc->cursg) { + qc->curbytes = qc->nbytes; +@@ -690,13 +702,20 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) + + DPRINTK("data %s\n", qc->tf.flags & ATA_TFLAG_WRITE ? "write" : "read"); + +- /* do the actual data transfer */ +- buf = kmap_atomic(page); +- ap->ops->sff_data_xfer(qc, buf + offset, qc->sect_size, do_write); +- kunmap_atomic(buf); ++ /* ++ * Split the transfer when it splits a page boundary. Note that the ++ * split still has to be dword aligned like all ATA data transfers. ++ */ ++ WARN_ON_ONCE(offset % 4); ++ if (offset + qc->sect_size > PAGE_SIZE) { ++ unsigned int split_len = PAGE_SIZE - offset; + +- if (!do_write && !PageSlab(page)) +- flush_dcache_page(page); ++ ata_pio_xfer(qc, page, offset, split_len); ++ ata_pio_xfer(qc, nth_page(page, 1), 0, ++ qc->sect_size - split_len); ++ } else { ++ ata_pio_xfer(qc, page, offset, qc->sect_size); ++ } + + qc->curbytes += qc->sect_size; + qc->cursg_ofs += qc->sect_size; +-- +2.30.2 + diff --git a/queue-4.19/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch b/queue-4.19/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch new file mode 100644 index 00000000000..053fc0f802f --- /dev/null +++ b/queue-4.19/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch @@ -0,0 +1,58 @@ +From 9a91cb3427b8191ddc87918f832f3cafab5e734c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jul 2021 21:45:12 +0800 +Subject: net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and + ql_adapter_reset + +From: Letu Ren + +[ Upstream commit 92766c4628ea349c8ddab0cd7bd0488f36e5c4ce ] + +When calling the 'ql_wait_for_drvr_lock' and 'ql_adapter_reset', the driver +has already acquired the spin lock, so the driver should not call 'ssleep' +in atomic context. + +This bug can be fixed by using 'mdelay' instead of 'ssleep'. + +Reported-by: Letu Ren +Signed-off-by: Letu Ren +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index 2d71646640ac..f98e2f417c2e 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -155,7 +155,7 @@ static int ql_wait_for_drvr_lock(struct ql3_adapter *qdev) + "driver lock acquired\n"); + return 1; + } +- ssleep(1); ++ mdelay(1000); + } while (++i < 10); + + netdev_err(qdev->ndev, "Timed out waiting for driver lock...\n"); +@@ -3292,7 +3292,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev) + if ((value & ISP_CONTROL_SR) == 0) + break; + +- ssleep(1); ++ mdelay(1000); + } while ((--max_wait_time)); + + /* +@@ -3328,7 +3328,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev) + ispControlStatus); + if ((value & ISP_CONTROL_FSR) == 0) + break; +- ssleep(1); ++ mdelay(1000); + } while ((--max_wait_time)); + } + if (max_wait_time == 0) +-- +2.30.2 + diff --git a/queue-4.19/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch b/queue-4.19/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch new file mode 100644 index 00000000000..97c7b8f18f3 --- /dev/null +++ b/queue-4.19/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch @@ -0,0 +1,98 @@ +From 0b456d675a97edc54bb82a0917b8559a45e2a671 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 12:07:43 +0800 +Subject: reiserfs: add check for root_inode in reiserfs_fill_super + +From: Yu Kuai + +[ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ] + +Our syzcaller report a NULL pointer dereference: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0 +Oops: 0010 [#1] SMP KASAN +CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4 +RIP: 0010:0x0 +Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. +RSP: 0018:ffff888114e779b8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa +RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0 +RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001 +R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00 +R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0 +FS: 00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + __lookup_slow+0x116/0x2d0 + ? page_put_link+0x120/0x120 + ? __d_lookup+0xfc/0x320 + ? d_lookup+0x49/0x90 + lookup_one_len+0x13c/0x170 + ? __lookup_slow+0x2d0/0x2d0 + ? reiserfs_schedule_old_flush+0x31/0x130 + reiserfs_lookup_privroot+0x64/0x150 + reiserfs_fill_super+0x158c/0x1b90 + ? finish_unfinished+0xb10/0xb10 + ? bprintf+0xe0/0xe0 + ? __mutex_lock_slowpath+0x30/0x30 + ? __kasan_check_write+0x20/0x30 + ? up_write+0x51/0xb0 + ? set_blocksize+0x9f/0x1f0 + mount_bdev+0x27c/0x2d0 + ? finish_unfinished+0xb10/0xb10 + ? reiserfs_kill_sb+0x120/0x120 + get_super_block+0x19/0x30 + legacy_get_tree+0x76/0xf0 + vfs_get_tree+0x49/0x160 + ? capable+0x1d/0x30 + path_mount+0xacc/0x1380 + ? putname+0x97/0xd0 + ? finish_automount+0x450/0x450 + ? kmem_cache_free+0xf8/0x5a0 + ? putname+0x97/0xd0 + do_mount+0xe2/0x110 + ? path_mount+0x1380/0x1380 + ? copy_mount_options+0x69/0x140 + __x64_sys_mount+0xf0/0x190 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +This is because 'root_inode' is initialized with wrong mode, and +it's i_op is set to 'reiserfs_special_inode_operations'. Thus add +check for 'root_inode' to fix the problem. + +Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com +Signed-off-by: Yu Kuai +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index ec5716dd58c2..831a542c22c6 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -2085,6 +2085,14 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) + unlock_new_inode(root_inode); + } + ++ if (!S_ISDIR(root_inode->i_mode) || !inode_get_bytes(root_inode) || ++ !root_inode->i_size) { ++ SWARN(silent, s, "", "corrupt root inode, run fsck"); ++ iput(root_inode); ++ errval = -EUCLEAN; ++ goto error; ++ } ++ + s->s_root = d_make_root(root_inode); + if (!s->s_root) + goto error; +-- +2.30.2 + diff --git a/queue-4.19/reiserfs-check-directory-items-on-read-from-disk.patch b/queue-4.19/reiserfs-check-directory-items-on-read-from-disk.patch new file mode 100644 index 00000000000..94aa799e284 --- /dev/null +++ b/queue-4.19/reiserfs-check-directory-items-on-read-from-disk.patch @@ -0,0 +1,79 @@ +From b0c68c458437d51a48b09c743f0f96b8cbeb4fe4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 20:59:29 +0530 +Subject: reiserfs: check directory items on read from disk + +From: Shreyansh Chouhan + +[ Upstream commit 13d257503c0930010ef9eed78b689cec417ab741 ] + +While verifying the leaf item that we read from the disk, reiserfs +doesn't check the directory items, this could cause a crash when we +read a directory item from the disk that has an invalid deh_location. + +This patch adds a check to the directory items read from the disk that +does a bounds check on deh_location for the directory entries. Any +directory entry header with a directory entry offset greater than the +item length is considered invalid. + +Link: https://lore.kernel.org/r/20210709152929.766363-1-chouhan.shreyansh630@gmail.com +Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com +Signed-off-by: Shreyansh Chouhan +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c +index 5229038852ca..4ebad6781b0e 100644 +--- a/fs/reiserfs/stree.c ++++ b/fs/reiserfs/stree.c +@@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path) + search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET; + } + ++static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih) ++{ ++ struct reiserfs_de_head *deh; ++ int i; ++ ++ deh = B_I_DEH(bh, ih); ++ for (i = 0; i < ih_entry_count(ih); i++) { ++ if (deh_location(&deh[i]) > ih_item_len(ih)) { ++ reiserfs_warning(NULL, "reiserfs-5094", ++ "directory entry location seems wrong %h", ++ &deh[i]); ++ return 0; ++ } ++ } ++ ++ return 1; ++} ++ + static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) + { + struct block_head *blkh; +@@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) + "(second one): %h", ih); + return 0; + } +- if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) { +- reiserfs_warning(NULL, "reiserfs-5093", +- "item entry count seems wrong %h", +- ih); +- return 0; ++ if (is_direntry_le_ih(ih)) { ++ if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) { ++ reiserfs_warning(NULL, "reiserfs-5093", ++ "item entry count seems wrong %h", ++ ih); ++ return 0; ++ } ++ return has_valid_deh_location(bh, ih); + } + prev_location = ih_location(ih); + } +-- +2.30.2 + diff --git a/queue-4.19/series b/queue-4.19/series index aea033aed83..4813d18bc37 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -46,3 +46,9 @@ kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch spi-meson-spicc-fix-memory-leak-in-meson_spicc_remove.patch perf-x86-amd-don-t-touch-the-amd64_eventsel_hostonly-bit-inside-the-guest.patch qmi_wwan-add-network-device-usage-statistics-for-qmimux-devices.patch +libata-fix-ata_pio_sector-for-config_highmem.patch +reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch +reiserfs-check-directory-items-on-read-from-disk.patch +alpha-send-stop-ipi-to-send-to-online-cpus.patch +net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch +arm-imx-add-mmdc-ipg-clock-operation-for-mmdc.patch