From: Sasha Levin Date: Mon, 4 Jan 2021 15:53:15 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v4.19.165~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=267cfac344d09a4769e1e1dd0bb6f50ff47205c7;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alsa-pcm-clear-the-full-allocated-memory-at-hw_param.patch b/queue-4.14/alsa-pcm-clear-the-full-allocated-memory-at-hw_param.patch new file mode 100644 index 00000000000..8ed196a1fbc --- /dev/null +++ b/queue-4.14/alsa-pcm-clear-the-full-allocated-memory-at-hw_param.patch @@ -0,0 +1,52 @@ +From 3391d324a2343b573d55204d72b11f227fec95d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Dec 2020 15:56:25 +0100 +Subject: ALSA: pcm: Clear the full allocated memory at hw_params + +From: Takashi Iwai + +[ Upstream commit 618de0f4ef11acd8cf26902e65493d46cc20cc89 ] + +The PCM hw_params core function tries to clear up the PCM buffer +before actually using for avoiding the information leak from the +previous usages or the usage before a new allocation. It performs the +memset() with runtime->dma_bytes, but this might still leave some +remaining bytes untouched; namely, the PCM buffer size is aligned in +page size for mmap, hence runtime->dma_bytes doesn't necessarily cover +all PCM buffer pages, and the remaining bytes are exposed via mmap. + +This patch changes the memory clearance to cover the all buffer pages +if the stream is supposed to be mmap-ready (that guarantees that the +buffer size is aligned in page size). + +Reviewed-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20201218145625.2045-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 071e09c3d8557..c78db361cbbaa 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -721,8 +721,13 @@ static int snd_pcm_hw_params(struct snd_pcm_substream *substream, + runtime->boundary *= 2; + + /* clear the buffer for avoiding possible kernel info leaks */ +- if (runtime->dma_area && !substream->ops->copy_user) +- memset(runtime->dma_area, 0, runtime->dma_bytes); ++ if (runtime->dma_area && !substream->ops->copy_user) { ++ size_t size = runtime->dma_bytes; ++ ++ if (runtime->info & SNDRV_PCM_INFO_MMAP) ++ size = PAGE_ALIGN(size); ++ memset(runtime->dma_area, 0, size); ++ } + + snd_pcm_timer_resolution_change(substream); + snd_pcm_set_state(substream, SNDRV_PCM_STATE_SETUP); +-- +2.27.0 + diff --git a/queue-4.14/dm-verity-skip-verity-work-if-i-o-error-when-system-.patch b/queue-4.14/dm-verity-skip-verity-work-if-i-o-error-when-system-.patch new file mode 100644 index 00000000000..2b9ad1a3637 --- /dev/null +++ b/queue-4.14/dm-verity-skip-verity-work-if-i-o-error-when-system-.patch @@ -0,0 +1,59 @@ +From f2410bc75c81977afd2aeb3cb397ef66660e392e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Dec 2020 09:46:59 +0900 +Subject: dm verity: skip verity work if I/O error when system is shutting down + +From: Hyeongseok Kim + +[ Upstream commit 252bd1256396cebc6fc3526127fdb0b317601318 ] + +If emergency system shutdown is called, like by thermal shutdown, +a dm device could be alive when the block device couldn't process +I/O requests anymore. In this state, the handling of I/O errors +by new dm I/O requests or by those already in-flight can lead to +a verity corruption state, which is a misjudgment. + +So, skip verity work in response to I/O error when system is shutting +down. + +Signed-off-by: Hyeongseok Kim +Reviewed-by: Sami Tolvanen +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-verity-target.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c +index e705799976c2c..2dae30713eb3d 100644 +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -551,6 +551,15 @@ static int verity_verify_io(struct dm_verity_io *io) + return 0; + } + ++/* ++ * Skip verity work in response to I/O error when system is shutting down. ++ */ ++static inline bool verity_is_system_shutting_down(void) ++{ ++ return system_state == SYSTEM_HALT || system_state == SYSTEM_POWER_OFF ++ || system_state == SYSTEM_RESTART; ++} ++ + /* + * End one "io" structure with a given error. + */ +@@ -578,7 +587,8 @@ static void verity_end_io(struct bio *bio) + { + struct dm_verity_io *io = bio->bi_private; + +- if (bio->bi_status && !verity_fec_is_enabled(io->v)) { ++ if (bio->bi_status && ++ (!verity_fec_is_enabled(io->v) || verity_is_system_shutting_down())) { + verity_finish_io(io, bio->bi_status); + return; + } +-- +2.27.0 + diff --git a/queue-4.14/module-delay-kobject-uevent-until-after-module-init-.patch b/queue-4.14/module-delay-kobject-uevent-until-after-module-init-.patch new file mode 100644 index 00000000000..ce6c6953523 --- /dev/null +++ b/queue-4.14/module-delay-kobject-uevent-until-after-module-init-.patch @@ -0,0 +1,72 @@ +From c741060900ee01699d0c248d664c75402ff63a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Nov 2020 10:09:39 +0100 +Subject: module: delay kobject uevent until after module init call + +From: Jessica Yu + +[ Upstream commit 38dc717e97153e46375ee21797aa54777e5498f3 ] + +Apparently there has been a longstanding race between udev/systemd and +the module loader. Currently, the module loader sends a uevent right +after sysfs initialization, but before the module calls its init +function. However, some udev rules expect that the module has +initialized already upon receiving the uevent. + +This race has been triggered recently (see link in references) in some +systemd mount unit files. For instance, the configfs module creates the +/sys/kernel/config mount point in its init function, however the module +loader issues the uevent before this happens. sys-kernel-config.mount +expects to be able to mount /sys/kernel/config upon receipt of the +module loading uevent, but if the configfs module has not called its +init function yet, then this directory will not exist and the mount unit +fails. A similar situation exists for sys-fs-fuse-connections.mount, as +the fuse sysfs mount point is created during the fuse module's init +function. If udev is faster than module initialization then the mount +unit would fail in a similar fashion. + +To fix this race, delay the module KOBJ_ADD uevent until after the +module has finished calling its init routine. + +References: https://github.com/systemd/systemd/issues/17586 +Reviewed-by: Greg Kroah-Hartman +Tested-By: Nicolas Morey-Chaisemartin +Signed-off-by: Jessica Yu +Signed-off-by: Sasha Levin +--- + kernel/module.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/module.c b/kernel/module.c +index c4f0a8fe144e1..0b2654592d3a7 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -1789,7 +1789,6 @@ static int mod_sysfs_init(struct module *mod) + if (err) + mod_kobject_put(mod); + +- /* delay uevent until full sysfs population */ + out: + return err; + } +@@ -1826,7 +1825,6 @@ static int mod_sysfs_setup(struct module *mod, + add_sect_attrs(mod, info); + add_notes_attrs(mod, info); + +- kobject_uevent(&mod->mkobj.kobj, KOBJ_ADD); + return 0; + + out_unreg_modinfo_attrs: +@@ -3481,6 +3479,9 @@ static noinline int do_init_module(struct module *mod) + blocking_notifier_call_chain(&module_notify_list, + MODULE_STATE_LIVE, mod); + ++ /* Delay uevent until module has finished its init routine */ ++ kobject_uevent(&mod->mkobj.kobj, KOBJ_ADD); ++ + /* + * We need to finish all async code before the module init sequence + * is done. This has potential to deadlock. For example, a newly +-- +2.27.0 + diff --git a/queue-4.14/module-set-module_state_going-state-when-a-module-fa.patch b/queue-4.14/module-set-module_state_going-state-when-a-module-fa.patch new file mode 100644 index 00000000000..75ae748437f --- /dev/null +++ b/queue-4.14/module-set-module_state_going-state-when-a-module-fa.patch @@ -0,0 +1,36 @@ +From 060b02e44d1106ac99afbbf9d24a662b908ca710 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Oct 2020 15:03:36 +0100 +Subject: module: set MODULE_STATE_GOING state when a module fails to load + +From: Miroslav Benes + +[ Upstream commit 5e8ed280dab9eeabc1ba0b2db5dbe9fe6debb6b5 ] + +If a module fails to load due to an error in prepare_coming_module(), +the following error handling in load_module() runs with +MODULE_STATE_COMING in module's state. Fix it by correctly setting +MODULE_STATE_GOING under "bug_cleanup" label. + +Signed-off-by: Miroslav Benes +Signed-off-by: Jessica Yu +Signed-off-by: Sasha Levin +--- + kernel/module.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/module.c b/kernel/module.c +index 2806c9b6577c1..c4f0a8fe144e1 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3801,6 +3801,7 @@ static int load_module(struct load_info *info, const char __user *uargs, + MODULE_STATE_GOING, mod); + klp_module_going(mod); + bug_cleanup: ++ mod->state = MODULE_STATE_GOING; + /* module_bug_cleanup needs module_mutex protection */ + mutex_lock(&module_mutex); + module_bug_cleanup(mod); +-- +2.27.0 + diff --git a/queue-4.14/powerpc-sysdev-add-missing-iounmap-on-error-in-mpic_.patch b/queue-4.14/powerpc-sysdev-add-missing-iounmap-on-error-in-mpic_.patch new file mode 100644 index 00000000000..e43bde70152 --- /dev/null +++ b/queue-4.14/powerpc-sysdev-add-missing-iounmap-on-error-in-mpic_.patch @@ -0,0 +1,39 @@ +From ce9b73f0137089c117ea02d4e5fdd61454d27a57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Oct 2020 17:15:51 +0800 +Subject: powerpc: sysdev: add missing iounmap() on error in mpic_msgr_probe() + +From: Qinglang Miao + +[ Upstream commit ffa1797040c5da391859a9556be7b735acbe1242 ] + +I noticed that iounmap() of msgr_block_addr before return from +mpic_msgr_probe() in the error handling case is missing. So use +devm_ioremap() instead of just ioremap() when remapping the message +register block, so the mapping will be automatically released on +probe failure. + +Signed-off-by: Qinglang Miao +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201028091551.136400-1-miaoqinglang@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/mpic_msgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/sysdev/mpic_msgr.c b/arch/powerpc/sysdev/mpic_msgr.c +index 280e964e1aa88..497e86cfb12e0 100644 +--- a/arch/powerpc/sysdev/mpic_msgr.c ++++ b/arch/powerpc/sysdev/mpic_msgr.c +@@ -196,7 +196,7 @@ static int mpic_msgr_probe(struct platform_device *dev) + + /* IO map the message register block. */ + of_address_to_resource(np, 0, &rsrc); +- msgr_block_addr = ioremap(rsrc.start, resource_size(&rsrc)); ++ msgr_block_addr = devm_ioremap(&dev->dev, rsrc.start, resource_size(&rsrc)); + if (!msgr_block_addr) { + dev_err(&dev->dev, "Failed to iomap MPIC message registers"); + return -EFAULT; +-- +2.27.0 + diff --git a/queue-4.14/quota-don-t-overflow-quota-file-offsets.patch b/queue-4.14/quota-don-t-overflow-quota-file-offsets.patch new file mode 100644 index 00000000000..f3fd218cfd2 --- /dev/null +++ b/queue-4.14/quota-don-t-overflow-quota-file-offsets.patch @@ -0,0 +1,66 @@ +From 576d44d4f72f5d29d5ce15eb7e19bdb5c70687f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 16:32:10 +0100 +Subject: quota: Don't overflow quota file offsets + +From: Jan Kara + +[ Upstream commit 10f04d40a9fa29785206c619f80d8beedb778837 ] + +The on-disk quota format supports quota files with upto 2^32 blocks. Be +careful when computing quota file offsets in the quota files from block +numbers as they can overflow 32-bit types. Since quota files larger than +4GB would require ~26 millions of quota users, this is mostly a +theoretical concern now but better be careful, fuzzers would find the +problem sooner or later anyway... + +Reviewed-by: Andreas Dilger +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/quota_tree.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/quota/quota_tree.c b/fs/quota/quota_tree.c +index bb3f59bcfcf5b..656f9ff63edda 100644 +--- a/fs/quota/quota_tree.c ++++ b/fs/quota/quota_tree.c +@@ -61,7 +61,7 @@ static ssize_t read_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf) + + memset(buf, 0, info->dqi_usable_bs); + return sb->s_op->quota_read(sb, info->dqi_type, buf, +- info->dqi_usable_bs, blk << info->dqi_blocksize_bits); ++ info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits); + } + + static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf) +@@ -70,7 +70,7 @@ static ssize_t write_blk(struct qtree_mem_dqinfo *info, uint blk, char *buf) + ssize_t ret; + + ret = sb->s_op->quota_write(sb, info->dqi_type, buf, +- info->dqi_usable_bs, blk << info->dqi_blocksize_bits); ++ info->dqi_usable_bs, (loff_t)blk << info->dqi_blocksize_bits); + if (ret != info->dqi_usable_bs) { + quota_error(sb, "dquota write failed"); + if (ret >= 0) +@@ -283,7 +283,7 @@ static uint find_free_dqentry(struct qtree_mem_dqinfo *info, + blk); + goto out_buf; + } +- dquot->dq_off = (blk << info->dqi_blocksize_bits) + ++ dquot->dq_off = ((loff_t)blk << info->dqi_blocksize_bits) + + sizeof(struct qt_disk_dqdbheader) + + i * info->dqi_entry_size; + kfree(buf); +@@ -558,7 +558,7 @@ static loff_t find_block_dqentry(struct qtree_mem_dqinfo *info, + ret = -EIO; + goto out_buf; + } else { +- ret = (blk << info->dqi_blocksize_bits) + sizeof(struct ++ ret = ((loff_t)blk << info->dqi_blocksize_bits) + sizeof(struct + qt_disk_dqdbheader) + i * info->dqi_entry_size; + } + out_buf: +-- +2.27.0 + diff --git a/queue-4.14/rtc-sun6i-fix-memleak-in-sun6i_rtc_clk_init.patch b/queue-4.14/rtc-sun6i-fix-memleak-in-sun6i_rtc_clk_init.patch new file mode 100644 index 00000000000..6e35cbe9ecb --- /dev/null +++ b/queue-4.14/rtc-sun6i-fix-memleak-in-sun6i_rtc_clk_init.patch @@ -0,0 +1,65 @@ +From 9ea11f31fbf3085db00378c764197b62c93acf36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Oct 2020 14:12:26 +0800 +Subject: rtc: sun6i: Fix memleak in sun6i_rtc_clk_init + +From: Dinghao Liu + +[ Upstream commit 28d211919e422f58c1e6c900e5810eee4f1ce4c8 ] + +When clk_hw_register_fixed_rate_with_accuracy() fails, +clk_data should be freed. It's the same for the subsequent +two error paths, but we should also unregister the already +registered clocks in them. + +Signed-off-by: Dinghao Liu +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20201020061226.6572-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-sun6i.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-sun6i.c b/drivers/rtc/rtc-sun6i.c +index 8eb2b6dd36fea..1d0d9c8d0085d 100644 +--- a/drivers/rtc/rtc-sun6i.c ++++ b/drivers/rtc/rtc-sun6i.c +@@ -230,7 +230,7 @@ static void __init sun6i_rtc_clk_init(struct device_node *node) + 300000000); + if (IS_ERR(rtc->int_osc)) { + pr_crit("Couldn't register the internal oscillator\n"); +- return; ++ goto err; + } + + parents[0] = clk_hw_get_name(rtc->int_osc); +@@ -246,7 +246,7 @@ static void __init sun6i_rtc_clk_init(struct device_node *node) + rtc->losc = clk_register(NULL, &rtc->hw); + if (IS_ERR(rtc->losc)) { + pr_crit("Couldn't register the LOSC clock\n"); +- return; ++ goto err_register; + } + + of_property_read_string_index(node, "clock-output-names", 1, +@@ -257,7 +257,7 @@ static void __init sun6i_rtc_clk_init(struct device_node *node) + &rtc->lock); + if (IS_ERR(rtc->ext_losc)) { + pr_crit("Couldn't register the LOSC external gate\n"); +- return; ++ goto err_register; + } + + clk_data->num = 2; +@@ -266,6 +266,8 @@ static void __init sun6i_rtc_clk_init(struct device_node *node) + of_clk_add_hw_provider(node, of_clk_hw_onecell_get, clk_data); + return; + ++err_register: ++ clk_hw_unregister_fixed_rate(rtc->int_osc); + err: + kfree(clk_data); + } +-- +2.27.0 + diff --git a/queue-4.14/series b/queue-4.14/series index 96e71bc1300..3c360b73cd8 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -16,3 +16,10 @@ reiserfs-add-check-for-an-invalid-ih_entry_count.patch misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch media-gp8psk-initialize-stats-at-power-control-logic.patch alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch +rtc-sun6i-fix-memleak-in-sun6i_rtc_clk_init.patch +module-set-module_state_going-state-when-a-module-fa.patch +quota-don-t-overflow-quota-file-offsets.patch +powerpc-sysdev-add-missing-iounmap-on-error-in-mpic_.patch +module-delay-kobject-uevent-until-after-module-init-.patch +alsa-pcm-clear-the-full-allocated-memory-at-hw_param.patch +dm-verity-skip-verity-work-if-i-o-error-when-system-.patch