From: Greg Kroah-Hartman Date: Mon, 4 Oct 2021 10:15:08 +0000 (+0200) Subject: 5.14-stable patches X-Git-Tag: v4.4.286~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4ddcaf9ef3620cd546e3676173709ed95f25b5a1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.14-stable patches added patches: debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch driver-core-fw_devlink-improve-handling-of-cyclic-dependencies.patch elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch ext4-fix-reserved-space-counter-leakage.patch ext4-flush-s_error_work-before-journal-destroy-in-ext4_fill_super.patch ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch hid-u2fzero-ignore-incomplete-packets-without-data.patch ipack-ipoctal-fix-missing-allocation-failure-check.patch ipack-ipoctal-fix-module-reference-leak.patch ipack-ipoctal-fix-stack-information-leak.patch ipack-ipoctal-fix-tty-registration-error-handling.patch ipack-ipoctal-fix-tty-registration-race.patch net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch nios2-setup.c-drop-unused-variable-dram_start.patch nvme-add-command-id-quirk-for-apple-controllers.patch --- diff --git a/queue-5.14/debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch b/queue-5.14/debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch new file mode 100644 index 00000000000..afdc5d06105 --- /dev/null +++ b/queue-5.14/debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch @@ -0,0 +1,37 @@ +From af505cad9567f7a500d34bf183696d570d7f6810 Mon Sep 17 00:00:00 2001 +From: Nirmoy Das +Date: Thu, 2 Sep 2021 12:29:17 +0200 +Subject: debugfs: debugfs_create_file_size(): use IS_ERR to check for error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nirmoy Das + +commit af505cad9567f7a500d34bf183696d570d7f6810 upstream. + +debugfs_create_file() returns encoded error so use IS_ERR for checking +return value. + +Reviewed-by: Christian König +Signed-off-by: Nirmoy Das +Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL") +Cc: stable +References: https://gitlab.freedesktop.org/drm/amd/-/issues/1686 +Link: https://lore.kernel.org/r/20210902102917.2233-1-nirmoy.das@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/debugfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -528,7 +528,7 @@ void debugfs_create_file_size(const char + { + struct dentry *de = debugfs_create_file(name, mode, parent, data, fops); + +- if (de) ++ if (!IS_ERR(de)) + d_inode(de)->i_size = file_size; + } + EXPORT_SYMBOL_GPL(debugfs_create_file_size); diff --git a/queue-5.14/driver-core-fw_devlink-improve-handling-of-cyclic-dependencies.patch b/queue-5.14/driver-core-fw_devlink-improve-handling-of-cyclic-dependencies.patch new file mode 100644 index 00000000000..250ed3036e3 --- /dev/null +++ b/queue-5.14/driver-core-fw_devlink-improve-handling-of-cyclic-dependencies.patch @@ -0,0 +1,80 @@ +From 2de9d8e0d2fe3a1eb632def2245529067cb35db5 Mon Sep 17 00:00:00 2001 +From: Saravana Kannan +Date: Wed, 15 Sep 2021 10:09:37 -0700 +Subject: driver core: fw_devlink: Improve handling of cyclic dependencies + +From: Saravana Kannan + +commit 2de9d8e0d2fe3a1eb632def2245529067cb35db5 upstream. + +When we have a dependency of the form: + +Device-A -> Device-C + Device-B + +Device-C -> Device-B + +Where, +* Indentation denotes "child of" parent in previous line. +* X -> Y denotes X is consumer of Y based on firmware (Eg: DT). + +We have cyclic dependency: device-A -> device-C -> device-B -> device-A + +fw_devlink current treats device-C -> device-B dependency as an invalid +dependency and doesn't enforce it but leaves the rest of the +dependencies as is. + +While the current behavior is necessary, it is not sufficient if the +false dependency in this example is actually device-A -> device-C. When +this is the case, device-C will correctly probe defer waiting for +device-B to be added, but device-A will be incorrectly probe deferred by +fw_devlink waiting on device-C to probe successfully. Due to this, none +of the devices in the cycle will end up probing. + +To fix this, we need to go relax all the dependencies in the cycle like +we already do in the other instances where fw_devlink detects cycles. +A real world example of this was reported[1] and analyzed[2]. + +[1] - https://lore.kernel.org/lkml/0a2c4106-7f48-2bb5-048e-8c001a7c3fda@samsung.com/ +[2] - https://lore.kernel.org/lkml/CAGETcx8peaew90SWiux=TyvuGgvTQOmO4BFALz7aj0Za5QdNFQ@mail.gmail.com/ + +Fixes: f9aa460672c9 ("driver core: Refactor fw_devlink feature") +Cc: stable +Reported-by: Marek Szyprowski +Tested-by: Marek Szyprowski +Signed-off-by: Saravana Kannan +Link: https://lore.kernel.org/r/20210915170940.617415-2-saravanak@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/core.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -1790,14 +1790,21 @@ static int fw_devlink_create_devlink(str + * be broken by applying logic. Check for these types of cycles and + * break them so that devices in the cycle probe properly. + * +- * If the supplier's parent is dependent on the consumer, then +- * the consumer-supplier dependency is a false dependency. So, +- * treat it as an invalid link. ++ * If the supplier's parent is dependent on the consumer, then the ++ * consumer and supplier have a cyclic dependency. Since fw_devlink ++ * can't tell which of the inferred dependencies are incorrect, don't ++ * enforce probe ordering between any of the devices in this cyclic ++ * dependency. Do this by relaxing all the fw_devlink device links in ++ * this cycle and by treating the fwnode link between the consumer and ++ * the supplier as an invalid dependency. + */ + sup_dev = fwnode_get_next_parent_dev(sup_handle); + if (sup_dev && device_is_dependent(con, sup_dev)) { +- dev_dbg(con, "Not linking to %pfwP - False link\n", +- sup_handle); ++ dev_info(con, "Fixing up cyclic dependency with %pfwP (%s)\n", ++ sup_handle, dev_name(sup_dev)); ++ device_links_write_lock(); ++ fw_devlink_relax_cycle(con, sup_dev); ++ device_links_write_unlock(); + ret = -EINVAL; + } else { + /* diff --git a/queue-5.14/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch b/queue-5.14/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch new file mode 100644 index 00000000000..a45add03b35 --- /dev/null +++ b/queue-5.14/elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch @@ -0,0 +1,60 @@ +From 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 Mon Sep 17 00:00:00 2001 +From: Chen Jingwen +Date: Tue, 28 Sep 2021 20:56:57 +0800 +Subject: elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings + +From: Chen Jingwen + +commit 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 upstream. + +In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf +executable mappings") we still leave MAP_FIXED_NOREPLACE in place for +load_elf_interp. + +Unfortunately, this will cause kernel to fail to start with: + + 1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already + Failed to execute /init (error -17) + +The reason is that the elf interpreter (ld.so) has overlapping segments. + + readelf -l ld-2.31.so + Program Headers: + Type Offset VirtAddr PhysAddr + FileSiz MemSiz Flags Align + LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 + 0x000000000002c94c 0x000000000002c94c R E 0x10000 + LOAD 0x000000000002dae0 0x000000000003dae0 0x000000000003dae0 + 0x00000000000021e8 0x0000000000002320 RW 0x10000 + LOAD 0x000000000002fe00 0x000000000003fe00 0x000000000003fe00 + 0x00000000000011ac 0x0000000000001328 RW 0x10000 + +The reason for this problem is the same as described in commit +ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments"). + +Not only executable binaries, elf interpreters (e.g. ld.so) can have +overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go +back to MAP_FIXED in load_elf_interp. + +Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map") +Cc: # v4.19 +Cc: Andrew Morton +Cc: Michal Hocko +Signed-off-by: Chen Jingwen +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/binfmt_elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -630,7 +630,7 @@ static unsigned long load_elf_interp(str + + vaddr = eppnt->p_vaddr; + if (interp_elf_ex->e_type == ET_EXEC || load_addr_set) +- elf_type |= MAP_FIXED_NOREPLACE; ++ elf_type |= MAP_FIXED; + else if (no_base && interp_elf_ex->e_type == ET_DYN) + load_addr = -vaddr; + diff --git a/queue-5.14/ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch b/queue-5.14/ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch new file mode 100644 index 00000000000..f287fd7aa39 --- /dev/null +++ b/queue-5.14/ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch @@ -0,0 +1,99 @@ +From 1fd95c05d8f742abfe906620780aee4dbe1a2db0 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 2 Sep 2021 11:36:01 -0400 +Subject: ext4: add error checking to ext4_ext_replay_set_iblocks() + +From: Theodore Ts'o + +commit 1fd95c05d8f742abfe906620780aee4dbe1a2db0 upstream. + +If the call to ext4_map_blocks() fails due to an corrupted file +system, ext4_ext_replay_set_iblocks() can get stuck in an infinite +loop. This could be reproduced by running generic/526 with a file +system that has inline_data and fast_commit enabled. The system will +repeatedly log to the console: + +EXT4-fs warning (device dm-3): ext4_block_to_path:105: block 1074800922 > max in inode 131076 + +and the stack that it gets stuck in is: + + ext4_block_to_path+0xe3/0x130 + ext4_ind_map_blocks+0x93/0x690 + ext4_map_blocks+0x100/0x660 + skip_hole+0x47/0x70 + ext4_ext_replay_set_iblocks+0x223/0x440 + ext4_fc_replay_inode+0x29e/0x3b0 + ext4_fc_replay+0x278/0x550 + do_one_pass+0x646/0xc10 + jbd2_journal_recover+0x14a/0x270 + jbd2_journal_load+0xc4/0x150 + ext4_load_journal+0x1f3/0x490 + ext4_fill_super+0x22d4/0x2c00 + +With this patch, generic/526 still fails, but system is no longer +locking up in a tight loop. It's likely the root casue is that +fast_commit replay is corrupting file systems with inline_data, and we +probably need to add better error handling in the fast commit replay +code path beyond what is done here, which essentially just breaks the +infinite loop without reporting the to the higher levels of the code. + +Fixes: 8016E29F4362 ("ext4: fast commit recovery path") +Cc: stable@kernel.org +Cc: Harshad Shirwadkar +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5908,7 +5908,7 @@ void ext4_ext_replay_shrink_inode(struct + } + + /* Check if *cur is a hole and if it is, skip it */ +-static void skip_hole(struct inode *inode, ext4_lblk_t *cur) ++static int skip_hole(struct inode *inode, ext4_lblk_t *cur) + { + int ret; + struct ext4_map_blocks map; +@@ -5917,9 +5917,12 @@ static void skip_hole(struct inode *inod + map.m_len = ((inode->i_size) >> inode->i_sb->s_blocksize_bits) - *cur; + + ret = ext4_map_blocks(NULL, inode, &map, 0); ++ if (ret < 0) ++ return ret; + if (ret != 0) +- return; ++ return 0; + *cur = *cur + map.m_len; ++ return 0; + } + + /* Count number of blocks used by this inode and update i_blocks */ +@@ -5968,7 +5971,9 @@ int ext4_ext_replay_set_iblocks(struct i + * iblocks by total number of differences found. + */ + cur = 0; +- skip_hole(inode, &cur); ++ ret = skip_hole(inode, &cur); ++ if (ret < 0) ++ goto out; + path = ext4_find_extent(inode, cur, NULL, 0); + if (IS_ERR(path)) + goto out; +@@ -5987,8 +5992,12 @@ int ext4_ext_replay_set_iblocks(struct i + } + cur = max(cur + 1, le32_to_cpu(ex->ee_block) + + ext4_ext_get_actual_len(ex)); +- skip_hole(inode, &cur); +- ++ ret = skip_hole(inode, &cur); ++ if (ret < 0) { ++ ext4_ext_drop_refs(path); ++ kfree(path); ++ break; ++ } + path2 = ext4_find_extent(inode, cur, NULL, 0); + if (IS_ERR(path2)) { + ext4_ext_drop_refs(path); diff --git a/queue-5.14/ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch b/queue-5.14/ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch new file mode 100644 index 00000000000..8a554e726a5 --- /dev/null +++ b/queue-5.14/ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch @@ -0,0 +1,65 @@ +From 75ca6ad408f459f00b09a64f04c774559848c097 Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Sat, 5 Jun 2021 10:39:32 +0530 +Subject: ext4: fix loff_t overflow in ext4_max_bitmap_size() + +From: Ritesh Harjani + +commit 75ca6ad408f459f00b09a64f04c774559848c097 upstream. + +We should use unsigned long long rather than loff_t to avoid +overflow in ext4_max_bitmap_size() for comparison before returning. +w/o this patch sbi->s_bitmap_maxbytes was becoming a negative +value due to overflow of upper_limit (with has_huge_files as true) + +Below is a quick test to trigger it on a 64KB pagesize system. + +sudo mkfs.ext4 -b 65536 -O ^has_extents,^64bit /dev/loop2 +sudo mount /dev/loop2 /mnt +sudo echo "hello" > /mnt/hello -> This will error out with + "echo: write error: File too large" + +Signed-off-by: Ritesh Harjani +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/594f409e2c543e90fd836b78188dfa5c575065ba.1622867594.git.riteshh@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3185,17 +3185,17 @@ static loff_t ext4_max_size(int blkbits, + */ + static loff_t ext4_max_bitmap_size(int bits, int has_huge_files) + { +- loff_t res = EXT4_NDIR_BLOCKS; ++ unsigned long long upper_limit, res = EXT4_NDIR_BLOCKS; + int meta_blocks; +- loff_t upper_limit; +- /* This is calculated to be the largest file size for a dense, block ++ ++ /* ++ * This is calculated to be the largest file size for a dense, block + * mapped file such that the file's total number of 512-byte sectors, + * including data and all indirect blocks, does not exceed (2^48 - 1). + * + * __u32 i_blocks_lo and _u16 i_blocks_high represent the total + * number of 512-byte sectors of the file. + */ +- + if (!has_huge_files) { + /* + * !has_huge_files or implies that the inode i_block field +@@ -3238,7 +3238,7 @@ static loff_t ext4_max_bitmap_size(int b + if (res > MAX_LFS_FILESIZE) + res = MAX_LFS_FILESIZE; + +- return res; ++ return (loff_t)res; + } + + static ext4_fsblk_t descriptor_loc(struct super_block *sb, diff --git a/queue-5.14/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch b/queue-5.14/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch new file mode 100644 index 00000000000..5119405bb81 --- /dev/null +++ b/queue-5.14/ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch @@ -0,0 +1,68 @@ +From 42cb447410d024e9d54139ae9c21ea132a8c384c Mon Sep 17 00:00:00 2001 +From: yangerkun +Date: Tue, 14 Sep 2021 19:14:15 +0800 +Subject: ext4: fix potential infinite loop in ext4_dx_readdir() + +From: yangerkun + +commit 42cb447410d024e9d54139ae9c21ea132a8c384c upstream. + +When ext4_htree_fill_tree() fails, ext4_dx_readdir() can run into an +infinite loop since if info->last_pos != ctx->pos this will reset the +directory scan and reread the failing entry. For example: + +1. a dx_dir which has 3 block, block 0 as dx_root block, block 1/2 as + leaf block which own the ext4_dir_entry_2 +2. block 1 read ok and call_filldir which will fill the dirent and update + the ctx->pos +3. block 2 read fail, but we has already fill some dirent, so we will + return back to userspace will a positive return val(see ksys_getdents64) +4. the second ext4_dx_readdir will reset the world since info->last_pos + != ctx->pos, and will also init the curr_hash which pos to block 1 +5. So we will read block1 too, and once block2 still read fail, we can + only fill one dirent because the hash of the entry in block1(besides + the last one) won't greater than curr_hash +6. this time, we forget update last_pos too since the read for block2 + will fail, and since we has got the one entry, ksys_getdents64 can + return success +7. Latter we will trapped in a loop with step 4~6 + +Cc: stable@kernel.org +Signed-off-by: yangerkun +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210914111415.3921954-1-yangerkun@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/dir.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/dir.c ++++ b/fs/ext4/dir.c +@@ -551,7 +551,7 @@ static int ext4_dx_readdir(struct file * + struct dir_private_info *info = file->private_data; + struct inode *inode = file_inode(file); + struct fname *fname; +- int ret; ++ int ret = 0; + + if (!info) { + info = ext4_htree_create_dir_info(file, ctx->pos); +@@ -599,7 +599,7 @@ static int ext4_dx_readdir(struct file * + info->curr_minor_hash, + &info->next_hash); + if (ret < 0) +- return ret; ++ goto finished; + if (ret == 0) { + ctx->pos = ext4_get_htree_eof(file); + break; +@@ -630,7 +630,7 @@ static int ext4_dx_readdir(struct file * + } + finished: + info->last_pos = ctx->pos; +- return 0; ++ return ret < 0 ? ret : 0; + } + + static int ext4_release_dir(struct inode *inode, struct file *filp) diff --git a/queue-5.14/ext4-fix-reserved-space-counter-leakage.patch b/queue-5.14/ext4-fix-reserved-space-counter-leakage.patch new file mode 100644 index 00000000000..1cc04e4e8d1 --- /dev/null +++ b/queue-5.14/ext4-fix-reserved-space-counter-leakage.patch @@ -0,0 +1,89 @@ +From 6fed83957f21eff11c8496e9f24253b03d2bc1dc Mon Sep 17 00:00:00 2001 +From: Jeffle Xu +Date: Mon, 23 Aug 2021 14:13:58 +0800 +Subject: ext4: fix reserved space counter leakage + +From: Jeffle Xu + +commit 6fed83957f21eff11c8496e9f24253b03d2bc1dc upstream. + +When ext4_insert_delayed block receives and recovers from an error from +ext4_es_insert_delayed_block(), e.g., ENOMEM, it does not release the +space it has reserved for that block insertion as it should. One effect +of this bug is that s_dirtyclusters_counter is not decremented and +remains incorrectly elevated until the file system has been unmounted. +This can result in premature ENOSPC returns and apparent loss of free +space. + +Another effect of this bug is that +/sys/fs/ext4//delayed_allocation_blocks can remain non-zero even +after syncfs has been executed on the filesystem. + +Besides, add check for s_dirtyclusters_counter when inode is going to be +evicted and freed. s_dirtyclusters_counter can still keep non-zero until +inode is written back in .evict_inode(), and thus the check is delayed +to .destroy_inode(). + +Fixes: 51865fda28e5 ("ext4: let ext4 maintain extent status tree") +Cc: stable@kernel.org +Suggested-by: Gao Xiang +Signed-off-by: Jeffle Xu +Reviewed-by: Eric Whitney +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210823061358.84473-1-jefflexu@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 5 +++++ + fs/ext4/super.c | 6 ++++++ + 2 files changed, 11 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1640,6 +1640,7 @@ static int ext4_insert_delayed_block(str + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + int ret; + bool allocated = false; ++ bool reserved = false; + + /* + * If the cluster containing lblk is shared with a delayed, +@@ -1656,6 +1657,7 @@ static int ext4_insert_delayed_block(str + ret = ext4_da_reserve_space(inode); + if (ret != 0) /* ENOSPC */ + goto errout; ++ reserved = true; + } else { /* bigalloc */ + if (!ext4_es_scan_clu(inode, &ext4_es_is_delonly, lblk)) { + if (!ext4_es_scan_clu(inode, +@@ -1668,6 +1670,7 @@ static int ext4_insert_delayed_block(str + ret = ext4_da_reserve_space(inode); + if (ret != 0) /* ENOSPC */ + goto errout; ++ reserved = true; + } else { + allocated = true; + } +@@ -1678,6 +1681,8 @@ static int ext4_insert_delayed_block(str + } + + ret = ext4_es_insert_delayed_block(inode, lblk, allocated); ++ if (ret && reserved) ++ ext4_da_release_space(inode, 1); + + errout: + return ret; +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1351,6 +1351,12 @@ static void ext4_destroy_inode(struct in + true); + dump_stack(); + } ++ ++ if (EXT4_I(inode)->i_reserved_data_blocks) ++ ext4_msg(inode->i_sb, KERN_ERR, ++ "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!", ++ inode->i_ino, EXT4_I(inode), ++ EXT4_I(inode)->i_reserved_data_blocks); + } + + static void init_once(void *foo) diff --git a/queue-5.14/ext4-flush-s_error_work-before-journal-destroy-in-ext4_fill_super.patch b/queue-5.14/ext4-flush-s_error_work-before-journal-destroy-in-ext4_fill_super.patch new file mode 100644 index 00000000000..1a706722610 --- /dev/null +++ b/queue-5.14/ext4-flush-s_error_work-before-journal-destroy-in-ext4_fill_super.patch @@ -0,0 +1,96 @@ +From bb9464e08309f6befe80866f5be51778ca355ee9 Mon Sep 17 00:00:00 2001 +From: yangerkun +Date: Fri, 24 Sep 2021 17:39:17 +0800 +Subject: ext4: flush s_error_work before journal destroy in ext4_fill_super + +From: yangerkun + +commit bb9464e08309f6befe80866f5be51778ca355ee9 upstream. + +The error path in ext4_fill_super forget to flush s_error_work before +journal destroy, and it may trigger the follow bug since +flush_stashed_error_work can run concurrently with journal destroy +without any protection for sbi->s_journal. + +[32031.740193] EXT4-fs (loop66): get root inode failed +[32031.740484] EXT4-fs (loop66): mount failed +[32031.759805] ------------[ cut here ]------------ +[32031.759807] kernel BUG at fs/jbd2/transaction.c:373! +[32031.760075] invalid opcode: 0000 [#1] SMP PTI +[32031.760336] CPU: 5 PID: 1029268 Comm: kworker/5:1 Kdump: loaded +4.18.0 +[32031.765112] Call Trace: +[32031.765375] ? __switch_to_asm+0x35/0x70 +[32031.765635] ? __switch_to_asm+0x41/0x70 +[32031.765893] ? __switch_to_asm+0x35/0x70 +[32031.766148] ? __switch_to_asm+0x41/0x70 +[32031.766405] ? _cond_resched+0x15/0x40 +[32031.766665] jbd2__journal_start+0xf1/0x1f0 [jbd2] +[32031.766934] jbd2_journal_start+0x19/0x20 [jbd2] +[32031.767218] flush_stashed_error_work+0x30/0x90 [ext4] +[32031.767487] process_one_work+0x195/0x390 +[32031.767747] worker_thread+0x30/0x390 +[32031.768007] ? process_one_work+0x390/0x390 +[32031.768265] kthread+0x10d/0x130 +[32031.768521] ? kthread_flush_work_fn+0x10/0x10 +[32031.768778] ret_from_fork+0x35/0x40 + +static int start_this_handle(...) + BUG_ON(journal->j_flags & JBD2_UNMOUNT); <---- Trigger this + +Besides, after we enable fast commit, ext4_fc_replay can add work to +s_error_work but return success, so the latter journal destroy in +ext4_load_journal can trigger this problem too. + +Fix this problem with two steps: +1. Call ext4_commit_super directly in ext4_handle_error for the case + that called from ext4_fc_replay +2. Since it's hard to pair the init and flush for s_error_work, we'd + better add a extras flush_work before journal destroy in + ext4_fill_super + +Besides, this patch will call ext4_commit_super in ext4_handle_error for +any nojournal case too. But it seems safe since the reason we call +schedule_work was that we should save error info to sb through journal +if available. Conversely, for the nojournal case, it seems useless delay +commit superblock to s_error_work. + +Fixes: c92dc856848f ("ext4: defer saving error info from atomic context") +Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available") +Cc: stable@kernel.org +Signed-off-by: yangerkun +Reviewed-by: Jan Kara +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210924093917.1953239-1-yangerkun@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -661,7 +661,7 @@ static void ext4_handle_error(struct sup + * constraints, it may not be safe to do it right here so we + * defer superblock flushing to a workqueue. + */ +- if (continue_fs) ++ if (continue_fs && journal) + schedule_work(&EXT4_SB(sb)->s_error_work); + else + ext4_commit_super(sb); +@@ -5189,12 +5189,15 @@ failed_mount_wq: + sbi->s_ea_block_cache = NULL; + + if (sbi->s_journal) { ++ /* flush s_error_work before journal destroy. */ ++ flush_work(&sbi->s_error_work); + jbd2_journal_destroy(sbi->s_journal); + sbi->s_journal = NULL; + } + failed_mount3a: + ext4_es_unregister_shrinker(sbi); + failed_mount3: ++ /* flush s_error_work before sbi destroy */ + flush_work(&sbi->s_error_work); + del_timer_sync(&sbi->s_err_report); + ext4_stop_mmpd(sbi); diff --git a/queue-5.14/ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch b/queue-5.14/ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch new file mode 100644 index 00000000000..368bf5db7d8 --- /dev/null +++ b/queue-5.14/ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch @@ -0,0 +1,60 @@ +From a2c2f0826e2b75560b31daf1cd9a755ab93cf4c6 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Fri, 20 Aug 2021 12:45:05 +0800 +Subject: ext4: limit the number of blocks in one ADD_RANGE TLV + +From: Hou Tao + +commit a2c2f0826e2b75560b31daf1cd9a755ab93cf4c6 upstream. + +Now EXT4_FC_TAG_ADD_RANGE uses ext4_extent to track the +newly-added blocks, but the limit on the max value of +ee_len field is ignored, and it can lead to BUG_ON as +shown below when running command "fallocate -l 128M file" +on a fast_commit-enabled fs: + + kernel BUG at fs/ext4/ext4_extents.h:199! + invalid opcode: 0000 [#1] SMP PTI + CPU: 3 PID: 624 Comm: fallocate Not tainted 5.14.0-rc6+ #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) + RIP: 0010:ext4_fc_write_inode_data+0x1f3/0x200 + Call Trace: + ? ext4_fc_write_inode+0xf2/0x150 + ext4_fc_commit+0x93b/0xa00 + ? ext4_fallocate+0x1ad/0x10d0 + ext4_sync_file+0x157/0x340 + ? ext4_sync_file+0x157/0x340 + vfs_fsync_range+0x49/0x80 + do_fsync+0x3d/0x70 + __x64_sys_fsync+0x14/0x20 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Simply fixing it by limiting the number of blocks +in one EXT4_FC_TAG_ADD_RANGE TLV. + +Fixes: aa75f4d3daae ("ext4: main fast-commit commit path") +Cc: stable@kernel.org +Signed-off-by: Hou Tao +Signed-off-by: Theodore Ts'o +Link: https://lore.kernel.org/r/20210820044505.474318-1-houtao1@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fast_commit.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ext4/fast_commit.c ++++ b/fs/ext4/fast_commit.c +@@ -893,6 +893,12 @@ static int ext4_fc_write_inode_data(stru + sizeof(lrange), (u8 *)&lrange, crc)) + return -ENOSPC; + } else { ++ unsigned int max = (map.m_flags & EXT4_MAP_UNWRITTEN) ? ++ EXT_UNWRITTEN_MAX_LEN : EXT_INIT_MAX_LEN; ++ ++ /* Limit the number of blocks in one extent */ ++ map.m_len = min(max, map.m_len); ++ + fc_ext.fc_ino = cpu_to_le32(inode->i_ino); + ex = (struct ext4_extent *)&fc_ext.fc_ex; + ex->ee_block = cpu_to_le32(map.m_lblk); diff --git a/queue-5.14/hid-u2fzero-ignore-incomplete-packets-without-data.patch b/queue-5.14/hid-u2fzero-ignore-incomplete-packets-without-data.patch new file mode 100644 index 00000000000..c18e0123d56 --- /dev/null +++ b/queue-5.14/hid-u2fzero-ignore-incomplete-packets-without-data.patch @@ -0,0 +1,35 @@ +From 22d65765f211cc83186fd8b87521159f354c0da9 Mon Sep 17 00:00:00 2001 +From: Andrej Shadura +Date: Thu, 16 Sep 2021 17:33:11 +0100 +Subject: HID: u2fzero: ignore incomplete packets without data + +From: Andrej Shadura + +commit 22d65765f211cc83186fd8b87521159f354c0da9 upstream. + +Since the actual_length calculation is performed unsigned, packets +shorter than 7 bytes (e.g. packets without data or otherwise truncated) +or non-received packets ("zero" bytes) can cause buffer overflow. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437 +Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG") +Signed-off-by: Andrej Shadura +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-u2fzero.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-u2fzero.c ++++ b/drivers/hid/hid-u2fzero.c +@@ -198,7 +198,9 @@ static int u2fzero_rng_read(struct hwrng + } + + ret = u2fzero_recv(dev, &req, &resp); +- if (ret < 0) ++ ++ /* ignore errors or packets without data */ ++ if (ret < offsetof(struct u2f_hid_msg, init.data)) + return 0; + + /* only take the minimum amount of data it is safe to take */ diff --git a/queue-5.14/ipack-ipoctal-fix-missing-allocation-failure-check.patch b/queue-5.14/ipack-ipoctal-fix-missing-allocation-failure-check.patch new file mode 100644 index 00000000000..f37dcf1b240 --- /dev/null +++ b/queue-5.14/ipack-ipoctal-fix-missing-allocation-failure-check.patch @@ -0,0 +1,36 @@ +From 445c8132727728dc297492a7d9fc074af3e94ba3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:20 +0200 +Subject: ipack: ipoctal: fix missing allocation-failure check + +From: Johan Hovold + +commit 445c8132727728dc297492a7d9fc074af3e94ba3 upstream. + +Add the missing error handling when allocating the transmit buffer to +avoid dereferencing a NULL pointer in write() should the allocation +ever fail. + +Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board") +Cc: stable@vger.kernel.org # 3.5 +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -386,7 +386,9 @@ static int ipoctal_inst_slot(struct ipoc + + channel = &ipoctal->channel[i]; + tty_port_init(&channel->tty_port); +- tty_port_alloc_xmit_buf(&channel->tty_port); ++ res = tty_port_alloc_xmit_buf(&channel->tty_port); ++ if (res) ++ continue; + channel->tty_port.ops = &ipoctal_tty_port_ops; + + ipoctal_reset_stats(&channel->stats); diff --git a/queue-5.14/ipack-ipoctal-fix-module-reference-leak.patch b/queue-5.14/ipack-ipoctal-fix-module-reference-leak.patch new file mode 100644 index 00000000000..66c660459b0 --- /dev/null +++ b/queue-5.14/ipack-ipoctal-fix-module-reference-leak.patch @@ -0,0 +1,79 @@ +From bb8a4fcb2136508224c596a7e665bdba1d7c3c27 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:21 +0200 +Subject: ipack: ipoctal: fix module reference leak + +From: Johan Hovold + +commit bb8a4fcb2136508224c596a7e665bdba1d7c3c27 upstream. + +A reference to the carrier module was taken on every open but was only +released once when the final reference to the tty struct was dropped. + +Fix this by taking the module reference and initialising the tty driver +data when installing the tty. + +Fixes: 82a82340bab6 ("ipoctal: get carrier driver to avoid rmmod") +Cc: stable@vger.kernel.org # 3.18 +Cc: Federico Vaga +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-6-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -82,22 +82,34 @@ static int ipoctal_port_activate(struct + return 0; + } + +-static int ipoctal_open(struct tty_struct *tty, struct file *file) ++static int ipoctal_install(struct tty_driver *driver, struct tty_struct *tty) + { + struct ipoctal_channel *channel = dev_get_drvdata(tty->dev); + struct ipoctal *ipoctal = chan_to_ipoctal(channel, tty->index); +- int err; +- +- tty->driver_data = channel; ++ int res; + + if (!ipack_get_carrier(ipoctal->dev)) + return -EBUSY; + +- err = tty_port_open(&channel->tty_port, tty, file); +- if (err) +- ipack_put_carrier(ipoctal->dev); ++ res = tty_standard_install(driver, tty); ++ if (res) ++ goto err_put_carrier; ++ ++ tty->driver_data = channel; ++ ++ return 0; ++ ++err_put_carrier: ++ ipack_put_carrier(ipoctal->dev); ++ ++ return res; ++} ++ ++static int ipoctal_open(struct tty_struct *tty, struct file *file) ++{ ++ struct ipoctal_channel *channel = tty->driver_data; + +- return err; ++ return tty_port_open(&channel->tty_port, tty, file); + } + + static void ipoctal_reset_stats(struct ipoctal_stats *stats) +@@ -662,6 +674,7 @@ static void ipoctal_cleanup(struct tty_s + + static const struct tty_operations ipoctal_fops = { + .ioctl = NULL, ++ .install = ipoctal_install, + .open = ipoctal_open, + .close = ipoctal_close, + .write = ipoctal_write_tty, diff --git a/queue-5.14/ipack-ipoctal-fix-stack-information-leak.patch b/queue-5.14/ipack-ipoctal-fix-stack-information-leak.patch new file mode 100644 index 00000000000..68ba7feceee --- /dev/null +++ b/queue-5.14/ipack-ipoctal-fix-stack-information-leak.patch @@ -0,0 +1,86 @@ +From a89936cce87d60766a75732a9e7e25c51164f47c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:17 +0200 +Subject: ipack: ipoctal: fix stack information leak + +From: Johan Hovold + +commit a89936cce87d60766a75732a9e7e25c51164f47c upstream. + +The tty driver name is used also after registering the driver and must +specifically not be allocated on the stack to avoid leaking information +to user space (or triggering an oops). + +Drivers should not try to encode topology information in the tty device +name but this one snuck in through staging without anyone noticing and +another driver has since copied this malpractice. + +Fixing the ABI is a separate issue, but this at least plugs the security +hole. + +Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board") +Cc: stable@vger.kernel.org # 3.5 +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -264,7 +264,6 @@ static int ipoctal_inst_slot(struct ipoc + int res; + int i; + struct tty_driver *tty; +- char name[20]; + struct ipoctal_channel *channel; + struct ipack_region *region; + void __iomem *addr; +@@ -355,8 +354,11 @@ static int ipoctal_inst_slot(struct ipoc + /* Fill struct tty_driver with ipoctal data */ + tty->owner = THIS_MODULE; + tty->driver_name = KBUILD_MODNAME; +- sprintf(name, KBUILD_MODNAME ".%d.%d.", bus_nr, slot); +- tty->name = name; ++ tty->name = kasprintf(GFP_KERNEL, KBUILD_MODNAME ".%d.%d.", bus_nr, slot); ++ if (!tty->name) { ++ res = -ENOMEM; ++ goto err_put_driver; ++ } + tty->major = 0; + + tty->minor_start = 0; +@@ -372,8 +374,7 @@ static int ipoctal_inst_slot(struct ipoc + res = tty_register_driver(tty); + if (res) { + dev_err(&ipoctal->dev->dev, "Can't register tty driver.\n"); +- put_tty_driver(tty); +- return res; ++ goto err_free_name; + } + + /* Save struct tty_driver for use it when uninstalling the device */ +@@ -410,6 +411,13 @@ static int ipoctal_inst_slot(struct ipoc + ipoctal_irq_handler, ipoctal); + + return 0; ++ ++err_free_name: ++ kfree(tty->name); ++err_put_driver: ++ put_tty_driver(tty); ++ ++ return res; + } + + static inline int ipoctal_copy_write_buffer(struct ipoctal_channel *channel, +@@ -697,6 +705,7 @@ static void __ipoctal_remove(struct ipoc + } + + tty_unregister_driver(ipoctal->tty_drv); ++ kfree(ipoctal->tty_drv->name); + put_tty_driver(ipoctal->tty_drv); + kfree(ipoctal); + } diff --git a/queue-5.14/ipack-ipoctal-fix-tty-registration-error-handling.patch b/queue-5.14/ipack-ipoctal-fix-tty-registration-error-handling.patch new file mode 100644 index 00000000000..c08fe8d4521 --- /dev/null +++ b/queue-5.14/ipack-ipoctal-fix-tty-registration-error-handling.patch @@ -0,0 +1,56 @@ +From cd20d59291d1790dc74248476e928f57fc455189 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:19 +0200 +Subject: ipack: ipoctal: fix tty-registration error handling + +From: Johan Hovold + +commit cd20d59291d1790dc74248476e928f57fc455189 upstream. + +Registration of the ipoctal tty devices is unlikely to fail, but if it +ever does, make sure not to deregister a never registered tty device +(and dereference a NULL pointer) when the driver is later unbound. + +Fixes: 2afb41d9d30d ("Staging: ipack/devices/ipoctal: Check tty_register_device return value.") +Cc: stable@vger.kernel.org # 3.7 +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -33,6 +33,7 @@ struct ipoctal_channel { + unsigned int pointer_read; + unsigned int pointer_write; + struct tty_port tty_port; ++ bool tty_registered; + union scc2698_channel __iomem *regs; + union scc2698_block __iomem *block_regs; + unsigned int board_id; +@@ -397,9 +398,11 @@ static int ipoctal_inst_slot(struct ipoc + i, NULL, channel, NULL); + if (IS_ERR(tty_dev)) { + dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n"); ++ tty_port_free_xmit_buf(&channel->tty_port); + tty_port_destroy(&channel->tty_port); + continue; + } ++ channel->tty_registered = true; + } + + /* +@@ -699,6 +702,10 @@ static void __ipoctal_remove(struct ipoc + + for (i = 0; i < NR_CHANNELS; i++) { + struct ipoctal_channel *channel = &ipoctal->channel[i]; ++ ++ if (!channel->tty_registered) ++ continue; ++ + tty_unregister_device(ipoctal->tty_drv, i); + tty_port_free_xmit_buf(&channel->tty_port); + tty_port_destroy(&channel->tty_port); diff --git a/queue-5.14/ipack-ipoctal-fix-tty-registration-race.patch b/queue-5.14/ipack-ipoctal-fix-tty-registration-race.patch new file mode 100644 index 00000000000..bbda39b77e9 --- /dev/null +++ b/queue-5.14/ipack-ipoctal-fix-tty-registration-race.patch @@ -0,0 +1,40 @@ +From 65c001df517a7bf9be8621b53d43c89f426ce8d6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Sep 2021 13:46:18 +0200 +Subject: ipack: ipoctal: fix tty registration race + +From: Johan Hovold + +commit 65c001df517a7bf9be8621b53d43c89f426ce8d6 upstream. + +Make sure to set the tty class-device driver data before registering the +tty to avoid having a racing open() dereference a NULL pointer. + +Fixes: 9c1d784afc6f ("Staging: ipack/devices/ipoctal: Get rid of ipoctal_list.") +Cc: stable@vger.kernel.org # 3.7 +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210917114622.5412-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/devices/ipoctal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/ipack/devices/ipoctal.c ++++ b/drivers/ipack/devices/ipoctal.c +@@ -393,13 +393,13 @@ static int ipoctal_inst_slot(struct ipoc + spin_lock_init(&channel->lock); + channel->pointer_read = 0; + channel->pointer_write = 0; +- tty_dev = tty_port_register_device(&channel->tty_port, tty, i, NULL); ++ tty_dev = tty_port_register_device_attr(&channel->tty_port, tty, ++ i, NULL, channel, NULL); + if (IS_ERR(tty_dev)) { + dev_err(&ipoctal->dev->dev, "Failed to register tty device.\n"); + tty_port_destroy(&channel->tty_port); + continue; + } +- dev_set_drvdata(tty_dev, channel); + } + + /* diff --git a/queue-5.14/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch b/queue-5.14/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch new file mode 100644 index 00000000000..453f6df9cec --- /dev/null +++ b/queue-5.14/net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch @@ -0,0 +1,73 @@ +From a9f5970767d11eadc805d5283f202612c7ba1f59 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 27 Sep 2021 17:29:24 -0700 +Subject: net: udp: annotate data race around udp_sk(sk)->corkflag + +From: Eric Dumazet + +commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream. + +up->corkflag field can be read or written without any lock. +Annotate accesses to avoid possible syzbot/KCSAN reports. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 10 +++++----- + net/ipv6/udp.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1053,7 +1053,7 @@ int udp_sendmsg(struct sock *sk, struct + __be16 dport; + u8 tos; + int err, is_udplite = IS_UDPLITE(sk); +- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE; ++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE; + int (*getfrag)(void *, char *, int, int, int, struct sk_buff *); + struct sk_buff *skb; + struct ip_options_data opt_copy; +@@ -1361,7 +1361,7 @@ int udp_sendpage(struct sock *sk, struct + } + + up->len += size; +- if (!(up->corkflag || (flags&MSG_MORE))) ++ if (!(READ_ONCE(up->corkflag) || (flags&MSG_MORE))) + ret = udp_push_pending_frames(sk); + if (!ret) + ret = size; +@@ -2662,9 +2662,9 @@ int udp_lib_setsockopt(struct sock *sk, + switch (optname) { + case UDP_CORK: + if (val != 0) { +- up->corkflag = 1; ++ WRITE_ONCE(up->corkflag, 1); + } else { +- up->corkflag = 0; ++ WRITE_ONCE(up->corkflag, 0); + lock_sock(sk); + push_pending_frames(sk); + release_sock(sk); +@@ -2787,7 +2787,7 @@ int udp_lib_getsockopt(struct sock *sk, + + switch (optname) { + case UDP_CORK: +- val = up->corkflag; ++ val = READ_ONCE(up->corkflag); + break; + + case UDP_ENCAP: +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1303,7 +1303,7 @@ int udpv6_sendmsg(struct sock *sk, struc + int addr_len = msg->msg_namelen; + bool connected = false; + int ulen = len; +- int corkreq = up->corkflag || msg->msg_flags&MSG_MORE; ++ int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE; + int err; + int is_udplite = IS_UDPLITE(sk); + int (*getfrag)(void *, char *, int, int, int, struct sk_buff *); diff --git a/queue-5.14/nios2-setup.c-drop-unused-variable-dram_start.patch b/queue-5.14/nios2-setup.c-drop-unused-variable-dram_start.patch new file mode 100644 index 00000000000..aeffa39c38b --- /dev/null +++ b/queue-5.14/nios2-setup.c-drop-unused-variable-dram_start.patch @@ -0,0 +1,38 @@ +From 9523b33cc31cf8ce703f8facee9fd16cba36d5ad Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Fri, 24 Sep 2021 14:05:25 -0700 +Subject: NIOS2: setup.c: drop unused variable 'dram_start' + +From: Randy Dunlap + +commit 9523b33cc31cf8ce703f8facee9fd16cba36d5ad upstream. + +This is a nuisance when CONFIG_WERROR is set, so drop the variable +declaration since the code that used it was removed. + +../arch/nios2/kernel/setup.c: In function 'setup_arch': +../arch/nios2/kernel/setup.c:152:13: warning: unused variable 'dram_start' [-Wunused-variable] + 152 | int dram_start; + +Fixes: 7f7bc20bc41a ("nios2: Don't use _end for calculating min_low_pfn") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Reviewed-by: Mike Rapoport +Cc: Andreas Oetken +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + arch/nios2/kernel/setup.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/nios2/kernel/setup.c ++++ b/arch/nios2/kernel/setup.c +@@ -149,8 +149,6 @@ static void __init find_limits(unsigned + + void __init setup_arch(char **cmdline_p) + { +- int dram_start; +- + console_verbose(); + + memory_start = memblock_start_of_DRAM(); diff --git a/queue-5.14/nvme-add-command-id-quirk-for-apple-controllers.patch b/queue-5.14/nvme-add-command-id-quirk-for-apple-controllers.patch new file mode 100644 index 00000000000..1e5fe57a50a --- /dev/null +++ b/queue-5.14/nvme-add-command-id-quirk-for-apple-controllers.patch @@ -0,0 +1,83 @@ +From a2941f6aa71a72be2c82c0a168523a492d093530 Mon Sep 17 00:00:00 2001 +From: Keith Busch +Date: Mon, 27 Sep 2021 08:43:06 -0700 +Subject: nvme: add command id quirk for apple controllers + +From: Keith Busch + +commit a2941f6aa71a72be2c82c0a168523a492d093530 upstream. + +Some apple controllers use the command id as an index to implementation +specific data structures and will fail if the value is out of bounds. +The nvme driver's recently introduced command sequence number breaks +this controller. + +Provide a quirk so these spec incompliant controllers can function as +before. The driver will not have the ability to detect bad completions +when this quirk is used, but we weren't previously checking this anyway. + +The quirk bit was selected so that it can readily apply to stable. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=214509 +Cc: Sven Peter +Reported-by: Orlando Chamberlain +Reported-by: Aditya Garg +Signed-off-by: Keith Busch +Reviewed-by: Christoph Hellwig +Tested-by: Sven Peter +Link: https://lore.kernel.org/r/20210927154306.387437-1-kbusch@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 4 +++- + drivers/nvme/host/nvme.h | 6 ++++++ + drivers/nvme/host/pci.c | 3 ++- + 3 files changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -980,6 +980,7 @@ EXPORT_SYMBOL_GPL(nvme_cleanup_cmd); + blk_status_t nvme_setup_cmd(struct nvme_ns *ns, struct request *req) + { + struct nvme_command *cmd = nvme_req(req)->cmd; ++ struct nvme_ctrl *ctrl = nvme_req(req)->ctrl; + blk_status_t ret = BLK_STS_OK; + + if (!(req->rq_flags & RQF_DONTPREP)) { +@@ -1028,7 +1029,8 @@ blk_status_t nvme_setup_cmd(struct nvme_ + return BLK_STS_IOERR; + } + +- nvme_req(req)->genctr++; ++ if (!(ctrl->quirks & NVME_QUIRK_SKIP_CID_GEN)) ++ nvme_req(req)->genctr++; + cmd->common.command_id = nvme_cid(req); + trace_nvme_setup_cmd(req, cmd); + return ret; +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -149,6 +149,12 @@ enum nvme_quirks { + * 48 bits. + */ + NVME_QUIRK_DMA_ADDRESS_BITS_48 = (1 << 16), ++ ++ /* ++ * The controller requires the command_id value be be limited, so skip ++ * encoding the generation sequence number. ++ */ ++ NVME_QUIRK_SKIP_CID_GEN = (1 << 17), + }; + + /* +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3282,7 +3282,8 @@ static const struct pci_device_id nvme_i + { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2005), + .driver_data = NVME_QUIRK_SINGLE_VECTOR | + NVME_QUIRK_128_BYTES_SQES | +- NVME_QUIRK_SHARED_TAGS }, ++ NVME_QUIRK_SHARED_TAGS | ++ NVME_QUIRK_SKIP_CID_GEN }, + + { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) }, + { 0, } diff --git a/queue-5.14/series b/queue-5.14/series index 53c961d9587..0b7a301f2d3 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -142,3 +142,21 @@ sched-fair-null-terminate-buffer-when-updating-tunab.patch hwmon-occ-fix-p10-vrm-temp-sensors.patch hwmon-pmbus-mp2975-add-missed-pout-attribute-for-pag.patch kvm-fix-objtool-relocation-warning.patch +nvme-add-command-id-quirk-for-apple-controllers.patch +elf-don-t-use-map_fixed_noreplace-for-elf-interpreter-mappings.patch +driver-core-fw_devlink-improve-handling-of-cyclic-dependencies.patch +debugfs-debugfs_create_file_size-use-is_err-to-check-for-error.patch +ipack-ipoctal-fix-stack-information-leak.patch +ipack-ipoctal-fix-tty-registration-race.patch +ipack-ipoctal-fix-tty-registration-error-handling.patch +ipack-ipoctal-fix-missing-allocation-failure-check.patch +ipack-ipoctal-fix-module-reference-leak.patch +ext4-fix-loff_t-overflow-in-ext4_max_bitmap_size.patch +ext4-limit-the-number-of-blocks-in-one-add_range-tlv.patch +ext4-fix-reserved-space-counter-leakage.patch +ext4-add-error-checking-to-ext4_ext_replay_set_iblocks.patch +ext4-fix-potential-infinite-loop-in-ext4_dx_readdir.patch +ext4-flush-s_error_work-before-journal-destroy-in-ext4_fill_super.patch +hid-u2fzero-ignore-incomplete-packets-without-data.patch +net-udp-annotate-data-race-around-udp_sk-sk-corkflag.patch +nios2-setup.c-drop-unused-variable-dram_start.patch