From: Greg Kroah-Hartman Date: Tue, 3 Nov 2020 14:47:27 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.14.204~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6e059127442dd60b68d8be034221fe1426e92261;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: btrfs-cleanup-cow-block-on-error.patch btrfs-fix-use-after-free-on-readahead-extent-after-failure-to-create-it.patch btrfs-reschedule-if-necessary-when-logging-directory-items.patch dmaengine-dma-jz4780-fix-race-in-jz4780_dma_tx_status.patch iio-adc-ti-adc12138-fix-alignment-issue-with-timestamp.patch iio-gyro-itg3200-fix-timestamp-alignment-and-prevent-data-leak.patch iio-light-si1145-fix-timestamp-alignment-and-prevent-data-leak.patch powerpc-powernv-elog-fix-race-while-processing-opal-error-log-event.patch powerpc-warn-about-use-of-smt_snooze_delay.patch scsi-mptfusion-fix-null-pointer-dereferences-in-mptscsih_remove.patch ubifs-dent-fix-some-potential-memory-leaks-while-iterating-entries.patch usb-dwc3-core-add-phy-cleanup-for-probe-error-handling.patch usb-dwc3-core-don-t-trigger-runtime-pm-when-remove-driver.patch usb-host-fsl-mph-dr-of-check-return-of-dma_set_mask.patch vt-keyboard-extend-func_buf_lock-to-readers.patch vt-keyboard-simplify-vt_kdgkbsent.patch --- diff --git a/queue-4.9/btrfs-cleanup-cow-block-on-error.patch b/queue-4.9/btrfs-cleanup-cow-block-on-error.patch new file mode 100644 index 00000000000..a560acee016 --- /dev/null +++ b/queue-4.9/btrfs-cleanup-cow-block-on-error.patch @@ -0,0 +1,135 @@ +From 572c83acdcdafeb04e70aa46be1fa539310be20c Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Tue, 29 Sep 2020 08:53:54 -0400 +Subject: btrfs: cleanup cow block on error + +From: Josef Bacik + +commit 572c83acdcdafeb04e70aa46be1fa539310be20c upstream. + +In fstest btrfs/064 a transaction abort in __btrfs_cow_block could lead +to a system lockup. It gets stuck trying to write back inodes, and the +write back thread was trying to lock an extent buffer: + + $ cat /proc/2143497/stack + [<0>] __btrfs_tree_lock+0x108/0x250 + [<0>] lock_extent_buffer_for_io+0x35e/0x3a0 + [<0>] btree_write_cache_pages+0x15a/0x3b0 + [<0>] do_writepages+0x28/0xb0 + [<0>] __writeback_single_inode+0x54/0x5c0 + [<0>] writeback_sb_inodes+0x1e8/0x510 + [<0>] wb_writeback+0xcc/0x440 + [<0>] wb_workfn+0xd7/0x650 + [<0>] process_one_work+0x236/0x560 + [<0>] worker_thread+0x55/0x3c0 + [<0>] kthread+0x13a/0x150 + [<0>] ret_from_fork+0x1f/0x30 + +This is because we got an error while COWing a block, specifically here + + if (test_bit(BTRFS_ROOT_SHAREABLE, &root->state)) { + ret = btrfs_reloc_cow_block(trans, root, buf, cow); + if (ret) { + btrfs_abort_transaction(trans, ret); + return ret; + } + } + + [16402.241552] BTRFS: Transaction aborted (error -2) + [16402.242362] WARNING: CPU: 1 PID: 2563188 at fs/btrfs/ctree.c:1074 __btrfs_cow_block+0x376/0x540 + [16402.249469] CPU: 1 PID: 2563188 Comm: fsstress Not tainted 5.9.0-rc6+ #8 + [16402.249936] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 + [16402.250525] RIP: 0010:__btrfs_cow_block+0x376/0x540 + [16402.252417] RSP: 0018:ffff9cca40e578b0 EFLAGS: 00010282 + [16402.252787] RAX: 0000000000000025 RBX: 0000000000000002 RCX: ffff9132bbd19388 + [16402.253278] RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9132bbd19380 + [16402.254063] RBP: ffff9132b41a49c0 R08: 0000000000000000 R09: 0000000000000000 + [16402.254887] R10: 0000000000000000 R11: ffff91324758b080 R12: ffff91326ef17ce0 + [16402.255694] R13: ffff91325fc0f000 R14: ffff91326ef176b0 R15: ffff9132815e2000 + [16402.256321] FS: 00007f542c6d7b80(0000) GS:ffff9132bbd00000(0000) knlGS:0000000000000000 + [16402.256973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [16402.257374] CR2: 00007f127b83f250 CR3: 0000000133480002 CR4: 0000000000370ee0 + [16402.257867] Call Trace: + [16402.258072] btrfs_cow_block+0x109/0x230 + [16402.258356] btrfs_search_slot+0x530/0x9d0 + [16402.258655] btrfs_lookup_file_extent+0x37/0x40 + [16402.259155] __btrfs_drop_extents+0x13c/0xd60 + [16402.259628] ? btrfs_block_rsv_migrate+0x4f/0xb0 + [16402.259949] btrfs_replace_file_extents+0x190/0x820 + [16402.260873] btrfs_clone+0x9ae/0xc00 + [16402.261139] btrfs_extent_same_range+0x66/0x90 + [16402.261771] btrfs_remap_file_range+0x353/0x3b1 + [16402.262333] vfs_dedupe_file_range_one.part.0+0xd5/0x140 + [16402.262821] vfs_dedupe_file_range+0x189/0x220 + [16402.263150] do_vfs_ioctl+0x552/0x700 + [16402.263662] __x64_sys_ioctl+0x62/0xb0 + [16402.264023] do_syscall_64+0x33/0x40 + [16402.264364] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [16402.264862] RIP: 0033:0x7f542c7d15cb + [16402.266901] RSP: 002b:00007ffd35944ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [16402.267627] RAX: ffffffffffffffda RBX: 00000000009d1968 RCX: 00007f542c7d15cb + [16402.268298] RDX: 00000000009d2490 RSI: 00000000c0189436 RDI: 0000000000000003 + [16402.268958] RBP: 00000000009d2520 R08: 0000000000000036 R09: 00000000009d2e64 + [16402.269726] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 + [16402.270659] R13: 000000000001f000 R14: 00000000009d1970 R15: 00000000009d2e80 + [16402.271498] irq event stamp: 0 + [16402.271846] hardirqs last enabled at (0): [<0000000000000000>] 0x0 + [16402.272497] hardirqs last disabled at (0): [] copy_process+0x6b9/0x1ba0 + [16402.273343] softirqs last enabled at (0): [] copy_process+0x6b9/0x1ba0 + [16402.273905] softirqs last disabled at (0): [<0000000000000000>] 0x0 + [16402.274338] ---[ end trace 737874a5a41a8236 ]--- + [16402.274669] BTRFS: error (device dm-9) in __btrfs_cow_block:1074: errno=-2 No such entry + [16402.276179] BTRFS info (device dm-9): forced readonly + [16402.277046] BTRFS: error (device dm-9) in btrfs_replace_file_extents:2723: errno=-2 No such entry + [16402.278744] BTRFS: error (device dm-9) in __btrfs_cow_block:1074: errno=-2 No such entry + [16402.279968] BTRFS: error (device dm-9) in __btrfs_cow_block:1074: errno=-2 No such entry + [16402.280582] BTRFS info (device dm-9): balance: ended with status: -30 + +The problem here is that as soon as we allocate the new block it is +locked and marked dirty in the btree inode. This means that we could +attempt to writeback this block and need to lock the extent buffer. +However we're not unlocking it here and thus we deadlock. + +Fix this by unlocking the cow block if we have any errors inside of +__btrfs_cow_block, and also free it so we do not leak it. + +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Filipe Manana +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ctree.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -1122,6 +1122,8 @@ static noinline int __btrfs_cow_block(st + + ret = update_ref_for_cow(trans, root, buf, cow, &last_ref); + if (ret) { ++ btrfs_tree_unlock(cow); ++ free_extent_buffer(cow); + btrfs_abort_transaction(trans, ret); + return ret; + } +@@ -1129,6 +1131,8 @@ static noinline int __btrfs_cow_block(st + if (test_bit(BTRFS_ROOT_REF_COWS, &root->state)) { + ret = btrfs_reloc_cow_block(trans, root, buf, cow); + if (ret) { ++ btrfs_tree_unlock(cow); ++ free_extent_buffer(cow); + btrfs_abort_transaction(trans, ret); + return ret; + } +@@ -1160,6 +1164,8 @@ static noinline int __btrfs_cow_block(st + if (last_ref) { + ret = tree_mod_log_free_eb(root->fs_info, buf); + if (ret) { ++ btrfs_tree_unlock(cow); ++ free_extent_buffer(cow); + btrfs_abort_transaction(trans, ret); + return ret; + } diff --git a/queue-4.9/btrfs-fix-use-after-free-on-readahead-extent-after-failure-to-create-it.patch b/queue-4.9/btrfs-fix-use-after-free-on-readahead-extent-after-failure-to-create-it.patch new file mode 100644 index 00000000000..f78fc328747 --- /dev/null +++ b/queue-4.9/btrfs-fix-use-after-free-on-readahead-extent-after-failure-to-create-it.patch @@ -0,0 +1,139 @@ +From 83bc1560e02e25c6439341352024ebe8488f4fbd Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 12 Oct 2020 11:55:23 +0100 +Subject: btrfs: fix use-after-free on readahead extent after failure to create it + +From: Filipe Manana + +commit 83bc1560e02e25c6439341352024ebe8488f4fbd upstream. + +If we fail to find suitable zones for a new readahead extent, we end up +leaving a stale pointer in the global readahead extents radix tree +(fs_info->reada_tree), which can trigger the following trace later on: + + [13367.696354] BUG: kernel NULL pointer dereference, address: 00000000000000b0 + [13367.696802] #PF: supervisor read access in kernel mode + [13367.697249] #PF: error_code(0x0000) - not-present page + [13367.697721] PGD 0 P4D 0 + [13367.698171] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI + [13367.698632] CPU: 6 PID: 851214 Comm: btrfs Tainted: G W 5.9.0-rc6-btrfs-next-69 #1 + [13367.699100] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + [13367.700069] RIP: 0010:__lock_acquire+0x20a/0x3970 + [13367.700562] Code: ff 1f 0f b7 c0 48 0f (...) + [13367.701609] RSP: 0018:ffffb14448f57790 EFLAGS: 00010046 + [13367.702140] RAX: 0000000000000000 RBX: 29b935140c15e8cf RCX: 0000000000000000 + [13367.702698] RDX: 0000000000000002 RSI: ffffffffb3d66bd0 RDI: 0000000000000046 + [13367.703240] RBP: ffff8a52ba8ac040 R08: 00000c2866ad9288 R09: 0000000000000001 + [13367.703783] R10: 0000000000000001 R11: 00000000b66d9b53 R12: ffff8a52ba8ac9b0 + [13367.704330] R13: 0000000000000000 R14: ffff8a532b6333e8 R15: 0000000000000000 + [13367.704880] FS: 00007fe1df6b5700(0000) GS:ffff8a5376600000(0000) knlGS:0000000000000000 + [13367.705438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [13367.705995] CR2: 00000000000000b0 CR3: 000000022cca8004 CR4: 00000000003706e0 + [13367.706565] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [13367.707127] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [13367.707686] Call Trace: + [13367.708246] ? ___slab_alloc+0x395/0x740 + [13367.708820] ? reada_add_block+0xae/0xee0 [btrfs] + [13367.709383] lock_acquire+0xb1/0x480 + [13367.709955] ? reada_add_block+0xe0/0xee0 [btrfs] + [13367.710537] ? reada_add_block+0xae/0xee0 [btrfs] + [13367.711097] ? rcu_read_lock_sched_held+0x5d/0x90 + [13367.711659] ? kmem_cache_alloc_trace+0x8d2/0x990 + [13367.712221] ? lock_acquired+0x33b/0x470 + [13367.712784] _raw_spin_lock+0x34/0x80 + [13367.713356] ? reada_add_block+0xe0/0xee0 [btrfs] + [13367.713966] reada_add_block+0xe0/0xee0 [btrfs] + [13367.714529] ? btrfs_root_node+0x15/0x1f0 [btrfs] + [13367.715077] btrfs_reada_add+0x117/0x170 [btrfs] + [13367.715620] scrub_stripe+0x21e/0x10d0 [btrfs] + [13367.716141] ? kvm_sched_clock_read+0x5/0x10 + [13367.716657] ? __lock_acquire+0x41e/0x3970 + [13367.717184] ? scrub_chunk+0x60/0x140 [btrfs] + [13367.717697] ? find_held_lock+0x32/0x90 + [13367.718254] ? scrub_chunk+0x60/0x140 [btrfs] + [13367.718773] ? lock_acquired+0x33b/0x470 + [13367.719278] ? scrub_chunk+0xcd/0x140 [btrfs] + [13367.719786] scrub_chunk+0xcd/0x140 [btrfs] + [13367.720291] scrub_enumerate_chunks+0x270/0x5c0 [btrfs] + [13367.720787] ? finish_wait+0x90/0x90 + [13367.721281] btrfs_scrub_dev+0x1ee/0x620 [btrfs] + [13367.721762] ? rcu_read_lock_any_held+0x8e/0xb0 + [13367.722235] ? preempt_count_add+0x49/0xa0 + [13367.722710] ? __sb_start_write+0x19b/0x290 + [13367.723192] btrfs_ioctl+0x7f5/0x36f0 [btrfs] + [13367.723660] ? __fget_files+0x101/0x1d0 + [13367.724118] ? find_held_lock+0x32/0x90 + [13367.724559] ? __fget_files+0x101/0x1d0 + [13367.724982] ? __x64_sys_ioctl+0x83/0xb0 + [13367.725399] __x64_sys_ioctl+0x83/0xb0 + [13367.725802] do_syscall_64+0x33/0x80 + [13367.726188] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + [13367.726574] RIP: 0033:0x7fe1df7add87 + [13367.726948] Code: 00 00 00 48 8b 05 09 91 (...) + [13367.727763] RSP: 002b:00007fe1df6b4d48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [13367.728179] RAX: ffffffffffffffda RBX: 000055ce1fb596a0 RCX: 00007fe1df7add87 + [13367.728604] RDX: 000055ce1fb596a0 RSI: 00000000c400941b RDI: 0000000000000003 + [13367.729021] RBP: 0000000000000000 R08: 00007fe1df6b5700 R09: 0000000000000000 + [13367.729431] R10: 00007fe1df6b5700 R11: 0000000000000246 R12: 00007ffd922b07de + [13367.729842] R13: 00007ffd922b07df R14: 00007fe1df6b4e40 R15: 0000000000802000 + [13367.730275] Modules linked in: btrfs blake2b_generic xor (...) + [13367.732638] CR2: 00000000000000b0 + [13367.733166] ---[ end trace d298b6805556acd9 ]--- + +What happens is the following: + +1) At reada_find_extent() we don't find any existing readahead extent for + the metadata extent starting at logical address X; + +2) So we proceed to create a new one. We then call btrfs_map_block() to get + information about which stripes contain extent X; + +3) After that we iterate over the stripes and create only one zone for the + readahead extent - only one because reada_find_zone() returned NULL for + all iterations except for one, either because a memory allocation failed + or it couldn't find the block group of the extent (it may have just been + deleted); + +4) We then add the new readahead extent to the readahead extents radix + tree at fs_info->reada_tree; + +5) Then we iterate over each zone of the new readahead extent, and find + that the device used for that zone no longer exists, because it was + removed or it was the source device of a device replace operation. + Since this left 'have_zone' set to 0, after finishing the loop we jump + to the 'error' label, call kfree() on the new readahead extent and + return without removing it from the radix tree at fs_info->reada_tree; + +6) Any future call to reada_find_extent() for the logical address X will + find the stale pointer in the readahead extents radix tree, increment + its reference counter, which can trigger the use-after-free right + away or return it to the caller reada_add_block() that results in the + use-after-free of the example trace above. + +So fix this by making sure we delete the readahead extent from the radix +tree if we fail to setup zones for it (when 'have_zone = 0'). + +Fixes: 319450211842ba ("btrfs: reada: bypass adding extent when all zone failed") +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Johannes Thumshirn +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/reada.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/reada.c ++++ b/fs/btrfs/reada.c +@@ -456,6 +456,8 @@ static struct reada_extent *reada_find_e + } + have_zone = 1; + } ++ if (!have_zone) ++ radix_tree_delete(&fs_info->reada_tree, index); + spin_unlock(&fs_info->reada_lock); + btrfs_dev_replace_unlock(&fs_info->dev_replace, 0); + diff --git a/queue-4.9/btrfs-reschedule-if-necessary-when-logging-directory-items.patch b/queue-4.9/btrfs-reschedule-if-necessary-when-logging-directory-items.patch new file mode 100644 index 00000000000..16e0d0bf02b --- /dev/null +++ b/queue-4.9/btrfs-reschedule-if-necessary-when-logging-directory-items.patch @@ -0,0 +1,111 @@ +From bb56f02f26fe23798edb1b2175707419b28c752a Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 14 Sep 2020 15:27:50 +0100 +Subject: btrfs: reschedule if necessary when logging directory items + +From: Filipe Manana + +commit bb56f02f26fe23798edb1b2175707419b28c752a upstream. + +Logging directories with many entries can take a significant amount of +time, and in some cases monopolize a cpu/core for a long time if the +logging task doesn't happen to block often enough. + +Johannes and Lu Fengqi reported test case generic/041 triggering a soft +lockup when the kernel has CONFIG_SOFTLOCKUP_DETECTOR=y. For this test +case we log an inode with 3002 hard links, and because the test removed +one hard link before fsyncing the file, the inode logging causes the +parent directory do be logged as well, which has 6004 directory items to +log (3002 BTRFS_DIR_ITEM_KEY items plus 3002 BTRFS_DIR_INDEX_KEY items), +so it can take a significant amount of time and trigger the soft lockup. + +So just make tree-log.c:log_dir_items() reschedule when necessary, +releasing the current search path before doing so and then resume from +where it was before the reschedule. + +The stack trace produced when the soft lockup happens is the following: + +[10480.277653] watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [xfs_io:28172] +[10480.279418] Modules linked in: dm_thin_pool dm_persistent_data (...) +[10480.284915] irq event stamp: 29646366 +[10480.285987] hardirqs last enabled at (29646365): [] __slab_alloc.constprop.0+0x56/0x60 +[10480.288482] hardirqs last disabled at (29646366): [] irqentry_enter+0x1d/0x50 +[10480.290856] softirqs last enabled at (4612): [] __do_softirq+0x323/0x56c +[10480.293615] softirqs last disabled at (4483): [] asm_call_on_stack+0xf/0x20 +[10480.296428] CPU: 2 PID: 28172 Comm: xfs_io Not tainted 5.9.0-rc4-default+ #1248 +[10480.298948] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014 +[10480.302455] RIP: 0010:__slab_alloc.constprop.0+0x19/0x60 +[10480.304151] Code: 86 e8 31 75 21 00 66 66 2e 0f 1f 84 00 00 00 (...) +[10480.309558] RSP: 0018:ffffadbe09397a58 EFLAGS: 00000282 +[10480.311179] RAX: ffff8a495ab92840 RBX: 0000000000000282 RCX: 0000000000000006 +[10480.313242] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff85249b66 +[10480.315260] RBP: ffff8a497d04b740 R08: 0000000000000001 R09: 0000000000000001 +[10480.317229] R10: ffff8a497d044800 R11: ffff8a495ab93c40 R12: 0000000000000000 +[10480.319169] R13: 0000000000000000 R14: 0000000000000c40 R15: ffffffffc01daf70 +[10480.321104] FS: 00007fa1dc5c0e40(0000) GS:ffff8a497da00000(0000) knlGS:0000000000000000 +[10480.323559] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[10480.325235] CR2: 00007fa1dc5befb8 CR3: 0000000004f8a006 CR4: 0000000000170ea0 +[10480.327259] Call Trace: +[10480.328286] ? overwrite_item+0x1f0/0x5a0 [btrfs] +[10480.329784] __kmalloc+0x831/0xa20 +[10480.331009] ? btrfs_get_32+0xb0/0x1d0 [btrfs] +[10480.332464] overwrite_item+0x1f0/0x5a0 [btrfs] +[10480.333948] log_dir_items+0x2ee/0x570 [btrfs] +[10480.335413] log_directory_changes+0x82/0xd0 [btrfs] +[10480.336926] btrfs_log_inode+0xc9b/0xda0 [btrfs] +[10480.338374] ? init_once+0x20/0x20 [btrfs] +[10480.339711] btrfs_log_inode_parent+0x8d3/0xd10 [btrfs] +[10480.341257] ? dget_parent+0x97/0x2e0 +[10480.342480] btrfs_log_dentry_safe+0x3a/0x50 [btrfs] +[10480.343977] btrfs_sync_file+0x24b/0x5e0 [btrfs] +[10480.345381] do_fsync+0x38/0x70 +[10480.346483] __x64_sys_fsync+0x10/0x20 +[10480.347703] do_syscall_64+0x2d/0x70 +[10480.348891] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[10480.350444] RIP: 0033:0x7fa1dc80970b +[10480.351642] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 (...) +[10480.356952] RSP: 002b:00007fffb3d081d0 EFLAGS: 00000293 ORIG_RAX: 000000000000004a +[10480.359458] RAX: ffffffffffffffda RBX: 0000562d93d45e40 RCX: 00007fa1dc80970b +[10480.361426] RDX: 0000562d93d44ab0 RSI: 0000562d93d45e60 RDI: 0000000000000003 +[10480.363367] RBP: 0000000000000001 R08: 0000000000000000 R09: 00007fa1dc7b2a40 +[10480.365317] R10: 0000562d93d0e366 R11: 0000000000000293 R12: 0000000000000001 +[10480.367299] R13: 0000562d93d45290 R14: 0000562d93d45e40 R15: 0000562d93d45e60 + +Link: https://lore.kernel.org/linux-btrfs/20180713090216.GC575@fnst.localdomain/ +Reported-by: Johannes Thumshirn +CC: stable@vger.kernel.org # 4.4+ +Tested-by: Johannes Thumshirn +Reviewed-by: Johannes Thumshirn +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/tree-log.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3357,6 +3357,7 @@ static noinline int log_dir_items(struct + * search and this search we'll not find the key again and can just + * bail. + */ ++search: + ret = btrfs_search_slot(NULL, root, &min_key, path, 0, 0); + if (ret != 0) + goto done; +@@ -3376,6 +3377,13 @@ static noinline int log_dir_items(struct + + if (min_key.objectid != ino || min_key.type != key_type) + goto done; ++ ++ if (need_resched()) { ++ btrfs_release_path(path); ++ cond_resched(); ++ goto search; ++ } ++ + ret = overwrite_item(trans, log, dst_path, src, i, + &min_key); + if (ret) { diff --git a/queue-4.9/dmaengine-dma-jz4780-fix-race-in-jz4780_dma_tx_status.patch b/queue-4.9/dmaengine-dma-jz4780-fix-race-in-jz4780_dma_tx_status.patch new file mode 100644 index 00000000000..2ddb9c3c7cf --- /dev/null +++ b/queue-4.9/dmaengine-dma-jz4780-fix-race-in-jz4780_dma_tx_status.patch @@ -0,0 +1,57 @@ +From baf6fd97b16ea8f981b8a8b04039596f32fc2972 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Sun, 4 Oct 2020 16:03:07 +0200 +Subject: dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status + +From: Paul Cercueil + +commit baf6fd97b16ea8f981b8a8b04039596f32fc2972 upstream. + +The jz4780_dma_tx_status() function would check if a channel's cookie +state was set to 'completed', and if not, it would enter the critical +section. However, in that time frame, the jz4780_dma_chan_irq() function +was able to set the cookie to 'completed', and clear the jzchan->vchan +pointer, which was deferenced in the critical section of the first +function. + +Fix this race by checking the channel's cookie state after entering the +critical function and not before. + +Fixes: d894fc6046fe ("dmaengine: jz4780: add driver for the Ingenic JZ4780 DMA controller") +Cc: stable@vger.kernel.org # v4.0 +Signed-off-by: Paul Cercueil +Reported-by: Artur Rojek +Tested-by: Artur Rojek +Link: https://lore.kernel.org/r/20201004140307.885556-1-paul@crapouillou.net +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/dma-jz4780.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/dma/dma-jz4780.c ++++ b/drivers/dma/dma-jz4780.c +@@ -567,11 +567,11 @@ static enum dma_status jz4780_dma_tx_sta + enum dma_status status; + unsigned long flags; + ++ spin_lock_irqsave(&jzchan->vchan.lock, flags); ++ + status = dma_cookie_status(chan, cookie, txstate); + if ((status == DMA_COMPLETE) || (txstate == NULL)) +- return status; +- +- spin_lock_irqsave(&jzchan->vchan.lock, flags); ++ goto out_unlock_irqrestore; + + vdesc = vchan_find_desc(&jzchan->vchan, cookie); + if (vdesc) { +@@ -588,6 +588,7 @@ static enum dma_status jz4780_dma_tx_sta + && jzchan->desc->status & (JZ_DMA_DCS_AR | JZ_DMA_DCS_HLT)) + status = DMA_ERROR; + ++out_unlock_irqrestore: + spin_unlock_irqrestore(&jzchan->vchan.lock, flags); + return status; + } diff --git a/queue-4.9/iio-adc-ti-adc12138-fix-alignment-issue-with-timestamp.patch b/queue-4.9/iio-adc-ti-adc12138-fix-alignment-issue-with-timestamp.patch new file mode 100644 index 00000000000..bd182bb8492 --- /dev/null +++ b/queue-4.9/iio-adc-ti-adc12138-fix-alignment-issue-with-timestamp.patch @@ -0,0 +1,87 @@ +From 293e809b2e8e608b65a949101aaf7c0bd1224247 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:51:01 +0100 +Subject: iio:adc:ti-adc12138 Fix alignment issue with timestamp + +From: Jonathan Cameron + +commit 293e809b2e8e608b65a949101aaf7c0bd1224247 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. + +We move to a suitable structure in the iio_priv() data with alignment +explicitly requested. This data is allocated with kzalloc so no +data can leak apart from previous readings. Note that previously +no leak at all could occur, but previous readings should never +be a problem. + +In this case the timestamp location depends on what other channels +are enabled. As such we can't use a structure without misleading +by suggesting only one possible timestamp location. + +Fixes: 50a6edb1b6e0 ("iio: adc: add ADC12130/ADC12132/ADC12138 ADC driver") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Cc: Akinobu Mita +Cc: +Link: https://lore.kernel.org/r/20200722155103.979802-26-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti-adc12138.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/iio/adc/ti-adc12138.c ++++ b/drivers/iio/adc/ti-adc12138.c +@@ -50,6 +50,12 @@ struct adc12138 { + struct completion complete; + /* The number of cclk periods for the S/H's acquisition time */ + unsigned int acquisition_time; ++ /* ++ * Maximum size needed: 16x 2 bytes ADC data + 8 bytes timestamp. ++ * Less may be need if not all channels are enabled, as long as ++ * the 8 byte alignment of the timestamp is maintained. ++ */ ++ __be16 data[20] __aligned(8); + + u8 tx_buf[2] ____cacheline_aligned; + u8 rx_buf[2]; +@@ -333,7 +339,6 @@ static irqreturn_t adc12138_trigger_hand + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct adc12138 *adc = iio_priv(indio_dev); +- __be16 data[20] = { }; /* 16x 2 bytes ADC data + 8 bytes timestamp */ + __be16 trash; + int ret; + int scan_index; +@@ -349,7 +354,7 @@ static irqreturn_t adc12138_trigger_hand + reinit_completion(&adc->complete); + + ret = adc12138_start_and_read_conv(adc, scan_chan, +- i ? &data[i - 1] : &trash); ++ i ? &adc->data[i - 1] : &trash); + if (ret) { + dev_warn(&adc->spi->dev, + "failed to start conversion\n"); +@@ -366,7 +371,7 @@ static irqreturn_t adc12138_trigger_hand + } + + if (i) { +- ret = adc12138_read_conv_data(adc, &data[i - 1]); ++ ret = adc12138_read_conv_data(adc, &adc->data[i - 1]); + if (ret) { + dev_warn(&adc->spi->dev, + "failed to get conversion data\n"); +@@ -374,7 +379,7 @@ static irqreturn_t adc12138_trigger_hand + } + } + +- iio_push_to_buffers_with_timestamp(indio_dev, data, ++ iio_push_to_buffers_with_timestamp(indio_dev, adc->data, + iio_get_time_ns(indio_dev)); + out: + mutex_unlock(&adc->lock); diff --git a/queue-4.9/iio-gyro-itg3200-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-4.9/iio-gyro-itg3200-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..16dbd69b521 --- /dev/null +++ b/queue-4.9/iio-gyro-itg3200-fix-timestamp-alignment-and-prevent-data-leak.patch @@ -0,0 +1,60 @@ +From 10ab7cfd5522f0041028556dac864a003e158556 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:50:41 +0100 +Subject: iio:gyro:itg3200: Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit 10ab7cfd5522f0041028556dac864a003e158556 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses a 16 byte array of smaller elements on the stack. +This is fixed by using an explicit c structure. As there are no +holes in the structure, there is no possiblity of data leakage +in this case. + +The explicit alignment of ts is not strictly necessary but potentially +makes the code slightly less fragile. It also removes the possibility +of this being cut and paste into another driver where the alignment +isn't already true. + +Fixes: 36e0371e7764 ("iio:itg3200: Use iio_push_to_buffers_with_timestamp()") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Cc: +Link: https://lore.kernel.org/r/20200722155103.979802-6-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/gyro/itg3200_buffer.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/iio/gyro/itg3200_buffer.c ++++ b/drivers/iio/gyro/itg3200_buffer.c +@@ -49,13 +49,20 @@ static irqreturn_t itg3200_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct itg3200 *st = iio_priv(indio_dev); +- __be16 buf[ITG3200_SCAN_ELEMENTS + sizeof(s64)/sizeof(u16)]; ++ /* ++ * Ensure correct alignment and padding including for the ++ * timestamp that may be inserted. ++ */ ++ struct { ++ __be16 buf[ITG3200_SCAN_ELEMENTS]; ++ s64 ts __aligned(8); ++ } scan; + +- int ret = itg3200_read_all_channels(st->i2c, buf); ++ int ret = itg3200_read_all_channels(st->i2c, scan.buf); + if (ret < 0) + goto error_ret; + +- iio_push_to_buffers_with_timestamp(indio_dev, buf, pf->timestamp); ++ iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp); + + iio_trigger_notify_done(indio_dev->trig); + diff --git a/queue-4.9/iio-light-si1145-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-4.9/iio-light-si1145-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..dfaae0b638c --- /dev/null +++ b/queue-4.9/iio-light-si1145-fix-timestamp-alignment-and-prevent-data-leak.patch @@ -0,0 +1,94 @@ +From 0456ecf34d466261970e0ff92b2b9c78a4908637 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:50:44 +0100 +Subject: iio:light:si1145: Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit 0456ecf34d466261970e0ff92b2b9c78a4908637 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses a 24 byte array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable array in the iio_priv() data with alignment +explicitly requested. This data is allocated with kzalloc so no +data can leak appart from previous readings. + +Depending on the enabled channels, the location of the timestamp +can be at various aligned offsets through the buffer. As such we +any use of a structure to enforce this alignment would incorrectly +suggest a single location for the timestamp. Comments adjusted to +express this clearly in the code. + +Fixes: ac45e57f1590 ("iio: light: Add driver for Silabs si1132, si1141/2/3 and si1145/6/7 ambient light, uv index and proximity sensors") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Cc: Peter Meerwald-Stadler +Cc: +Link: https://lore.kernel.org/r/20200722155103.979802-9-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/si1145.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/drivers/iio/light/si1145.c ++++ b/drivers/iio/light/si1145.c +@@ -172,6 +172,7 @@ struct si1145_part_info { + * @part_info: Part information + * @trig: Pointer to iio trigger + * @meas_rate: Value of MEAS_RATE register. Only set in HW in auto mode ++ * @buffer: Used to pack data read from sensor. + */ + struct si1145_data { + struct i2c_client *client; +@@ -183,6 +184,14 @@ struct si1145_data { + bool autonomous; + struct iio_trigger *trig; + int meas_rate; ++ /* ++ * Ensure timestamp will be naturally aligned if present. ++ * Maximum buffer size (may be only partly used if not all ++ * channels are enabled): ++ * 6*2 bytes channels data + 4 bytes alignment + ++ * 8 bytes timestamp ++ */ ++ u8 buffer[24] __aligned(8); + }; + + /** +@@ -444,12 +453,6 @@ static irqreturn_t si1145_trigger_handle + struct iio_poll_func *pf = private; + struct iio_dev *indio_dev = pf->indio_dev; + struct si1145_data *data = iio_priv(indio_dev); +- /* +- * Maximum buffer size: +- * 6*2 bytes channels data + 4 bytes alignment + +- * 8 bytes timestamp +- */ +- u8 buffer[24]; + int i, j = 0; + int ret; + u8 irq_status = 0; +@@ -482,7 +485,7 @@ static irqreturn_t si1145_trigger_handle + + ret = i2c_smbus_read_i2c_block_data_or_emulated( + data->client, indio_dev->channels[i].address, +- sizeof(u16) * run, &buffer[j]); ++ sizeof(u16) * run, &data->buffer[j]); + if (ret < 0) + goto done; + j += run * sizeof(u16); +@@ -497,7 +500,7 @@ static irqreturn_t si1145_trigger_handle + goto done; + } + +- iio_push_to_buffers_with_timestamp(indio_dev, buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, + iio_get_time_ns(indio_dev)); + + done: diff --git a/queue-4.9/powerpc-powernv-elog-fix-race-while-processing-opal-error-log-event.patch b/queue-4.9/powerpc-powernv-elog-fix-race-while-processing-opal-error-log-event.patch new file mode 100644 index 00000000000..200285f5831 --- /dev/null +++ b/queue-4.9/powerpc-powernv-elog-fix-race-while-processing-opal-error-log-event.patch @@ -0,0 +1,128 @@ +From aea948bb80b478ddc2448f7359d574387521a52d Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Tue, 6 Oct 2020 13:02:18 +0530 +Subject: powerpc/powernv/elog: Fix race while processing OPAL error log event. + +From: Mahesh Salgaonkar + +commit aea948bb80b478ddc2448f7359d574387521a52d upstream. + +Every error log reported by OPAL is exported to userspace through a +sysfs interface and notified using kobject_uevent(). The userspace +daemon (opal_errd) then reads the error log and acknowledges the error +log is saved safely to disk. Once acknowledged the kernel removes the +respective sysfs file entry causing respective resources to be +released including kobject. + +However it's possible the userspace daemon may already be scanning +elog entries when a new sysfs elog entry is created by the kernel. +User daemon may read this new entry and ack it even before kernel can +notify userspace about it through kobject_uevent() call. If that +happens then we have a potential race between +elog_ack_store->kobject_put() and kobject_uevent which can lead to +use-after-free of a kernfs object resulting in a kernel crash. eg: + + BUG: Unable to handle kernel data access on read at 0x6b6b6b6b6b6b6bfb + Faulting instruction address: 0xc0000000008ff2a0 + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV + CPU: 27 PID: 805 Comm: irq/29-opal-elo Not tainted 5.9.0-rc2-gcc-8.2.0-00214-g6f56a67bcbb5-dirty #363 + ... + NIP kobject_uevent_env+0xa0/0x910 + LR elog_event+0x1f4/0x2d0 + Call Trace: + 0x5deadbeef0000122 (unreliable) + elog_event+0x1f4/0x2d0 + irq_thread_fn+0x4c/0xc0 + irq_thread+0x1c0/0x2b0 + kthread+0x1c4/0x1d0 + ret_from_kernel_thread+0x5c/0x6c + +This patch fixes this race by protecting the sysfs file +creation/notification by holding a reference count on kobject until we +safely send kobject_uevent(). + +The function create_elog_obj() returns the elog object which if used +by caller function will end up in use-after-free problem again. +However, the return value of create_elog_obj() function isn't being +used today and there is no need as well. Hence change it to return +void to make this fix complete. + +Fixes: 774fea1a38c6 ("powerpc/powernv: Read OPAL error log and export it through sysfs") +Cc: stable@vger.kernel.org # v3.15+ +Reported-by: Oliver O'Halloran +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Aneesh Kumar K.V +Reviewed-by: Oliver O'Halloran +Reviewed-by: Vasant Hegde +[mpe: Rework the logic to use a single return, reword comments, add oops] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201006122051.190176-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/opal-elog.c | 33 ++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +--- a/arch/powerpc/platforms/powernv/opal-elog.c ++++ b/arch/powerpc/platforms/powernv/opal-elog.c +@@ -183,14 +183,14 @@ static ssize_t raw_attr_read(struct file + return count; + } + +-static struct elog_obj *create_elog_obj(uint64_t id, size_t size, uint64_t type) ++static void create_elog_obj(uint64_t id, size_t size, uint64_t type) + { + struct elog_obj *elog; + int rc; + + elog = kzalloc(sizeof(*elog), GFP_KERNEL); + if (!elog) +- return NULL; ++ return; + + elog->kobj.kset = elog_kset; + +@@ -223,18 +223,37 @@ static struct elog_obj *create_elog_obj( + rc = kobject_add(&elog->kobj, NULL, "0x%llx", id); + if (rc) { + kobject_put(&elog->kobj); +- return NULL; ++ return; + } + ++ /* ++ * As soon as the sysfs file for this elog is created/activated there is ++ * a chance the opal_errd daemon (or any userspace) might read and ++ * acknowledge the elog before kobject_uevent() is called. If that ++ * happens then there is a potential race between ++ * elog_ack_store->kobject_put() and kobject_uevent() which leads to a ++ * use-after-free of a kernfs object resulting in a kernel crash. ++ * ++ * To avoid that, we need to take a reference on behalf of the bin file, ++ * so that our reference remains valid while we call kobject_uevent(). ++ * We then drop our reference before exiting the function, leaving the ++ * bin file to drop the last reference (if it hasn't already). ++ */ ++ ++ /* Take a reference for the bin file */ ++ kobject_get(&elog->kobj); + rc = sysfs_create_bin_file(&elog->kobj, &elog->raw_attr); +- if (rc) { ++ if (rc == 0) { ++ kobject_uevent(&elog->kobj, KOBJ_ADD); ++ } else { ++ /* Drop the reference taken for the bin file */ + kobject_put(&elog->kobj); +- return NULL; + } + +- kobject_uevent(&elog->kobj, KOBJ_ADD); ++ /* Drop our reference */ ++ kobject_put(&elog->kobj); + +- return elog; ++ return; + } + + static irqreturn_t elog_event(int irq, void *data) diff --git a/queue-4.9/powerpc-warn-about-use-of-smt_snooze_delay.patch b/queue-4.9/powerpc-warn-about-use-of-smt_snooze_delay.patch new file mode 100644 index 00000000000..74de5dc9f64 --- /dev/null +++ b/queue-4.9/powerpc-warn-about-use-of-smt_snooze_delay.patch @@ -0,0 +1,104 @@ +From a02f6d42357acf6e5de6ffc728e6e77faf3ad217 Mon Sep 17 00:00:00 2001 +From: Joel Stanley +Date: Wed, 2 Sep 2020 09:30:11 +0930 +Subject: powerpc: Warn about use of smt_snooze_delay + +From: Joel Stanley + +commit a02f6d42357acf6e5de6ffc728e6e77faf3ad217 upstream. + +It's not done anything for a long time. Save the percpu variable, and +emit a warning to remind users to not expect it to do anything. + +This uses pr_warn_once instead of pr_warn_ratelimit as testing +'ppc64_cpu --smt=off' on a 24 core / 4 SMT system showed the warning +to be noisy, as the online/offline loop is slow. + +Fixes: 3fa8cad82b94 ("powerpc/pseries/cpuidle: smt-snooze-delay cleanup.") +Cc: stable@vger.kernel.org # v3.14 +Signed-off-by: Joel Stanley +Acked-by: Gautham R. Shenoy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200902000012.3440389-1-joel@jms.id.au +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/sysfs.c | 42 +++++++++++++++++------------------------- + 1 file changed, 17 insertions(+), 25 deletions(-) + +--- a/arch/powerpc/kernel/sysfs.c ++++ b/arch/powerpc/kernel/sysfs.c +@@ -28,29 +28,27 @@ + + static DEFINE_PER_CPU(struct cpu, cpu_devices); + +-/* +- * SMT snooze delay stuff, 64-bit only for now +- */ +- + #ifdef CONFIG_PPC64 + +-/* Time in microseconds we delay before sleeping in the idle loop */ +-static DEFINE_PER_CPU(long, smt_snooze_delay) = { 100 }; ++/* ++ * Snooze delay has not been hooked up since 3fa8cad82b94 ("powerpc/pseries/cpuidle: ++ * smt-snooze-delay cleanup.") and has been broken even longer. As was foretold in ++ * 2014: ++ * ++ * "ppc64_util currently utilises it. Once we fix ppc64_util, propose to clean ++ * up the kernel code." ++ * ++ * powerpc-utils stopped using it as of 1.3.8. At some point in the future this ++ * code should be removed. ++ */ + + static ssize_t store_smt_snooze_delay(struct device *dev, + struct device_attribute *attr, + const char *buf, + size_t count) + { +- struct cpu *cpu = container_of(dev, struct cpu, dev); +- ssize_t ret; +- long snooze; +- +- ret = sscanf(buf, "%ld", &snooze); +- if (ret != 1) +- return -EINVAL; +- +- per_cpu(smt_snooze_delay, cpu->dev.id) = snooze; ++ pr_warn_once("%s (%d) stored to unsupported smt_snooze_delay, which has no effect.\n", ++ current->comm, current->pid); + return count; + } + +@@ -58,9 +56,9 @@ static ssize_t show_smt_snooze_delay(str + struct device_attribute *attr, + char *buf) + { +- struct cpu *cpu = container_of(dev, struct cpu, dev); +- +- return sprintf(buf, "%ld\n", per_cpu(smt_snooze_delay, cpu->dev.id)); ++ pr_warn_once("%s (%d) read from unsupported smt_snooze_delay\n", ++ current->comm, current->pid); ++ return sprintf(buf, "100\n"); + } + + static DEVICE_ATTR(smt_snooze_delay, 0644, show_smt_snooze_delay, +@@ -68,16 +66,10 @@ static DEVICE_ATTR(smt_snooze_delay, 064 + + static int __init setup_smt_snooze_delay(char *str) + { +- unsigned int cpu; +- long snooze; +- + if (!cpu_has_feature(CPU_FTR_SMT)) + return 1; + +- snooze = simple_strtol(str, NULL, 10); +- for_each_possible_cpu(cpu) +- per_cpu(smt_snooze_delay, cpu) = snooze; +- ++ pr_warn("smt-snooze-delay command line option has no effect\n"); + return 1; + } + __setup("smt-snooze-delay=", setup_smt_snooze_delay); diff --git a/queue-4.9/scsi-mptfusion-fix-null-pointer-dereferences-in-mptscsih_remove.patch b/queue-4.9/scsi-mptfusion-fix-null-pointer-dereferences-in-mptscsih_remove.patch new file mode 100644 index 00000000000..326713c3dc9 --- /dev/null +++ b/queue-4.9/scsi-mptfusion-fix-null-pointer-dereferences-in-mptscsih_remove.patch @@ -0,0 +1,77 @@ +From 2f4843b172c2c0360ee7792ad98025fae7baefde Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Thu, 22 Oct 2020 11:00:05 +0200 +Subject: scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove() + +From: Helge Deller + +commit 2f4843b172c2c0360ee7792ad98025fae7baefde upstream. + +The mptscsih_remove() function triggers a kernel oops if the Scsi_Host +pointer (ioc->sh) is NULL, as can be seen in this syslog: + + ioc0: LSI53C1030 B2: Capabilities={Initiator,Target} + Begin: Waiting for root file system ... + scsi host2: error handler thread failed to spawn, error = -4 + mptspi: ioc0: WARNING - Unable to register controller with SCSI subsystem + Backtrace: + [<000000001045b7cc>] mptspi_probe+0x248/0x3d0 [mptspi] + [<0000000040946470>] pci_device_probe+0x1ac/0x2d8 + [<0000000040add668>] really_probe+0x1bc/0x988 + [<0000000040ade704>] driver_probe_device+0x160/0x218 + [<0000000040adee24>] device_driver_attach+0x160/0x188 + [<0000000040adef90>] __driver_attach+0x144/0x320 + [<0000000040ad7c78>] bus_for_each_dev+0xd4/0x158 + [<0000000040adc138>] driver_attach+0x4c/0x80 + [<0000000040adb3ec>] bus_add_driver+0x3e0/0x498 + [<0000000040ae0130>] driver_register+0xf4/0x298 + [<00000000409450c4>] __pci_register_driver+0x78/0xa8 + [<000000000007d248>] mptspi_init+0x18c/0x1c4 [mptspi] + +This patch adds the necessary NULL-pointer checks. Successfully tested on +a HP C8000 parisc workstation with buggy SCSI drives. + +Link: https://lore.kernel.org/r/20201022090005.GA9000@ls3530.fritz.box +Cc: +Signed-off-by: Helge Deller +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/message/fusion/mptscsih.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/message/fusion/mptscsih.c ++++ b/drivers/message/fusion/mptscsih.c +@@ -1176,8 +1176,10 @@ mptscsih_remove(struct pci_dev *pdev) + + scsi_remove_host(host); + +- if((hd = shost_priv(host)) == NULL) +- return; ++ if (host == NULL) ++ hd = NULL; ++ else ++ hd = shost_priv(host); + + mptscsih_shutdown(pdev); + +@@ -1193,14 +1195,15 @@ mptscsih_remove(struct pci_dev *pdev) + "Free'd ScsiLookup (%d) memory\n", + ioc->name, sz1)); + +- kfree(hd->info_kbuf); ++ if (hd) ++ kfree(hd->info_kbuf); + + /* NULL the Scsi_Host pointer + */ + ioc->sh = NULL; + +- scsi_host_put(host); +- ++ if (host) ++ scsi_host_put(host); + mpt_detach(pdev); + + } diff --git a/queue-4.9/series b/queue-4.9/series index bd4c5179f1e..0779522011f 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -53,3 +53,19 @@ acpi-video-use-acpi-backlight-for-hp-635-notebook.patch acpi-debug-don-t-allow-debugging-when-acpi-is-disabled.patch acpi-cpufreq-honor-_psd-table-setting-on-new-amd-cpus.patch w1-mxc_w1-fix-timeout-resolution-problem-leading-to-bus-error.patch +scsi-mptfusion-fix-null-pointer-dereferences-in-mptscsih_remove.patch +btrfs-reschedule-if-necessary-when-logging-directory-items.patch +btrfs-cleanup-cow-block-on-error.patch +btrfs-fix-use-after-free-on-readahead-extent-after-failure-to-create-it.patch +usb-dwc3-core-add-phy-cleanup-for-probe-error-handling.patch +usb-dwc3-core-don-t-trigger-runtime-pm-when-remove-driver.patch +usb-host-fsl-mph-dr-of-check-return-of-dma_set_mask.patch +vt-keyboard-simplify-vt_kdgkbsent.patch +vt-keyboard-extend-func_buf_lock-to-readers.patch +dmaengine-dma-jz4780-fix-race-in-jz4780_dma_tx_status.patch +iio-light-si1145-fix-timestamp-alignment-and-prevent-data-leak.patch +iio-adc-ti-adc12138-fix-alignment-issue-with-timestamp.patch +iio-gyro-itg3200-fix-timestamp-alignment-and-prevent-data-leak.patch +powerpc-warn-about-use-of-smt_snooze_delay.patch +powerpc-powernv-elog-fix-race-while-processing-opal-error-log-event.patch +ubifs-dent-fix-some-potential-memory-leaks-while-iterating-entries.patch diff --git a/queue-4.9/ubifs-dent-fix-some-potential-memory-leaks-while-iterating-entries.patch b/queue-4.9/ubifs-dent-fix-some-potential-memory-leaks-while-iterating-entries.patch new file mode 100644 index 00000000000..4406305a8a5 --- /dev/null +++ b/queue-4.9/ubifs-dent-fix-some-potential-memory-leaks-while-iterating-entries.patch @@ -0,0 +1,33 @@ +From 58f6e78a65f1fcbf732f60a7478ccc99873ff3ba Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Mon, 1 Jun 2020 17:10:37 +0800 +Subject: ubifs: dent: Fix some potential memory leaks while iterating entries + +From: Zhihao Cheng + +commit 58f6e78a65f1fcbf732f60a7478ccc99873ff3ba upstream. + +Fix some potential memory leaks in error handling branches while +iterating dent entries. For example, function dbg_check_dir() +forgets to free pdent if it exists. + +Signed-off-by: Zhihao Cheng +Cc: +Fixes: 1e51764a3c2ac05a2 ("UBIFS: add new flash file system") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/debug.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ubifs/debug.c ++++ b/fs/ubifs/debug.c +@@ -1125,6 +1125,7 @@ int dbg_check_dir(struct ubifs_info *c, + err = PTR_ERR(dent); + if (err == -ENOENT) + break; ++ kfree(pdent); + return err; + } + diff --git a/queue-4.9/usb-dwc3-core-add-phy-cleanup-for-probe-error-handling.patch b/queue-4.9/usb-dwc3-core-add-phy-cleanup-for-probe-error-handling.patch new file mode 100644 index 00000000000..43de77b31c7 --- /dev/null +++ b/queue-4.9/usb-dwc3-core-add-phy-cleanup-for-probe-error-handling.patch @@ -0,0 +1,42 @@ +From 03c1fd622f72c7624c81b64fdba4a567ae5ee9cb Mon Sep 17 00:00:00 2001 +From: Li Jun +Date: Tue, 28 Jul 2020 20:42:41 +0800 +Subject: usb: dwc3: core: add phy cleanup for probe error handling + +From: Li Jun + +commit 03c1fd622f72c7624c81b64fdba4a567ae5ee9cb upstream. + +Add the phy cleanup if dwc3 mode init fail, which is the missing part of +de-init for dwc3 core init. + +Fixes: c499ff71ff2a ("usb: dwc3: core: re-factor init and exit paths") +Cc: +Signed-off-by: Li Jun +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1148,6 +1148,17 @@ static int dwc3_probe(struct platform_de + + err5: + dwc3_event_buffers_cleanup(dwc); ++ ++ usb_phy_shutdown(dwc->usb2_phy); ++ usb_phy_shutdown(dwc->usb3_phy); ++ phy_exit(dwc->usb2_generic_phy); ++ phy_exit(dwc->usb3_generic_phy); ++ ++ usb_phy_set_suspend(dwc->usb2_phy, 1); ++ usb_phy_set_suspend(dwc->usb3_phy, 1); ++ phy_power_off(dwc->usb2_generic_phy); ++ phy_power_off(dwc->usb3_generic_phy); ++ + dwc3_ulpi_exit(dwc); + + err4: diff --git a/queue-4.9/usb-dwc3-core-don-t-trigger-runtime-pm-when-remove-driver.patch b/queue-4.9/usb-dwc3-core-don-t-trigger-runtime-pm-when-remove-driver.patch new file mode 100644 index 00000000000..29f0605466e --- /dev/null +++ b/queue-4.9/usb-dwc3-core-don-t-trigger-runtime-pm-when-remove-driver.patch @@ -0,0 +1,106 @@ +From 266d0493900ac5d6a21cdbe6b1624ed2da94d47a Mon Sep 17 00:00:00 2001 +From: Li Jun +Date: Tue, 28 Jul 2020 20:42:40 +0800 +Subject: usb: dwc3: core: don't trigger runtime pm when remove driver + +From: Li Jun + +commit 266d0493900ac5d6a21cdbe6b1624ed2da94d47a upstream. + +No need to trigger runtime pm in driver removal, otherwise if user +disable auto suspend via sys file, runtime suspend may be entered, +which will call dwc3_core_exit() again and there will be clock disable +not balance warning: + +[ 2026.820154] xhci-hcd xhci-hcd.0.auto: remove, state 4 +[ 2026.825268] usb usb2: USB disconnect, device number 1 +[ 2026.831017] xhci-hcd xhci-hcd.0.auto: USB bus 2 deregistered +[ 2026.836806] xhci-hcd xhci-hcd.0.auto: remove, state 4 +[ 2026.842029] usb usb1: USB disconnect, device number 1 +[ 2026.848029] xhci-hcd xhci-hcd.0.auto: USB bus 1 deregistered +[ 2026.865889] ------------[ cut here ]------------ +[ 2026.870506] usb2_ctrl_root_clk already disabled +[ 2026.875082] WARNING: CPU: 0 PID: 731 at drivers/clk/clk.c:958 +clk_core_disable+0xa0/0xa8 +[ 2026.883170] Modules linked in: dwc3(-) phy_fsl_imx8mq_usb [last +unloaded: dwc3] +[ 2026.890488] CPU: 0 PID: 731 Comm: rmmod Not tainted +5.8.0-rc7-00280-g9d08cca-dirty #245 +[ 2026.898489] Hardware name: NXP i.MX8MQ EVK (DT) +[ 2026.903020] pstate: 20000085 (nzCv daIf -PAN -UAO BTYPE=--) +[ 2026.908594] pc : clk_core_disable+0xa0/0xa8 +[ 2026.912777] lr : clk_core_disable+0xa0/0xa8 +[ 2026.916958] sp : ffff8000121b39a0 +[ 2026.920271] x29: ffff8000121b39a0 x28: ffff0000b11f3700 +[ 2026.925583] x27: 0000000000000000 x26: ffff0000b539c700 +[ 2026.930895] x25: 000001d7e44e1232 x24: ffff0000b76fa800 +[ 2026.936208] x23: ffff0000b76fa6f8 x22: ffff800008d01040 +[ 2026.941520] x21: ffff0000b539ce00 x20: ffff0000b7105000 +[ 2026.946832] x19: ffff0000b7105000 x18: 0000000000000010 +[ 2026.952144] x17: 0000000000000001 x16: 0000000000000000 +[ 2026.957456] x15: ffff0000b11f3b70 x14: ffffffffffffffff +[ 2026.962768] x13: ffff8000921b36f7 x12: ffff8000121b36ff +[ 2026.968080] x11: ffff8000119e1000 x10: ffff800011bf26d0 +[ 2026.973392] x9 : 0000000000000000 x8 : ffff800011bf3000 +[ 2026.978704] x7 : ffff800010695d68 x6 : 0000000000000252 +[ 2026.984016] x5 : ffff0000bb9881f0 x4 : 0000000000000000 +[ 2026.989327] x3 : 0000000000000027 x2 : 0000000000000023 +[ 2026.994639] x1 : ac2fa471aa7cab00 x0 : 0000000000000000 +[ 2026.999951] Call trace: +[ 2027.002401] clk_core_disable+0xa0/0xa8 +[ 2027.006238] clk_core_disable_lock+0x20/0x38 +[ 2027.010508] clk_disable+0x1c/0x28 +[ 2027.013911] clk_bulk_disable+0x34/0x50 +[ 2027.017758] dwc3_core_exit+0xec/0x110 [dwc3] +[ 2027.022122] dwc3_suspend_common+0x84/0x188 [dwc3] +[ 2027.026919] dwc3_runtime_suspend+0x74/0x9c [dwc3] +[ 2027.031712] pm_generic_runtime_suspend+0x28/0x40 +[ 2027.036419] genpd_runtime_suspend+0xa0/0x258 +[ 2027.040777] __rpm_callback+0x88/0x140 +[ 2027.044526] rpm_callback+0x20/0x80 +[ 2027.048015] rpm_suspend+0xd0/0x418 +[ 2027.051503] __pm_runtime_suspend+0x58/0xa0 +[ 2027.055693] dwc3_runtime_idle+0x7c/0x90 [dwc3] +[ 2027.060224] __rpm_callback+0x88/0x140 +[ 2027.063973] rpm_idle+0x78/0x150 +[ 2027.067201] __pm_runtime_idle+0x58/0xa0 +[ 2027.071130] dwc3_remove+0x64/0xc0 [dwc3] +[ 2027.075140] platform_drv_remove+0x28/0x48 +[ 2027.079239] device_release_driver_internal+0xf4/0x1c0 +[ 2027.084377] driver_detach+0x4c/0xd8 +[ 2027.087954] bus_remove_driver+0x54/0xa8 +[ 2027.091877] driver_unregister+0x2c/0x58 +[ 2027.095799] platform_driver_unregister+0x10/0x18 +[ 2027.100509] dwc3_driver_exit+0x14/0x1408 [dwc3] +[ 2027.105129] __arm64_sys_delete_module+0x178/0x218 +[ 2027.109922] el0_svc_common.constprop.0+0x68/0x160 +[ 2027.114714] do_el0_svc+0x20/0x80 +[ 2027.118031] el0_sync_handler+0x88/0x190 +[ 2027.121953] el0_sync+0x140/0x180 +[ 2027.125267] ---[ end trace 027f4f8189958f1f ]--- +[ 2027.129976] ------------[ cut here ]------------ + +Fixes: fc8bb91bc83e ("usb: dwc3: implement runtime PM") +Cc: +Signed-off-by: Li Jun +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1205,9 +1205,9 @@ static int dwc3_remove(struct platform_d + dwc3_core_exit(dwc); + dwc3_ulpi_exit(dwc); + +- pm_runtime_put_sync(&pdev->dev); +- pm_runtime_allow(&pdev->dev); + pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); + + dwc3_free_event_buffers(dwc); + dwc3_free_scratch_buffers(dwc); diff --git a/queue-4.9/usb-host-fsl-mph-dr-of-check-return-of-dma_set_mask.patch b/queue-4.9/usb-host-fsl-mph-dr-of-check-return-of-dma_set_mask.patch new file mode 100644 index 00000000000..c7989045634 --- /dev/null +++ b/queue-4.9/usb-host-fsl-mph-dr-of-check-return-of-dma_set_mask.patch @@ -0,0 +1,42 @@ +From 3cd54a618834430a26a648d880dd83d740f2ae30 Mon Sep 17 00:00:00 2001 +From: Ran Wang +Date: Sat, 10 Oct 2020 14:03:08 +0800 +Subject: usb: host: fsl-mph-dr-of: check return of dma_set_mask() + +From: Ran Wang + +commit 3cd54a618834430a26a648d880dd83d740f2ae30 upstream. + +fsl_usb2_device_register() should stop init if dma_set_mask() return +error. + +Fixes: cae058610465 ("drivers/usb/host: fsl: Set DMA_MASK of usb platform device") +Reviewed-by: Peter Chen +Signed-off-by: Ran Wang +Link: https://lore.kernel.org/r/20201010060308.33693-1-ran.wang_1@nxp.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/fsl-mph-dr-of.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/fsl-mph-dr-of.c ++++ b/drivers/usb/host/fsl-mph-dr-of.c +@@ -98,10 +98,13 @@ static struct platform_device *fsl_usb2_ + + pdev->dev.coherent_dma_mask = ofdev->dev.coherent_dma_mask; + +- if (!pdev->dev.dma_mask) ++ if (!pdev->dev.dma_mask) { + pdev->dev.dma_mask = &ofdev->dev.coherent_dma_mask; +- else +- dma_set_mask(&pdev->dev, DMA_BIT_MASK(32)); ++ } else { ++ retval = dma_set_mask(&pdev->dev, DMA_BIT_MASK(32)); ++ if (retval) ++ goto error; ++ } + + retval = platform_device_add_data(pdev, pdata, sizeof(*pdata)); + if (retval) diff --git a/queue-4.9/vt-keyboard-extend-func_buf_lock-to-readers.patch b/queue-4.9/vt-keyboard-extend-func_buf_lock-to-readers.patch new file mode 100644 index 00000000000..6b6cb45a1ca --- /dev/null +++ b/queue-4.9/vt-keyboard-extend-func_buf_lock-to-readers.patch @@ -0,0 +1,94 @@ +From 82e61c3909db51d91b9d3e2071557b6435018b80 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 19 Oct 2020 10:55:17 +0200 +Subject: vt: keyboard, extend func_buf_lock to readers + +From: Jiri Slaby + +commit 82e61c3909db51d91b9d3e2071557b6435018b80 upstream. + +Both read-side users of func_table/func_buf need locking. Without that, +one can easily confuse the code by repeatedly setting altering strings +like: +while (1) + for (a = 0; a < 2; a++) { + struct kbsentry kbs = {}; + strcpy((char *)kbs.kb_string, a ? ".\n" : "88888\n"); + ioctl(fd, KDSKBSENT, &kbs); + } + +When that program runs, one can get unexpected output by holding F1 +(note the unxpected period on the last line): +. +88888 +.8888 + +So protect all accesses to 'func_table' (and func_buf) by preexisting +'func_buf_lock'. + +It is easy in 'k_fn' handler as 'puts_queue' is expected not to sleep. +On the other hand, KDGKBSENT needs a local (atomic) copy of the string +because copy_to_user can sleep. Use already allocated, but unused +'kbs->kb_string' for that purpose. + +Note that the program above needs at least CAP_SYS_TTY_CONFIG. + +This depends on the previous patch and on the func_buf_lock lock added +in commit 46ca3f735f34 (tty/vt: fix write/write race in ioctl(KDSKBSENT) +handler) in 5.2. + +Likely fixes CVE-2020-25656. + +Cc: +Reported-by: Minh Yuan +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20201019085517.10176-2-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/keyboard.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -712,8 +712,13 @@ static void k_fn(struct vc_data *vc, uns + return; + + if ((unsigned)value < ARRAY_SIZE(func_table)) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&func_buf_lock, flags); + if (func_table[value]) + puts_queue(vc, func_table[value]); ++ spin_unlock_irqrestore(&func_buf_lock, flags); ++ + } else + pr_err("k_fn called with value=%d\n", value); + } +@@ -1959,7 +1964,7 @@ out: + #undef s + #undef v + +-/* FIXME: This one needs untangling and locking */ ++/* FIXME: This one needs untangling */ + int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) + { + struct kbsentry *kbs; +@@ -1991,10 +1996,14 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + switch (cmd) { + case KDGKBSENT: { + /* size should have been a struct member */ +- unsigned char *from = func_table[i] ? : ""; ++ ssize_t len = sizeof(user_kdgkb->kb_string); ++ ++ spin_lock_irqsave(&func_buf_lock, flags); ++ len = strlcpy(kbs->kb_string, func_table[i] ? : "", len); ++ spin_unlock_irqrestore(&func_buf_lock, flags); + +- ret = copy_to_user(user_kdgkb->kb_string, from, +- strlen(from) + 1) ? -EFAULT : 0; ++ ret = copy_to_user(user_kdgkb->kb_string, kbs->kb_string, ++ len + 1) ? -EFAULT : 0; + + goto reterr; + } diff --git a/queue-4.9/vt-keyboard-simplify-vt_kdgkbsent.patch b/queue-4.9/vt-keyboard-simplify-vt_kdgkbsent.patch new file mode 100644 index 00000000000..41dbd79d6f4 --- /dev/null +++ b/queue-4.9/vt-keyboard-simplify-vt_kdgkbsent.patch @@ -0,0 +1,73 @@ +From 6ca03f90527e499dd5e32d6522909e2ad390896b Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 19 Oct 2020 10:55:16 +0200 +Subject: vt: keyboard, simplify vt_kdgkbsent + +From: Jiri Slaby + +commit 6ca03f90527e499dd5e32d6522909e2ad390896b upstream. + +Use 'strlen' of the string, add one for NUL terminator and simply do +'copy_to_user' instead of the explicit 'for' loop. This makes the +KDGKBSENT case more compact. + +The only thing we need to take care about is NULL 'func_table[i]'. Use +an empty string in that case. + +The original check for overflow could never trigger as the func_buf +strings are always shorter or equal to 'struct kbsentry's. + +Cc: +Signed-off-by: Jiri Slaby +Link: https://lore.kernel.org/r/20201019085517.10176-1-jslaby@suse.cz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/keyboard.c | 28 +++++++++------------------- + 1 file changed, 9 insertions(+), 19 deletions(-) + +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -1963,9 +1963,7 @@ out: + int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) + { + struct kbsentry *kbs; +- char *p; + u_char *q; +- u_char __user *up; + int sz, fnw_sz; + int delta; + char *first_free, *fj, *fnw; +@@ -1991,23 +1989,15 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb + i = kbs->kb_func; + + switch (cmd) { +- case KDGKBSENT: +- sz = sizeof(kbs->kb_string) - 1; /* sz should have been +- a struct member */ +- up = user_kdgkb->kb_string; +- p = func_table[i]; +- if(p) +- for ( ; *p && sz; p++, sz--) +- if (put_user(*p, up++)) { +- ret = -EFAULT; +- goto reterr; +- } +- if (put_user('\0', up)) { +- ret = -EFAULT; +- goto reterr; +- } +- kfree(kbs); +- return ((p && *p) ? -EOVERFLOW : 0); ++ case KDGKBSENT: { ++ /* size should have been a struct member */ ++ unsigned char *from = func_table[i] ? : ""; ++ ++ ret = copy_to_user(user_kdgkb->kb_string, from, ++ strlen(from) + 1) ? -EFAULT : 0; ++ ++ goto reterr; ++ } + case KDSKBSENT: + if (!perm) { + ret = -EPERM;