From 104d71a98937220d0a9f25c51729f1e8b1de57f3 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 16 Nov 2020 08:58:17 -0500
Subject: [PATCH] Fixes for 4.14
Signed-off-by: Sasha Levin
---
 ...es-avoid-fortify_panic-when-copying-.patch | 228 ++++++++++++++++++
 ...ng-kfree-in-error-path-of-cosa_write.patch | 39 +++
 ..._device-refcount-leak-in-nbd_release.patch | 36 +++
 ...f_node-memory-leak-in-of_dma_is_cohe.patch | 47 ++++
 .../perf-fix-get_recursion_context.patch | 35 +++
 ...aspeed-fix-gpi-only-function-problem.patch | 50 ++++
 ...t-default-bias-in-case-no-particular.patch | 58 +++++
 queue-4.14/series | 10 +
 ...g-unlock-on-error-in-xfs_fs_map_bloc.patch | 37 +++
 ...gument-to-rmap-lookup-when-convertin.patch | 39 +++
 ...-key-and-record-comparison-functions.patch | 92 +++++++
 11 files changed, 671 insertions(+)
 create mode 100644 queue-4.14/arm-9019-1-kprobes-avoid-fortify_panic-when-copying-.patch
 create mode 100644 queue-4.14/cosa-add-missing-kfree-in-error-path-of-cosa_write.patch
 create mode 100644 queue-4.14/nbd-fix-a-block_device-refcount-leak-in-nbd_release.patch
 create mode 100644 queue-4.14/of-address-fix-of_node-memory-leak-in-of_dma_is_cohe.patch
 create mode 100644 queue-4.14/perf-fix-get_recursion_context.patch
 create mode 100644 queue-4.14/pinctrl-aspeed-fix-gpi-only-function-problem.patch
 create mode 100644 queue-4.14/pinctrl-intel-set-default-bias-in-case-no-particular.patch
 create mode 100644 queue-4.14/xfs-fix-a-missing-unlock-on-error-in-xfs_fs_map_bloc.patch
 create mode 100644 queue-4.14/xfs-fix-flags-argument-to-rmap-lookup-when-convertin.patch
 create mode 100644 queue-4.14/xfs-fix-rmap-key-and-record-comparison-functions.patch
diff --git a/queue-4.14/arm-9019-1-kprobes-avoid-fortify_panic-when-copying-.patch b/queue-4.14/arm-9019-1-kprobes-avoid-fortify_panic-when-copying-.patch
new file mode 100644
index 00000000000..c4788935500
--- /dev/null
+++ b/queue-4.14/arm-9019-1-kprobes-avoid-fortify_panic-when-copying-.patch
@@ -0,0 +1,228 @@ +From 8d8cf8204651aa0727d41d39f5f4be4e8fc0ce85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Oct 2020 01:43:59 +0100 +Subject: ARM: 9019/1: kprobes: Avoid fortify_panic() when copying optprobe + template + +From: Andrew Jeffery + +[ Upstream commit 9fa2e7af3d53a4b769136eccc32c02e128a4ee51 ] + +Setting both CONFIG_KPROBES=y and CONFIG_FORTIFY_SOURCE=y on ARM leads +to a panic in memcpy() when injecting a kprobe despite the fixes found +in commit e46daee53bb5 ("ARM: 8806/1: kprobes: Fix false positive with +FORTIFY_SOURCE") and commit 0ac569bf6a79 ("ARM: 8834/1: Fix: kprobes: +optimized kprobes illegal instruction"). + +arch/arm/include/asm/kprobes.h effectively declares +the target type of the optprobe_template_entry assembly label as a u32 +which leads memcpy()'s __builtin_object_size() call to determine that +the pointed-to object is of size four. However, the symbol is used as a handle +for the optimised probe assembly template that is at least 96 bytes in size. +The symbol's use despite its type blows up the memcpy() in ARM's +arch_prepare_optimized_kprobe() with a false-positive fortify_panic() when it +should instead copy the optimised probe template into place: + +``` +$ sudo perf probe -a aspeed_g6_pinctrl_probe +[ 158.457252] detected buffer overflow in memcpy +[ 158.458069] ------------[ cut here ]------------ +[ 158.458283] kernel BUG at lib/string.c:1153! 
+[ 158.458436] Internal error: Oops - BUG: 0 [#1] SMP ARM +[ 158.458768] Modules linked in: +[ 158.459043] CPU: 1 PID: 99 Comm: perf Not tainted 5.9.0-rc7-00038-gc53ebf8167e9 #158 +[ 158.459296] Hardware name: Generic DT based system +[ 158.459529] PC is at fortify_panic+0x18/0x20 +[ 158.459658] LR is at __irq_work_queue_local+0x3c/0x74 +[ 158.459831] pc : [<8047451c>] lr : [<8020ecd4>] psr: 60000013 +[ 158.460032] sp : be2d1d50 ip : be2d1c58 fp : be2d1d5c +[ 158.460174] r10: 00000006 r9 : 00000000 r8 : 00000060 +[ 158.460348] r7 : 8011e434 r6 : b9e0b800 r5 : 7f000000 r4 : b9fe4f0c +[ 158.460557] r3 : 80c04cc8 r2 : 00000000 r1 : be7c03cc r0 : 00000022 +[ 158.460801] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 158.461037] Control: 10c5387d Table: b9cd806a DAC: 00000051 +[ 158.461251] Process perf (pid: 99, stack limit = 0x81c71a69) +[ 158.461472] Stack: (0xbe2d1d50 to 0xbe2d2000) +[ 158.461757] 1d40: be2d1d84 be2d1d60 8011e724 80474510 +[ 158.462104] 1d60: b9e0b800 b9fe4f0c 00000000 b9fe4f14 80c8ec80 be235000 be2d1d9c be2d1d88 +[ 158.462436] 1d80: 801cee44 8011e57c b9fe4f0c 00000000 be2d1dc4 be2d1da0 801d0ad0 801cedec +[ 158.462742] 1da0: 00000000 00000000 b9fe4f00 ffffffea 00000000 be235000 be2d1de4 be2d1dc8 +[ 158.463087] 1dc0: 80204604 801d0738 00000000 00000000 b9fe4004 ffffffea be2d1e94 be2d1de8 +[ 158.463428] 1de0: 80205434 80204570 00385c00 00000000 00000000 00000000 be2d1e14 be2d1e08 +[ 158.463880] 1e00: 802ba014 b9fe4f00 b9e718c0 b9fe4f84 b9e71ec8 be2d1e24 00000000 00385c00 +[ 158.464365] 1e20: 00000000 626f7270 00000065 802b905c be2d1e94 0000002e 00000000 802b9914 +[ 158.464829] 1e40: be2d1e84 be2d1e50 802b9914 8028ff78 804629d0 b9e71ec0 0000002e b9e71ec0 +[ 158.465141] 1e60: be2d1ea8 80c04cc8 00000cc0 b9e713c4 00000002 80205834 80205834 0000002e +[ 158.465488] 1e80: be235000 be235000 be2d1ea4 be2d1e98 80205854 80204e94 be2d1ecc be2d1ea8 +[ 158.465806] 1ea0: 801ee4a0 80205840 00000002 80c04cc8 00000000 0000002e 0000002e 00000000 +[ 
158.466110] 1ec0: be2d1f0c be2d1ed0 801ee5c8 801ee428 00000000 be2d0000 006b1fd0 00000051 +[ 158.466398] 1ee0: 00000000 b9eedf00 0000002e 80204410 006b1fd0 be2d1f60 00000000 00000004 +[ 158.466763] 1f00: be2d1f24 be2d1f10 8020442c 801ee4c4 80205834 802c613c be2d1f5c be2d1f28 +[ 158.467102] 1f20: 802c60ac 8020441c be2d1fac be2d1f38 8010c764 802e9888 be2d1f5c b9eedf00 +[ 158.467447] 1f40: b9eedf00 006b1fd0 0000002e 00000000 be2d1f94 be2d1f60 802c634c 802c5fec +[ 158.467812] 1f60: 00000000 00000000 00000000 80c04cc8 006b1fd0 00000003 76f7a610 00000004 +[ 158.468155] 1f80: 80100284 be2d0000 be2d1fa4 be2d1f98 802c63ec 802c62e8 00000000 be2d1fa8 +[ 158.468508] 1fa0: 80100080 802c63e0 006b1fd0 00000003 00000003 006b1fd0 0000002e 00000000 +[ 158.468858] 1fc0: 006b1fd0 00000003 76f7a610 00000004 006b1fb0 0026d348 00000017 7ef2738c +[ 158.469202] 1fe0: 76f3431c 7ef272d8 0014ec50 76f34338 60000010 00000003 00000000 00000000 +[ 158.469461] Backtrace: +[ 158.469683] [<80474504>] (fortify_panic) from [<8011e724>] (arch_prepare_optimized_kprobe+0x1b4/0x1f8) +[ 158.470021] [<8011e570>] (arch_prepare_optimized_kprobe) from [<801cee44>] (alloc_aggr_kprobe+0x64/0x70) +[ 158.470287] r9:be235000 r8:80c8ec80 r7:b9fe4f14 r6:00000000 r5:b9fe4f0c r4:b9e0b800 +[ 158.470478] [<801cede0>] (alloc_aggr_kprobe) from [<801d0ad0>] (register_kprobe+0x3a4/0x5a0) +[ 158.470685] r5:00000000 r4:b9fe4f0c +[ 158.470790] [<801d072c>] (register_kprobe) from [<80204604>] (__register_trace_kprobe+0xa0/0xa4) +[ 158.471001] r9:be235000 r8:00000000 r7:ffffffea r6:b9fe4f00 r5:00000000 r4:00000000 +[ 158.471188] [<80204564>] (__register_trace_kprobe) from [<80205434>] (trace_kprobe_create+0x5ac/0x9ac) +[ 158.471408] r7:ffffffea r6:b9fe4004 r5:00000000 r4:00000000 +[ 158.471553] [<80204e88>] (trace_kprobe_create) from [<80205854>] (create_or_delete_trace_kprobe+0x20/0x3c) +[ 158.471766] r10:be235000 r9:be235000 r8:0000002e r7:80205834 r6:80205834 r5:00000002 +[ 158.471949] r4:b9e713c4 +[ 158.472027] [<80205834>] 
(create_or_delete_trace_kprobe) from [<801ee4a0>] (trace_run_command+0x84/0x9c) +[ 158.472255] [<801ee41c>] (trace_run_command) from [<801ee5c8>] (trace_parse_run_command+0x110/0x1f8) +[ 158.472471] r6:00000000 r5:0000002e r4:0000002e +[ 158.472594] [<801ee4b8>] (trace_parse_run_command) from [<8020442c>] (probes_write+0x1c/0x28) +[ 158.472800] r10:00000004 r9:00000000 r8:be2d1f60 r7:006b1fd0 r6:80204410 r5:0000002e +[ 158.472968] r4:b9eedf00 +[ 158.473046] [<80204410>] (probes_write) from [<802c60ac>] (vfs_write+0xcc/0x1e8) +[ 158.473226] [<802c5fe0>] (vfs_write) from [<802c634c>] (ksys_write+0x70/0xf8) +[ 158.473400] r8:00000000 r7:0000002e r6:006b1fd0 r5:b9eedf00 r4:b9eedf00 +[ 158.473567] [<802c62dc>] (ksys_write) from [<802c63ec>] (sys_write+0x18/0x1c) +[ 158.473745] r9:be2d0000 r8:80100284 r7:00000004 r6:76f7a610 r5:00000003 r4:006b1fd0 +[ 158.473932] [<802c63d4>] (sys_write) from [<80100080>] (ret_fast_syscall+0x0/0x54) +[ 158.474126] Exception stack(0xbe2d1fa8 to 0xbe2d1ff0) +[ 158.474305] 1fa0: 006b1fd0 00000003 00000003 006b1fd0 0000002e 00000000 +[ 158.474573] 1fc0: 006b1fd0 00000003 76f7a610 00000004 006b1fb0 0026d348 00000017 7ef2738c +[ 158.474811] 1fe0: 76f3431c 7ef272d8 0014ec50 76f34338 +[ 158.475171] Code: e24cb004 e1a01000 e59f0004 ebf40dd3 (e7f001f2) +[ 158.475847] ---[ end trace 55a5b31c08a29f00 ]--- +[ 158.476088] Kernel panic - not syncing: Fatal exception +[ 158.476375] CPU0: stopping +[ 158.476709] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G D 5.9.0-rc7-00038-gc53ebf8167e9 #158 +[ 158.477176] Hardware name: Generic DT based system +[ 158.477411] Backtrace: +[ 158.477604] [<8010dd28>] (dump_backtrace) from [<8010dfd4>] (show_stack+0x20/0x24) +[ 158.477990] r7:00000000 r6:60000193 r5:00000000 r4:80c2f634 +[ 158.478323] [<8010dfb4>] (show_stack) from [<8046390c>] (dump_stack+0xcc/0xe8) +[ 158.478686] [<80463840>] (dump_stack) from [<80110750>] (handle_IPI+0x334/0x3a0) +[ 158.479063] r7:00000000 r6:00000004 r5:80b65cc8 r4:80c78278 +[ 158.479352] 
[<8011041c>] (handle_IPI) from [<801013f8>] (gic_handle_irq+0x88/0x94) +[ 158.479757] r10:10c5387d r9:80c01ed8 r8:00000000 r7:c0802000 r6:80c0537c r5:000003ff +[ 158.480146] r4:c080200c r3:fffffff4 +[ 158.480364] [<80101370>] (gic_handle_irq) from [<80100b6c>] (__irq_svc+0x6c/0x90) +[ 158.480748] Exception stack(0x80c01ed8 to 0x80c01f20) +[ 158.481031] 1ec0: 000128bc 00000000 +[ 158.481499] 1ee0: be7b8174 8011d3a0 80c00000 00000000 80c04cec 80c04d28 80c5d7c2 80a026d4 +[ 158.482091] 1f00: 10c5387d 80c01f34 80c01f38 80c01f28 80109554 80109558 60000013 ffffffff +[ 158.482621] r9:80c00000 r8:80c5d7c2 r7:80c01f0c r6:ffffffff r5:60000013 r4:80109558 +[ 158.482983] [<80109518>] (arch_cpu_idle) from [<80818780>] (default_idle_call+0x38/0x120) +[ 158.483360] [<80818748>] (default_idle_call) from [<801585a8>] (do_idle+0xd4/0x158) +[ 158.483945] r5:00000000 r4:80c00000 +[ 158.484237] [<801584d4>] (do_idle) from [<801588f4>] (cpu_startup_entry+0x28/0x2c) +[ 158.484784] r9:80c78000 r8:00000000 r7:80c78000 r6:80c78040 r5:80c04cc0 r4:000000d6 +[ 158.485328] [<801588cc>] (cpu_startup_entry) from [<80810a78>] (rest_init+0x9c/0xbc) +[ 158.485930] [<808109dc>] (rest_init) from [<80b00ae4>] (arch_call_rest_init+0x18/0x1c) +[ 158.486503] r5:80c04cc0 r4:00000001 +[ 158.486857] [<80b00acc>] (arch_call_rest_init) from [<80b00fcc>] (start_kernel+0x46c/0x548) +[ 158.487589] [<80b00b60>] (start_kernel) from [<00000000>] (0x0) +``` + +Fixes: e46daee53bb5 ("ARM: 8806/1: kprobes: Fix false positive with FORTIFY_SOURCE") +Fixes: 0ac569bf6a79 ("ARM: 8834/1: Fix: kprobes: optimized kprobes illegal instruction") +Suggested-by: Kees Cook +Signed-off-by: Andrew Jeffery +Tested-by: Luka Oreskovic +Tested-by: Joel Stanley +Reviewed-by: Joel Stanley +Acked-by: Masami Hiramatsu +Cc: Luka Oreskovic +Cc: Juraj Vijtiuk +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/kprobes.h | 22 +++++++++++----------- + arch/arm/probes/kprobes/opt-arm.c | 18 +++++++++--------- + 2 
files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/arch/arm/include/asm/kprobes.h b/arch/arm/include/asm/kprobes.h
+index 59655459da591..74cef57bf806a 100644
+--- a/arch/arm/include/asm/kprobes.h
++++ b/arch/arm/include/asm/kprobes.h
+@@ -54,20 +54,20 @@ int kprobe_exceptions_notify(struct notifier_block *self,
+ unsigned long val, void *data);
+
+ /* optinsn template addresses */
+-extern __visible kprobe_opcode_t optprobe_template_entry;
+-extern __visible kprobe_opcode_t optprobe_template_val;
+-extern __visible kprobe_opcode_t optprobe_template_call;
+-extern __visible kprobe_opcode_t optprobe_template_end;
+-extern __visible kprobe_opcode_t optprobe_template_sub_sp;
+-extern __visible kprobe_opcode_t optprobe_template_add_sp;
+-extern __visible kprobe_opcode_t optprobe_template_restore_begin;
+-extern __visible kprobe_opcode_t optprobe_template_restore_orig_insn;
+-extern __visible kprobe_opcode_t optprobe_template_restore_end;
++extern __visible kprobe_opcode_t optprobe_template_entry[];
++extern __visible kprobe_opcode_t optprobe_template_val[];
++extern __visible kprobe_opcode_t optprobe_template_call[];
++extern __visible kprobe_opcode_t optprobe_template_end[];
++extern __visible kprobe_opcode_t optprobe_template_sub_sp[];
++extern __visible kprobe_opcode_t optprobe_template_add_sp[];
++extern __visible kprobe_opcode_t optprobe_template_restore_begin[];
++extern __visible kprobe_opcode_t optprobe_template_restore_orig_insn[];
++extern __visible kprobe_opcode_t optprobe_template_restore_end[];
+
+ #define MAX_OPTIMIZED_LENGTH 4
+ #define MAX_OPTINSN_SIZE \
+- ((unsigned long)&optprobe_template_end - \
+- (unsigned long)&optprobe_template_entry)
++ ((unsigned long)optprobe_template_end - \
++ (unsigned long)optprobe_template_entry)
+ #define RELATIVEJUMP_SIZE 4
+
+ struct arch_optimized_insn {
+diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
+index 0dc23fc227ed2..cf08cb7267670 100644
+---
a/arch/arm/probes/kprobes/opt-arm.c
++++ b/arch/arm/probes/kprobes/opt-arm.c
+@@ -98,21 +98,21 @@ asm (
+ "optprobe_template_end:\n");
+
+ #define TMPL_VAL_IDX \
+- ((unsigned long *)&optprobe_template_val - (unsigned long *)&optprobe_template_entry)
++ ((unsigned long *)optprobe_template_val - (unsigned long *)optprobe_template_entry)
+ #define TMPL_CALL_IDX \
+- ((unsigned long *)&optprobe_template_call - (unsigned long *)&optprobe_template_entry)
++ ((unsigned long *)optprobe_template_call - (unsigned long *)optprobe_template_entry)
+ #define TMPL_END_IDX \
+- ((unsigned long *)&optprobe_template_end - (unsigned long *)&optprobe_template_entry)
++ ((unsigned long *)optprobe_template_end - (unsigned long *)optprobe_template_entry)
+ #define TMPL_ADD_SP \
+- ((unsigned long *)&optprobe_template_add_sp - (unsigned long *)&optprobe_template_entry)
++ ((unsigned long *)optprobe_template_add_sp - (unsigned long *)optprobe_template_entry)
+ #define TMPL_SUB_SP \
+- ((unsigned long *)&optprobe_template_sub_sp - (unsigned long *)&optprobe_template_entry)
++ ((unsigned long *)optprobe_template_sub_sp - (unsigned long *)optprobe_template_entry)
+ #define TMPL_RESTORE_BEGIN \
+- ((unsigned long *)&optprobe_template_restore_begin - (unsigned long *)&optprobe_template_entry)
++ ((unsigned long *)optprobe_template_restore_begin - (unsigned long *)optprobe_template_entry)
+ #define TMPL_RESTORE_ORIGN_INSN \
+- ((unsigned long *)&optprobe_template_restore_orig_insn - (unsigned long *)&optprobe_template_entry)
++ ((unsigned long *)optprobe_template_restore_orig_insn - (unsigned long *)optprobe_template_entry)
+ #define TMPL_RESTORE_END \
+- ((unsigned long *)&optprobe_template_restore_end - (unsigned long *)&optprobe_template_entry)
++ ((unsigned long *)optprobe_template_restore_end - (unsigned long *)optprobe_template_entry)
+
+ /*
+ * ARM can always optimize an instruction when using ARM ISA, except
+@@ -247,7 +247,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe
*op, struct kprobe *or
+ }
+
+ /* Copy arch-dep-instance from template. */
+- memcpy(code, (unsigned long *)&optprobe_template_entry,
++ memcpy(code, (unsigned long *)optprobe_template_entry,
+ TMPL_END_IDX * sizeof(kprobe_opcode_t));
+
+ /* Adjust buffer according to instruction. */
+--
+2.27.0
+
diff --git a/queue-4.14/cosa-add-missing-kfree-in-error-path-of-cosa_write.patch b/queue-4.14/cosa-add-missing-kfree-in-error-path-of-cosa_write.patch
new file mode 100644
index 00000000000..dfca295d1bf
--- /dev/null
+++ b/queue-4.14/cosa-add-missing-kfree-in-error-path-of-cosa_write.patch
@@ -0,0 +1,39 @@
+From 1550eb1ac8d66b34387846e89c7327b02f1eecd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Nov 2020 22:46:14 +0800
+Subject: cosa: Add missing kfree in error path of cosa_write
+
+From: Wang Hai
+
+[ Upstream commit 52755b66ddcef2e897778fac5656df18817b59ab ]
+
+If memory allocation for 'kbuf' succeed, cosa_write() doesn't have a
+corresponding kfree() in exception handling. Thus add kfree() for this
+function implementation.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Acked-by: Jan "Yenya" Kasprzak
+Link: https://lore.kernel.org/r/20201110144614.43194-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wan/cosa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wan/cosa.c b/drivers/net/wan/cosa.c
+index 6ea16260ec760..1a1f2d1069fb8 100644
+--- a/drivers/net/wan/cosa.c
++++ b/drivers/net/wan/cosa.c
+@@ -902,6 +902,7 @@ static ssize_t cosa_write(struct file *file,
+ chan->tx_status = 1;
+ spin_unlock_irqrestore(&cosa->lock, flags);
+ up(&chan->wsem);
++ kfree(kbuf);
+ return -ERESTARTSYS;
+ }
+ }
+--
+2.27.0
+
diff --git a/queue-4.14/nbd-fix-a-block_device-refcount-leak-in-nbd_release.patch b/queue-4.14/nbd-fix-a-block_device-refcount-leak-in-nbd_release.patch
new file mode 100644
index 00000000000..12588e849c3
--- /dev/null
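Review bot: The memcpy() in arch_prepare_optimized_kprobe() (arch/arm/probes/kprobes/opt-arm.c) appears to lose its FORTIFY_SOURCE source bound altogether, since declaring optprobe_template_entry as an unsized array presumably leaves the compiler with no object size to check rather than a correct one. The copy length `TMPL_END_IDX * sizeof(kprobe_opcode_t)` is then the only limit, and it combines an index computed through `(unsigned long *)` casts with an element size of kprobe_opcode_t, which agree only while both types are four bytes wide. Now that the labels are arrays the casts could be dropped, e.g. `#define TMPL_END_IDX (optprobe_template_end - optprobe_template_entry)`, and a comment added at the memcpy such as `/* template labels are unsized arrays: the length comes from TMPL_END_IDX, not from the compiler */`. The allocation of the destination `code` buffer is outside the visible hunk and should be confirmed to cover MAX_OPTINSN_SIZE.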
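Review bot: The added `kfree(kbuf);` on the -ERESTARTSYS path of cosa_write() (drivers/net/wan/cosa.c) is safe only if nothing else still holds the pointer, and the hunk does not show that. If kbuf was handed to the channel's transmit path earlier in the function, which lies outside the visible lines, a transmit still in flight could read the buffer after it is freed, because the free happens after `cosa->lock` has been dropped. The pending transmit should be cancelled and the channel's reference to the buffer cleared under the lock before freeing, or the free left to the completion path; at minimum a comment should state why no transmit can still reference kbuf at this point.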
+++ b/queue-4.14/nbd-fix-a-block_device-refcount-leak-in-nbd_release.patch
@@ -0,0 +1,36 @@
+From ac435220a9317b823a691cb1f4c6e0b69fc8a5e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Nov 2020 18:30:59 +0100
+Subject: nbd: fix a block_device refcount leak in nbd_release
+
+From: Christoph Hellwig
+
+[ Upstream commit 2bd645b2d3f0bacadaa6037f067538e1cd4e42ef ]
+
+bdget_disk needs to be paired with bdput to not leak a reference
+on the block device inode.
+
+Fixes: 08ba91ee6e2c ("nbd: Add the nbd NBD_DISCONNECT_ON_CLOSE config flag.")
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Josef Bacik
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/nbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 9a0fb2d52a76c..70ef826af7f8d 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1432,6 +1432,7 @@ static void nbd_release(struct gendisk *disk, fmode_t mode)
+ if (test_bit(NBD_DISCONNECT_ON_CLOSE, &nbd->config->runtime_flags) &&
+ bdev->bd_openers == 0)
+ nbd_disconnect_and_put(nbd);
++ bdput(bdev);
+
+ nbd_config_put(nbd);
+ nbd_put(nbd);
+--
+2.27.0
+
diff --git a/queue-4.14/of-address-fix-of_node-memory-leak-in-of_dma_is_cohe.patch b/queue-4.14/of-address-fix-of_node-memory-leak-in-of_dma_is_cohe.patch
new file mode 100644
index 00000000000..f3719977512
--- /dev/null
+++ b/queue-4.14/of-address-fix-of_node-memory-leak-in-of_dma_is_cohe.patch
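Review bot: `bdput(bdev);` in nbd_release() (drivers/block/nbd.c) runs unconditionally, and the context line above it already reads `bdev->bd_openers`, yet no NULL check on bdev is visible in the hunk. The commit message says the reference comes from bdget_disk(); if that lookup can fail on this path, both the read and the new put would dereference a NULL pointer. The assignment lies outside the hunk, so this needs confirming there; wrapping the disconnect test and the put in `if (bdev) { ... }` would cover both uses while leaving nbd_config_put() and nbd_put() unconditional.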
@@ -0,0 +1,47 @@
+From fd5ce3e81cdd5b22f02a3ebd091893c40dde799a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 Nov 2020 15:28:25 +1300
+Subject: of/address: Fix of_node memory leak in of_dma_is_coherent
+
+From: Evan Nimmo
+
+[ Upstream commit a5bea04fcc0b3c0aec71ee1fd58fd4ff7ee36177 ]
+
+Commit dabf6b36b83a ("of: Add OF_DMA_DEFAULT_COHERENT & select it on
+powerpc") added a check to of_dma_is_coherent which returns early
+if OF_DMA_DEFAULT_COHERENT is enabled. This results in the of_node_put()
+being skipped causing a memory leak. Moved the of_node_get() below this
+check so we now we only get the node if OF_DMA_DEFAULT_COHERENT is not
+enabled.
+
+Fixes: dabf6b36b83a ("of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc")
+Signed-off-by: Evan Nimmo
+Link: https://lore.kernel.org/r/20201110022825.30895-1-evan.nimmo@alliedtelesis.co.nz
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+---
+ drivers/of/address.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 456339c19aed7..94f4ff22044f6 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -899,11 +899,13 @@ EXPORT_SYMBOL_GPL(of_dma_get_range);
+ */
+ bool of_dma_is_coherent(struct device_node *np)
+ {
+- struct device_node *node = of_node_get(np);
++ struct device_node *node;
+
+ if (IS_ENABLED(CONFIG_OF_DMA_DEFAULT_COHERENT))
+ return true;
+
++ node = of_node_get(np);
++
+ while (node) {
+ if (of_property_read_bool(node, "dma-coherent")) {
+ of_node_put(node);
+--
+2.27.0
+
diff --git a/queue-4.14/perf-fix-get_recursion_context.patch b/queue-4.14/perf-fix-get_recursion_context.patch
new file mode 100644
index 00000000000..e8559710081
--- /dev/null
+++ b/queue-4.14/perf-fix-get_recursion_context.patch
@@ -0,0 +1,35 @@
+From 27d8ddff27d3cd2633226a3b6b5ae33bc0c9fed6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Oct 2020 12:49:45 +0100
+Subject: perf: Fix get_recursion_context()
+
+From: Peter Zijlstra
+
+[ Upstream commit ce0f17fc93f63ee91428af10b7b2ddef38cd19e5 ]
+
+One should use in_serving_softirq() to detect SoftIRQ context.
+
+Fixes: 96f6d4444302 ("perf_counter: avoid recursion")
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/20201030151955.120572175@infradead.org
+Signed-off-by: Sasha Levin
+---
+ kernel/events/internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/internal.h b/kernel/events/internal.h
+index 09b1537ae06cd..41317d04eeae2 100644
+--- a/kernel/events/internal.h
++++ b/kernel/events/internal.h
+@@ -213,7 +213,7 @@ static inline int get_recursion_context(int *recursion)
+ rctx = 3;
+ else if (in_irq())
+ rctx = 2;
+- else if (in_softirq())
++ else if (in_serving_softirq())
+ rctx = 1;
+ else
+ rctx = 0;
+--
+2.27.0
+
diff --git a/queue-4.14/pinctrl-aspeed-fix-gpi-only-function-problem.patch b/queue-4.14/pinctrl-aspeed-fix-gpi-only-function-problem.patch
new file mode 100644
index 00000000000..4bbea54ed6a
--- /dev/null
+++ b/queue-4.14/pinctrl-aspeed-fix-gpi-only-function-problem.patch
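Review bot: The `else if (in_serving_softirq())` branch in get_recursion_context() (kernel/events/internal.h) needs a comment, because the difference from in_softirq() is the whole fix and neither the code nor the one-line commit message states it. in_softirq() is also true in task context while bottom halves are merely disabled, so such a caller would have been given the softirq slot and could collide with a softirq that is actually running. Suggested comment above the branch: `/* in_softirq() is also true with BH disabled in task context; only an executing softirq gets slot 1 */`. The function body begins and ends outside the hunk.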
@@ -0,0 +1,50 @@
+From a8fb8da098e23da43d3804502d3582fb60d76111 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Oct 2020 13:54:50 +0800
+Subject: pinctrl: aspeed: Fix GPI only function problem.
+
+From: Billy Tsai
+
+[ Upstream commit 9b92f5c51e9a41352d665f6f956bd95085a56a83 ]
+
+Some gpio pin at aspeed soc is input only and the prefix name of these
+pin is "GPI" only.
+This patch fine-tune the condition of GPIO check from "GPIO" to "GPI"
+and it will fix the usage error of banks D and E in the AST2400/AST2500
+and banks T and U in the AST2600.
+
+Fixes: 4d3d0e4272d8 ("pinctrl: Add core support for Aspeed SoCs")
+Signed-off-by: Billy Tsai
+Reviewed-by: Andrew Jeffery
+Link: https://lore.kernel.org/r/20201030055450.29613-1-billy_tsai@aspeedtech.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/aspeed/pinctrl-aspeed.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/aspeed/pinctrl-aspeed.c b/drivers/pinctrl/aspeed/pinctrl-aspeed.c
+index 7f13ce8450a34..5249033ed413e 100644
+--- a/drivers/pinctrl/aspeed/pinctrl-aspeed.c
++++ b/drivers/pinctrl/aspeed/pinctrl-aspeed.c
+@@ -458,13 +458,14 @@ int aspeed_pinmux_set_mux(struct pinctrl_dev *pctldev, unsigned int function,
+ static bool aspeed_expr_is_gpio(const struct aspeed_sig_expr *expr)
+ {
+ /*
+- * The signal type is GPIO if the signal name has "GPIO" as a prefix.
++ * The signal type is GPIO if the signal name has "GPI" as a prefix.
+ * strncmp (rather than strcmp) is used to implement the prefix
+ * requirement.
+ *
+- * expr->signal might look like "GPIOT3" in the GPIO case.
++ * expr->signal might look like "GPIOB1" in the GPIO case.
++ * expr->signal might look like "GPIT0" in the GPI case.
+ */
+- return strncmp(expr->signal, "GPIO", 4) == 0;
++ return strncmp(expr->signal, "GPI", 3) == 0;
+ }
+
+ static bool aspeed_gpio_in_exprs(const struct aspeed_sig_expr **exprs)
+--
+2.27.0
+
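Review bot: `strncmp(expr->signal, "GPI", 3) == 0` in aspeed_expr_is_gpio() (drivers/pinctrl/aspeed/pinctrl-aspeed.c) now classifies every signal whose name begins with "GPI" as a GPIO, which is wider than the two shapes the updated comment lists ("GPIOB1" and "GPIT0"). If any pin table carries a non-GPIO signal with that prefix, its pin would be treated as a GPIO by mistake; the tables are not part of this hunk, so that is unverified. The assumption should at least be written into the comment, e.g. `* No non-GPIO signal name may begin with "GPI".`, so that anyone adding a signal later knows the prefix is reserved.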
diff --git a/queue-4.14/pinctrl-intel-set-default-bias-in-case-no-particular.patch b/queue-4.14/pinctrl-intel-set-default-bias-in-case-no-particular.patch
new file mode 100644
index 00000000000..71f46acdbd6
--- /dev/null
+++ b/queue-4.14/pinctrl-intel-set-default-bias-in-case-no-particular.patch
@@ -0,0 +1,58 @@
+From f80311f1ecad6eeada9b51d804177d69042f45c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Oct 2020 13:46:38 +0300
+Subject: pinctrl: intel: Set default bias in case no particular value given
+
+From: Andy Shevchenko
+
+[ Upstream commit f3c75e7a9349d1d33eb53ddc1b31640994969f73 ]
+
+When GPIO library asks pin control to set the bias, it doesn't pass
+any value of it and argument is considered boolean (and this is true
+for ACPI GpioIo() / GpioInt() resources, by the way). Thus, individual
+drivers must behave well, when they got the resistance value of 1 Ohm,
+i.e. transforming it to sane default.
+
+In case of Intel pin control hardware the 5 kOhm sounds plausible
+because on one hand it's a minimum of resistors present in all
+hardware generations and at the same time it's high enough to minimize
+leakage current (will be only 200 uA with the above choice).
+
+Fixes: e57725eabf87 ("pinctrl: intel: Add support for hardware debouncer")
+Reported-by: Jamie McClymont
+Signed-off-by: Andy Shevchenko
+Acked-by: Mika Westerberg
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/intel/pinctrl-intel.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-intel.c b/drivers/pinctrl/intel/pinctrl-intel.c
+index 71df0f70b61f0..45b062b0d4188 100644
+--- a/drivers/pinctrl/intel/pinctrl-intel.c
++++ b/drivers/pinctrl/intel/pinctrl-intel.c
+@@ -602,6 +602,10 @@ static int intel_config_set_pull(struct intel_pinctrl *pctrl, unsigned pin,
+
+ value |= PADCFG1_TERM_UP;
+
++ /* Set default strength value in case none is given */
++ if (arg == 1)
++ arg = 5000;
++
+ switch (arg) {
+ case 20000:
+ value |= PADCFG1_TERM_20K << PADCFG1_TERM_SHIFT;
+@@ -624,6 +628,10 @@ static int intel_config_set_pull(struct intel_pinctrl *pctrl, unsigned pin,
+ case PIN_CONFIG_BIAS_PULL_DOWN:
+ value &= ~(PADCFG1_TERM_UP | PADCFG1_TERM_MASK);
+
++ /* Set default strength value in case none is given */
++ if (arg == 1)
++ arg = 5000;
++
+ switch (arg) {
+ case 20000:
+ value |= PADCFG1_TERM_20K << PADCFG1_TERM_SHIFT;
+--
+2.27.0
+
diff --git a/queue-4.14/series b/queue-4.14/series
index e0be97d0f23..c9e7d1d300c 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -31,3 +31,13 @@ mac80211-always-wind-down-sta-state.patch
 cfg80211-regulatory-fix-inconsistent-format-argument.patch
 scsi-scsi_dh_alua-avoid-crash-during-alua_bus_detach.patch
 iommu-amd-increase-interrupt-remapping-table-limit-t.patch
+pinctrl-intel-set-default-bias-in-case-no-particular.patch
+arm-9019-1-kprobes-avoid-fortify_panic-when-copying-.patch
+pinctrl-aspeed-fix-gpi-only-function-problem.patch
+nbd-fix-a-block_device-refcount-leak-in-nbd_release.patch
+xfs-fix-flags-argument-to-rmap-lookup-when-convertin.patch
+xfs-fix-rmap-key-and-record-comparison-functions.patch
+xfs-fix-a-missing-unlock-on-error-in-xfs_fs_map_bloc.patch
+of-address-fix-of_node-memory-leak-in-of_dma_is_cohe.patch
+cosa-add-missing-kfree-in-error-path-of-cosa_write.patch
+perf-fix-get_recursion_context.patch
diff --git a/queue-4.14/xfs-fix-a-missing-unlock-on-error-in-xfs_fs_map_bloc.patch b/queue-4.14/xfs-fix-a-missing-unlock-on-error-in-xfs_fs_map_bloc.patch
new file mode 100644
index 00000000000..d00e6e54603
--- /dev/null
+++ b/queue-4.14/xfs-fix-a-missing-unlock-on-error-in-xfs_fs_map_bloc.patch
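Review bot: The default-bias block `if (arg == 1) arg = 5000;` is pasted twice in intel_config_set_pull() (drivers/pinctrl/intel/pinctrl-intel.c), once before the pull-up switch and once before the pull-down switch, with 1 and 5000 as bare literals and a comment that says "strength" where the commit message speaks of a resistance in ohms. Naming the values would make the sentinel explicit, e.g. a constant such as `#define INTEL_DEFAULT_PULL_OHMS 5000` (example name), with the comment reworded to `/* arg == 1: bias requested without a resistance, use 5 kOhm */`. Only `case 20000:` of each inner switch is visible, so it should be confirmed that 5000 is an accepted case in both; otherwise the default would be rejected rather than applied.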
@@ -0,0 +1,37 @@
+From fe0120f27dfb04f950ae0ce9d961736bd6b248ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 Nov 2020 08:07:37 -0800
+Subject: xfs: fix a missing unlock on error in xfs_fs_map_blocks
+
+From: Christoph Hellwig
+
+[ Upstream commit 2bd3fa793aaa7e98b74e3653fdcc72fa753913b5 ]
+
+We also need to drop the iolock when invalidate_inode_pages2 fails, not
+only on all other error or successful cases.
+
+Fixes: 527851124d10 ("xfs: implement pNFS export operations")
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/xfs_pnfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_pnfs.c b/fs/xfs/xfs_pnfs.c
+index aa6c5c193f458..8538916d255ea 100644
+--- a/fs/xfs/xfs_pnfs.c
++++ b/fs/xfs/xfs_pnfs.c
+@@ -140,7 +140,7 @@ xfs_fs_map_blocks(
+ goto out_unlock;
+ error = invalidate_inode_pages2(inode->i_mapping);
+ if (WARN_ON_ONCE(error))
+- return error;
++ goto out_unlock;
+
+ end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + length);
+ offset_fsb = XFS_B_TO_FSBT(mp, offset);
+--
+2.27.0
+
diff --git a/queue-4.14/xfs-fix-flags-argument-to-rmap-lookup-when-convertin.patch b/queue-4.14/xfs-fix-flags-argument-to-rmap-lookup-when-convertin.patch
new file mode 100644
index 00000000000..3d471781d30
--- /dev/null
+++ b/queue-4.14/xfs-fix-flags-argument-to-rmap-lookup-when-convertin.patch
@@ -0,0 +1,39 @@
+From ef89095a02b50d23ff914c753ad0828f700a6154 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 8 Nov 2020 16:32:43 -0800
+Subject: xfs: fix flags argument to rmap lookup when converting shared file
+ rmaps
+
+From: Darrick J. Wong
+
+[ Upstream commit ea8439899c0b15a176664df62aff928010fad276 ]
+
+Pass the same oldext argument (which contains the existing rmapping's
+unwritten state) to xfs_rmap_lookup_le_range at the start of
+xfs_rmap_convert_shared. At this point in the code, flags is zero,
+which means that we perform lookups using the wrong key.
+
+Fixes: 3f165b334e51 ("xfs: convert unwritten status of reverse mappings for shared files")
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/libxfs/xfs_rmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_rmap.c b/fs/xfs/libxfs/xfs_rmap.c
+index 55c88a732690e..1f16c2da24723 100644
+--- a/fs/xfs/libxfs/xfs_rmap.c
++++ b/fs/xfs/libxfs/xfs_rmap.c
+@@ -1319,7 +1319,7 @@ xfs_rmap_convert_shared(
+ * record for our insertion point. This will also give us the record for
+ * start block contiguity tests.
+ */
+- error = xfs_rmap_lookup_le_range(cur, bno, owner, offset, flags,
++ error = xfs_rmap_lookup_le_range(cur, bno, owner, offset, oldext,
+ &PREV, &i);
+ XFS_WANT_CORRUPTED_GOTO(mp, i == 1, done);
+
+--
+2.27.0
+
diff --git a/queue-4.14/xfs-fix-rmap-key-and-record-comparison-functions.patch b/queue-4.14/xfs-fix-rmap-key-and-record-comparison-functions.patch
new file mode 100644
index 00000000000..373343d0a03
--- /dev/null
+++ b/queue-4.14/xfs-fix-rmap-key-and-record-comparison-functions.patch
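Review bot: The return value of xfs_rmap_lookup_le_range() in xfs_rmap_convert_shared() (fs/xfs/libxfs/xfs_rmap.c) is stored in `error` but not tested before the next visible statement, `XFS_WANT_CORRUPTED_GOTO(mp, i == 1, done);`, inspects `i`. If the lookup fails, `i` may not hold a meaningful value, and a genuine I/O or allocation error would likely be reported as corruption or passed over. The line predates this patch, but since the call is being corrected here I would add `if (error)` followed by `goto done;` directly after it. The function continues outside the hunk.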
@@ -0,0 +1,92 @@
+From 9dcf21eca5e38866599534b18999b5b102124f7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 8 Nov 2020 16:32:44 -0800
+Subject: xfs: fix rmap key and record comparison functions
+
+From: Darrick J. Wong
+
+[ Upstream commit 6ff646b2ceb0eec916101877f38da0b73e3a5b7f ]
+
+Keys for extent interval records in the reverse mapping btree are
+supposed to be computed as follows:
+
+(physical block, owner, fork, is_btree, is_unwritten, offset)
+
+This provides users the ability to look up a reverse mapping from a bmbt
+record -- start with the physical block; then if there are multiple
+records for the same block, move on to the owner; then the inode fork
+type; and so on to the file offset.
+
+However, the key comparison functions incorrectly remove the
+fork/btree/unwritten information that's encoded in the on-disk offset.
+This means that lookup comparisons are only done with:
+
+(physical block, owner, offset)
+
+This means that queries can return incorrect results. On consistent
+filesystems this hasn't been an issue because blocks are never shared
+between forks or with bmbt blocks; and are never unwritten. However,
+this bug means that online repair cannot always detect corruption in the
+key information in internal rmapbt nodes.
+
+Found by fuzzing keys[1].attrfork = ones on xfs/371.
+
+Fixes: 4b8ed67794fe ("xfs: add rmap btree operations")
+Signed-off-by: Darrick J.
Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ fs/xfs/libxfs/xfs_rmap_btree.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_rmap_btree.c b/fs/xfs/libxfs/xfs_rmap_btree.c
+index 9d9c9192584c9..cd689d21d3af8 100644
+--- a/fs/xfs/libxfs/xfs_rmap_btree.c
++++ b/fs/xfs/libxfs/xfs_rmap_btree.c
+@@ -262,8 +262,8 @@ xfs_rmapbt_key_diff(
+ else if (y > x)
+ return -1;
+
+- x = XFS_RMAP_OFF(be64_to_cpu(kp->rm_offset));
+- y = rec->rm_offset;
++ x = be64_to_cpu(kp->rm_offset);
++ y = xfs_rmap_irec_offset_pack(rec);
+ if (x > y)
+ return 1;
+ else if (y > x)
+@@ -294,8 +294,8 @@ xfs_rmapbt_diff_two_keys(
+ else if (y > x)
+ return -1;
+
+- x = XFS_RMAP_OFF(be64_to_cpu(kp1->rm_offset));
+- y = XFS_RMAP_OFF(be64_to_cpu(kp2->rm_offset));
++ x = be64_to_cpu(kp1->rm_offset);
++ y = be64_to_cpu(kp2->rm_offset);
+ if (x > y)
+ return 1;
+ else if (y > x)
+@@ -400,8 +400,8 @@ xfs_rmapbt_keys_inorder(
+ return 1;
+ else if (a > b)
+ return 0;
+- a = XFS_RMAP_OFF(be64_to_cpu(k1->rmap.rm_offset));
+- b = XFS_RMAP_OFF(be64_to_cpu(k2->rmap.rm_offset));
++ a = be64_to_cpu(k1->rmap.rm_offset);
++ b = be64_to_cpu(k2->rmap.rm_offset);
+ if (a <= b)
+ return 1;
+ return 0;
+@@ -430,8 +430,8 @@ xfs_rmapbt_recs_inorder(
+ return 1;
+ else if (a > b)
+ return 0;
+- a = XFS_RMAP_OFF(be64_to_cpu(r1->rmap.rm_offset));
+- b = XFS_RMAP_OFF(be64_to_cpu(r2->rmap.rm_offset));
++ a = be64_to_cpu(r1->rmap.rm_offset);
++ b = be64_to_cpu(r2->rmap.rm_offset);
+ if (a <= b)
+ return 1;
+ return 0;
+--
+2.27.0
+
--
2.47.3
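Review bot: Nothing at the four changed comparison sites in fs/xfs/libxfs/xfs_rmap_btree.c (xfs_rmapbt_key_diff, xfs_rmapbt_diff_two_keys, xfs_rmapbt_keys_inorder, xfs_rmapbt_recs_inorder) records that the flag bits are now compared on purpose, so a later cleanup could put the XFS_RMAP_OFF() mask back and reintroduce the lookup error the commit message describes. A short comment at each site would prevent that, e.g. `/* compare the full on-disk rm_offset, fork/bmbt/unwritten flag bits included */`. In xfs_rmapbt_key_diff the in-core side is now packed with xfs_rmap_irec_offset_pack(); that helper is not defined in this hunk, so its presence in the 4.14 tree should be checked before the patch is queued.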