From 24bfc04aad052975a407ef1af896502d22cd5b42 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 15 Apr 2020 14:15:41 +0200 Subject: [PATCH] 4.19-stable patches added patches: arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch cpufreq-powernv-fix-use-after-free.patch dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch drm-etnaviv-rework-perfmon-query-infrastructure.patch ext4-fix-a-data-race-at-inode-i_blocks.patch fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch input-i8042-add-acer-aspire-5738z-to-nomux-list.patch ipmi-fix-hung-processes-in-__get_guid.patch kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch perf-tools-support-python-3.8-in-makefile.patch powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch rtc-omap-use-define-directive-for-pin_config_active_high.patch s390-diag-fix-display-of-diagnose-call-statistics.patch scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch --- ...fix-undef_hook-mask-for-thumb-setend.patch | 53 +++ ...0-exit-with-error-if-cgu-init-failed.patch | 39 ++ .../cpufreq-powernv-fix-use-after-free.patch | 46 ++ ...ec-fix-memory-leak-in-verity_fec_dtr.patch | 57 +++ ...-add-cond_resched-to-avoid-cpu-hangs.patch | 52 +++ ...-rework-perfmon-query-infrastructure.patch | 136 ++++++ ...t4-fix-a-data-race-at-inode-i_blocks.patch | 90 ++++ ...-reachable-warn_once-to-pr_warn_once.patch | 55 +++ ...ystem-corruption-when-deleting-files.patch | 52 +++ 
...-add-acer-aspire-5738z-to-nomux-list.patch | 52 +++ ...pmi-fix-hung-processes-in-__get_guid.patch | 68 +++ ...n-error-when-autoloading-is-disabled.patch | 108 +++++ ...over_pm-when-ata_dflag_detach-is-set.patch | 74 ++++ ...-in-nfs_destroy_unlinked_subrequests.patch | 31 ++ ...d-try-to-truncate-file-beyond-i_size.patch | 59 +++ ...tools-support-python-3.8-in-makefile.patch | 59 +++ ...ereference-when-drmem-is-unavailable.patch | 101 +++++ ...directive-for-pin_config_active_high.patch | 55 +++ ...-display-of-diagnose-call-statistics.patch | 36 ++ ...-recovery-trigger-for-point-to-point.patch | 79 ++++ ...cies-on-page-flags-from-mlock2-tests.patch | 393 ++++++++++++++++++ queue-4.19/series | 22 + ...ion-flags-in-blkfront_setup_indirect.patch | 103 +++++ 23 files changed, 1820 insertions(+) create mode 100644 queue-4.19/arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch create mode 100644 queue-4.19/clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch create mode 100644 queue-4.19/cpufreq-powernv-fix-use-after-free.patch create mode 100644 queue-4.19/dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch create mode 100644 queue-4.19/dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch create mode 100644 queue-4.19/drm-etnaviv-rework-perfmon-query-infrastructure.patch create mode 100644 queue-4.19/ext4-fix-a-data-race-at-inode-i_blocks.patch create mode 100644 queue-4.19/fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch create mode 100644 queue-4.19/hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch create mode 100644 queue-4.19/input-i8042-add-acer-aspire-5738z-to-nomux-list.patch create mode 100644 queue-4.19/ipmi-fix-hung-processes-in-__get_guid.patch create mode 100644 queue-4.19/kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch create mode 100644 queue-4.19/libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch create mode 100644 
queue-4.19/nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch create mode 100644 queue-4.19/ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch create mode 100644 queue-4.19/perf-tools-support-python-3.8-in-makefile.patch create mode 100644 queue-4.19/powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch create mode 100644 queue-4.19/rtc-omap-use-define-directive-for-pin_config_active_high.patch create mode 100644 queue-4.19/s390-diag-fix-display-of-diagnose-call-statistics.patch create mode 100644 queue-4.19/scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch create mode 100644 queue-4.19/selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch create mode 100644 queue-4.19/xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch diff --git a/queue-4.19/arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch b/queue-4.19/arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch new file mode 100644 index 00000000000..ed9a09295a8 --- /dev/null +++ b/queue-4.19/arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch 
@@ -0,0 +1,53 @@
+From fc2266011accd5aeb8ebc335c381991f20e26e33 Mon Sep 17 00:00:00 2001
+From: Fredrik Strupe
+Date: Wed, 8 Apr 2020 13:29:41 +0200
+Subject: arm64: armv8_deprecated: Fix undef_hook mask for thumb setend
+
+From: Fredrik Strupe
+
+commit fc2266011accd5aeb8ebc335c381991f20e26e33 upstream.
+
+For thumb instructions, call_undef_hook() in traps.c first reads a u16,
+and if the u16 indicates a T32 instruction (u16 >= 0xe800), a second
+u16 is read, which then makes up the the lower half-word of a T32
+instruction. For T16 instructions, the second u16 is not read,
+which makes the resulting u32 opcode always have the upper half set to
+0.
+
+However, having the upper half of instr_mask in the undef_hook set to 0
+masks out the upper half of all thumb instructions - both T16 and T32.
+This results in trapped T32 instructions with the lower half-word equal
+to the T16 encoding of setend (b650) being matched, even though the upper
+half-word is not 0000 and thus indicates a T32 opcode.
+
+An example of such a T32 instruction is eaa0b650, which should raise a
+SIGILL since T32 instructions with an eaa prefix are unallocated as per
+Arm ARM, but instead works as a SETEND because the second half-word is set
+to b650.
+
+This patch fixes the issue by extending instr_mask to include the
+upper u32 half, which will still match T16 instructions where the upper
+half is 0, but not T32 instructions.
+
+Fixes: 2d888f48e056 ("arm64: Emulate SETEND for AArch32 tasks")
+Cc: # 4.0.x-
+Reviewed-by: Suzuki K Poulose
+Signed-off-by: Fredrik Strupe
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/armv8_deprecated.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/armv8_deprecated.c
++++ b/arch/arm64/kernel/armv8_deprecated.c
+@@ -604,7 +604,7 @@ static struct undef_hook setend_hooks[]
+ },
+ {
+ /* Thumb mode */
+- .instr_mask = 0x0000fff7,
++ .instr_mask = 0xfffffff7,
+ .instr_val = 0x0000b650,
+ .pstate_mask = (PSR_AA32_T_BIT | PSR_AA32_MODE_MASK),
+ .pstate_val = (PSR_AA32_T_BIT | PSR_AA32_MODE_USR),
diff --git a/queue-4.19/clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch b/queue-4.19/clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch
new file mode 100644
index 00000000000..a8b023981f6
--- /dev/null
+++ b/queue-4.19/clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch
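Review bot: The `/* Thumb mode */` comment in setend_hooks[] (arch/arm64/kernel/armv8_deprecated.c) gives no hint that the upper half of `.instr_mask` is now significant, so a later edit could narrow it again. A comment such as `/* Thumb mode: T16 only, upper half-word must be zero so T32 opcodes ending in b650 do not match */` would keep the reasoning from the commit message next to the value. The array definition starts and ends outside the hunk.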
@@ -0,0 +1,39 @@
+From c067b46d731a764fc46ecc466c2967088c97089e Mon Sep 17 00:00:00 2001
+From: Paul Cercueil
+Date: Thu, 13 Feb 2020 13:19:51 -0300
+Subject: clk: ingenic/jz4770: Exit with error if CGU init failed
+
+From: Paul Cercueil
+
+commit c067b46d731a764fc46ecc466c2967088c97089e upstream.
+
+Exit jz4770_cgu_init() if the 'cgu' pointer we get is NULL, since the
+pointer is passed as argument to functions later on.
+
+Fixes: 7a01c19007ad ("clk: Add Ingenic jz4770 CGU driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Cercueil
+Reported-by: kbuild test robot
+Reported-by: Dan Carpenter
+Link: https://lkml.kernel.org/r/20200213161952.37460-1-paul@crapouillou.net
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/ingenic/jz4770-cgu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/ingenic/jz4770-cgu.c
++++ b/drivers/clk/ingenic/jz4770-cgu.c
+@@ -436,8 +436,10 @@ static void __init jz4770_cgu_init(struc
+
+ cgu = ingenic_cgu_new(jz4770_cgu_clocks,
+ ARRAY_SIZE(jz4770_cgu_clocks), np);
+- if (!cgu)
++ if (!cgu) {
+ pr_err("%s: failed to initialise CGU\n", __func__);
++ return;
++ }
+
+ retval = ingenic_cgu_register_clocks(cgu);
+ if (retval)
diff --git a/queue-4.19/cpufreq-powernv-fix-use-after-free.patch b/queue-4.19/cpufreq-powernv-fix-use-after-free.patch
new file mode 100644
index 00000000000..bb7b6a5be45
--- /dev/null
+++ b/queue-4.19/cpufreq-powernv-fix-use-after-free.patch
@@ -0,0 +1,46 @@
+From d0a72efac89d1c35ac55197895201b7b94c5e6ef Mon Sep 17 00:00:00 2001
+From: Oliver O'Halloran
+Date: Thu, 6 Feb 2020 17:26:21 +1100
+Subject: cpufreq: powernv: Fix use-after-free
+
+From: Oliver O'Halloran
+
+commit d0a72efac89d1c35ac55197895201b7b94c5e6ef upstream.
+
+The cpufreq driver has a use-after-free that we can hit if:
+
+a) There's an OCC message pending when the notifier is registered, and
+b) The cpufreq driver fails to register with the core.
+
+When a) occurs the notifier schedules a workqueue item to handle the
+message. The backing work_struct is located on chips[].throttle and
+when b) happens we clean up by freeing the array. Once we get to
+the (now free) queued item and the kernel crashes.
+
+Fixes: c5e29ea7ac14 ("cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}")
+Cc: stable@vger.kernel.org # v4.6+
+Signed-off-by: Oliver O'Halloran
+Reviewed-by: Gautham R. Shenoy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20200206062622.28235-1-oohall@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cpufreq/powernv-cpufreq.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/cpufreq/powernv-cpufreq.c
++++ b/drivers/cpufreq/powernv-cpufreq.c
+@@ -1081,6 +1081,12 @@ free_and_return:
+
+ static inline void clean_chip_info(void)
+ {
++ int i;
++
++ /* flush any pending work items */
++ if (chips)
++ for (i = 0; i < nr_chips; i++)
++ cancel_work_sync(&chips[i].throttle);
+ kfree(chips);
+ }
+
diff --git a/queue-4.19/dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch b/queue-4.19/dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch
new file mode 100644
index 00000000000..70505781242
--- /dev/null
+++ b/queue-4.19/dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch
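Review bot: In clean_chip_info() (drivers/cpufreq/powernv-cpufreq.c) the new comment says `/* flush any pending work items */`, but the code calls cancel_work_sync(), which cancels queued work rather than running it; something like `/* cancel pending throttle work before chips[] is freed */` would describe what actually protects the kfree(). The fix also only holds if nothing can queue `chips[i].throttle` again after the loop has finished. The hunk does not show whether the OCC notifier is already unregistered when clean_chip_info() runs, so that ordering is worth confirming at the call sites.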
@@ -0,0 +1,57 @@ +From 75fa601934fda23d2f15bf44b09c2401942d8e15 Mon Sep 17 00:00:00 2001 +From: "Shetty, Harshini X (EXT-Sony Mobile)" +Date: Tue, 17 Mar 2020 09:15:45 +0000 +Subject: dm verity fec: fix memory leak in verity_fec_dtr + +From: Shetty, Harshini X (EXT-Sony Mobile) + +commit 75fa601934fda23d2f15bf44b09c2401942d8e15 upstream. + +Fix below kmemleak detected in verity_fec_ctr. output_pool is +allocated for each dm-verity-fec device. But it is not freed when +dm-table for the verity target is removed. Hence free the output +mempool in destructor function verity_fec_dtr. + +unreferenced object 0xffffffffa574d000 (size 4096): + comm "init", pid 1667, jiffies 4294894890 (age 307.168s) + hex dump (first 32 bytes): + 8e 36 00 98 66 a8 0b 9b 00 00 00 00 00 00 00 00 .6..f........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000060e82407>] __kmalloc+0x2b4/0x340 + [<00000000dd99488f>] mempool_kmalloc+0x18/0x20 + [<000000002560172b>] mempool_init_node+0x98/0x118 + [<000000006c3574d2>] mempool_init+0x14/0x20 + [<0000000008cb266e>] verity_fec_ctr+0x388/0x3b0 + [<000000000887261b>] verity_ctr+0x87c/0x8d0 + [<000000002b1e1c62>] dm_table_add_target+0x174/0x348 + [<000000002ad89eda>] table_load+0xe4/0x328 + [<000000001f06f5e9>] dm_ctl_ioctl+0x3b4/0x5a0 + [<00000000bee5fbb7>] do_vfs_ioctl+0x5dc/0x928 + [<00000000b475b8f5>] __arm64_sys_ioctl+0x70/0x98 + [<000000005361e2e8>] el0_svc_common+0xa0/0x158 + [<000000001374818f>] el0_svc_handler+0x6c/0x88 + [<000000003364e9f4>] el0_svc+0x8/0xc + [<000000009d84cec9>] 0xffffffffffffffff + +Fixes: a739ff3f543af ("dm verity: add support for forward error correction") +Depends-on: 6f1c819c219f7 ("dm: convert to bioset_init()/mempool_init()") +Cc: stable@vger.kernel.org +Signed-off-by: Harshini Shetty +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-verity-fec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/dm-verity-fec.c ++++ 
b/drivers/md/dm-verity-fec.c +@@ -552,6 +552,7 @@ void verity_fec_dtr(struct dm_verity *v) + mempool_exit(&f->rs_pool); + mempool_exit(&f->prealloc_pool); + mempool_exit(&f->extra_pool); ++ mempool_exit(&f->output_pool); + kmem_cache_destroy(f->cache); + + if (f->data_bufio) diff --git a/queue-4.19/dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch b/queue-4.19/dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch new file mode 100644 index 00000000000..9a572af8ba3 --- /dev/null +++ b/queue-4.19/dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch 
@@ -0,0 +1,52 @@
+From 1edaa447d958bec24c6a79685a5790d98976fd16 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 27 Mar 2020 07:22:36 -0400
+Subject: dm writecache: add cond_resched to avoid CPU hangs
+
+From: Mikulas Patocka
+
+commit 1edaa447d958bec24c6a79685a5790d98976fd16 upstream.
+
+Initializing a dm-writecache device can take a long time when the
+persistent memory device is large. Add cond_resched() to a few loops
+to avoid warnings that the CPU is stuck.
+
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-writecache.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -878,6 +878,7 @@ static int writecache_alloc_entries(stru
+ struct wc_entry *e = &wc->entries[b];
+ e->index = b;
+ e->write_in_progress = false;
++ cond_resched();
+ }
+
+ return 0;
+@@ -932,6 +933,7 @@ static void writecache_resume(struct dm_
+ e->original_sector = le64_to_cpu(wme.original_sector);
+ e->seq_count = le64_to_cpu(wme.seq_count);
+ }
++ cond_resched();
+ }
+ #endif
+ for (b = 0; b < wc->n_blocks; b++) {
+@@ -1764,8 +1766,10 @@ static int init_memory(struct dm_writeca
+ pmem_assign(sb(wc)->n_blocks, cpu_to_le64(wc->n_blocks));
+ pmem_assign(sb(wc)->seq_count, cpu_to_le64(0));
+
+- for (b = 0; b < wc->n_blocks; b++)
++ for (b = 0; b < wc->n_blocks; b++) {
+ write_original_sector_seq_count(wc, &wc->entries[b], -1, -1);
++ cond_resched();
++ }
+
+ writecache_flush_all_metadata(wc);
+ writecache_commit_flushed(wc, false);
diff --git a/queue-4.19/drm-etnaviv-rework-perfmon-query-infrastructure.patch b/queue-4.19/drm-etnaviv-rework-perfmon-query-infrastructure.patch
new file mode 100644
index 00000000000..a38730ab941
--- /dev/null
+++ b/queue-4.19/drm-etnaviv-rework-perfmon-query-infrastructure.patch
@@ -0,0 +1,136 @@ +From ed1dd899baa32d47d9a93d98336472da50564346 Mon Sep 17 00:00:00 2001 +From: Christian Gmeiner +Date: Fri, 28 Feb 2020 11:37:49 +0100 +Subject: drm/etnaviv: rework perfmon query infrastructure + +From: Christian Gmeiner + +commit ed1dd899baa32d47d9a93d98336472da50564346 upstream. + +Report the correct perfmon domains and signals depending +on the supported feature flags. + +Reported-by: Dan Carpenter +Fixes: 9e2c2e273012 ("drm/etnaviv: add infrastructure to query perf counter") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Gmeiner +Signed-off-by: Lucas Stach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/etnaviv/etnaviv_perfmon.c | 59 ++++++++++++++++++++++++++---- + 1 file changed, 52 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c +@@ -31,6 +31,7 @@ struct etnaviv_pm_domain { + }; + + struct etnaviv_pm_domain_meta { ++ unsigned int feature; + const struct etnaviv_pm_domain *domains; + u32 nr_domains; + }; +@@ -388,36 +389,78 @@ static const struct etnaviv_pm_domain do + + static const struct etnaviv_pm_domain_meta doms_meta[] = { + { ++ .feature = chipFeatures_PIPE_3D, + .nr_domains = ARRAY_SIZE(doms_3d), + .domains = &doms_3d[0] + }, + { ++ .feature = chipFeatures_PIPE_2D, + .nr_domains = ARRAY_SIZE(doms_2d), + .domains = &doms_2d[0] + }, + { ++ .feature = chipFeatures_PIPE_VG, + .nr_domains = ARRAY_SIZE(doms_vg), + .domains = &doms_vg[0] + } + }; + ++static unsigned int num_pm_domains(const struct etnaviv_gpu *gpu) ++{ ++ unsigned int num = 0, i; ++ ++ for (i = 0; i < ARRAY_SIZE(doms_meta); i++) { ++ const struct etnaviv_pm_domain_meta *meta = &doms_meta[i]; ++ ++ if (gpu->identity.features & meta->feature) ++ num += meta->nr_domains; ++ } ++ ++ return num; ++} ++ ++static const struct etnaviv_pm_domain *pm_domain(const struct etnaviv_gpu *gpu, ++ unsigned int index) ++{ ++ const struct etnaviv_pm_domain *domain = NULL; ++ unsigned int 
offset = 0, i; ++ ++ for (i = 0; i < ARRAY_SIZE(doms_meta); i++) { ++ const struct etnaviv_pm_domain_meta *meta = &doms_meta[i]; ++ ++ if (!(gpu->identity.features & meta->feature)) ++ continue; ++ ++ if (meta->nr_domains < (index - offset)) { ++ offset += meta->nr_domains; ++ continue; ++ } ++ ++ domain = meta->domains + (index - offset); ++ } ++ ++ return domain; ++} ++ + int etnaviv_pm_query_dom(struct etnaviv_gpu *gpu, + struct drm_etnaviv_pm_domain *domain) + { +- const struct etnaviv_pm_domain_meta *meta = &doms_meta[domain->pipe]; ++ const unsigned int nr_domains = num_pm_domains(gpu); + const struct etnaviv_pm_domain *dom; + +- if (domain->iter >= meta->nr_domains) ++ if (domain->iter >= nr_domains) + return -EINVAL; + +- dom = meta->domains + domain->iter; ++ dom = pm_domain(gpu, domain->iter); ++ if (!dom) ++ return -EINVAL; + + domain->id = domain->iter; + domain->nr_signals = dom->nr_signals; + strncpy(domain->name, dom->name, sizeof(domain->name)); + + domain->iter++; +- if (domain->iter == meta->nr_domains) ++ if (domain->iter == nr_domains) + domain->iter = 0xff; + + return 0; +@@ -426,14 +469,16 @@ int etnaviv_pm_query_dom(struct etnaviv_ + int etnaviv_pm_query_sig(struct etnaviv_gpu *gpu, + struct drm_etnaviv_pm_signal *signal) + { +- const struct etnaviv_pm_domain_meta *meta = &doms_meta[signal->pipe]; ++ const unsigned int nr_domains = num_pm_domains(gpu); + const struct etnaviv_pm_domain *dom; + const struct etnaviv_pm_signal *sig; + +- if (signal->domain >= meta->nr_domains) ++ if (signal->domain >= nr_domains) + return -EINVAL; + +- dom = meta->domains + signal->domain; ++ dom = pm_domain(gpu, signal->domain); ++ if (!dom) ++ return -EINVAL; + + if (signal->iter >= dom->nr_signals) + return -EINVAL; diff --git a/queue-4.19/ext4-fix-a-data-race-at-inode-i_blocks.patch b/queue-4.19/ext4-fix-a-data-race-at-inode-i_blocks.patch new file mode 100644 index 00000000000..6560adaeb2c --- /dev/null 
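Review bot: pm_domain() in etnaviv_perfmon.c can hand back a pointer one element past the end of a domain array, because the skip test `if (meta->nr_domains < (index - offset))` lets `index - offset == meta->nr_domains` fall through to `domain = meta->domains + (index - offset)`. The index comes from the ioctl fields `domain->iter` and `signal->domain` and is bounded only by the summed count from num_pm_domains(), so on a GPU that exposes more than one pipe, `dom->nr_signals` and `dom->name` can be read out of bounds and written into the reply struct. The loop also keeps iterating after a match, so a later feature group can overwrite the result with the wrong entry. Suggest `if (index - offset >= meta->nr_domains) {` for the skip test, `return meta->domains + (index - offset);` on a match, and `return NULL;` after the loop.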
+++ b/queue-4.19/ext4-fix-a-data-race-at-inode-i_blocks.patch 
@@ -0,0 +1,90 @@ +From 28936b62e71e41600bab319f262ea9f9b1027629 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Fri, 21 Feb 2020 23:32:58 -0500 +Subject: ext4: fix a data race at inode->i_blocks + +From: Qian Cai + +commit 28936b62e71e41600bab319f262ea9f9b1027629 upstream. + +inode->i_blocks could be accessed concurrently as noticed by KCSAN, + + BUG: KCSAN: data-race in ext4_do_update_inode [ext4] / inode_add_bytes + + write to 0xffff9a00d4b982d0 of 8 bytes by task 22100 on cpu 118: + inode_add_bytes+0x65/0xf0 + __inode_add_bytes at fs/stat.c:689 + (inlined by) inode_add_bytes at fs/stat.c:702 + ext4_mb_new_blocks+0x418/0xca0 [ext4] + ext4_ext_map_blocks+0x1a6b/0x27b0 [ext4] + ext4_map_blocks+0x1a9/0x950 [ext4] + _ext4_get_block+0xfc/0x270 [ext4] + ext4_get_block_unwritten+0x33/0x50 [ext4] + __block_write_begin_int+0x22e/0xae0 + __block_write_begin+0x39/0x50 + ext4_write_begin+0x388/0xb50 [ext4] + ext4_da_write_begin+0x35f/0x8f0 [ext4] + generic_perform_write+0x15d/0x290 + ext4_buffered_write_iter+0x11f/0x210 [ext4] + ext4_file_write_iter+0xce/0x9e0 [ext4] + new_sync_write+0x29c/0x3b0 + __vfs_write+0x92/0xa0 + vfs_write+0x103/0x260 + ksys_write+0x9d/0x130 + __x64_sys_write+0x4c/0x60 + do_syscall_64+0x91/0xb05 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + read to 0xffff9a00d4b982d0 of 8 bytes by task 8 on cpu 65: + ext4_do_update_inode+0x4a0/0xf60 [ext4] + ext4_inode_blocks_set at fs/ext4/inode.c:4815 + ext4_mark_iloc_dirty+0xaf/0x160 [ext4] + ext4_mark_inode_dirty+0x129/0x3e0 [ext4] + ext4_convert_unwritten_extents+0x253/0x2d0 [ext4] + ext4_convert_unwritten_io_end_vec+0xc5/0x150 [ext4] + ext4_end_io_rsv_work+0x22c/0x350 [ext4] + process_one_work+0x54f/0xb90 + worker_thread+0x80/0x5f0 + kthread+0x1cd/0x1f0 + ret_from_fork+0x27/0x50 + + 4 locks held by kworker/u256:0/8: + #0: ffff9a025abc4328 ((wq_completion)ext4-rsv-conversion){+.+.}, at: process_one_work+0x443/0xb90 + #1: ffffab5a862dbe20 ((work_completion)(&ei->i_rsv_conversion_work)){+.+.}, at: 
process_one_work+0x443/0xb90 + #2: ffff9a025a9d0f58 (jbd2_handle){++++}, at: start_this_handle+0x1c1/0x9d0 [jbd2] + #3: ffff9a00d4b985d8 (&(&ei->i_raw_lock)->rlock){+.+.}, at: ext4_do_update_inode+0xaa/0xf60 [ext4] + irq event stamp: 3009267 + hardirqs last enabled at (3009267): [] __find_get_block+0x107/0x790 + hardirqs last disabled at (3009266): [] __find_get_block+0x49/0x790 + softirqs last enabled at (3009230): [] __do_softirq+0x34c/0x57c + softirqs last disabled at (3009223): [] irq_exit+0xa2/0xc0 + + Reported by Kernel Concurrency Sanitizer on: + CPU: 65 PID: 8 Comm: kworker/u256:0 Tainted: G L 5.6.0-rc2-next-20200221+ #7 + Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019 + Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work [ext4] + +The plain read is outside of inode->i_lock critical section which +results in a data race. Fix it by adding READ_ONCE() there. + +Link: https://lore.kernel.org/r/20200222043258.2279-1-cai@lca.pw +Signed-off-by: Qian Cai +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5140,7 +5140,7 @@ static int ext4_inode_blocks_set(handle_ + struct ext4_inode_info *ei) + { + struct inode *inode = &(ei->vfs_inode); +- u64 i_blocks = inode->i_blocks; ++ u64 i_blocks = READ_ONCE(inode->i_blocks); + struct super_block *sb = inode->i_sb; + + if (i_blocks <= ~0U) { diff --git a/queue-4.19/fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch b/queue-4.19/fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch new file mode 100644 index 00000000000..b67202931b2 --- /dev/null +++ b/queue-4.19/fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch 
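Review bot: The READ_ONCE() added in ext4_inode_blocks_set() has no comment saying why a lockless read of i_blocks is acceptable here, so the next reader has to recover that from the KCSAN report in the commit message. A one-line comment such as `/* i_blocks is updated under inode->i_lock; this read is lockless */` above the declaration would record it. It may also be worth checking 32-bit builds, where a 64-bit READ_ONCE() is presumably not a single load and could still observe a torn value. The function body continues past the end of the hunk.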
@@ -0,0 +1,55 @@
+From 26c5d78c976ca298e59a56f6101a97b618ba3539 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Fri, 10 Apr 2020 14:33:47 -0700
+Subject: fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once()
+
+From: Eric Biggers
+
+commit 26c5d78c976ca298e59a56f6101a97b618ba3539 upstream.
+
+After request_module(), nothing is stopping the module from being
+unloaded until someone takes a reference to it via try_get_module().
+
+The WARN_ONCE() in get_fs_type() is thus user-reachable, via userspace
+running 'rmmod' concurrently.
+
+Since WARN_ONCE() is for kernel bugs only, not for user-reachable
+situations, downgrade this warning to pr_warn_once().
+
+Keep it printed once only, since the intent of this warning is to detect
+a bug in modprobe at boot time. Printing the warning more than once
+wouldn't really provide any useful extra information.
+
+Fixes: 41124db869b7 ("fs: warn in case userspace lied about modprobe return")
+Signed-off-by: Eric Biggers
+Signed-off-by: Andrew Morton
+Reviewed-by: Jessica Yu
+Cc: Alexei Starovoitov
+Cc: Greg Kroah-Hartman
+Cc: Jeff Vander Stoep
+Cc: Jessica Yu
+Cc: Kees Cook
+Cc: Luis Chamberlain
+Cc: NeilBrown
+Cc: [4.13+]
+Link: http://lkml.kernel.org/r/20200312202552.241885-3-ebiggers@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/filesystems.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/filesystems.c
++++ b/fs/filesystems.c
+@@ -267,7 +267,9 @@ struct file_system_type *get_fs_type(con
+ fs = __get_fs_type(name, len);
+ if (!fs && (request_module("fs-%.*s", len, name) == 0)) {
+ fs = __get_fs_type(name, len);
+- WARN_ONCE(!fs, "request_module fs-%.*s succeeded, but still no fs?\n", len, name);
++ if (!fs)
++ pr_warn_once("request_module fs-%.*s succeeded, but still no fs?\n",
++ len, name);
+ }
+
+ if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
diff --git a/queue-4.19/hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch b/queue-4.19/hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch
new file mode 100644
index 00000000000..822fc5300d2
--- /dev/null
+++ b/queue-4.19/hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch
@@ -0,0 +1,52 @@
+From 25efb2ffdf991177e740b2f63e92b4ec7d310a92 Mon Sep 17 00:00:00 2001
+From: Simon Gander
+Date: Fri, 10 Apr 2020 14:32:16 -0700
+Subject: hfsplus: fix crash and filesystem corruption when deleting files
+
+From: Simon Gander
+
+commit 25efb2ffdf991177e740b2f63e92b4ec7d310a92 upstream.
+
+When removing files containing extended attributes, the hfsplus driver may
+remove the wrong entries from the attributes b-tree, causing major
+filesystem damage and in some cases even kernel crashes.
+
+To remove a file, all its extended attributes have to be removed as well.
+The driver does this by looking up all keys in the attributes b-tree with
+the cnid of the file. Each of these entries then gets deleted using the
+key used for searching, which doesn't contain the attribute's name when it
+should. Since the key doesn't contain the name, the deletion routine will
+not find the correct entry and instead remove the one in front of it. If
+parent nodes have to be modified, these become corrupt as well. This
+causes invalid links and unsorted entries that not even macOS's fsck_hfs
+is able to fix.
+
+To fix this, modify the search key before an entry is deleted from the
+attributes b-tree by copying the found entry's key into the search key,
+therefore ensuring that the correct entry gets removed from the tree.
+
+Signed-off-by: Simon Gander
+Signed-off-by: Andrew Morton
+Reviewed-by: Anton Altaparmakov
+Cc:
+Link: http://lkml.kernel.org/r/20200327155541.1521-1-simon@tuxera.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/hfsplus/attributes.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/hfsplus/attributes.c
++++ b/fs/hfsplus/attributes.c
+@@ -292,6 +292,10 @@ static int __hfsplus_delete_attr(struct
+ return -ENOENT;
+ }
+
++ /* Avoid btree corruption */
++ hfs_bnode_read(fd->bnode, fd->search_key,
++ fd->keyoffset, fd->keylength);
++
+ err = hfs_brec_remove(fd);
+ if (err)
+ return err;
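Review bot: `/* Avoid btree corruption */` in __hfsplus_delete_attr() does not say what the hfs_bnode_read() call is for; a comment like `/* copy the found record's full key (including the attribute name) into search_key so hfs_brec_remove() deletes this record */` would carry the reasoning from the commit message into the code. The copy length `fd->keylength` originates from the on-disk node, and the hunk does not show it being checked against the size of the search_key buffer. If that bound is enforced where the record is looked up, it deserves a mention here, since a corrupted or untrusted image is the input that matters. The function starts and ends outside the hunk.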
diff --git a/queue-4.19/input-i8042-add-acer-aspire-5738z-to-nomux-list.patch b/queue-4.19/input-i8042-add-acer-aspire-5738z-to-nomux-list.patch new file mode 100644 index 00000000000..7448d472588 --- /dev/null +++ b/queue-4.19/input-i8042-add-acer-aspire-5738z-to-nomux-list.patch @@ -0,0 +1,52 @@ +From ebc68cedec4aead47d8d11623d013cca9bf8e825 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 1 Apr 2020 13:23:06 -0700 +Subject: Input: i8042 - add Acer Aspire 5738z to nomux list + +From: Hans de Goede + +commit ebc68cedec4aead47d8d11623d013cca9bf8e825 upstream. + +The Acer Aspire 5738z has a button to disable (and re-enable) the +touchpad next to the touchpad. + +When this button is pressed a LED underneath indicates that the touchpad +is disabled (and an event is send to userspace and GNOME shows its +touchpad enabled / disable OSD thingie). + +So far so good, but after re-enabling the touchpad it no longer works. + +The laptop does not have an external ps2 port, so mux mode is not needed +and disabling mux mode fixes the touchpad no longer working after toggling +it off and back on again, so lets add this laptop model to the nomux list. + +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20200331123947.318908-1-hdegoede@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -534,6 +534,17 @@ static const struct dmi_system_id __init + DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo LaVie Z"), + }, + }, ++ { ++ /* ++ * Acer Aspire 5738z ++ * Touchpad stops working in mux mode when dis- + re-enabled ++ * with the touchpad enable/disable toggle hotkey ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5738"), ++ }, ++ }, + { } + }; + 
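Review bot: The quirk comment names the Acer Aspire 5738z, but the entry matches on `DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 5738")`, and DMI_MATCH is a substring match, so every product name containing "Aspire 5738" gets the nomux treatment. If that is intended, the comment should say so, e.g. `* Acer Aspire 5738z (matches all "Aspire 5738" product names)`. If only the 5738z shows the problem, the match string should be narrowed instead.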
diff --git a/queue-4.19/ipmi-fix-hung-processes-in-__get_guid.patch b/queue-4.19/ipmi-fix-hung-processes-in-__get_guid.patch new file mode 100644 index 00000000000..4e5fd7ddd69 --- /dev/null +++ b/queue-4.19/ipmi-fix-hung-processes-in-__get_guid.patch 
@@ -0,0 +1,68 @@ +From 32830a0534700f86366f371b150b17f0f0d140d7 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 3 Apr 2020 17:04:08 +0800 +Subject: ipmi: fix hung processes in __get_guid() + +From: Wen Yang + +commit 32830a0534700f86366f371b150b17f0f0d140d7 upstream. + +The wait_event() function is used to detect command completion. +When send_guid_cmd() returns an error, smi_send() has not been +called to send data. Therefore, wait_event() should not be used +on the error path, otherwise it will cause the following warning: + +[ 1361.588808] systemd-udevd D 0 1501 1436 0x00000004 +[ 1361.588813] ffff883f4b1298c0 0000000000000000 ffff883f4b188000 ffff887f7e3d9f40 +[ 1361.677952] ffff887f64bd4280 ffffc90037297a68 ffffffff8173ca3b ffffc90000000010 +[ 1361.767077] 00ffc90037297ad0 ffff887f7e3d9f40 0000000000000286 ffff883f4b188000 +[ 1361.856199] Call Trace: +[ 1361.885578] [] ? __schedule+0x23b/0x780 +[ 1361.951406] [] schedule+0x36/0x80 +[ 1362.010979] [] get_guid+0x118/0x150 [ipmi_msghandler] +[ 1362.091281] [] ? prepare_to_wait_event+0x100/0x100 +[ 1362.168533] [] ipmi_register_smi+0x405/0x940 [ipmi_msghandler] +[ 1362.258337] [] try_smi_init+0x529/0x950 [ipmi_si] +[ 1362.334521] [] ? std_irq_setup+0xd0/0xd0 [ipmi_si] +[ 1362.411701] [] init_ipmi_si+0x492/0x9e0 [ipmi_si] +[ 1362.487917] [] ? ipmi_pci_probe+0x280/0x280 [ipmi_si] +[ 1362.568219] [] do_one_initcall+0x50/0x180 +[ 1362.636109] [] ? kmem_cache_alloc_trace+0x142/0x190 +[ 1362.714330] [] do_init_module+0x5f/0x200 +[ 1362.781208] [] load_module+0x1898/0x1de0 +[ 1362.848069] [] ? __symbol_put+0x60/0x60 +[ 1362.913886] [] ? security_kernel_post_read_file+0x6b/0x80 +[ 1362.998514] [] SYSC_finit_module+0xe5/0x120 +[ 1363.068463] [] ? 
SYSC_finit_module+0xe5/0x120 +[ 1363.140513] [] SyS_finit_module+0xe/0x10 +[ 1363.207364] [] do_syscall_64+0x74/0x180 + +Fixes: 50c812b2b951 ("[PATCH] ipmi: add full sysfs support") +Signed-off-by: Wen Yang +Cc: Corey Minyard +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Cc: openipmi-developer@lists.sourceforge.net +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # 2.6.17- +Message-Id: <20200403090408.58745-1-wenyang@linux.alibaba.com> +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ipmi/ipmi_msghandler.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -3134,8 +3134,8 @@ static void __get_guid(struct ipmi_smi * + if (rv) + /* Send failed, no GUID available. */ + bmc->dyn_guid_set = 0; +- +- wait_event(intf->waitq, bmc->dyn_guid_set != 2); ++ else ++ wait_event(intf->waitq, bmc->dyn_guid_set != 2); + + /* dyn_guid_set makes the guid data available. */ + smp_rmb(); diff --git a/queue-4.19/kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch b/queue-4.19/kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch new file mode 100644 index 00000000000..9533e0571bd --- /dev/null +++ b/queue-4.19/kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch 
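Review bot: After this change the success path in __get_guid() still sleeps in `wait_event(intf->waitq, bmc->dyn_guid_set != 2)`, which is uninterruptible and has no timeout, so a hung task remains possible if the command is sent but no response ever updates dyn_guid_set; whether a response is guaranteed is not visible in the hunk. Separately, the `if (rv)` / `else` pair is unbraced while the first arm carries a comment line, which is easy to misread. Writing it as `if (rv) {` … `} else {` … `}` would make the pairing explicit. The function body continues outside the hunk.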
@@ -0,0 +1,108 @@
+From d7d27cfc5cf0766a26a8f56868c5ad5434735126 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Fri, 10 Apr 2020 14:33:43 -0700
+Subject: kmod: make request_module() return an error when autoloading is disabled
+
+From: Eric Biggers
+
+commit d7d27cfc5cf0766a26a8f56868c5ad5434735126 upstream.
+
+Patch series "module autoloading fixes and cleanups", v5.
+
+This series fixes a bug where request_module() was reporting success to
+kernel code when module autoloading had been completely disabled via
+'echo > /proc/sys/kernel/modprobe'.
+
+It also addresses the issues raised on the original thread
+(https://lkml.kernel.org/lkml/20200310223731.126894-1-ebiggers@kernel.org/T/#u)
+bydocumenting the modprobe sysctl, adding a self-test for the empty path
+case, and downgrading a user-reachable WARN_ONCE().
+
+This patch (of 4):
+
+It's long been possible to disable kernel module autoloading completely
+(while still allowing manual module insertion) by setting
+/proc/sys/kernel/modprobe to the empty string.
+
+This can be preferable to setting it to a nonexistent file since it
+avoids the overhead of an attempted execve(), avoids potential
+deadlocks, and avoids the call to security_kernel_module_request() and
+thus on SELinux-based systems eliminates the need to write SELinux rules
+to dontaudit module_request.
+
+However, when module autoloading is disabled in this way,
+request_module() returns 0. This is broken because callers expect 0 to
+mean that the module was successfully loaded.
+
+Apparently this was never noticed because this method of disabling
+module autoloading isn't used much, and also most callers don't use the
+return value of request_module() since it's always necessary to check
+whether the module registered its functionality or not anyway.
+
+But improperly returning 0 can indeed confuse a few callers, for example
+get_fs_type() in fs/filesystems.c where it causes a WARNING to be hit:
+
+ if (!fs && (request_module("fs-%.*s", len, name) == 0)) {
+ fs = __get_fs_type(name, len);
+ WARN_ONCE(!fs, "request_module fs-%.*s succeeded, but still no fs?\n", len, name);
+ }
+
+This is easily reproduced with:
+
+ echo > /proc/sys/kernel/modprobe
+ mount -t NONEXISTENT none /
+
+It causes:
+
+ request_module fs-NONEXISTENT succeeded, but still no fs?
+ WARNING: CPU: 1 PID: 1106 at fs/filesystems.c:275 get_fs_type+0xd6/0xf0
+ [...]
+
+This should actually use pr_warn_once() rather than WARN_ONCE(), since
+it's also user-reachable if userspace immediately unloads the module.
+Regardless, request_module() should correctly return an error when it
+fails. So let's make it return -ENOENT, which matches the error when
+the modprobe binary doesn't exist.
+
+I've also sent patches to document and test this case.
+
+Signed-off-by: Eric Biggers
+Signed-off-by: Andrew Morton
+Reviewed-by: Kees Cook
+Reviewed-by: Jessica Yu
+Acked-by: Luis Chamberlain
+Cc: Alexei Starovoitov
+Cc: Greg Kroah-Hartman
+Cc: Jeff Vander Stoep
+Cc: Ben Hutchings
+Cc: Josh Triplett
+Cc:
+Link: http://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org
+Link: http://lkml.kernel.org/r/20200312202552.241885-1-ebiggers@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/kmod.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -120,7 +120,7 @@ out:
+ * invoke it.
+ *
+ * If module auto-loading support is disabled then this function
+- * becomes a no-operation.
++ * simply returns -ENOENT.
+ */
+ int __request_module(bool wait, const char *fmt, ...)
+ {
+@@ -137,7 +137,7 @@ int __request_module(bool wait, const ch
+ WARN_ON_ONCE(wait && current_is_async());
+
+ if (!modprobe_path[0])
+- return 0;
++ return -ENOENT;
+
+ va_start(args, fmt);
+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
diff --git a/queue-4.19/libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch b/queue-4.19/libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch
new file mode 100644
index 00000000000..a402cd86b9b
--- /dev/null
+++ b/queue-4.19/libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch
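Review bot: The early return at `if (!modprobe_path[0])` has no comment saying that an empty path is how an administrator switches autoloading off, so the `-ENOENT` reads like a failed lookup to anyone auditing `__request_module()`. I would add `/* empty modprobe path: autoloading disabled by the admin; fail before the LSM hook and the usermode helper */` above the check. The commit message states that this path avoids `security_kernel_module_request()`, but the rest of the function is outside the hunk, so the ordering should be confirmed there. The kernel-doc sentence `simply returns -ENOENT` could also say that callers must treat any non-zero return as "module not loaded".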
@@ -0,0 +1,74 @@ +From 8305f72f952cff21ce8109dc1ea4b321c8efc5af Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Wed, 27 Mar 2019 17:02:54 +0800 +Subject: libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set + +From: Kai-Heng Feng + +commit 8305f72f952cff21ce8109dc1ea4b321c8efc5af upstream. + +During system resume from suspend, this can be observed on ASM1062 PMP +controller: + +ata10.01: SATA link down (SStatus 0 SControl 330) +ata10.02: hard resetting link +ata10.02: SATA link down (SStatus 0 SControl 330) +ata10.00: configured for UDMA/133 +Kernel panic - not syncing: stack-protector: Kernel + in: sata_pmp_eh_recover+0xa2b/0xa40 + +CPU: 2 PID: 230 Comm: scsi_eh_9 Tainted: P OE +#49-Ubuntu +Hardware name: System manufacturer System Product + 1001 12/10/2017 +Call Trace: +dump_stack+0x63/0x8b +panic+0xe4/0x244 +? sata_pmp_eh_recover+0xa2b/0xa40 +__stack_chk_fail+0x19/0x20 +sata_pmp_eh_recover+0xa2b/0xa40 +? ahci_do_softreset+0x260/0x260 [libahci] +? ahci_do_hardreset+0x140/0x140 [libahci] +? ata_phys_link_offline+0x60/0x60 +? ahci_stop_engine+0xc0/0xc0 [libahci] +sata_pmp_error_handler+0x22/0x30 +ahci_error_handler+0x45/0x80 [libahci] +ata_scsi_port_error_handler+0x29b/0x770 +? ata_scsi_cmd_error_handler+0x101/0x140 +ata_scsi_error+0x95/0xd0 +? scsi_try_target_reset+0x90/0x90 +scsi_error_handler+0xd0/0x5b0 +kthread+0x121/0x140 +? scsi_eh_get_sense+0x200/0x200 +? kthread_create_worker_on_cpu+0x70/0x70 +ret_from_fork+0x22/0x40 +Kernel Offset: 0xcc00000 from 0xffffffff81000000 +(relocation range: 0xffffffff80000000-0xffffffffbfffffff) + +Since sata_pmp_eh_recover_pmp() doens't set rc when ATA_DFLAG_DETACH is +set, sata_pmp_eh_recover() continues to run. During retry it triggers +the stack protector. + +Set correct rc in sata_pmp_eh_recover_pmp() to let sata_pmp_eh_recover() +jump to pmp_fail directly. 
+ +BugLink: https://bugs.launchpad.net/bugs/1821434 +Cc: stable@vger.kernel.org +Signed-off-by: Kai-Heng Feng +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-pmp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/libata-pmp.c ++++ b/drivers/ata/libata-pmp.c +@@ -764,6 +764,7 @@ static int sata_pmp_eh_recover_pmp(struc + + if (dev->flags & ATA_DFLAG_DETACH) { + detach = 1; ++ rc = -ENODEV; + goto fail; + } + diff --git a/queue-4.19/nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch b/queue-4.19/nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch new file mode 100644 index 00000000000..bc88e348882 --- /dev/null +++ b/queue-4.19/nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch @@ -0,0 +1,31 @@ +From add42de31721fa29ed77a7ce388674d69f9d31a4 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 1 Apr 2020 10:07:16 -0400 +Subject: NFS: Fix a page leak in nfs_destroy_unlinked_subrequests() + +From: Trond Myklebust + +commit add42de31721fa29ed77a7ce388674d69f9d31a4 upstream. + +When we detach a subrequest from the list, we must also release the +reference it holds to the parent. + +Fixes: 5b2b5187fa85 ("NFS: Fix nfs_page_group_destroy() and nfs_lock_and_join_requests() race cases") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/write.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -432,6 +432,7 @@ nfs_destroy_unlinked_subrequests(struct + } + + subreq->wb_head = subreq; ++ nfs_release_request(old_head); + + if (test_and_clear_bit(PG_INODE_REF, &subreq->wb_flags)) { + nfs_release_request(subreq); diff --git a/queue-4.19/ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch b/queue-4.19/ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch new file mode 100644 index 00000000000..99aeb34ef8f --- /dev/null 
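Review bot: In `sata_pmp_eh_recover_pmp()` the new `rc = -ENODEV;` keeps the caller off the retry path, but the stack-protector panic quoted in the message means some stack object in `sata_pmp_eh_recover()` was overrun, and nothing in the hunk shows or bounds that write. A comment at the assignment would record the reasoning, e.g. `/* device is going away: fail recovery so the caller jumps to pmp_fail instead of retrying */`. Whether the overrun can still be reached by another route cannot be judged from here, since both functions lie outside the hunk, and is worth checking separately.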
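Review bot: The added `nfs_release_request(old_head);` in `nfs_destroy_unlinked_subrequests()` carries no comment pairing it with the reference it drops, and a put without a visible matching get is a common starting point for later use-after-free bugs. I would add `/* drop the reference this subrequest held on its former head */` above the call. Whether the caller keeps its own reference on `old_head` while the loop runs is not visible, because the function starts and ends outside the hunk; that should be confirmed.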
+++ b/queue-4.19/ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch
@@ -0,0 +1,59 @@
+From 783fda856e1034dee90a873f7654c418212d12d7 Mon Sep 17 00:00:00 2001
+From: Changwei Ge
+Date: Fri, 10 Apr 2020 14:32:38 -0700
+Subject: ocfs2: no need try to truncate file beyond i_size
+
+From: Changwei Ge
+
+commit 783fda856e1034dee90a873f7654c418212d12d7 upstream.
+
+Linux fallocate(2) with FALLOC_FL_PUNCH_HOLE mode set, its offset can
+exceed the inode size. Ocfs2 now doesn't allow that offset beyond inode
+size. This restriction is not necessary and violates fallocate(2)
+semantics.
+
+If fallocate(2) offset is beyond inode size, just return success and do
+nothing further.
+
+Otherwise, ocfs2 will crash the kernel.
+
+ kernel BUG at fs/ocfs2//alloc.c:7264!
+ ocfs2_truncate_inline+0x20f/0x360 [ocfs2]
+ ocfs2_remove_inode_range+0x23c/0xcb0 [ocfs2]
+ __ocfs2_change_file_space+0x4a5/0x650 [ocfs2]
+ ocfs2_fallocate+0x83/0xa0 [ocfs2]
+ vfs_fallocate+0x148/0x230
+ SyS_fallocate+0x48/0x80
+ do_syscall_64+0x79/0x170
+
+Signed-off-by: Changwei Ge
+Signed-off-by: Andrew Morton
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Cc:
+Link: http://lkml.kernel.org/r/20200407082754.17565-1-chge@linux.alibaba.com
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/alloc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -7403,6 +7403,10 @@ int ocfs2_truncate_inline(struct inode *
+ struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data;
+ struct ocfs2_inline_data *idata = &di->id2.i_data;
+
++ /* No need to punch hole beyond i_size. */
++ if (start >= i_size_read(inode))
++ return 0;
++
+ if (end > i_size_read(inode))
+ end = i_size_read(inode);
+
diff --git a/queue-4.19/perf-tools-support-python-3.8-in-makefile.patch b/queue-4.19/perf-tools-support-python-3.8-in-makefile.patch
new file mode 100644
index 00000000000..16db2d0d8cc
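Review bot: `ocfs2_truncate_inline()` now calls `i_size_read(inode)` up to three times across the early return and the clamp of `end`, so the two decisions are not guaranteed to see the same size if it can change in between (the locking is not visible in the hunk). Reading it once, `loff_t isize = i_size_read(inode);`, and testing `start >= isize` and `end > isize` keeps them consistent. The hunk also leaves a range with `start > end` below i_size unchecked; whether the BUG at alloc.c:7264 quoted in the message is still reachable that way depends on code outside the hunk.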
--- /dev/null
+++ b/queue-4.19/perf-tools-support-python-3.8-in-makefile.patch
@@ -0,0 +1,59 @@
+From b9c9ce4e598e012ca7c1813fae2f4d02395807de Mon Sep 17 00:00:00 2001
+From: Sam Lunt
+Date: Fri, 31 Jan 2020 12:11:23 -0600
+Subject: perf tools: Support Python 3.8+ in Makefile
+
+From: Sam Lunt
+
+commit b9c9ce4e598e012ca7c1813fae2f4d02395807de upstream.
+
+Python 3.8 changed the output of 'python-config --ldflags' to no longer
+include the '-lpythonX.Y' flag (this apparently fixed an issue loading
+modules with a statically linked Python executable). The libpython
+feature check in linux/build/feature fails if the Python library is not
+included in FEATURE_CHECK_LDFLAGS-libpython variable.
+
+This adds a check in the Makefile to determine if PYTHON_CONFIG accepts
+the '--embed' flag and passes that flag alongside '--ldflags' if so.
+
+tools/perf is the only place the libpython feature check is used.
+
+Signed-off-by: Sam Lunt
+Tested-by: He Zhe
+Link: http://lore.kernel.org/lkml/c56be2e1-8111-9dfe-8298-f7d0f9ab7431@windriver.com
+Acked-by: Jiri Olsa
+Cc: Alexander Shishkin
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: trivial@kernel.org
+Cc: stable@kernel.org
+Link: http://lore.kernel.org/lkml/20200131181123.tmamivhq4b7uqasr@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/perf/Makefile.config | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/Makefile.config
++++ b/tools/perf/Makefile.config
+@@ -205,8 +205,17 @@ strip-libs = $(filter-out -l%,$(1))
+
+ PYTHON_CONFIG_SQ := $(call shell-sq,$(PYTHON_CONFIG))
+
++# Python 3.8 changed the output of `python-config --ldflags` to not include the
++# '-lpythonX.Y' flag unless '--embed' is also passed. The feature check for
++# libpython fails if that flag is not included in LDFLAGS
++ifeq ($(shell $(PYTHON_CONFIG_SQ) --ldflags --embed 2>&1 1>/dev/null; echo $$?), 0)
++ PYTHON_CONFIG_LDFLAGS := --ldflags --embed
++else
++ PYTHON_CONFIG_LDFLAGS := --ldflags
++endif
++
+ ifdef PYTHON_CONFIG
+- PYTHON_EMBED_LDOPTS := $(shell $(PYTHON_CONFIG_SQ) --ldflags 2>/dev/null)
++ PYTHON_EMBED_LDOPTS := $(shell $(PYTHON_CONFIG_SQ) $(PYTHON_CONFIG_LDFLAGS) 2>/dev/null)
+ PYTHON_EMBED_LDFLAGS := $(call strip-libs,$(PYTHON_EMBED_LDOPTS))
+ PYTHON_EMBED_LIBADD := $(call grep-libs,$(PYTHON_EMBED_LDOPTS)) -lutil
+ PYTHON_EMBED_CCOPTS := $(shell $(PYTHON_CONFIG_SQ) --includes 2>/dev/null)
diff --git a/queue-4.19/powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch b/queue-4.19/powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch
new file mode 100644
index 00000000000..35224743196
--- /dev/null
+++ b/queue-4.19/powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch
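Review bot: The probe `$(shell $(PYTHON_CONFIG_SQ) --ldflags --embed 2>&1 1>/dev/null; echo $$?)` routes stderr into the captured text, so any warning printed by a python-config that does accept `--embed` makes the result differ from `0` and silently selects the non-embed branch. Discarding both streams leaves only the exit status to compare: `ifeq ($(shell $(PYTHON_CONFIG_SQ) --ldflags --embed >/dev/null 2>&1; echo $$?), 0)`. The block also sits above `ifdef PYTHON_CONFIG`, so the shell is invoked even when no python-config was found; moving it inside that `ifdef` avoids running the probe with an empty `PYTHON_CONFIG`.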
@@ -0,0 +1,101 @@ +From a83836dbc53e96f13fec248ecc201d18e1e3111d Mon Sep 17 00:00:00 2001 +From: Libor Pechacek +Date: Fri, 31 Jan 2020 14:28:29 +0100 +Subject: powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable + +From: Libor Pechacek + +commit a83836dbc53e96f13fec248ecc201d18e1e3111d upstream. + +In guests without hotplugagble memory drmem structure is only zero +initialized. Trying to manipulate DLPAR parameters results in a crash. + + $ echo "memory add count 1" > /sys/kernel/dlpar + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + ... + NIP: c0000000000ff294 LR: c0000000000ff248 CTR: 0000000000000000 + REGS: c0000000fb9d3880 TRAP: 0300 Tainted: G E (5.5.0-rc6-2-default) + MSR: 8000000000009033 CR: 28242428 XER: 20000000 + CFAR: c0000000009a6c10 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0 + ... + NIP dlpar_memory+0x6e4/0xd00 + LR dlpar_memory+0x698/0xd00 + Call Trace: + dlpar_memory+0x698/0xd00 (unreliable) + handle_dlpar_errorlog+0xc0/0x190 + dlpar_store+0x198/0x4a0 + kobj_attr_store+0x30/0x50 + sysfs_kf_write+0x64/0x90 + kernfs_fop_write+0x1b0/0x290 + __vfs_write+0x3c/0x70 + vfs_write+0xd0/0x260 + ksys_write+0xdc/0x130 + system_call+0x5c/0x68 + +Taking closer look at the code, I can see that for_each_drmem_lmb is a +macro expanding into `for (lmb = &drmem_info->lmbs[0]; lmb <= +&drmem_info->lmbs[drmem_info->n_lmbs - 1]; lmb++)`. When drmem_info->lmbs +is NULL, the loop would iterate through the whole address range if it +weren't stopped by the NULL pointer dereference on the next line. + +This patch aligns for_each_drmem_lmb and for_each_drmem_lmb_in_range +macro behavior with the common C semantics, where the end marker does +not belong to the scanned range, and alters get_lmb_range() semantics. +As a side effect, the wraparound observed in the crash is prevented. 
+ +Fixes: 6c6ea53725b3 ("powerpc/mm: Separate ibm, dynamic-memory data from DT format") +Cc: stable@vger.kernel.org # v4.16+ +Signed-off-by: Libor Pechacek +Signed-off-by: Michal Suchanek +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200131132829.10281-1-msuchanek@suse.de +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/drmem.h | 4 ++-- + arch/powerpc/platforms/pseries/hotplug-memory.c | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/drmem.h ++++ b/arch/powerpc/include/asm/drmem.h +@@ -28,12 +28,12 @@ struct drmem_lmb_info { + extern struct drmem_lmb_info *drmem_info; + + #define for_each_drmem_lmb_in_range(lmb, start, end) \ +- for ((lmb) = (start); (lmb) <= (end); (lmb)++) ++ for ((lmb) = (start); (lmb) < (end); (lmb)++) + + #define for_each_drmem_lmb(lmb) \ + for_each_drmem_lmb_in_range((lmb), \ + &drmem_info->lmbs[0], \ +- &drmem_info->lmbs[drmem_info->n_lmbs - 1]) ++ &drmem_info->lmbs[drmem_info->n_lmbs]) + + /* + * The of_drconf_cell_v1 struct defines the layout of the LMB data +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -227,7 +227,7 @@ static int get_lmb_range(u32 drc_index, + struct drmem_lmb **end_lmb) + { + struct drmem_lmb *lmb, *start, *end; +- struct drmem_lmb *last_lmb; ++ struct drmem_lmb *limit; + + start = NULL; + for_each_drmem_lmb(lmb) { +@@ -240,10 +240,10 @@ static int get_lmb_range(u32 drc_index, + if (!start) + return -EINVAL; + +- end = &start[n_lmbs - 1]; ++ end = &start[n_lmbs]; + +- last_lmb = &drmem_info->lmbs[drmem_info->n_lmbs - 1]; +- if (end > last_lmb) ++ limit = &drmem_info->lmbs[drmem_info->n_lmbs]; ++ if (end > limit) + return -EINVAL; + + *start_lmb = start; diff --git a/queue-4.19/rtc-omap-use-define-directive-for-pin_config_active_high.patch b/queue-4.19/rtc-omap-use-define-directive-for-pin_config_active_high.patch new file mode 100644 index 00000000000..255ad4ae7e5 
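Review bot: In `get_lmb_range()` the new `end = &start[n_lmbs];` is formed before it is compared with `limit`, so a large `n_lmbs` produces a pointer beyond one-past-the-end of `drmem_info->lmbs` and the `end > limit` test then depends on out-of-range pointer arithmetic that may wrap. The message shows DLPAR requests arriving through `/sys/kernel/dlpar`; if `n_lmbs` originates from such a request (the caller is not visible), the count should be bounded rather than the pointer. Compute `limit` first and use `if (n_lmbs > limit - start) return -EINVAL;` before assigning `end`. The type of `n_lmbs` is outside the hunk, so the comparison may need a cast.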
--- /dev/null +++ b/queue-4.19/rtc-omap-use-define-directive-for-pin_config_active_high.patch 
@@ -0,0 +1,55 @@ +From c50156526a2f7176b50134e3e5fb108ba09791b2 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 31 Oct 2018 17:55:02 -0700 +Subject: rtc: omap: Use define directive for PIN_CONFIG_ACTIVE_HIGH + +From: Nathan Chancellor + +commit c50156526a2f7176b50134e3e5fb108ba09791b2 upstream. + +Clang warns when one enumerated type is implicitly converted to another: + +drivers/rtc/rtc-omap.c:574:21: warning: implicit conversion from +enumeration type 'enum rtc_pin_config_param' to different enumeration +type 'enum pin_config_param' [-Wenum-conversion] + {"ti,active-high", PIN_CONFIG_ACTIVE_HIGH, 0}, + ~ ^~~~~~~~~~~~~~~~~~~~~~ +drivers/rtc/rtc-omap.c:579:12: warning: implicit conversion from +enumeration type 'enum rtc_pin_config_param' to different enumeration +type 'enum pin_config_param' [-Wenum-conversion] + PCONFDUMP(PIN_CONFIG_ACTIVE_HIGH, "input active high", NULL, false), + ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from +macro 'PCONFDUMP' + .param = a, .display = b, .format = c, .has_arg = d \ + ^ +2 warnings generated. + +It is expected that pinctrl drivers can extend pin_config_param because +of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion +isn't an issue. Most drivers that take advantage of this define the +PIN_CONFIG variables as constants, rather than enumerated values. Do the +same thing here so that Clang no longer warns. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/144 +Signed-off-by: Nathan Chancellor +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-omap.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/rtc/rtc-omap.c ++++ b/drivers/rtc/rtc-omap.c +@@ -561,9 +561,7 @@ static const struct pinctrl_ops rtc_pinc + .dt_free_map = pinconf_generic_dt_free_map, + }; + +-enum rtc_pin_config_param { +- PIN_CONFIG_ACTIVE_HIGH = PIN_CONFIG_END + 1, +-}; ++#define PIN_CONFIG_ACTIVE_HIGH (PIN_CONFIG_END + 1) + + static const struct pinconf_generic_params rtc_params[] = { + {"ti,active-high", PIN_CONFIG_ACTIVE_HIGH, 0}, diff --git a/queue-4.19/s390-diag-fix-display-of-diagnose-call-statistics.patch b/queue-4.19/s390-diag-fix-display-of-diagnose-call-statistics.patch new file mode 100644 index 00000000000..28b995deef4 --- /dev/null +++ b/queue-4.19/s390-diag-fix-display-of-diagnose-call-statistics.patch 
@@ -0,0 +1,36 @@ +From 6c7c851f1b666a8a455678a0b480b9162de86052 Mon Sep 17 00:00:00 2001 +From: Michael Mueller +Date: Tue, 3 Mar 2020 16:42:01 +0100 +Subject: s390/diag: fix display of diagnose call statistics + +From: Michael Mueller + +commit 6c7c851f1b666a8a455678a0b480b9162de86052 upstream. + +Show the full diag statistic table and not just parts of it. + +The issue surfaced in a KVM guest with a number of vcpus +defined smaller than NR_DIAG_STAT. + +Fixes: 1ec2772e0c3c ("s390/diag: add a statistic for diagnose calls") +Cc: stable@vger.kernel.org +Signed-off-by: Michael Mueller +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/diag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kernel/diag.c ++++ b/arch/s390/kernel/diag.c +@@ -79,7 +79,7 @@ static int show_diag_stat(struct seq_fil + + static void *show_diag_stat_start(struct seq_file *m, loff_t *pos) + { +- return *pos <= nr_cpu_ids ? (void *)((unsigned long) *pos + 1) : NULL; ++ return *pos <= NR_DIAG_STAT ? (void *)((unsigned long) *pos + 1) : NULL; + } + + static void *show_diag_stat_next(struct seq_file *m, void *v, loff_t *pos) diff --git a/queue-4.19/scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch b/queue-4.19/scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch new file mode 100644 index 00000000000..84ddab3d169 --- /dev/null +++ b/queue-4.19/scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch 
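Review bot: `show_diag_stat_start()` keeps the inclusive bound `*pos <= NR_DIAG_STAT` without saying why, so the iterator yields `NR_DIAG_STAT + 1` positions. If `show_diag_stat()` spends the extra position on a header row that is fine, but that function is outside the hunk; if it indexes a table of `NR_DIAG_STAT` entries with the raw position, the final step reads one element past the end. Once confirmed, a comment such as `/* position 0 is the header line, 1..NR_DIAG_STAT are the table rows */` would settle it for the next reader.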
@@ -0,0 +1,79 @@ +From 819732be9fea728623e1ed84eba28def7384ad1f Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Thu, 12 Mar 2020 18:44:56 +0100 +Subject: scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point + +From: Steffen Maier + +commit 819732be9fea728623e1ed84eba28def7384ad1f upstream. + +v2.6.27 commit cc8c282963bd ("[SCSI] zfcp: Automatically attach remote +ports") introduced zfcp automatic port scan. + +Before that, the user had to use the sysfs attribute "port_add" of an FCP +device (adapter) to add and open remote (target) ports, even for the remote +peer port in point-to-point topology. That code path did a proper port open +recovery trigger taking the erp_lock. + +Since above commit, a new helper function zfcp_erp_open_ptp_port() +performed an UNlocked port open recovery trigger. This can race with other +parallel recovery triggers. In zfcp_erp_action_enqueue() this could corrupt +e.g. adapter->erp_total_count or adapter->erp_ready_head. + +As already found for fabric topology in v4.17 commit fa89adba1941 ("scsi: +zfcp: fix infinite iteration on ERP ready list"), there was an endless loop +during tracing of rport (un)block. A subsequent v4.18 commit 9e156c54ace3 +("scsi: zfcp: assert that the ERP lock is held when tracing a recovery +trigger") introduced a lockdep assertion for that case. + +As a side effect, that lockdep assertion now uncovered the unlocked code +path for PtP. 
It is from within an adapter ERP action: + +zfcp_erp_strategy[1479] intentionally DROPs erp lock around + zfcp_erp_strategy_do_action() +zfcp_erp_strategy_do_action[1441] NO erp lock +zfcp_erp_adapter_strategy[876] NO erp lock +zfcp_erp_adapter_strategy_open[855] NO erp lock +zfcp_erp_adapter_strategy_open_fsf[806]NO erp lock +zfcp_erp_adapter_strat_fsf_xconf[772] erp lock only around + zfcp_erp_action_to_running(), + BUT *_not_* around + zfcp_erp_enqueue_ptp_port() +zfcp_erp_enqueue_ptp_port[728] BUG: *_not_* taking erp lock +_zfcp_erp_port_reopen[432] assumes to be called with erp lock +zfcp_erp_action_enqueue[314] assumes to be called with erp lock +zfcp_dbf_rec_trig[288] _checks_ to be called with erp lock: + lockdep_assert_held(&adapter->erp_lock); + +It causes the following lockdep warning: + +WARNING: CPU: 2 PID: 775 at drivers/s390/scsi/zfcp_dbf.c:288 + zfcp_dbf_rec_trig+0x16a/0x188 +no locks held by zfcperp0.0.17c0/775. + +Fix this by using the proper locked recovery trigger helper function. + +Link: https://lore.kernel.org/r/20200312174505.51294-2-maier@linux.ibm.com +Fixes: cc8c282963bd ("[SCSI] zfcp: Automatically attach remote ports") +Cc: #v2.6.27+ +Reviewed-by: Jens Remus +Reviewed-by: Benjamin Block +Signed-off-by: Steffen Maier +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/scsi/zfcp_erp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -738,7 +738,7 @@ static void zfcp_erp_enqueue_ptp_port(st + adapter->peer_d_id); + if (IS_ERR(port)) /* error or port already attached */ + return; +- _zfcp_erp_port_reopen(port, 0, "ereptp1"); ++ zfcp_erp_port_reopen(port, 0, "ereptp1"); + } + + static int zfcp_erp_adapter_strat_fsf_xconf(struct zfcp_erp_action *erp_action) 
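Review bot: `zfcp_erp_enqueue_ptp_port()` now relies on being entered with `erp_lock` not held, and nothing at the call records that precondition. The call chain in the message says `zfcp_erp_adapter_strat_fsf_xconf` takes the lock only around `zfcp_erp_action_to_running()`; a future caller that does hold it would presumably deadlock in the locked helper. I would add `/* called without erp_lock; zfcp_erp_port_reopen() takes it */` above the call, after confirming against the helper, which is outside the hunk.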
diff --git a/queue-4.19/selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch b/queue-4.19/selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch new file mode 100644 index 00000000000..c7f04908ad9 --- /dev/null +++ b/queue-4.19/selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch 
@@ -0,0 +1,393 @@ +From eea274d64e6ea8aff2224d33d0851133a84cc7b5 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Wed, 1 Apr 2020 21:10:25 -0700 +Subject: selftests: vm: drop dependencies on page flags from mlock2 tests + +From: Michal Hocko + +commit eea274d64e6ea8aff2224d33d0851133a84cc7b5 upstream. + +It was noticed that mlock2 tests are failing after 9c4e6b1a7027f ("mm, +mlock, vmscan: no more skipping pagevecs") because the patch has changed +the timing on when the page is added to the unevictable LRU list and thus +gains the unevictable page flag. + +The test was just too dependent on the implementation details which were +true at the time when it was introduced. Page flags and the timing when +they are set is something no userspace should ever depend on. The test +should be testing only for the user observable contract of the tested +syscalls. Those are defined pretty well for the mlock and there are other +means for testing them. In fact this is already done and testing for page +flags can be safely dropped to achieve the aimed purpose. Present bits +can be checked by /proc//smaps RSS field and the locking state by +VmFlags although I would argue that Locked: field would be more +appropriate. + +Drop all the page flag machinery and considerably simplify the test. This +should be more robust for future kernel changes while checking the +promised contract is still valid. 
+ +Fixes: 9c4e6b1a7027f ("mm, mlock, vmscan: no more skipping pagevecs") +Reported-by: Rafael Aquini +Signed-off-by: Michal Hocko +Signed-off-by: Andrew Morton +Acked-by: Rafael Aquini +Cc: Shakeel Butt +Cc: Eric B Munson +Cc: Shuah Khan +Cc: +Link: http://lkml.kernel.org/r/20200324154218.GS19542@dhcp22.suse.cz +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + tools/testing/selftests/vm/mlock2-tests.c | 233 ++++-------------------------- + 1 file changed, 37 insertions(+), 196 deletions(-) + +--- a/tools/testing/selftests/vm/mlock2-tests.c ++++ b/tools/testing/selftests/vm/mlock2-tests.c +@@ -67,59 +67,6 @@ out: + return ret; + } + +-static uint64_t get_pageflags(unsigned long addr) +-{ +- FILE *file; +- uint64_t pfn; +- unsigned long offset; +- +- file = fopen("/proc/self/pagemap", "r"); +- if (!file) { +- perror("fopen pagemap"); +- _exit(1); +- } +- +- offset = addr / getpagesize() * sizeof(pfn); +- +- if (fseek(file, offset, SEEK_SET)) { +- perror("fseek pagemap"); +- _exit(1); +- } +- +- if (fread(&pfn, sizeof(pfn), 1, file) != 1) { +- perror("fread pagemap"); +- _exit(1); +- } +- +- fclose(file); +- return pfn; +-} +- +-static uint64_t get_kpageflags(unsigned long pfn) +-{ +- uint64_t flags; +- FILE *file; +- +- file = fopen("/proc/kpageflags", "r"); +- if (!file) { +- perror("fopen kpageflags"); +- _exit(1); +- } +- +- if (fseek(file, pfn * sizeof(flags), SEEK_SET)) { +- perror("fseek kpageflags"); +- _exit(1); +- } +- +- if (fread(&flags, sizeof(flags), 1, file) != 1) { +- perror("fread kpageflags"); +- _exit(1); +- } +- +- fclose(file); +- return flags; +-} +- + #define VMFLAGS "VmFlags:" + + static bool is_vmflag_set(unsigned long addr, const char *vmflag) +@@ -159,19 +106,13 @@ out: + #define RSS "Rss:" + #define LOCKED "lo" + +-static bool is_vma_lock_on_fault(unsigned long addr) ++static unsigned long get_value_for_name(unsigned long addr, const char *name) + { +- bool ret = false; +- bool locked; +- FILE *smaps = NULL; +- 
unsigned long vma_size, vma_rss; + char *line = NULL; +- char *value; + size_t size = 0; +- +- locked = is_vmflag_set(addr, LOCKED); +- if (!locked) +- goto out; ++ char *value_ptr; ++ FILE *smaps = NULL; ++ unsigned long value = -1UL; + + smaps = seek_to_smaps_entry(addr); + if (!smaps) { +@@ -180,112 +121,70 @@ static bool is_vma_lock_on_fault(unsigne + } + + while (getline(&line, &size, smaps) > 0) { +- if (!strstr(line, SIZE)) { ++ if (!strstr(line, name)) { + free(line); + line = NULL; + size = 0; + continue; + } + +- value = line + strlen(SIZE); +- if (sscanf(value, "%lu kB", &vma_size) < 1) { ++ value_ptr = line + strlen(name); ++ if (sscanf(value_ptr, "%lu kB", &value) < 1) { + printf("Unable to parse smaps entry for Size\n"); + goto out; + } + break; + } + +- while (getline(&line, &size, smaps) > 0) { +- if (!strstr(line, RSS)) { +- free(line); +- line = NULL; +- size = 0; +- continue; +- } +- +- value = line + strlen(RSS); +- if (sscanf(value, "%lu kB", &vma_rss) < 1) { +- printf("Unable to parse smaps entry for Rss\n"); +- goto out; +- } +- break; +- } +- +- ret = locked && (vma_rss < vma_size); + out: +- free(line); + if (smaps) + fclose(smaps); +- return ret; ++ free(line); ++ return value; + } + +-#define PRESENT_BIT 0x8000000000000000ULL +-#define PFN_MASK 0x007FFFFFFFFFFFFFULL +-#define UNEVICTABLE_BIT (1UL << 18) +- +-static int lock_check(char *map) ++static bool is_vma_lock_on_fault(unsigned long addr) + { +- unsigned long page_size = getpagesize(); +- uint64_t page1_flags, page2_flags; ++ bool locked; ++ unsigned long vma_size, vma_rss; ++ ++ locked = is_vmflag_set(addr, LOCKED); ++ if (!locked) ++ return false; + +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); ++ vma_size = get_value_for_name(addr, SIZE); ++ vma_rss = get_value_for_name(addr, RSS); + +- /* Both pages should be present */ +- if (((page1_flags & PRESENT_BIT) == 0) || +- ((page2_flags & PRESENT_BIT) == 0)) { +- 
printf("Failed to make both pages present\n"); +- return 1; +- } ++ /* only one page is faulted in */ ++ return (vma_rss < vma_size); ++} + +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- page2_flags = get_kpageflags(page2_flags & PFN_MASK); ++#define PRESENT_BIT 0x8000000000000000ULL ++#define PFN_MASK 0x007FFFFFFFFFFFFFULL ++#define UNEVICTABLE_BIT (1UL << 18) + +- /* Both pages should be unevictable */ +- if (((page1_flags & UNEVICTABLE_BIT) == 0) || +- ((page2_flags & UNEVICTABLE_BIT) == 0)) { +- printf("Failed to make both pages unevictable\n"); +- return 1; +- } ++static int lock_check(unsigned long addr) ++{ ++ bool locked; ++ unsigned long vma_size, vma_rss; + +- if (!is_vmflag_set((unsigned long)map, LOCKED)) { +- printf("VMA flag %s is missing on page 1\n", LOCKED); +- return 1; +- } ++ locked = is_vmflag_set(addr, LOCKED); ++ if (!locked) ++ return false; + +- if (!is_vmflag_set((unsigned long)map + page_size, LOCKED)) { +- printf("VMA flag %s is missing on page 2\n", LOCKED); +- return 1; +- } ++ vma_size = get_value_for_name(addr, SIZE); ++ vma_rss = get_value_for_name(addr, RSS); + +- return 0; ++ return (vma_rss == vma_size); + } + + static int unlock_lock_check(char *map) + { +- unsigned long page_size = getpagesize(); +- uint64_t page1_flags, page2_flags; +- +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- page2_flags = get_kpageflags(page2_flags & PFN_MASK); +- +- if ((page1_flags & UNEVICTABLE_BIT) || (page2_flags & UNEVICTABLE_BIT)) { +- printf("A page is still marked unevictable after unlock\n"); +- return 1; +- } +- + if (is_vmflag_set((unsigned long)map, LOCKED)) { + printf("VMA flag %s is present on page 1 after unlock\n", LOCKED); + return 1; + } + +- if (is_vmflag_set((unsigned long)map + page_size, LOCKED)) { +- printf("VMA flag %s is present on page 2 after unlock\n", LOCKED); +- return 1; +- } +- + 
return 0; + } + +@@ -311,7 +210,7 @@ static int test_mlock_lock() + goto unmap; + } + +- if (lock_check(map)) ++ if (!lock_check((unsigned long)map)) + goto unmap; + + /* Now unlock and recheck attributes */ +@@ -330,64 +229,18 @@ out: + + static int onfault_check(char *map) + { +- unsigned long page_size = getpagesize(); +- uint64_t page1_flags, page2_flags; +- +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); +- +- /* Neither page should be present */ +- if ((page1_flags & PRESENT_BIT) || (page2_flags & PRESENT_BIT)) { +- printf("Pages were made present by MLOCK_ONFAULT\n"); +- return 1; +- } +- + *map = 'a'; +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); +- +- /* Only page 1 should be present */ +- if ((page1_flags & PRESENT_BIT) == 0) { +- printf("Page 1 is not present after fault\n"); +- return 1; +- } else if (page2_flags & PRESENT_BIT) { +- printf("Page 2 was made present\n"); +- return 1; +- } +- +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- +- /* Page 1 should be unevictable */ +- if ((page1_flags & UNEVICTABLE_BIT) == 0) { +- printf("Failed to make faulted page unevictable\n"); +- return 1; +- } +- + if (!is_vma_lock_on_fault((unsigned long)map)) { + printf("VMA is not marked for lock on fault\n"); + return 1; + } + +- if (!is_vma_lock_on_fault((unsigned long)map + page_size)) { +- printf("VMA is not marked for lock on fault\n"); +- return 1; +- } +- + return 0; + } + + static int unlock_onfault_check(char *map) + { + unsigned long page_size = getpagesize(); +- uint64_t page1_flags; +- +- page1_flags = get_pageflags((unsigned long)map); +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- +- if (page1_flags & UNEVICTABLE_BIT) { +- printf("Page 1 is still marked unevictable after unlock\n"); +- return 1; +- } + + if (is_vma_lock_on_fault((unsigned long)map) || + is_vma_lock_on_fault((unsigned long)map + 
page_size)) { +@@ -445,7 +298,6 @@ static int test_lock_onfault_of_present( + char *map; + int ret = 1; + unsigned long page_size = getpagesize(); +- uint64_t page1_flags, page2_flags; + + map = mmap(NULL, 2 * page_size, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); +@@ -465,17 +317,6 @@ static int test_lock_onfault_of_present( + goto unmap; + } + +- page1_flags = get_pageflags((unsigned long)map); +- page2_flags = get_pageflags((unsigned long)map + page_size); +- page1_flags = get_kpageflags(page1_flags & PFN_MASK); +- page2_flags = get_kpageflags(page2_flags & PFN_MASK); +- +- /* Page 1 should be unevictable */ +- if ((page1_flags & UNEVICTABLE_BIT) == 0) { +- printf("Failed to make present page unevictable\n"); +- goto unmap; +- } +- + if (!is_vma_lock_on_fault((unsigned long)map) || + !is_vma_lock_on_fault((unsigned long)map + page_size)) { + printf("VMA with present pages is not marked lock on fault\n"); +@@ -507,7 +348,7 @@ static int test_munlockall() + goto out; + } + +- if (lock_check(map)) ++ if (!lock_check((unsigned long)map)) + goto unmap; + + if (munlockall()) { +@@ -549,7 +390,7 @@ static int test_munlockall() + goto out; + } + +- if (lock_check(map)) ++ if (!lock_check((unsigned long)map)) + goto unmap; + + if (munlockall()) { diff --git a/queue-4.19/series b/queue-4.19/series index 1ee0ecb0150..a75c9fea92f 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
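Review bot: `get_value_for_name()` leaves `value` at `-1UL` when the field is not found, and neither `lock_check()` nor `is_vma_lock_on_fault()` tests for it, so when both lookups fail `lock_check()` compares `-1UL == -1UL` and reports the VMA as fully locked. Adding `if (vma_size == -1UL || vma_rss == -1UL) return false;` after the two lookups in both helpers turns a read failure into a test failure. The parse error in `get_value_for_name()` still prints `for Size` whatever `name` is; `printf("Unable to parse smaps entry for %s\n", name);` corrects it. `lock_check()` is also declared `int` while returning `false` or a comparison, and the re-added `PRESENT_BIT`, `PFN_MASK` and `UNEVICTABLE_BIT` defines appear unused on the new side.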
@@ -99,3 +99,25 @@ tools-gpio-fix-out-of-tree-build-regression.patch
 mm-use-fixed-constant-in-page_frag_alloc-instead-of-size-1.patch
 net-qualcomm-rmnet-allow-configuration-updates-to-existing-devices.patch
 arm64-dts-allwinner-h6-fix-pmu-compatible.patch
+dm-writecache-add-cond_resched-to-avoid-cpu-hangs.patch
+dm-verity-fec-fix-memory-leak-in-verity_fec_dtr.patch
+scsi-zfcp-fix-missing-erp_lock-in-port-recovery-trigger-for-point-to-point.patch
+arm64-armv8_deprecated-fix-undef_hook-mask-for-thumb-setend.patch
+selftests-vm-drop-dependencies-on-page-flags-from-mlock2-tests.patch
+rtc-omap-use-define-directive-for-pin_config_active_high.patch
+drm-etnaviv-rework-perfmon-query-infrastructure.patch
+powerpc-pseries-avoid-null-pointer-dereference-when-drmem-is-unavailable.patch
+nfs-fix-a-page-leak-in-nfs_destroy_unlinked_subrequests.patch
+ext4-fix-a-data-race-at-inode-i_blocks.patch
+fs-filesystems.c-downgrade-user-reachable-warn_once-to-pr_warn_once.patch
+ocfs2-no-need-try-to-truncate-file-beyond-i_size.patch
+perf-tools-support-python-3.8-in-makefile.patch
+s390-diag-fix-display-of-diagnose-call-statistics.patch
+input-i8042-add-acer-aspire-5738z-to-nomux-list.patch
+clk-ingenic-jz4770-exit-with-error-if-cgu-init-failed.patch
+kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch
+cpufreq-powernv-fix-use-after-free.patch
+hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch
+libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch
+ipmi-fix-hung-processes-in-__get_guid.patch
+xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch
diff --git a/queue-4.19/xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch b/queue-4.19/xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch
new file mode 100644
index 00000000000..17894625e40
--- /dev/null
+++ b/queue-4.19/xen-blkfront-fix-memory-allocation-flags-in-blkfront_setup_indirect.patch
@@ -0,0 +1,103 @@
+From 3a169c0be75b59dd85d159493634870cdec6d3c4 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Fri, 3 Apr 2020 11:00:34 +0200
+Subject: xen/blkfront: fix memory allocation flags in blkfront_setup_indirect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross
+
+commit 3a169c0be75b59dd85d159493634870cdec6d3c4 upstream.
+
+Commit 1d5c76e664333 ("xen-blkfront: switch kcalloc to kvcalloc for
+large array allocation") didn't fix the issue it was meant to, as the
+flags for allocating the memory are GFP_NOIO, which will lead the
+memory allocation falling back to kmalloc().
+
+So instead of GFP_NOIO use GFP_KERNEL and do all the memory allocation
+in blkfront_setup_indirect() in a memalloc_noio_{save,restore} section.
+
+Fixes: 1d5c76e664333 ("xen-blkfront: switch kcalloc to kvcalloc for large array allocation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross
+Reviewed-by: Boris Ostrovsky
+Acked-by: Roger Pau Monné
+Link: https://lore.kernel.org/r/20200403090034.8753-1-jgross@suse.com
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/xen-blkfront.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/block/xen-blkfront.c
++++ b/drivers/block/xen-blkfront.c
+@@ -47,6 +47,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -2188,10 +2189,12 @@ static void blkfront_setup_discard(struc
+
+ static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo)
+ {
+- unsigned int psegs, grants;
++ unsigned int psegs, grants, memflags;
+ int err, i;
+ struct blkfront_info *info = rinfo->dev_info;
+
++ memflags = memalloc_noio_save();
++
+ if (info->max_indirect_segments == 0) {
+ if (!HAS_EXTRA_REQ)
+ grants = BLKIF_MAX_SEGMENTS_PER_REQUEST;
+@@ -2223,7 +2226,7 @@ static int blkfront_setup_indirect(struc
+
+ BUG_ON(!list_empty(&rinfo->indirect_pages));
+ for (i = 0; i < num; i++) {
+-
struct page *indirect_page = alloc_page(GFP_NOIO);
++ struct page *indirect_page = alloc_page(GFP_KERNEL);
+ if (!indirect_page)
+ goto out_of_memory;
+ list_add(&indirect_page->lru, &rinfo->indirect_pages);
+@@ -2234,15 +2237,15 @@ static int blkfront_setup_indirect(struc
+ rinfo->shadow[i].grants_used =
+ kvcalloc(grants,
+ sizeof(rinfo->shadow[i].grants_used[0]),
+- GFP_NOIO);
++ GFP_KERNEL);
+ rinfo->shadow[i].sg = kvcalloc(psegs,
+ sizeof(rinfo->shadow[i].sg[0]),
+- GFP_NOIO);
++ GFP_KERNEL);
+ if (info->max_indirect_segments)
+ rinfo->shadow[i].indirect_grants =
+ kvcalloc(INDIRECT_GREFS(grants),
+ sizeof(rinfo->shadow[i].indirect_grants[0]),
+- GFP_NOIO);
++ GFP_KERNEL);
+ if ((rinfo->shadow[i].grants_used == NULL) ||
+ (rinfo->shadow[i].sg == NULL) ||
+ (info->max_indirect_segments &&
+@@ -2251,6 +2254,7 @@ static int blkfront_setup_indirect(struc
+ sg_init_table(rinfo->shadow[i].sg, psegs);
+ }
+
++ memalloc_noio_restore(memflags);
+
+ return 0;
+
+@@ -2270,6 +2274,9 @@ out_of_memory:
+ __free_page(indirect_page);
+ }
+ }
++
++ memalloc_noio_restore(memflags);
++
+ return -ENOMEM;
+ }
+
-- 2.47.3
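Review bot: The NOIO scope opened by `memflags = memalloc_noio_save();` at the top of blkfront_setup_indirect() is closed by hand on only two exits, the `return 0` path and the `out_of_memory:` label. Any other return in the parts of the function that these hunks do not show would leave the calling task in NOIO mode after the call. The body between the hunks is outside the patch context, so the exit paths should be checked against the 4.19 tree this backport is queued for. A comment at the save would keep the invariant visible to later backports, for example `/* NOIO scope: every exit below must call memalloc_noio_restore(memflags) */`. The `GFP_KERNEL` now passed to alloc_page() and the three kvcalloc() calls is only safe inside that scope, which deserves a short why-comment at the first allocation.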