From 2dc9f9ca7ec809efd14caaa4f26e74c9179fdf5b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 24 May 2021 10:58:11 +0200 Subject: [PATCH] 5.12-stable patches added patches: alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch alsa-firewire-lib-fix-amdtp_packet-tracepoints-event-for-packet_index-field.patch alsa-intel8x0-don-t-update-period-unless-prepared.patch alsa-line6-fix-racy-initialization-of-line6-midi.patch btrfs-avoid-rcu-stalls-while-running-delayed-iputs.patch btrfs-fix-removed-dentries-still-existing-after-log-is-synced.patch btrfs-zoned-fix-parallel-compressed-writes.patch btrfs-zoned-pass-start-block-to-btrfs_use_zone_append.patch cifs-fix-memory-leak-in-smb2_copychunk_range.patch fs-mount_setattr-tighten-permission-checks.patch misc-eeprom-at24-check-suspend-status-before-disable-regulator.patch --- ...-at-high-sampling-transfer-frequency.patch | 37 +++ ...epoints-event-for-packet_index-field.patch | 116 +++++++ ...-don-t-update-period-unless-prepared.patch | 72 +++++ ...ix-racy-initialization-of-line6-midi.patch | 85 ++++++ ...u-stalls-while-running-delayed-iputs.patch | 76 +++++ ...s-still-existing-after-log-is-synced.patch | 282 ++++++++++++++++++ ...zoned-fix-parallel-compressed-writes.patch | 136 +++++++++ ...start-block-to-btrfs_use_zone_append.patch | 89 ++++++ ...-memory-leak-in-smb2_copychunk_range.patch | 36 +++ ...nt_setattr-tighten-permission-checks.patch | 44 +++ ...pend-status-before-disable-regulator.patch | 45 +++ queue-5.12/series | 11 + 12 files changed, 1029 insertions(+) create mode 100644 queue-5.12/alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch create mode 100644 queue-5.12/alsa-firewire-lib-fix-amdtp_packet-tracepoints-event-for-packet_index-field.patch create mode 100644 queue-5.12/alsa-intel8x0-don-t-update-period-unless-prepared.patch create mode 100644 queue-5.12/alsa-line6-fix-racy-initialization-of-line6-midi.patch create mode 100644 queue-5.12/btrfs-avoid-rcu-stalls-while-running-delayed-iputs.patch create mode 100644 queue-5.12/btrfs-fix-removed-dentries-still-existing-after-log-is-synced.patch create mode 100644 queue-5.12/btrfs-zoned-fix-parallel-compressed-writes.patch create mode 100644 queue-5.12/btrfs-zoned-pass-start-block-to-btrfs_use_zone_append.patch create mode 100644 queue-5.12/cifs-fix-memory-leak-in-smb2_copychunk_range.patch create mode 100644 queue-5.12/fs-mount_setattr-tighten-permission-checks.patch create mode 100644 queue-5.12/misc-eeprom-at24-check-suspend-status-before-disable-regulator.patch diff --git a/queue-5.12/alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch b/queue-5.12/alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch new file mode 100644 index 00000000000..4367366079f --- /dev/null +++ b/queue-5.12/alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch @@ -0,0 +1,37 @@ +From 4c6fe8c547e3c9e8c15dabdd23c569ee0df3adb1 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Tue, 18 May 2021 10:26:12 +0900 +Subject: ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency + +From: Takashi Sakamoto + +commit 4c6fe8c547e3c9e8c15dabdd23c569ee0df3adb1 upstream. + +At high sampling transfer frequency, TC Electronic Konnekt Live +transfers/receives 6 audio data frames in multi bit linear audio data +channel of data block in CIP payload. Current hard-coded stream format +is wrong. + +Cc: +Fixes: f1f0f330b1d0 ("ALSA: dice: add parameters of stream formats for models produced by TC Electronic") +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20210518012612.37268-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/dice/dice-tcelectronic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/firewire/dice/dice-tcelectronic.c ++++ b/sound/firewire/dice/dice-tcelectronic.c +@@ -38,8 +38,8 @@ static const struct dice_tc_spec konnekt + }; + + static const struct dice_tc_spec konnekt_live = { +- .tx_pcm_chs = {{16, 16, 16}, {0, 0, 0} }, +- .rx_pcm_chs = {{16, 16, 16}, {0, 0, 0} }, ++ .tx_pcm_chs = {{16, 16, 6}, {0, 0, 0} }, ++ .rx_pcm_chs = {{16, 16, 6}, {0, 0, 0} }, + .has_midi = true, + }; + diff --git a/queue-5.12/alsa-firewire-lib-fix-amdtp_packet-tracepoints-event-for-packet_index-field.patch b/queue-5.12/alsa-firewire-lib-fix-amdtp_packet-tracepoints-event-for-packet_index-field.patch new file mode 100644 index 00000000000..2fb8ccaffeb --- /dev/null +++ b/queue-5.12/alsa-firewire-lib-fix-amdtp_packet-tracepoints-event-for-packet_index-field.patch @@ -0,0 +1,116 @@ +From 814b43127f4ac69332e809152e30773941438aff Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Thu, 13 May 2021 21:56:52 +0900 +Subject: ALSA: firewire-lib: fix amdtp_packet tracepoints event for packet_index field + +From: Takashi Sakamoto + +commit 814b43127f4ac69332e809152e30773941438aff upstream. + +The snd_firewire_lib:amdtp_packet tracepoints event includes index of +packet processed in a context handling. However in IR context, it is not +calculated as expected. + +Cc: +Fixes: 753e717986c2 ("ALSA: firewire-lib: use packet descriptor for IR context") +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20210513125652.110249-6-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/amdtp-stream-trace.h | 6 +++--- + sound/firewire/amdtp-stream.c | 15 +++++++++------ + 2 files changed, 12 insertions(+), 9 deletions(-) + +--- a/sound/firewire/amdtp-stream-trace.h ++++ b/sound/firewire/amdtp-stream-trace.h +@@ -14,8 +14,8 @@ + #include + + TRACE_EVENT(amdtp_packet, +- TP_PROTO(const struct amdtp_stream *s, u32 cycles, const __be32 *cip_header, unsigned int payload_length, unsigned int data_blocks, unsigned int data_block_counter, unsigned int index), +- TP_ARGS(s, cycles, cip_header, payload_length, data_blocks, data_block_counter, index), ++ TP_PROTO(const struct amdtp_stream *s, u32 cycles, const __be32 *cip_header, unsigned int payload_length, unsigned int data_blocks, unsigned int data_block_counter, unsigned int packet_index, unsigned int index), ++ TP_ARGS(s, cycles, cip_header, payload_length, data_blocks, data_block_counter, packet_index, index), + TP_STRUCT__entry( + __field(unsigned int, second) + __field(unsigned int, cycle) +@@ -48,7 +48,7 @@ TRACE_EVENT(amdtp_packet, + __entry->payload_quadlets = payload_length / sizeof(__be32); + __entry->data_blocks = data_blocks; + __entry->data_block_counter = data_block_counter, +- __entry->packet_index = s->packet_index; ++ __entry->packet_index = packet_index; + __entry->irq = !!in_interrupt(); + __entry->index = index; + ), +--- a/sound/firewire/amdtp-stream.c ++++ b/sound/firewire/amdtp-stream.c +@@ -526,7 +526,7 @@ static void build_it_pkt_header(struct a + } + + trace_amdtp_packet(s, cycle, cip_header, payload_length, data_blocks, +- data_block_counter, index); ++ data_block_counter, s->packet_index, index); + } + + static int check_cip_header(struct amdtp_stream *s, const __be32 *buf, +@@ -630,7 +630,7 @@ static int parse_ir_ctx_header(struct am + unsigned int *payload_length, + unsigned int *data_blocks, + unsigned int *data_block_counter, +- unsigned int *syt, unsigned int index) ++ unsigned int *syt, unsigned int packet_index, unsigned int index) + { + const __be32 *cip_header; + int err; +@@ -662,7 +662,7 @@ static int parse_ir_ctx_header(struct am + } + + trace_amdtp_packet(s, cycle, cip_header, *payload_length, *data_blocks, +- *data_block_counter, index); ++ *data_block_counter, packet_index, index); + + return err; + } +@@ -701,12 +701,13 @@ static int generate_device_pkt_descs(str + unsigned int packets) + { + unsigned int dbc = s->data_block_counter; ++ unsigned int packet_index = s->packet_index; ++ unsigned int queue_size = s->queue_size; + int i; + int err; + + for (i = 0; i < packets; ++i) { + struct pkt_desc *desc = descs + i; +- unsigned int index = (s->packet_index + i) % s->queue_size; + unsigned int cycle; + unsigned int payload_length; + unsigned int data_blocks; +@@ -715,7 +716,7 @@ static int generate_device_pkt_descs(str + cycle = compute_cycle_count(ctx_header[1]); + + err = parse_ir_ctx_header(s, cycle, ctx_header, &payload_length, +- &data_blocks, &dbc, &syt, i); ++ &data_blocks, &dbc, &syt, packet_index, i); + if (err < 0) + return err; + +@@ -723,13 +724,15 @@ static int generate_device_pkt_descs(str + desc->syt = syt; + desc->data_blocks = data_blocks; + desc->data_block_counter = dbc; +- desc->ctx_payload = s->buffer.packets[index].buffer; ++ desc->ctx_payload = s->buffer.packets[packet_index].buffer; + + if (!(s->flags & CIP_DBC_IS_END_EVENT)) + dbc = (dbc + desc->data_blocks) & 0xff; + + ctx_header += + s->ctx_data.tx.ctx_header_size / sizeof(*ctx_header); ++ ++ packet_index = (packet_index + 1) % queue_size; + } + + s->data_block_counter = dbc; diff --git a/queue-5.12/alsa-intel8x0-don-t-update-period-unless-prepared.patch b/queue-5.12/alsa-intel8x0-don-t-update-period-unless-prepared.patch new file mode 100644 index 00000000000..12b428bc6e4 --- /dev/null +++ b/queue-5.12/alsa-intel8x0-don-t-update-period-unless-prepared.patch @@ -0,0 +1,72 @@ +From c1f0616124c455c5c762b6f123e40bba5df759e6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 16 May 2021 18:17:55 +0200 +Subject: ALSA: intel8x0: Don't update period unless prepared + +From: Takashi Iwai + +commit c1f0616124c455c5c762b6f123e40bba5df759e6 upstream. + +The interrupt handler of intel8x0 calls snd_intel8x0_update() whenever +the hardware sets the corresponding status bit for each stream. This +works fine for most cases as long as the hardware behaves properly. +But when the hardware gives a wrong bit set, this leads to a zero- +division Oops, and reportedly, this seems what happened on a VM. + +For fixing the crash, this patch adds a internal flag indicating that +the stream is ready to be updated, and check it (as well as the flag +being in suspended) to ignore such spurious update. + +Cc: +Reported-and-tested-by: Sergey Senozhatsky +Link: https://lore.kernel.org/r/s5h5yzi7uh0.wl-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/intel8x0.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/pci/intel8x0.c ++++ b/sound/pci/intel8x0.c +@@ -331,6 +331,7 @@ struct ichdev { + unsigned int ali_slot; /* ALI DMA slot */ + struct ac97_pcm *pcm; + int pcm_open_flag; ++ unsigned int prepared:1; + unsigned int suspended: 1; + }; + +@@ -691,6 +692,9 @@ static inline void snd_intel8x0_update(s + int status, civ, i, step; + int ack = 0; + ++ if (!ichdev->prepared || ichdev->suspended) ++ return; ++ + spin_lock_irqsave(&chip->reg_lock, flags); + status = igetbyte(chip, port + ichdev->roff_sr); + civ = igetbyte(chip, port + ICH_REG_OFF_CIV); +@@ -881,6 +885,7 @@ static int snd_intel8x0_hw_params(struct + if (ichdev->pcm_open_flag) { + snd_ac97_pcm_close(ichdev->pcm); + ichdev->pcm_open_flag = 0; ++ ichdev->prepared = 0; + } + err = snd_ac97_pcm_open(ichdev->pcm, params_rate(hw_params), + params_channels(hw_params), +@@ -902,6 +907,7 @@ static int snd_intel8x0_hw_free(struct s + if (ichdev->pcm_open_flag) { + snd_ac97_pcm_close(ichdev->pcm); + ichdev->pcm_open_flag = 0; ++ ichdev->prepared = 0; + } + return 0; + } +@@ -976,6 +982,7 @@ static int snd_intel8x0_pcm_prepare(stru + ichdev->pos_shift = (runtime->sample_bits > 16) ? 2 : 1; + } + snd_intel8x0_setup_periods(chip, ichdev); ++ ichdev->prepared = 1; + return 0; + } + diff --git a/queue-5.12/alsa-line6-fix-racy-initialization-of-line6-midi.patch b/queue-5.12/alsa-line6-fix-racy-initialization-of-line6-midi.patch new file mode 100644 index 00000000000..b1bd808ffcc --- /dev/null +++ b/queue-5.12/alsa-line6-fix-racy-initialization-of-line6-midi.patch @@ -0,0 +1,85 @@ +From 05ca447630334c323c9e2b788b61133ab75d60d3 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 18 May 2021 10:39:39 +0200 +Subject: ALSA: line6: Fix racy initialization of LINE6 MIDI + +From: Takashi Iwai + +commit 05ca447630334c323c9e2b788b61133ab75d60d3 upstream. + +The initialization of MIDI devices that are found on some LINE6 +drivers are currently done in a racy way; namely, the MIDI buffer +instance is allocated and initialized in each private_init callback +while the communication with the interface is already started via +line6_init_cap_control() call before that point. This may lead to +Oops in line6_data_received() when a spurious event is received, as +reported by syzkaller. + +This patch moves the MIDI initialization to line6_init_cap_control() +as well instead of the too-lately-called private_init for avoiding the +race. Also this reduces slightly more lines, so it's a win-win +change. + +Reported-by: syzbot+0d2b3feb0a2887862e06@syzkallerlkml..appspotmail.com +Link: https://lore.kernel.org/r/000000000000a4be9405c28520de@google.com +Link: https://lore.kernel.org/r/20210517132725.GA50495@hyeyoo +Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com> +Cc: +Link: https://lore.kernel.org/r/20210518083939.1927-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/line6/driver.c | 4 ++++ + sound/usb/line6/pod.c | 5 ----- + sound/usb/line6/variax.c | 6 ------ + 3 files changed, 4 insertions(+), 11 deletions(-) + +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -699,6 +699,10 @@ static int line6_init_cap_control(struct + line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL); + if (!line6->buffer_message) + return -ENOMEM; ++ ++ ret = line6_init_midi(line6); ++ if (ret < 0) ++ return ret; + } else { + ret = line6_hwdep_init(line6); + if (ret < 0) +--- a/sound/usb/line6/pod.c ++++ b/sound/usb/line6/pod.c +@@ -376,11 +376,6 @@ static int pod_init(struct usb_line6 *li + if (err < 0) + return err; + +- /* initialize MIDI subsystem: */ +- err = line6_init_midi(line6); +- if (err < 0) +- return err; +- + /* initialize PCM subsystem: */ + err = line6_init_pcm(line6, &pod_pcm_properties); + if (err < 0) +--- a/sound/usb/line6/variax.c ++++ b/sound/usb/line6/variax.c +@@ -159,7 +159,6 @@ static int variax_init(struct usb_line6 + const struct usb_device_id *id) + { + struct usb_line6_variax *variax = line6_to_variax(line6); +- int err; + + line6->process_message = line6_variax_process_message; + line6->disconnect = line6_variax_disconnect; +@@ -172,11 +171,6 @@ static int variax_init(struct usb_line6 + if (variax->buffer_activate == NULL) + return -ENOMEM; + +- /* initialize MIDI subsystem: */ +- err = line6_init_midi(&variax->line6); +- if (err < 0) +- return err; +- + /* initiate startup procedure: */ + schedule_delayed_work(&line6->startup_work, + msecs_to_jiffies(VARIAX_STARTUP_DELAY1)); diff --git a/queue-5.12/btrfs-avoid-rcu-stalls-while-running-delayed-iputs.patch b/queue-5.12/btrfs-avoid-rcu-stalls-while-running-delayed-iputs.patch new file mode 100644 index 00000000000..69168b30ed1 --- /dev/null +++ b/queue-5.12/btrfs-avoid-rcu-stalls-while-running-delayed-iputs.patch @@ -0,0 +1,76 @@ +From 71795ee590111e3636cc3c148289dfa9fa0a5fc3 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 29 Apr 2021 10:51:34 -0400 +Subject: btrfs: avoid RCU stalls while running delayed iputs + +From: Josef Bacik + +commit 71795ee590111e3636cc3c148289dfa9fa0a5fc3 upstream. + +Generally a delayed iput is added when we might do the final iput, so +usually we'll end up sleeping while processing the delayed iputs +naturally. However there's no guarantee of this, especially for small +files. In production we noticed 5 instances of RCU stalls while testing +a kernel release overnight across 1000 machines, so this is relatively +common: + + host count: 5 + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: ....: (20998 ticks this GP) idle=59e/1/0x4000000000000002 softirq=12333372/12333372 fqs=3208 + (t=21031 jiffies g=27810193 q=41075) NMI backtrace for cpu 1 + CPU: 1 PID: 1713 Comm: btrfs-cleaner Kdump: loaded Not tainted 5.6.13-0_fbk12_rc1_5520_gec92bffc1ec9 #1 + Call Trace: + dump_stack+0x50/0x70 + nmi_cpu_backtrace.cold.6+0x30/0x65 + ? lapic_can_unplug_cpu.cold.30+0x40/0x40 + nmi_trigger_cpumask_backtrace+0xba/0xca + rcu_dump_cpu_stacks+0x99/0xc7 + rcu_sched_clock_irq.cold.90+0x1b2/0x3a3 + ? trigger_load_balance+0x5c/0x200 + ? tick_sched_do_timer+0x60/0x60 + ? tick_sched_do_timer+0x60/0x60 + update_process_times+0x24/0x50 + tick_sched_timer+0x37/0x70 + __hrtimer_run_queues+0xfe/0x270 + hrtimer_interrupt+0xf4/0x210 + smp_apic_timer_interrupt+0x5e/0x120 + apic_timer_interrupt+0xf/0x20 + RIP: 0010:queued_spin_lock_slowpath+0x17d/0x1b0 + RSP: 0018:ffffc9000da5fe48 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 + RAX: 0000000000000000 RBX: ffff889fa81d0cd8 RCX: 0000000000000029 + RDX: ffff889fff86c0c0 RSI: 0000000000080000 RDI: ffff88bfc2da7200 + RBP: ffff888f2dcdd768 R08: 0000000001040000 R09: 0000000000000000 + R10: 0000000000000001 R11: ffffffff82a55560 R12: ffff88bfc2da7200 + R13: 0000000000000000 R14: ffff88bff6c2a360 R15: ffffffff814bd870 + ? kzalloc.constprop.57+0x30/0x30 + list_lru_add+0x5a/0x100 + inode_lru_list_add+0x20/0x40 + iput+0x1c1/0x1f0 + run_delayed_iput_locked+0x46/0x90 + btrfs_run_delayed_iputs+0x3f/0x60 + cleaner_kthread+0xf2/0x120 + kthread+0x10b/0x130 + +Fix this by adding a cond_resched_lock() to the loop processing delayed +iputs so we can avoid these sort of stalls. + +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Rik van Riel +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3253,6 +3253,7 @@ void btrfs_run_delayed_iputs(struct btrf + inode = list_first_entry(&fs_info->delayed_iputs, + struct btrfs_inode, delayed_iput); + run_delayed_iput_locked(fs_info, inode); ++ cond_resched_lock(&fs_info->delayed_iput_lock); + } + spin_unlock(&fs_info->delayed_iput_lock); + } diff --git a/queue-5.12/btrfs-fix-removed-dentries-still-existing-after-log-is-synced.patch b/queue-5.12/btrfs-fix-removed-dentries-still-existing-after-log-is-synced.patch new file mode 100644 index 00000000000..8a55afcf9a9 --- /dev/null +++ b/queue-5.12/btrfs-fix-removed-dentries-still-existing-after-log-is-synced.patch @@ -0,0 +1,282 @@ +From 54a40fc3a1da21b52dbf19f72fdc27a2ec740760 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Wed, 12 May 2021 16:27:16 +0100 +Subject: btrfs: fix removed dentries still existing after log is synced + +From: Filipe Manana + +commit 54a40fc3a1da21b52dbf19f72fdc27a2ec740760 upstream. + +When we move one inode from one directory to another and both the inode +and its previous parent directory were logged before, we are not supposed +to have the dentry for the old parent if we have a power failure after the +log is synced. Only the new dentry is supposed to exist. + +Generally this works correctly, however there is a scenario where this is +not currently working, because the old parent of the file/directory that +was moved is not authoritative for a range that includes the dir index and +dir item keys of the old dentry. This case is better explained with the +following example and reproducer: + + # The test requires a very specific layout of keys and items in the + # fs/subvolume btree to trigger the bug. So we want to make sure that + # on whatever platform we are, we have the same leaf/node size. + # + # Currently in btrfs the node/leaf size can not be smaller than the page + # size (but it can be greater than the page size). So use the largest + # supported node/leaf size (64K). + + $ mkfs.btrfs -f -n 65536 /dev/sdc + $ mount /dev/sdc /mnt + + # "testdir" is inode 257. + $ mkdir /mnt/testdir + $ chmod 755 /mnt/testdir + + # Create several empty files to have the directory "testdir" with its + # items spread over several leaves (7 in this case). + $ for ((i = 1; i <= 1200; i++)); do + echo -n > /mnt/testdir/file$i + done + + # Create our test directory "dira", inode number 1458, which gets all + # its items in leaf 7. + # + # The BTRFS_DIR_ITEM_KEY item for inode 257 ("testdir") that points to + # the entry named "dira" is in leaf 2, while the BTRFS_DIR_INDEX_KEY + # item that points to that entry is in leaf 3. + # + # For this particular filesystem node size (64K), file count and file + # names, we endup with the directory entry items from inode 257 in + # leaves 2 and 3, as previously mentioned - what matters for triggering + # the bug exercised by this test case is that those items are not placed + # in leaf 1, they must be placed in a leaf different from the one + # containing the inode item for inode 257. + # + # The corresponding BTRFS_DIR_ITEM_KEY and BTRFS_DIR_INDEX_KEY items for + # the parent inode (257) are the following: + # + # item 460 key (257 DIR_ITEM 3724298081) itemoff 48344 itemsize 34 + # location key (1458 INODE_ITEM 0) type DIR + # transid 6 data_len 0 name_len 4 + # name: dira + # + # and: + # + # item 771 key (257 DIR_INDEX 1202) itemoff 36673 itemsize 34 + # location key (1458 INODE_ITEM 0) type DIR + # transid 6 data_len 0 name_len 4 + # name: dira + + $ mkdir /mnt/testdir/dira + + # Make sure everything done so far is durably persisted. + $ sync + + # Now do a change to inode 257 ("testdir") that does not result in + # COWing leaves 2 and 3 - the leaves that contain the directory items + # pointing to inode 1458 (directory "dira"). + # + # Changing permissions, the owner/group, updating or adding a xattr, + # etc, will not change (COW) leaves 2 and 3. So for the sake of + # simplicity change the permissions of inode 257, which results in + # updating its inode item and therefore change (COW) only leaf 1. + + $ chmod 700 /mnt/testdir + + # Now fsync directory inode 257. + # + # Since only the first leaf was changed/COWed, we log the inode item of + # inode 257 and only the dentries found in the first leaf, all have a + # key type of BTRFS_DIR_ITEM_KEY, and no keys of type + # BTRFS_DIR_INDEX_KEY, because they sort after the former type and none + # exist in the first leaf. + # + # We also log 3 items that represent ranges for dir items and dir + # indexes for which the log is authoritative: + # + # 1) a key of type BTRFS_DIR_LOG_ITEM_KEY, which indicates the log is + # authoritative for all BTRFS_DIR_ITEM_KEY keys that have an offset + # in the range [0, 2285968570] (the offset here is the crc32c of the + # dentry's name). The value 2285968570 corresponds to the offset of + # the first key of leaf 2 (which is of type BTRFS_DIR_ITEM_KEY); + # + # 2) a key of type BTRFS_DIR_LOG_ITEM_KEY, which indicates the log is + # authoritative for all BTRFS_DIR_ITEM_KEY keys that have an offset + # in the range [4293818216, (u64)-1] (the offset here is the crc32c + # of the dentry's name). The value 4293818216 corresponds to the + # offset of the highest key of type BTRFS_DIR_ITEM_KEY plus 1 + # (4293818215 + 1), which is located in leaf 2; + # + # 3) a key of type BTRFS_DIR_LOG_INDEX_KEY, with an offset of 1203, + # which indicates the log is authoritative for all keys of type + # BTRFS_DIR_INDEX_KEY that have an offset in the range + # [1203, (u64)-1]. The value 1203 corresponds to the offset of the + # last key of type BTRFS_DIR_INDEX_KEY plus 1 (1202 + 1), which is + # located in leaf 3; + # + # Also, because "testdir" is a directory and inode 1458 ("dira") is a + # child directory, we log inode 1458 too. + + $ xfs_io -c "fsync" /mnt/testdir + + # Now move "dira", inode 1458, to be a child of the root directory + # (inode 256). + # + # Because this inode was previously logged, when "testdir" was fsynced, + # the log is updated so that the old inode reference, referring to inode + # 257 as the parent, is deleted and the new inode reference, referring + # to inode 256 as the parent, is added to the log. + + $ mv /mnt/testdir/dira /mnt + + # Now change some file and fsync it. This guarantees the log changes + # made by the previous move/rename operation are persisted. We do not + # need to do any special modification to the file, just any change to + # any file and sync the log. + + $ xfs_io -c "pwrite -S 0xab 0 64K" -c "fsync" /mnt/testdir/file1 + + # Simulate a power failure and then mount again the filesystem to + # replay the log tree. We want to verify that we are able to mount the + # filesystem, meaning log replay was successful, and that directory + # inode 1458 ("dira") only has inode 256 (the filesystem's root) as + # its parent (and no longer a child of inode 257). + # + # It used to happen that during log replay we would end up having + # inode 1458 (directory "dira") with 2 hard links, being a child of + # inode 257 ("testdir") and inode 256 (the filesystem's root). This + # resulted in the tree checker detecting the issue and causing the + # mount operation to fail (with -EIO). + # + # This happened because in the log we have the new name/parent for + # inode 1458, which results in adding the new dentry with inode 256 + # as the parent, but the previous dentry, under inode 257 was never + # removed - this is because the ranges for dir items and dir indexes + # of inode 257 for which the log is authoritative do not include the + # old dir item and dir index for the dentry of inode 257 referring to + # inode 1458: + # + # - for dir items, the log is authoritative for the ranges + # [0, 2285968570] and [4293818216, (u64)-1]. The dir item at inode 257 + # pointing to inode 1458 has a key of (257 DIR_ITEM 3724298081), as + # previously mentioned, so the dir item is not deleted when the log + # replay procedure processes the authoritative ranges, as 3724298081 + # is outside both ranges; + # + # - for dir indexes, the log is authoritative for the range + # [1203, (u64)-1], and the dir index item of inode 257 pointing to + # inode 1458 has a key of (257 DIR_INDEX 1202), as previously + # mentioned, so the dir index item is not deleted when the log + # replay procedure processes the authoritative range. + + + + $ mount /dev/sdc /mnt + mount: /mnt: can't read superblock on /dev/sdc. + + $ dmesg + (...) + [87849.840509] BTRFS info (device sdc): start tree-log replay + [87849.875719] BTRFS critical (device sdc): corrupt leaf: root=5 block=30539776 slot=554 ino=1458, invalid nlink: has 2 expect no more than 1 for dir + [87849.878084] BTRFS info (device sdc): leaf 30539776 gen 7 total ptrs 557 free space 2092 owner 5 + [87849.879516] BTRFS info (device sdc): refs 1 lock_owner 0 current 2099108 + [87849.880613] item 0 key (1181 1 0) itemoff 65275 itemsize 160 + [87849.881544] inode generation 6 size 0 mode 100644 + [87849.882692] item 1 key (1181 12 257) itemoff 65258 itemsize 17 + (...) + [87850.562549] item 556 key (1458 12 257) itemoff 16017 itemsize 14 + [87850.563349] BTRFS error (device dm-0): block=30539776 write time tree block corruption detected + [87850.564386] ------------[ cut here ]------------ + [87850.564920] WARNING: CPU: 3 PID: 2099108 at fs/btrfs/disk-io.c:465 csum_one_extent_buffer+0xed/0x100 [btrfs] + [87850.566129] Modules linked in: btrfs dm_zero dm_snapshot (...) + [87850.573789] CPU: 3 PID: 2099108 Comm: mount Not tainted 5.12.0-rc8-btrfs-next-86 #1 + (...) + [87850.587481] Call Trace: + [87850.587768] btree_csum_one_bio+0x244/0x2b0 [btrfs] + [87850.588354] ? btrfs_bio_fits_in_stripe+0xd8/0x110 [btrfs] + [87850.589003] btrfs_submit_metadata_bio+0xb7/0x100 [btrfs] + [87850.589654] submit_one_bio+0x61/0x70 [btrfs] + [87850.590248] submit_extent_page+0x91/0x2f0 [btrfs] + [87850.590842] write_one_eb+0x175/0x440 [btrfs] + [87850.591370] ? find_extent_buffer_nolock+0x1c0/0x1c0 [btrfs] + [87850.592036] btree_write_cache_pages+0x1e6/0x610 [btrfs] + [87850.592665] ? free_debug_processing+0x1d5/0x240 + [87850.593209] do_writepages+0x43/0xf0 + [87850.593798] ? __filemap_fdatawrite_range+0xa4/0x100 + [87850.594391] __filemap_fdatawrite_range+0xc5/0x100 + [87850.595196] btrfs_write_marked_extents+0x68/0x160 [btrfs] + [87850.596202] btrfs_write_and_wait_transaction.isra.0+0x4d/0xd0 [btrfs] + [87850.597377] btrfs_commit_transaction+0x794/0xca0 [btrfs] + [87850.598455] ? _raw_spin_unlock_irqrestore+0x32/0x60 + [87850.599305] ? kmem_cache_free+0x15a/0x3d0 + [87850.600029] btrfs_recover_log_trees+0x346/0x380 [btrfs] + [87850.601021] ? replay_one_extent+0x7d0/0x7d0 [btrfs] + [87850.601988] open_ctree+0x13c9/0x1698 [btrfs] + [87850.602846] btrfs_mount_root.cold+0x13/0xed [btrfs] + [87850.603771] ? kmem_cache_alloc_trace+0x7c9/0x930 + [87850.604576] ? vfs_parse_fs_string+0x5d/0xb0 + [87850.605293] ? kfree+0x276/0x3f0 + [87850.605857] legacy_get_tree+0x30/0x50 + [87850.606540] vfs_get_tree+0x28/0xc0 + [87850.607163] fc_mount+0xe/0x40 + [87850.607695] vfs_kern_mount.part.0+0x71/0x90 + [87850.608440] btrfs_mount+0x13b/0x3e0 [btrfs] + (...) + [87850.629477] ---[ end trace 68802022b99a1ea0 ]--- + [87850.630849] BTRFS: error (device sdc) in btrfs_commit_transaction:2381: errno=-5 IO failure (Error while writing out transaction) + [87850.632422] BTRFS warning (device sdc): Skipping commit of aborted transaction. + [87850.633416] BTRFS: error (device sdc) in cleanup_transaction:1978: errno=-5 IO failure + [87850.634553] BTRFS: error (device sdc) in btrfs_replay_log:2431: errno=-5 IO failure (Failed to recover log tree) + [87850.637529] BTRFS error (device sdc): open_ctree failed + +In this example the inode we moved was a directory, so it was easy to +detect the problem because directories can only have one hard link and +the tree checker immediately detects that. If the moved inode was a file, +then the log replay would succeed and we would end up having both the +new hard link (/mnt/foo) and the old hard link (/mnt/testdir/foo) present, +but only the new one should be present. + +Fix this by forcing re-logging of the old parent directory when logging +the new name during a rename operation. This ensures we end up with a log +that is authoritative for a range covering the keys for the old dentry, +therefore causing the old dentry do be deleted when replaying the log. + +A test case for fstests will follow up soon. + +Fixes: 64d6b281ba4db0 ("btrfs: remove unnecessary check_parent_dirs_for_sync()") +CC: stable@vger.kernel.org # 5.12+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -6457,6 +6457,24 @@ void btrfs_log_new_name(struct btrfs_tra + (!old_dir || old_dir->logged_trans < trans->transid)) + return; + ++ /* ++ * If we are doing a rename (old_dir is not NULL) from a directory that ++ * was previously logged, make sure the next log attempt on the directory ++ * is not skipped and logs the inode again. This is because the log may ++ * not currently be authoritative for a range including the old ++ * BTRFS_DIR_ITEM_KEY and BTRFS_DIR_INDEX_KEY keys, so we want to make ++ * sure after a log replay we do not end up with both the new and old ++ * dentries around (in case the inode is a directory we would have a ++ * directory with two hard links and 2 inode references for different ++ * parents). The next log attempt of old_dir will happen at ++ * btrfs_log_all_parents(), called through btrfs_log_inode_parent() ++ * below, because we have previously set inode->last_unlink_trans to the ++ * current transaction ID, either here or at btrfs_record_unlink_dir() in ++ * case inode is a directory. ++ */ ++ if (old_dir) ++ old_dir->logged_trans = 0; ++ + btrfs_init_log_ctx(&ctx, &inode->vfs_inode); + ctx.logging_new_name = true; + /* diff --git a/queue-5.12/btrfs-zoned-fix-parallel-compressed-writes.patch b/queue-5.12/btrfs-zoned-fix-parallel-compressed-writes.patch new file mode 100644 index 00000000000..a136bc9b939 --- /dev/null +++ b/queue-5.12/btrfs-zoned-fix-parallel-compressed-writes.patch @@ -0,0 +1,136 @@ +From 764c7c9a464b68f7c6a5a9ec0b923176a05e8e8f Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Wed, 19 May 2021 00:40:28 +0900 +Subject: btrfs: zoned: fix parallel compressed writes + +From: Johannes Thumshirn + +commit 764c7c9a464b68f7c6a5a9ec0b923176a05e8e8f upstream. + +When multiple processes write data to the same block group on a +compressed zoned filesystem, the underlying device could report I/O +errors and data corruption is possible. + +This happens because on a zoned file system, compressed data writes +where sent to the device via a REQ_OP_WRITE instead of a +REQ_OP_ZONE_APPEND operation. But with REQ_OP_WRITE and parallel +submission it cannot be guaranteed that the data is always submitted +aligned to the underlying zone's write pointer. + +The change to using REQ_OP_ZONE_APPEND instead of REQ_OP_WRITE on a +zoned filesystem is non intrusive on a regular file system or when +submitting to a conventional zone on a zoned filesystem, as it is +guarded by btrfs_use_zone_append. + +Reported-by: David Sterba +Fixes: 9d294a685fbc ("btrfs: zoned: enable to mount ZONED incompat flag") +CC: stable@vger.kernel.org # 5.12.x: e380adfc213a13: btrfs: zoned: pass start block to btrfs_use_zone_append +CC: stable@vger.kernel.org # 5.12.x +Signed-off-by: Johannes Thumshirn +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/compression.c | 42 ++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 38 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/compression.c ++++ b/fs/btrfs/compression.c +@@ -28,6 +28,7 @@ + #include "compression.h" + #include "extent_io.h" + #include "extent_map.h" ++#include "zoned.h" + + static const char* const btrfs_compress_types[] = { "", "zlib", "lzo", "zstd" }; + +@@ -349,6 +350,7 @@ static void end_compressed_bio_write(str + */ + inode = cb->inode; + cb->compressed_pages[0]->mapping = cb->inode->i_mapping; ++ btrfs_record_physical_zoned(inode, cb->start, bio); + btrfs_writepage_endio_finish_ordered(cb->compressed_pages[0], + cb->start, cb->start + cb->len - 1, + bio->bi_status == BLK_STS_OK); +@@ -401,6 +403,8 @@ blk_status_t btrfs_submit_compressed_wri + u64 first_byte = disk_start; + blk_status_t ret; + int skip_sum = inode->flags & BTRFS_INODE_NODATASUM; ++ const bool use_append = btrfs_use_zone_append(inode, disk_start); ++ const unsigned int bio_op = use_append ? REQ_OP_ZONE_APPEND : REQ_OP_WRITE; + + WARN_ON(!PAGE_ALIGNED(start)); + cb = kmalloc(compressed_bio_size(fs_info, compressed_len), GFP_NOFS); +@@ -418,10 +422,31 @@ blk_status_t btrfs_submit_compressed_wri + cb->nr_pages = nr_pages; + + bio = btrfs_bio_alloc(first_byte); +- bio->bi_opf = REQ_OP_WRITE | write_flags; ++ bio->bi_opf = bio_op | write_flags; + bio->bi_private = cb; + bio->bi_end_io = end_compressed_bio_write; + ++ if (use_append) { ++ struct extent_map *em; ++ struct map_lookup *map; ++ struct block_device *bdev; ++ ++ em = btrfs_get_chunk_map(fs_info, disk_start, PAGE_SIZE); ++ if (IS_ERR(em)) { ++ kfree(cb); ++ bio_put(bio); ++ return BLK_STS_NOTSUPP; ++ } ++ ++ map = em->map_lookup; ++ /* We only support single profile for now */ ++ ASSERT(map->num_stripes == 1); ++ bdev = map->stripes[0].dev->bdev; ++ ++ bio_set_dev(bio, bdev); ++ free_extent_map(em); ++ } ++ + if (blkcg_css) { + bio->bi_opf |= REQ_CGROUP_PUNT; + kthread_associate_blkcg(blkcg_css); +@@ -432,6 +457,7 @@ blk_status_t btrfs_submit_compressed_wri + bytes_left = compressed_len; + for (pg_index = 0; pg_index < cb->nr_pages; pg_index++) { + int submit = 0; ++ int len; + + page = compressed_pages[pg_index]; + page->mapping = inode->vfs_inode.i_mapping; +@@ -439,9 +465,13 @@ blk_status_t btrfs_submit_compressed_wri + submit = btrfs_bio_fits_in_stripe(page, PAGE_SIZE, bio, + 0); + ++ if (pg_index == 0 && use_append) ++ len = bio_add_zone_append_page(bio, page, PAGE_SIZE, 0); ++ else ++ len = bio_add_page(bio, page, PAGE_SIZE, 0); ++ + page->mapping = NULL; +- if (submit || bio_add_page(bio, page, PAGE_SIZE, 0) < +- PAGE_SIZE) { ++ if (submit || len < PAGE_SIZE) { + /* + * inc the count before we submit the bio so + * we know the end IO handler won't happen before +@@ -465,11 +495,15 @@ blk_status_t btrfs_submit_compressed_wri + } + + bio = btrfs_bio_alloc(first_byte); +- bio->bi_opf = REQ_OP_WRITE | write_flags; ++ bio->bi_opf = bio_op | write_flags; + bio->bi_private = cb; + bio->bi_end_io = end_compressed_bio_write; + if (blkcg_css) + bio->bi_opf |= REQ_CGROUP_PUNT; ++ /* ++ * Use bio_add_page() to ensure the bio has at least one ++ * page. ++ */ + bio_add_page(bio, page, PAGE_SIZE, 0); + } + if (bytes_left < PAGE_SIZE) { diff --git a/queue-5.12/btrfs-zoned-pass-start-block-to-btrfs_use_zone_append.patch b/queue-5.12/btrfs-zoned-pass-start-block-to-btrfs_use_zone_append.patch new file mode 100644 index 00000000000..71cff4cd20d --- /dev/null +++ b/queue-5.12/btrfs-zoned-pass-start-block-to-btrfs_use_zone_append.patch @@ -0,0 +1,89 @@ +From e380adfc213a13677993c0e35cb48f5a8e61ebb0 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Wed, 19 May 2021 00:40:27 +0900 +Subject: btrfs: zoned: pass start block to btrfs_use_zone_append + +From: Johannes Thumshirn + +commit e380adfc213a13677993c0e35cb48f5a8e61ebb0 upstream. + +btrfs_use_zone_append only needs the passed in extent_map's block_start +member, so there's no need to pass in the full extent map. + +This also enables the use of btrfs_use_zone_append in places where we only +have a start byte but no extent_map. + +Signed-off-by: Johannes Thumshirn +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 2 +- + fs/btrfs/inode.c | 2 +- + fs/btrfs/zoned.c | 4 ++-- + fs/btrfs/zoned.h | 5 ++--- + 4 files changed, 6 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -3762,7 +3762,7 @@ static noinline_for_stack int __extent_w + /* Note that em_end from extent_map_end() is exclusive */ + iosize = min(em_end, end + 1) - cur; + +- if (btrfs_use_zone_append(inode, em)) ++ if (btrfs_use_zone_append(inode, em->block_start)) + opf = REQ_OP_ZONE_APPEND; + + free_extent_map(em); +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -7782,7 +7782,7 @@ static int btrfs_dio_iomap_begin(struct + iomap->bdev = fs_info->fs_devices->latest_bdev; + iomap->length = len; + +- if (write && btrfs_use_zone_append(BTRFS_I(inode), em)) ++ if (write && btrfs_use_zone_append(BTRFS_I(inode), em->block_start)) + iomap->flags |= IOMAP_F_ZONE_APPEND; + + free_extent_map(em); +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -1278,7 +1278,7 @@ void btrfs_free_redirty_list(struct btrf + spin_unlock(&trans->releasing_ebs_lock); + } + +-bool btrfs_use_zone_append(struct btrfs_inode *inode, struct extent_map *em) ++bool btrfs_use_zone_append(struct btrfs_inode *inode, u64 start) + { + struct btrfs_fs_info *fs_info = inode->root->fs_info; + struct btrfs_block_group *cache; +@@ -1293,7 +1293,7 @@ bool btrfs_use_zone_append(struct btrfs_ + if (!is_data_inode(&inode->vfs_inode)) + return false; + +- cache = btrfs_lookup_block_group(fs_info, em->block_start); ++ cache = btrfs_lookup_block_group(fs_info, start); + ASSERT(cache); + if (!cache) + return false; +--- a/fs/btrfs/zoned.h ++++ b/fs/btrfs/zoned.h +@@ -47,7 +47,7 @@ void btrfs_calc_zone_unusable(struct btr + void btrfs_redirty_list_add(struct btrfs_transaction *trans, + struct extent_buffer *eb); + void btrfs_free_redirty_list(struct btrfs_transaction *trans); +-bool btrfs_use_zone_append(struct btrfs_inode *inode, struct extent_map *em); ++bool btrfs_use_zone_append(struct btrfs_inode *inode, u64 start); + void btrfs_record_physical_zoned(struct inode *inode, u64 file_offset, + struct bio *bio); + void btrfs_rewrite_logical_zoned(struct btrfs_ordered_extent *ordered); +@@ -146,8 +146,7 @@ static inline void btrfs_redirty_list_ad + struct extent_buffer *eb) { } + static inline void btrfs_free_redirty_list(struct btrfs_transaction *trans) { } + +-static inline bool btrfs_use_zone_append(struct btrfs_inode *inode, +- struct extent_map *em) ++static inline bool btrfs_use_zone_append(struct btrfs_inode *inode, u64 start) + { + return false; + } diff --git a/queue-5.12/cifs-fix-memory-leak-in-smb2_copychunk_range.patch b/queue-5.12/cifs-fix-memory-leak-in-smb2_copychunk_range.patch new file mode 100644 index 00000000000..e30bbd2a732 --- /dev/null +++ b/queue-5.12/cifs-fix-memory-leak-in-smb2_copychunk_range.patch @@ -0,0 +1,36 @@ +From d201d7631ca170b038e7f8921120d05eec70d7c5 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Wed, 19 May 2021 08:40:11 +1000 +Subject: cifs: fix memory leak in smb2_copychunk_range + +From: Ronnie Sahlberg + +commit d201d7631ca170b038e7f8921120d05eec70d7c5 upstream. + +When using smb2_copychunk_range() for large ranges we will +run through several iterations of a loop calling SMB2_ioctl() +but never actually free the returned buffer except for the final +iteration. +This leads to memory leaks everytime a large copychunk is requested. + +Fixes: 9bf0c9cd4314 ("CIFS: Fix SMB2/SMB3 Copy offload support (refcopy) for large files") +Cc: +Reviewed-by: Aurelien Aptel +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1822,6 +1822,8 @@ smb2_copychunk_range(const unsigned int + cpu_to_le32(min_t(u32, len, tcon->max_bytes_chunk)); + + /* Request server copy to target from src identified by key */ ++ kfree(retbuf); ++ retbuf = NULL; + rc = SMB2_ioctl(xid, tcon, trgtfile->fid.persistent_fid, + trgtfile->fid.volatile_fid, FSCTL_SRV_COPYCHUNK_WRITE, + true /* is_fsctl */, (char *)pcchunk, diff --git a/queue-5.12/fs-mount_setattr-tighten-permission-checks.patch b/queue-5.12/fs-mount_setattr-tighten-permission-checks.patch new file mode 100644 index 00000000000..a64482cce6c --- /dev/null +++ b/queue-5.12/fs-mount_setattr-tighten-permission-checks.patch @@ -0,0 +1,44 @@ +From 2ca4dcc4909d787ee153272f7efc2bff3b498720 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 11 May 2021 16:30:15 +0200 +Subject: fs/mount_setattr: tighten permission checks + +From: Christian Brauner + +commit 2ca4dcc4909d787ee153272f7efc2bff3b498720 upstream. + +We currently don't have any filesystems that support idmapped mounts +which are mountable inside a user namespace. That was a deliberate +decision for now as a userns root can just mount the filesystem +themselves. So enforce this restriction explicitly until there's a real +use-case for this. This way we can notice it and will have a chance to +adapt and audit our translation helpers and fstests appropriately if we +need to support such filesystems. + +Cc: Christoph Hellwig +Cc: Al Viro +Cc: stable@vger.kernel.org +CC: linux-fsdevel@vger.kernel.org +Suggested-by: Seth Forshee +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -3853,8 +3853,12 @@ static int can_idmap_mount(const struct + if (!(m->mnt_sb->s_type->fs_flags & FS_ALLOW_IDMAP)) + return -EINVAL; + ++ /* Don't yet support filesystem mountable in user namespaces. */ ++ if (m->mnt_sb->s_user_ns != &init_user_ns) ++ return -EINVAL; ++ + /* We're not controlling the superblock. */ +- if (!ns_capable(m->mnt_sb->s_user_ns, CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + /* Mount has already been visible in the filesystem hierarchy. */ diff --git a/queue-5.12/misc-eeprom-at24-check-suspend-status-before-disable-regulator.patch b/queue-5.12/misc-eeprom-at24-check-suspend-status-before-disable-regulator.patch new file mode 100644 index 00000000000..7623d40a07f --- /dev/null +++ b/queue-5.12/misc-eeprom-at24-check-suspend-status-before-disable-regulator.patch @@ -0,0 +1,45 @@ +From 2962484dfef8dbb7f9059822bc26ce8a04d0e47c Mon Sep 17 00:00:00 2001 +From: Hsin-Yi Wang +Date: Tue, 20 Apr 2021 21:30:50 +0800 +Subject: misc: eeprom: at24: check suspend status before disable regulator + +From: Hsin-Yi Wang + +commit 2962484dfef8dbb7f9059822bc26ce8a04d0e47c upstream. + +cd5676db0574 ("misc: eeprom: at24: support pm_runtime control") disables +regulator in runtime suspend. If runtime suspend is called before +regulator disable, it will results in regulator unbalanced disabling. + +Fixes: cd5676db0574 ("misc: eeprom: at24: support pm_runtime control") +Cc: stable +Acked-by: Bartosz Golaszewski +Signed-off-by: Hsin-Yi Wang +Link: https://lore.kernel.org/r/20210420133050.377209-1-hsinyi@chromium.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/eeprom/at24.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/misc/eeprom/at24.c ++++ b/drivers/misc/eeprom/at24.c +@@ -763,7 +763,8 @@ static int at24_probe(struct i2c_client + at24->nvmem = devm_nvmem_register(dev, &nvmem_config); + if (IS_ERR(at24->nvmem)) { + pm_runtime_disable(dev); +- regulator_disable(at24->vcc_reg); ++ if (!pm_runtime_status_suspended(dev)) ++ regulator_disable(at24->vcc_reg); + return PTR_ERR(at24->nvmem); + } + +@@ -774,7 +775,8 @@ static int at24_probe(struct i2c_client + err = at24_read(at24, 0, &test_byte, 1); + if (err) { + pm_runtime_disable(dev); +- regulator_disable(at24->vcc_reg); ++ if (!pm_runtime_status_suspended(dev)) ++ regulator_disable(at24->vcc_reg); + return -ENODEV; + } + diff --git a/queue-5.12/series b/queue-5.12/series index 837aac204da..01d2de25531 100644 --- a/queue-5.12/series +++ b/queue-5.12/series @@ -32,3 +32,14 @@ perf-x86-avoid-touching-lbr_tos-msr-for-arch-lbr.patch locking-lockdep-correct-calling-tracepoints.patch locking-mutex-clear-mutex_flags-if-wait_list-is-empt.patch powerpc-fix-early-setup-to-make-early_ioremap-work.patch +btrfs-avoid-rcu-stalls-while-running-delayed-iputs.patch +btrfs-fix-removed-dentries-still-existing-after-log-is-synced.patch +btrfs-zoned-pass-start-block-to-btrfs_use_zone_append.patch +btrfs-zoned-fix-parallel-compressed-writes.patch +cifs-fix-memory-leak-in-smb2_copychunk_range.patch +fs-mount_setattr-tighten-permission-checks.patch +misc-eeprom-at24-check-suspend-status-before-disable-regulator.patch +alsa-dice-fix-stream-format-for-tc-electronic-konnekt-live-at-high-sampling-transfer-frequency.patch +alsa-intel8x0-don-t-update-period-unless-prepared.patch +alsa-firewire-lib-fix-amdtp_packet-tracepoints-event-for-packet_index-field.patch +alsa-line6-fix-racy-initialization-of-line6-midi.patch -- 2.47.3