From 391e1e3ca03706b781bda2dcef168ffd7ec7fbd2 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 3 Dec 2024 07:33:30 -0500 Subject: [PATCH] Fixes for 5.10 
Signed-off-by: Sasha Levin --- queue-5.10/9p-xen-fix-init-sequence.patch | 56 ++++++ queue-5.10/9p-xen-fix-release-of-irq.patch | 42 +++++ ...return-unsigned-int-from-bdev_io_min.patch | 39 ++++ ...s2-fix-use-of-uninitialized-variable.patch | 57 ++++++ ...move-incorrect-code-in-do_eisa_entry.patch | 86 +++++++++ ...s-ignore-sb_rdonly-when-mounting-nfs.patch | 79 ++++++++ ...e-after-free-problem-in-the-asynchro.patch | 52 ++++++ ...t-fail-temperature-reads-on-undervol.patch | 49 +++++ ...dt-bit-position-of-the-status-regist.patch | 39 ++++ ...tc_read_time-was-successful-in-rtc_t.patch | 53 ++++++ ...e-irqf_no_autoen-flag-in-request_irq.patch | 50 +++++ queue-5.10/series | 23 +++ ...after-free-bug-in-register_intc_cont.patch | 46 +++++ ...t_sock_upd_timeout-when-reset-transp.patch | 38 ++++ ...pc_client-refcount-to-use-refcount_t.patch | 161 +++++++++++++++++ ...rror-code-comment-in-xs_tcp_setup_so.patch | 49 +++++ ...necessary-test-in-rpc_task_set_clien.patch | 67 +++++++ ...internal-use-of-sockwq_async_nospace.patch | 114 ++++++++++++ ...duplicate-slab-cache-names-while-att.patch | 104 +++++++++++ ...tion-fix-use-after-free-in-ubifs_tnc.patch | 171 ++++++++++++++++++ ...e-total-block-count-by-deducting-jou.patch | 46 +++++ ...race-for-specified-task-in-show_stac.patch | 37 ++++ ...-integer-overflow-during-physmem-set.patch | 50 +++++ ...n-value-of-elf_core_copy_task_fpregs.patch | 36 ++++ 24 files changed, 1544 insertions(+) create mode 100644 queue-5.10/9p-xen-fix-init-sequence.patch create mode 100644 queue-5.10/9p-xen-fix-release-of-irq.patch create mode 100644 queue-5.10/block-return-unsigned-int-from-bdev_io_min.patch create mode 100644 queue-5.10/jffs2-fix-use-of-uninitialized-variable.patch create mode 100644 queue-5.10/modpost-remove-incorrect-code-in-do_eisa_entry.patch create mode 100644 queue-5.10/nfs-ignore-sb_rdonly-when-mounting-nfs.patch create mode 100644 queue-5.10/nfsv4.0-fix-a-use-after-free-problem-in-the-asynchro.patch create mode 100644 
queue-5.10/rtc-ab-eoz9-don-t-fail-temperature-reads-on-undervol.patch create mode 100644 queue-5.10/rtc-abx80x-fix-wdt-bit-position-of-the-status-regist.patch create mode 100644 queue-5.10/rtc-check-if-__rtc_read_time-was-successful-in-rtc_t.patch create mode 100644 queue-5.10/rtc-st-lpc-use-irqf_no_autoen-flag-in-request_irq.patch create mode 100644 queue-5.10/sh-intc-fix-use-after-free-bug-in-register_intc_cont.patch create mode 100644 queue-5.10/sunrpc-clear-xprt_sock_upd_timeout-when-reset-transp.patch create mode 100644 queue-5.10/sunrpc-convert-rpc_client-refcount-to-use-refcount_t.patch create mode 100644 queue-5.10/sunrpc-correct-error-code-comment-in-xs_tcp_setup_so.patch create mode 100644 queue-5.10/sunrpc-remove-unnecessary-test-in-rpc_task_set_clien.patch create mode 100644 queue-5.10/sunrpc-replace-internal-use-of-sockwq_async_nospace.patch create mode 100644 queue-5.10/ubi-fastmap-fix-duplicate-slab-cache-names-while-att.patch create mode 100644 queue-5.10/ubifs-authentication-fix-use-after-free-in-ubifs_tnc.patch create mode 100644 queue-5.10/ubifs-correct-the-total-block-count-by-deducting-jou.patch create mode 100644 queue-5.10/um-always-dump-trace-for-specified-task-in-show_stac.patch create mode 100644 queue-5.10/um-fix-potential-integer-overflow-during-physmem-set.patch create mode 100644 queue-5.10/um-fix-the-return-value-of-elf_core_copy_task_fpregs.patch diff --git a/queue-5.10/9p-xen-fix-init-sequence.patch b/queue-5.10/9p-xen-fix-init-sequence.patch new file mode 100644 index 00000000000..899a5a14b93 --- /dev/null +++ b/queue-5.10/9p-xen-fix-init-sequence.patch 
@@ -0,0 +1,56 @@ +From 4b18ee21ed4ea88ebeb6c74ea7e5edf067018fd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 21:16:33 +0000 +Subject: 9p/xen: fix init sequence + +From: Alex Zenla + +[ Upstream commit 7ef3ae82a6ebbf4750967d1ce43bcdb7e44ff74b ] + +Large amount of mount hangs observed during hotplugging of 9pfs devices. The +9pfs Xen driver attempts to initialize itself more than once, causing the +frontend and backend to disagree: the backend listens on a channel that the +frontend does not send on, resulting in stalled processing. + +Only allow initialization of 9p frontend once. + +Fixes: c15fe55d14b3b ("9p/xen: fix connection sequence") +Signed-off-by: Alex Zenla +Signed-off-by: Alexander Merritt +Signed-off-by: Ariadne Conill +Reviewed-by: Juergen Gross +Message-ID: <20241119211633.38321-1-alexander@edera.dev> +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_xen.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c +index da056170849bf..dc8702024c555 100644 +--- a/net/9p/trans_xen.c ++++ b/net/9p/trans_xen.c +@@ -487,6 +487,7 @@ static int xen_9pfs_front_init(struct xenbus_device *dev) + goto error; + } + ++ xenbus_switch_state(dev, XenbusStateInitialised); + return 0; + + error_xenbus: +@@ -534,8 +535,10 @@ static void xen_9pfs_front_changed(struct xenbus_device *dev, + break; + + case XenbusStateInitWait: +- if (!xen_9pfs_front_init(dev)) +- xenbus_switch_state(dev, XenbusStateInitialised); ++ if (dev->state != XenbusStateInitialising) ++ break; ++ ++ xen_9pfs_front_init(dev); + break; + + case XenbusStateConnected: +-- +2.43.0 + diff --git a/queue-5.10/9p-xen-fix-release-of-irq.patch b/queue-5.10/9p-xen-fix-release-of-irq.patch new file mode 100644 index 00000000000..67fab2683a2 --- /dev/null +++ b/queue-5.10/9p-xen-fix-release-of-irq.patch 
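Review bot: The return value of xen_9pfs_front_init() is now discarded in the XenbusStateInitWait branch of xen_9pfs_front_changed(), so a failed init leaves the device sitting in XenbusStateInitialising with nothing at this call site reporting it; the replaced `if (!xen_9pfs_front_init(dev))` at least gated the state switch on success. If the error labels inside xen_9pfs_front_init() (only `goto error` and `error_xenbus:` are visible, their bodies are outside the hunk) already call xenbus_dev_fatal(), that is sufficient; otherwise the failure should be logged, e.g. `if (xen_9pfs_front_init(dev)) dev_err(&dev->dev, "9pfs frontend init failed\n");`. A comment above the new `dev->state` check, `/* init exactly once: the backend listens on the channel set up by the first call */`, would record why the guard exists. Both functions start and end outside the hunk.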
@@ -0,0 +1,42 @@ +From 5101bd9ca388ad3d74175d59f5cac3bb0a00fa37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Nov 2024 22:51:00 +0000 +Subject: 9p/xen: fix release of IRQ + +From: Alex Zenla + +[ Upstream commit e43c608f40c065b30964f0a806348062991b802d ] + +Kernel logs indicate an IRQ was double-freed. + +Pass correct device ID during IRQ release. + +Fixes: 71ebd71921e45 ("xen/9pfs: connect to the backend") +Signed-off-by: Alex Zenla +Signed-off-by: Alexander Merritt +Signed-off-by: Ariadne Conill +Reviewed-by: Juergen Gross +Message-ID: <20241121225100.5736-1-alexander@edera.dev> +[Dominique: remove confusing variable reset to 0] +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_xen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c +index dc8702024c555..5ff1892edbf2e 100644 +--- a/net/9p/trans_xen.c ++++ b/net/9p/trans_xen.c +@@ -307,7 +307,7 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv) + if (!priv->rings[i].intf) + break; + if (priv->rings[i].irq > 0) +- unbind_from_irqhandler(priv->rings[i].irq, priv->dev); ++ unbind_from_irqhandler(priv->rings[i].irq, ring); + if (priv->rings[i].data.in) { + for (j = 0; + j < (1 << priv->rings[i].intf->ring_order); +-- +2.43.0 + diff --git a/queue-5.10/block-return-unsigned-int-from-bdev_io_min.patch b/queue-5.10/block-return-unsigned-int-from-bdev_io_min.patch new file mode 100644 index 00000000000..ae7cc125bf0 --- /dev/null +++ b/queue-5.10/block-return-unsigned-int-from-bdev_io_min.patch 
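Review bot: After the corrected `unbind_from_irqhandler(priv->rings[i].irq, ring)`, `priv->rings[i].irq` keeps its value, so the `if (priv->rings[i].irq > 0)` guard on the line above would not stop a second pass through xen_9pfs_front_free() on the same priv from unbinding the IRQ again; the trailer says a reset to 0 was deliberately dropped, so this presumably relies on the free running once per priv, which the hunk cannot show. If that invariant holds, a comment such as `/* irq deliberately not reset: xen_9pfs_front_free() runs once per priv */` makes it explicit; if it does not, `priv->rings[i].irq = 0;` after the unbind is the cheaper guard. `ring` is declared outside the hunk; I am assuming it is the per-ring cookie that was registered with the handler, which is what the double-free symptom implies.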
@@ -0,0 +1,39 @@ +From b4df6662ab1065c41b0fe49ca30406f4847bfe94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Nov 2024 08:26:02 +0100 +Subject: block: return unsigned int from bdev_io_min + +From: Christoph Hellwig + +[ Upstream commit 46fd48ab3ea3eb3bb215684bd66ea3d260b091a9 ] + +The underlying limit is defined as an unsigned int, so return that from +bdev_io_min as well. + +Fixes: ac481c20ef8f ("block: Topology ioctls") +Signed-off-by: Christoph Hellwig +Reviewed-by: Martin K. Petersen +Reviewed-by: John Garry +Link: https://lore.kernel.org/r/20241119072602.1059488-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/blkdev.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index e5f11dae208dd..7ad4df2c25255 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1468,7 +1468,7 @@ static inline unsigned int queue_io_min(const struct request_queue *q) + return q->limits.io_min; + } + +-static inline int bdev_io_min(struct block_device *bdev) ++static inline unsigned int bdev_io_min(struct block_device *bdev) + { + return queue_io_min(bdev_get_queue(bdev)); + } +-- +2.43.0 + diff --git a/queue-5.10/jffs2-fix-use-of-uninitialized-variable.patch b/queue-5.10/jffs2-fix-use-of-uninitialized-variable.patch new file mode 100644 index 00000000000..05b87a1cf25 --- /dev/null +++ b/queue-5.10/jffs2-fix-use-of-uninitialized-variable.patch 
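Review bot: Changing bdev_io_min() to return unsigned int is consistent with queue_io_min(), but the diffstat touches only blkdev.h, so any caller that stored the result in an `int` or compared it against a signed expression now performs a signed/unsigned comparison; a grep of callers is worth doing before merging. Both inline functions are fully visible in the hunk.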
@@ -0,0 +1,57 @@ +From 8dd2af0086c60621227cc473c237e45168a7741e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2024 12:52:05 +0800 +Subject: jffs2: fix use of uninitialized variable + +From: Qingfang Deng + +[ Upstream commit 3ba44ee966bc3c41dd8a944f963466c8fcc60dc8 ] + +When building the kernel with -Wmaybe-uninitialized, the compiler +reports this warning: + +In function 'jffs2_mark_erased_block', + inlined from 'jffs2_erase_pending_blocks' at fs/jffs2/erase.c:116:4: +fs/jffs2/erase.c:474:9: warning: 'bad_offset' may be used uninitialized [-Wmaybe-uninitialized] + 474 | jffs2_erase_failed(c, jeb, bad_offset); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +fs/jffs2/erase.c: In function 'jffs2_erase_pending_blocks': +fs/jffs2/erase.c:402:18: note: 'bad_offset' was declared here + 402 | uint32_t bad_offset; + | ^~~~~~~~~~ + +When mtd->point() is used, jffs2_erase_pending_blocks can return -EIO +without initializing bad_offset, which is later used at the filebad +label in jffs2_mark_erased_block. +Fix it by initializing this variable. 
+ +Fixes: 8a0f572397ca ("[JFFS2] Return values of jffs2_block_check_erase error paths") +Signed-off-by: Qingfang Deng +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/jffs2/erase.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c +index 7e9abdb897122..5fbaf6ab9f482 100644 +--- a/fs/jffs2/erase.c ++++ b/fs/jffs2/erase.c +@@ -340,10 +340,9 @@ static int jffs2_block_check_erase(struct jffs2_sb_info *c, struct jffs2_erasebl + } while(--retlen); + mtd_unpoint(c->mtd, jeb->offset, c->sector_size); + if (retlen) { +- pr_warn("Newly-erased block contained word 0x%lx at offset 0x%08tx\n", +- *wordebuf, +- jeb->offset + +- c->sector_size-retlen * sizeof(*wordebuf)); ++ *bad_offset = jeb->offset + c->sector_size - retlen * sizeof(*wordebuf); ++ pr_warn("Newly-erased block contained word 0x%lx at offset 0x%08x\n", ++ *wordebuf, *bad_offset); + return -EIO; + } + return 0; +-- +2.43.0 + diff --git a/queue-5.10/modpost-remove-incorrect-code-in-do_eisa_entry.patch b/queue-5.10/modpost-remove-incorrect-code-in-do_eisa_entry.patch new file mode 100644 index 00000000000..bd206682ea6 --- /dev/null +++ b/queue-5.10/modpost-remove-incorrect-code-in-do_eisa_entry.patch 
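Review bot: The new `*bad_offset = jeb->offset + c->sector_size - retlen * sizeof(*wordebuf);` sets the out-parameter on this -EIO path of jffs2_block_check_erase(), but nothing near it states that every -EIO return from this function must do so; the description explains that the caller feeds the value to jffs2_erase_failed(), and that contract is easy to break on the next edit. A comment above the assignment, `/* every -EIO return must set *bad_offset: the caller passes it to jffs2_erase_failed() */`, would pin it. The expression is computed in size_t and narrowed to uint32_t on assignment, which matches the `0x%08x` format now used and replaces the earlier `%08tx` mismatch; that is fine as long as flash offsets stay 32-bit, which the uint32_t type of bad_offset suggests. The function starts and ends outside the hunk.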
@@ -0,0 +1,86 @@ +From 19795c692138953b4851b6efcbb870638854ea90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2024 08:56:39 +0900 +Subject: modpost: remove incorrect code in do_eisa_entry() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Masahiro Yamada + +[ Upstream commit 0c3e091319e4748cb36ac9a50848903dc6f54054 ] + +This function contains multiple bugs after the following commits: + + - ac551828993e ("modpost: i2c aliases need no trailing wildcard") + - 6543becf26ff ("mod/file2alias: make modalias generation safe for cross compiling") + +Commit ac551828993e inserted the following code to do_eisa_entry(): + +    else +            strcat(alias, "*"); + +This is incorrect because 'alias' is uninitialized. If it is not +NULL-terminated, strcat() could cause a buffer overrun. + +Even if 'alias' happens to be zero-filled, it would output: + + MODULE_ALIAS("*"); + +This would match anything. As a result, the module could be loaded by +any unrelated uevent from an unrelated subsystem. + +Commit ac551828993e introduced another bug.             + +Prior to that commit, the conditional check was: + +    if (eisa->sig[0]) + +This checked if the first character of eisa_device_id::sig was not '\0'. + +However, commit ac551828993e changed it as follows: + +    if (sig[0]) + +sig[0] is NOT the first character of the eisa_device_id::sig. The +type of 'sig' is 'char (*)[8]', meaning that the type of 'sig[0]' is +'char [8]' instead of 'char'. 'sig[0]' and 'symval' refer to the same +address, which never becomes NULL. + +The correct conversion would have been: + +    if ((*sig)[0]) + +However, this if-conditional was meaningless because the earlier change +in commit ac551828993e was incorrect. + +This commit removes the entire incorrect code, which should never have +been executed. 
+ +Fixes: ac551828993e ("modpost: i2c aliases need no trailing wildcard") +Fixes: 6543becf26ff ("mod/file2alias: make modalias generation safe for cross compiling") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/file2alias.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c +index 7154df094f40b..1c9c33f491e64 100644 +--- a/scripts/mod/file2alias.c ++++ b/scripts/mod/file2alias.c +@@ -786,10 +786,7 @@ static int do_eisa_entry(const char *filename, void *symval, + char *alias) + { + DEF_FIELD_ADDR(symval, eisa_device_id, sig); +- if (sig[0]) +- sprintf(alias, EISA_DEVICE_MODALIAS_FMT "*", *sig); +- else +- strcat(alias, "*"); ++ sprintf(alias, EISA_DEVICE_MODALIAS_FMT "*", *sig); + return 1; + } + +-- +2.43.0 + diff --git a/queue-5.10/nfs-ignore-sb_rdonly-when-mounting-nfs.patch b/queue-5.10/nfs-ignore-sb_rdonly-when-mounting-nfs.patch new file mode 100644 index 00000000000..8a98399a417 --- /dev/null +++ b/queue-5.10/nfs-ignore-sb_rdonly-when-mounting-nfs.patch 
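Review bot: The surviving `sprintf(alias, EISA_DEVICE_MODALIAS_FMT "*", *sig);` formats `*sig`, an 8-byte `char [8]` field of eisa_device_id, and if the format macro converts it with a plain `%s` a signature that fills all 8 bytes without a NUL reads past the field into the neighbouring bytes of symval. Bounding the conversion, for example `"%.*s"` with `(int)sizeof(*sig), *sig`, or copying into a NUL-terminated local first, removes the dependency on the module's table carrying a terminator. The write into alias is also unbounded; that is pre-existing modpost style, but `snprintf(alias, <alias buffer size>, ...)` is the defensive form if the caller's buffer size is available. do_eisa_entry() is fully visible; the format macro and the alias buffer are not.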
@@ -0,0 +1,79 @@ +From 7167d6c14d4cdd12c49f60dc878a7b202e67a32a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2024 12:53:03 +0800 +Subject: nfs: ignore SB_RDONLY when mounting nfs + +From: Li Lingfeng + +[ Upstream commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3 ] + +When exporting only one file system with fsid=0 on the server side, the +client alternately uses the ro/rw mount options to perform the mount +operation, and a new vfsmount is generated each time. + +It can be reproduced as follows: +[root@localhost ~]# mount /dev/sda /mnt2 +[root@localhost ~]# echo "/mnt2 *(rw,no_root_squash,fsid=0)" >/etc/exports +[root@localhost ~]# systemctl restart nfs-server +[root@localhost ~]# mount -t nfs -o ro,vers=4 127.0.0.1:/ /mnt/sdaa +[root@localhost ~]# mount -t nfs -o rw,vers=4 127.0.0.1:/ /mnt/sdaa +[root@localhost ~]# mount -t nfs -o ro,vers=4 127.0.0.1:/ /mnt/sdaa +[root@localhost ~]# mount -t nfs -o rw,vers=4 127.0.0.1:/ /mnt/sdaa +[root@localhost ~]# mount | grep nfs4 +127.0.0.1:/ on /mnt/sdaa type nfs4 (ro,relatime,vers=4.2,rsize=1048576,... +127.0.0.1:/ on /mnt/sdaa type nfs4 (rw,relatime,vers=4.2,rsize=1048576,... +127.0.0.1:/ on /mnt/sdaa type nfs4 (ro,relatime,vers=4.2,rsize=1048576,... +127.0.0.1:/ on /mnt/sdaa type nfs4 (rw,relatime,vers=4.2,rsize=1048576,... +[root@localhost ~]# + +We expected that after mounting with the ro option, using the rw option to +mount again would return EBUSY, but the actual situation was not the case. + +As shown above, when mounting for the first time, a superblock with the ro +flag will be generated, and at the same time, in do_new_mount_fc --> +do_add_mount, it detects that the superblock corresponding to the current +target directory is inconsistent with the currently generated one +(path->mnt->mnt_sb != newmnt->mnt.mnt_sb), and a new vfsmount will be +generated. 
+ +When mounting with the rw option for the second time, since no matching +superblock can be found in the fs_supers list, a new superblock with the +rw flag will be generated again. The superblock in use (ro) is different +from the newly generated superblock (rw), and a new vfsmount will be +generated again. + +When mounting with the ro option for the third time, the superblock (ro) +is found in fs_supers, the superblock in use (rw) is different from the +found superblock (ro), and a new vfsmount will be generated again. + +We can switch between ro/rw through remount, and only one superblock needs +to be generated, thus avoiding the problem of repeated generation of +vfsmount caused by switching superblocks. + +Furthermore, This can also resolve the issue described in the link. + +Fixes: 275a5d24bf56 ("NFS: Error when mounting the same filesystem with different options") +Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/ +Signed-off-by: Li Lingfeng +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 566f1b11f62f7..394a82d470d55 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -11,7 +11,7 @@ + #include + #include + +-#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) ++#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS) + + extern const struct export_operations nfs_export_ops; + +-- +2.43.0 + diff --git a/queue-5.10/nfsv4.0-fix-a-use-after-free-problem-in-the-asynchro.patch b/queue-5.10/nfsv4.0-fix-a-use-after-free-problem-in-the-asynchro.patch new file mode 100644 index 00000000000..bd7694eef40 --- /dev/null +++ b/queue-5.10/nfsv4.0-fix-a-use-after-free-problem-in-the-asynchro.patch 
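Review bot: Dropping SB_RDONLY from NFS_SB_MASK is a one-token change whose rationale lives only in the commit message; a later reader of internal.h will not know that ro/rw is meant to be switched by remount on a single superblock rather than by matching a second superblock. A comment above the define, `/* SB_RDONLY is deliberately absent: ro/rw is switched by remount so one superblock serves both */`, keeps that reasoning with the code.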
@@ -0,0 +1,52 @@ +From 5f86f98e0763c13b7dff87b1f786780408f24881 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Nov 2024 12:13:31 -0500 +Subject: NFSv4.0: Fix a use-after-free problem in the asynchronous open() + +From: Trond Myklebust + +[ Upstream commit 2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889 ] + +Yang Erkun reports that when two threads are opening files at the same +time, and are forced to abort before a reply is seen, then the call to +nfs_release_seqid() in nfs4_opendata_free() can result in a +use-after-free of the pointer to the defunct rpc task of the other +thread. +The fix is to ensure that if the RPC call is aborted before the call to +nfs_wait_on_sequence() is complete, then we must call nfs_release_seqid() +in nfs4_open_release() before the rpc_task is freed. + +Reported-by: Yang Erkun +Fixes: 24ac23ab88df ("NFSv4: Convert open() into an asynchronous RPC call") +Reviewed-by: Yang Erkun +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 1ff3f9efbe519..ac3fab214df12 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2518,12 +2518,14 @@ static void nfs4_open_release(void *calldata) + struct nfs4_opendata *data = calldata; + struct nfs4_state *state = NULL; + ++ /* In case of error, no cleanup! */ ++ if (data->rpc_status != 0 || !data->rpc_done) { ++ nfs_release_seqid(data->o_arg.seqid); ++ goto out_free; ++ } + /* If this request hasn't been cancelled, do nothing */ + if (!data->cancelled) + goto out_free; +- /* In case of error, no cleanup! */ +- if (data->rpc_status != 0 || !data->rpc_done) +- goto out_free; + /* In case we need an open_confirm, no cleanup! */ + if (data->o_res.rflags & NFS4_OPEN_RESULT_CONFIRM) + goto out_free; +-- +2.43.0 + 
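Review bot: The comment `/* In case of error, no cleanup! */` is now misleading, because the block beneath it does perform cleanup: it calls nfs_release_seqid() before jumping to out_free. Rewording it to `/* RPC failed or never completed: drop the seqid now, before the task is freed; no state cleanup */` keeps it honest about the new ordering. Since the description says nfs4_opendata_free() also calls nfs_release_seqid(), this relies on releasing the same seqid twice being harmless; presumably nfs_release_seqid() tolerates that, but out_free and the free path are outside the hunk and worth confirming. nfs4_open_release() ends outside the hunk.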
diff --git a/queue-5.10/rtc-ab-eoz9-don-t-fail-temperature-reads-on-undervol.patch b/queue-5.10/rtc-ab-eoz9-don-t-fail-temperature-reads-on-undervol.patch new file mode 100644 index 00000000000..22bc85cc778 --- /dev/null +++ b/queue-5.10/rtc-ab-eoz9-don-t-fail-temperature-reads-on-undervol.patch @@ -0,0 +1,49 @@ +From cdd7e2ffa1824812ba78f2fe16f2de498a7795e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Nov 2024 11:10:30 +0100 +Subject: rtc: ab-eoz9: don't fail temperature reads on undervoltage + notification + +From: Maxime Chevallier + +[ Upstream commit e0779a0dcf41a6452ac0a169cd96863feb5787c7 ] + +The undervoltage flags reported by the RTC are useful to know if the +time and date are reliable after a reboot. Although the threshold VLOW1 +indicates that the thermometer has been shutdown and time compensation +is off, it doesn't mean that the temperature readout is currently +impossible. + +As the system is running, the RTC voltage is now fully established and +we can read the temperature. + +Fixes: 67075b63cce2 ("rtc: add AB-RTCMC-32.768kHz-EOZ9 RTC support") +Signed-off-by: Maxime Chevallier +Link: https://lore.kernel.org/r/20241122101031.68916-3-maxime.chevallier@bootlin.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ab-eoz9.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/rtc/rtc-ab-eoz9.c b/drivers/rtc/rtc-ab-eoz9.c +index d690985caa4cf..1d6a626fdf933 100644 +--- a/drivers/rtc/rtc-ab-eoz9.c ++++ b/drivers/rtc/rtc-ab-eoz9.c +@@ -281,13 +281,6 @@ static int abeoz9z3_temp_read(struct device *dev, + if (ret < 0) + return ret; + +- if ((val & ABEOZ9_REG_CTRL_STATUS_V1F) || +- (val & ABEOZ9_REG_CTRL_STATUS_V2F)) { +- dev_err(dev, +- "thermometer might be disabled due to low voltage\n"); +- return -EINVAL; +- } +- + switch (attr) { + case hwmon_temp_input: + ret = regmap_read(regmap, ABEOZ9_REG_REG_TEMP, &val); +-- +2.43.0 + 
diff --git a/queue-5.10/rtc-abx80x-fix-wdt-bit-position-of-the-status-regist.patch b/queue-5.10/rtc-abx80x-fix-wdt-bit-position-of-the-status-regist.patch new file mode 100644 index 00000000000..3af30c003cd --- /dev/null +++ b/queue-5.10/rtc-abx80x-fix-wdt-bit-position-of-the-status-regist.patch @@ -0,0 +1,39 @@ +From 08e9bd1012790e737c7c5f2bb7c3d16637105fca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Oct 2024 13:17:37 +0900 +Subject: rtc: abx80x: Fix WDT bit position of the status register + +From: Nobuhiro Iwamatsu + +[ Upstream commit 10e078b273ee7a2b8b4f05a64ac458f5e652d18d ] + +The WDT bit in the status register is 5, not 6. This fixes from 6 to 5. + +Link: https://abracon.com/Support/AppsManuals/Precisiontiming/AB08XX-Application-Manual.pdf +Link: https://www.microcrystal.com/fileadmin/Media/Products/RTC/App.Manual/RV-1805-C3_App-Manual.pdf +Fixes: 749e36d0a0d7 ("rtc: abx80x: add basic watchdog support") +Cc: Jeremy Gebben +Signed-off-by: Nobuhiro Iwamatsu +Link: https://lore.kernel.org/r/20241008041737.1640633-1-iwamatsu@nigauri.org +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-abx80x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-abx80x.c b/drivers/rtc/rtc-abx80x.c +index 803725b3a02c3..034b314fb3ec9 100644 +--- a/drivers/rtc/rtc-abx80x.c ++++ b/drivers/rtc/rtc-abx80x.c +@@ -37,7 +37,7 @@ + #define ABX8XX_REG_STATUS 0x0f + #define ABX8XX_STATUS_AF BIT(2) + #define ABX8XX_STATUS_BLF BIT(4) +-#define ABX8XX_STATUS_WDT BIT(6) ++#define ABX8XX_STATUS_WDT BIT(5) + + #define ABX8XX_REG_CTRL1 0x10 + #define ABX8XX_CTRL_WRITE BIT(0) +-- +2.43.0 + diff --git a/queue-5.10/rtc-check-if-__rtc_read_time-was-successful-in-rtc_t.patch b/queue-5.10/rtc-check-if-__rtc_read_time-was-successful-in-rtc_t.patch new file mode 100644 index 00000000000..670fcc1cd83 --- /dev/null +++ b/queue-5.10/rtc-check-if-__rtc_read_time-was-successful-in-rtc_t.patch 
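Review bot: `#define ABX8XX_STATUS_WDT BIT(5)` corrects a hardware bit with no in-code trace of where the value comes from, so the next reader has only git blame to distinguish BIT(5) from the old BIT(6). A trailing comment citing the source, `#define ABX8XX_STATUS_WDT BIT(5) /* AB08XX application manual: WDT is bit 5 of status register 0x0f */`, anchors it; the manual links are already in the commit message.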
@@ -0,0 +1,53 @@ +From 66880e58f163cf7d3a3a64310b29b2c9e4dc13e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 12:31:53 +0800 +Subject: rtc: check if __rtc_read_time was successful in rtc_timer_do_work() + +From: Yongliang Gao + +[ Upstream commit e8ba8a2bc4f60a1065f23d6a0e7cbea945a0f40d ] + +If the __rtc_read_time call fails,, the struct rtc_time tm; may contain +uninitialized data, or an illegal date/time read from the RTC hardware. + +When calling rtc_tm_to_ktime later, the result may be a very large value +(possibly KTIME_MAX). If there are periodic timers in rtc->timerqueue, +they will continually expire, may causing kernel softlockup. + +Fixes: 6610e0893b8b ("RTC: Rework RTC code to use timerqueue for events") +Signed-off-by: Yongliang Gao +Acked-by: Jingqun Li +Link: https://lore.kernel.org/r/20241011043153.3788112-1-leonylgao@gmail.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/interface.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c +index 154ea5ae2c0c3..a755f4af1c215 100644 +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -907,13 +907,18 @@ void rtc_timer_do_work(struct work_struct *work) + struct timerqueue_node *next; + ktime_t now; + struct rtc_time tm; ++ int err; + + struct rtc_device *rtc = + container_of(work, struct rtc_device, irqwork); + + mutex_lock(&rtc->ops_lock); + again: +- __rtc_read_time(rtc, &tm); ++ err = __rtc_read_time(rtc, &tm); ++ if (err) { ++ mutex_unlock(&rtc->ops_lock); ++ return; ++ } + now = rtc_tm_to_ktime(tm); + while ((next = timerqueue_getnext(&rtc->timerqueue))) { + if (next->expires > now) +-- +2.43.0 + diff --git a/queue-5.10/rtc-st-lpc-use-irqf_no_autoen-flag-in-request_irq.patch b/queue-5.10/rtc-st-lpc-use-irqf_no_autoen-flag-in-request_irq.patch new file mode 100644 index 00000000000..2dd398ddaa4 --- /dev/null 
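Review bot: The early `mutex_unlock(&rtc->ops_lock); return;` on `__rtc_read_time()` failure is silent and leaves every queued timer untouched, which is the intended behaviour per the description (avoid expiring timers against a garbage `now`), but nothing in the code says so, and a persistent read failure will quietly stall the queue. A comment such as `/* tm is untrusted: leave the queue alone rather than expire timers against a bogus now */`, plus a rate-limited diagnostic (dev_err_ratelimited on &rtc->dev) would make the stall observable. The lock is released on the new path, so no locking issue; rtc_timer_do_work() continues outside the hunk.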
+++ b/queue-5.10/rtc-st-lpc-use-irqf_no_autoen-flag-in-request_irq.patch @@ -0,0 +1,50 @@ +From 52e75d535ea7bd35d0ac807239eed06c11c46caf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Sep 2024 11:37:27 +0800 +Subject: rtc: st-lpc: Use IRQF_NO_AUTOEN flag in request_irq() + +From: Jinjie Ruan + +[ Upstream commit b6cd7adec0cf03f0aefc55676e71dd721cbc71a8 ] + +If request_irq() fails in st_rtc_probe(), there is no need to enable +the irq, and if it succeeds, disable_irq() after request_irq() still has +a time gap in which interrupts can come. + +request_irq() with IRQF_NO_AUTOEN flag will disable IRQ auto-enable when +request IRQ. + +Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/r/20240912033727.3013951-1-ruanjinjie@huawei.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-st-lpc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c +index c4ea3f3f08844..f9a2d745a568d 100644 +--- a/drivers/rtc/rtc-st-lpc.c ++++ b/drivers/rtc/rtc-st-lpc.c +@@ -218,15 +218,14 @@ static int st_rtc_probe(struct platform_device *pdev) + return -EINVAL; + } + +- ret = devm_request_irq(&pdev->dev, rtc->irq, st_rtc_handler, 0, +- pdev->name, rtc); ++ ret = devm_request_irq(&pdev->dev, rtc->irq, st_rtc_handler, ++ IRQF_NO_AUTOEN, pdev->name, rtc); + if (ret) { + dev_err(&pdev->dev, "Failed to request irq %i\n", rtc->irq); + return ret; + } + + enable_irq_wake(rtc->irq); +- disable_irq(rtc->irq); + + rtc->clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(rtc->clk)) { +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 1b91f1c5ac5..a012ea3f3e1 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
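Review bot: With IRQF_NO_AUTOEN the IRQ stays disabled after devm_request_irq() until a later enable_irq(), which is the point of the change, but the call site no longer hints at that and the `enable_irq_wake(rtc->irq);` immediately after reads oddly next to an IRQ that is not enabled. A comment, `/* left disabled (IRQF_NO_AUTOEN); the alarm-enable path turns it on with enable_irq() */`, would explain the pairing; I am assuming the enable lives in the alarm code, which is outside the hunk. The return value of enable_irq_wake() is still unchecked, pre-existing but worth a glance while here. st_rtc_probe() starts and ends outside the hunk.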
@@ -276,3 +276,26 @@ usb-dwc3-gadget-fix-looping-of-queued-sg-entries.patch
 lib-string_helpers-silence-snprintf-output-truncation-warning.patch
 nfsd-prevent-a-potential-integer-overflow.patch
 sunrpc-make-sure-cache-entry-active-before-cache_show.patch
+um-fix-potential-integer-overflow-during-physmem-set.patch
+um-fix-the-return-value-of-elf_core_copy_task_fpregs.patch
+um-always-dump-trace-for-specified-task-in-show_stac.patch
+nfsv4.0-fix-a-use-after-free-problem-in-the-asynchro.patch
+rtc-st-lpc-use-irqf_no_autoen-flag-in-request_irq.patch
+rtc-abx80x-fix-wdt-bit-position-of-the-status-regist.patch
+rtc-check-if-__rtc_read_time-was-successful-in-rtc_t.patch
+ubifs-correct-the-total-block-count-by-deducting-jou.patch
+ubi-fastmap-fix-duplicate-slab-cache-names-while-att.patch
+ubifs-authentication-fix-use-after-free-in-ubifs_tnc.patch
+jffs2-fix-use-of-uninitialized-variable.patch
+block-return-unsigned-int-from-bdev_io_min.patch
+9p-xen-fix-init-sequence.patch
+9p-xen-fix-release-of-irq.patch
+rtc-ab-eoz9-don-t-fail-temperature-reads-on-undervol.patch
+modpost-remove-incorrect-code-in-do_eisa_entry.patch
+nfs-ignore-sb_rdonly-when-mounting-nfs.patch
+sunrpc-correct-error-code-comment-in-xs_tcp_setup_so.patch
+sunrpc-convert-rpc_client-refcount-to-use-refcount_t.patch
+sunrpc-remove-unnecessary-test-in-rpc_task_set_clien.patch
+sunrpc-replace-internal-use-of-sockwq_async_nospace.patch
+sunrpc-clear-xprt_sock_upd_timeout-when-reset-transp.patch
+sh-intc-fix-use-after-free-bug-in-register_intc_cont.patch
diff --git a/queue-5.10/sh-intc-fix-use-after-free-bug-in-register_intc_cont.patch b/queue-5.10/sh-intc-fix-use-after-free-bug-in-register_intc_cont.patch
new file mode 100644
index 00000000000..ba1d73ff21f
--- /dev/null
+++ b/queue-5.10/sh-intc-fix-use-after-free-bug-in-register_intc_cont.patch
@@ -0,0 +1,46 @@ +From 949f10ea27092581c287df1a432624c7aa6a755a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2024 11:41:59 +0300 +Subject: sh: intc: Fix use-after-free bug in register_intc_controller() + +From: Dan Carpenter + +[ Upstream commit 63e72e551942642c48456a4134975136cdcb9b3c ] + +In the error handling for this function, d is freed without ever +removing it from intc_list which would lead to a use after free. +To fix this, let's only add it to the list after everything has +succeeded. + +Fixes: 2dcec7a988a1 ("sh: intc: set_irq_wake() support") +Signed-off-by: Dan Carpenter +Reviewed-by: John Paul Adrian Glaubitz +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + drivers/sh/intc/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/sh/intc/core.c b/drivers/sh/intc/core.c +index f8e070d67fa32..51586c5e993bb 100644 +--- a/drivers/sh/intc/core.c ++++ b/drivers/sh/intc/core.c +@@ -194,7 +194,6 @@ int __init register_intc_controller(struct intc_desc *desc) + goto err0; + + INIT_LIST_HEAD(&d->list); +- list_add_tail(&d->list, &intc_list); + + raw_spin_lock_init(&d->lock); + INIT_RADIX_TREE(&d->tree, GFP_ATOMIC); +@@ -380,6 +379,7 @@ int __init register_intc_controller(struct intc_desc *desc) + + d->skip_suspend = desc->skip_syscore_suspend; + ++ list_add_tail(&d->list, &intc_list); + nr_intc_controllers++; + + return 0; +-- +2.43.0 + diff --git a/queue-5.10/sunrpc-clear-xprt_sock_upd_timeout-when-reset-transp.patch b/queue-5.10/sunrpc-clear-xprt_sock_upd_timeout-when-reset-transp.patch new file mode 100644 index 00000000000..d096dc9a374 --- /dev/null +++ b/queue-5.10/sunrpc-clear-xprt_sock_upd_timeout-when-reset-transp.patch 
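Review bot: Moving `list_add_tail(&d->list, &intc_list);` to just before `return 0` fixes the dangling entry on the error paths, but anything in the roughly 190 lines between the old and the new insertion point that walks intc_list expecting to find `d` (all outside the hunk) would now miss it; worth confirming nothing there does. A comment at the new site, `/* publish on intc_list only once fully set up: the err paths free d without unlinking it */`, records why the add must stay last. register_intc_controller() starts and ends outside the hunk.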
@@ -0,0 +1,38 @@ +From c332729099ff71351948e711ccaf3b4b8a1913ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2024 17:38:04 +0800 +Subject: sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport + +From: Liu Jian + +[ Upstream commit 4db9ad82a6c823094da27de4825af693a3475d51 ] + +Since transport->sock has been set to NULL during reset transport, +XPRT_SOCK_UPD_TIMEOUT also needs to be cleared. Otherwise, the +xs_tcp_set_socket_timeouts() may be triggered in xs_tcp_send_request() +to dereference the transport->sock that has been set to NULL. + +Fixes: 7196dbb02ea0 ("SUNRPC: Allow changing of the TCP timeout parameters on the fly") +Signed-off-by: Li Lingfeng +Signed-off-by: Liu Jian +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtsock.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 278d044e1fd4a..79ce634017f9a 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -1129,6 +1129,7 @@ static void xs_sock_reset_state_flags(struct rpc_xprt *xprt) + clear_bit(XPRT_SOCK_WAKE_WRITE, &transport->sock_state); + clear_bit(XPRT_SOCK_WAKE_DISCONNECT, &transport->sock_state); + clear_bit(XPRT_SOCK_NOSPACE, &transport->sock_state); ++ clear_bit(XPRT_SOCK_UPD_TIMEOUT, &transport->sock_state); + } + + static void xs_run_error_worker(struct sock_xprt *transport, unsigned int nr) +-- +2.43.0 + diff --git a/queue-5.10/sunrpc-convert-rpc_client-refcount-to-use-refcount_t.patch b/queue-5.10/sunrpc-convert-rpc_client-refcount-to-use-refcount_t.patch new file mode 100644 index 00000000000..97c9cf72c33 --- /dev/null +++ b/queue-5.10/sunrpc-convert-rpc_client-refcount-to-use-refcount_t.patch 
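Review bot: The added `clear_bit(XPRT_SOCK_UPD_TIMEOUT, &transport->sock_state);` carries its reason only in the commit message; a one-line comment above it, `/* sock is NULL after reset: a pending timeout update would dereference it */`, ties the bit to the NULL transport->sock it guards against and distinguishes it from the neighbouring wake/nospace flags. xs_sock_reset_state_flags() starts outside the hunk.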
@@ -0,0 +1,161 @@ +From d965efdd174f95ba7a9e83ea41c1f0d3fba51313 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 08:01:27 -0400 +Subject: SUNRPC: Convert rpc_client refcount to use refcount_t + +From: Trond Myklebust + +[ Upstream commit 71d3d0ebc894294ef9454e45a3ac2e9ba60b3351 ] + +There are now tools in the refcount library that allow us to convert the +client shutdown code. + +Reported-by: Xiyu Yang +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Stable-dep-of: 4db9ad82a6c8 ("sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport") +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/clnt.h | 3 ++- + net/sunrpc/auth_gss/gss_rpc_upcall.c | 2 +- + net/sunrpc/clnt.c | 22 ++++++++++------------ + net/sunrpc/debugfs.c | 2 +- + net/sunrpc/rpc_pipe.c | 2 +- + 5 files changed, 15 insertions(+), 16 deletions(-) + +diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h +index 187e9f06cf64b..33691492dafb8 100644 +--- a/include/linux/sunrpc/clnt.h ++++ b/include/linux/sunrpc/clnt.h +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -34,7 +35,7 @@ struct rpc_inode; + * The high-level client handle + */ + struct rpc_clnt { +- atomic_t cl_count; /* Number of references */ ++ refcount_t cl_count; /* Number of references */ + unsigned int cl_clid; /* client id */ + struct list_head cl_clients; /* Global list of clients */ + struct list_head cl_tasks; /* List of tasks */ +diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c +index af9c7f43859c4..05ff66b86b4eb 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_upcall.c ++++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c +@@ -160,7 +160,7 @@ static struct rpc_clnt *get_gssp_clnt(struct sunrpc_net *sn) + mutex_lock(&sn->gssp_lock); + clnt = sn->gssp_clnt; + if (clnt) +- atomic_inc(&clnt->cl_count); ++ refcount_inc(&clnt->cl_count); + mutex_unlock(&sn->gssp_lock); + return clnt; + } +diff --git a/net/sunrpc/clnt.c 
b/net/sunrpc/clnt.c +index 86397f9c4bc83..457042b653bba 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -169,7 +169,7 @@ static int rpc_clnt_skip_event(struct rpc_clnt *clnt, unsigned long event) + case RPC_PIPEFS_MOUNT: + if (clnt->cl_pipedir_objects.pdh_dentry != NULL) + return 1; +- if (atomic_read(&clnt->cl_count) == 0) ++ if (refcount_read(&clnt->cl_count) == 0) + return 1; + break; + case RPC_PIPEFS_UMOUNT: +@@ -419,7 +419,7 @@ static struct rpc_clnt * rpc_new_client(const struct rpc_create_args *args, + clnt->cl_rtt = &clnt->cl_rtt_default; + rpc_init_rtt(&clnt->cl_rtt_default, clnt->cl_timeout->to_initval); + +- atomic_set(&clnt->cl_count, 1); ++ refcount_set(&clnt->cl_count, 1); + + if (nodename == NULL) + nodename = utsname()->nodename; +@@ -430,7 +430,7 @@ static struct rpc_clnt * rpc_new_client(const struct rpc_create_args *args, + if (err) + goto out_no_path; + if (parent) +- atomic_inc(&parent->cl_count); ++ refcount_inc(&parent->cl_count); + + trace_rpc_clnt_new(clnt, xprt, program->name, args->servername); + return clnt; +@@ -917,18 +917,16 @@ rpc_free_client(struct rpc_clnt *clnt) + static struct rpc_clnt * + rpc_free_auth(struct rpc_clnt *clnt) + { +- if (clnt->cl_auth == NULL) +- return rpc_free_client(clnt); +- + /* + * Note: RPCSEC_GSS may need to send NULL RPC calls in order to + * release remaining GSS contexts. This mechanism ensures + * that it can do so safely. 
+ */ +- atomic_inc(&clnt->cl_count); +- rpcauth_release(clnt->cl_auth); +- clnt->cl_auth = NULL; +- if (atomic_dec_and_test(&clnt->cl_count)) ++ if (clnt->cl_auth != NULL) { ++ rpcauth_release(clnt->cl_auth); ++ clnt->cl_auth = NULL; ++ } ++ if (refcount_dec_and_test(&clnt->cl_count)) + return rpc_free_client(clnt); + return NULL; + } +@@ -942,7 +940,7 @@ rpc_release_client(struct rpc_clnt *clnt) + do { + if (list_empty(&clnt->cl_tasks)) + wake_up(&destroy_wait); +- if (!atomic_dec_and_test(&clnt->cl_count)) ++ if (refcount_dec_not_one(&clnt->cl_count)) + break; + clnt = rpc_free_auth(clnt); + } while (clnt != NULL); +@@ -1083,7 +1081,7 @@ void rpc_task_set_client(struct rpc_task *task, struct rpc_clnt *clnt) + if (clnt != NULL) { + rpc_task_set_transport(task, clnt); + task->tk_client = clnt; +- atomic_inc(&clnt->cl_count); ++ refcount_inc(&clnt->cl_count); + if (clnt->cl_softrtry) + task->tk_flags |= RPC_TASK_SOFT; + if (clnt->cl_softerr) +diff --git a/net/sunrpc/debugfs.c b/net/sunrpc/debugfs.c +index 56029e3af6ff0..79995eb959279 100644 +--- a/net/sunrpc/debugfs.c ++++ b/net/sunrpc/debugfs.c +@@ -90,7 +90,7 @@ static int tasks_open(struct inode *inode, struct file *filp) + struct seq_file *seq = filp->private_data; + struct rpc_clnt *clnt = seq->private = inode->i_private; + +- if (!atomic_inc_not_zero(&clnt->cl_count)) { ++ if (!refcount_inc_not_zero(&clnt->cl_count)) { + seq_release(inode, filp); + ret = -EINVAL; + } +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c +index bb13620e62468..a3545ecf9a6e5 100644 +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c +@@ -423,7 +423,7 @@ rpc_info_open(struct inode *inode, struct file *file) + spin_lock(&file->f_path.dentry->d_lock); + if (!d_unhashed(file->f_path.dentry)) + clnt = RPC_I(inode)->private; +- if (clnt != NULL && atomic_inc_not_zero(&clnt->cl_count)) { ++ if (clnt != NULL && refcount_inc_not_zero(&clnt->cl_count)) { + spin_unlock(&file->f_path.dentry->d_lock); + m->private = clnt; + } else 
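Review bot: The hand-off between rpc_release_client() and rpc_free_auth() is now subtle and undocumented: `refcount_dec_not_one()` deliberately leaves `cl_count` at 1 instead of dropping it to 0, and rpc_free_auth() relies on that lingering reference to keep the client alive while rpcauth_release() may issue NULL RPCs (which take and drop their own references through rpc_task_set_client()), before `refcount_dec_and_test()` releases the last one. The surviving "RPCSEC_GSS may need to send NULL RPC calls" comment still describes the old inc/dec dance and should say where the held reference comes from, e.g. `/* Called with cl_count == 1: rpc_release_client() leaves the last reference held for us. */`. This matters for a stable backport because any other caller of rpc_free_auth() must preserve that invariant or the refcount library will warn on underflow. The remaining conversions are mechanical; `refcount_read(&clnt->cl_count) == 0` in rpc_clnt_skip_event() keeps its old meaning.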
{ +-- +2.43.0 + diff --git a/queue-5.10/sunrpc-correct-error-code-comment-in-xs_tcp_setup_so.patch b/queue-5.10/sunrpc-correct-error-code-comment-in-xs_tcp_setup_so.patch new file mode 100644 index 00000000000..bdf870d7268 --- /dev/null +++ b/queue-5.10/sunrpc-correct-error-code-comment-in-xs_tcp_setup_so.patch 
@@ -0,0 +1,49 @@ +From 22ab47bd6a929d73e54896658d6ff18e1515c41a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Oct 2020 22:36:38 +0100 +Subject: SUNRPC: correct error code comment in xs_tcp_setup_socket() + +From: Calum Mackay + +[ Upstream commit 8c71139d9f84c1963b0a416941244502a20a7e52 ] + +This comment was introduced by commit 6ea44adce915 +("SUNRPC: ensure correct error is reported by xs_tcp_setup_socket()"). + +I believe EIO was a typo at the time: it should have been EAGAIN. + +Subsequently, commit 0445f92c5d53 ("SUNRPC: Fix disconnection races") +changed that to ENOTCONN. + +Rather than trying to keep the comment here in sync with the code in +xprt_force_disconnect(), make the point in a non-specific way. + +Fixes: 6ea44adce915 ("SUNRPC: ensure correct error is reported by xs_tcp_setup_socket()") +Signed-off-by: Calum Mackay +Signed-off-by: Anna Schumaker +Stable-dep-of: 4db9ad82a6c8 ("sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport") +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtsock.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index e0cd6d7350533..93e59d5a363d0 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2332,10 +2332,8 @@ static void xs_tcp_setup_socket(struct work_struct *work) + case -EHOSTUNREACH: + case -EADDRINUSE: + case -ENOBUFS: +- /* +- * xs_tcp_force_close() wakes tasks with -EIO. +- * We need to wake them first to ensure the +- * correct error code. ++ /* xs_tcp_force_close() wakes tasks with a fixed error code. ++ * We need to wake them first to ensure the correct error code. + */ + xprt_wake_pending_tasks(xprt, status); + xs_tcp_force_close(xprt); +-- +2.43.0 + diff --git a/queue-5.10/sunrpc-remove-unnecessary-test-in-rpc_task_set_clien.patch b/queue-5.10/sunrpc-remove-unnecessary-test-in-rpc_task_set_clien.patch new file mode 100644 index 00000000000..7bf9addf0fb --- /dev/null 
+++ b/queue-5.10/sunrpc-remove-unnecessary-test-in-rpc_task_set_clien.patch 
@@ -0,0 +1,67 @@ +From f6aa78f1fabc74377a56bdcd9d99039ce002cc2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 18:04:28 -0300 +Subject: sunrpc: remove unnecessary test in rpc_task_set_client() + +From: Thiago Rafael Becker + +[ Upstream commit 023859ce6f88f7cfc223752fb56ec453a147b852 ] + +In rpc_task_set_client(), testing for a NULL clnt is not necessary, as +clnt should always be a valid pointer to a rpc_client. + +Signed-off-by: Thiago Rafael Becker +Signed-off-by: Trond Myklebust +Stable-dep-of: 4db9ad82a6c8 ("sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport") +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 33 +++++++++++++++------------------ + 1 file changed, 15 insertions(+), 18 deletions(-) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 457042b653bba..7ec5b0bc48ebf 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1077,24 +1077,21 @@ void rpc_task_set_transport(struct rpc_task *task, struct rpc_clnt *clnt) + static + void rpc_task_set_client(struct rpc_task *task, struct rpc_clnt *clnt) + { +- +- if (clnt != NULL) { +- rpc_task_set_transport(task, clnt); +- task->tk_client = clnt; +- refcount_inc(&clnt->cl_count); +- if (clnt->cl_softrtry) +- task->tk_flags |= RPC_TASK_SOFT; +- if (clnt->cl_softerr) +- task->tk_flags |= RPC_TASK_TIMEOUT; +- if (clnt->cl_noretranstimeo) +- task->tk_flags |= RPC_TASK_NO_RETRANS_TIMEOUT; +- if (atomic_read(&clnt->cl_swapper)) +- task->tk_flags |= RPC_TASK_SWAPPER; +- /* Add to the client's list of all tasks */ +- spin_lock(&clnt->cl_lock); +- list_add_tail(&task->tk_task, &clnt->cl_tasks); +- spin_unlock(&clnt->cl_lock); +- } ++ rpc_task_set_transport(task, clnt); ++ task->tk_client = clnt; ++ refcount_inc(&clnt->cl_count); ++ if (clnt->cl_softrtry) ++ task->tk_flags |= RPC_TASK_SOFT; ++ if (clnt->cl_softerr) ++ task->tk_flags |= RPC_TASK_TIMEOUT; ++ if (clnt->cl_noretranstimeo) ++ task->tk_flags |= RPC_TASK_NO_RETRANS_TIMEOUT; ++ if (atomic_read(&clnt->cl_swapper)) 
++ task->tk_flags |= RPC_TASK_SWAPPER; ++ /* Add to the client's list of all tasks */ ++ spin_lock(&clnt->cl_lock); ++ list_add_tail(&task->tk_task, &clnt->cl_tasks); ++ spin_unlock(&clnt->cl_lock); + } + + static void +-- +2.43.0 + diff --git a/queue-5.10/sunrpc-replace-internal-use-of-sockwq_async_nospace.patch b/queue-5.10/sunrpc-replace-internal-use-of-sockwq_async_nospace.patch new file mode 100644 index 00000000000..bcfa7b027cc --- /dev/null +++ b/queue-5.10/sunrpc-replace-internal-use-of-sockwq_async_nospace.patch 
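Review bot: Dropping the `clnt != NULL` guard turns a silently client-less task into an immediate NULL dereference in rpc_task_set_transport() and `refcount_inc(&clnt->cl_count)`; that is the intended upstream behaviour, but in a 5.10 backport every caller that reaches rpc_task_set_client() (via `task_setup_data->rpc_client`, outside the hunk) should be checked to actually pass a non-NULL client. If any 5.10-only path still passes NULL, the guard should be kept here rather than carried along as a dependency. A contract comment on the function would make the new requirement explicit: `/* @clnt must be non-NULL: the task takes a reference on it. */`.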
@@ -0,0 +1,114 @@ +From 62d6fda7ffd3255fa70f65c63e3a00d823e46a6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 08:12:40 -0400 +Subject: SUNRPC: Replace internal use of SOCKWQ_ASYNC_NOSPACE + +From: Trond Myklebust + +[ Upstream commit 2790a624d43084de590884934969e19c7a82316a ] + +The socket's SOCKWQ_ASYNC_NOSPACE can be cleared by various actors in +the socket layer, so replace it with our own flag in the transport +sock_state field. + +Reported-by: Chuck Lever +Signed-off-by: Trond Myklebust +Stable-dep-of: 4db9ad82a6c8 ("sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport") +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/xprtsock.h | 1 + + net/sunrpc/xprtsock.c | 22 ++++------------------ + 2 files changed, 5 insertions(+), 18 deletions(-) + +diff --git a/include/linux/sunrpc/xprtsock.h b/include/linux/sunrpc/xprtsock.h +index 689062afdd610..3eb0079669c50 100644 +--- a/include/linux/sunrpc/xprtsock.h ++++ b/include/linux/sunrpc/xprtsock.h +@@ -90,5 +90,6 @@ struct sock_xprt { + #define XPRT_SOCK_WAKE_PENDING (6) + #define XPRT_SOCK_WAKE_DISCONNECT (7) + #define XPRT_SOCK_CONNECT_SENT (8) ++#define XPRT_SOCK_NOSPACE (9) + + #endif /* _LINUX_SUNRPC_XPRTSOCK_H */ +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 93e59d5a363d0..278d044e1fd4a 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -770,14 +770,8 @@ static int xs_nospace(struct rpc_rqst *req, struct sock_xprt *transport) + + /* Don't race with disconnect */ + if (xprt_connected(xprt)) { +- struct socket_wq *wq; +- +- rcu_read_lock(); +- wq = rcu_dereference(sk->sk_wq); +- set_bit(SOCKWQ_ASYNC_NOSPACE, &wq->flags); +- rcu_read_unlock(); +- + /* wait for more buffer space */ ++ set_bit(XPRT_SOCK_NOSPACE, &transport->sock_state); + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); + sk->sk_write_pending++; + xprt_wait_for_buffer_space(xprt); +@@ -1134,6 +1128,7 @@ static void xs_sock_reset_state_flags(struct rpc_xprt *xprt) + 
clear_bit(XPRT_SOCK_WAKE_ERROR, &transport->sock_state); + clear_bit(XPRT_SOCK_WAKE_WRITE, &transport->sock_state); + clear_bit(XPRT_SOCK_WAKE_DISCONNECT, &transport->sock_state); ++ clear_bit(XPRT_SOCK_NOSPACE, &transport->sock_state); + } + + static void xs_run_error_worker(struct sock_xprt *transport, unsigned int nr) +@@ -1497,7 +1492,6 @@ static void xs_tcp_state_change(struct sock *sk) + + static void xs_write_space(struct sock *sk) + { +- struct socket_wq *wq; + struct sock_xprt *transport; + struct rpc_xprt *xprt; + +@@ -1508,15 +1502,10 @@ static void xs_write_space(struct sock *sk) + if (unlikely(!(xprt = xprt_from_sock(sk)))) + return; + transport = container_of(xprt, struct sock_xprt, xprt); +- rcu_read_lock(); +- wq = rcu_dereference(sk->sk_wq); +- if (!wq || test_and_clear_bit(SOCKWQ_ASYNC_NOSPACE, &wq->flags) == 0) +- goto out; +- ++ if (!test_and_clear_bit(XPRT_SOCK_NOSPACE, &transport->sock_state)) ++ return; + xs_run_error_worker(transport, XPRT_SOCK_WAKE_WRITE); + sk->sk_write_pending--; +-out: +- rcu_read_unlock(); + } + + /** +@@ -1860,7 +1849,6 @@ static int xs_local_finish_connecting(struct rpc_xprt *xprt, + sk->sk_user_data = xprt; + sk->sk_data_ready = xs_data_ready; + sk->sk_write_space = xs_udp_write_space; +- sock_set_flag(sk, SOCK_FASYNC); + sk->sk_error_report = xs_error_report; + + xprt_clear_connected(xprt); +@@ -2058,7 +2046,6 @@ static void xs_udp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock) + sk->sk_user_data = xprt; + sk->sk_data_ready = xs_data_ready; + sk->sk_write_space = xs_udp_write_space; +- sock_set_flag(sk, SOCK_FASYNC); + + xprt_set_connected(xprt); + +@@ -2214,7 +2201,6 @@ static int xs_tcp_finish_connecting(struct rpc_xprt *xprt, struct socket *sock) + sk->sk_data_ready = xs_data_ready; + sk->sk_state_change = xs_tcp_state_change; + sk->sk_write_space = xs_tcp_write_space; +- sock_set_flag(sk, SOCK_FASYNC); + sk->sk_error_report = xs_error_report; + + /* socket options */ +-- +2.43.0 + 
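Review bot: `sk->sk_write_pending` is still incremented in xs_nospace() but only decremented in xs_write_space() when `test_and_clear_bit(XPRT_SOCK_NOSPACE, ...)` succeeds, and xs_sock_reset_state_flags() now clears that bit without touching the counter; if a reset can race a writer parked in xs_nospace(), the pending count on that socket is never rebalanced. That is probably harmless because the socket is being torn down, but a comment at the new clear_bit() should say so, e.g. `/* Not rebalancing sk_write_pending: the socket is being dropped. */`, or the assumption should be confirmed. Removing `sock_set_flag(sk, SOCK_FASYNC)` in the three finish_connecting paths goes beyond swapping a flag; presumably FASYNC was only ever set so the socket layer's async wakeup would consume SOCKWQ_ASYNC_NOSPACE, but the message does not say that and the backport note should. xs_nospace() and xs_write_space() are only partially visible in these hunks.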
diff --git a/queue-5.10/ubi-fastmap-fix-duplicate-slab-cache-names-while-att.patch b/queue-5.10/ubi-fastmap-fix-duplicate-slab-cache-names-while-att.patch new file mode 100644 index 00000000000..a72caca546f --- /dev/null +++ b/queue-5.10/ubi-fastmap-fix-duplicate-slab-cache-names-while-att.patch 
@@ -0,0 +1,104 @@ +From 9d542aed7f317bc52f2010b4950d14864ac21556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Oct 2024 12:50:02 +0800 +Subject: ubi: fastmap: Fix duplicate slab cache names while attaching + +From: Zhihao Cheng + +[ Upstream commit bcddf52b7a17adcebc768d26f4e27cf79adb424c ] + +Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when +DEBUG_VM=y"), the duplicate slab cache names can be detected and a +kernel WARNING is thrown out. +In UBI fast attaching process, alloc_ai() could be invoked twice +with the same slab cache name 'ubi_aeb_slab_cache', which will trigger +following warning messages: + kmem_cache of name 'ubi_aeb_slab_cache' already exists + WARNING: CPU: 0 PID: 7519 at mm/slab_common.c:107 + __kmem_cache_create_args+0x100/0x5f0 + Modules linked in: ubi(+) nandsim [last unloaded: nandsim] + CPU: 0 UID: 0 PID: 7519 Comm: modprobe Tainted: G 6.12.0-rc2 + RIP: 0010:__kmem_cache_create_args+0x100/0x5f0 + Call Trace: + __kmem_cache_create_args+0x100/0x5f0 + alloc_ai+0x295/0x3f0 [ubi] + ubi_attach+0x3c3/0xcc0 [ubi] + ubi_attach_mtd_dev+0x17cf/0x3fa0 [ubi] + ubi_init+0x3fb/0x800 [ubi] + do_init_module+0x265/0x7d0 + __x64_sys_finit_module+0x7a/0xc0 + +The problem could be easily reproduced by loading UBI device by fastmap +with CONFIG_DEBUG_VM=y. +Fix it by using different slab names for alloc_ai() callers. 
+ +Fixes: d2158f69a7d4 ("UBI: Remove alloc_ai() slab name from parameter list") +Fixes: fdf10ed710c0 ("ubi: Rework Fastmap attach base code") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + drivers/mtd/ubi/attach.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/mtd/ubi/attach.c b/drivers/mtd/ubi/attach.c +index ae5abe492b52a..adc47b87b38a5 100644 +--- a/drivers/mtd/ubi/attach.c ++++ b/drivers/mtd/ubi/attach.c +@@ -1447,7 +1447,7 @@ static int scan_all(struct ubi_device *ubi, struct ubi_attach_info *ai, + return err; + } + +-static struct ubi_attach_info *alloc_ai(void) ++static struct ubi_attach_info *alloc_ai(const char *slab_name) + { + struct ubi_attach_info *ai; + +@@ -1461,7 +1461,7 @@ static struct ubi_attach_info *alloc_ai(void) + INIT_LIST_HEAD(&ai->alien); + INIT_LIST_HEAD(&ai->fastmap); + ai->volumes = RB_ROOT; +- ai->aeb_slab_cache = kmem_cache_create("ubi_aeb_slab_cache", ++ ai->aeb_slab_cache = kmem_cache_create(slab_name, + sizeof(struct ubi_ainf_peb), + 0, 0, NULL); + if (!ai->aeb_slab_cache) { +@@ -1491,7 +1491,7 @@ static int scan_fast(struct ubi_device *ubi, struct ubi_attach_info **ai) + + err = -ENOMEM; + +- scan_ai = alloc_ai(); ++ scan_ai = alloc_ai("ubi_aeb_slab_cache_fastmap"); + if (!scan_ai) + goto out; + +@@ -1557,7 +1557,7 @@ int ubi_attach(struct ubi_device *ubi, int force_scan) + int err; + struct ubi_attach_info *ai; + +- ai = alloc_ai(); ++ ai = alloc_ai("ubi_aeb_slab_cache"); + if (!ai) + return -ENOMEM; + +@@ -1575,7 +1575,7 @@ int ubi_attach(struct ubi_device *ubi, int force_scan) + if (err > 0 || mtd_is_eccerr(err)) { + if (err != UBI_NO_FASTMAP) { + destroy_ai(ai); +- ai = alloc_ai(); ++ ai = alloc_ai("ubi_aeb_slab_cache"); + if (!ai) + return -ENOMEM; + +@@ -1614,7 +1614,7 @@ int ubi_attach(struct ubi_device *ubi, int force_scan) + if (ubi->fm && ubi_dbg_chk_fastmap(ubi)) { + struct ubi_attach_info *scan_ai; + +- scan_ai = 
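Review bot: `alloc_ai()` gains a `slab_name` parameter with no statement of its contract: the warning in the message fires per live cache, so the name must be unique among attach-info objects that exist at the same time, not merely among call sites. A header comment would carry that: `/* @slab_name: name of the per-attach kmem_cache; must differ from any other attach-info cache alive at the same time (each is freed by destroy_ai()). */`. The two `"ubi_aeb_slab_cache"` uses in ubi_attach() are sequential (the first is destroyed before the second is created), which is the non-obvious reason the repeated name is acceptable there and deserves a one-line note at the second call.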
alloc_ai(); ++ scan_ai = alloc_ai("ubi_aeb_slab_cache_dbg_chk_fastmap"); + if (!scan_ai) { + err = -ENOMEM; + goto out_wl; +-- +2.43.0 + diff --git a/queue-5.10/ubifs-authentication-fix-use-after-free-in-ubifs_tnc.patch b/queue-5.10/ubifs-authentication-fix-use-after-free-in-ubifs_tnc.patch new file mode 100644 index 00000000000..2ba96641e75 --- /dev/null +++ b/queue-5.10/ubifs-authentication-fix-use-after-free-in-ubifs_tnc.patch 
@@ -0,0 +1,171 @@ +From 74587e83b76a95250baa07aa57321e0e649ca6b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Oct 2024 16:46:59 +0200 +Subject: ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit + +From: Waqar Hameed + +[ Upstream commit 4617fb8fc15effe8eda4dd898d4e33eb537a7140 ] + +After an insertion in TNC, the tree might split and cause a node to +change its `znode->parent`. A further deletion of other nodes in the +tree (which also could free the nodes), the aforementioned node's +`znode->cparent` could still point to a freed node. This +`znode->cparent` may not be updated when getting nodes to commit in +`ubifs_tnc_start_commit()`. This could then trigger a use-after-free +when accessing the `znode->cparent` in `write_index()` in +`ubifs_tnc_end_commit()`. + +This can be triggered by running + + rm -f /etc/test-file.bin + dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync + +in a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then +reports: + + BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950 + Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153 + + Call trace: + dump_backtrace+0x0/0x340 + show_stack+0x18/0x24 + dump_stack_lvl+0x9c/0xbc + print_address_description.constprop.0+0x74/0x2b0 + kasan_report+0x1d8/0x1f0 + kasan_check_range+0xf8/0x1a0 + memcpy+0x84/0xf4 + ubifs_tnc_end_commit+0xa5c/0x1950 + do_commit+0x4e0/0x1340 + ubifs_bg_thread+0x234/0x2e0 + kthread+0x36c/0x410 + ret_from_fork+0x10/0x20 + + Allocated by task 401: + kasan_save_stack+0x38/0x70 + __kasan_kmalloc+0x8c/0xd0 + __kmalloc+0x34c/0x5bc + tnc_insert+0x140/0x16a4 + ubifs_tnc_add+0x370/0x52c + ubifs_jnl_write_data+0x5d8/0x870 + do_writepage+0x36c/0x510 + ubifs_writepage+0x190/0x4dc + __writepage+0x58/0x154 + write_cache_pages+0x394/0x830 + do_writepages+0x1f0/0x5b0 + filemap_fdatawrite_wbc+0x170/0x25c + file_write_and_wait_range+0x140/0x190 + ubifs_fsync+0xe8/0x290 + vfs_fsync_range+0xc0/0x1e4 + 
do_fsync+0x40/0x90 + __arm64_sys_fsync+0x34/0x50 + invoke_syscall.constprop.0+0xa8/0x260 + do_el0_svc+0xc8/0x1f0 + el0_svc+0x34/0x70 + el0t_64_sync_handler+0x108/0x114 + el0t_64_sync+0x1a4/0x1a8 + + Freed by task 403: + kasan_save_stack+0x38/0x70 + kasan_set_track+0x28/0x40 + kasan_set_free_info+0x28/0x4c + __kasan_slab_free+0xd4/0x13c + kfree+0xc4/0x3a0 + tnc_delete+0x3f4/0xe40 + ubifs_tnc_remove_range+0x368/0x73c + ubifs_tnc_remove_ino+0x29c/0x2e0 + ubifs_jnl_delete_inode+0x150/0x260 + ubifs_evict_inode+0x1d4/0x2e4 + evict+0x1c8/0x450 + iput+0x2a0/0x3c4 + do_unlinkat+0x2cc/0x490 + __arm64_sys_unlinkat+0x90/0x100 + invoke_syscall.constprop.0+0xa8/0x260 + do_el0_svc+0xc8/0x1f0 + el0_svc+0x34/0x70 + el0t_64_sync_handler+0x108/0x114 + el0t_64_sync+0x1a4/0x1a8 + +The offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free +when a node becomes root in TNC but still has a `cparent` to an already +freed node. More specifically, consider the following TNC: + + zroot + / + / + zp1 + / + / + zn + +Inserting a new node `zn_new` with a key smaller then `zn` will trigger +a split in `tnc_insert()` if `zp1` is full: + + zroot + / \ + / \ + zp1 zp2 + / \ + / \ + zn_new zn + +`zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still +points to `zp1`. + +Now, consider a removal of all the nodes _except_ `zn`. Just when +`tnc_delete()` is about to delete `zroot` and `zp2`: + + zroot + \ + \ + zp2 + \ + \ + zn + +`zroot` and `zp2` get freed and the tree collapses: + + zn + +`zn` now becomes the new `zroot`. + +`get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and +`write_index()` will check its `znode->cparent` that wrongly points to +the already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called +with `znode->cparent->zbranch[znode->iip].hash` that triggers the +use-after-free! + +Fix this by explicitly setting `znode->cparent` to `NULL` in +`get_znodes_to_commit()` for the root node. 
The search for the dirty +nodes is bottom-up in the tree. Thus, when `find_next_dirty(znode)` +returns NULL, the current `znode` _is_ the root node. Add an assert for +this. + +Fixes: 16a26b20d2af ("ubifs: authentication: Add hashes to index nodes") +Tested-by: Waqar Hameed +Co-developed-by: Zhihao Cheng +Signed-off-by: Zhihao Cheng +Signed-off-by: Waqar Hameed +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/tnc_commit.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/ubifs/tnc_commit.c b/fs/ubifs/tnc_commit.c +index 234be1c4dc870..dc4f794fd5b73 100644 +--- a/fs/ubifs/tnc_commit.c ++++ b/fs/ubifs/tnc_commit.c +@@ -657,6 +657,8 @@ static int get_znodes_to_commit(struct ubifs_info *c) + znode->alt = 0; + cnext = find_next_dirty(znode); + if (!cnext) { ++ ubifs_assert(c, !znode->parent); ++ znode->cparent = NULL; + znode->cnext = c->cnext; + break; + } +-- +2.43.0 + diff --git a/queue-5.10/ubifs-correct-the-total-block-count-by-deducting-jou.patch b/queue-5.10/ubifs-correct-the-total-block-count-by-deducting-jou.patch new file mode 100644 index 00000000000..39d618aef1a --- /dev/null +++ b/queue-5.10/ubifs-correct-the-total-block-count-by-deducting-jou.patch 
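Review bot: Setting `znode->cparent = NULL` only where find_next_dirty() returns NULL fixes the root case from the message, but it relies on write_index() treating a NULL `cparent` as "no parent hash to update" rather than dereferencing it; that branch is outside the hunk and was written against a newer tree, so it should be confirmed in 5.10. The new `ubifs_assert(c, !znode->parent)` does not halt under the default assert action, so if the invariant ever fails the result is presumably an index node whose hash is never propagated into its parent rather than a crash—worth stating in the commit or a comment. Non-root nodes presumably get `cparent` refreshed earlier in the same loop; a comment on the new line would make the asymmetry deliberate, e.g. `/* Root has no commit-parent; a stale cparent here can point at a freed znode. */`. The enclosing loop in get_znodes_to_commit() starts and ends outside the hunk.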
@@ -0,0 +1,46 @@ +From 6ee0ef1557c5d7f94668f44ba856a3689dfde5d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2024 09:09:09 +0800 +Subject: ubifs: Correct the total block count by deducting journal reservation + +From: Zhihao Cheng + +[ Upstream commit 84a2bee9c49769310efa19601157ef50a1df1267 ] + +Since commit e874dcde1cbf ("ubifs: Reserve one leb for each journal +head while doing budget"), available space is calulated by deducting +reservation for all journal heads. However, the total block count ( +which is only used by statfs) is not updated yet, which will cause +the wrong displaying for used space(total - available). +Fix it by deducting reservation for all journal heads from total +block count. + +Fixes: e874dcde1cbf ("ubifs: Reserve one leb for each journal head while doing budget") +Signed-off-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c +index 1df193c87e920..9ab8568705308 100644 +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -777,10 +777,10 @@ static void init_constants_master(struct ubifs_info *c) + * necessary to report something for the 'statfs()' call. + * + * Subtract the LEB reserved for GC, the LEB which is reserved for +- * deletions, minimum LEBs for the index, and assume only one journal +- * head is available. ++ * deletions, minimum LEBs for the index, the LEBs which are reserved ++ * for each journal head. + */ +- tmp64 = c->main_lebs - 1 - 1 - MIN_INDEX_LEBS - c->jhead_cnt + 1; ++ tmp64 = c->main_lebs - 1 - 1 - MIN_INDEX_LEBS - c->jhead_cnt; + tmp64 *= (long long)c->leb_size - c->leb_overhead; + tmp64 = ubifs_reported_space(c, tmp64); + c->block_cnt = tmp64 >> UBIFS_BLOCK_SHIFT; +-- +2.43.0 + 
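Review bot: With the `+ 1` gone, `tmp64 = c->main_lebs - 1 - 1 - MIN_INDEX_LEBS - c->jhead_cnt` is one LEB closer to zero and nothing in the hunk guards against it reaching zero or going negative for a small volume; a negative value passed through ubifs_reported_space() and shifted by UBIFS_BLOCK_SHIFT would likely surface as an enormous `block_cnt` in statfs(). The superblock validation that bounds `main_lebs` is outside the hunk, so either confirm it guarantees `main_lebs > 2 + MIN_INDEX_LEBS + c->jhead_cnt` or clamp locally with `if (tmp64 < 0) tmp64 = 0;` before the multiply. The reworded comment could also name the invariant it depends on, e.g. `/* Keep in step with the per-journal-head reservation in the budgeting code. */`.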
diff --git a/queue-5.10/um-always-dump-trace-for-specified-task-in-show_stac.patch b/queue-5.10/um-always-dump-trace-for-specified-task-in-show_stac.patch new file mode 100644 index 00000000000..f2ee97231fd --- /dev/null +++ b/queue-5.10/um-always-dump-trace-for-specified-task-in-show_stac.patch @@ -0,0 +1,37 @@ +From 08070fff990e7f70eedc2bfdc7199ed49365e7c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Nov 2024 18:39:33 +0800 +Subject: um: Always dump trace for specified task in show_stack + +From: Tiwei Bie + +[ Upstream commit 0f659ff362eac69777c4c191b7e5ccb19d76c67d ] + +Currently, show_stack() always dumps the trace of the current task. +However, it should dump the trace of the specified task if one is +provided. Otherwise, things like running "echo t > sysrq-trigger" +won't work as expected. + +Fixes: 970e51feaddb ("um: Add support for CONFIG_STACKTRACE") +Signed-off-by: Tiwei Bie +Link: https://patch.msgid.link/20241106103933.1132365-1-tiwei.btw@antgroup.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/kernel/sysrq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/kernel/sysrq.c b/arch/um/kernel/sysrq.c +index 7452f70d50d06..34edf6b8b69d5 100644 +--- a/arch/um/kernel/sysrq.c ++++ b/arch/um/kernel/sysrq.c +@@ -52,5 +52,5 @@ void show_stack(struct task_struct *task, unsigned long *stack, + } + + printk("%sCall Trace:\n", loglvl); +- dump_trace(current, &stackops, (void *)loglvl); ++ dump_trace(task ?: current, &stackops, (void *)loglvl); + } +-- +2.43.0 + diff --git a/queue-5.10/um-fix-potential-integer-overflow-during-physmem-set.patch b/queue-5.10/um-fix-potential-integer-overflow-during-physmem-set.patch new file mode 100644 index 00000000000..23f0c613fe8 --- /dev/null +++ b/queue-5.10/um-fix-potential-integer-overflow-during-physmem-set.patch 
@@ -0,0 +1,50 @@ +From f04c8691dee2df2a92360f7f371849d5ce2e1458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Sep 2024 12:59:48 +0800 +Subject: um: Fix potential integer overflow during physmem setup + +From: Tiwei Bie + +[ Upstream commit a98b7761f697e590ed5d610d87fa12be66f23419 ] + +This issue happens when the real map size is greater than LONG_MAX, +which can be easily triggered on UML/i386. + +Fixes: fe205bdd1321 ("um: Print minimum physical memory requirement") +Signed-off-by: Tiwei Bie +Link: https://patch.msgid.link/20240916045950.508910-3-tiwei.btw@antgroup.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/kernel/physmem.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/um/kernel/physmem.c b/arch/um/kernel/physmem.c +index e7c7b53a1435b..87b51089b0616 100644 +--- a/arch/um/kernel/physmem.c ++++ b/arch/um/kernel/physmem.c +@@ -80,10 +80,10 @@ void __init setup_physmem(unsigned long start, unsigned long reserve_end, + unsigned long len, unsigned long long highmem) + { + unsigned long reserve = reserve_end - start; +- long map_size = len - reserve; ++ unsigned long map_size = len - reserve; + int err; + +- if(map_size <= 0) { ++ if (len <= reserve) { + os_warn("Too few physical memory! Needed=%lu, given=%lu\n", + reserve, len); + exit(1); +@@ -94,7 +94,7 @@ void __init setup_physmem(unsigned long start, unsigned long reserve_end, + err = os_map_memory((void *) reserve_end, physmem_fd, reserve, + map_size, 1, 1, 1); + if (err < 0) { +- os_warn("setup_physmem - mapping %ld bytes of memory at 0x%p " ++ os_warn("setup_physmem - mapping %lu bytes of memory at 0x%p " + "failed - errno = %d\n", map_size, + (void *) reserve_end, err); + exit(1); +-- +2.43.0 + diff --git a/queue-5.10/um-fix-the-return-value-of-elf_core_copy_task_fpregs.patch b/queue-5.10/um-fix-the-return-value-of-elf_core_copy_task_fpregs.patch new file mode 100644 index 00000000000..d56d45cd199 --- /dev/null 
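Review bot: The new guard `if (len <= reserve)` still trusts `reserve = reserve_end - start`, which is unsigned arithmetic and wraps to a huge value if `reserve_end < start`; the guard would then reject every length, which is at least fail-safe, but a comment stating that callers guarantee `reserve_end >= start` (or an explicit check) would make that visible. Switching to `unsigned long map_size` removes the signed overflow, but whether it removes the truncation depends on the length parameter type of os_map_memory(), which is outside the hunk; if that is narrower the problem merely moves. The `%lu` format now matches the operand, which the old `%ld` did not.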
+++ b/queue-5.10/um-fix-the-return-value-of-elf_core_copy_task_fpregs.patch @@ -0,0 +1,36 @@ +From e4ef3cbe0af92cfd031dde1d8181b6b1721c938b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Sep 2024 10:33:02 +0800 +Subject: um: Fix the return value of elf_core_copy_task_fpregs + +From: Tiwei Bie + +[ Upstream commit 865e3845eeaa21e9a62abc1361644e67124f1ec0 ] + +This function is expected to return a boolean value, which should be +true on success and false on failure. + +Fixes: d1254b12c93e ("uml: fix x86_64 core dump crash") +Signed-off-by: Tiwei Bie +Link: https://patch.msgid.link/20240913023302.130300-1-tiwei.btw@antgroup.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/kernel/process.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c +index 76faaf1082cec..63c6fbd4e45b6 100644 +--- a/arch/um/kernel/process.c ++++ b/arch/um/kernel/process.c +@@ -406,6 +406,6 @@ int elf_core_copy_fpregs(struct task_struct *t, elf_fpregset_t *fpu) + { + int cpu = current_thread_info()->cpu; + +- return save_i387_registers(userspace_pid[cpu], (unsigned long *) fpu); ++ return save_i387_registers(userspace_pid[cpu], (unsigned long *) fpu) == 0; + } + +-- +2.43.0 + -- 2.47.3
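Review bot: The function in this tree is still declared `int elf_core_copy_fpregs(...)` (visible in the hunk header), so the new `== 0` turns an errno-style result into a 1/0 boolean without the signature saying so; a reader who sees save_i387_registers() returning an error code would reasonably expect this wrapper to forward it. A one-line comment at the return would pin the contract, e.g. `/* save_i387_registers() returns 0 on success; the ELF core dumper expects non-zero (true) for success. */`. The task argument `t` is ignored in favour of `current_thread_info()->cpu`, which predates this change but is worth noting since the name promises a per-task copy.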