From 3b0e62eaca75d00a21c0b25fd4a47e6c8e9c4692 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 16 Nov 2020 17:02:57 +0100 Subject: [PATCH] 5.9-stable patches added patches: block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch erofs-derive-atime-instead-of-leaving-it-empty.patch erofs-fix-setting-up-pcluster-for-temporary-pages.patch ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch firmware-xilinx-fix-out-of-bounds-access.patch kvm-arm64-don-t-hide-id-registers-from-userspace.patch loop-fix-occasional-uevent-drop.patch revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch speakup-fix-clearing-selection-in-safe-context.patch speakup-fix-var_id_t-values-and-thus-keymap.patch speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch uio-fix-use-after-free-in-uio_unregister_device.patch usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch usb-typec-ucsi-report-power-supply-changes.patch --- ...o-set_capacity_revalidate_and_notify.patch | 55 ++++++ ...have-replace-item-with-target-device.patch | 146 +++++++++++++++ ...size-calculation-in-merge_reloc_root.patch | 89 +++++++++ ...uster_pages_for_defrag-on-32bit-arch.patch | 66 +++++++ ...ix-memory-leak-in-btrfs_ref_tree_mod.patch | 33 ++++ ...ve-atime-instead-of-leaving-it-empty.patch | 79 ++++++++ ...ting-up-pcluster-for-temporary-pages.patch | 45 +++++ ...for-usr-grp-jquota-when-config_quota.patch | 46 +++++ ...roperly-in-ext4_inline_data_truncate.patch | 36 ++++ ...ware-xilinx-fix-out-of-bounds-access.patch | 
51 ++++++ ...n-t-hide-id-registers-from-userspace.patch | 83 +++++++++ .../loop-fix-occasional-uevent-drop.patch | 55 ++++++ ...evm_platform_ioremap_resource_byname.patch | 50 +++++ queue-5.9/series | 21 +++ ...x-clearing-selection-in-safe-context.patch | 139 ++++++++++++++ ...-fix-var_id_t-values-and-thus-keymap.patch | 56 ++++++ ...o-do-not-schedule-in-ttyio_in_nowait.patch | 78 ++++++++ ...a_simple_remove-in-ring_request_msix.patch | 53 ++++++ ...mple_get-fails-in-enumerate_services.patch | 31 ++++ ...-after-free-in-uio_unregister_device.patch | 172 ++++++++++++++++++ ...e_echo-for-renesas-usb-download-mode.patch | 41 +++++ ...pec-ucsi-report-power-supply-changes.patch | 87 +++++++++ 22 files changed, 1512 insertions(+) create mode 100644 queue-5.9/block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch create mode 100644 queue-5.9/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch create mode 100644 queue-5.9/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch create mode 100644 queue-5.9/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch create mode 100644 queue-5.9/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch create mode 100644 queue-5.9/erofs-derive-atime-instead-of-leaving-it-empty.patch create mode 100644 queue-5.9/erofs-fix-setting-up-pcluster-for-temporary-pages.patch create mode 100644 queue-5.9/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch create mode 100644 queue-5.9/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch create mode 100644 queue-5.9/firmware-xilinx-fix-out-of-bounds-access.patch create mode 100644 queue-5.9/kvm-arm64-don-t-hide-id-registers-from-userspace.patch create mode 100644 queue-5.9/loop-fix-occasional-uevent-drop.patch create mode 100644 queue-5.9/revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch create mode 100644 
queue-5.9/speakup-fix-clearing-selection-in-safe-context.patch create mode 100644 queue-5.9/speakup-fix-var_id_t-values-and-thus-keymap.patch create mode 100644 queue-5.9/speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch create mode 100644 queue-5.9/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch create mode 100644 queue-5.9/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch create mode 100644 queue-5.9/uio-fix-use-after-free-in-uio_unregister_device.patch create mode 100644 queue-5.9/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch create mode 100644 queue-5.9/usb-typec-ucsi-report-power-supply-changes.patch diff --git a/queue-5.9/block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch b/queue-5.9/block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch new file mode 100644 index 00000000000..ae29b7a9223 --- /dev/null +++ b/queue-5.9/block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch 
@@ -0,0 +1,55 @@
+From 7e890c37c25c7cbca37ff0ab292873d8146e713b Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Thu, 12 Nov 2020 17:50:04 +0100
+Subject: block: add a return value to set_capacity_revalidate_and_notify
+
+From: Christoph Hellwig
+
+commit 7e890c37c25c7cbca37ff0ab292873d8146e713b upstream.
+
+Return if the function ended up sending an uevent or not.
+
+Cc: stable@vger.kernel.org # v5.9
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Petr Vorel
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/genhd.c | 5 ++++-
+ include/linux/genhd.h | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -49,7 +49,7 @@ static void disk_release_events(struct g
+ * Set disk capacity and notify if the size is not currently
+ * zero and will not be set to zero
+ */
+-void set_capacity_revalidate_and_notify(struct gendisk *disk, sector_t size,
++bool set_capacity_revalidate_and_notify(struct gendisk *disk, sector_t size,
+ bool revalidate)
+ {
+ sector_t capacity = get_capacity(disk);
+@@ -63,7 +63,10 @@ void set_capacity_revalidate_and_notify(
+ char *envp[] = { "RESIZE=1", NULL };
+
+ kobject_uevent_env(&disk_to_dev(disk)->kobj, KOBJ_CHANGE, envp);
++ return true;
+ }
++
++ return false;
+ }
+
+ EXPORT_SYMBOL_GPL(set_capacity_revalidate_and_notify);
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -315,7 +315,7 @@ static inline int get_disk_ro(struct gen
+ extern void disk_block_events(struct gendisk *disk);
+ extern void disk_unblock_events(struct gendisk *disk);
+ extern void disk_flush_events(struct gendisk *disk, unsigned int mask);
+-extern void set_capacity_revalidate_and_notify(struct gendisk *disk,
++extern bool set_capacity_revalidate_and_notify(struct gendisk *disk,
+ sector_t size, bool revalidate);
+ extern unsigned int disk_clear_events(struct gendisk *disk, unsigned int mask);
+
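Review bot: The comment above `set_capacity_revalidate_and_notify()` in block/genhd.c still describes only the side effect and does not mention the new `bool` result. I would add a line to it such as `* Returns true if a RESIZE uevent was sent, false otherwise.` so callers know what the value means. The function's body lies partly outside the two genhd.c hunks, so the condition that guards the uevent is not visible here.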
diff --git a/queue-5.9/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch b/queue-5.9/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch new file mode 100644 index 00000000000..897ad387d5e --- /dev/null +++ b/queue-5.9/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch 
@@ -0,0 +1,146 @@ +From cf89af146b7e62af55470cf5f3ec3c56ec144a5e Mon Sep 17 00:00:00 2001 +From: Anand Jain +Date: Fri, 30 Oct 2020 06:53:56 +0800 +Subject: btrfs: dev-replace: fail mount if we don't have replace item with target device + +From: Anand Jain + +commit cf89af146b7e62af55470cf5f3ec3c56ec144a5e upstream. + +If there is a device BTRFS_DEV_REPLACE_DEVID without the device replace +item, then it means the filesystem is inconsistent state. This is either +corruption or a crafted image. Fail the mount as this needs a closer +look what is actually wrong. + +As of now if BTRFS_DEV_REPLACE_DEVID is present without the replace +item, in __btrfs_free_extra_devids() we determine that there is an +extra device, and free those extra devices but continue to mount the +device. +However, we were wrong in keeping tack of the rw_devices so the syzbot +testcase failed: + + WARNING: CPU: 1 PID: 3612 at fs/btrfs/volumes.c:1166 close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166 + Kernel panic - not syncing: panic_on_warn set ... 
+ CPU: 1 PID: 3612 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x198/0x1fd lib/dump_stack.c:118 + panic+0x347/0x7c0 kernel/panic.c:231 + __warn.cold+0x20/0x46 kernel/panic.c:600 + report_bug+0x1bd/0x210 lib/bug.c:198 + handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234 + exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254 + asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 + RIP: 0010:close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166 + RSP: 0018:ffffc900091777e0 EFLAGS: 00010246 + RAX: 0000000000040000 RBX: ffffffffffffffff RCX: ffffc9000c8b7000 + RDX: 0000000000040000 RSI: ffffffff83097f47 RDI: 0000000000000007 + RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff8880988a187f + R10: 0000000000000000 R11: 0000000000000001 R12: ffff88809593a130 + R13: ffff88809593a1ec R14: ffff8880988a1908 R15: ffff88809593a050 + close_fs_devices fs/btrfs/volumes.c:1193 [inline] + btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1179 + open_ctree+0x4984/0x4a2d fs/btrfs/disk-io.c:3434 + btrfs_fill_super fs/btrfs/super.c:1316 [inline] + btrfs_mount_root.cold+0x14/0x165 fs/btrfs/super.c:1672 + +The fix here is, when we determine that there isn't a replace item +then fail the mount if there is a replace target device (devid 0). 
+ +CC: stable@vger.kernel.org # 4.19+ +Reported-by: syzbot+4cfe71a4da060be47502@syzkaller.appspotmail.com +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/dev-replace.c | 26 ++++++++++++++++++++++++-- + fs/btrfs/volumes.c | 26 +++++++------------------- + 2 files changed, 31 insertions(+), 21 deletions(-) + +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -95,6 +95,17 @@ int btrfs_init_dev_replace(struct btrfs_ + ret = btrfs_search_slot(NULL, dev_root, &key, path, 0, 0); + if (ret) { + no_valid_dev_replace_entry_found: ++ /* ++ * We don't have a replace item or it's corrupted. If there is ++ * a replace target, fail the mount. ++ */ ++ if (btrfs_find_device(fs_info->fs_devices, ++ BTRFS_DEV_REPLACE_DEVID, NULL, NULL, false)) { ++ btrfs_err(fs_info, ++ "found replace target device without a valid replace item"); ++ ret = -EUCLEAN; ++ goto out; ++ } + ret = 0; + dev_replace->replace_state = + BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED; +@@ -147,8 +158,19 @@ no_valid_dev_replace_entry_found: + case BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED: + case BTRFS_IOCTL_DEV_REPLACE_STATE_FINISHED: + case BTRFS_IOCTL_DEV_REPLACE_STATE_CANCELED: +- dev_replace->srcdev = NULL; +- dev_replace->tgtdev = NULL; ++ /* ++ * We don't have an active replace item but if there is a ++ * replace target, fail the mount. 
++ */ ++ if (btrfs_find_device(fs_info->fs_devices, ++ BTRFS_DEV_REPLACE_DEVID, NULL, NULL, false)) { ++ btrfs_err(fs_info, ++ "replace devid present without an active replace item"); ++ ret = -EUCLEAN; ++ } else { ++ dev_replace->srcdev = NULL; ++ dev_replace->tgtdev = NULL; ++ } + break; + case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED: + case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED: +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1064,22 +1064,13 @@ again: + continue; + } + +- if (device->devid == BTRFS_DEV_REPLACE_DEVID) { +- /* +- * In the first step, keep the device which has +- * the correct fsid and the devid that is used +- * for the dev_replace procedure. +- * In the second step, the dev_replace state is +- * read from the device tree and it is known +- * whether the procedure is really active or +- * not, which means whether this device is +- * used or whether it should be removed. +- */ +- if (step == 0 || test_bit(BTRFS_DEV_STATE_REPLACE_TGT, +- &device->dev_state)) { +- continue; +- } +- } ++ /* ++ * We have already validated the presence of BTRFS_DEV_REPLACE_DEVID, ++ * in btrfs_init_dev_replace() so just continue. ++ */ ++ if (device->devid == BTRFS_DEV_REPLACE_DEVID) ++ continue; ++ + if (device->bdev) { + blkdev_put(device->bdev, device->mode); + device->bdev = NULL; +@@ -1088,9 +1079,6 @@ again: + if (test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)) { + list_del_init(&device->dev_alloc_list); + clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state); +- if (!test_bit(BTRFS_DEV_STATE_REPLACE_TGT, +- &device->dev_state)) +- fs_devices->rw_devices--; + } + list_del_init(&device->dev_list); + fs_devices->num_devices--; diff --git a/queue-5.9/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch b/queue-5.9/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch new file mode 100644 index 00000000000..dc72007c5fd --- /dev/null +++ b/queue-5.9/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch 
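Review bot: The last fs/btrfs/volumes.c hunk removes `fs_devices->rw_devices--` altogether, although the surrounding lines still take a writeable device off `dev_alloc_list` and clear `BTRFS_DEV_STATE_WRITEABLE` before unlinking it from `dev_list`. Replace-target devices are now skipped earlier by the new `continue`, so dropping the `BTRFS_DEV_STATE_REPLACE_TGT` test is reasonable, but the decrement itself still looks necessary. Without it `rw_devices` would stay too high after an extra writeable device is freed, and the description attributes the quoted close_fs_devices WARNING to wrong `rw_devices` tracking. I would keep an unconditional `fs_devices->rw_devices--;` after the `clear_bit()` call. The loop starts outside the hunk, so this should be confirmed against the full function.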
@@ -0,0 +1,89 @@ +From fca3a45d08782a2bb85e048fb8e3128b1388d7b7 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Mon, 26 Oct 2020 16:57:27 -0400 +Subject: btrfs: fix min reserved size calculation in merge_reloc_root + +From: Josef Bacik + +commit fca3a45d08782a2bb85e048fb8e3128b1388d7b7 upstream. + +The minimum reserve size was adjusted to take into account the height of +the tree we are merging, however we can have a root with a level == 0. +What we want is root_level + 1 to get the number of nodes we may have to +cow. This fixes the enospc_debug warning pops with btrfs/101. + +Nikolay: this fixes failures on btrfs/060 btrfs/062 btrfs/063 and +btrfs/195 That I was seeing, the call trace was: + + [ 3680.515564] ------------[ cut here ]------------ + [ 3680.515566] BTRFS: block rsv returned -28 + [ 3680.515585] WARNING: CPU: 2 PID: 8339 at fs/btrfs/block-rsv.c:521 btrfs_use_block_rsv+0x162/0x180 + [ 3680.515587] Modules linked in: + [ 3680.515591] CPU: 2 PID: 8339 Comm: btrfs Tainted: G W 5.9.0-rc8-default #95 + [ 3680.515593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 + [ 3680.515595] RIP: 0010:btrfs_use_block_rsv+0x162/0x180 + [ 3680.515600] RSP: 0018:ffffa01ac9753910 EFLAGS: 00010282 + [ 3680.515602] RAX: 0000000000000000 RBX: ffff984b34200000 RCX: 0000000000000027 + [ 3680.515604] RDX: 0000000000000027 RSI: 0000000000000000 RDI: ffff984b3bd19e28 + [ 3680.515606] RBP: 0000000000004000 R08: ffff984b3bd19e20 R09: 0000000000000001 + [ 3680.515608] R10: 0000000000000004 R11: 0000000000000046 R12: ffff984b264fdc00 + [ 3680.515609] R13: ffff984b13149000 R14: 00000000ffffffe4 R15: ffff984b34200000 + [ 3680.515613] FS: 00007f4e2912b8c0(0000) GS:ffff984b3bd00000(0000) knlGS:0000000000000000 + [ 3680.515615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 3680.515617] CR2: 00007fab87122150 CR3: 0000000118e42000 CR4: 00000000000006e0 + [ 3680.515620] Call Trace: + [ 3680.515627] btrfs_alloc_tree_block+0x8b/0x340 + [ 
3680.515633] ? __lock_acquire+0x51a/0xac0 + [ 3680.515646] alloc_tree_block_no_bg_flush+0x4f/0x60 + [ 3680.515651] __btrfs_cow_block+0x14e/0x7e0 + [ 3680.515662] btrfs_cow_block+0x144/0x2c0 + [ 3680.515670] merge_reloc_root+0x4d4/0x610 + [ 3680.515675] ? btrfs_lookup_fs_root+0x78/0x90 + [ 3680.515686] merge_reloc_roots+0xee/0x280 + [ 3680.515695] relocate_block_group+0x2ce/0x5e0 + [ 3680.515704] btrfs_relocate_block_group+0x16e/0x310 + [ 3680.515711] btrfs_relocate_chunk+0x38/0xf0 + [ 3680.515716] btrfs_shrink_device+0x200/0x560 + [ 3680.515728] btrfs_rm_device+0x1ae/0x6a6 + [ 3680.515744] ? _copy_from_user+0x6e/0xb0 + [ 3680.515750] btrfs_ioctl+0x1afe/0x28c0 + [ 3680.515755] ? find_held_lock+0x2b/0x80 + [ 3680.515760] ? do_user_addr_fault+0x1f8/0x418 + [ 3680.515773] ? __x64_sys_ioctl+0x77/0xb0 + [ 3680.515775] __x64_sys_ioctl+0x77/0xb0 + [ 3680.515781] do_syscall_64+0x31/0x70 + [ 3680.515785] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported-by: Nikolay Borisov +Fixes: 44d354abf33e ("btrfs: relocation: review the call sites which can be interrupted by signal") +CC: stable@vger.kernel.org # 5.4+ +Reviewed-by: Nikolay Borisov +Tested-by: Nikolay Borisov +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/relocation.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1646,6 +1646,7 @@ static noinline_for_stack int merge_relo + struct btrfs_root_item *root_item; + struct btrfs_path *path; + struct extent_buffer *leaf; ++ int reserve_level; + int level; + int max_level; + int replaced = 0; +@@ -1694,7 +1695,8 @@ static noinline_for_stack int merge_relo + * Thus the needed metadata size is at most root_level * nodesize, + * and * 2 since we have two trees to COW. 
+ */ +- min_reserved = fs_info->nodesize * btrfs_root_level(root_item) * 2; ++ reserve_level = max_t(int, 1, btrfs_root_level(root_item)); ++ min_reserved = fs_info->nodesize * reserve_level * 2; + memset(&next_key, 0, sizeof(next_key)); + + while (1) { diff --git a/queue-5.9/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch b/queue-5.9/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch new file mode 100644 index 00000000000..20eea3c3962 --- /dev/null +++ b/queue-5.9/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch 
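Review bot: The added line `reserve_level = max_t(int, 1, btrfs_root_level(root_item));` does not match the description, which says the reservation should use root_level + 1; the clamp differs from the old value only when the level is 0. The context comment directly above still reads "at most root_level * nodesize", so comment, description and code now say three different things. If the clamp is intended, I would extend the comment with something like `* Use at least one level so that a level 0 root still reserves space.`; if level + 1 is intended, the expression needs to change. The body of merge_reloc_root() extends beyond both hunks.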
@@ -0,0 +1,66 @@ +From a1fbc6750e212c5675a4e48d7f51d44607eb8756 Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Sun, 4 Oct 2020 19:04:26 +0100 +Subject: btrfs: fix potential overflow in cluster_pages_for_defrag on 32bit arch + +From: Matthew Wilcox (Oracle) + +commit a1fbc6750e212c5675a4e48d7f51d44607eb8756 upstream. + +On 32-bit systems, this shift will overflow for files larger than 4GB as +start_index is unsigned long while the calls to btrfs_delalloc_*_space +expect u64. + +CC: stable@vger.kernel.org # 4.4+ +Fixes: df480633b891 ("btrfs: extent-tree: Switch to new delalloc space reserve and release") +Reviewed-by: Josef Bacik +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: David Sterba +[ define the variable instead of repeating the shift ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1261,6 +1261,7 @@ static int cluster_pages_for_defrag(stru + u64 page_start; + u64 page_end; + u64 page_cnt; ++ u64 start = (u64)start_index << PAGE_SHIFT; + int ret; + int i; + int i_done; +@@ -1277,8 +1278,7 @@ static int cluster_pages_for_defrag(stru + page_cnt = min_t(u64, (u64)num_pages, (u64)file_end - start_index + 1); + + ret = btrfs_delalloc_reserve_space(BTRFS_I(inode), &data_reserved, +- start_index << PAGE_SHIFT, +- page_cnt << PAGE_SHIFT); ++ start, page_cnt << PAGE_SHIFT); + if (ret) + return ret; + i_done = 0; +@@ -1367,8 +1367,7 @@ again: + btrfs_mod_outstanding_extents(BTRFS_I(inode), 1); + spin_unlock(&BTRFS_I(inode)->lock); + btrfs_delalloc_release_space(BTRFS_I(inode), data_reserved, +- start_index << PAGE_SHIFT, +- (page_cnt - i_done) << PAGE_SHIFT, true); ++ start, (page_cnt - i_done) << PAGE_SHIFT, true); + } + + +@@ -1395,8 +1394,7 @@ out: + put_page(pages[i]); + } + btrfs_delalloc_release_space(BTRFS_I(inode), data_reserved, +- start_index << PAGE_SHIFT, +- page_cnt << 
PAGE_SHIFT, true); ++ start, page_cnt << PAGE_SHIFT, true); + btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT); + extent_changeset_free(data_reserved); + return ret; diff --git a/queue-5.9/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch b/queue-5.9/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch new file mode 100644 index 00000000000..d7121ab9432 --- /dev/null +++ b/queue-5.9/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch @@ -0,0 +1,33 @@ +From 468600c6ec28613b756193c5f780aac062f1acdf Mon Sep 17 00:00:00 2001 +From: Dinghao Liu +Date: Wed, 21 Oct 2020 13:36:55 +0800 +Subject: btrfs: ref-verify: fix memory leak in btrfs_ref_tree_mod + +From: Dinghao Liu + +commit 468600c6ec28613b756193c5f780aac062f1acdf upstream. + +There is one error handling path that does not free ref, which may cause +a minor memory leak. + +CC: stable@vger.kernel.org # 4.19+ +Reviewed-by: Josef Bacik +Signed-off-by: Dinghao Liu +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ref-verify.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/ref-verify.c ++++ b/fs/btrfs/ref-verify.c +@@ -860,6 +860,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i + "dropping a ref for a root that doesn't have a ref on the block"); + dump_block_entry(fs_info, be); + dump_ref_action(fs_info, ra); ++ kfree(ref); + kfree(ra); + goto out_unlock; + } diff --git a/queue-5.9/erofs-derive-atime-instead-of-leaving-it-empty.patch b/queue-5.9/erofs-derive-atime-instead-of-leaving-it-empty.patch new file mode 100644 index 00000000000..3e6983e525c --- /dev/null +++ b/queue-5.9/erofs-derive-atime-instead-of-leaving-it-empty.patch 
@@ -0,0 +1,79 @@ +From d3938ee23e97bfcac2e0eb6b356875da73d700df Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Sun, 1 Nov 2020 03:51:02 +0800 +Subject: erofs: derive atime instead of leaving it empty + +From: Gao Xiang + +commit d3938ee23e97bfcac2e0eb6b356875da73d700df upstream. + +EROFS has _only one_ ondisk timestamp (ctime is currently +documented and recorded, we might also record mtime instead +with a new compat feature if needed) for each extended inode +since EROFS isn't mainly for archival purposes so no need to +keep all timestamps on disk especially for Android scenarios +due to security concerns. Also, romfs/cramfs don't have their +own on-disk timestamp, and squashfs only records mtime instead. + +Let's also derive access time from ondisk timestamp rather than +leaving it empty, and if mtime/atime for each file are really +needed for specific scenarios as well, we can also use xattrs +to record them then. + +Link: https://lore.kernel.org/r/20201031195102.21221-1-hsiangkao@aol.com +[ Gao Xiang: It'd be better to backport for user-friendly concern. 
] +Fixes: 431339ba9042 ("staging: erofs: add inode operations") +Cc: stable # 4.19+ +Reported-by: nl6720 +Reviewed-by: Chao Yu +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman + +--- + fs/erofs/inode.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -107,11 +107,9 @@ static struct page *erofs_read_inode(str + i_gid_write(inode, le32_to_cpu(die->i_gid)); + set_nlink(inode, le32_to_cpu(die->i_nlink)); + +- /* ns timestamp */ +- inode->i_mtime.tv_sec = inode->i_ctime.tv_sec = +- le64_to_cpu(die->i_ctime); +- inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec = +- le32_to_cpu(die->i_ctime_nsec); ++ /* extended inode has its own timestamp */ ++ inode->i_ctime.tv_sec = le64_to_cpu(die->i_ctime); ++ inode->i_ctime.tv_nsec = le32_to_cpu(die->i_ctime_nsec); + + inode->i_size = le64_to_cpu(die->i_size); + +@@ -149,11 +147,9 @@ static struct page *erofs_read_inode(str + i_gid_write(inode, le16_to_cpu(dic->i_gid)); + set_nlink(inode, le16_to_cpu(dic->i_nlink)); + +- /* use build time to derive all file time */ +- inode->i_mtime.tv_sec = inode->i_ctime.tv_sec = +- sbi->build_time; +- inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec = +- sbi->build_time_nsec; ++ /* use build time for compact inodes */ ++ inode->i_ctime.tv_sec = sbi->build_time; ++ inode->i_ctime.tv_nsec = sbi->build_time_nsec; + + inode->i_size = le32_to_cpu(dic->i_size); + if (erofs_inode_is_data_compressed(vi->datalayout)) +@@ -167,6 +163,11 @@ static struct page *erofs_read_inode(str + goto err_out; + } + ++ inode->i_mtime.tv_sec = inode->i_ctime.tv_sec; ++ inode->i_atime.tv_sec = inode->i_ctime.tv_sec; ++ inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec; ++ inode->i_atime.tv_nsec = inode->i_ctime.tv_nsec; ++ + if (!nblks) + /* measure inode.i_blocks as generic filesystems */ + inode->i_blocks = roundup(inode->i_size, EROFS_BLKSIZ) >> 9; 
diff --git a/queue-5.9/erofs-fix-setting-up-pcluster-for-temporary-pages.patch b/queue-5.9/erofs-fix-setting-up-pcluster-for-temporary-pages.patch
new file mode 100644
index 00000000000..c92c0514a99
--- /dev/null
+++ b/queue-5.9/erofs-fix-setting-up-pcluster-for-temporary-pages.patch
@@ -0,0 +1,45 @@
+From a30573b3cdc77b8533d004ece1ea7c0146b437a0 Mon Sep 17 00:00:00 2001
+From: Gao Xiang
+Date: Thu, 22 Oct 2020 22:57:21 +0800
+Subject: erofs: fix setting up pcluster for temporary pages
+
+From: Gao Xiang
+
+commit a30573b3cdc77b8533d004ece1ea7c0146b437a0 upstream.
+
+pcluster should be only set up for all managed pages instead of
+temporary pages. Since it currently uses page->mapping to identify,
+the impact is minor for now.
+
+[ Update: Vladimir reported the kernel log becomes polluted
+ because PAGE_FLAGS_CHECK_AT_FREE flag(s) set if the page
+ allocation debug option is enabled. ]
+
+Link: https://lore.kernel.org/r/20201022145724.27284-1-hsiangkao@aol.com
+Fixes: 5ddcee1f3a1c ("erofs: get rid of __stagingpage_alloc helper")
+Cc: # 5.5+
+Tested-by: Vladimir Zapolskiy
+Reviewed-by: Chao Yu
+Signed-off-by: Gao Xiang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/erofs/zdata.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -1080,8 +1080,11 @@ out_allocpage:
+ cond_resched();
+ goto repeat;
+ }
+- set_page_private(page, (unsigned long)pcl);
+- SetPagePrivate(page);
++
++ if (tocache) {
++ set_page_private(page, (unsigned long)pcl);
++ SetPagePrivate(page);
++ }
+ out: /* the only exit (for tracing and debugging) */
+ return page;
+ }
diff --git a/queue-5.9/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch b/queue-5.9/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch
new file mode 100644
index 00000000000..7b34e12e3a5
--- /dev/null
+++ b/queue-5.9/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch
@@ -0,0 +1,46 @@
+From 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d Mon Sep 17 00:00:00 2001
+From: Kaixu Xia
+Date: Thu, 29 Oct 2020 23:46:36 +0800
+Subject: ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA
+
+From: Kaixu Xia
+
+commit 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d upstream.
+
+The macro MOPT_Q is used to indicates the mount option is related to
+quota stuff and is defined to be MOPT_NOSUPPORT when CONFIG_QUOTA is
+disabled. Normally the quota options are handled explicitly, so it
+didn't matter that the MOPT_STRING flag was missing, even though the
+usrjquota and grpjquota mount options take a string argument. It's
+important that's present in the !CONFIG_QUOTA case, since without
+MOPT_STRING, the mount option matcher will match usrjquota= followed
+by an integer, and will otherwise skip the table entry, and so "mount
+option not supported" error message is never reported.
+
+[ Fixed up the commit description to better explain why the fix
+ works. --TYT ]
+
+Fixes: 26092bf52478 ("ext4: use a table-driven handler for mount options")
+Signed-off-by: Kaixu Xia
+Link: https://lore.kernel.org/r/1603986396-28917-1-git-send-email-kaixuxia@tencent.com
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1829,8 +1829,8 @@ static const struct mount_opts {
+ {Opt_noquota, (EXT4_MOUNT_QUOTA | EXT4_MOUNT_USRQUOTA |
+ EXT4_MOUNT_GRPQUOTA | EXT4_MOUNT_PRJQUOTA),
+ MOPT_CLEAR | MOPT_Q},
+- {Opt_usrjquota, 0, MOPT_Q},
+- {Opt_grpjquota, 0, MOPT_Q},
++ {Opt_usrjquota, 0, MOPT_Q | MOPT_STRING},
++ {Opt_grpjquota, 0, MOPT_Q | MOPT_STRING},
+ {Opt_offusrjquota, 0, MOPT_Q},
+ {Opt_offgrpjquota, 0, MOPT_Q},
+ {Opt_jqfmt_vfsold, QFMT_VFS_OLD, MOPT_QFMT},
diff --git a/queue-5.9/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch b/queue-5.9/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch
new file mode 100644
index 00000000000..e8b48075e60
--- /dev/null
+++ b/queue-5.9/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch
@@ -0,0 +1,36 @@
+From 7067b2619017d51e71686ca9756b454de0e5826a Mon Sep 17 00:00:00 2001
+From: Joseph Qi
+Date: Tue, 3 Nov 2020 10:29:02 +0800
+Subject: ext4: unlock xattr_sem properly in ext4_inline_data_truncate()
+
+From: Joseph Qi
+
+commit 7067b2619017d51e71686ca9756b454de0e5826a upstream.
+
+It takes xattr_sem to check inline data again but without unlock it
+in case not have. So unlock it before return.
+
+Fixes: aef1c8513c1f ("ext4: let ext4_truncate handle inline data correctly")
+Reported-by: Dan Carpenter
+Cc: Tao Ma
+Signed-off-by: Joseph Qi
+Reviewed-by: Andreas Dilger
+Link: https://lore.kernel.org/r/1604370542-124630-1-git-send-email-joseph.qi@linux.alibaba.com
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/inline.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1880,6 +1880,7 @@ int ext4_inline_data_truncate(struct ino
+
+ ext4_write_lock_xattr(inode, &no_expand);
+ if (!ext4_has_inline_data(inode)) {
++ ext4_write_unlock_xattr(inode, &no_expand);
+ *has_inline = 0;
+ ext4_journal_stop(handle);
+ return 0;
diff --git a/queue-5.9/firmware-xilinx-fix-out-of-bounds-access.patch b/queue-5.9/firmware-xilinx-fix-out-of-bounds-access.patch
new file mode 100644
index 00000000000..08a64c64619
--- /dev/null
+++ b/queue-5.9/firmware-xilinx-fix-out-of-bounds-access.patch
@@ -0,0 +1,51 @@
+From f3217d6f2f7a76b36a3326ad58c8897f4d5fbe31 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 26 Oct 2020 16:54:36 +0100
+Subject: firmware: xilinx: fix out-of-bounds access
+
+From: Arnd Bergmann
+
+commit f3217d6f2f7a76b36a3326ad58c8897f4d5fbe31 upstream.
+
+The zynqmp_pm_set_suspend_mode() and zynqmp_pm_get_trustzone_version()
+functions pass values as api_id into zynqmp_pm_invoke_fn
+that are beyond PM_API_MAX, resulting in an out-of-bounds access:
+
+drivers/firmware/xilinx/zynqmp.c: In function 'zynqmp_pm_set_suspend_mode':
+drivers/firmware/xilinx/zynqmp.c:150:24: warning: array subscript 2562 is above array bounds of 'u32[64]' {aka 'unsigned int[64]'} [-Warray-bounds]
+ 150 | if (zynqmp_pm_features[api_id] != PM_FEATURE_UNCHECKED)
+ | ~~~~~~~~~~~~~~~~~~^~~~~~~~
+drivers/firmware/xilinx/zynqmp.c:28:12: note: while referencing 'zynqmp_pm_features'
+ 28 | static u32 zynqmp_pm_features[PM_API_MAX];
+ | ^~~~~~~~~~~~~~~~~~
+
+Replace the resulting undefined behavior with an error return.
+This may break some things that happen to work at the moment
+but seems better than randomly overwriting kernel data.
+
+I assume we need additional fixes for the two functions that now
+return an error.
+
+Fixes: 76582671eb5d ("firmware: xilinx: Add Zynqmp firmware driver")
+Fixes: e178df31cf41 ("firmware: xilinx: Implement ZynqMP power management APIs")
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20201026155449.3703142-1-arnd@kernel.org
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/firmware/xilinx/zynqmp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/firmware/xilinx/zynqmp.c
++++ b/drivers/firmware/xilinx/zynqmp.c
+@@ -147,6 +147,9 @@ static int zynqmp_pm_feature(u32 api_id)
+ return 0;
+
+ /* Return value if feature is already checked */
++ if (api_id > ARRAY_SIZE(zynqmp_pm_features))
++ return PM_FEATURE_INVALID;
++
+ if (zynqmp_pm_features[api_id] != PM_FEATURE_UNCHECKED)
+ return zynqmp_pm_features[api_id];
+
diff --git a/queue-5.9/kvm-arm64-don-t-hide-id-registers-from-userspace.patch b/queue-5.9/kvm-arm64-don-t-hide-id-registers-from-userspace.patch
new file mode 100644
index 00000000000..c51e871d63e
--- /dev/null
+++ b/queue-5.9/kvm-arm64-don-t-hide-id-registers-from-userspace.patch
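Review bot: The bounds check added to zynqmp_pm_feature() is off by one, because it uses `>` where `>=` is needed. An `api_id` equal to `ARRAY_SIZE(zynqmp_pm_features)` passes the test, and the next line then reads `zynqmp_pm_features[api_id]`, one element past the end of the array that the quoted compiler warning shows as `u32[64]`. The check should read `if (api_id >= ARRAY_SIZE(zynqmp_pm_features))`. The rest of the function is outside the hunk; if it later stores the queried result into the same slot, as the description's "overwriting kernel data" suggests, that would be an out-of-bounds write as well.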
@@ -0,0 +1,83 @@ +From f81cb2c3ad41ac6d8cb2650e3d72d5f67db1aa28 Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Thu, 5 Nov 2020 10:10:19 +0100 +Subject: KVM: arm64: Don't hide ID registers from userspace +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrew Jones + +commit f81cb2c3ad41ac6d8cb2650e3d72d5f67db1aa28 upstream. + +ID registers are RAZ until they've been allocated a purpose, but +that doesn't mean they should be removed from the KVM_GET_REG_LIST +list. So far we only have one register, SYS_ID_AA64ZFR0_EL1, that +is hidden from userspace when its function, SVE, is not present. + +Expose SYS_ID_AA64ZFR0_EL1 to userspace as RAZ when SVE is not +implemented. Removing the userspace visibility checks is enough +to reexpose it, as it will already return zero to userspace when +SVE is not present. The register already behaves as RAZ for the +guest when SVE is not present. + +Fixes: 73433762fcae ("KVM: arm64/sve: System register context switch and access support") +Reported-by: 张东旭 +Signed-off-by: Andrew Jones +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org#v5.2+ +Link: https://lore.kernel.org/r/20201105091022.15373-2-drjones@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/sys_regs.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +--- a/arch/arm64/kvm/sys_regs.c ++++ b/arch/arm64/kvm/sys_regs.c +@@ -1193,16 +1193,6 @@ static unsigned int sve_visibility(const + return REG_HIDDEN_USER | REG_HIDDEN_GUEST; + } + +-/* Visibility overrides for SVE-specific ID registers */ +-static unsigned int sve_id_visibility(const struct kvm_vcpu *vcpu, +- const struct sys_reg_desc *rd) +-{ +- if (vcpu_has_sve(vcpu)) +- return 0; +- +- return REG_HIDDEN_USER; +-} +- + /* Generate the emulated ID_AA64ZFR0_EL1 value exposed to the guest */ + static u64 guest_id_aa64zfr0_el1(const struct kvm_vcpu *vcpu) + { +@@ -1229,9 +1219,6 @@ static int get_id_aa64zfr0_el1(struct 
kv + { + u64 val; + +- if (WARN_ON(!vcpu_has_sve(vcpu))) +- return -ENOENT; +- + val = guest_id_aa64zfr0_el1(vcpu); + return reg_to_user(uaddr, &val, reg->id); + } +@@ -1244,9 +1231,6 @@ static int set_id_aa64zfr0_el1(struct kv + int err; + u64 val; + +- if (WARN_ON(!vcpu_has_sve(vcpu))) +- return -ENOENT; +- + err = reg_from_user(&val, uaddr, id); + if (err) + return err; +@@ -1509,7 +1493,7 @@ static const struct sys_reg_desc sys_reg + ID_SANITISED(ID_AA64PFR1_EL1), + ID_UNALLOCATED(4,2), + ID_UNALLOCATED(4,3), +- { SYS_DESC(SYS_ID_AA64ZFR0_EL1), access_id_aa64zfr0_el1, .get_user = get_id_aa64zfr0_el1, .set_user = set_id_aa64zfr0_el1, .visibility = sve_id_visibility }, ++ { SYS_DESC(SYS_ID_AA64ZFR0_EL1), access_id_aa64zfr0_el1, .get_user = get_id_aa64zfr0_el1, .set_user = set_id_aa64zfr0_el1, }, + ID_UNALLOCATED(4,5), + ID_UNALLOCATED(4,6), + ID_UNALLOCATED(4,7), diff --git a/queue-5.9/loop-fix-occasional-uevent-drop.patch b/queue-5.9/loop-fix-occasional-uevent-drop.patch new file mode 100644 index 00000000000..86fd96d1bd0 --- /dev/null +++ b/queue-5.9/loop-fix-occasional-uevent-drop.patch 
@@ -0,0 +1,55 @@ +From c01a21b77722db0474bbcc4eafc8c4e0d8fed6d8 Mon Sep 17 00:00:00 2001 +From: Petr Vorel +Date: Thu, 12 Nov 2020 17:50:05 +0100 +Subject: loop: Fix occasional uevent drop + +From: Petr Vorel + +commit c01a21b77722db0474bbcc4eafc8c4e0d8fed6d8 upstream. + +Commit 716ad0986cbd ("loop: Switch to set_capacity_revalidate_and_notify") +causes an occasional drop of loop device uevent, which are no longer +triggered in loop_set_size() but in a different part of code. + +Bug is reproducible with LTP test uevent01 [1]: + +i=0; while true; do + i=$((i+1)); echo "== $i ==" + lsmod |grep -q loop && rmmod -f loop + ./uevent01 || break +done + +Put back triggering through code called in loop_set_size(). + +Fix required to add yet another parameter to +set_capacity_revalidate_and_notify(). + +[1] https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/uevents/uevent01.c + +[hch: rebased on a different change to the prototype of + set_capacity_revalidate_and_notify] + +Cc: stable@vger.kernel.org # v5.9 +Fixes: 716ad0986cbd ("loop: Switch to set_capacity_revalidate_and_notify") +Reported-by: +Signed-off-by: Petr Vorel +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -255,7 +255,8 @@ static void loop_set_size(struct loop_de + + bd_set_size(bdev, size << SECTOR_SHIFT); + +- set_capacity_revalidate_and_notify(lo->lo_disk, size, false); ++ if (!set_capacity_revalidate_and_notify(lo->lo_disk, size, false)) ++ kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE); + } + + static inline int diff --git a/queue-5.9/revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch b/queue-5.9/revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch new file mode 100644 index 00000000000..fd7ceb883ce --- /dev/null 
+++ b/queue-5.9/revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch 
@@ -0,0 +1,50 @@ +From ffa13d2d94029882eca22a565551783787f121e5 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 12 Nov 2020 14:59:00 +0100 +Subject: Revert "usb: musb: convert to devm_platform_ioremap_resource_byname" + +From: Geert Uytterhoeven + +commit ffa13d2d94029882eca22a565551783787f121e5 upstream. + +This reverts commit 2d30e408a2a6b3443d3232593e3d472584a3e9f8. + +On Beaglebone Black, where each interface has 2 children: + + musb-dsps 47401c00.usb: can't request region for resource [mem 0x47401800-0x474019ff] + musb-hdrc musb-hdrc.1: musb_init_controller failed with status -16 + musb-hdrc: probe of musb-hdrc.1 failed with error -16 + musb-dsps 47401400.usb: can't request region for resource [mem 0x47401000-0x474011ff] + musb-hdrc musb-hdrc.0: musb_init_controller failed with status -16 + musb-hdrc: probe of musb-hdrc.0 failed with error -16 + +Before, devm_ioremap_resource() was called on "dev" ("musb-hdrc.0" or +"musb-hdrc.1"), after it is called on "&pdev->dev" ("47401400.usb" or +"47401c00.usb"), leading to a duplicate region request, which fails. 
+ +Signed-off-by: Geert Uytterhoeven +Fixes: 2d30e408a2a6 ("usb: musb: convert to devm_platform_ioremap_resource_byname") +Cc: stable +Link: https://lore.kernel.org/r/20201112135900.3822599-1-geert+renesas@glider.be +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_dsps.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/musb/musb_dsps.c ++++ b/drivers/usb/musb/musb_dsps.c +@@ -429,10 +429,12 @@ static int dsps_musb_init(struct musb *m + struct platform_device *parent = to_platform_device(dev->parent); + const struct dsps_musb_wrapper *wrp = glue->wrp; + void __iomem *reg_base; ++ struct resource *r; + u32 rev, val; + int ret; + +- reg_base = devm_platform_ioremap_resource_byname(parent, "control"); ++ r = platform_get_resource_byname(parent, IORESOURCE_MEM, "control"); ++ reg_base = devm_ioremap_resource(dev, r); + if (IS_ERR(reg_base)) + return PTR_ERR(reg_base); + musb->ctrl_base = reg_base; diff --git a/queue-5.9/series b/queue-5.9/series index 219915805e6..d5fbe708955 100644 --- a/queue-5.9/series +++ b/queue-5.9/series 
@@ -179,3 +179,24 @@ nvme-freeze-the-queue-over-lba_shift-updates.patch nvme-fix-incorrect-behavior-when-blkroset-is-called-.patch perf-simplify-group_sched_in.patch perf-fix-event-multiplexing-for-exclusive-groups.patch +firmware-xilinx-fix-out-of-bounds-access.patch +erofs-fix-setting-up-pcluster-for-temporary-pages.patch +erofs-derive-atime-instead-of-leaving-it-empty.patch +ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch +ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch +btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch +btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch +btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch +btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch +kvm-arm64-don-t-hide-id-registers-from-userspace.patch +speakup-fix-var_id_t-values-and-thus-keymap.patch +speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch +speakup-fix-clearing-selection-in-safe-context.patch +thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch +thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch +block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch +loop-fix-occasional-uevent-drop.patch +uio-fix-use-after-free-in-uio_unregister_device.patch +revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch +usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch +usb-typec-ucsi-report-power-supply-changes.patch diff --git a/queue-5.9/speakup-fix-clearing-selection-in-safe-context.patch b/queue-5.9/speakup-fix-clearing-selection-in-safe-context.patch new file mode 100644 index 00000000000..a58727f7b5d --- /dev/null +++ b/queue-5.9/speakup-fix-clearing-selection-in-safe-context.patch 
@@ -0,0 +1,139 @@ +From 640969a69ca4dd2ac025fe873c6bf25eba8f11b3 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Sun, 8 Nov 2020 00:33:10 +0100 +Subject: speakup: Fix clearing selection in safe context + +From: Samuel Thibault + +commit 640969a69ca4dd2ac025fe873c6bf25eba8f11b3 upstream. + +speakup_cut() calls speakup_clear_selection() which calls console_lock. +Problem is: speakup_cut() is called from a keyboard interrupt +context. This would hang if speakup_cut is pressed while the console +lock is unfortunately already held. + +We can however as well just defer calling clear_selection() until the +already-deferred set_selection_kernel() call. + +This was spotted by the lock hardener: + + Possible unsafe locking scenario:\x0a + CPU0 + ---- + lock(console_lock); + + lock(console_lock); +\x0a *** DEADLOCK ***\x0a +[...] +Call Trace: + + dump_stack+0xc2/0x11a + print_usage_bug.cold+0x3e0/0x4b1 + mark_lock+0xd95/0x1390 + ? print_irq_inversion_bug+0xa0/0xa0 + __lock_acquire+0x21eb/0x5730 + ? __kasan_check_read+0x11/0x20 + ? check_chain_key+0x215/0x5e0 + ? register_lock_class+0x1580/0x1580 + ? lock_downgrade+0x7a0/0x7a0 + ? __rwlock_init+0x140/0x140 + lock_acquire+0x13f/0x370 + ? speakup_clear_selection+0xe/0x20 [speakup] + console_lock+0x33/0x50 + ? speakup_clear_selection+0xe/0x20 [speakup] + speakup_clear_selection+0xe/0x20 [speakup] + speakup_cut+0x19e/0x4b0 [speakup] + keyboard_notifier_call+0x1f04/0x4a40 [speakup] + ? read_all_doc+0x240/0x240 [speakup] + notifier_call_chain+0xbf/0x130 + __atomic_notifier_call_chain+0x80/0x130 + atomic_notifier_call_chain+0x16/0x20 + kbd_event+0x7d7/0x3b20 + ? k_pad+0x850/0x850 + ? sysrq_filter+0x450/0xd40 + input_to_handler+0x362/0x4b0 + ? rcu_read_lock_sched_held+0xe0/0xe0 + input_pass_values+0x408/0x5a0 + ? __rwlock_init+0x140/0x140 + ? lock_acquire+0x13f/0x370 + input_handle_event+0x70e/0x1380 + input_event+0x67/0x90 + atkbd_interrupt+0xe62/0x1d4e [atkbd] + ? __kasan_check_write+0x14/0x20 + ? 
atkbd_event_work+0x130/0x130 [atkbd] + ? _raw_spin_lock_irqsave+0x26/0x70 + serio_interrupt+0x93/0x120 [serio] + i8042_interrupt+0x232/0x510 [i8042] + ? rcu_read_lock_bh_held+0xd0/0xd0 + ? handle_irq_event+0xa5/0x13a + ? i8042_remove+0x1f0/0x1f0 [i8042] + __handle_irq_event_percpu+0xe6/0x6c0 + handle_irq_event_percpu+0x71/0x150 + ? __handle_irq_event_percpu+0x6c0/0x6c0 + ? __kasan_check_read+0x11/0x20 + ? do_raw_spin_unlock+0x5c/0x240 + handle_irq_event+0xad/0x13a + handle_edge_irq+0x233/0xa90 + do_IRQ+0x10b/0x310 + common_interrupt+0xf/0xf + + +Cc: stable@vger.kernel.org +Reported-by: Jookia +Signed-off-by: Samuel Thibault +Link: https://lore.kernel.org/r/20201107233310.7iisvaozpiqj3yvy@function +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/accessibility/speakup/main.c | 1 - + drivers/accessibility/speakup/selection.c | 11 ++++------- + drivers/accessibility/speakup/speakup.h | 1 - + 3 files changed, 4 insertions(+), 9 deletions(-) + +--- a/drivers/accessibility/speakup/main.c ++++ b/drivers/accessibility/speakup/main.c +@@ -357,7 +357,6 @@ static void speakup_cut(struct vc_data * + mark_cut_flag = 0; + synth_printf("%s\n", spk_msg_get(MSG_CUT)); + +- speakup_clear_selection(); + ret = speakup_set_selection(tty); + + switch (ret) { +--- a/drivers/accessibility/speakup/selection.c ++++ b/drivers/accessibility/speakup/selection.c +@@ -22,13 +22,6 @@ struct speakup_selection_work { + struct tty_struct *tty; + }; + +-void speakup_clear_selection(void) +-{ +- console_lock(); +- clear_selection(); +- console_unlock(); +-} +- + static void __speakup_set_selection(struct work_struct *work) + { + struct speakup_selection_work *ssw = +@@ -51,6 +44,10 @@ static void __speakup_set_selection(stru + goto unref; + } + ++ console_lock(); ++ clear_selection(); ++ console_unlock(); ++ + set_selection_kernel(&sel, tty); + + unref: +--- a/drivers/accessibility/speakup/speakup.h ++++ b/drivers/accessibility/speakup/speakup.h +@@ -70,7 +70,6 @@ void spk_do_flush(void); + void 
speakup_start_ttys(void); + void synth_buffer_add(u16 ch); + void synth_buffer_clear(void); +-void speakup_clear_selection(void); + int speakup_set_selection(struct tty_struct *tty); + void speakup_cancel_selection(void); + int speakup_paste_selection(struct tty_struct *tty); diff --git a/queue-5.9/speakup-fix-var_id_t-values-and-thus-keymap.patch b/queue-5.9/speakup-fix-var_id_t-values-and-thus-keymap.patch new file mode 100644 index 00000000000..f0df40c3835 --- /dev/null +++ b/queue-5.9/speakup-fix-var_id_t-values-and-thus-keymap.patch 
@@ -0,0 +1,56 @@ +From d7012df3c9aecdcfb50f7a2ebad766952fd1410e Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Mon, 12 Oct 2020 18:06:46 +0200 +Subject: speakup: Fix var_id_t values and thus keymap + +From: Samuel Thibault + +commit d7012df3c9aecdcfb50f7a2ebad766952fd1410e upstream. + +commit d97a9d7aea04 ("staging/speakup: Add inflection synth parameter") +introduced a new "inflection" speakup parameter next to "pitch", but +the values of the var_id_t enum are actually used by the keymap tables +so we must not renumber them. The effect was that notably the volume +control shortcut (speakup-1 or 2) was actually changing the inflection. + +This moves the INFLECTION value at the end of the var_id_t enum to +fix back the enum values. This also adds a warning about it. + +Fixes: d97a9d7aea04 ("staging/speakup: Add inflection synth parameter") +Cc: stable@vger.kernel.org +Reported-by: Kirk Reiser +Reported-by: Gregory Nowak +Tested-by: Gregory Nowak +Signed-off-by: Samuel Thibault +Link: https://lore.kernel.org/r/20201012160646.qmdo4eqtj24hpch4@function +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/accessibility/speakup/spk_types.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/accessibility/speakup/spk_types.h ++++ b/drivers/accessibility/speakup/spk_types.h +@@ -32,6 +32,10 @@ enum { + E_NEW_DEFAULT, + }; + ++/* ++ * Note: add new members at the end, speakupmap.h depends on the values of the ++ * enum starting from SPELL_DELAY (see inc_dec_var) ++ */ + enum var_id_t { + VERSION = 0, SYNTH, SILENT, SYNTH_DIRECT, + KEYMAP, CHARS, +@@ -42,9 +46,9 @@ enum var_id_t { + SAY_CONTROL, SAY_WORD_CTL, NO_INTERRUPT, KEY_ECHO, + SPELL_DELAY, PUNC_LEVEL, READING_PUNC, + ATTRIB_BLEEP, BLEEPS, +- RATE, PITCH, INFLECTION, VOL, TONE, PUNCT, VOICE, FREQUENCY, LANG, ++ RATE, PITCH, VOL, TONE, PUNCT, VOICE, FREQUENCY, LANG, + DIRECT, PAUSE, +- CAPS_START, CAPS_STOP, CHARTAB, ++ CAPS_START, CAPS_STOP, CHARTAB, INFLECTION, + MAXVARS + }; + 
diff --git a/queue-5.9/speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch b/queue-5.9/speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch new file mode 100644 index 00000000000..37e87caed4e --- /dev/null +++ b/queue-5.9/speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch 
@@ -0,0 +1,78 @@ +From 3ed1cfb2cee4355ddef49489897bfe474daeeaec Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Sun, 8 Nov 2020 14:12:33 +0100 +Subject: speakup ttyio: Do not schedule() in ttyio_in_nowait + +From: Samuel Thibault + +commit 3ed1cfb2cee4355ddef49489897bfe474daeeaec upstream. + +With the ltlk and spkout drivers, the index read function, i.e. +in_nowait, is getting called from the read_all_doc mechanism, from +the timer softirq: + +Call Trace: + + dump_stack+0x71/0x98 + dequeue_task_idle+0x1f/0x28 + __schedule+0x167/0x5d6 + ? trace_hardirqs_on+0x2e/0x3a + ? usleep_range+0x7f/0x7f + schedule+0x8a/0xae + schedule_timeout+0xb1/0xea + ? del_timer_sync+0x31/0x31 + do_wait_for_common+0xba/0x12b + ? wake_up_q+0x45/0x45 + wait_for_common+0x37/0x50 + ttyio_in+0x2a/0x6b + spk_ttyio_in_nowait+0xc/0x13 + spk_get_index_count+0x20/0x93 + cursor_done+0x1c6/0x4c6 + ? read_all_doc+0xb1/0xb1 + call_timer_fn+0x89/0x140 + run_timer_softirq+0x164/0x1a5 + ? read_all_doc+0xb1/0xb1 + ? hrtimer_forward+0x7b/0x87 + ? timerqueue_add+0x62/0x68 + ? enqueue_hrtimer+0x95/0x9f + __do_softirq+0x181/0x31f + irq_exit+0x6a/0x86 +smp_apic_timer_interrupt+0x15e/0x183 + apic_timer_interrupt+0xf/0x20 + + +We thus should not schedule() at all, even with timeout == 0, this +crashes the kernel. We can however use try_wait_for_completion() +instead of wait_for_completion_timeout(0). 
+ +Cc: stable@vger.kernel.org +Reported-by: John Covici +Tested-by: John Covici +Signed-off-by: Samuel Thibault +Link: https://lore.kernel.org/r/20201108131233.tadycr73sxlvodgo@function +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/accessibility/speakup/spk_ttyio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/accessibility/speakup/spk_ttyio.c ++++ b/drivers/accessibility/speakup/spk_ttyio.c +@@ -298,11 +298,13 @@ static unsigned char ttyio_in(int timeou + struct spk_ldisc_data *ldisc_data = speakup_tty->disc_data; + char rv; + +- if (wait_for_completion_timeout(&ldisc_data->completion, ++ if (!timeout) { ++ if (!try_wait_for_completion(&ldisc_data->completion)) ++ return 0xff; ++ } else if (wait_for_completion_timeout(&ldisc_data->completion, + usecs_to_jiffies(timeout)) == 0) { +- if (timeout) +- pr_warn("spk_ttyio: timeout (%d) while waiting for input\n", +- timeout); ++ pr_warn("spk_ttyio: timeout (%d) while waiting for input\n", ++ timeout); + return 0xff; + } + diff --git a/queue-5.9/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch b/queue-5.9/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch new file mode 100644 index 00000000000..1799a63d168 --- /dev/null +++ b/queue-5.9/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch 
@@ -0,0 +1,53 @@ +From 7342ca34d931a357d408aaa25fadd031e46af137 Mon Sep 17 00:00:00 2001 +From: Jing Xiangfeng +Date: Thu, 15 Oct 2020 16:40:53 +0800 +Subject: thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() + +From: Jing Xiangfeng + +commit 7342ca34d931a357d408aaa25fadd031e46af137 upstream. + +ring_request_msix() misses to call ida_simple_remove() in an error path. +Add a label 'err_ida_remove' and jump to it. + +Fixes: 046bee1f9ab8 ("thunderbolt: Add MSI-X support") +Cc: stable@vger.kernel.org +Signed-off-by: Jing Xiangfeng +Reviewed-by: Andy Shevchenko +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thunderbolt/nhi.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -405,12 +405,23 @@ static int ring_request_msix(struct tb_r + + ring->vector = ret; + +- ring->irq = pci_irq_vector(ring->nhi->pdev, ring->vector); +- if (ring->irq < 0) +- return ring->irq; ++ ret = pci_irq_vector(ring->nhi->pdev, ring->vector); ++ if (ret < 0) ++ goto err_ida_remove; ++ ++ ring->irq = ret; + + irqflags = no_suspend ? IRQF_NO_SUSPEND : 0; +- return request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring); ++ ret = request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring); ++ if (ret) ++ goto err_ida_remove; ++ ++ return 0; ++ ++err_ida_remove: ++ ida_simple_remove(&nhi->msix_ida, ring->vector); ++ ++ return ret; + } + + static void ring_release_msix(struct tb_ring *ring) diff --git a/queue-5.9/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch b/queue-5.9/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch new file mode 100644 index 00000000000..678573f8c20 --- /dev/null +++ b/queue-5.9/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch 
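Review bot: The new `err_ida_remove` path in ring_request_msix() returns the id to the IDA but leaves `ring->vector` holding it, and when request_irq() is the call that failed, `ring->irq` has already been assigned as well. ring_release_msix() starts right after the hunk and its body is not visible, so it is unverified whether a later cleanup could act on these stale values after the id has been handed out again. Clearing them in the error path removes that dependency on the caller: `ring->vector = 0;` and `ring->irq = 0;` after the `ida_simple_remove()` call. The label also uses `nhi`, presumably a local declared above the hunk, while the lines just above spell it `ring->nhi`; one form throughout would read better.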
@@ -0,0 +1,31 @@ +From a663e0df4a374b8537562a44d1cecafb472cd65b Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 7 Oct 2020 17:06:17 +0300 +Subject: thunderbolt: Fix memory leak if ida_simple_get() fails in enumerate_services() + +From: Mika Westerberg + +commit a663e0df4a374b8537562a44d1cecafb472cd65b upstream. + +The svc->key field is not released as it should be if ida_simple_get() +fails so fix that. + +Fixes: 9aabb68568b4 ("thunderbolt: Fix to check return value of ida_simple_get") +Cc: stable@vger.kernel.org +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thunderbolt/xdomain.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thunderbolt/xdomain.c ++++ b/drivers/thunderbolt/xdomain.c +@@ -881,6 +881,7 @@ static void enumerate_services(struct tb + + id = ida_simple_get(&xd->service_ids, 0, 0, GFP_KERNEL); + if (id < 0) { ++ kfree(svc->key); + kfree(svc); + break; + } diff --git a/queue-5.9/uio-fix-use-after-free-in-uio_unregister_device.patch b/queue-5.9/uio-fix-use-after-free-in-uio_unregister_device.patch new file mode 100644 index 00000000000..bbf87c30dec --- /dev/null +++ b/queue-5.9/uio-fix-use-after-free-in-uio_unregister_device.patch 
@@ -0,0 +1,172 @@ +From 092561f06702dd4fdd7fb74dd3a838f1818529b7 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Mon, 2 Nov 2020 21:28:19 +0900 +Subject: uio: Fix use-after-free in uio_unregister_device() + +From: Shin'ichiro Kawasaki + +commit 092561f06702dd4fdd7fb74dd3a838f1818529b7 upstream. + +Commit 8fd0e2a6df26 ("uio: free uio id after uio file node is freed") +triggered KASAN use-after-free failure at deletion of TCM-user +backstores [1]. + +In uio_unregister_device(), struct uio_device *idev is passed to +uio_free_minor() to refer idev->minor. However, before uio_free_minor() +call, idev is already freed by uio_device_release() during call to +device_unregister(). + +To avoid reference to idev->minor after idev free, keep idev->minor +value in a local variable. Also modify uio_free_minor() argument to +receive the value. + +[1] +BUG: KASAN: use-after-free in uio_unregister_device+0x166/0x190 +Read of size 4 at addr ffff888105196508 by task targetcli/49158 + +CPU: 3 PID: 49158 Comm: targetcli Not tainted 5.10.0-rc1 #1 +Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015 +Call Trace: + dump_stack+0xae/0xe5 + ? uio_unregister_device+0x166/0x190 + print_address_description.constprop.0+0x1c/0x210 + ? uio_unregister_device+0x166/0x190 + ? uio_unregister_device+0x166/0x190 + kasan_report.cold+0x37/0x7c + ? kobject_put+0x80/0x410 + ? uio_unregister_device+0x166/0x190 + uio_unregister_device+0x166/0x190 + tcmu_destroy_device+0x1c4/0x280 [target_core_user] + ? tcmu_release+0x90/0x90 [target_core_user] + ? __mutex_unlock_slowpath+0xd6/0x5d0 + target_free_device+0xf3/0x2e0 [target_core_mod] + config_item_cleanup+0xea/0x210 + configfs_rmdir+0x651/0x860 + ? detach_groups.isra.0+0x380/0x380 + vfs_rmdir.part.0+0xec/0x3a0 + ? __lookup_hash+0x20/0x150 + do_rmdir+0x252/0x320 + ? do_file_open_root+0x420/0x420 + ? strncpy_from_user+0xbc/0x2f0 + ? 
getname_flags.part.0+0x8e/0x450 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7f9e2bfc91fb +Code: 73 01 c3 48 8b 0d 9d ec 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6d ec 0c 00 f7 d8 64 89 01 48 +RSP: 002b:00007ffdd2baafe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054 +RAX: ffffffffffffffda RBX: 00007f9e2beb44a0 RCX: 00007f9e2bfc91fb +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f9e1c20be90 +RBP: 00007ffdd2bab000 R08: 0000000000000000 R09: 00007f9e2bdf2440 +R10: 00007ffdd2baaf37 R11: 0000000000000246 R12: 00000000ffffff9c +R13: 000055f9abb7e390 R14: 000055f9abcf9558 R15: 00007f9e2be7a780 + +Allocated by task 34735: + kasan_save_stack+0x1b/0x40 + __kasan_kmalloc.constprop.0+0xc2/0xd0 + __uio_register_device+0xeb/0xd40 + tcmu_configure_device+0x5a0/0xbc0 [target_core_user] + target_configure_device+0x12f/0x760 [target_core_mod] + target_dev_enable_store+0x32/0x50 [target_core_mod] + configfs_write_file+0x2bb/0x450 + vfs_write+0x1ce/0x610 + ksys_write+0xe9/0x1b0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 49158: + kasan_save_stack+0x1b/0x40 + kasan_set_track+0x1c/0x30 + kasan_set_free_info+0x1b/0x30 + __kasan_slab_free+0x110/0x150 + slab_free_freelist_hook+0x5a/0x170 + kfree+0xc6/0x560 + device_release+0x9b/0x210 + kobject_put+0x13e/0x410 + uio_unregister_device+0xf9/0x190 + tcmu_destroy_device+0x1c4/0x280 [target_core_user] + target_free_device+0xf3/0x2e0 [target_core_mod] + config_item_cleanup+0xea/0x210 + configfs_rmdir+0x651/0x860 + vfs_rmdir.part.0+0xec/0x3a0 + do_rmdir+0x252/0x320 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff888105196000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 1288 bytes inside of + 2048-byte region [ffff888105196000, ffff888105196800) +The buggy 
address belongs to the page: +page:0000000098e6ca81 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105190 +head:0000000098e6ca81 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x17ffffc0010200(slab|head) +raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100043040 +raw: 0000000000000000 0000000000080008 00000001ffffffff ffff88810eb55c01 +page dumped because: kasan: bad access detected +page->mem_cgroup:ffff88810eb55c01 + +Memory state around the buggy address: + ffff888105196400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888105196480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888105196500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888105196580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888105196600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 8fd0e2a6df26 ("uio: free uio id after uio file node is freed") +Cc: stable +Signed-off-by: Shin'ichiro Kawasaki +Link: https://lore.kernel.org/r/20201102122819.2346270-1-shinichiro.kawasaki@wdc.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uio/uio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -413,10 +413,10 @@ static int uio_get_minor(struct uio_devi + return retval; + } + +-static void uio_free_minor(struct uio_device *idev) ++static void uio_free_minor(unsigned long minor) + { + mutex_lock(&minor_lock); +- idr_remove(&uio_idr, idev->minor); ++ idr_remove(&uio_idr, minor); + mutex_unlock(&minor_lock); + } + +@@ -990,7 +990,7 @@ err_request_irq: + err_uio_dev_add_attributes: + device_del(&idev->dev); + err_device_create: +- uio_free_minor(idev); ++ uio_free_minor(idev->minor); + put_device(&idev->dev); + return ret; + } +@@ -1042,11 +1042,13 @@ EXPORT_SYMBOL_GPL(__devm_uio_register_de + void uio_unregister_device(struct uio_info *info) + { + struct uio_device *idev; ++ unsigned long minor; + + if (!info || !info->uio_dev) + return; + + 
idev = info->uio_dev; ++ minor = idev->minor; + + mutex_lock(&idev->info_lock); + uio_dev_del_attributes(idev); +@@ -1062,7 +1064,7 @@ void uio_unregister_device(struct uio_in + + device_unregister(&idev->dev); + +- uio_free_minor(idev); ++ uio_free_minor(minor); + + return; + } diff --git a/queue-5.9/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch b/queue-5.9/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch new file mode 100644 index 00000000000..f75d7205041 --- /dev/null +++ b/queue-5.9/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch 
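Review bot: The code does not record why `minor` is copied out of idev at the top of uio_unregister_device(), so a later cleanup could fold it back into `uio_free_minor(idev->minor)` and reintroduce the use-after-free. The commit message says idev is freed by uio_device_release() during device_unregister(), so I would add `/* idev may be freed by device_unregister(); use the saved minor */` above the final `uio_free_minor(minor)` call. The error path in the `@@ -990` hunk still reads `idev->minor`, which is safe only because it runs before `put_device(&idev->dev)`; a one-line comment on that ordering would help there too. The type of `idev->minor` is not visible in these hunks, so the choice of `unsigned long` for the local should be confirmed against it.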
@@ -0,0 +1,41 @@ +From 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 Mon Sep 17 00:00:00 2001 +From: Chris Brandt +Date: Wed, 11 Nov 2020 08:12:09 -0500 +Subject: usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode + +From: Chris Brandt + +commit 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 upstream. + +Renesas R-Car and RZ/G SoCs have a firmware download mode over USB. +However, on reset a banner string is transmitted out which is not expected +to be echoed back and will corrupt the protocol. + +Cc: stable +Acked-by: Oliver Neukum +Signed-off-by: Chris Brandt +Link: https://lore.kernel.org/r/20201111131209.3977903-1-chris.brandt@renesas.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1706,6 +1706,15 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x045b, 0x023c), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, ++ { USB_DEVICE(0x045b, 0x0248), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, ++ { USB_DEVICE(0x045b, 0x024D), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, diff --git a/queue-5.9/usb-typec-ucsi-report-power-supply-changes.patch b/queue-5.9/usb-typec-ucsi-report-power-supply-changes.patch new file mode 100644 index 00000000000..0ffc2840efd --- /dev/null +++ b/queue-5.9/usb-typec-ucsi-report-power-supply-changes.patch 
@@ -0,0 +1,87 @@
+From 0e6371fbfba3a4f76489e6e97c1c7f8386ad5fd2 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus
+Date: Tue, 10 Nov 2020 15:05:47 +0300
+Subject: usb: typec: ucsi: Report power supply changes
+
+From: Heikki Krogerus
+
+commit 0e6371fbfba3a4f76489e6e97c1c7f8386ad5fd2 upstream.
+
+When the ucsi power supply goes online/offline, and when the
+power levels change, the power supply class needs to be
+notified so it can inform the user space.
+
+Fixes: 992a60ed0d5e ("usb: typec: ucsi: register with power_supply class")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: Vladimir Yerilov
+Signed-off-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20201110120547.67922-1-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/typec/ucsi/psy.c | 9 +++++++++
+ drivers/usb/typec/ucsi/ucsi.c | 7 ++++++-
+ drivers/usb/typec/ucsi/ucsi.h | 2 ++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/psy.c
++++ b/drivers/usb/typec/ucsi/psy.c
+@@ -238,4 +238,13 @@ void ucsi_unregister_port_psy(struct ucs
+ return;
+
+ power_supply_unregister(con->psy);
++ con->psy = NULL;
++}
++
++void ucsi_port_psy_changed(struct ucsi_connector *con)
++{
++ if (IS_ERR_OR_NULL(con->psy))
++ return;
++
++ power_supply_changed(con->psy);
+ }
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -643,8 +643,10 @@ static void ucsi_handle_connector_change
+ role = !!(con->status.flags & UCSI_CONSTAT_PWR_DIR);
+
+ if (con->status.change & UCSI_CONSTAT_POWER_OPMODE_CHANGE ||
+- con->status.change & UCSI_CONSTAT_POWER_LEVEL_CHANGE)
++ con->status.change & UCSI_CONSTAT_POWER_LEVEL_CHANGE) {
+ ucsi_pwr_opmode_change(con);
++ ucsi_port_psy_changed(con);
++ }
+
+ if (con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) {
+ typec_set_pwr_role(con->port, role);
+@@ -674,6 +676,8 @@ static void ucsi_handle_connector_change
+ ucsi_register_partner(con);
+ else
+ ucsi_unregister_partner(con);
++
++ ucsi_port_psy_changed(con);
+ }
+
+ if (con->status.change & UCSI_CONSTAT_CAM_CHANGE) {
+@@ -994,6 +998,7 @@ static int ucsi_register_port(struct ucs
+ !!(con->status.flags & UCSI_CONSTAT_PWR_DIR));
+ ucsi_pwr_opmode_change(con);
+ ucsi_register_partner(con);
++ ucsi_port_psy_changed(con);
+ }
+
+ if (con->partner) {
+--- a/drivers/usb/typec/ucsi/ucsi.h
++++ b/drivers/usb/typec/ucsi/ucsi.h
+@@ -340,9 +340,11 @@ int ucsi_resume(struct ucsi *ucsi);
+ #if IS_ENABLED(CONFIG_POWER_SUPPLY)
+ int ucsi_register_port_psy(struct ucsi_connector *con);
+ void ucsi_unregister_port_psy(struct ucsi_connector *con);
++void ucsi_port_psy_changed(struct ucsi_connector *con);
+ #else
+ static inline int ucsi_register_port_psy(struct ucsi_connector *con) { return 0; }
+ static inline void ucsi_unregister_port_psy(struct ucsi_connector *con) { }
++static inline void ucsi_port_psy_changed(struct ucsi_connector *con) { }
+ #endif /* CONFIG_POWER_SUPPLY */
+
+ #if IS_ENABLED(CONFIG_TYPEC_DP_ALTMODE)
-- 2.47.3
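Review bot: The new ucsi_port_psy_changed() in psy.c tests `con->psy` and then passes it to `power_supply_changed(con->psy)`, while ucsi_unregister_port_psy() now clears the same pointer after `power_supply_unregister()`, and nothing in these hunks shows what serialises the two. If the connector-change work in ucsi.c could still run while a port is being unregistered, the NULL check alone would not stop a notification on a power supply that is mid-teardown. I would state the requirement on the new function with a comment such as `/* Must not race with ucsi_unregister_port_psy(), which clears con->psy. */`. Confirm first how the callers order work cancellation and unregistration, since those paths are outside the hunk.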