From 624bfc39d033938079a73f67b8021b4903df81af Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 21 Apr 2020 16:54:13 +0200 Subject: [PATCH] 4.14-stable patches added patches: arm-bpf-fix-bugs-with-alu64-rsh-arsh-bpf_k-shift-by-0.patch ext4-use-non-movable-memory-for-superblock-readahead.patch objtool-fix-switch-table-detection-in-.text.unlikely.patch scsi-sg-add-sg_remove_request-in-sg_common_write.patch --- ...with-alu64-rsh-arsh-bpf_k-shift-by-0.patch | 63 +++++++++++ ...able-memory-for-superblock-readahead.patch | 107 ++++++++++++++++++ ...ch-table-detection-in-.text.unlikely.patch | 45 ++++++++ ...sg_remove_request-in-sg_common_write.patch | 37 ++++++ queue-4.14/series | 4 + 5 files changed, 256 insertions(+) create mode 100644 queue-4.14/arm-bpf-fix-bugs-with-alu64-rsh-arsh-bpf_k-shift-by-0.patch create mode 100644 queue-4.14/ext4-use-non-movable-memory-for-superblock-readahead.patch create mode 100644 queue-4.14/objtool-fix-switch-table-detection-in-.text.unlikely.patch create mode 100644 queue-4.14/scsi-sg-add-sg_remove_request-in-sg_common_write.patch diff --git a/queue-4.14/arm-bpf-fix-bugs-with-alu64-rsh-arsh-bpf_k-shift-by-0.patch b/queue-4.14/arm-bpf-fix-bugs-with-alu64-rsh-arsh-bpf_k-shift-by-0.patch new file mode 100644 index 00000000000..c76b4ff08b7 --- /dev/null +++ b/queue-4.14/arm-bpf-fix-bugs-with-alu64-rsh-arsh-bpf_k-shift-by-0.patch @@ -0,0 +1,63 @@ +From bb9562cf5c67813034c96afb50bd21130a504441 Mon Sep 17 00:00:00 2001 +From: Luke Nelson +Date: Wed, 8 Apr 2020 18:12:29 +0000 +Subject: arm, bpf: Fix bugs with ALU64 {RSH, ARSH} BPF_K shift by 0 + +From: Luke Nelson + +commit bb9562cf5c67813034c96afb50bd21130a504441 upstream. + +The current arm BPF JIT does not correctly compile RSH or ARSH when the +immediate shift amount is 0. This causes the "rsh64 by 0 imm" and "arsh64 +by 0 imm" BPF selftests to hang the kernel by reaching an instruction +the verifier determines to be unreachable. + +The root cause is in how immediate right shifts are encoded on arm. +For LSR and ASR (logical and arithmetic right shift), a bit-pattern +of 00000 in the immediate encodes a shift amount of 32. When the BPF +immediate is 0, the generated code shifts by 32 instead of the expected +behavior (a no-op). + +This patch fixes the bugs by adding an additional check if the BPF +immediate is 0. After the change, the above mentioned BPF selftests pass. + +Fixes: 39c13c204bb11 ("arm: eBPF JIT compiler") +Co-developed-by: Xi Wang +Signed-off-by: Xi Wang +Signed-off-by: Luke Nelson +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20200408181229.10909-1-luke.r.nels@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/net/bpf_jit_32.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/arm/net/bpf_jit_32.c ++++ b/arch/arm/net/bpf_jit_32.c +@@ -796,7 +796,11 @@ static inline void emit_a32_rsh_i64(cons + } + + /* Do LSR operation */ +- if (val < 32) { ++ if (val == 0) { ++ /* An immediate value of 0 encodes a shift amount of 32 ++ * for LSR. To shift by 0, don't do anything. ++ */ ++ } else if (val < 32) { + emit(ARM_MOV_SI(tmp2[1], rd, SRTYPE_LSR, val), ctx); + emit(ARM_ORR_SI(rd, tmp2[1], rm, SRTYPE_ASL, 32 - val), ctx); + emit(ARM_MOV_SI(rm, rm, SRTYPE_LSR, val), ctx); +@@ -829,7 +833,11 @@ static inline void emit_a32_arsh_i64(con + } + + /* Do ARSH operation */ +- if (val < 32) { ++ if (val == 0) { ++ /* An immediate value of 0 encodes a shift amount of 32 ++ * for ASR. To shift by 0, don't do anything. ++ */ ++ } else if (val < 32) { + emit(ARM_MOV_SI(tmp2[1], rd, SRTYPE_LSR, val), ctx); + emit(ARM_ORR_SI(rd, tmp2[1], rm, SRTYPE_ASL, 32 - val), ctx); + emit(ARM_MOV_SI(rm, rm, SRTYPE_ASR, val), ctx); diff --git a/queue-4.14/ext4-use-non-movable-memory-for-superblock-readahead.patch b/queue-4.14/ext4-use-non-movable-memory-for-superblock-readahead.patch new file mode 100644 index 00000000000..6c3651c2eb8 --- /dev/null +++ b/queue-4.14/ext4-use-non-movable-memory-for-superblock-readahead.patch @@ -0,0 +1,107 @@ +From d87f639258a6a5980183f11876c884931ad93da2 Mon Sep 17 00:00:00 2001 +From: Roman Gushchin +Date: Fri, 28 Feb 2020 16:14:11 -0800 +Subject: ext4: use non-movable memory for superblock readahead + +From: Roman Gushchin + +commit d87f639258a6a5980183f11876c884931ad93da2 upstream. + +Since commit a8ac900b8163 ("ext4: use non-movable memory for the +superblock") buffers for ext4 superblock were allocated using +the sb_bread_unmovable() helper which allocated buffer heads +out of non-movable memory blocks. It was necessarily to not block +page migrations and do not cause cma allocation failures. + +However commit 85c8f176a611 ("ext4: preload block group descriptors") +broke this by introducing pre-reading of the ext4 superblock. +The problem is that __breadahead() is using __getblk() underneath, +which allocates buffer heads out of movable memory. + +It resulted in page migration failures I've seen on a machine +with an ext4 partition and a preallocated cma area. + +Fix this by introducing sb_breadahead_unmovable() and +__breadahead_gfp() helpers which use non-movable memory for buffer +head allocations and use them for the ext4 superblock readahead. + +Reviewed-by: Andreas Dilger +Fixes: 85c8f176a611 ("ext4: preload block group descriptors") +Signed-off-by: Roman Gushchin +Link: https://lore.kernel.org/r/20200229001411.128010-1-guro@fb.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/buffer.c | 11 +++++++++++ + fs/ext4/inode.c | 2 +- + fs/ext4/super.c | 2 +- + include/linux/buffer_head.h | 8 ++++++++ + 4 files changed, 21 insertions(+), 2 deletions(-) + +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -1398,6 +1398,17 @@ void __breadahead(struct block_device *b + } + EXPORT_SYMBOL(__breadahead); + ++void __breadahead_gfp(struct block_device *bdev, sector_t block, unsigned size, ++ gfp_t gfp) ++{ ++ struct buffer_head *bh = __getblk_gfp(bdev, block, size, gfp); ++ if (likely(bh)) { ++ ll_rw_block(REQ_OP_READ, REQ_RAHEAD, 1, &bh); ++ brelse(bh); ++ } ++} ++EXPORT_SYMBOL(__breadahead_gfp); ++ + /** + * __bread_gfp() - reads a specified block and returns the bh + * @bdev: the block_device to read from +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4593,7 +4593,7 @@ make_io: + if (end > table) + end = table; + while (b <= end) +- sb_breadahead(sb, b++); ++ sb_breadahead_unmovable(sb, b++); + } + + /* +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -4145,7 +4145,7 @@ static int ext4_fill_super(struct super_ + /* Pre-read the descriptors into the buffer cache */ + for (i = 0; i < db_count; i++) { + block = descriptor_loc(sb, logical_sb_block, i); +- sb_breadahead(sb, block); ++ sb_breadahead_unmovable(sb, block); + } + + for (i = 0; i < db_count; i++) { +--- a/include/linux/buffer_head.h ++++ b/include/linux/buffer_head.h +@@ -187,6 +187,8 @@ struct buffer_head *__getblk_gfp(struct + void __brelse(struct buffer_head *); + void __bforget(struct buffer_head *); + void __breadahead(struct block_device *, sector_t block, unsigned int size); ++void __breadahead_gfp(struct block_device *, sector_t block, unsigned int size, ++ gfp_t gfp); + struct buffer_head *__bread_gfp(struct block_device *, + sector_t block, unsigned size, gfp_t gfp); + void invalidate_bh_lrus(void); +@@ -319,6 +321,12 @@ sb_breadahead(struct super_block *sb, se + __breadahead(sb->s_bdev, block, sb->s_blocksize); + } + ++static inline void ++sb_breadahead_unmovable(struct super_block *sb, sector_t block) ++{ ++ __breadahead_gfp(sb->s_bdev, block, sb->s_blocksize, 0); ++} ++ + static inline struct buffer_head * + sb_getblk(struct super_block *sb, sector_t block) + { diff --git a/queue-4.14/objtool-fix-switch-table-detection-in-.text.unlikely.patch b/queue-4.14/objtool-fix-switch-table-detection-in-.text.unlikely.patch new file mode 100644 index 00000000000..cc46597a5bb --- /dev/null +++ b/queue-4.14/objtool-fix-switch-table-detection-in-.text.unlikely.patch @@ -0,0 +1,45 @@ +From b401efc120a399dfda1f4d2858a4de365c9b08ef Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Wed, 1 Apr 2020 13:23:28 -0500 +Subject: objtool: Fix switch table detection in .text.unlikely + +From: Josh Poimboeuf + +commit b401efc120a399dfda1f4d2858a4de365c9b08ef upstream. + +If a switch jump table's indirect branch is in a ".cold" subfunction in +.text.unlikely, objtool doesn't detect it, and instead prints a false +warning: + + drivers/media/v4l2-core/v4l2-ioctl.o: warning: objtool: v4l_print_format.cold()+0xd6: sibling call from callable instruction with modified stack frame + drivers/hwmon/max6650.o: warning: objtool: max6650_probe.cold()+0xa5: sibling call from callable instruction with modified stack frame + drivers/media/dvb-frontends/drxk_hard.o: warning: objtool: init_drxk.cold()+0x16f: sibling call from callable instruction with modified stack frame + +Fix it by comparing the function, instead of the section and offset. + +Fixes: 13810435b9a7 ("objtool: Support GCC 8's cold subfunctions") +Signed-off-by: Josh Poimboeuf +Signed-off-by: Borislav Petkov +Reviewed-by: Miroslav Benes +Acked-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/157c35d42ca9b6354bbb1604fe9ad7d1153ccb21.1585761021.git.jpoimboe@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/objtool/check.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -915,10 +915,7 @@ static struct rela *find_switch_table(st + * it. + */ + for (; +- &insn->list != &file->insn_list && +- insn->sec == func->sec && +- insn->offset >= func->offset; +- ++ &insn->list != &file->insn_list && insn->func && insn->func->pfunc == func; + insn = insn->first_jump_src ?: list_prev_entry(insn, list)) { + + if (insn != orig_insn && insn->type == INSN_JUMP_DYNAMIC) diff --git a/queue-4.14/scsi-sg-add-sg_remove_request-in-sg_common_write.patch b/queue-4.14/scsi-sg-add-sg_remove_request-in-sg_common_write.patch new file mode 100644 index 00000000000..40b91040fbc --- /dev/null +++ b/queue-4.14/scsi-sg-add-sg_remove_request-in-sg_common_write.patch @@ -0,0 +1,37 @@ +From 849f8583e955dbe3a1806e03ecacd5e71cce0a08 Mon Sep 17 00:00:00 2001 +From: Li Bin +Date: Mon, 13 Apr 2020 19:29:21 +0800 +Subject: scsi: sg: add sg_remove_request in sg_common_write + +From: Li Bin + +commit 849f8583e955dbe3a1806e03ecacd5e71cce0a08 upstream. + +If the dxfer_len is greater than 256M then the request is invalid and we +need to call sg_remove_request in sg_common_write. + +Link: https://lore.kernel.org/r/1586777361-17339-1-git-send-email-huawei.libin@huawei.com +Fixes: f930c7043663 ("scsi: sg: only check for dxfer_len greater than 256M") +Acked-by: Douglas Gilbert +Signed-off-by: Li Bin +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -809,8 +809,10 @@ sg_common_write(Sg_fd * sfp, Sg_request + "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n", + (int) cmnd[0], (int) hp->cmd_len)); + +- if (hp->dxfer_len >= SZ_256M) ++ if (hp->dxfer_len >= SZ_256M) { ++ sg_remove_request(sfp, srp); + return -EINVAL; ++ } + + k = sg_start_req(srp, cmnd); + if (k) { diff --git a/queue-4.14/series b/queue-4.14/series index 268461b6a33..5b53fb82a47 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -133,3 +133,7 @@ x86-intel_rdt-enable-l2-cdp-in-msr-ia32_l2_qos_cfg.patch x86-resctrl-preserve-cdp-enable-over-cpu-hotplug.patch x86-resctrl-fix-invalid-attempt-at-removing-the-default-resource-group.patch mm-vmalloc.c-move-area-pages-after-if-statement.patch +objtool-fix-switch-table-detection-in-.text.unlikely.patch +scsi-sg-add-sg_remove_request-in-sg_common_write.patch +ext4-use-non-movable-memory-for-superblock-readahead.patch +arm-bpf-fix-bugs-with-alu64-rsh-arsh-bpf_k-shift-by-0.patch -- 2.47.3