From 79e57f2c678fa980c1f0722df66eb0004b4b59ea Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 16 Nov 2020 17:25:54 +0100 Subject: [PATCH] 5.4-stable patches added patches: btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch erofs-derive-atime-instead-of-leaving-it-empty.patch ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch jbd2-fix-up-sparse-warnings-in-checkpoint-code.patch kvm-arm64-don-t-hide-id-registers-from-userspace.patch mei-protect-mei_cl_mtu-from-null-dereference.patch mm-slub-fix-panic-in-slab_alloc_node.patch ocfs2-initialize-ip_next_orphan.patch reboot-fix-overflow-parsing-reboot-cpu-number.patch revert-kernel-reboot.c-convert-simple_strtoul-to-kstrtoint.patch thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch uio-fix-use-after-free-in-uio_unregister_device.patch usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch virtio-virtio_console-fix-dma-memory-allocation-for-rproc-serial.patch xhci-hisilicon-fix-refercence-leak-in-xhci_histb_probe.patch --- ...have-replace-item-with-target-device.patch | 146 +++++++++++++++ ...size-calculation-in-merge_reloc_root.patch | 89 +++++++++ ...uster_pages_for_defrag-on-32bit-arch.patch | 68 +++++++ ...ix-memory-leak-in-btrfs_ref_tree_mod.patch | 33 ++++ ...ve-atime-instead-of-leaving-it-empty.patch | 79 ++++++++ ...for-usr-grp-jquota-when-config_quota.patch | 46 +++++ ...roperly-in-ext4_inline_data_truncate.patch | 36 ++++ ...irqs-unconditionally-in-put_pi_state.patch | 49 +++++ ...p-sparse-warnings-in-checkpoint-code.patch | 50 +++++ ...n-t-hide-id-registers-from-userspace.patch | 83 +++++++++ ...ect-mei_cl_mtu-from-null-dereference.patch | 41 +++++ ...mm-slub-fix-panic-in-slab_alloc_node.patch | 126 +++++++++++++ .../ocfs2-initialize-ip_next_orphan.patch | 93 ++++++++++ ...x-overflow-parsing-reboot-cpu-number.patch | 74 ++++++++ ...-convert-simple_strtoul-to-kstrtoint.patch | 86 +++++++++ queue-5.4/series | 21 +++ ...a_simple_remove-in-ring_request_msix.patch | 53 ++++++ ...mple_get-fails-in-enumerate_services.patch | 31 ++++ ...-after-free-in-uio_unregister_device.patch | 172 ++++++++++++++++++ ...e_echo-for-renesas-usb-download-mode.patch | 41 +++++ ...a-memory-allocation-for-rproc-serial.patch | 83 +++++++++ ...-refercence-leak-in-xhci_histb_probe.patch | 40 ++++ 22 files changed, 1540 insertions(+) create mode 100644 queue-5.4/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch create mode 100644 queue-5.4/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch create mode 100644 queue-5.4/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch create mode 100644 queue-5.4/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch create mode 100644 queue-5.4/erofs-derive-atime-instead-of-leaving-it-empty.patch create mode 100644 queue-5.4/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch create mode 100644 queue-5.4/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch create mode 100644 queue-5.4/futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch create mode 100644 queue-5.4/jbd2-fix-up-sparse-warnings-in-checkpoint-code.patch create mode 100644 queue-5.4/kvm-arm64-don-t-hide-id-registers-from-userspace.patch create mode 100644 queue-5.4/mei-protect-mei_cl_mtu-from-null-dereference.patch create mode 100644 queue-5.4/mm-slub-fix-panic-in-slab_alloc_node.patch create mode 100644 queue-5.4/ocfs2-initialize-ip_next_orphan.patch create mode 100644 queue-5.4/reboot-fix-overflow-parsing-reboot-cpu-number.patch create mode 100644 queue-5.4/revert-kernel-reboot.c-convert-simple_strtoul-to-kstrtoint.patch create mode 100644 queue-5.4/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch create mode 100644 queue-5.4/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch create mode 100644 queue-5.4/uio-fix-use-after-free-in-uio_unregister_device.patch create mode 100644 queue-5.4/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch create mode 100644 queue-5.4/virtio-virtio_console-fix-dma-memory-allocation-for-rproc-serial.patch create mode 100644 queue-5.4/xhci-hisilicon-fix-refercence-leak-in-xhci_histb_probe.patch diff --git a/queue-5.4/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch b/queue-5.4/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch new file mode 100644 index 00000000000..6a4006a50c7 --- /dev/null +++ b/queue-5.4/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch @@ -0,0 +1,146 @@ +From cf89af146b7e62af55470cf5f3ec3c56ec144a5e Mon Sep 17 00:00:00 2001 +From: Anand Jain +Date: Fri, 30 Oct 2020 06:53:56 +0800 +Subject: btrfs: dev-replace: fail mount if we don't have replace item with target device + +From: Anand Jain + +commit cf89af146b7e62af55470cf5f3ec3c56ec144a5e upstream. + +If there is a device BTRFS_DEV_REPLACE_DEVID without the device replace +item, then it means the filesystem is inconsistent state. This is either +corruption or a crafted image. Fail the mount as this needs a closer +look what is actually wrong. + +As of now if BTRFS_DEV_REPLACE_DEVID is present without the replace +item, in __btrfs_free_extra_devids() we determine that there is an +extra device, and free those extra devices but continue to mount the +device. +However, we were wrong in keeping tack of the rw_devices so the syzbot +testcase failed: + + WARNING: CPU: 1 PID: 3612 at fs/btrfs/volumes.c:1166 close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166 + Kernel panic - not syncing: panic_on_warn set ... + CPU: 1 PID: 3612 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x198/0x1fd lib/dump_stack.c:118 + panic+0x347/0x7c0 kernel/panic.c:231 + __warn.cold+0x20/0x46 kernel/panic.c:600 + report_bug+0x1bd/0x210 lib/bug.c:198 + handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234 + exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254 + asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 + RIP: 0010:close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166 + RSP: 0018:ffffc900091777e0 EFLAGS: 00010246 + RAX: 0000000000040000 RBX: ffffffffffffffff RCX: ffffc9000c8b7000 + RDX: 0000000000040000 RSI: ffffffff83097f47 RDI: 0000000000000007 + RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff8880988a187f + R10: 0000000000000000 R11: 0000000000000001 R12: ffff88809593a130 + R13: ffff88809593a1ec R14: ffff8880988a1908 R15: ffff88809593a050 + close_fs_devices fs/btrfs/volumes.c:1193 [inline] + btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1179 + open_ctree+0x4984/0x4a2d fs/btrfs/disk-io.c:3434 + btrfs_fill_super fs/btrfs/super.c:1316 [inline] + btrfs_mount_root.cold+0x14/0x165 fs/btrfs/super.c:1672 + +The fix here is, when we determine that there isn't a replace item +then fail the mount if there is a replace target device (devid 0). + +CC: stable@vger.kernel.org # 4.19+ +Reported-by: syzbot+4cfe71a4da060be47502@syzkaller.appspotmail.com +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/dev-replace.c | 26 ++++++++++++++++++++++++-- + fs/btrfs/volumes.c | 26 +++++++------------------- + 2 files changed, 31 insertions(+), 21 deletions(-) + +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -55,6 +55,17 @@ int btrfs_init_dev_replace(struct btrfs_ + ret = btrfs_search_slot(NULL, dev_root, &key, path, 0, 0); + if (ret) { + no_valid_dev_replace_entry_found: ++ /* ++ * We don't have a replace item or it's corrupted. If there is ++ * a replace target, fail the mount. ++ */ ++ if (btrfs_find_device(fs_info->fs_devices, ++ BTRFS_DEV_REPLACE_DEVID, NULL, NULL, false)) { ++ btrfs_err(fs_info, ++ "found replace target device without a valid replace item"); ++ ret = -EUCLEAN; ++ goto out; ++ } + ret = 0; + dev_replace->replace_state = + BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED; +@@ -107,8 +118,19 @@ no_valid_dev_replace_entry_found: + case BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED: + case BTRFS_IOCTL_DEV_REPLACE_STATE_FINISHED: + case BTRFS_IOCTL_DEV_REPLACE_STATE_CANCELED: +- dev_replace->srcdev = NULL; +- dev_replace->tgtdev = NULL; ++ /* ++ * We don't have an active replace item but if there is a ++ * replace target, fail the mount. ++ */ ++ if (btrfs_find_device(fs_info->fs_devices, ++ BTRFS_DEV_REPLACE_DEVID, NULL, NULL, false)) { ++ btrfs_err(fs_info, ++ "replace devid present without an active replace item"); ++ ret = -EUCLEAN; ++ } else { ++ dev_replace->srcdev = NULL; ++ dev_replace->tgtdev = NULL; ++ } + break; + case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED: + case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED: +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -1245,22 +1245,13 @@ again: + continue; + } + +- if (device->devid == BTRFS_DEV_REPLACE_DEVID) { +- /* +- * In the first step, keep the device which has +- * the correct fsid and the devid that is used +- * for the dev_replace procedure. +- * In the second step, the dev_replace state is +- * read from the device tree and it is known +- * whether the procedure is really active or +- * not, which means whether this device is +- * used or whether it should be removed. +- */ +- if (step == 0 || test_bit(BTRFS_DEV_STATE_REPLACE_TGT, +- &device->dev_state)) { +- continue; +- } +- } ++ /* ++ * We have already validated the presence of BTRFS_DEV_REPLACE_DEVID, ++ * in btrfs_init_dev_replace() so just continue. ++ */ ++ if (device->devid == BTRFS_DEV_REPLACE_DEVID) ++ continue; ++ + if (device->bdev) { + blkdev_put(device->bdev, device->mode); + device->bdev = NULL; +@@ -1269,9 +1260,6 @@ again: + if (test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)) { + list_del_init(&device->dev_alloc_list); + clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state); +- if (!test_bit(BTRFS_DEV_STATE_REPLACE_TGT, +- &device->dev_state)) +- fs_devices->rw_devices--; + } + list_del_init(&device->dev_list); + fs_devices->num_devices--; diff --git a/queue-5.4/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch b/queue-5.4/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch new file mode 100644 index 00000000000..77be81e83b0 --- /dev/null +++ b/queue-5.4/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch @@ -0,0 +1,89 @@ +From fca3a45d08782a2bb85e048fb8e3128b1388d7b7 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Mon, 26 Oct 2020 16:57:27 -0400 +Subject: btrfs: fix min reserved size calculation in merge_reloc_root + +From: Josef Bacik + +commit fca3a45d08782a2bb85e048fb8e3128b1388d7b7 upstream. + +The minimum reserve size was adjusted to take into account the height of +the tree we are merging, however we can have a root with a level == 0. +What we want is root_level + 1 to get the number of nodes we may have to +cow. This fixes the enospc_debug warning pops with btrfs/101. + +Nikolay: this fixes failures on btrfs/060 btrfs/062 btrfs/063 and +btrfs/195 That I was seeing, the call trace was: + + [ 3680.515564] ------------[ cut here ]------------ + [ 3680.515566] BTRFS: block rsv returned -28 + [ 3680.515585] WARNING: CPU: 2 PID: 8339 at fs/btrfs/block-rsv.c:521 btrfs_use_block_rsv+0x162/0x180 + [ 3680.515587] Modules linked in: + [ 3680.515591] CPU: 2 PID: 8339 Comm: btrfs Tainted: G W 5.9.0-rc8-default #95 + [ 3680.515593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 + [ 3680.515595] RIP: 0010:btrfs_use_block_rsv+0x162/0x180 + [ 3680.515600] RSP: 0018:ffffa01ac9753910 EFLAGS: 00010282 + [ 3680.515602] RAX: 0000000000000000 RBX: ffff984b34200000 RCX: 0000000000000027 + [ 3680.515604] RDX: 0000000000000027 RSI: 0000000000000000 RDI: ffff984b3bd19e28 + [ 3680.515606] RBP: 0000000000004000 R08: ffff984b3bd19e20 R09: 0000000000000001 + [ 3680.515608] R10: 0000000000000004 R11: 0000000000000046 R12: ffff984b264fdc00 + [ 3680.515609] R13: ffff984b13149000 R14: 00000000ffffffe4 R15: ffff984b34200000 + [ 3680.515613] FS: 00007f4e2912b8c0(0000) GS:ffff984b3bd00000(0000) knlGS:0000000000000000 + [ 3680.515615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 3680.515617] CR2: 00007fab87122150 CR3: 0000000118e42000 CR4: 00000000000006e0 + [ 3680.515620] Call Trace: + [ 3680.515627] btrfs_alloc_tree_block+0x8b/0x340 + [ 3680.515633] ? __lock_acquire+0x51a/0xac0 + [ 3680.515646] alloc_tree_block_no_bg_flush+0x4f/0x60 + [ 3680.515651] __btrfs_cow_block+0x14e/0x7e0 + [ 3680.515662] btrfs_cow_block+0x144/0x2c0 + [ 3680.515670] merge_reloc_root+0x4d4/0x610 + [ 3680.515675] ? btrfs_lookup_fs_root+0x78/0x90 + [ 3680.515686] merge_reloc_roots+0xee/0x280 + [ 3680.515695] relocate_block_group+0x2ce/0x5e0 + [ 3680.515704] btrfs_relocate_block_group+0x16e/0x310 + [ 3680.515711] btrfs_relocate_chunk+0x38/0xf0 + [ 3680.515716] btrfs_shrink_device+0x200/0x560 + [ 3680.515728] btrfs_rm_device+0x1ae/0x6a6 + [ 3680.515744] ? _copy_from_user+0x6e/0xb0 + [ 3680.515750] btrfs_ioctl+0x1afe/0x28c0 + [ 3680.515755] ? find_held_lock+0x2b/0x80 + [ 3680.515760] ? do_user_addr_fault+0x1f8/0x418 + [ 3680.515773] ? __x64_sys_ioctl+0x77/0xb0 + [ 3680.515775] __x64_sys_ioctl+0x77/0xb0 + [ 3680.515781] do_syscall_64+0x31/0x70 + [ 3680.515785] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported-by: Nikolay Borisov +Fixes: 44d354abf33e ("btrfs: relocation: review the call sites which can be interrupted by signal") +CC: stable@vger.kernel.org # 5.4+ +Reviewed-by: Nikolay Borisov +Tested-by: Nikolay Borisov +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/relocation.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -2287,6 +2287,7 @@ static noinline_for_stack int merge_relo + struct btrfs_root_item *root_item; + struct btrfs_path *path; + struct extent_buffer *leaf; ++ int reserve_level; + int level; + int max_level; + int replaced = 0; +@@ -2335,7 +2336,8 @@ static noinline_for_stack int merge_relo + * Thus the needed metadata size is at most root_level * nodesize, + * and * 2 since we have two trees to COW. + */ +- min_reserved = fs_info->nodesize * btrfs_root_level(root_item) * 2; ++ reserve_level = max_t(int, 1, btrfs_root_level(root_item)); ++ min_reserved = fs_info->nodesize * reserve_level * 2; + memset(&next_key, 0, sizeof(next_key)); + + while (1) { diff --git a/queue-5.4/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch b/queue-5.4/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch new file mode 100644 index 00000000000..ba8b2074820 --- /dev/null +++ b/queue-5.4/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch @@ -0,0 +1,68 @@ +From a1fbc6750e212c5675a4e48d7f51d44607eb8756 Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Sun, 4 Oct 2020 19:04:26 +0100 +Subject: btrfs: fix potential overflow in cluster_pages_for_defrag on 32bit arch + +From: Matthew Wilcox (Oracle) + +commit a1fbc6750e212c5675a4e48d7f51d44607eb8756 upstream. + +On 32-bit systems, this shift will overflow for files larger than 4GB as +start_index is unsigned long while the calls to btrfs_delalloc_*_space +expect u64. + +CC: stable@vger.kernel.org # 4.4+ +Fixes: df480633b891 ("btrfs: extent-tree: Switch to new delalloc space reserve and release") +Reviewed-by: Josef Bacik +Signed-off-by: Matthew Wilcox (Oracle) +Reviewed-by: David Sterba +[ define the variable instead of repeating the shift ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + + + +--- + fs/btrfs/ioctl.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1255,6 +1255,7 @@ static int cluster_pages_for_defrag(stru + u64 page_start; + u64 page_end; + u64 page_cnt; ++ u64 start = (u64)start_index << PAGE_SHIFT; + int ret; + int i; + int i_done; +@@ -1271,8 +1272,7 @@ static int cluster_pages_for_defrag(stru + page_cnt = min_t(u64, (u64)num_pages, (u64)file_end - start_index + 1); + + ret = btrfs_delalloc_reserve_space(inode, &data_reserved, +- start_index << PAGE_SHIFT, +- page_cnt << PAGE_SHIFT); ++ start, page_cnt << PAGE_SHIFT); + if (ret) + return ret; + i_done = 0; +@@ -1361,8 +1361,7 @@ again: + btrfs_mod_outstanding_extents(BTRFS_I(inode), 1); + spin_unlock(&BTRFS_I(inode)->lock); + btrfs_delalloc_release_space(inode, data_reserved, +- start_index << PAGE_SHIFT, +- (page_cnt - i_done) << PAGE_SHIFT, true); ++ start, (page_cnt - i_done) << PAGE_SHIFT, true); + } + + +@@ -1389,8 +1388,7 @@ out: + put_page(pages[i]); + } + btrfs_delalloc_release_space(inode, data_reserved, +- start_index << PAGE_SHIFT, +- page_cnt << PAGE_SHIFT, true); ++ start, page_cnt << PAGE_SHIFT, true); + btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT); + extent_changeset_free(data_reserved); + return ret; diff --git a/queue-5.4/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch b/queue-5.4/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch new file mode 100644 index 00000000000..95eab20cdda --- /dev/null +++ b/queue-5.4/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch @@ -0,0 +1,33 @@ +From 468600c6ec28613b756193c5f780aac062f1acdf Mon Sep 17 00:00:00 2001 +From: Dinghao Liu +Date: Wed, 21 Oct 2020 13:36:55 +0800 +Subject: btrfs: ref-verify: fix memory leak in btrfs_ref_tree_mod + +From: Dinghao Liu + +commit 468600c6ec28613b756193c5f780aac062f1acdf upstream. + +There is one error handling path that does not free ref, which may cause +a minor memory leak. + +CC: stable@vger.kernel.org # 4.19+ +Reviewed-by: Josef Bacik +Signed-off-by: Dinghao Liu +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ref-verify.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/ref-verify.c ++++ b/fs/btrfs/ref-verify.c +@@ -851,6 +851,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i + "dropping a ref for a root that doesn't have a ref on the block"); + dump_block_entry(fs_info, be); + dump_ref_action(fs_info, ra); ++ kfree(ref); + kfree(ra); + goto out_unlock; + } diff --git a/queue-5.4/erofs-derive-atime-instead-of-leaving-it-empty.patch b/queue-5.4/erofs-derive-atime-instead-of-leaving-it-empty.patch new file mode 100644 index 00000000000..3e6983e525c --- /dev/null +++ b/queue-5.4/erofs-derive-atime-instead-of-leaving-it-empty.patch @@ -0,0 +1,79 @@ +From d3938ee23e97bfcac2e0eb6b356875da73d700df Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Sun, 1 Nov 2020 03:51:02 +0800 +Subject: erofs: derive atime instead of leaving it empty + +From: Gao Xiang + +commit d3938ee23e97bfcac2e0eb6b356875da73d700df upstream. + +EROFS has _only one_ ondisk timestamp (ctime is currently +documented and recorded, we might also record mtime instead +with a new compat feature if needed) for each extended inode +since EROFS isn't mainly for archival purposes so no need to +keep all timestamps on disk especially for Android scenarios +due to security concerns. Also, romfs/cramfs don't have their +own on-disk timestamp, and squashfs only records mtime instead. + +Let's also derive access time from ondisk timestamp rather than +leaving it empty, and if mtime/atime for each file are really +needed for specific scenarios as well, we can also use xattrs +to record them then. + +Link: https://lore.kernel.org/r/20201031195102.21221-1-hsiangkao@aol.com +[ Gao Xiang: It'd be better to backport for user-friendly concern. ] +Fixes: 431339ba9042 ("staging: erofs: add inode operations") +Cc: stable # 4.19+ +Reported-by: nl6720 +Reviewed-by: Chao Yu +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman + +--- + fs/erofs/inode.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -107,11 +107,9 @@ static struct page *erofs_read_inode(str + i_gid_write(inode, le32_to_cpu(die->i_gid)); + set_nlink(inode, le32_to_cpu(die->i_nlink)); + +- /* ns timestamp */ +- inode->i_mtime.tv_sec = inode->i_ctime.tv_sec = +- le64_to_cpu(die->i_ctime); +- inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec = +- le32_to_cpu(die->i_ctime_nsec); ++ /* extended inode has its own timestamp */ ++ inode->i_ctime.tv_sec = le64_to_cpu(die->i_ctime); ++ inode->i_ctime.tv_nsec = le32_to_cpu(die->i_ctime_nsec); + + inode->i_size = le64_to_cpu(die->i_size); + +@@ -149,11 +147,9 @@ static struct page *erofs_read_inode(str + i_gid_write(inode, le16_to_cpu(dic->i_gid)); + set_nlink(inode, le16_to_cpu(dic->i_nlink)); + +- /* use build time to derive all file time */ +- inode->i_mtime.tv_sec = inode->i_ctime.tv_sec = +- sbi->build_time; +- inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec = +- sbi->build_time_nsec; ++ /* use build time for compact inodes */ ++ inode->i_ctime.tv_sec = sbi->build_time; ++ inode->i_ctime.tv_nsec = sbi->build_time_nsec; + + inode->i_size = le32_to_cpu(dic->i_size); + if (erofs_inode_is_data_compressed(vi->datalayout)) +@@ -167,6 +163,11 @@ static struct page *erofs_read_inode(str + goto err_out; + } + ++ inode->i_mtime.tv_sec = inode->i_ctime.tv_sec; ++ inode->i_atime.tv_sec = inode->i_ctime.tv_sec; ++ inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec; ++ inode->i_atime.tv_nsec = inode->i_ctime.tv_nsec; ++ + if (!nblks) + /* measure inode.i_blocks as generic filesystems */ + inode->i_blocks = roundup(inode->i_size, EROFS_BLKSIZ) >> 9; diff --git a/queue-5.4/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch b/queue-5.4/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch new file mode 100644 index 00000000000..ee41d98c7b7 --- /dev/null +++ b/queue-5.4/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch @@ -0,0 +1,46 @@ +From 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d Mon Sep 17 00:00:00 2001 +From: Kaixu Xia +Date: Thu, 29 Oct 2020 23:46:36 +0800 +Subject: ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA + +From: Kaixu Xia + +commit 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d upstream. + +The macro MOPT_Q is used to indicates the mount option is related to +quota stuff and is defined to be MOPT_NOSUPPORT when CONFIG_QUOTA is +disabled. Normally the quota options are handled explicitly, so it +didn't matter that the MOPT_STRING flag was missing, even though the +usrjquota and grpjquota mount options take a string argument. It's +important that's present in the !CONFIG_QUOTA case, since without +MOPT_STRING, the mount option matcher will match usrjquota= followed +by an integer, and will otherwise skip the table entry, and so "mount +option not supported" error message is never reported. + +[ Fixed up the commit description to better explain why the fix + works. --TYT ] + +Fixes: 26092bf52478 ("ext4: use a table-driven handler for mount options") +Signed-off-by: Kaixu Xia +Link: https://lore.kernel.org/r/1603986396-28917-1-git-send-email-kaixuxia@tencent.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1756,8 +1756,8 @@ static const struct mount_opts { + {Opt_noquota, (EXT4_MOUNT_QUOTA | EXT4_MOUNT_USRQUOTA | + EXT4_MOUNT_GRPQUOTA | EXT4_MOUNT_PRJQUOTA), + MOPT_CLEAR | MOPT_Q}, +- {Opt_usrjquota, 0, MOPT_Q}, +- {Opt_grpjquota, 0, MOPT_Q}, ++ {Opt_usrjquota, 0, MOPT_Q | MOPT_STRING}, ++ {Opt_grpjquota, 0, MOPT_Q | MOPT_STRING}, + {Opt_offusrjquota, 0, MOPT_Q}, + {Opt_offgrpjquota, 0, MOPT_Q}, + {Opt_jqfmt_vfsold, QFMT_VFS_OLD, MOPT_QFMT}, diff --git a/queue-5.4/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch b/queue-5.4/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch new file mode 100644 index 00000000000..6c4a5e47f2b --- /dev/null +++ b/queue-5.4/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch @@ -0,0 +1,36 @@ +From 7067b2619017d51e71686ca9756b454de0e5826a Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Tue, 3 Nov 2020 10:29:02 +0800 +Subject: ext4: unlock xattr_sem properly in ext4_inline_data_truncate() + +From: Joseph Qi + +commit 7067b2619017d51e71686ca9756b454de0e5826a upstream. + +It takes xattr_sem to check inline data again but without unlock it +in case not have. So unlock it before return. + +Fixes: aef1c8513c1f ("ext4: let ext4_truncate handle inline data correctly") +Reported-by: Dan Carpenter +Cc: Tao Ma +Signed-off-by: Joseph Qi +Reviewed-by: Andreas Dilger +Link: https://lore.kernel.org/r/1604370542-124630-1-git-send-email-joseph.qi@linux.alibaba.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inline.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1918,6 +1918,7 @@ int ext4_inline_data_truncate(struct ino + + ext4_write_lock_xattr(inode, &no_expand); + if (!ext4_has_inline_data(inode)) { ++ ext4_write_unlock_xattr(inode, &no_expand); + *has_inline = 0; + ext4_journal_stop(handle); + return 0; diff --git a/queue-5.4/futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch b/queue-5.4/futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch new file mode 100644 index 00000000000..286d50fcb56 --- /dev/null +++ b/queue-5.4/futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch @@ -0,0 +1,49 @@ +From 1e106aa3509b86738769775969822ffc1ec21bf4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 6 Nov 2020 11:52:05 +0300 +Subject: futex: Don't enable IRQs unconditionally in put_pi_state() + +From: Dan Carpenter + +commit 1e106aa3509b86738769775969822ffc1ec21bf4 upstream. + +The exit_pi_state_list() function calls put_pi_state() with IRQs disabled +and is not expecting that IRQs will be enabled inside the function. + +Use the _irqsave() variant so that IRQs are restored to the original state +instead of being enabled unconditionally. + +Fixes: 153fbd1226fb ("futex: Fix more put_pi_state() vs. exit_pi_state_list() races") +Signed-off-by: Dan Carpenter +Signed-off-by: Thomas Gleixner +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20201106085205.GA1159983@mwanda +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -880,8 +880,9 @@ static void put_pi_state(struct futex_pi + */ + if (pi_state->owner) { + struct task_struct *owner; ++ unsigned long flags; + +- raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock); ++ raw_spin_lock_irqsave(&pi_state->pi_mutex.wait_lock, flags); + owner = pi_state->owner; + if (owner) { + raw_spin_lock(&owner->pi_lock); +@@ -889,7 +890,7 @@ static void put_pi_state(struct futex_pi + raw_spin_unlock(&owner->pi_lock); + } + rt_mutex_proxy_unlock(&pi_state->pi_mutex, owner); +- raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); ++ raw_spin_unlock_irqrestore(&pi_state->pi_mutex.wait_lock, flags); + } + + if (current->pi_state_cache) { diff --git a/queue-5.4/jbd2-fix-up-sparse-warnings-in-checkpoint-code.patch b/queue-5.4/jbd2-fix-up-sparse-warnings-in-checkpoint-code.patch new file mode 100644 index 00000000000..26ec017bf86 --- /dev/null +++ b/queue-5.4/jbd2-fix-up-sparse-warnings-in-checkpoint-code.patch @@ -0,0 +1,50 @@ +From 05d5233df85e9621597c5838e95235107eb624a2 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 7 Nov 2020 00:00:49 -0500 +Subject: jbd2: fix up sparse warnings in checkpoint code + +From: Theodore Ts'o + +commit 05d5233df85e9621597c5838e95235107eb624a2 upstream. + +Add missing __acquires() and __releases() annotations. Also, in an +"this should never happen" WARN_ON check, if it *does* actually +happen, we need to release j_state_lock since this function is always +supposed to release that lock. Otherwise, things will quickly grind +to a halt after the WARN_ON trips. + +Fixes: 96f1e0974575 ("jbd2: avoid long hold times of j_state_lock...") +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/checkpoint.c | 2 ++ + fs/jbd2/transaction.c | 4 +++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -106,6 +106,8 @@ static int __try_to_free_cp_buf(struct j + * for a checkpoint to free up some space in the log. + */ + void __jbd2_log_wait_for_space(journal_t *journal) ++__acquires(&journal->j_state_lock) ++__releases(&journal->j_state_lock) + { + int nblocks, space_left; + /* assert_spin_locked(&journal->j_state_lock); */ +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -171,8 +171,10 @@ static void wait_transaction_switching(j + DEFINE_WAIT(wait); + + if (WARN_ON(!journal->j_running_transaction || +- journal->j_running_transaction->t_state != T_SWITCH)) ++ journal->j_running_transaction->t_state != T_SWITCH)) { ++ read_unlock(&journal->j_state_lock); + return; ++ } + prepare_to_wait(&journal->j_wait_transaction_locked, &wait, + TASK_UNINTERRUPTIBLE); + read_unlock(&journal->j_state_lock); diff --git a/queue-5.4/kvm-arm64-don-t-hide-id-registers-from-userspace.patch b/queue-5.4/kvm-arm64-don-t-hide-id-registers-from-userspace.patch new file mode 100644 index 00000000000..d4253fdebd1 --- /dev/null +++ b/queue-5.4/kvm-arm64-don-t-hide-id-registers-from-userspace.patch @@ -0,0 +1,83 @@ +From f81cb2c3ad41ac6d8cb2650e3d72d5f67db1aa28 Mon Sep 17 00:00:00 2001 +From: Andrew Jones +Date: Thu, 5 Nov 2020 10:10:19 +0100 +Subject: KVM: arm64: Don't hide ID registers from userspace +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrew Jones + +commit f81cb2c3ad41ac6d8cb2650e3d72d5f67db1aa28 upstream. + +ID registers are RAZ until they've been allocated a purpose, but +that doesn't mean they should be removed from the KVM_GET_REG_LIST +list. So far we only have one register, SYS_ID_AA64ZFR0_EL1, that +is hidden from userspace when its function, SVE, is not present. + +Expose SYS_ID_AA64ZFR0_EL1 to userspace as RAZ when SVE is not +implemented. Removing the userspace visibility checks is enough +to reexpose it, as it will already return zero to userspace when +SVE is not present. The register already behaves as RAZ for the +guest when SVE is not present. + +Fixes: 73433762fcae ("KVM: arm64/sve: System register context switch and access support") +Reported-by: 张东旭 +Signed-off-by: Andrew Jones +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org#v5.2+ +Link: https://lore.kernel.org/r/20201105091022.15373-2-drjones@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/sys_regs.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +--- a/arch/arm64/kvm/sys_regs.c ++++ b/arch/arm64/kvm/sys_regs.c +@@ -1132,16 +1132,6 @@ static unsigned int sve_visibility(const + return REG_HIDDEN_USER | REG_HIDDEN_GUEST; + } + +-/* Visibility overrides for SVE-specific ID registers */ +-static unsigned int sve_id_visibility(const struct kvm_vcpu *vcpu, +- const struct sys_reg_desc *rd) +-{ +- if (vcpu_has_sve(vcpu)) +- return 0; +- +- return REG_HIDDEN_USER; +-} +- + /* Generate the emulated ID_AA64ZFR0_EL1 value exposed to the guest */ + static u64 guest_id_aa64zfr0_el1(const struct kvm_vcpu *vcpu) + { +@@ -1168,9 +1158,6 @@ static int get_id_aa64zfr0_el1(struct kv + { + u64 val; + +- if (WARN_ON(!vcpu_has_sve(vcpu))) +- return -ENOENT; +- + val = guest_id_aa64zfr0_el1(vcpu); + return reg_to_user(uaddr, &val, reg->id); + } +@@ -1183,9 +1170,6 @@ static int set_id_aa64zfr0_el1(struct kv + int err; + u64 val; + +- if (WARN_ON(!vcpu_has_sve(vcpu))) +- return -ENOENT; +- + err = reg_from_user(&val, uaddr, id); + if (err) + return err; +@@ -1448,7 +1432,7 @@ static const struct sys_reg_desc sys_reg + ID_SANITISED(ID_AA64PFR1_EL1), + ID_UNALLOCATED(4,2), + ID_UNALLOCATED(4,3), +- { SYS_DESC(SYS_ID_AA64ZFR0_EL1), access_id_aa64zfr0_el1, .get_user = get_id_aa64zfr0_el1, .set_user = set_id_aa64zfr0_el1, .visibility = sve_id_visibility }, ++ { SYS_DESC(SYS_ID_AA64ZFR0_EL1), access_id_aa64zfr0_el1, .get_user = get_id_aa64zfr0_el1, .set_user = set_id_aa64zfr0_el1, }, + ID_UNALLOCATED(4,5), + ID_UNALLOCATED(4,6), + ID_UNALLOCATED(4,7), diff --git a/queue-5.4/mei-protect-mei_cl_mtu-from-null-dereference.patch b/queue-5.4/mei-protect-mei_cl_mtu-from-null-dereference.patch new file mode 100644 index 00000000000..0248ec330dd --- /dev/null +++ b/queue-5.4/mei-protect-mei_cl_mtu-from-null-dereference.patch @@ -0,0 +1,41 @@ +From bcbc0b2e275f0a797de11a10eff495b4571863fc Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Thu, 29 Oct 2020 11:54:42 +0200 +Subject: mei: protect mei_cl_mtu from null dereference + +From: Alexander Usyskin + +commit bcbc0b2e275f0a797de11a10eff495b4571863fc upstream. + +A receive callback is queued while the client is still connected +but can still be called after the client was disconnected. Upon +disconnect cl->me_cl is set to NULL, hence we need to check +that ME client is not-NULL in mei_cl_mtu to avoid +null dereference. + +Cc: +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20201029095444.957924-2-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/client.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/mei/client.h ++++ b/drivers/misc/mei/client.h +@@ -128,11 +128,11 @@ static inline u8 mei_cl_me_id(const stru + * + * @cl: host client + * +- * Return: mtu ++ * Return: mtu or 0 if client is not connected + */ + static inline size_t mei_cl_mtu(const struct mei_cl *cl) + { +- return cl->me_cl->props.max_msg_length; ++ return cl->me_cl ? cl->me_cl->props.max_msg_length : 0; + } + + /** diff --git a/queue-5.4/mm-slub-fix-panic-in-slab_alloc_node.patch b/queue-5.4/mm-slub-fix-panic-in-slab_alloc_node.patch new file mode 100644 index 00000000000..cd9aaded777 --- /dev/null +++ b/queue-5.4/mm-slub-fix-panic-in-slab_alloc_node.patch @@ -0,0 +1,126 @@ +From 22e4663e916321b72972c69ca0c6b962f529bd78 Mon Sep 17 00:00:00 2001 +From: Laurent Dufour +Date: Fri, 13 Nov 2020 22:51:53 -0800 +Subject: mm/slub: fix panic in slab_alloc_node() + +From: Laurent Dufour + +commit 22e4663e916321b72972c69ca0c6b962f529bd78 upstream. + +While doing memory hot-unplug operation on a PowerPC VM running 1024 CPUs +with 11TB of ram, I hit the following panic: + + BUG: Kernel NULL pointer dereference on read at 0x00000007 + Faulting instruction address: 0xc000000000456048 + Oops: Kernel access of bad area, sig: 11 [#2] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS= 2048 NUMA pSeries + Modules linked in: rpadlpar_io rpaphp + CPU: 160 PID: 1 Comm: systemd Tainted: G D 5.9.0 #1 + NIP: c000000000456048 LR: c000000000455fd4 CTR: c00000000047b350 + REGS: c00006028d1b77a0 TRAP: 0300 Tainted: G D (5.9.0) + MSR: 8000000000009033 CR: 24004228 XER: 00000000 + CFAR: c00000000000f1b0 DAR: 0000000000000007 DSISR: 40000000 IRQMASK: 0 + GPR00: c000000000455fd4 c00006028d1b7a30 c000000001bec800 0000000000000000 + GPR04: 0000000000000dc0 0000000000000000 00000000000374ef c00007c53df99320 + GPR08: 000007c53c980000 0000000000000000 000007c53c980000 0000000000000000 + GPR12: 0000000000004400 c00000001e8e4400 0000000000000000 0000000000000f6a + GPR16: 0000000000000000 c000000001c25930 c000000001d62528 00000000000000c1 + GPR20: c000000001d62538 c00006be469e9000 0000000fffffffe0 c0000000003c0ff8 + GPR24: 0000000000000018 0000000000000000 0000000000000dc0 0000000000000000 + GPR28: c00007c513755700 c000000001c236a4 c00007bc4001f800 0000000000000001 + NIP [c000000000456048] __kmalloc_node+0x108/0x790 + LR [c000000000455fd4] __kmalloc_node+0x94/0x790 + Call Trace: + kvmalloc_node+0x58/0x110 + mem_cgroup_css_online+0x10c/0x270 + online_css+0x48/0xd0 + cgroup_apply_control_enable+0x2c4/0x470 + cgroup_mkdir+0x408/0x5f0 + kernfs_iop_mkdir+0x90/0x100 + vfs_mkdir+0x138/0x250 + do_mkdirat+0x154/0x1c0 + system_call_exception+0xf8/0x200 + system_call_common+0xf0/0x27c + Instruction dump: + e93e0000 e90d0030 39290008 7cc9402a e94d0030 e93e0000 7ce95214 7f89502a + 2fbc0000 419e0018 41920230 e9270010 <89290007> 7f994800 419e0220 7ee6bb78 + +This pointing to the following code: + + mm/slub.c:2851 + if (unlikely(!object || !node_match(page, node))) { + c000000000456038: 00 00 bc 2f cmpdi cr7,r28,0 + c00000000045603c: 18 00 9e 41 beq cr7,c000000000456054 <__kmalloc_node+0x114> + node_match(): + mm/slub.c:2491 + if (node != NUMA_NO_NODE && page_to_nid(page) != node) + c000000000456040: 30 02 92 41 beq cr4,c000000000456270 <__kmalloc_node+0x330> + page_to_nid(): + include/linux/mm.h:1294 + c000000000456044: 10 00 27 e9 ld r9,16(r7) + c000000000456048: 07 00 29 89 lbz r9,7(r9) <<<< r9 = NULL + node_match(): + mm/slub.c:2491 + c00000000045604c: 00 48 99 7f cmpw cr7,r25,r9 + c000000000456050: 20 02 9e 41 beq cr7,c000000000456270 <__kmalloc_node+0x330> + +The panic occurred in slab_alloc_node() when checking for the page's node: + + object = c->freelist; + page = c->page; + if (unlikely(!object || !node_match(page, node))) { + object = __slab_alloc(s, gfpflags, node, addr, c); + stat(s, ALLOC_SLOWPATH); + +The issue is that object is not NULL while page is NULL which is odd but +may happen if the cache flush happened after loading object but before +loading page. Thus checking for the page pointer is required too. + +The cache flush is done through an inter processor interrupt when a +piece of memory is off-lined. That interrupt is triggered when a memory +hot-unplug operation is initiated and offline_pages() is calling the +slub's MEM_GOING_OFFLINE callback slab_mem_going_offline_callback() +which is calling flush_cpu_slab(). If that interrupt is caught between +the reading of c->freelist and the reading of c->page, this could lead +to such a situation. That situation is expected and the later call to +this_cpu_cmpxchg_double() will detect the change to c->freelist and redo +the whole operation. + +In commit 6159d0f5c03e ("mm/slub.c: page is always non-NULL in +node_match()") check on the page pointer has been removed assuming that +page is always valid when it is called. It happens that this is not +true in that particular case, so check for page before calling +node_match() here. + +Fixes: 6159d0f5c03e ("mm/slub.c: page is always non-NULL in node_match()") +Signed-off-by: Laurent Dufour +Signed-off-by: Andrew Morton +Acked-by: Vlastimil Babka +Acked-by: Christoph Lameter +Cc: Wei Yang +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Nathan Lynch +Cc: Scott Cheloha +Cc: Michal Hocko +Cc: +Link: https://lkml.kernel.org/r/20201027190406.33283-1-ldufour@linux.ibm.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -2763,7 +2763,7 @@ redo: + + object = c->freelist; + page = c->page; +- if (unlikely(!object || !node_match(page, node))) { ++ if (unlikely(!object || !page || !node_match(page, node))) { + object = __slab_alloc(s, gfpflags, node, addr, c); + stat(s, ALLOC_SLOWPATH); + } else { diff --git a/queue-5.4/ocfs2-initialize-ip_next_orphan.patch b/queue-5.4/ocfs2-initialize-ip_next_orphan.patch new file mode 100644 index 00000000000..f9b09b8d076 --- /dev/null +++ b/queue-5.4/ocfs2-initialize-ip_next_orphan.patch @@ -0,0 +1,93 @@ +From f5785283dd64867a711ca1fb1f5bb172f252ecdf Mon Sep 17 00:00:00 2001 +From: Wengang Wang +Date: Fri, 13 Nov 2020 22:52:23 -0800 +Subject: ocfs2: initialize ip_next_orphan + +From: Wengang Wang + +commit f5785283dd64867a711ca1fb1f5bb172f252ecdf upstream. + +Though problem if found on a lower 4.1.12 kernel, I think upstream has +same issue. + +In one node in the cluster, there is the following callback trace: + + # cat /proc/21473/stack + __ocfs2_cluster_lock.isra.36+0x336/0x9e0 [ocfs2] + ocfs2_inode_lock_full_nested+0x121/0x520 [ocfs2] + ocfs2_evict_inode+0x152/0x820 [ocfs2] + evict+0xae/0x1a0 + iput+0x1c6/0x230 + ocfs2_orphan_filldir+0x5d/0x100 [ocfs2] + ocfs2_dir_foreach_blk+0x490/0x4f0 [ocfs2] + ocfs2_dir_foreach+0x29/0x30 [ocfs2] + ocfs2_recover_orphans+0x1b6/0x9a0 [ocfs2] + ocfs2_complete_recovery+0x1de/0x5c0 [ocfs2] + process_one_work+0x169/0x4a0 + worker_thread+0x5b/0x560 + kthread+0xcb/0xf0 + ret_from_fork+0x61/0x90 + +The above stack is not reasonable, the final iput shouldn't happen in +ocfs2_orphan_filldir() function. Looking at the code, + + 2067 /* Skip inodes which are already added to recover list, since dio may + 2068 * happen concurrently with unlink/rename */ + 2069 if (OCFS2_I(iter)->ip_next_orphan) { + 2070 iput(iter); + 2071 return 0; + 2072 } + 2073 + +The logic thinks the inode is already in recover list on seeing +ip_next_orphan is non-NULL, so it skip this inode after dropping a +reference which incremented in ocfs2_iget(). + +While, if the inode is already in recover list, it should have another +reference and the iput() at line 2070 should not be the final iput +(dropping the last reference). So I don't think the inode is really in +the recover list (no vmcore to confirm). + +Note that ocfs2_queue_orphans(), though not shown up in the call back +trace, is holding cluster lock on the orphan directory when looking up +for unlinked inodes. The on disk inode eviction could involve a lot of +IOs which may need long time to finish. That means this node could hold +the cluster lock for very long time, that can lead to the lock requests +(from other nodes) to the orhpan directory hang for long time. + +Looking at more on ip_next_orphan, I found it's not initialized when +allocating a new ocfs2_inode_info structure. + +This causes te reflink operations from some nodes hang for very long +time waiting for the cluster lock on the orphan directory. + +Fix: initialize ip_next_orphan as NULL. + +Signed-off-by: Wengang Wang +Signed-off-by: Andrew Morton +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Link: https://lkml.kernel.org/r/20201109171746.27884-1-wen.gang.wang@oracle.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -1692,6 +1692,7 @@ static void ocfs2_inode_init_once(void * + + oi->ip_blkno = 0ULL; + oi->ip_clusters = 0; ++ oi->ip_next_orphan = NULL; + + ocfs2_resv_init_once(&oi->ip_la_data_resv); + diff --git a/queue-5.4/reboot-fix-overflow-parsing-reboot-cpu-number.patch b/queue-5.4/reboot-fix-overflow-parsing-reboot-cpu-number.patch new file mode 100644 index 00000000000..efade5136a7 --- /dev/null +++ b/queue-5.4/reboot-fix-overflow-parsing-reboot-cpu-number.patch @@ -0,0 +1,74 @@ +From df5b0ab3e08a156701b537809914b339b0daa526 Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Fri, 13 Nov 2020 22:52:07 -0800 +Subject: reboot: fix overflow parsing reboot cpu number + +From: Matteo Croce + +commit df5b0ab3e08a156701b537809914b339b0daa526 upstream. + +Limit the CPU number to num_possible_cpus(), because setting it to a +value lower than INT_MAX but higher than NR_CPUS produces the following +error on reboot and shutdown: + + BUG: unable to handle page fault for address: ffffffff90ab1bb0 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 1c09067 P4D 1c09067 PUD 1c0a063 PMD 0 + Oops: 0000 [#1] SMP + CPU: 1 PID: 1 Comm: systemd-shutdow Not tainted 5.9.0-rc8-kvm #110 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 + RIP: 0010:migrate_to_reboot_cpu+0xe/0x60 + Code: ea ea 00 48 89 fa 48 c7 c7 30 57 f1 81 e9 fa ef ff ff 66 2e 0f 1f 84 00 00 00 00 00 53 8b 1d d5 ea ea 00 e8 14 33 fe ff 89 da <48> 0f a3 15 ea fc bd 00 48 89 d0 73 29 89 c2 c1 e8 06 65 48 8b 3c + RSP: 0018:ffffc90000013e08 EFLAGS: 00010246 + RAX: ffff88801f0a0000 RBX: 0000000077359400 RCX: 0000000000000000 + RDX: 0000000077359400 RSI: 0000000000000002 RDI: ffffffff81c199e0 + RBP: ffffffff81c1e3c0 R08: ffff88801f41f000 R09: ffffffff81c1e348 + R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 + R13: 00007f32bedf8830 R14: 00000000fee1dead R15: 0000000000000000 + FS: 00007f32bedf8980(0000) GS:ffff88801f480000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffffff90ab1bb0 CR3: 000000001d057000 CR4: 00000000000006a0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + __do_sys_reboot.cold+0x34/0x5b + do_syscall_64+0x2d/0x40 + +Fixes: 1b3a5d02ee07 ("reboot: move arch/x86 reboot= handling to generic kernel") +Signed-off-by: Matteo Croce +Signed-off-by: Andrew Morton +Cc: Arnd Bergmann +Cc: Fabian Frederick +Cc: Greg Kroah-Hartman +Cc: Guenter Roeck +Cc: Kees Cook +Cc: Mike Rapoport +Cc: Pavel Tatashin +Cc: Petr Mladek +Cc: Robin Holt +Cc: +Link: https://lkml.kernel.org/r/20201103214025.116799-3-mcroce@linux.microsoft.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/reboot.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/reboot.c ++++ b/kernel/reboot.c +@@ -558,6 +558,13 @@ static int __init reboot_setup(char *str + reboot_cpu = simple_strtoul(str+3, NULL, 0); + else + *mode = REBOOT_SOFT; ++ if (reboot_cpu >= num_possible_cpus()) { ++ pr_err("Ignoring the CPU number in reboot= option. " ++ "CPU %d exceeds possible cpu number %d\n", ++ reboot_cpu, num_possible_cpus()); ++ reboot_cpu = 0; ++ break; ++ } + break; + + case 'g': diff --git a/queue-5.4/revert-kernel-reboot.c-convert-simple_strtoul-to-kstrtoint.patch b/queue-5.4/revert-kernel-reboot.c-convert-simple_strtoul-to-kstrtoint.patch new file mode 100644 index 00000000000..0bb1379abe8 --- /dev/null +++ b/queue-5.4/revert-kernel-reboot.c-convert-simple_strtoul-to-kstrtoint.patch @@ -0,0 +1,86 @@ +From 8b92c4ff4423aa9900cf838d3294fcade4dbda35 Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Fri, 13 Nov 2020 22:52:02 -0800 +Subject: Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint" + +From: Matteo Croce + +commit 8b92c4ff4423aa9900cf838d3294fcade4dbda35 upstream. + +Patch series "fix parsing of reboot= cmdline", v3. + +The parsing of the reboot= cmdline has two major errors: + + - a missing bound check can crash the system on reboot + + - parsing of the cpu number only works if specified last + +Fix both. + +This patch (of 2): + +This reverts commit 616feab753972b97. + +kstrtoint() and simple_strtoul() have a subtle difference which makes +them non interchangeable: if a non digit character is found amid the +parsing, the former will return an error, while the latter will just +stop parsing, e.g. simple_strtoul("123xyx") = 123. + +The kernel cmdline reboot= argument allows to specify the CPU used for +rebooting, with the syntax `s####` among the other flags, e.g. +"reboot=warm,s31,force", so if this flag is not the last given, it's +silently ignored as well as the subsequent ones. + +Fixes: 616feab75397 ("kernel/reboot.c: convert simple_strtoul to kstrtoint") +Signed-off-by: Matteo Croce +Signed-off-by: Andrew Morton +Cc: Guenter Roeck +Cc: Petr Mladek +Cc: Arnd Bergmann +Cc: Mike Rapoport +Cc: Kees Cook +Cc: Pavel Tatashin +Cc: Robin Holt +Cc: Fabian Frederick +Cc: Greg Kroah-Hartman +Cc: +Link: https://lkml.kernel.org/r/20201103214025.116799-2-mcroce@linux.microsoft.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/reboot.c | 21 +++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +--- a/kernel/reboot.c ++++ b/kernel/reboot.c +@@ -551,22 +551,15 @@ static int __init reboot_setup(char *str + break; + + case 's': +- { +- int rc; +- +- if (isdigit(*(str+1))) { +- rc = kstrtoint(str+1, 0, &reboot_cpu); +- if (rc) +- return rc; +- } else if (str[1] == 'm' && str[2] == 'p' && +- isdigit(*(str+3))) { +- rc = kstrtoint(str+3, 0, &reboot_cpu); +- if (rc) +- return rc; +- } else ++ if (isdigit(*(str+1))) ++ reboot_cpu = simple_strtoul(str+1, NULL, 0); ++ else if (str[1] == 'm' && str[2] == 'p' && ++ isdigit(*(str+3))) ++ reboot_cpu = simple_strtoul(str+3, NULL, 0); ++ else + *mode = REBOOT_SOFT; + break; +- } ++ + case 'g': + *mode = REBOOT_GPIO; + break; diff --git a/queue-5.4/series b/queue-5.4/series index 0fd6158c595..7fa74e3bbb7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -103,3 +103,24 @@ of-address-fix-of_node-memory-leak-in-of_dma_is_cohe.patch cosa-add-missing-kfree-in-error-path-of-cosa_write.patch vrf-fix-fast-path-output-packet-handling-with-async-.patch perf-fix-get_recursion_context.patch +erofs-derive-atime-instead-of-leaving-it-empty.patch +ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch +ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch +btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch +btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch +btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch +kvm-arm64-don-t-hide-id-registers-from-userspace.patch +thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch +thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch +uio-fix-use-after-free-in-uio_unregister_device.patch +usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch +xhci-hisilicon-fix-refercence-leak-in-xhci_histb_probe.patch +virtio-virtio_console-fix-dma-memory-allocation-for-rproc-serial.patch +mei-protect-mei_cl_mtu-from-null-dereference.patch +futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch +jbd2-fix-up-sparse-warnings-in-checkpoint-code.patch +mm-slub-fix-panic-in-slab_alloc_node.patch +revert-kernel-reboot.c-convert-simple_strtoul-to-kstrtoint.patch +reboot-fix-overflow-parsing-reboot-cpu-number.patch +ocfs2-initialize-ip_next_orphan.patch +btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch diff --git a/queue-5.4/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch b/queue-5.4/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch new file mode 100644 index 00000000000..d4283ccf7b4 --- /dev/null +++ b/queue-5.4/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch @@ -0,0 +1,53 @@ +From 7342ca34d931a357d408aaa25fadd031e46af137 Mon Sep 17 00:00:00 2001 +From: Jing Xiangfeng +Date: Thu, 15 Oct 2020 16:40:53 +0800 +Subject: thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() + +From: Jing Xiangfeng + +commit 7342ca34d931a357d408aaa25fadd031e46af137 upstream. + +ring_request_msix() misses to call ida_simple_remove() in an error path. +Add a label 'err_ida_remove' and jump to it. + +Fixes: 046bee1f9ab8 ("thunderbolt: Add MSI-X support") +Cc: stable@vger.kernel.org +Signed-off-by: Jing Xiangfeng +Reviewed-by: Andy Shevchenko +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thunderbolt/nhi.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -410,12 +410,23 @@ static int ring_request_msix(struct tb_r + + ring->vector = ret; + +- ring->irq = pci_irq_vector(ring->nhi->pdev, ring->vector); +- if (ring->irq < 0) +- return ring->irq; ++ ret = pci_irq_vector(ring->nhi->pdev, ring->vector); ++ if (ret < 0) ++ goto err_ida_remove; ++ ++ ring->irq = ret; + + irqflags = no_suspend ? IRQF_NO_SUSPEND : 0; +- return request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring); ++ ret = request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring); ++ if (ret) ++ goto err_ida_remove; ++ ++ return 0; ++ ++err_ida_remove: ++ ida_simple_remove(&nhi->msix_ida, ring->vector); ++ ++ return ret; + } + + static void ring_release_msix(struct tb_ring *ring) diff --git a/queue-5.4/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch b/queue-5.4/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch new file mode 100644 index 00000000000..e31a50c365a --- /dev/null +++ b/queue-5.4/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch @@ -0,0 +1,31 @@ +From a663e0df4a374b8537562a44d1cecafb472cd65b Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 7 Oct 2020 17:06:17 +0300 +Subject: thunderbolt: Fix memory leak if ida_simple_get() fails in enumerate_services() + +From: Mika Westerberg + +commit a663e0df4a374b8537562a44d1cecafb472cd65b upstream. + +The svc->key field is not released as it should be if ida_simple_get() +fails so fix that. + +Fixes: 9aabb68568b4 ("thunderbolt: Fix to check return value of ida_simple_get") +Cc: stable@vger.kernel.org +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/thunderbolt/xdomain.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thunderbolt/xdomain.c ++++ b/drivers/thunderbolt/xdomain.c +@@ -830,6 +830,7 @@ static void enumerate_services(struct tb + + id = ida_simple_get(&xd->service_ids, 0, 0, GFP_KERNEL); + if (id < 0) { ++ kfree(svc->key); + kfree(svc); + break; + } diff --git a/queue-5.4/uio-fix-use-after-free-in-uio_unregister_device.patch b/queue-5.4/uio-fix-use-after-free-in-uio_unregister_device.patch new file mode 100644 index 00000000000..d1ea9e183ba --- /dev/null +++ b/queue-5.4/uio-fix-use-after-free-in-uio_unregister_device.patch @@ -0,0 +1,172 @@ +From 092561f06702dd4fdd7fb74dd3a838f1818529b7 Mon Sep 17 00:00:00 2001 +From: Shin'ichiro Kawasaki +Date: Mon, 2 Nov 2020 21:28:19 +0900 +Subject: uio: Fix use-after-free in uio_unregister_device() + +From: Shin'ichiro Kawasaki + +commit 092561f06702dd4fdd7fb74dd3a838f1818529b7 upstream. + +Commit 8fd0e2a6df26 ("uio: free uio id after uio file node is freed") +triggered KASAN use-after-free failure at deletion of TCM-user +backstores [1]. + +In uio_unregister_device(), struct uio_device *idev is passed to +uio_free_minor() to refer idev->minor. However, before uio_free_minor() +call, idev is already freed by uio_device_release() during call to +device_unregister(). + +To avoid reference to idev->minor after idev free, keep idev->minor +value in a local variable. Also modify uio_free_minor() argument to +receive the value. + +[1] +BUG: KASAN: use-after-free in uio_unregister_device+0x166/0x190 +Read of size 4 at addr ffff888105196508 by task targetcli/49158 + +CPU: 3 PID: 49158 Comm: targetcli Not tainted 5.10.0-rc1 #1 +Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015 +Call Trace: + dump_stack+0xae/0xe5 + ? uio_unregister_device+0x166/0x190 + print_address_description.constprop.0+0x1c/0x210 + ? uio_unregister_device+0x166/0x190 + ? uio_unregister_device+0x166/0x190 + kasan_report.cold+0x37/0x7c + ? kobject_put+0x80/0x410 + ? uio_unregister_device+0x166/0x190 + uio_unregister_device+0x166/0x190 + tcmu_destroy_device+0x1c4/0x280 [target_core_user] + ? tcmu_release+0x90/0x90 [target_core_user] + ? __mutex_unlock_slowpath+0xd6/0x5d0 + target_free_device+0xf3/0x2e0 [target_core_mod] + config_item_cleanup+0xea/0x210 + configfs_rmdir+0x651/0x860 + ? detach_groups.isra.0+0x380/0x380 + vfs_rmdir.part.0+0xec/0x3a0 + ? __lookup_hash+0x20/0x150 + do_rmdir+0x252/0x320 + ? do_file_open_root+0x420/0x420 + ? strncpy_from_user+0xbc/0x2f0 + ? getname_flags.part.0+0x8e/0x450 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7f9e2bfc91fb +Code: 73 01 c3 48 8b 0d 9d ec 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6d ec 0c 00 f7 d8 64 89 01 48 +RSP: 002b:00007ffdd2baafe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054 +RAX: ffffffffffffffda RBX: 00007f9e2beb44a0 RCX: 00007f9e2bfc91fb +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f9e1c20be90 +RBP: 00007ffdd2bab000 R08: 0000000000000000 R09: 00007f9e2bdf2440 +R10: 00007ffdd2baaf37 R11: 0000000000000246 R12: 00000000ffffff9c +R13: 000055f9abb7e390 R14: 000055f9abcf9558 R15: 00007f9e2be7a780 + +Allocated by task 34735: + kasan_save_stack+0x1b/0x40 + __kasan_kmalloc.constprop.0+0xc2/0xd0 + __uio_register_device+0xeb/0xd40 + tcmu_configure_device+0x5a0/0xbc0 [target_core_user] + target_configure_device+0x12f/0x760 [target_core_mod] + target_dev_enable_store+0x32/0x50 [target_core_mod] + configfs_write_file+0x2bb/0x450 + vfs_write+0x1ce/0x610 + ksys_write+0xe9/0x1b0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Freed by task 49158: + kasan_save_stack+0x1b/0x40 + kasan_set_track+0x1c/0x30 + kasan_set_free_info+0x1b/0x30 + __kasan_slab_free+0x110/0x150 + slab_free_freelist_hook+0x5a/0x170 + kfree+0xc6/0x560 + device_release+0x9b/0x210 + kobject_put+0x13e/0x410 + uio_unregister_device+0xf9/0x190 + tcmu_destroy_device+0x1c4/0x280 [target_core_user] + target_free_device+0xf3/0x2e0 [target_core_mod] + config_item_cleanup+0xea/0x210 + configfs_rmdir+0x651/0x860 + vfs_rmdir.part.0+0xec/0x3a0 + do_rmdir+0x252/0x320 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +The buggy address belongs to the object at ffff888105196000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 1288 bytes inside of + 2048-byte region [ffff888105196000, ffff888105196800) +The buggy address belongs to the page: +page:0000000098e6ca81 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105190 +head:0000000098e6ca81 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x17ffffc0010200(slab|head) +raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100043040 +raw: 0000000000000000 0000000000080008 00000001ffffffff ffff88810eb55c01 +page dumped because: kasan: bad access detected +page->mem_cgroup:ffff88810eb55c01 + +Memory state around the buggy address: + ffff888105196400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888105196480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888105196500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888105196580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888105196600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: 8fd0e2a6df26 ("uio: free uio id after uio file node is freed") +Cc: stable +Signed-off-by: Shin'ichiro Kawasaki +Link: https://lore.kernel.org/r/20201102122819.2346270-1-shinichiro.kawasaki@wdc.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uio/uio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -413,10 +413,10 @@ static int uio_get_minor(struct uio_devi + return retval; + } + +-static void uio_free_minor(struct uio_device *idev) ++static void uio_free_minor(unsigned long minor) + { + mutex_lock(&minor_lock); +- idr_remove(&uio_idr, idev->minor); ++ idr_remove(&uio_idr, minor); + mutex_unlock(&minor_lock); + } + +@@ -990,7 +990,7 @@ err_request_irq: + err_uio_dev_add_attributes: + device_del(&idev->dev); + err_device_create: +- uio_free_minor(idev); ++ uio_free_minor(idev->minor); + put_device(&idev->dev); + return ret; + } +@@ -1004,11 +1004,13 @@ EXPORT_SYMBOL_GPL(__uio_register_device) + void uio_unregister_device(struct uio_info *info) + { + struct uio_device *idev; ++ unsigned long minor; + + if (!info || !info->uio_dev) + return; + + idev = info->uio_dev; ++ minor = idev->minor; + + mutex_lock(&idev->info_lock); + uio_dev_del_attributes(idev); +@@ -1024,7 +1026,7 @@ void uio_unregister_device(struct uio_in + + device_unregister(&idev->dev); + +- uio_free_minor(idev); ++ uio_free_minor(minor); + + return; + } diff --git a/queue-5.4/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch b/queue-5.4/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch new file mode 100644 index 00000000000..f75d7205041 --- /dev/null +++ b/queue-5.4/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch @@ -0,0 +1,41 @@ +From 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 Mon Sep 17 00:00:00 2001 +From: Chris Brandt +Date: Wed, 11 Nov 2020 08:12:09 -0500 +Subject: usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode + +From: Chris Brandt + +commit 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 upstream. + +Renesas R-Car and RZ/G SoCs have a firmware download mode over USB. +However, on reset a banner string is transmitted out which is not expected +to be echoed back and will corrupt the protocol. + +Cc: stable +Acked-by: Oliver Neukum +Signed-off-by: Chris Brandt +Link: https://lore.kernel.org/r/20201111131209.3977903-1-chris.brandt@renesas.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1706,6 +1706,15 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x045b, 0x023c), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, ++ { USB_DEVICE(0x045b, 0x0248), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, ++ { USB_DEVICE(0x045b, 0x024D), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, diff --git a/queue-5.4/virtio-virtio_console-fix-dma-memory-allocation-for-rproc-serial.patch b/queue-5.4/virtio-virtio_console-fix-dma-memory-allocation-for-rproc-serial.patch new file mode 100644 index 00000000000..3b0c7d3434c --- /dev/null +++ b/queue-5.4/virtio-virtio_console-fix-dma-memory-allocation-for-rproc-serial.patch @@ -0,0 +1,83 @@ +From 9d516aa82b7d4fbe7f6303348697960ba03a530b Mon Sep 17 00:00:00 2001 +From: Alexander Lobakin +Date: Wed, 4 Nov 2020 15:31:36 +0000 +Subject: virtio: virtio_console: fix DMA memory allocation for rproc serial + +From: Alexander Lobakin + +commit 9d516aa82b7d4fbe7f6303348697960ba03a530b upstream. + +Since commit 086d08725d34 ("remoteproc: create vdev subdevice with +specific dma memory pool"), every remoteproc has a DMA subdevice +("remoteprocX#vdevYbuffer") for each virtio device, which inherits +DMA capabilities from the corresponding platform device. This allowed +to associate different DMA pools with each vdev, and required from +virtio drivers to perform DMA operations with the parent device +(vdev->dev.parent) instead of grandparent (vdev->dev.parent->parent). + +virtio_rpmsg_bus was already changed in the same merge cycle with +commit d999b622fcfb ("rpmsg: virtio: allocate buffer from parent"), +but virtio_console did not. In fact, operations using the grandparent +worked fine while the grandparent was the platform device, but since +commit c774ad010873 ("remoteproc: Fix and restore the parenting +hierarchy for vdev") this was changed, and now the grandparent device +is the remoteproc device without any DMA capabilities. +So, starting v5.8-rc1 the following warning is observed: + +[ 2.483925] ------------[ cut here ]------------ +[ 2.489148] WARNING: CPU: 3 PID: 101 at kernel/dma/mapping.c:427 0x80e7eee8 +[ 2.489152] Modules linked in: virtio_console(+) +[ 2.503737] virtio_rpmsg_bus rpmsg_core +[ 2.508903] +[ 2.528898] +[ 2.913043] +[ 2.914907] ---[ end trace 93ac8746beab612c ]--- +[ 2.920102] virtio-ports vport1p0: Error allocating inbufs + +kernel/dma/mapping.c:427 is: + +WARN_ON_ONCE(!dev->coherent_dma_mask); + +obviously because the grandparent now is remoteproc dev without any +DMA caps: + +[ 3.104943] Parent: remoteproc0#vdev1buffer, grandparent: remoteproc0 + +Fix this the same way as it was for virtio_rpmsg_bus, using just the +parent device (vdev->dev.parent, "remoteprocX#vdevYbuffer") for DMA +operations. +This also allows now to reserve DMA pools/buffers for rproc serial +via Device Tree. + +Fixes: c774ad010873 ("remoteproc: Fix and restore the parenting hierarchy for vdev") +Cc: stable@vger.kernel.org # 5.1+ +Reviewed-by: Mathieu Poirier +Acked-by: Jason Wang +Signed-off-by: Alexander Lobakin +Date: Thu, 5 Nov 2020 11:10:24 +0800 +Link: https://lore.kernel.org/r/AOKowLclCbOCKxyiJ71WeNyuAAj2q8EUtxrXbyky5E@cp7-web-042.plabs.ch +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/virtio_console.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -435,12 +435,12 @@ static struct port_buffer *alloc_buf(str + /* + * Allocate DMA memory from ancestor. When a virtio + * device is created by remoteproc, the DMA memory is +- * associated with the grandparent device: +- * vdev => rproc => platform-dev. ++ * associated with the parent device: ++ * virtioY => remoteprocX#vdevYbuffer. + */ +- if (!vdev->dev.parent || !vdev->dev.parent->parent) ++ buf->dev = vdev->dev.parent; ++ if (!buf->dev) + goto free_buf; +- buf->dev = vdev->dev.parent->parent; + + /* Increase device refcnt to avoid freeing it */ + get_device(buf->dev); diff --git a/queue-5.4/xhci-hisilicon-fix-refercence-leak-in-xhci_histb_probe.patch b/queue-5.4/xhci-hisilicon-fix-refercence-leak-in-xhci_histb_probe.patch new file mode 100644 index 00000000000..ba4bce5019c --- /dev/null +++ b/queue-5.4/xhci-hisilicon-fix-refercence-leak-in-xhci_histb_probe.patch @@ -0,0 +1,40 @@ +From 76255470ffa2795a44032e8b3c1ced11d81aa2db Mon Sep 17 00:00:00 2001 +From: Zhang Qilong +Date: Fri, 6 Nov 2020 20:22:21 +0800 +Subject: xhci: hisilicon: fix refercence leak in xhci_histb_probe + +From: Zhang Qilong + +commit 76255470ffa2795a44032e8b3c1ced11d81aa2db upstream. + +pm_runtime_get_sync() will increment pm usage at first and it +will resume the device later. We should decrease the usage count +whetever it succeeded or failed(maybe runtime of the device has +error, or device is in inaccessible state, or other error state). +If we do not call put operation to decrease the reference, it will +result in reference leak in xhci_histb_probe. Moreover, this +device cannot enter the idle state and always stay busy or other +non-idle state later. So we fixed it by jumping to error handling +branch. + +Fixes: c508f41da0788 ("xhci: hisilicon: support HiSilicon STB xHCI host controller") +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20201106122221.2304528-1-zhangqilong3@huawei.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-histb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-histb.c ++++ b/drivers/usb/host/xhci-histb.c +@@ -241,7 +241,7 @@ static int xhci_histb_probe(struct platf + /* Initialize dma_mask and coherent_dma_mask to 32-bits */ + ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(32)); + if (ret) +- return ret; ++ goto disable_pm; + + hcd = usb_create_hcd(driver, dev, dev_name(dev)); + if (!hcd) { -- 2.47.3