From 7ddd966fb6ff06cce013e06051d2f37b6c8f2778 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 17 Oct 2021 12:49:04 +0200 Subject: [PATCH] 5.10-stable patches added patches: arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch btrfs-unlock-newly-allocated-extent-buffer-after-error.patch btrfs-update-refs-for-any-root-except-tree-log-roots.patch clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch csky-fixup-regs.sr-broken-in-ptrace.patch drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch s390-fix-strrchr-implementation.patch --- ...ntic-page-order-for-non-4k-page_size.patch | 42 ++++++++ ...ing-up-inode-during-dir-entry-replay.patch | 53 ++++++++++ ...ng-inode-reference-during-log-replay.patch | 51 ++++++++++ ...eplaying-dir-entry-during-log-replay.patch | 44 +++++++++ ...-logic-in-btrfs_replace_file_extents.patch | 56 +++++++++++ ...-allocated-extent-buffer-after-error.patch | 96 +++++++++++++++++++ ...s-for-any-root-except-tree-log-roots.patch | 62 ++++++++++++ ...a-agilex-fix-duplicate-s2f_user0_clk.patch | 46 +++++++++ ...h-priveleged-bits-of-status-register.patch | 43 +++++++++ .../csky-fixup-regs.sr-broken-in-ptrace.patch | 35 +++++++ ...ntial-overflow-in-timeout_to_jiffies.patch | 64 +++++++++++++ ...id-operands-und-and-und-sections-for.patch | 85 ++++++++++++++++ .../s390-fix-strrchr-implementation.patch | 49 ++++++++++ queue-5.10/series | 13 +++ 14 files changed, 739 insertions(+) create mode 100644 queue-5.10/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch create mode 100644 queue-5.10/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch create mode 100644 queue-5.10/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch create mode 100644 queue-5.10/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch create mode 100644 queue-5.10/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch create mode 100644 queue-5.10/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch create mode 100644 queue-5.10/btrfs-update-refs-for-any-root-except-tree-log-roots.patch create mode 100644 queue-5.10/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch create mode 100644 queue-5.10/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch create mode 100644 queue-5.10/csky-fixup-regs.sr-broken-in-ptrace.patch create mode 100644 queue-5.10/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch create mode 100644 queue-5.10/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch create mode 100644 queue-5.10/s390-fix-strrchr-implementation.patch diff --git a/queue-5.10/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch b/queue-5.10/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch new file mode 100644 index 00000000000..f5225c69963 --- /dev/null +++ b/queue-5.10/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch @@ -0,0 +1,42 @@ +From 2e5809a4ddb15969503e43b06662a9a725f613ea Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Tue, 5 Oct 2021 13:25:29 -0700 +Subject: arm64/hugetlb: fix CMA gigantic page order for non-4K PAGE_SIZE + +From: Mike Kravetz + +commit 2e5809a4ddb15969503e43b06662a9a725f613ea upstream. + +For non-4K PAGE_SIZE configs, the largest gigantic huge page size is +CONT_PMD_SHIFT order. On arm64 with 64K PAGE_SIZE, the gigantic page is +16G. Therefore, one should be able to specify 'hugetlb_cma=16G' on the +kernel command line so that one gigantic page can be allocated from CMA. +However, when adding such an option the following message is produced: + +hugetlb_cma: cma area should be at least 8796093022208 MiB + +This is because the calculation for non-4K gigantic page order is +incorrect in the arm64 specific routine arm64_hugetlb_cma_reserve(). + +Fixes: abb7962adc80 ("arm64/hugetlb: Reserve CMA areas for gigantic pages on 16K and 64K configs") +Cc: # 5.9.x +Signed-off-by: Mike Kravetz +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20211005202529.213812-1-mike.kravetz@oracle.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/hugetlbpage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/mm/hugetlbpage.c ++++ b/arch/arm64/mm/hugetlbpage.c +@@ -43,7 +43,7 @@ void __init arm64_hugetlb_cma_reserve(vo + #ifdef CONFIG_ARM64_4K_PAGES + order = PUD_SHIFT - PAGE_SHIFT; + #else +- order = CONT_PMD_SHIFT + PMD_SHIFT - PAGE_SHIFT; ++ order = CONT_PMD_SHIFT - PAGE_SHIFT; + #endif + /* + * HugeTLB CMA reservation is required for gigantic diff --git a/queue-5.10/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch b/queue-5.10/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch new file mode 100644 index 00000000000..63f9526a54a --- /dev/null +++ b/queue-5.10/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch @@ -0,0 +1,53 @@ +From cfd312695b71df04c3a2597859ff12c470d1e2e4 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 1 Oct 2021 13:48:18 +0100 +Subject: btrfs: check for error when looking up inode during dir entry replay + +From: Filipe Manana + +commit cfd312695b71df04c3a2597859ff12c470d1e2e4 upstream. + +At replay_one_name(), we are treating any error from btrfs_lookup_inode() +as if the inode does not exists. Fix this by checking for an error and +returning it to the caller. + +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1902,8 +1902,8 @@ static noinline int replay_one_name(stru + struct btrfs_key log_key; + struct inode *dir; + u8 log_type; +- int exists; +- int ret = 0; ++ bool exists; ++ int ret; + bool update_size = (key->type == BTRFS_DIR_INDEX_KEY); + bool name_added = false; + +@@ -1923,12 +1923,12 @@ static noinline int replay_one_name(stru + name_len); + + btrfs_dir_item_key_to_cpu(eb, di, &log_key); +- exists = btrfs_lookup_inode(trans, root, path, &log_key, 0); +- if (exists == 0) +- exists = 1; +- else +- exists = 0; ++ ret = btrfs_lookup_inode(trans, root, path, &log_key, 0); + btrfs_release_path(path); ++ if (ret < 0) ++ goto out; ++ exists = (ret == 0); ++ ret = 0; + + if (key->type == BTRFS_DIR_ITEM_KEY) { + dst_di = btrfs_lookup_dir_item(trans, root, path, key->objectid, diff --git a/queue-5.10/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch b/queue-5.10/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch new file mode 100644 index 00000000000..991aa53d9b6 --- /dev/null +++ b/queue-5.10/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch @@ -0,0 +1,51 @@ +From 52db77791fe24538c8aa2a183248399715f6b380 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 1 Oct 2021 13:52:32 +0100 +Subject: btrfs: deal with errors when adding inode reference during log replay + +From: Filipe Manana + +commit 52db77791fe24538c8aa2a183248399715f6b380 upstream. + +At __inode_add_ref(), we treating any error returned from +btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning +that there is no existing directory entry in the fs/subvolume tree. +This is not correct since we can get errors such as, for example, -EIO +when reading extent buffers while searching the fs/subvolume's btree. + +So fix that and return the error to the caller when it is not -ENOENT. + +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1137,7 +1137,10 @@ next: + /* look for a conflicting sequence number */ + di = btrfs_lookup_dir_index_item(trans, root, path, btrfs_ino(dir), + ref_index, name, namelen, 0); +- if (di && !IS_ERR(di)) { ++ if (IS_ERR(di)) { ++ if (PTR_ERR(di) != -ENOENT) ++ return PTR_ERR(di); ++ } else if (di) { + ret = drop_one_dir_item(trans, root, path, dir, di); + if (ret) + return ret; +@@ -1147,7 +1150,9 @@ next: + /* look for a conflicting name */ + di = btrfs_lookup_dir_item(trans, root, path, btrfs_ino(dir), + name, namelen, 0); +- if (di && !IS_ERR(di)) { ++ if (IS_ERR(di)) { ++ return PTR_ERR(di); ++ } else if (di) { + ret = drop_one_dir_item(trans, root, path, dir, di); + if (ret) + return ret; diff --git a/queue-5.10/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch b/queue-5.10/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch new file mode 100644 index 00000000000..580de0ea5a8 --- /dev/null +++ b/queue-5.10/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch @@ -0,0 +1,44 @@ +From e15ac6413745e3def00e663de00aea5a717311c1 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 1 Oct 2021 13:52:31 +0100 +Subject: btrfs: deal with errors when replaying dir entry during log replay + +From: Filipe Manana + +commit e15ac6413745e3def00e663de00aea5a717311c1 upstream. + +At replay_one_one(), we are treating any error returned from +btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning +that there is no existing directory entry in the fs/subvolume tree. +This is not correct since we can get errors such as, for example, -EIO +when reading extent buffers while searching the fs/subvolume's btree. + +So fix that and return the error to the caller when it is not -ENOENT. + +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1938,7 +1938,14 @@ static noinline int replay_one_name(stru + ret = -EINVAL; + goto out; + } +- if (IS_ERR_OR_NULL(dst_di)) { ++ ++ if (dst_di == ERR_PTR(-ENOENT)) ++ dst_di = NULL; ++ ++ if (IS_ERR(dst_di)) { ++ ret = PTR_ERR(dst_di); ++ goto out; ++ } else if (!dst_di) { + /* we need a sequence number to insert, so we only + * do inserts for the BTRFS_DIR_INDEX_KEY types + */ diff --git a/queue-5.10/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch b/queue-5.10/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch new file mode 100644 index 00000000000..39c63daad81 --- /dev/null +++ b/queue-5.10/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch @@ -0,0 +1,56 @@ +From 4afb912f439c4bc4e6a4f3e7547f2e69e354108f Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Tue, 5 Oct 2021 16:35:27 -0400 +Subject: btrfs: fix abort logic in btrfs_replace_file_extents + +From: Josef Bacik + +commit 4afb912f439c4bc4e6a4f3e7547f2e69e354108f upstream. + +Error injection testing uncovered a case where we'd end up with a +corrupt file system with a missing extent in the middle of a file. This +occurs because the if statement to decide if we should abort is wrong. + +The only way we would abort in this case is if we got a ret != +-EOPNOTSUPP and we called from the file clone code. However the +prealloc code uses this path too. Instead we need to abort if there is +an error, and the only error we _don't_ abort on is -EOPNOTSUPP and only +if we came from the clone file code. + +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Nikolay Borisov +Reviewed-by: Filipe Manana +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -2661,14 +2661,16 @@ int btrfs_replace_file_extents(struct in + 1, 0, 0, NULL); + if (ret != -ENOSPC) { + /* +- * When cloning we want to avoid transaction aborts when +- * nothing was done and we are attempting to clone parts +- * of inline extents, in such cases -EOPNOTSUPP is +- * returned by __btrfs_drop_extents() without having +- * changed anything in the file. ++ * The only time we don't want to abort is if we are ++ * attempting to clone a partial inline extent, in which ++ * case we'll get EOPNOTSUPP. However if we aren't ++ * clone we need to abort no matter what, because if we ++ * got EOPNOTSUPP via prealloc then we messed up and ++ * need to abort. + */ +- if (extent_info && !extent_info->is_new_extent && +- ret && ret != -EOPNOTSUPP) ++ if (ret && ++ (ret != -EOPNOTSUPP || ++ (extent_info && extent_info->is_new_extent))) + btrfs_abort_transaction(trans, ret); + break; + } diff --git a/queue-5.10/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch b/queue-5.10/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch new file mode 100644 index 00000000000..f8fdabbb438 --- /dev/null +++ b/queue-5.10/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch @@ -0,0 +1,96 @@ +From 19ea40dddf1833db868533958ca066f368862211 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 14 Sep 2021 14:57:59 +0800 +Subject: btrfs: unlock newly allocated extent buffer after error + +From: Qu Wenruo + +commit 19ea40dddf1833db868533958ca066f368862211 upstream. + +[BUG] +There is a bug report that injected ENOMEM error could leave a tree +block locked while we return to user-space: + + BTRFS info (device loop0): enabling ssd optimizations + FAULT_INJECTION: forcing a failure. + name failslab, interval 1, probability 0, space 0, times 0 + CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS + rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 + Call Trace: + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106 + fail_dump lib/fault-inject.c:52 [inline] + should_fail+0x13c/0x160 lib/fault-inject.c:146 + should_failslab+0x5/0x10 mm/slab_common.c:1328 + slab_pre_alloc_hook.constprop.99+0x4e/0xc0 mm/slab.h:494 + slab_alloc_node mm/slub.c:3120 [inline] + slab_alloc mm/slub.c:3214 [inline] + kmem_cache_alloc+0x44/0x280 mm/slub.c:3219 + btrfs_alloc_delayed_extent_op fs/btrfs/delayed-ref.h:299 [inline] + btrfs_alloc_tree_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833 + __btrfs_cow_block+0x16f/0x7d0 fs/btrfs/ctree.c:415 + btrfs_cow_block+0x12a/0x300 fs/btrfs/ctree.c:570 + btrfs_search_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768 + btrfs_insert_empty_items+0x80/0xf0 fs/btrfs/ctree.c:3905 + btrfs_new_inode+0x311/0xa60 fs/btrfs/inode.c:6530 + btrfs_create+0x12b/0x270 fs/btrfs/inode.c:6783 + lookup_open+0x660/0x780 fs/namei.c:3282 + open_last_lookups fs/namei.c:3352 [inline] + path_openat+0x465/0xe20 fs/namei.c:3557 + do_filp_open+0xe3/0x170 fs/namei.c:3588 + do_sys_openat2+0x357/0x4a0 fs/open.c:1200 + do_sys_open+0x87/0xd0 fs/open.c:1216 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x46ae99 + Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 + 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d + 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 + RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 + RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99 + RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800 + RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017 + R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0 + + ================================================ + WARNING: lock held when returning to user space! + 5.15.0-rc1 #16 Not tainted + ------------------------------------------------ + syz-executor/7579 is leaving the kernel with locks still held! + 1 lock held by syz-executor/7579: + #0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at: + __btrfs_tree_lock+0x2e/0x1a0 fs/btrfs/locking.c:112 + +[CAUSE] +In btrfs_alloc_tree_block(), after btrfs_init_new_buffer(), the new +extent buffer @buf is locked, but if later operations like adding +delayed tree ref fail, we just free @buf without unlocking it, +resulting above warning. + +[FIX] +Unlock @buf in out_free_buf: label. + +Reported-by: Hao Sun +Link: https://lore.kernel.org/linux-btrfs/CACkBjsZ9O6Zr0KK1yGn=1rQi6Crh1yeCRdTSBxx9R99L4xdn-Q@mail.gmail.com/ +CC: stable@vger.kernel.org # 5.4+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4715,6 +4715,7 @@ struct extent_buffer *btrfs_alloc_tree_b + out_free_delayed: + btrfs_free_delayed_extent_op(extent_op); + out_free_buf: ++ btrfs_tree_unlock(buf); + free_extent_buffer(buf); + out_free_reserved: + btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 0); diff --git a/queue-5.10/btrfs-update-refs-for-any-root-except-tree-log-roots.patch b/queue-5.10/btrfs-update-refs-for-any-root-except-tree-log-roots.patch new file mode 100644 index 00000000000..27e43de1141 --- /dev/null +++ b/queue-5.10/btrfs-update-refs-for-any-root-except-tree-log-roots.patch @@ -0,0 +1,62 @@ +From d175209be04d7d263fa1a54cde7608c706c9d0d7 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 1 Oct 2021 13:57:18 -0400 +Subject: btrfs: update refs for any root except tree log roots + +From: Josef Bacik + +commit d175209be04d7d263fa1a54cde7608c706c9d0d7 upstream. + +I hit a stuck relocation on btrfs/061 during my overnight testing. This +turned out to be because we had left over extent entries in our extent +root for a data reloc inode that no longer existed. This happened +because in btrfs_drop_extents() we only update refs if we have SHAREABLE +set or we are the tree_root. This regression was introduced by +aeb935a45581 ("btrfs: don't set SHAREABLE flag for data reloc tree") +where we stopped setting SHAREABLE for the data reloc tree. + +The problem here is we actually do want to update extent references for +data extents in the data reloc tree, in fact we only don't want to +update extent references if the file extents are in the log tree. +Update this check to only skip updating references in the case of the +log tree. + +This is relatively rare, because you have to be running scrub at the +same time, which is what btrfs/061 does. The data reloc inode has its +extents pre-allocated, and then we copy the extent into the +pre-allocated chunks. We theoretically should never be calling +btrfs_drop_extents() on a data reloc inode. The exception of course is +with scrub, if our pre-allocated extent falls inside of the block group +we are scrubbing, then the block group will be marked read only and we +will be forced to cow that extent. This means we will call +btrfs_drop_extents() on that range when we COW that file extent. + +This isn't really problematic if we do this, the data reloc inode +requires that our extent lengths match exactly with the extent we are +copying, thankfully we validate the extent is correct with +get_new_location(), so if we happen to COW only part of the extent we +won't link it in when we do the relocation, so we are safe from any +other shenanigans that arise because of this interaction with scrub. + +Fixes: aeb935a45581 ("btrfs: don't set SHAREABLE flag for data reloc tree") +CC: stable@vger.kernel.org # 5.8+ +Reviewed-by: Qu Wenruo +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -710,8 +710,7 @@ int __btrfs_drop_extents(struct btrfs_tr + if (start >= inode->disk_i_size && !replace_extent) + modify_tree = 0; + +- update_refs = (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) || +- root == fs_info->tree_root); ++ update_refs = (root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID); + while (1) { + recow = 0; + ret = btrfs_lookup_file_extent(trans, root, path, ino, diff --git a/queue-5.10/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch b/queue-5.10/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch new file mode 100644 index 00000000000..a9afd768282 --- /dev/null +++ b/queue-5.10/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch @@ -0,0 +1,46 @@ +From 09540fa337196be20e9f0241652364f09275d374 Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Thu, 16 Sep 2021 17:51:26 -0500 +Subject: clk: socfpga: agilex: fix duplicate s2f_user0_clk + +From: Dinh Nguyen + +commit 09540fa337196be20e9f0241652364f09275d374 upstream. + +Remove the duplicate s2f_user0_clk and the unused s2f_usr0_mux define. + +Fixes: f817c132db67 ("clk: socfpga: agilex: fix up s2f_user0_clk representation") +Cc: stable@vger.kernel.org +Signed-off-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20210916225126.1427700-1-dinguyen@kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/socfpga/clk-agilex.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/clk/socfpga/clk-agilex.c ++++ b/drivers/clk/socfpga/clk-agilex.c +@@ -165,13 +165,6 @@ static const struct clk_parent_data mpu_ + .name = "boot_clk", }, + }; + +-static const struct clk_parent_data s2f_usr0_mux[] = { +- { .fw_name = "f2s-free-clk", +- .name = "f2s-free-clk", }, +- { .fw_name = "boot_clk", +- .name = "boot_clk", }, +-}; +- + static const struct clk_parent_data emac_mux[] = { + { .fw_name = "emaca_free_clk", + .name = "emaca_free_clk", }, +@@ -299,8 +292,6 @@ static const struct stratix10_gate_clock + 4, 0x44, 28, 1, 0, 0, 0}, + { AGILEX_CS_TIMER_CLK, "cs_timer_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x24, + 5, 0, 0, 0, 0x30, 1, 0}, +- { AGILEX_S2F_USER0_CLK, "s2f_user0_clk", NULL, s2f_usr0_mux, ARRAY_SIZE(s2f_usr0_mux), 0, 0x24, +- 6, 0, 0, 0, 0, 0, 0}, + { AGILEX_EMAC0_CLK, "emac0_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C, + 0, 0, 0, 0, 0x94, 26, 0}, + { AGILEX_EMAC1_CLK, "emac1_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C, diff --git a/queue-5.10/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch b/queue-5.10/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch new file mode 100644 index 00000000000..6893dbc8347 --- /dev/null +++ b/queue-5.10/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch @@ -0,0 +1,43 @@ +From fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 24 Sep 2021 00:35:42 +0000 +Subject: csky: don't let sigreturn play with priveleged bits of status register + +From: Al Viro + +commit fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f upstream. + +csky restore_sigcontext() blindly overwrites regs->sr with the value +it finds in sigcontext. Attacker can store whatever they want in there, +which includes things like S-bit. Userland shouldn't be able to set +that, or anything other than C flag (bit 0). + +Do the same thing other architectures with protected bits in flags +register do - preserve everything that shouldn't be settable in +user mode, picking the rest from the value saved is sigcontext. + +Signed-off-by: Al Viro +Signed-off-by: Guo Ren +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/csky/kernel/signal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/csky/kernel/signal.c ++++ b/arch/csky/kernel/signal.c +@@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt + struct sigcontext __user *sc) + { + int err = 0; ++ unsigned long sr = regs->sr; + + /* sc_pt_regs is structured the same as the start of pt_regs */ + err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs)); + ++ /* BIT(0) of regs->sr is Condition Code/Carry bit */ ++ regs->sr = (sr & ~1) | (regs->sr & 1); ++ + /* Restore the floating-point state. */ + err |= restore_fpu_state(sc); + diff --git a/queue-5.10/csky-fixup-regs.sr-broken-in-ptrace.patch b/queue-5.10/csky-fixup-regs.sr-broken-in-ptrace.patch new file mode 100644 index 00000000000..47bd709dc87 --- /dev/null +++ b/queue-5.10/csky-fixup-regs.sr-broken-in-ptrace.patch @@ -0,0 +1,35 @@ +From af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 Mon Sep 17 00:00:00 2001 +From: Guo Ren +Date: Fri, 24 Sep 2021 15:33:38 +0800 +Subject: csky: Fixup regs.sr broken in ptrace + +From: Guo Ren + +commit af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 upstream. + +gpr_get() return the entire pt_regs (include sr) to userspace, if we +don't restore the C bit in gpr_set, it may break the ALU result in +that context. So the C flag bit is part of gpr context, that's why +riscv totally remove the C bit in the ISA. That makes sr reg clear +from userspace to supervisor privilege. + +Signed-off-by: Guo Ren +Cc: Al Viro +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/csky/kernel/ptrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/csky/kernel/ptrace.c ++++ b/arch/csky/kernel/ptrace.c +@@ -98,7 +98,8 @@ static int gpr_set(struct task_struct *t + if (ret) + return ret; + +- regs.sr = task_pt_regs(target)->sr; ++ /* BIT(0) of regs.sr is Condition Code/Carry bit */ ++ regs.sr = (regs.sr & BIT(0)) | (task_pt_regs(target)->sr & ~BIT(0)); + #ifdef CONFIG_CPU_HAS_HILO + regs.dcsr = task_pt_regs(target)->dcsr; + #endif diff --git a/queue-5.10/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch b/queue-5.10/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch new file mode 100644 index 00000000000..a71a9944192 --- /dev/null +++ b/queue-5.10/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch @@ -0,0 +1,64 @@ +From 171316a68d9a8e0d9e28b7cf4c15afc4c6244a4e Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Fri, 17 Sep 2021 02:59:13 +0200 +Subject: drm/msm: Avoid potential overflow in timeout_to_jiffies() + +From: Marek Vasut + +commit 171316a68d9a8e0d9e28b7cf4c15afc4c6244a4e upstream. + +The return type of ktime_divns() is s64. The timeout_to_jiffies() currently +assigns the result of this ktime_divns() to unsigned long, which on 32 bit +systems may overflow. Furthermore, the result of this function is sometimes +also passed to functions which expect signed long, dma_fence_wait_timeout() +is one such example. + +Fix this by adjusting the type of remaining_jiffies to s64, so we do not +suffer overflow there, and return a value limited to range of 0..INT_MAX, +which is safe for all usecases of this timeout. + +The above overflow can be triggered if userspace passes in too large timeout +value, larger than INT_MAX / HZ seconds. The kernel detects it and complains +about "schedule_timeout: wrong timeout value %lx" and generates a warning +backtrace. + +Note that this fixes commit 6cedb8b377bb ("drm/msm: avoid using 'timespec'"), +because the previously used timespec_to_jiffies() function returned unsigned +long instead of s64: +static inline unsigned long timespec_to_jiffies(const struct timespec *value) + +Fixes: 6cedb8b377bb ("drm/msm: avoid using 'timespec'") +Signed-off-by: Marek Vasut +Cc: Arnd Bergmann +Cc: Jordan Crouse +Cc: Rob Clark +Cc: stable@vger.kernel.org # 5.6+ +Acked-by: Arnd Bergmann +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210917005913.157379-1-marex@denx.de +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_drv.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_drv.h ++++ b/drivers/gpu/drm/msm/msm_drv.h +@@ -543,7 +543,7 @@ static inline int align_pitch(int width, + static inline unsigned long timeout_to_jiffies(const ktime_t *timeout) + { + ktime_t now = ktime_get(); +- unsigned long remaining_jiffies; ++ s64 remaining_jiffies; + + if (ktime_compare(*timeout, now) < 0) { + remaining_jiffies = 0; +@@ -552,7 +552,7 @@ static inline unsigned long timeout_to_j + remaining_jiffies = ktime_divns(rem, NSEC_PER_SEC / HZ); + } + +- return remaining_jiffies; ++ return clamp(remaining_jiffies, 0LL, (s64)INT_MAX); + } + + #endif /* __MSM_DRV_H__ */ diff --git a/queue-5.10/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch b/queue-5.10/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch new file mode 100644 index 00000000000..80bc4475e87 --- /dev/null +++ b/queue-5.10/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch @@ -0,0 +1,85 @@ +From be358af1191b1b2fedebd8f3421cafdc8edacc7d Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 14 Oct 2021 14:35:07 -0400 +Subject: nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^' + +From: Steven Rostedt + +commit be358af1191b1b2fedebd8f3421cafdc8edacc7d upstream. + +I received a build failure for a new patch I'm working on the nds32 +architecture, and when I went to test it, I couldn't get to my build error, +because it failed to build with a bunch of: + + Error: invalid operands (*UND* and *UND* sections) for `^' + +issues with various files. Those files were temporary asm files that looked +like: kernel/.tmp_mc_fork.s + +I decided to look deeper, and found that the "mc" portion of that name +stood for "mcount", and was created by the recordmcount.pl script. One that +I wrote over a decade ago. Once I knew the source of the problem, I was +able to investigate it further. + +The way the recordmcount.pl script works (BTW, there's a C version that +simply modifies the ELF object) is by doing an "objdump" on the object +file. Looks for all the calls to "mcount", and creates an offset of those +locations from some global variable it can use (usually a global function +name, found with <.*>:). Creates a asm file that is a table of references +to these locations, using the found variable/function. Compiles it and +links it back into the original object file. This asm file is called +".tmp_mc_.s". + +The problem here is that the objdump produced by the nds32 object file, +contains things that look like: + + 0000159a <.L3^B1>: + 159a: c6 00 beqz38 $r6, 159a <.L3^B1> + 159a: R_NDS32_9_PCREL_RELA .text+0x159e + 159c: 84 d2 movi55 $r6, #-14 + 159e: 80 06 mov55 $r0, $r6 + 15a0: ec 3c addi10.sp #0x3c + +Where ".L3^B1 is somehow selected as the "global" variable to index off of. + +Then the assembly file that holds the mcount locations looks like this: + + .section __mcount_loc,"a",@progbits + .align 2 + .long .L3^B1 + -5522 + .long .L3^B1 + -5384 + .long .L3^B1 + -5270 + .long .L3^B1 + -5098 + .long .L3^B1 + -4970 + .long .L3^B1 + -4758 + .long .L3^B1 + -4122 + [...] + +And when it is compiled back to an object to link to the original object, +the compile fails on the "^" symbol. + +Simple solution for now, is to have the perl script ignore using function +symbols that have an "^" in the name. + +Link: https://lkml.kernel.org/r/20211014143507.4ad2c0f7@gandalf.local.home + +Cc: stable@vger.kernel.org +Acked-by: Greentime Hu +Fixes: fbf58a52ac088 ("nds32/ftrace: Add RECORD_MCOUNT support") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + scripts/recordmcount.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/recordmcount.pl ++++ b/scripts/recordmcount.pl +@@ -222,7 +222,7 @@ if ($arch =~ /(x86(_64)?)|(i386)/) { + $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\S+)"; + $weak_regex = "^[0-9a-fA-F]+\\s+([wW])\\s+(\\S+)"; + $section_regex = "Disassembly of section\\s+(\\S+):"; +-$function_regex = "^([0-9a-fA-F]+)\\s+<(.*?)>:"; ++$function_regex = "^([0-9a-fA-F]+)\\s+<([^^]*?)>:"; + $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s(mcount|__fentry__)\$"; + $section_type = '@progbits'; + $mcount_adjust = 0; diff --git a/queue-5.10/s390-fix-strrchr-implementation.patch b/queue-5.10/s390-fix-strrchr-implementation.patch new file mode 100644 index 00000000000..d6f43510fdd --- /dev/null +++ b/queue-5.10/s390-fix-strrchr-implementation.patch @@ -0,0 +1,49 @@ +From 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Tue, 5 Oct 2021 14:08:36 +0200 +Subject: s390: fix strrchr() implementation + +From: Roberto Sassu + +commit 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d upstream. + +Fix two problems found in the strrchr() implementation for s390 +architectures: evaluate empty strings (return the string address instead of +NULL, if '\0' is passed as second argument); evaluate the first character +of non-empty strings (the current implementation stops at the second). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Reported-by: Heiko Carstens (incorrect behavior with empty strings) +Signed-off-by: Roberto Sassu +Link: https://lore.kernel.org/r/20211005120836.60630-1-roberto.sassu@huawei.com +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/lib/string.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/arch/s390/lib/string.c ++++ b/arch/s390/lib/string.c +@@ -246,14 +246,13 @@ EXPORT_SYMBOL(strcmp); + #ifdef __HAVE_ARCH_STRRCHR + char *strrchr(const char *s, int c) + { +- size_t len = __strend(s) - s; ++ ssize_t len = __strend(s) - s; + +- if (len) +- do { +- if (s[len] == (char) c) +- return (char *) s + len; +- } while (--len > 0); +- return NULL; ++ do { ++ if (s[len] == (char)c) ++ return (char *)s + len; ++ } while (--len >= 0); ++ return NULL; + } + EXPORT_SYMBOL(strrchr); + #endif diff --git a/queue-5.10/series b/queue-5.10/series index 495c9de25b7..e12f02492c8 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -9,3 +9,16 @@ alsa-hda-realtek-alc236-headset-mic-recording-issue.patch alsa-hda-realtek-add-quirk-for-tongfang-phxtxx1.patch alsa-hda-realtek-fix-for-quirk-to-enable-speaker-output-on-the-lenovo-13s-gen2.patch alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch +nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch +s390-fix-strrchr-implementation.patch +clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch +csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch +csky-fixup-regs.sr-broken-in-ptrace.patch +arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch +drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch +btrfs-unlock-newly-allocated-extent-buffer-after-error.patch +btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch +btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch +btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch +btrfs-update-refs-for-any-root-except-tree-log-roots.patch +btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch -- 2.47.3