<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/staging, branch v5.0.1</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held.</title>
<updated>2019-03-10T06:08:58+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2019-02-22T11:03:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b592247edd6ba2498cf4948b61913632443ab782'/>
<id>b592247edd6ba2498cf4948b61913632443ab782</id>
<content type='text'>
commit ecd182cbf4e107928077866399100228d2359c60 upstream.

ashmem_pin() is calling range_shrink() without checking whether
range_alloc() succeeded. Also, doing memory allocation with ashmem_mutex
held should be avoided because ashmem_shrink_scan() tries to hold it.

Therefore, move memory allocation for range_alloc() to ashmem_pin_unpin()
and make range_alloc() not to fail.

This patch is mostly meant for backporting purpose for fuzz testing on
stable/distributor kernels, for there is a plan to remove this code in
near future.

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Cc: stable@vger.kernel.org
Reviewed-by: Joel Fernandes &lt;joel@joelfernandes.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ecd182cbf4e107928077866399100228d2359c60 upstream.

ashmem_pin() is calling range_shrink() without checking whether
range_alloc() succeeded. Also, doing memory allocation with ashmem_mutex
held should be avoided because ashmem_shrink_scan() tries to hold it.

Therefore, move memory allocation for range_alloc() to ashmem_pin_unpin()
and make range_alloc() not to fail.

This patch is mostly meant for backporting purpose for fuzz testing on
stable/distributor kernels, for there is a plan to remove this code in
near future.

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Cc: stable@vger.kernel.org
Reviewed-by: Joel Fernandes &lt;joel@joelfernandes.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: android: ashmem: Don't call fallocate() with ashmem_mutex held.</title>
<updated>2019-03-10T06:08:58+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2019-02-05T10:28:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6a6b0c1b4731bde4d28e73f7a0eb9d6ddcc84724'/>
<id>6a6b0c1b4731bde4d28e73f7a0eb9d6ddcc84724</id>
<content type='text'>
commit fb4415a12632f0b9078a0aa80c16745d48fcfc74 upstream.

syzbot is hitting lockdep warnings [1][2][3]. This patch tries to fix
the warning by eliminating ashmem_shrink_scan() =&gt; {shmem|vfs}_fallocate()
sequence.

[1] https://syzkaller.appspot.com/bug?id=87c399f6fa6955006080b24142e2ce7680295ad4
[2] https://syzkaller.appspot.com/bug?id=7ebea492de7521048355fc84210220e1038a7908
[3] https://syzkaller.appspot.com/bug?id=e02419c12131c24e2a957ea050c2ab6dcbbc3270

Reported-by: syzbot &lt;syzbot+a76129f18c89f3e2ddd4@syzkaller.appspotmail.com&gt;
Reported-by: syzbot &lt;syzbot+148c2885d71194f18d28@syzkaller.appspotmail.com&gt;
Reported-by: syzbot &lt;syzbot+4b8b031b89e6b96c4b2e@syzkaller.appspotmail.com&gt;
Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Cc: stable@vger.kernel.org
Acked-by: Joel Fernandes (Google) &lt;joel@joelfernandes.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit fb4415a12632f0b9078a0aa80c16745d48fcfc74 upstream.

syzbot is hitting lockdep warnings [1][2][3]. This patch tries to fix
the warning by eliminating ashmem_shrink_scan() =&gt; {shmem|vfs}_fallocate()
sequence.

[1] https://syzkaller.appspot.com/bug?id=87c399f6fa6955006080b24142e2ce7680295ad4
[2] https://syzkaller.appspot.com/bug?id=7ebea492de7521048355fc84210220e1038a7908
[3] https://syzkaller.appspot.com/bug?id=e02419c12131c24e2a957ea050c2ab6dcbbc3270

Reported-by: syzbot &lt;syzbot+a76129f18c89f3e2ddd4@syzkaller.appspotmail.com&gt;
Reported-by: syzbot &lt;syzbot+148c2885d71194f18d28@syzkaller.appspotmail.com&gt;
Reported-by: syzbot &lt;syzbot+4b8b031b89e6b96c4b2e@syzkaller.appspotmail.com&gt;
Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Cc: stable@vger.kernel.org
Acked-by: Joel Fernandes (Google) &lt;joel@joelfernandes.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: android: ion: fix sys heap pool's gfp_flags</title>
<updated>2019-03-10T06:08:58+00:00</updated>
<author>
<name>Qing Xia</name>
<email>saberlily.xia@hisilicon.com</email>
</author>
<published>2019-02-01T06:59:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6e2cda2e854bbaa3d72b5eff9edf06bac205ccec'/>
<id>6e2cda2e854bbaa3d72b5eff9edf06bac205ccec</id>
<content type='text'>
commit 9bcf065e28122588a6cbee08cf847826dacbb438 upstream.

In the first loop, gfp_flags will be modified to high_order_gfp_flags,
and there will be no chance to change back to low_order_gfp_flags.

Fixes: e7f63771b60e ("ION: Sys_heap: Add cached pool to spead up cached buffer alloc")
Signed-off-by: Qing Xia &lt;saberlily.xia@hisilicon.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Jing Xia &lt;jing.xia@unisoc.com&gt;
Reviewed-by: Yuming Han &lt;yuming.han@unisoc.com&gt;
Reviewed-by: Zhaoyang Huang &lt;zhaoyang.huang@unisoc.com&gt;
Reviewed-by: Orson Zhai &lt;orson.zhai@unisoc.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9bcf065e28122588a6cbee08cf847826dacbb438 upstream.

In the first loop, gfp_flags will be modified to high_order_gfp_flags,
and there will be no chance to change back to low_order_gfp_flags.

Fixes: e7f63771b60e ("ION: Sys_heap: Add cached pool to spead up cached buffer alloc")
Signed-off-by: Qing Xia &lt;saberlily.xia@hisilicon.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Jing Xia &lt;jing.xia@unisoc.com&gt;
Reviewed-by: Yuming Han &lt;yuming.han@unisoc.com&gt;
Reviewed-by: Zhaoyang Huang &lt;zhaoyang.huang@unisoc.com&gt;
Reviewed-by: Orson Zhai &lt;orson.zhai@unisoc.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: wilc1000: fix to set correct value for 'vif_num'</title>
<updated>2019-03-10T06:08:58+00:00</updated>
<author>
<name>Ajay Singh</name>
<email>ajay.kathat@microchip.com</email>
</author>
<published>2019-02-07T11:28:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f14ab1e367d2f0623b01780cf3a6a01a1fd16f09'/>
<id>f14ab1e367d2f0623b01780cf3a6a01a1fd16f09</id>
<content type='text'>
commit dda037057a572f5c82ac2499eb4e6fb17600ba3e upstream.

Set correct value in '-&gt;vif_num' for the total number of interfaces and
set '-&gt;idx' value using 'i'.

Fixes: 735bb39ca3be ("staging: wilc1000: simplify vif[i]-&gt;ndev accesses")
Fixes: 0e490657c721 ("staging: wilc1000: Fix problem with wrong vif index")
Cc: &lt;stable@vger.kernel.org&gt;
Suggested-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit dda037057a572f5c82ac2499eb4e6fb17600ba3e upstream.

Set correct value in '-&gt;vif_num' for the total number of interfaces and
set '-&gt;idx' value using 'i'.

Fixes: 735bb39ca3be ("staging: wilc1000: simplify vif[i]-&gt;ndev accesses")
Fixes: 0e490657c721 ("staging: wilc1000: Fix problem with wrong vif index")
Cc: &lt;stable@vger.kernel.org&gt;
Suggested-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Reviewed-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: comedi: ni_660x: fix missing break in switch statement</title>
<updated>2019-03-10T06:08:58+00:00</updated>
<author>
<name>Gustavo A. R. Silva</name>
<email>gustavo@embeddedor.com</email>
</author>
<published>2019-02-12T18:44:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e872d586158c27401f98a1f5bedaa6e4b9b1fd63'/>
<id>e872d586158c27401f98a1f5bedaa6e4b9b1fd63</id>
<content type='text'>
commit 479826cc86118e0d87e5cefb3df5b748e0480924 upstream.

Add missing break statement in order to prevent the code from falling
through to the default case and return -EINVAL every time.

This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.

Fixes: aa94f2888825 ("staging: comedi: ni_660x: tidy up ni_660x_set_pfi_routing()")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva &lt;gustavo@embeddedor.com&gt;
Reviewed-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 479826cc86118e0d87e5cefb3df5b748e0480924 upstream.

Add missing break statement in order to prevent the code from falling
through to the default case and return -EINVAL every time.

This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.

Fixes: aa94f2888825 ("staging: comedi: ni_660x: tidy up ni_660x_set_pfi_routing()")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva &lt;gustavo@embeddedor.com&gt;
Reviewed-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: fix illegal address access under memory pressure</title>
<updated>2019-03-10T06:08:58+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-02-27T05:33:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=116ad909da648d58a6a84024a537274106c68819'/>
<id>116ad909da648d58a6a84024a537274106c68819</id>
<content type='text'>
commit 1e5ceeab6929585512c63d05911d6657064abf7b upstream.

Considering a read request with two decompressed file pages,
If a decompression work cannot be started on the previous page
due to memory pressure but in-memory LTP map lookup is done,
builder-&gt;work should be still NULL.

Moreover, if the current page also belongs to the same map,
it won't try to start the decompression work again and then
run into trouble.

This patch aims to solve the above issue only with little changes
as much as possible in order to make the fix backport easier.

kernel message is:
&lt;4&gt;[1051408.015930s]SLUB: Unable to allocate memory on node -1, gfp=0x2408040(GFP_NOFS|__GFP_ZERO)
&lt;4&gt;[1051408.015930s]  cache: erofs_compress, object size: 144, buffer size: 144, default order: 0, min order: 0
&lt;4&gt;[1051408.015930s]  node 0: slabs: 98, objs: 2744, free: 0
  * Cannot allocate the decompression work

&lt;3&gt;[1051408.015960s]erofs: z_erofs_vle_normalaccess_readpages, readahead error at page 1008 of nid 5391488
  * Note that the previous page was failed to read

&lt;0&gt;[1051408.015960s]Internal error: Accessing user space memory outside uaccess.h routines: 96000005 [#1] PREEMPT SMP
...
&lt;4&gt;[1051408.015991s]Hardware name: kirin710 (DT)
...
&lt;4&gt;[1051408.016021s]PC is at z_erofs_vle_work_add_page+0xa0/0x17c
&lt;4&gt;[1051408.016021s]LR is at z_erofs_do_read_page+0x12c/0xcf0
...
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6fb0fd4&gt;] z_erofs_vle_work_add_page+0xa0/0x17c
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6fb3814&gt;] z_erofs_vle_normalaccess_readpages+0x1a0/0x37c
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6d670b8&gt;] read_pages+0x70/0x190
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d6736c&gt;] __do_page_cache_readahead+0x194/0x1a8
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d59318&gt;] filemap_fault+0x398/0x684
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8a9e0&gt;] __do_fault+0x8c/0x138
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8f90c&gt;] handle_pte_fault+0x730/0xb7c
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8fe04&gt;] __handle_mm_fault+0xac/0xf4
&lt;4&gt;[1051408.018157s][&lt;ffffff80c6d8fec8&gt;] handle_mm_fault+0x7c/0x118
&lt;4&gt;[1051408.018157s][&lt;ffffff80c8c52998&gt;] do_page_fault+0x354/0x474
&lt;4&gt;[1051408.018157s][&lt;ffffff80c8c52af8&gt;] do_translation_fault+0x40/0x48
&lt;4&gt;[1051408.018157s][&lt;ffffff80c6c002f4&gt;] do_mem_abort+0x80/0x100
&lt;4&gt;[1051408.018310s]---[ end trace 9f4009a3283bd78b ]---

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1e5ceeab6929585512c63d05911d6657064abf7b upstream.

Considering a read request with two decompressed file pages,
If a decompression work cannot be started on the previous page
due to memory pressure but in-memory LTP map lookup is done,
builder-&gt;work should be still NULL.

Moreover, if the current page also belongs to the same map,
it won't try to start the decompression work again and then
run into trouble.

This patch aims to solve the above issue only with little changes
as much as possible in order to make the fix backport easier.

kernel message is:
&lt;4&gt;[1051408.015930s]SLUB: Unable to allocate memory on node -1, gfp=0x2408040(GFP_NOFS|__GFP_ZERO)
&lt;4&gt;[1051408.015930s]  cache: erofs_compress, object size: 144, buffer size: 144, default order: 0, min order: 0
&lt;4&gt;[1051408.015930s]  node 0: slabs: 98, objs: 2744, free: 0
  * Cannot allocate the decompression work

&lt;3&gt;[1051408.015960s]erofs: z_erofs_vle_normalaccess_readpages, readahead error at page 1008 of nid 5391488
  * Note that the previous page was failed to read

&lt;0&gt;[1051408.015960s]Internal error: Accessing user space memory outside uaccess.h routines: 96000005 [#1] PREEMPT SMP
...
&lt;4&gt;[1051408.015991s]Hardware name: kirin710 (DT)
...
&lt;4&gt;[1051408.016021s]PC is at z_erofs_vle_work_add_page+0xa0/0x17c
&lt;4&gt;[1051408.016021s]LR is at z_erofs_do_read_page+0x12c/0xcf0
...
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6fb0fd4&gt;] z_erofs_vle_work_add_page+0xa0/0x17c
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6fb3814&gt;] z_erofs_vle_normalaccess_readpages+0x1a0/0x37c
&lt;4&gt;[1051408.018096s][&lt;ffffff80c6d670b8&gt;] read_pages+0x70/0x190
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d6736c&gt;] __do_page_cache_readahead+0x194/0x1a8
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d59318&gt;] filemap_fault+0x398/0x684
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8a9e0&gt;] __do_fault+0x8c/0x138
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8f90c&gt;] handle_pte_fault+0x730/0xb7c
&lt;4&gt;[1051408.018127s][&lt;ffffff80c6d8fe04&gt;] __handle_mm_fault+0xac/0xf4
&lt;4&gt;[1051408.018157s][&lt;ffffff80c6d8fec8&gt;] handle_mm_fault+0x7c/0x118
&lt;4&gt;[1051408.018157s][&lt;ffffff80c8c52998&gt;] do_page_fault+0x354/0x474
&lt;4&gt;[1051408.018157s][&lt;ffffff80c8c52af8&gt;] do_translation_fault+0x40/0x48
&lt;4&gt;[1051408.018157s][&lt;ffffff80c6c002f4&gt;] do_mem_abort+0x80/0x100
&lt;4&gt;[1051408.018310s]---[ end trace 9f4009a3283bd78b ]---

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: fix race of initializing xattrs of a inode at the same time</title>
<updated>2019-03-10T06:08:58+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-02-18T07:19:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fa42199d9dab6c82222d4786ed9674f12909611b'/>
<id>fa42199d9dab6c82222d4786ed9674f12909611b</id>
<content type='text'>
commit 62dc45979f3f8cb0ea67302a93bff686f0c46c5a upstream.

In real scenario, there could be several threads accessing xattrs
of the same xattr-uninitialized inode, and init_inode_xattrs()
almost at the same time.

That's actually an unexpected behavior, this patch closes the race.

Fixes: b17500a0fdba ("staging: erofs: introduce xattr &amp; acl support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 62dc45979f3f8cb0ea67302a93bff686f0c46c5a upstream.

In real scenario, there could be several threads accessing xattrs
of the same xattr-uninitialized inode, and init_inode_xattrs()
almost at the same time.

That's actually an unexpected behavior, this patch closes the race.

Fixes: b17500a0fdba ("staging: erofs: introduce xattr &amp; acl support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: fix memleak of inode's shared xattr array</title>
<updated>2019-03-10T06:08:58+00:00</updated>
<author>
<name>Sheng Yong</name>
<email>shengyong1@huawei.com</email>
</author>
<published>2019-02-14T06:46:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6df0b3ebdade371d94663353654fa6d6f0d1ca1a'/>
<id>6df0b3ebdade371d94663353654fa6d6f0d1ca1a</id>
<content type='text'>
commit 3b1b5291f79d040d549d7c746669fc30e8045b9b upstream.

If it fails to read a shared xattr page, the inode's shared xattr array
is not freed. The next time the inode's xattr is accessed, the previously
allocated array is leaked.

Signed-off-by: Sheng Yong &lt;shengyong1@huawei.com&gt;
Fixes: b17500a0fdba ("staging: erofs: introduce xattr &amp; acl support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Reviewed-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3b1b5291f79d040d549d7c746669fc30e8045b9b upstream.

If it fails to read a shared xattr page, the inode's shared xattr array
is not freed. The next time the inode's xattr is accessed, the previously
allocated array is leaked.

Signed-off-by: Sheng Yong &lt;shengyong1@huawei.com&gt;
Fixes: b17500a0fdba ("staging: erofs: introduce xattr &amp; acl support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Reviewed-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: fix fast symlink w/o xattr when fs xattr is on</title>
<updated>2019-03-10T06:08:58+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-01-14T11:40:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=27f2f4877a004fa0360d63b8c5baa3ec90e6f022'/>
<id>27f2f4877a004fa0360d63b8c5baa3ec90e6f022</id>
<content type='text'>
commit 7077fffcb0b0b65dc75e341306aeef4d0e7f2ec6 upstream.

Currently, this will hit a BUG_ON for these symlinks as follows:

- kernel message
------------[ cut here ]------------
kernel BUG at drivers/staging/erofs/xattr.c:59!
SMP PTI
CPU: 1 PID: 1170 Comm: getllxattr Not tainted 4.20.0-rc6+ #92
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
RIP: 0010:init_inode_xattrs+0x22b/0x270
Code: 48 0f 45 ea f0 ff 4d 34 74 0d 41 83 4c 24 e0 01 31 c0 e9 00 fe ff ff 48 89 ef e8 e0 31 9e ff eb e9 89 e8 e9 ef fd ff ff 0f 0$
 &lt;0f&gt; 0b 48 89 ef e8 fb f6 9c ff 48 8b 45 08 a8 01 75 24 f0 ff 4d 34
RSP: 0018:ffffa03ac026bdf8 EFLAGS: 00010246
------------[ cut here ]------------
...
Call Trace:
 erofs_listxattr+0x30/0x2c0
 ? selinux_inode_listxattr+0x5a/0x80
 ? kmem_cache_alloc+0x33/0x170
 ? security_inode_listxattr+0x27/0x40
 listxattr+0xaf/0xc0
 path_listxattr+0x5a/0xa0
 do_syscall_64+0x43/0xf0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
...
---[ end trace 3c24b49408dc0c72 ]---

Fix it by checking -&gt;xattr_isize in init_inode_xattrs(),
and it also fixes improper return value -ENOTSUPP
(it should be -ENODATA if xattr is enabled) for those inodes.

Fixes: b17500a0fdba ("staging: erofs: introduce xattr &amp; acl support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Reported-by: Li Guifu &lt;bluce.liguifu@huawei.com&gt;
Tested-by: Li Guifu &lt;bluce.liguifu@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7077fffcb0b0b65dc75e341306aeef4d0e7f2ec6 upstream.

Currently, this will hit a BUG_ON for these symlinks as follows:

- kernel message
------------[ cut here ]------------
kernel BUG at drivers/staging/erofs/xattr.c:59!
SMP PTI
CPU: 1 PID: 1170 Comm: getllxattr Not tainted 4.20.0-rc6+ #92
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
RIP: 0010:init_inode_xattrs+0x22b/0x270
Code: 48 0f 45 ea f0 ff 4d 34 74 0d 41 83 4c 24 e0 01 31 c0 e9 00 fe ff ff 48 89 ef e8 e0 31 9e ff eb e9 89 e8 e9 ef fd ff ff 0f 0$
 &lt;0f&gt; 0b 48 89 ef e8 fb f6 9c ff 48 8b 45 08 a8 01 75 24 f0 ff 4d 34
RSP: 0018:ffffa03ac026bdf8 EFLAGS: 00010246
------------[ cut here ]------------
...
Call Trace:
 erofs_listxattr+0x30/0x2c0
 ? selinux_inode_listxattr+0x5a/0x80
 ? kmem_cache_alloc+0x33/0x170
 ? security_inode_listxattr+0x27/0x40
 listxattr+0xaf/0xc0
 path_listxattr+0x5a/0xa0
 do_syscall_64+0x43/0xf0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
...
---[ end trace 3c24b49408dc0c72 ]---

Fix it by checking -&gt;xattr_isize in init_inode_xattrs(),
and it also fixes improper return value -ENOTSUPP
(it should be -ENODATA if xattr is enabled) for those inodes.

Fixes: b17500a0fdba ("staging: erofs: introduce xattr &amp; acl support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Reported-by: Li Guifu &lt;bluce.liguifu@huawei.com&gt;
Tested-by: Li Guifu &lt;bluce.liguifu@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>staging: erofs: fix mis-acted TAIL merging behavior</title>
<updated>2019-03-10T06:08:57+00:00</updated>
<author>
<name>Gao Xiang</name>
<email>gaoxiang25@huawei.com</email>
</author>
<published>2019-02-27T05:33:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e93cd6500ff940c3f394868e31f4036622936c7a'/>
<id>e93cd6500ff940c3f394868e31f4036622936c7a</id>
<content type='text'>
commit a112152f6f3a2a88caa6f414d540bd49e406af60 upstream.

EROFS has an optimized path called TAIL merging, which is designed
to merge multiple reads and the corresponding decompressions into
one if these requests read continuous pages almost at the same time.

In general, it behaves as follows:
 ________________________________________________________________
  ... |  TAIL  .  HEAD  |  PAGE  |  PAGE  |  TAIL    . HEAD | ...
 _____|_combined page A_|________|________|_combined page B_|____
        1  ]  -&gt;  [  2                          ]  -&gt;  [ 3
If the above three reads are requested in the order 1-2-3, it will
generate a large work chain rather than 3 individual work chains
to reduce scheduling overhead and boost up sequential read.

However, if Read 2 is processed slightly earlier than Read 1,
currently it still generates 2 individual work chains (chain 1, 2)
but it does in-place decompression for combined page A, moreover,
if chain 2 decompresses ahead of chain 1, it will be a race and
lead to corrupted decompressed page. This patch fixes it.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a112152f6f3a2a88caa6f414d540bd49e406af60 upstream.

EROFS has an optimized path called TAIL merging, which is designed
to merge multiple reads and the corresponding decompressions into
one if these requests read continuous pages almost at the same time.

In general, it behaves as follows:
 ________________________________________________________________
  ... |  TAIL  .  HEAD  |  PAGE  |  PAGE  |  TAIL    . HEAD | ...
 _____|_combined page A_|________|________|_combined page B_|____
        1  ]  -&gt;  [  2                          ]  -&gt;  [ 3
If the above three reads are requested in the order 1-2-3, it will
generate a large work chain rather than 3 individual work chains
to reduce scheduling overhead and boost up sequential read.

However, if Read 2 is processed slightly earlier than Read 1,
currently it still generates 2 individual work chains (chain 1, 2)
but it does in-place decompression for combined page A, moreover,
if chain 2 decompresses ahead of chain 1, it will be a race and
lead to corrupted decompressed page. This patch fixes it.

Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: &lt;stable@vger.kernel.org&gt; # 4.19+
Signed-off-by: Gao Xiang &lt;gaoxiang25@huawei.com&gt;
Reviewed-by: Chao Yu &lt;yuchao0@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
