]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Oct 2022 15:33:06 +0000 (17:33 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Oct 2022 15:33:06 +0000 (17:33 +0200)
added patches:
ata-ahci-imx-fix-module_alias.patch
ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
hwmon-coretemp-handle-large-core-id-value.patch
kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
media-venus-dec-handle-the-case-where-find_format-fails.patch
ocfs2-clear-dinode-links-count-in-case-of-error.patch
ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch

queue-4.19/ata-ahci-imx-fix-module_alias.patch [new file with mode: 0644]
queue-4.19/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch [new file with mode: 0644]
queue-4.19/hwmon-coretemp-handle-large-core-id-value.patch [new file with mode: 0644]
queue-4.19/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch [new file with mode: 0644]
queue-4.19/media-venus-dec-handle-the-case-where-find_format-fails.patch [new file with mode: 0644]
queue-4.19/ocfs2-clear-dinode-links-count-in-case-of-error.patch [new file with mode: 0644]
queue-4.19/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch [new file with mode: 0644]
queue-4.19/series [new file with mode: 0644]
queue-4.19/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch [new file with mode: 0644]

diff --git a/queue-4.19/ata-ahci-imx-fix-module_alias.patch b/queue-4.19/ata-ahci-imx-fix-module_alias.patch
new file mode 100644 (file)
index 0000000..d8323a0
--- /dev/null
@@ -0,0 +1,30 @@
+From 979556f1521a835a059de3b117b9c6c6642c7d58 Mon Sep 17 00:00:00 2001
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+Date: Wed, 12 Oct 2022 15:11:05 +0200
+Subject: ata: ahci-imx: Fix MODULE_ALIAS
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+commit 979556f1521a835a059de3b117b9c6c6642c7d58 upstream.
+
+'ahci:' is an invalid prefix, preventing the module from autoloading.
+Fix this by using the 'platform:' prefix and DRV_NAME.
+
+Fixes: 9e54eae23bc9 ("ahci_imx: add ahci sata support on imx platforms")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ahci_imx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ahci_imx.c
++++ b/drivers/ata/ahci_imx.c
+@@ -1250,4 +1250,4 @@ module_platform_driver(imx_ahci_driver);
+ MODULE_DESCRIPTION("Freescale i.MX AHCI SATA platform driver");
+ MODULE_AUTHOR("Richard Zhu <Hong-Xing.Zhu@freescale.com>");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS("ahci:imx");
++MODULE_ALIAS("platform:" DRV_NAME);
diff --git a/queue-4.19/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch b/queue-4.19/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
new file mode 100644 (file)
index 0000000..c445e54
--- /dev/null
@@ -0,0 +1,76 @@
+From 1e41e693f458eef2d5728207dbd327cd3b16580a Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 11 Oct 2022 10:46:17 +0800
+Subject: ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 1e41e693f458eef2d5728207dbd327cd3b16580a upstream.
+
+UBSAN complains about array-index-out-of-bounds:
+[ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41
+[ 1.980709] kernel: index 15 is out of range for type 'ahci_em_priv [8]'
+[ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu
+[ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010
+[ 1.980718] kernel: Call Trace:
+[ 1.980721] kernel: <TASK>
+[ 1.980723] kernel: show_stack+0x52/0x58
+[ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f
+[ 1.980734] kernel: dump_stack+0x10/0x12
+[ 1.980736] kernel: ubsan_epilogue+0x9/0x45
+[ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49
+[ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci]
+[ 1.980748] kernel: ata_qc_issue+0x135/0x240
+[ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580
+[ 1.980754] kernel: ? vprintk_default+0x1d/0x20
+[ 1.980759] kernel: ata_exec_internal+0x67/0xa0
+[ 1.980762] kernel: sata_pmp_read+0x8d/0xc0
+[ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90
+[ 1.980768] kernel: sata_pmp_attach+0x8b/0x310
+[ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0
+[ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30
+[ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci]
+[ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci]
+[ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci]
+[ 1.980792] kernel: ? trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0
+[ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560
+[ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40
+[ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci]
+[ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600
+[ 1.980810] kernel: ata_scsi_error+0x9c/0xd0
+[ 1.980813] kernel: scsi_error_handler+0xa1/0x180
+[ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0
+[ 1.980820] kernel: kthread+0x12a/0x150
+[ 1.980823] kernel: ? set_kthread_struct+0x50/0x50
+[ 1.980826] kernel: ret_from_fork+0x22/0x30
+[ 1.980831] kernel: </TASK>
+
+This happens because sata_pmp_init_links() initialize link->pmp up to
+SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array.
+
+I can't find the maximum Enclosure Management ports specified in AHCI
+spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier
+Information" can utilize 4 bits, which implies it can support up to 16
+ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the
+issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1970074
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ahci.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ahci.h
++++ b/drivers/ata/ahci.h
+@@ -265,7 +265,7 @@ enum {
+       PCS_7                           = 0x94, /* 7+ port PCS (Denverton) */
+       /* em constants */
+-      EM_MAX_SLOTS                    = 8,
++      EM_MAX_SLOTS                    = SATA_PMP_MAX_PORTS,
+       EM_MAX_RETRY                    = 5,
+       /* em_ctl bits */
diff --git a/queue-4.19/hwmon-coretemp-handle-large-core-id-value.patch b/queue-4.19/hwmon-coretemp-handle-large-core-id-value.patch
new file mode 100644 (file)
index 0000000..baf194a
--- /dev/null
@@ -0,0 +1,170 @@
+From 7108b80a542b9d65e44b36d64a700a83658c0b73 Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Fri, 14 Oct 2022 17:01:45 +0800
+Subject: hwmon/coretemp: Handle large core ID value
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+commit 7108b80a542b9d65e44b36d64a700a83658c0b73 upstream.
+
+The coretemp driver supports up to a hard-coded limit of 128 cores.
+
+Today, the driver can not support a core with an ID above that limit.
+Yet, the encoding of core ID's is arbitrary (BIOS APIC-ID) and so they
+may be sparse and they may be large.
+
+Update the driver to map arbitrary core ID numbers into appropriate
+array indexes so that 128 cores can be supported, no matter the encoding
+of core ID's.
+
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Len Brown <len.brown@intel.com>
+Acked-by: Guenter Roeck <linux@roeck-us.net>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20221014090147.1836-3-rui.zhang@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/coretemp.c |   56 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 41 insertions(+), 15 deletions(-)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -59,9 +59,6 @@ MODULE_PARM_DESC(tjmax, "TjMax value in
+ #define TOTAL_ATTRS           (MAX_CORE_ATTRS + 1)
+ #define MAX_CORE_DATA         (NUM_REAL_CORES + BASE_SYSFS_ATTR_NO)
+-#define TO_CORE_ID(cpu)               (cpu_data(cpu).cpu_core_id)
+-#define TO_ATTR_NO(cpu)               (TO_CORE_ID(cpu) + BASE_SYSFS_ATTR_NO)
+-
+ #ifdef CONFIG_SMP
+ #define for_each_sibling(i, cpu) \
+       for_each_cpu(i, topology_sibling_cpumask(cpu))
+@@ -104,6 +101,8 @@ struct temp_data {
+ struct platform_data {
+       struct device           *hwmon_dev;
+       u16                     pkg_id;
++      u16                     cpu_map[NUM_REAL_CORES];
++      struct ida              ida;
+       struct cpumask          cpumask;
+       struct temp_data        *core_data[MAX_CORE_DATA];
+       struct device_attribute name_attr;
+@@ -454,7 +453,7 @@ static struct temp_data *init_temp_data(
+                                                       MSR_IA32_THERM_STATUS;
+       tdata->is_pkg_data = pkg_flag;
+       tdata->cpu = cpu;
+-      tdata->cpu_core_id = TO_CORE_ID(cpu);
++      tdata->cpu_core_id = topology_core_id(cpu);
+       tdata->attr_size = MAX_CORE_ATTRS;
+       mutex_init(&tdata->update_lock);
+       return tdata;
+@@ -467,7 +466,7 @@ static int create_core_data(struct platf
+       struct platform_data *pdata = platform_get_drvdata(pdev);
+       struct cpuinfo_x86 *c = &cpu_data(cpu);
+       u32 eax, edx;
+-      int err, attr_no;
++      int err, index, attr_no;
+       /*
+        * Find attr number for sysfs:
+@@ -475,14 +474,26 @@ static int create_core_data(struct platf
+        * The attr number is always core id + 2
+        * The Pkgtemp will always show up as temp1_*, if available
+        */
+-      attr_no = pkg_flag ? PKG_SYSFS_ATTR_NO : TO_ATTR_NO(cpu);
++      if (pkg_flag) {
++              attr_no = PKG_SYSFS_ATTR_NO;
++      } else {
++              index = ida_alloc(&pdata->ida, GFP_KERNEL);
++              if (index < 0)
++                      return index;
++              pdata->cpu_map[index] = topology_core_id(cpu);
++              attr_no = index + BASE_SYSFS_ATTR_NO;
++      }
+-      if (attr_no > MAX_CORE_DATA - 1)
+-              return -ERANGE;
++      if (attr_no > MAX_CORE_DATA - 1) {
++              err = -ERANGE;
++              goto ida_free;
++      }
+       tdata = init_temp_data(cpu, pkg_flag);
+-      if (!tdata)
+-              return -ENOMEM;
++      if (!tdata) {
++              err = -ENOMEM;
++              goto ida_free;
++      }
+       /* Test if we can access the status register */
+       err = rdmsr_safe_on_cpu(cpu, tdata->status_reg, &eax, &edx);
+@@ -518,6 +529,9 @@ static int create_core_data(struct platf
+ exit_free:
+       pdata->core_data[attr_no] = NULL;
+       kfree(tdata);
++ida_free:
++      if (!pkg_flag)
++              ida_free(&pdata->ida, index);
+       return err;
+ }
+@@ -537,6 +551,9 @@ static void coretemp_remove_core(struct
+       kfree(pdata->core_data[indx]);
+       pdata->core_data[indx] = NULL;
++
++      if (indx >= BASE_SYSFS_ATTR_NO)
++              ida_free(&pdata->ida, indx - BASE_SYSFS_ATTR_NO);
+ }
+ static int coretemp_probe(struct platform_device *pdev)
+@@ -550,6 +567,7 @@ static int coretemp_probe(struct platfor
+               return -ENOMEM;
+       pdata->pkg_id = pdev->id;
++      ida_init(&pdata->ida);
+       platform_set_drvdata(pdev, pdata);
+       pdata->hwmon_dev = devm_hwmon_device_register_with_groups(dev, DRVNAME,
+@@ -566,6 +584,7 @@ static int coretemp_remove(struct platfo
+               if (pdata->core_data[i])
+                       coretemp_remove_core(pdata, i);
++      ida_destroy(&pdata->ida);
+       return 0;
+ }
+@@ -660,7 +679,7 @@ static int coretemp_cpu_offline(unsigned
+       struct platform_device *pdev = coretemp_get_pdev(cpu);
+       struct platform_data *pd;
+       struct temp_data *tdata;
+-      int indx, target;
++      int i, indx = -1, target;
+       /*
+        * Don't execute this on suspend as the device remove locks
+@@ -673,12 +692,19 @@ static int coretemp_cpu_offline(unsigned
+       if (!pdev)
+               return 0;
+-      /* The core id is too big, just return */
+-      indx = TO_ATTR_NO(cpu);
+-      if (indx > MAX_CORE_DATA - 1)
++      pd = platform_get_drvdata(pdev);
++
++      for (i = 0; i < NUM_REAL_CORES; i++) {
++              if (pd->cpu_map[i] == topology_core_id(cpu)) {
++                      indx = i + BASE_SYSFS_ATTR_NO;
++                      break;
++              }
++      }
++
++      /* Too many cores and this core is not populated, just return */
++      if (indx < 0)
+               return 0;
+-      pd = platform_get_drvdata(pdev);
+       tdata = pd->core_data[indx];
+       cpumask_clear_cpu(cpu, &pd->cpumask);
diff --git a/queue-4.19/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch b/queue-4.19/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
new file mode 100644 (file)
index 0000000..01fe519
--- /dev/null
@@ -0,0 +1,81 @@
+From c000a2607145d28b06c697f968491372ea56c23a Mon Sep 17 00:00:00 2001
+From: Eric Ren <renzhengeek@gmail.com>
+Date: Sat, 15 Oct 2022 11:19:28 +0800
+Subject: KVM: arm64: vgic: Fix exit condition in scan_its_table()
+
+From: Eric Ren <renzhengeek@gmail.com>
+
+commit c000a2607145d28b06c697f968491372ea56c23a upstream.
+
+With some PCIe topologies, restoring a guest fails while
+parsing the ITS device tables.
+
+Reproducer hints:
+1. Create ARM virt VM with pxb-pcie bus which adds
+   extra host bridges, with qemu command like:
+
+```
+  -device pxb-pcie,bus_nr=8,id=pci.x,numa_node=0,bus=pcie.0 \
+  -device pcie-root-port,..,bus=pci.x \
+  ...
+  -device pxb-pcie,bus_nr=37,id=pci.y,numa_node=1,bus=pcie.0 \
+  -device pcie-root-port,..,bus=pci.y \
+  ...
+
+```
+2. Ensure the guest uses 2-level device table
+3. Perform VM migration which calls save/restore device tables
+
+In that setup, we get a big "offset" between 2 device_ids,
+which makes unsigned "len" round up a big positive number,
+causing the scan loop to continue with a bad GPA. For example:
+
+1. L1 table has 2 entries;
+2. and we are now scanning at L2 table entry index 2075 (pointed
+   to by L1 first entry)
+3. if next device id is 9472, we will get a big offset: 7397;
+4. with unsigned 'len', 'len -= offset * esz', len will underflow to a
+   positive number, mistakenly into next iteration with a bad GPA;
+   (It should break out of the current L2 table scanning, and jump
+   into the next L1 table entry)
+5. that bad GPA fails the guest read.
+
+Fix it by stopping the L2 table scan when the next device id is
+outside of the current table, allowing the scan to continue from
+the next L1 table entry.
+
+Thanks to Eric Auger for the fix suggestion.
+
+Fixes: 920a7a8fa92a ("KVM: arm64: vgic-its: Add infrastructure for tableookup")
+Suggested-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Eric Ren <renzhengeek@gmail.com>
+[maz: commit message tidy-up]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/d9c3a564af9e2c5bf63f48a7dcbf08cd593c5c0b.1665802985.git.renzhengeek@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/arm/vgic/vgic-its.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -1915,7 +1915,7 @@ static int scan_its_table(struct vgic_it
+       memset(entry, 0, esz);
+-      while (len > 0) {
++      while (true) {
+               int next_offset;
+               size_t byte_offset;
+@@ -1928,6 +1928,9 @@ static int scan_its_table(struct vgic_it
+                       return next_offset;
+               byte_offset = next_offset * esz;
++              if (byte_offset >= len)
++                      break;
++
+               id += next_offset;
+               gpa += byte_offset;
+               len -= byte_offset;
diff --git a/queue-4.19/media-venus-dec-handle-the-case-where-find_format-fails.patch b/queue-4.19/media-venus-dec-handle-the-case-where-find_format-fails.patch
new file mode 100644 (file)
index 0000000..0706c2c
--- /dev/null
@@ -0,0 +1,36 @@
+From 06a2da340f762addc5935bf851d95b14d4692db2 Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Tue, 26 Jul 2022 04:14:54 +0200
+Subject: media: venus: dec: Handle the case where find_format fails
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 06a2da340f762addc5935bf851d95b14d4692db2 upstream.
+
+Debugging the decoder on msm8916 I noticed the vdec probe was crashing if
+the fmt pointer was NULL.
+
+A similar fix from Colin Ian King found by Coverity was implemented for the
+encoder. Implement the same fix on the decoder.
+
+Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
+Cc: stable@vger.kernel.org  # v4.13+
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/vdec.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -155,6 +155,8 @@ vdec_try_fmt_common(struct venus_inst *i
+               else
+                       return NULL;
+               fmt = find_format(inst, pixmp->pixelformat, f->type);
++              if (!fmt)
++                      return NULL;
+       }
+       pixmp->width = clamp(pixmp->width, frame_width_min(inst),
diff --git a/queue-4.19/ocfs2-clear-dinode-links-count-in-case-of-error.patch b/queue-4.19/ocfs2-clear-dinode-links-count-in-case-of-error.patch
new file mode 100644 (file)
index 0000000..37e8e33
--- /dev/null
@@ -0,0 +1,77 @@
+From 28f4821b1b53e0649706912e810c6c232fc506f9 Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Mon, 17 Oct 2022 21:02:27 +0800
+Subject: ocfs2: clear dinode links count in case of error
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit 28f4821b1b53e0649706912e810c6c232fc506f9 upstream.
+
+In ocfs2_mknod(), if error occurs after dinode successfully allocated,
+ocfs2 i_links_count will not be 0.
+
+So even though we clear inode i_nlink before iput in error handling, it
+still won't wipe inode since we'll refresh inode from dinode during inode
+lock.  So just like clear inode i_nlink, we clear ocfs2 i_links_count as
+well.  Also do the same change for ocfs2_symlink().
+
+Link: https://lkml.kernel.org/r/20221017130227.234480-2-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: Yan Wang <wangyan122@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/namei.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -245,6 +245,7 @@ static int ocfs2_mknod(struct inode *dir
+       handle_t *handle = NULL;
+       struct ocfs2_super *osb;
+       struct ocfs2_dinode *dirfe;
++      struct ocfs2_dinode *fe = NULL;
+       struct buffer_head *new_fe_bh = NULL;
+       struct inode *inode = NULL;
+       struct ocfs2_alloc_context *inode_ac = NULL;
+@@ -395,6 +396,7 @@ static int ocfs2_mknod(struct inode *dir
+               goto leave;
+       }
++      fe = (struct ocfs2_dinode *) new_fe_bh->b_data;
+       if (S_ISDIR(mode)) {
+               status = ocfs2_fill_new_dir(osb, handle, dir, inode,
+                                           new_fe_bh, data_ac, meta_ac);
+@@ -460,8 +462,11 @@ static int ocfs2_mknod(struct inode *dir
+ leave:
+       if (status < 0 && did_quota_inode)
+               dquot_free_inode(inode);
+-      if (handle)
++      if (handle) {
++              if (status < 0 && fe)
++                      ocfs2_set_links_count(fe, 0);
+               ocfs2_commit_trans(osb, handle);
++      }
+       ocfs2_inode_unlock(dir, 1);
+       if (did_block_signals)
+@@ -2031,8 +2036,11 @@ bail:
+                                       ocfs2_clusters_to_bytes(osb->sb, 1));
+       if (status < 0 && did_quota_inode)
+               dquot_free_inode(inode);
+-      if (handle)
++      if (handle) {
++              if (status < 0 && fe)
++                      ocfs2_set_links_count(fe, 0);
+               ocfs2_commit_trans(osb, handle);
++      }
+       ocfs2_inode_unlock(dir, 1);
+       if (did_block_signals)
diff --git a/queue-4.19/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch b/queue-4.19/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
new file mode 100644 (file)
index 0000000..23e2d90
--- /dev/null
@@ -0,0 +1,60 @@
+From 759a7c6126eef5635506453e9b9d55a6a3ac2084 Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Mon, 17 Oct 2022 21:02:26 +0800
+Subject: ocfs2: fix BUG when iput after ocfs2_mknod fails
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit 759a7c6126eef5635506453e9b9d55a6a3ac2084 upstream.
+
+Commit b1529a41f777 "ocfs2: should reclaim the inode if
+'__ocfs2_mknod_locked' returns an error" tried to reclaim the claimed
+inode if __ocfs2_mknod_locked() fails later.  But this introduce a race,
+the freed bit may be reused immediately by another thread, which will
+update dinode, e.g.  i_generation.  Then iput this inode will lead to BUG:
+inode->i_generation != le32_to_cpu(fe->i_generation)
+
+We could make this inode as bad, but we did want to do operations like
+wipe in some cases.  Since the claimed inode bit can only affect that an
+dinode is missing and will return back after fsck, it seems not a big
+problem.  So just leave it as is by revert the reclaim logic.
+
+Link: https://lkml.kernel.org/r/20221017130227.234480-1-joseph.qi@linux.alibaba.com
+Fixes: b1529a41f777 ("ocfs2: should reclaim the inode if '__ocfs2_mknod_locked' returns an error")
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: Yan Wang <wangyan122@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/namei.c |   11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -644,18 +644,9 @@ static int ocfs2_mknod_locked(struct ocf
+               return status;
+       }
+-      status = __ocfs2_mknod_locked(dir, inode, dev, new_fe_bh,
++      return __ocfs2_mknod_locked(dir, inode, dev, new_fe_bh,
+                                   parent_fe_bh, handle, inode_ac,
+                                   fe_blkno, suballoc_loc, suballoc_bit);
+-      if (status < 0) {
+-              u64 bg_blkno = ocfs2_which_suballoc_group(fe_blkno, suballoc_bit);
+-              int tmp = ocfs2_free_suballoc_bits(handle, inode_ac->ac_inode,
+-                              inode_ac->ac_bh, suballoc_bit, bg_blkno, 1);
+-              if (tmp)
+-                      mlog_errno(tmp);
+-      }
+-
+-      return status;
+ }
+ static int ocfs2_mkdir(struct inode *dir,
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644 (file)
index 0000000..063a0df
--- /dev/null
@@ -0,0 +1,8 @@
+ocfs2-clear-dinode-links-count-in-case-of-error.patch
+ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
+x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
+hwmon-coretemp-handle-large-core-id-value.patch
+ata-ahci-imx-fix-module_alias.patch
+ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
+kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
+media-venus-dec-handle-the-case-where-find_format-fails.patch
diff --git a/queue-4.19/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch b/queue-4.19/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
new file mode 100644 (file)
index 0000000..5c94e79
--- /dev/null
@@ -0,0 +1,76 @@
+From e7ad18d1169c62e6c78c01ff693fd362d9d65278 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 5 Oct 2022 12:00:08 +0200
+Subject: x86/microcode/AMD: Apply the patch early on every logical thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@suse.de>
+
+commit e7ad18d1169c62e6c78c01ff693fd362d9d65278 upstream.
+
+Currently, the patch application logic checks whether the revision
+needs to be applied on each logical CPU (SMT thread). Therefore, on SMT
+designs where the microcode engine is shared between the two threads,
+the application happens only on one of them as that is enough to update
+the shared microcode engine.
+
+However, there are microcode patches which do per-thread modification,
+see Link tag below.
+
+Therefore, drop the revision check and try applying on each thread. This
+is what the BIOS does too so this method is very much tested.
+
+Btw, change only the early paths. On the late loading paths, there's no
+point in doing per-thread modification because if is it some case like
+in the bugzilla below - removing a CPUID flag - the kernel cannot go and
+un-use features it has detected are there early. For that, one should
+use early loading anyway.
+
+  [ bp: Fixes does not contain the oldest commit which did check for
+    equality but that is good enough. ]
+
+Fixes: 8801b3fcb574 ("x86/microcode/AMD: Rework container parsing")
+Reported-by:  Ștefan Talpalaru <stefantalpalaru@yahoo.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by:  Ștefan Talpalaru <stefantalpalaru@yahoo.com>
+Cc: <stable@vger.kernel.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216211
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/microcode/amd.c |   16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -222,7 +222,13 @@ apply_microcode_early_amd(u32 cpuid_1_ea
+               return ret;
+       native_rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy);
+-      if (rev >= mc->hdr.patch_id)
++
++      /*
++       * Allow application of the same revision to pick up SMT-specific
++       * changes even if the revision of the other SMT thread is already
++       * up-to-date.
++       */
++      if (rev > mc->hdr.patch_id)
+               return ret;
+       if (!__apply_microcode_amd(mc)) {
+@@ -304,8 +310,12 @@ void load_ucode_amd_ap(unsigned int cpui
+       native_rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy);
+-      /* Check whether we have saved a new patch already: */
+-      if (*new_rev && rev < mc->hdr.patch_id) {
++      /*
++       * Check whether a new patch has been saved already. Also, allow application of
++       * the same revision in order to pick up SMT-thread-specific configuration even
++       * if the sibling SMT thread already has an up-to-date revision.
++       */
++      if (*new_rev && rev <= mc->hdr.patch_id) {
+               if (!__apply_microcode_amd(mc)) {
+                       *new_rev = mc->hdr.patch_id;
+                       return;