4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 May 2021 10:48:43 +0000 (12:48 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 May 2021 10:48:43 +0000 (12:48 +0200)
added patches:
dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch
dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch
xen-pciback-reconfigure-also-from-backend-watch-handler.patch

queue-4.14/dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch [new file with mode: 0644]
queue-4.14/dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/xen-pciback-reconfigure-also-from-backend-watch-handler.patch [new file with mode: 0644]

diff --git a/queue-4.14/dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch b/queue-4.14/dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch
new file mode 100644 (file)
index 0000000..1364da4
--- /dev/null
@@ -0,0 +1,43 @@
+From 7ee06ddc4038f936b0d4459d37a7d4d844fb03db Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 7 May 2021 11:38:10 -0400
+Subject: dm snapshot: fix a crash when an origin has no snapshots
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 7ee06ddc4038f936b0d4459d37a7d4d844fb03db upstream.
+
+If an origin target has no snapshots, o->split_boundary is set to 0.
+This causes BUG_ON(sectors <= 0) in block/bio.c:bio_split().
+
+Fix this by initializing chunk_size, and in turn split_boundary, to
+rounddown_pow_of_two(UINT_MAX) -- the largest power of two that fits
+into "unsigned" type.
+
+Reported-by: Michael Tokarev <mjt@tls.msk.ru>
+Tested-by: Michael Tokarev <mjt@tls.msk.ru>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-snap.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -793,12 +793,11 @@ static int dm_add_exception(void *contex
+ static uint32_t __minimum_chunk_size(struct origin *o)
+ {
+       struct dm_snapshot *snap;
+-      unsigned chunk_size = 0;
++      unsigned chunk_size = rounddown_pow_of_two(UINT_MAX);
+       if (o)
+               list_for_each_entry(snap, &o->snapshots, list)
+-                      chunk_size = min_not_zero(chunk_size,
+-                                                snap->store->chunk_size);
++                      chunk_size = min(chunk_size, snap->store->chunk_size);
+       return (uint32_t) chunk_size;
+ }
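Review bot: Switching from `min_not_zero()` to `min()` in the `list_for_each_entry` loop means a single snapshot on `o->snapshots` whose `snap->store->chunk_size` is 0 pulls the result back to 0. That is the same `split_boundary == 0` value the commit message says trips `BUG_ON(sectors <= 0)` in `bio_split()`. The hunk does not show whether a registered snapshot can ever carry a zero chunk size, so this should be confirmed against `snapshot_ctr()` and any path that registers a snapshot before its chunk size is known. With the new non-zero initialiser the old helper still ignores zero entries and is the safer choice: `chunk_size = min_not_zero(chunk_size, snap->store->chunk_size);`.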
diff --git a/queue-4.14/dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch b/queue-4.14/dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch
new file mode 100644 (file)
index 0000000..be15d06
--- /dev/null
@@ -0,0 +1,41 @@
+From c699a0db2d62e3bbb7f0bf35c87edbc8d23e3062 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 10 May 2021 14:49:05 -0400
+Subject: dm snapshot: fix crash with transient storage and zero chunk size
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit c699a0db2d62e3bbb7f0bf35c87edbc8d23e3062 upstream.
+
+The following commands will crash the kernel:
+
+modprobe brd rd_size=1048576
+dmsetup create o --table "0 `blockdev --getsize /dev/ram0` snapshot-origin /dev/ram0"
+dmsetup create s --table "0 `blockdev --getsize /dev/ram0` snapshot /dev/ram0 /dev/ram1 N 0"
+
+The reason is that when we test for zero chunk size, we jump to the label
+bad_read_metadata without setting the "r" variable. The function
+snapshot_ctr destroys all the structures and then exits with "r == 0". The
+kernel then crashes because it falsely believes that snapshot_ctr
+succeeded.
+
+In order to fix the bug, we set the variable "r" to -EINVAL.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-snap.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -1285,6 +1285,7 @@ static int snapshot_ctr(struct dm_target
+       if (!s->store->chunk_size) {
+               ti->error = "Chunk size not set";
++              r = -EINVAL;
+               goto bad_read_metadata;
+       }
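Review bot: The added `r = -EINVAL;` fixes this one branch, but the hazard is a property of the whole function: any `goto` into the unwind labels while `r` still holds 0 from an earlier successful call. `snapshot_ctr()` starts and ends outside the hunk. Per the commit message, the result is a constructor that destroys its structures and then reports success, so the remaining `goto bad_*` sites are worth auditing for the same pattern. A short comment here would keep the assignment from being dropped as redundant later, for example `/* r is 0 here; without an error code the ctr would report success after teardown */`.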
index c720699686009250e873c3b91aeb4e1866b4cfc0..2f4885aaf153dd9e7aa61cb734239528822105a3 100644 (file)
@@ -10,3 +10,6 @@ revert-alsa-sb8-add-a-check-for-request_region.patch
 alsa-hda-realtek-reset-eapd-coeff-to-default-value-for-alc287.patch
 revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
 rapidio-handle-create_workqueue-failure.patch
+xen-pciback-reconfigure-also-from-backend-watch-handler.patch
+dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch
+dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch
diff --git a/queue-4.14/xen-pciback-reconfigure-also-from-backend-watch-handler.patch b/queue-4.14/xen-pciback-reconfigure-also-from-backend-watch-handler.patch
new file mode 100644 (file)
index 0000000..c2967a5
--- /dev/null
@@ -0,0 +1,85 @@
+From c81d3d24602540f65256f98831d0a25599ea6b87 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 18 May 2021 18:14:07 +0200
+Subject: xen-pciback: reconfigure also from backend watch handler
+
+From: Jan Beulich <jbeulich@suse.com>
+
+commit c81d3d24602540f65256f98831d0a25599ea6b87 upstream.
+
+When multiple PCI devices get assigned to a guest right at boot, libxl
+incrementally populates the backend tree. The writes for the first of
+the devices trigger the backend watch. In turn xen_pcibk_setup_backend()
+will set the XenBus state to Initialised, at which point no further
+reconfigures would happen unless a device got hotplugged. Arrange for
+reconfigure to also get triggered from the backend watch handler.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/2337cbd6-94b9-4187-9862-c03ea12e0c61@suse.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xen-pciback/xenbus.c |   22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/xen-pciback/xenbus.c
++++ b/drivers/xen/xen-pciback/xenbus.c
+@@ -358,7 +358,8 @@ out:
+       return err;
+ }
+-static int xen_pcibk_reconfigure(struct xen_pcibk_device *pdev)
++static int xen_pcibk_reconfigure(struct xen_pcibk_device *pdev,
++                               enum xenbus_state state)
+ {
+       int err = 0;
+       int num_devs;
+@@ -372,9 +373,7 @@ static int xen_pcibk_reconfigure(struct
+       dev_dbg(&pdev->xdev->dev, "Reconfiguring device ...\n");
+       mutex_lock(&pdev->dev_lock);
+-      /* Make sure we only reconfigure once */
+-      if (xenbus_read_driver_state(pdev->xdev->nodename) !=
+-          XenbusStateReconfiguring)
++      if (xenbus_read_driver_state(pdev->xdev->nodename) != state)
+               goto out;
+       err = xenbus_scanf(XBT_NIL, pdev->xdev->nodename, "num_devs", "%d",
+@@ -499,6 +498,10 @@ static int xen_pcibk_reconfigure(struct
+               }
+       }
++      if (state != XenbusStateReconfiguring)
++              /* Make sure we only reconfigure once. */
++              goto out;
++
+       err = xenbus_switch_state(pdev->xdev, XenbusStateReconfigured);
+       if (err) {
+               xenbus_dev_fatal(pdev->xdev, err,
+@@ -524,7 +527,7 @@ static void xen_pcibk_frontend_changed(s
+               break;
+       case XenbusStateReconfiguring:
+-              xen_pcibk_reconfigure(pdev);
++              xen_pcibk_reconfigure(pdev, XenbusStateReconfiguring);
+               break;
+       case XenbusStateConnected:
+@@ -663,6 +666,15 @@ static void xen_pcibk_be_watch(struct xe
+               xen_pcibk_setup_backend(pdev);
+               break;
++      case XenbusStateInitialised:
++              /*
++               * We typically move to Initialised when the first device was
++               * added. Hence subsequent devices getting added may need
++               * reconfiguring.
++               */
++              xen_pcibk_reconfigure(pdev, XenbusStateInitialised);
++              break;
++
+       default:
+               break;
+       }
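Review bot: The relocated comment `/* Make sure we only reconfigure once. */` now sits on the branch that skips `xenbus_switch_state(pdev->xdev, XenbusStateReconfigured)` when `state != XenbusStateReconfiguring`, so it reads as describing something that branch does not do. The guard against repeated work is still the `xenbus_read_driver_state(pdev->xdev->nodename) != state` check near the top. I would reword it to something like `/* Only a Reconfiguring request is completed by switching to Reconfigured. */`, brace the `if` since its body spans a comment and a statement, and add a line above `xen_pcibk_reconfigure()` stating that `state` is the XenBus state the backend must currently be in for the call to proceed. The new `XenbusStateInitialised` case in `xen_pcibk_be_watch()` also discards the return value, as the existing call in `xen_pcibk_frontend_changed()` does. Whether every failure is reported inside the function cannot be told from here, because its body continues outside these hunks.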