--- /dev/null
+From 235d2e739fcbe964c9ce179b4c991025662dcdb6 Mon Sep 17 00:00:00 2001
+From: Ming-Hung Tsai <mtsai@redhat.com>
+Date: Tue, 22 Oct 2024 15:12:22 +0800
+Subject: dm cache: correct the number of origin blocks to match the target length
+
+From: Ming-Hung Tsai <mtsai@redhat.com>
+
+commit 235d2e739fcbe964c9ce179b4c991025662dcdb6 upstream.
+
+When creating a cache device, the actual size of the cache origin might
+be greater than the specified cache target length. In such case, the
+number of origin blocks should match the cache target length, not the
+full size of the origin device, since access beyond the cache target is
+not possible. This issue occurs when reducing the origin device size
+using lvm, as lvreduce preloads the new cache table before resuming the
+cache origin, which can result in incorrect sizes for the discard bitset
+and smq hotspot blocks.
+
+Reproduce steps:
+
+1. create a cache device consists of 4096 origin blocks
+
+dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
+dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
+dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
+dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
+dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
+/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
+
+2. reduce the cache origin to 2048 oblocks, in lvreduce's approach
+
+dmsetup reload corig --table "0 262144 linear /dev/sdc 262144"
+dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
+/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
+dmsetup suspend cache
+dmsetup suspend corig
+dmsetup suspend cdata
+dmsetup suspend cmeta
+dmsetup resume corig
+dmsetup resume cdata
+dmsetup resume cmeta
+dmsetup resume cache
+
+3. shutdown the cache, and check the number of discard blocks in
+ superblock. The value is expected to be 2048, but actually is 4096.
+
+dmsetup remove cache corig cdata cmeta
+dd if=/dev/sdc bs=1c count=8 skip=224 2>/dev/null | hexdump -e '1/8 "%u\n"'
+
+Fix by correcting the origin_blocks initialization in cache_create and
+removing the unused origin_sectors from struct cache_args accordingly.
+
+Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
+Fixes: c6b4fcbad044 ("dm: add cache target")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Joe Thornber <thornber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -2080,7 +2080,6 @@ struct cache_args {
+ sector_t cache_sectors;
+
+ struct dm_dev *origin_dev;
+- sector_t origin_sectors;
+
+ uint32_t block_size;
+
+@@ -2162,6 +2161,7 @@ static int parse_cache_dev(struct cache_
+ static int parse_origin_dev(struct cache_args *ca, struct dm_arg_set *as,
+ char **error)
+ {
++ sector_t origin_sectors;
+ int r;
+
+ if (!at_least_one_arg(as, error))
+@@ -2174,8 +2174,8 @@ static int parse_origin_dev(struct cache
+ return r;
+ }
+
+- ca->origin_sectors = get_dev_size(ca->origin_dev);
+- if (ca->ti->len > ca->origin_sectors) {
++ origin_sectors = get_dev_size(ca->origin_dev);
++ if (ca->ti->len > origin_sectors) {
+ *error = "Device size larger than cached device";
+ return -EINVAL;
+ }
+@@ -2498,7 +2498,7 @@ static int cache_create(struct cache_arg
+
+ ca->metadata_dev = ca->origin_dev = ca->cache_dev = NULL;
+
+- origin_blocks = cache->origin_sectors = ca->origin_sectors;
++ origin_blocks = cache->origin_sectors = ti->len;
+ origin_blocks = block_div(origin_blocks, ca->block_size);
+ cache->origin_blocks = to_oblock(origin_blocks);
+
--- /dev/null
+From 792227719725497ce10a8039803bec13f89f8910 Mon Sep 17 00:00:00 2001
+From: Ming-Hung Tsai <mtsai@redhat.com>
+Date: Tue, 22 Oct 2024 15:13:16 +0800
+Subject: dm cache: fix out-of-bounds access to the dirty bitset when resizing
+
+From: Ming-Hung Tsai <mtsai@redhat.com>
+
+commit 792227719725497ce10a8039803bec13f89f8910 upstream.
+
+dm-cache checks the dirty bits of the cache blocks to be dropped when
+shrinking the fast device, but an index bug in bitset iteration causes
+out-of-bounds access.
+
+Reproduce steps:
+
+1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)
+
+dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
+dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
+dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
+dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
+dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
+/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
+
+2. shrink the fast device to 512 cache blocks, triggering out-of-bounds
+ access to the dirty bitset (offset 0x80)
+
+dmsetup suspend cache
+dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
+dmsetup resume cdata
+dmsetup resume cache
+
+KASAN reports:
+
+ BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
+ Read of size 8 at addr ffffc900000f3080 by task dmsetup/131
+
+ (...snip...)
+ The buggy address belongs to the virtual mapping at
+ [ffffc900000f3000, ffffc900000f5000) created by:
+ cache_ctr+0x176a/0x35f0
+
+ (...snip...)
+ Memory state around the buggy address:
+ ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ^
+ ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+
+Fix by making the index post-incremented.
+
+Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
+Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Joe Thornber <thornber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -3002,13 +3002,13 @@ static bool can_resize(struct cache *cac
+ * We can't drop a dirty block when shrinking the cache.
+ */
+ while (from_cblock(new_size) < from_cblock(cache->cache_size)) {
+- new_size = to_cblock(from_cblock(new_size) + 1);
+ if (is_dirty(cache, new_size)) {
+ DMERR("%s: unable to shrink cache; cache block %llu is dirty",
+ cache_device_name(cache),
+ (unsigned long long) from_cblock(new_size));
+ return false;
+ }
++ new_size = to_cblock(from_cblock(new_size) + 1);
+ }
+
+ return true;
--- /dev/null
+From c0ade5d98979585d4f5a93e4514c2e9a65afa08d Mon Sep 17 00:00:00 2001
+From: Ming-Hung Tsai <mtsai@redhat.com>
+Date: Tue, 22 Oct 2024 15:13:54 +0800
+Subject: dm cache: fix potential out-of-bounds access on the first resume
+
+From: Ming-Hung Tsai <mtsai@redhat.com>
+
+commit c0ade5d98979585d4f5a93e4514c2e9a65afa08d upstream.
+
+Out-of-bounds access occurs if the fast device is expanded unexpectedly
+before the first-time resume of the cache table. This happens because
+expanding the fast device requires reloading the cache table for
+cache_create to allocate new in-core data structures that fit the new
+size, and the check in cache_preresume is not performed during the
+first resume, leading to the issue.
+
+Reproduce steps:
+
+1. prepare component devices:
+
+dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
+dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
+dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
+dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
+
+2. load a cache table of 512 cache blocks, and deliberately expand the
+ fast device before resuming the cache, making the in-core data
+ structures inadequate.
+
+dmsetup create cache --notable
+dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
+/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
+dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
+dmsetup resume cdata
+dmsetup resume cache
+
+3. suspend the cache to write out the in-core dirty bitset and hint
+ array, leading to out-of-bounds access to the dirty bitset at offset
+ 0x40:
+
+dmsetup suspend cache
+
+KASAN reports:
+
+ BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
+ Read of size 8 at addr ffffc90000085040 by task dmsetup/90
+
+ (...snip...)
+ The buggy address belongs to the virtual mapping at
+ [ffffc90000085000, ffffc90000087000) created by:
+ cache_ctr+0x176a/0x35f0
+
+ (...snip...)
+ Memory state around the buggy address:
+ ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
+ ^
+ ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+ ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+
+Fix by checking the size change on the first resume.
+
+Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
+Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Joe Thornber <thornber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 37 ++++++++++++++++---------------------
+ 1 file changed, 16 insertions(+), 21 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -2991,24 +2991,24 @@ static dm_cblock_t get_cache_dev_size(st
+ static bool can_resize(struct cache *cache, dm_cblock_t new_size)
+ {
+ if (from_cblock(new_size) > from_cblock(cache->cache_size)) {
+- if (cache->sized) {
+- DMERR("%s: unable to extend cache due to missing cache table reload",
+- cache_device_name(cache));
+- return false;
+- }
++ DMERR("%s: unable to extend cache due to missing cache table reload",
++ cache_device_name(cache));
++ return false;
+ }
+
+ /*
+ * We can't drop a dirty block when shrinking the cache.
+ */
+- new_size = to_cblock(find_next_bit(cache->dirty_bitset,
+- from_cblock(cache->cache_size),
+- from_cblock(new_size)));
+- if (new_size != cache->cache_size) {
+- DMERR("%s: unable to shrink cache; cache block %llu is dirty",
+- cache_device_name(cache),
+- (unsigned long long) from_cblock(new_size));
+- return false;
++ if (cache->loaded_mappings) {
++ new_size = to_cblock(find_next_bit(cache->dirty_bitset,
++ from_cblock(cache->cache_size),
++ from_cblock(new_size)));
++ if (new_size != cache->cache_size) {
++ DMERR("%s: unable to shrink cache; cache block %llu is dirty",
++ cache_device_name(cache),
++ (unsigned long long) from_cblock(new_size));
++ return false;
++ }
+ }
+
+ return true;
+@@ -3039,20 +3039,15 @@ static int cache_preresume(struct dm_tar
+ /*
+ * Check to see if the cache has resized.
+ */
+- if (!cache->sized) {
+- r = resize_cache_dev(cache, csize);
+- if (r)
+- return r;
+-
+- cache->sized = true;
+-
+- } else if (csize != cache->cache_size) {
++ if (!cache->sized || csize != cache->cache_size) {
+ if (!can_resize(cache, csize))
+ return -EINVAL;
+
+ r = resize_cache_dev(cache, csize);
+ if (r)
+ return r;
++
++ cache->sized = true;
+ }
+
+ if (!cache->loaded_mappings) {
--- /dev/null
+From f484697e619a83ecc370443a34746379ad99d204 Mon Sep 17 00:00:00 2001
+From: Ming-Hung Tsai <mtsai@redhat.com>
+Date: Tue, 22 Oct 2024 15:13:39 +0800
+Subject: dm cache: optimize dirty bit checking with find_next_bit when resizing
+
+From: Ming-Hung Tsai <mtsai@redhat.com>
+
+commit f484697e619a83ecc370443a34746379ad99d204 upstream.
+
+When shrinking the fast device, dm-cache iteratively searches for a
+dirty bit among the cache blocks to be dropped, which is less efficient.
+Use find_next_bit instead, as it is twice as fast as the iterative
+approach with test_bit.
+
+Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
+Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Acked-by: Joe Thornber <thornber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-cache-target.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -3001,14 +3001,14 @@ static bool can_resize(struct cache *cac
+ /*
+ * We can't drop a dirty block when shrinking the cache.
+ */
+- while (from_cblock(new_size) < from_cblock(cache->cache_size)) {
+- if (is_dirty(cache, new_size)) {
+- DMERR("%s: unable to shrink cache; cache block %llu is dirty",
+- cache_device_name(cache),
+- (unsigned long long) from_cblock(new_size));
+- return false;
+- }
+- new_size = to_cblock(from_cblock(new_size) + 1);
++ new_size = to_cblock(find_next_bit(cache->dirty_bitset,
++ from_cblock(cache->cache_size),
++ from_cblock(new_size)));
++ if (new_size != cache->cache_size) {
++ DMERR("%s: unable to shrink cache; cache block %llu is dirty",
++ cache_device_name(cache),
++ (unsigned long long) from_cblock(new_size));
++ return false;
+ }
+
+ return true;
--- /dev/null
+From 5a4510c762fc04c74cff264cd4d9e9f5bf364bae Mon Sep 17 00:00:00 2001
+From: Zichen Xie <zichenxie0106@gmail.com>
+Date: Mon, 21 Oct 2024 14:54:45 -0500
+Subject: dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow
+
+From: Zichen Xie <zichenxie0106@gmail.com>
+
+commit 5a4510c762fc04c74cff264cd4d9e9f5bf364bae upstream.
+
+This was found by a static analyzer.
+There may be a potential integer overflow issue in
+unstripe_ctr(). uc->unstripe_offset and uc->unstripe_width are
+defined as "sector_t"(uint64_t), while uc->unstripe,
+uc->chunk_size and uc->stripes are all defined as "uint32_t".
+The result of the calculation will be limited to "uint32_t"
+without correct casting.
+So, we recommend adding an extra cast to prevent potential
+integer overflow.
+
+Fixes: 18a5bf270532 ("dm: add unstriped target")
+Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-unstripe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-unstripe.c
++++ b/drivers/md/dm-unstripe.c
+@@ -84,8 +84,8 @@ static int unstripe_ctr(struct dm_target
+ }
+ uc->physical_start = start;
+
+- uc->unstripe_offset = uc->unstripe * uc->chunk_size;
+- uc->unstripe_width = (uc->stripes - 1) * uc->chunk_size;
++ uc->unstripe_offset = (sector_t)uc->unstripe * uc->chunk_size;
++ uc->unstripe_width = (sector_t)(uc->stripes - 1) * uc->chunk_size;
+ uc->chunk_shift = is_power_of_2(uc->chunk_size) ? fls(uc->chunk_size) - 1 : 0;
+
+ tmp_len = ti->len;
--- /dev/null
+From 4d75b9468021c73108b4439794d69e892b1d24e3 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 23 Oct 2024 16:52:08 -0400
+Subject: drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 4d75b9468021c73108b4439794d69e892b1d24e3 upstream.
+
+Avoid a possible buffer overflow if size is larger than 4K.
+
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+@@ -394,7 +394,7 @@ static ssize_t amdgpu_debugfs_regs_smc_r
+ if (!adev->smc_rreg)
+ return -EOPNOTSUPP;
+
+- if (size & 0x3 || *pos & 0x3)
++ if (size > 4096 || size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+
+ while (size) {
--- /dev/null
+From a6dd15981c03f2cdc9a351a278f09b5479d53d2e Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <antonio@mandelbit.com>
+Date: Thu, 31 Oct 2024 16:28:48 +0100
+Subject: drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
+
+From: Antonio Quartulli <antonio@mandelbit.com>
+
+commit a6dd15981c03f2cdc9a351a278f09b5479d53d2e upstream.
+
+acpi_evaluate_object() may return AE_NOT_FOUND (failure), which
+would result in dereferencing buffer.pointer (obj) while being NULL.
+
+Although this case may be unrealistic for the current code, it is
+still better to protect against possible bugs.
+
+Bail out also when status is AE_NOT_FOUND.
+
+This fixes 1 FORWARD_NULL issue reported by Coverity
+Report: CID 1600951: Null pointer dereferences (FORWARD_NULL)
+
+Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
+Fixes: c9b7c809b89f ("drm/amd: Guard against bad data for ATIF ACPI method")
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20241031152848.4716-1-antonio@mandelbit.com
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 91c9e221fe2553edf2db71627d8453f083de87a1)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -115,8 +115,8 @@ static union acpi_object *amdgpu_atif_ca
+ &buffer);
+ obj = (union acpi_object *)buffer.pointer;
+
+- /* Fail if calling the method fails and ATIF is supported */
+- if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
++ /* Fail if calling the method fails */
++ if (ACPI_FAILURE(status)) {
+ DRM_DEBUG_DRIVER("failed to evaluate ATIF got %s\n",
+ acpi_format_exception(status));
+ kfree(obj);
media-s5p-jpeg-prevent-buffer-overflows.patch
media-cx24116-prevent-overflows-on-snr-calculus.patch
media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
+drm-amdgpu-add-missing-size-check-in-amdgpu_debugfs_gprwave_read.patch
+drm-amdgpu-prevent-null-pointer-dereference-if-atif-is-not-supported.patch
+dm-cache-correct-the-number-of-origin-blocks-to-match-the-target-length.patch
+dm-cache-fix-out-of-bounds-access-to-the-dirty-bitset-when-resizing.patch
+dm-cache-optimize-dirty-bit-checking-with-find_next_bit-when-resizing.patch
+dm-cache-fix-potential-out-of-bounds-access-on-the-first-resume.patch
+dm-unstriped-cast-an-operand-to-sector_t-to-prevent-potential-uint32_t-overflow.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
