From: Greg Kroah-Hartman Date: Mon, 22 Feb 2021 09:18:17 +0000 (+0100) Subject: 5.11-stable patches X-Git-Tag: v5.11.1~1^2~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4481978b0b091fd7a04ccae4d2560c18a76e6fe6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.11-stable patches added patches: xen-arm-don-t-ignore-return-errors-from-set_phys_to_machine.patch xen-blkback-don-t-handle-error-by-bug.patch xen-blkback-fix-error-handling-in-xen_blkbk_map.patch xen-gntdev-correct-error-checking-in-gntdev_map_grant_pages.patch xen-netback-don-t-handle-error-by-bug.patch xen-scsiback-don-t-handle-error-by-bug.patch --- diff --git a/queue-5.11/series b/queue-5.11/series index e98a59a94a2..4e4a359cbd7 100644 --- a/queue-5.11/series +++ b/queue-5.11/series @@ -1,3 +1,9 @@ xen-x86-don-t-bail-early-from-clear_foreign_p2m_mapping.patch xen-x86-also-check-kernel-mapping-in-set_foreign_p2m_mapping.patch xen-gntdev-correct-dev_bus_addr-handling-in-gntdev_map_grant_pages.patch +xen-gntdev-correct-error-checking-in-gntdev_map_grant_pages.patch +xen-arm-don-t-ignore-return-errors-from-set_phys_to_machine.patch +xen-blkback-don-t-handle-error-by-bug.patch +xen-netback-don-t-handle-error-by-bug.patch +xen-scsiback-don-t-handle-error-by-bug.patch +xen-blkback-fix-error-handling-in-xen_blkbk_map.patch diff --git a/queue-5.11/xen-arm-don-t-ignore-return-errors-from-set_phys_to_machine.patch b/queue-5.11/xen-arm-don-t-ignore-return-errors-from-set_phys_to_machine.patch new file mode 100644 index 00000000000..96cac33303a --- /dev/null +++ b/queue-5.11/xen-arm-don-t-ignore-return-errors-from-set_phys_to_machine.patch @@ -0,0 +1,42 @@ +From 36bf1dfb8b266e089afa9b7b984217f17027bf35 Mon Sep 17 00:00:00 2001 +From: Stefano Stabellini +Date: Mon, 15 Feb 2021 08:53:44 +0100 +Subject: xen/arm: don't ignore return errors from set_phys_to_machine + +From: Stefano Stabellini + +commit 36bf1dfb8b266e089afa9b7b984217f17027bf35 upstream. + +set_phys_to_machine can fail due to lack of memory, see the kzalloc call +in arch/arm/xen/p2m.c:__set_phys_to_machine_multi. + +Don't ignore the potential return error in set_foreign_p2m_mapping, +returning it to the caller instead. + +This is part of XSA-361. + +Signed-off-by: Stefano Stabellini +Cc: stable@vger.kernel.org +Reviewed-by: Julien Grall +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/xen/p2m.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm/xen/p2m.c ++++ b/arch/arm/xen/p2m.c +@@ -95,8 +95,10 @@ int set_foreign_p2m_mapping(struct gntta + for (i = 0; i < count; i++) { + if (map_ops[i].status) + continue; +- set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT, +- map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT); ++ if (unlikely(!set_phys_to_machine(map_ops[i].host_addr >> XEN_PAGE_SHIFT, ++ map_ops[i].dev_bus_addr >> XEN_PAGE_SHIFT))) { ++ return -ENOMEM; ++ } + } + + return 0; diff --git a/queue-5.11/xen-blkback-don-t-handle-error-by-bug.patch b/queue-5.11/xen-blkback-don-t-handle-error-by-bug.patch new file mode 100644 index 00000000000..306792ebd77 --- /dev/null +++ b/queue-5.11/xen-blkback-don-t-handle-error-by-bug.patch @@ -0,0 +1,50 @@ +From 5a264285ed1cd32e26d9de4f3c8c6855e467fd63 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 15 Feb 2021 08:54:51 +0100 +Subject: xen-blkback: don't "handle" error by BUG() + +From: Jan Beulich + +commit 5a264285ed1cd32e26d9de4f3c8c6855e467fd63 upstream. + +In particular -ENOMEM may come back here, from set_foreign_p2m_mapping(). +Don't make problems worse, the more that handling elsewhere (together +with map's status fields now indicating whether a mapping wasn't even +attempted, and hence has to be considered failed) doesn't require this +odd way of dealing with errors. + +This is part of XSA-362. + +Signed-off-by: Jan Beulich +Cc: stable@vger.kernel.org +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/blkback.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -811,10 +811,8 @@ again: + break; + } + +- if (segs_to_map) { ++ if (segs_to_map) + ret = gnttab_map_refs(map, NULL, pages_to_gnt, segs_to_map); +- BUG_ON(ret); +- } + + /* + * Now swizzle the MFN in our domain with the MFN from the other domain +@@ -830,7 +828,7 @@ again: + gnttab_page_cache_put(&ring->free_pages, + &pages[seg_idx]->page, 1); + pages[seg_idx]->handle = BLKBACK_INVALID_HANDLE; +- ret |= 1; ++ ret |= !ret; + goto next; + } + pages[seg_idx]->handle = map[new_map_idx].handle; diff --git a/queue-5.11/xen-blkback-fix-error-handling-in-xen_blkbk_map.patch b/queue-5.11/xen-blkback-fix-error-handling-in-xen_blkbk_map.patch new file mode 100644 index 00000000000..65d5ac46d62 --- /dev/null +++ b/queue-5.11/xen-blkback-fix-error-handling-in-xen_blkbk_map.patch @@ -0,0 +1,80 @@ +From 871997bc9e423f05c7da7c9178e62dde5df2a7f8 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 15 Feb 2021 08:56:44 +0100 +Subject: xen-blkback: fix error handling in xen_blkbk_map() + +From: Jan Beulich + +commit 871997bc9e423f05c7da7c9178e62dde5df2a7f8 upstream. + +The function uses a goto-based loop, which may lead to an earlier error +getting discarded by a later iteration. Exit this ad-hoc loop when an +error was encountered. + +The out-of-memory error path additionally fails to fill a structure +field looked at by xen_blkbk_unmap_prepare() before inspecting the +handle which does get properly set (to BLKBACK_INVALID_HANDLE). + +Since the earlier exiting from the ad-hoc loop requires the same field +filling (invalidation) as that on the out-of-memory path, fold both +paths. While doing so, drop the pr_alert(), as extra log messages aren't +going to help the situation (the kernel will log oom conditions already +anyway). + +This is XSA-365. + +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross +Reviewed-by: Julien Grall +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/blkback.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -794,8 +794,13 @@ again: + pages[i]->persistent_gnt = persistent_gnt; + } else { + if (gnttab_page_cache_get(&ring->free_pages, +- &pages[i]->page)) +- goto out_of_memory; ++ &pages[i]->page)) { ++ gnttab_page_cache_put(&ring->free_pages, ++ pages_to_gnt, ++ segs_to_map); ++ ret = -ENOMEM; ++ goto out; ++ } + addr = vaddr(pages[i]->page); + pages_to_gnt[segs_to_map] = pages[i]->page; + pages[i]->persistent_gnt = NULL; +@@ -880,17 +885,18 @@ next: + } + segs_to_map = 0; + last_map = map_until; +- if (map_until != num) ++ if (!ret && map_until != num) + goto again; + +- return ret; +- +-out_of_memory: +- pr_alert("%s: out of memory\n", __func__); +- gnttab_page_cache_put(&ring->free_pages, pages_to_gnt, segs_to_map); +- for (i = last_map; i < num; i++) ++out: ++ for (i = last_map; i < num; i++) { ++ /* Don't zap current batch's valid persistent grants. */ ++ if(i >= last_map + segs_to_map) ++ pages[i]->persistent_gnt = NULL; + pages[i]->handle = BLKBACK_INVALID_HANDLE; +- return -ENOMEM; ++ } ++ ++ return ret; + } + + static int xen_blkbk_map_seg(struct pending_req *pending_req) diff --git a/queue-5.11/xen-gntdev-correct-error-checking-in-gntdev_map_grant_pages.patch b/queue-5.11/xen-gntdev-correct-error-checking-in-gntdev_map_grant_pages.patch new file mode 100644 index 00000000000..3696a89577f --- /dev/null +++ b/queue-5.11/xen-gntdev-correct-error-checking-in-gntdev_map_grant_pages.patch @@ -0,0 +1,77 @@ +From ebee0eab08594b2bd5db716288a4f1ae5936e9bc Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 15 Feb 2021 08:52:27 +0100 +Subject: Xen/gntdev: correct error checking in gntdev_map_grant_pages() + +From: Jan Beulich + +commit ebee0eab08594b2bd5db716288a4f1ae5936e9bc upstream. + +Failure of the kernel part of the mapping operation should also be +indicated as an error to the caller, or else it may assume the +respective kernel VA is okay to access. + +Furthermore gnttab_map_refs() failing still requires recording +successfully mapped handles, so they can be unmapped subsequently. This +in turn requires there to be a way to tell full hypercall failure from +partial success - preset map_op status fields such that they won't +"happen" to look as if the operation succeeded. + +Also again use GNTST_okay instead of implying its value (zero). + +This is part of XSA-361. + +Signed-off-by: Jan Beulich +Cc: stable@vger.kernel.org +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/gntdev.c | 17 +++++++++-------- + include/xen/grant_table.h | 1 + + 2 files changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -334,21 +334,22 @@ int gntdev_map_grant_pages(struct gntdev + pr_debug("map %d+%d\n", map->index, map->count); + err = gnttab_map_refs(map->map_ops, use_ptemod ? map->kmap_ops : NULL, + map->pages, map->count); +- if (err) +- return err; + + for (i = 0; i < map->count; i++) { +- if (map->map_ops[i].status) { ++ if (map->map_ops[i].status == GNTST_okay) ++ map->unmap_ops[i].handle = map->map_ops[i].handle; ++ else if (!err) + err = -EINVAL; +- continue; +- } + + if (map->flags & GNTMAP_device_map) + map->unmap_ops[i].dev_bus_addr = map->map_ops[i].dev_bus_addr; + +- map->unmap_ops[i].handle = map->map_ops[i].handle; +- if (use_ptemod) +- map->kunmap_ops[i].handle = map->kmap_ops[i].handle; ++ if (use_ptemod) { ++ if (map->kmap_ops[i].status == GNTST_okay) ++ map->kunmap_ops[i].handle = map->kmap_ops[i].handle; ++ else if (!err) ++ err = -EINVAL; ++ } + } + return err; + } +--- a/include/xen/grant_table.h ++++ b/include/xen/grant_table.h +@@ -157,6 +157,7 @@ gnttab_set_map_op(struct gnttab_map_gran + map->flags = flags; + map->ref = ref; + map->dom = domid; ++ map->status = 1; /* arbitrary positive value */ + } + + static inline void diff --git a/queue-5.11/xen-netback-don-t-handle-error-by-bug.patch b/queue-5.11/xen-netback-don-t-handle-error-by-bug.patch new file mode 100644 index 00000000000..9b954dec714 --- /dev/null +++ b/queue-5.11/xen-netback-don-t-handle-error-by-bug.patch @@ -0,0 +1,44 @@ +From 3194a1746e8aabe86075fd3c5e7cf1f4632d7f16 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 15 Feb 2021 08:55:31 +0100 +Subject: xen-netback: don't "handle" error by BUG() + +From: Jan Beulich + +commit 3194a1746e8aabe86075fd3c5e7cf1f4632d7f16 upstream. + +In particular -ENOMEM may come back here, from set_foreign_p2m_mapping(). +Don't make problems worse, the more that handling elsewhere (together +with map's status fields now indicating whether a mapping wasn't even +attempted, and hence has to be considered failed) doesn't require this +odd way of dealing with errors. + +This is part of XSA-362. + +Signed-off-by: Jan Beulich +Cc: stable@vger.kernel.org +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netback/netback.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1342,13 +1342,11 @@ int xenvif_tx_action(struct xenvif_queue + return 0; + + gnttab_batch_copy(queue->tx_copy_ops, nr_cops); +- if (nr_mops != 0) { ++ if (nr_mops != 0) + ret = gnttab_map_refs(queue->tx_map_ops, + NULL, + queue->pages_to_map, + nr_mops); +- BUG_ON(ret); +- } + + work_done = xenvif_tx_submit(queue); + diff --git a/queue-5.11/xen-scsiback-don-t-handle-error-by-bug.patch b/queue-5.11/xen-scsiback-don-t-handle-error-by-bug.patch new file mode 100644 index 00000000000..41add2f2873 --- /dev/null +++ b/queue-5.11/xen-scsiback-don-t-handle-error-by-bug.patch @@ -0,0 +1,44 @@ +From 7c77474b2d22176d2bfb592ec74e0f2cb71352c9 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 15 Feb 2021 08:55:57 +0100 +Subject: xen-scsiback: don't "handle" error by BUG() + +From: Jan Beulich + +commit 7c77474b2d22176d2bfb592ec74e0f2cb71352c9 upstream. + +In particular -ENOMEM may come back here, from set_foreign_p2m_mapping(). +Don't make problems worse, the more that handling elsewhere (together +with map's status fields now indicating whether a mapping wasn't even +attempted, and hence has to be considered failed) doesn't require this +odd way of dealing with errors. + +This is part of XSA-362. + +Signed-off-by: Jan Beulich +Cc: stable@vger.kernel.org +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xen-scsiback.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/xen/xen-scsiback.c ++++ b/drivers/xen/xen-scsiback.c +@@ -386,12 +386,12 @@ static int scsiback_gnttab_data_map_batc + return 0; + + err = gnttab_map_refs(map, NULL, pg, cnt); +- BUG_ON(err); + for (i = 0; i < cnt; i++) { + if (unlikely(map[i].status != GNTST_okay)) { + pr_err("invalid buffer -- could not remap it\n"); + map[i].handle = SCSIBACK_INVALID_HANDLE; +- err = -ENOMEM; ++ if (!err) ++ err = -ENOMEM; + } else { + get_page(pg[i]); + }