From: Greg Kroah-Hartman Date: Wed, 26 Oct 2022 15:27:05 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.10.151~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=728a586bdbd140b13a654ed59d581aa95143ee4e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: ata-ahci-imx-fix-module_alias.patch ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch ocfs2-clear-dinode-links-count-in-case-of-error.patch ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
---
diff --git a/queue-4.14/ata-ahci-imx-fix-module_alias.patch b/queue-4.14/ata-ahci-imx-fix-module_alias.patch
new file mode 100644
index 00000000000..7f754b05f79
--- /dev/null
+++ b/queue-4.14/ata-ahci-imx-fix-module_alias.patch
@@ -0,0 +1,30 @@
+From 979556f1521a835a059de3b117b9c6c6642c7d58 Mon Sep 17 00:00:00 2001
+From: Alexander Stein
+Date: Wed, 12 Oct 2022 15:11:05 +0200
+Subject: ata: ahci-imx: Fix MODULE_ALIAS
+
+From: Alexander Stein
+
+commit 979556f1521a835a059de3b117b9c6c6642c7d58 upstream.
+
+'ahci:' is an invalid prefix, preventing the module from autoloading.
+Fix this by using the 'platform:' prefix and DRV_NAME.
+
+Fixes: 9e54eae23bc9 ("ahci_imx: add ahci sata support on imx platforms")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Stein
+Reviewed-by: Fabio Estevam
+Signed-off-by: Damien Le Moal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/ahci_imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ahci_imx.c
++++ b/drivers/ata/ahci_imx.c
+@@ -887,4 +887,4 @@ module_platform_driver(imx_ahci_driver);
+ MODULE_DESCRIPTION("Freescale i.MX AHCI SATA platform driver");
+ MODULE_AUTHOR("Richard Zhu ");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS("ahci:imx");
++MODULE_ALIAS("platform:" DRV_NAME);
diff --git a/queue-4.14/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch b/queue-4.14/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
new file mode 100644
index 00000000000..1022bb89a33
--- /dev/null
+++ b/queue-4.14/ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
@@ -0,0 +1,76 @@
+From 1e41e693f458eef2d5728207dbd327cd3b16580a Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Tue, 11 Oct 2022 10:46:17 +0800
+Subject: ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
+
+From: Kai-Heng Feng
+
+commit 1e41e693f458eef2d5728207dbd327cd3b16580a upstream.
+
+UBSAN complains about array-index-out-of-bounds:
+[ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41
+[ 1.980709] kernel: index 15 is out of range for type 'ahci_em_priv [8]'
+[ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu
+[ 1.980716] kernel: Hardware name: System manufacturer System Product Name/P5Q3, BIOS 1102 06/11/2010
+[ 1.980718] kernel: Call Trace:
+[ 1.980721] kernel:
+[ 1.980723] kernel: show_stack+0x52/0x58
+[ 1.980729] kernel: dump_stack_lvl+0x4a/0x5f
+[ 1.980734] kernel: dump_stack+0x10/0x12
+[ 1.980736] kernel: ubsan_epilogue+0x9/0x45
+[ 1.980739] kernel: __ubsan_handle_out_of_bounds.cold+0x44/0x49
+[ 1.980742] kernel: ahci_qc_issue+0x166/0x170 [libahci]
+[ 1.980748] kernel: ata_qc_issue+0x135/0x240
+[ 1.980752] kernel: ata_exec_internal_sg+0x2c4/0x580
+[ 1.980754] kernel: ? vprintk_default+0x1d/0x20
+[ 1.980759] kernel: ata_exec_internal+0x67/0xa0
+[ 1.980762] kernel: sata_pmp_read+0x8d/0xc0
+[ 1.980765] kernel: sata_pmp_read_gscr+0x3c/0x90
+[ 1.980768] kernel: sata_pmp_attach+0x8b/0x310
+[ 1.980771] kernel: ata_eh_revalidate_and_attach+0x28c/0x4b0
+[ 1.980775] kernel: ata_eh_recover+0x6b6/0xb30
+[ 1.980778] kernel: ? ahci_do_hardreset+0x180/0x180 [libahci]
+[ 1.980783] kernel: ? ahci_stop_engine+0xb0/0xb0 [libahci]
+[ 1.980787] kernel: ? ahci_do_softreset+0x290/0x290 [libahci]
+[ 1.980792] kernel: ? trace_event_raw_event_ata_eh_link_autopsy_qc+0xe0/0xe0
+[ 1.980795] kernel: sata_pmp_eh_recover.isra.0+0x214/0x560
+[ 1.980799] kernel: sata_pmp_error_handler+0x23/0x40
+[ 1.980802] kernel: ahci_error_handler+0x43/0x80 [libahci]
+[ 1.980806] kernel: ata_scsi_port_error_handler+0x2b1/0x600
+[ 1.980810] kernel: ata_scsi_error+0x9c/0xd0
+[ 1.980813] kernel: scsi_error_handler+0xa1/0x180
+[ 1.980817] kernel: ? scsi_unjam_host+0x1c0/0x1c0
+[ 1.980820] kernel: kthread+0x12a/0x150
+[ 1.980823] kernel: ? set_kthread_struct+0x50/0x50
+[ 1.980826] kernel: ret_from_fork+0x22/0x30
+[ 1.980831] kernel:
+
+This happens because sata_pmp_init_links() initialize link->pmp up to
+SATA_PMP_MAX_PORTS while em_priv is declared as 8 elements array.
+
+I can't find the maximum Enclosure Management ports specified in AHCI
+spec v1.3.1, but "12.2.1 LED message type" states that "Port Multiplier
+Information" can utilize 4 bits, which implies it can support up to 16
+ports. Hence, use SATA_PMP_MAX_PORTS as EM_MAX_SLOTS to resolve the
+issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1970074
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Damien Le Moal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/ahci.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ahci.h
++++ b/drivers/ata/ahci.h
+@@ -260,7 +260,7 @@ enum {
+ ICH_MAP = 0x90, /* ICH MAP register */
+
+ /* em constants */
+- EM_MAX_SLOTS = 8,
++ EM_MAX_SLOTS = SATA_PMP_MAX_PORTS,
+ EM_MAX_RETRY = 5,
+
+ /* em_ctl bits */
diff --git a/queue-4.14/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch b/queue-4.14/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
new file mode 100644
index 00000000000..3cff374067f
--- /dev/null
+++ b/queue-4.14/kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
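Review bot: The new bound `EM_MAX_SLOTS = SATA_PMP_MAX_PORTS,` only removes the reported overflow if SATA_PMP_MAX_PORTS is greater than 15, because the UBSAN line quoted in the message reports index 15. The constant's definition is not on this page; if it is 15 in the 4.14 tree (which is what I recall from mainline, where the port-multiplier control port is also 15), `em_priv[15]` would still be one element past the end of the array. That should be confirmed before relying on this backport, and if it holds the bound wants to be `EM_MAX_SLOTS = SATA_PMP_MAX_PORTS + 1,` or the code that indexes em_priv needs to reject the control-port value first. The enum this line belongs to starts and ends outside the hunk.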
@@ -0,0 +1,81 @@
+From c000a2607145d28b06c697f968491372ea56c23a Mon Sep 17 00:00:00 2001
+From: Eric Ren
+Date: Sat, 15 Oct 2022 11:19:28 +0800
+Subject: KVM: arm64: vgic: Fix exit condition in scan_its_table()
+
+From: Eric Ren
+
+commit c000a2607145d28b06c697f968491372ea56c23a upstream.
+
+With some PCIe topologies, restoring a guest fails while
+parsing the ITS device tables.
+
+Reproducer hints:
+1. Create ARM virt VM with pxb-pcie bus which adds
+ extra host bridges, with qemu command like:
+
+```
+ -device pxb-pcie,bus_nr=8,id=pci.x,numa_node=0,bus=pcie.0 \
+ -device pcie-root-port,..,bus=pci.x \
+ ...
+ -device pxb-pcie,bus_nr=37,id=pci.y,numa_node=1,bus=pcie.0 \
+ -device pcie-root-port,..,bus=pci.y \
+ ...
+
+```
+2. Ensure the guest uses 2-level device table
+3. Perform VM migration which calls save/restore device tables
+
+In that setup, we get a big "offset" between 2 device_ids,
+which makes unsigned "len" round up a big positive number,
+causing the scan loop to continue with a bad GPA. For example:
+
+1. L1 table has 2 entries;
+2. and we are now scanning at L2 table entry index 2075 (pointed
+ to by L1 first entry)
+3. if next device id is 9472, we will get a big offset: 7397;
+4. with unsigned 'len', 'len -= offset * esz', len will underflow to a
+ positive number, mistakenly into next iteration with a bad GPA;
+ (It should break out of the current L2 table scanning, and jump
+ into the next L1 table entry)
+5. that bad GPA fails the guest read.
+
+Fix it by stopping the L2 table scan when the next device id is
+outside of the current table, allowing the scan to continue from
+the next L1 table entry.
+
+Thanks to Eric Auger for the fix suggestion.
+
+Fixes: 920a7a8fa92a ("KVM: arm64: vgic-its: Add infrastructure for tableookup")
+Suggested-by: Eric Auger
+Signed-off-by: Eric Ren
+[maz: commit message tidy-up]
+Signed-off-by: Marc Zyngier
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/d9c3a564af9e2c5bf63f48a7dcbf08cd593c5c0b.1665802985.git.renzhengeek@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/arm/vgic/vgic-its.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -1835,7 +1835,7 @@ static int scan_its_table(struct vgic_it
+
+ memset(entry, 0, esz);
+
+- while (len > 0) {
++ while (true) {
+ int next_offset;
+ size_t byte_offset;
+
+@@ -1848,6 +1848,9 @@ static int scan_its_table(struct vgic_it
+ return next_offset;
+
+ byte_offset = next_offset * esz;
++ if (byte_offset >= len)
++ break;
++
+ id += next_offset;
+ gpa += byte_offset;
+ len -= byte_offset;
diff --git a/queue-4.14/ocfs2-clear-dinode-links-count-in-case-of-error.patch b/queue-4.14/ocfs2-clear-dinode-links-count-in-case-of-error.patch
new file mode 100644
index 00000000000..c00074ee9a7
--- /dev/null
+++ b/queue-4.14/ocfs2-clear-dinode-links-count-in-case-of-error.patch
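Review bot: With `while (true)` the first guest read in scan_its_table() no longer depends on `len`, so a call whose `len` is smaller than one entry still reads `esz` bytes at `gpa`, where the old `while (len > 0)` at least skipped the loop for a zero-length table. Whether any caller can pass such a length is not visible here, but the table geometry comes from the state being restored, so I would add a guard on `len < esz` ahead of the loop that takes the same exit as the new `break`. Separately, `byte_offset = next_offset * esz;` multiplies before the result is widened to size_t; if `esz` is also an int (its declaration is outside the hunk), a comment stating the upper bound the callback can return for `next_offset` would make the `byte_offset >= len` comparison easier to trust. The function starts and ends outside both hunks.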
@@ -0,0 +1,77 @@
+From 28f4821b1b53e0649706912e810c6c232fc506f9 Mon Sep 17 00:00:00 2001
+From: Joseph Qi
+Date: Mon, 17 Oct 2022 21:02:27 +0800
+Subject: ocfs2: clear dinode links count in case of error
+
+From: Joseph Qi
+
+commit 28f4821b1b53e0649706912e810c6c232fc506f9 upstream.
+
+In ocfs2_mknod(), if error occurs after dinode successfully allocated,
+ocfs2 i_links_count will not be 0.
+
+So even though we clear inode i_nlink before iput in error handling, it
+still won't wipe inode since we'll refresh inode from dinode during inode
+lock. So just like clear inode i_nlink, we clear ocfs2 i_links_count as
+well. Also do the same change for ocfs2_symlink().
+
+Link: https://lkml.kernel.org/r/20221017130227.234480-2-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi
+Reported-by: Yan Wang
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/namei.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -244,6 +244,7 @@ static int ocfs2_mknod(struct inode *dir
+ handle_t *handle = NULL;
+ struct ocfs2_super *osb;
+ struct ocfs2_dinode *dirfe;
++ struct ocfs2_dinode *fe = NULL;
+ struct buffer_head *new_fe_bh = NULL;
+ struct inode *inode = NULL;
+ struct ocfs2_alloc_context *inode_ac = NULL;
+@@ -394,6 +395,7 @@ static int ocfs2_mknod(struct inode *dir
+ goto leave;
+ }
+
++ fe = (struct ocfs2_dinode *) new_fe_bh->b_data;
+ if (S_ISDIR(mode)) {
+ status = ocfs2_fill_new_dir(osb, handle, dir, inode,
+ new_fe_bh, data_ac, meta_ac);
+@@ -459,8 +461,11 @@ static int ocfs2_mknod(struct inode *dir
+ leave:
+ if (status < 0 && did_quota_inode)
+ dquot_free_inode(inode);
+- if (handle)
++ if (handle) {
++ if (status < 0 && fe)
++ ocfs2_set_links_count(fe, 0);
+ ocfs2_commit_trans(osb, handle);
++ }
+
+ ocfs2_inode_unlock(dir, 1);
+ if (did_block_signals)
+@@ -2030,8 +2035,11 @@ bail:
+ ocfs2_clusters_to_bytes(osb->sb, 1));
+ if (status < 0 && did_quota_inode)
+ dquot_free_inode(inode);
+- if (handle)
++ if (handle) {
++ if (status < 0 && fe)
++ ocfs2_set_links_count(fe, 0);
+ ocfs2_commit_trans(osb, handle);
++ }
+
+ ocfs2_inode_unlock(dir, 1);
+ if (did_block_signals)
diff --git a/queue-4.14/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch b/queue-4.14/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
new file mode 100644
index 00000000000..6abff61b250
--- /dev/null
+++ b/queue-4.14/ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
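Review bot: The error-path write `ocfs2_set_links_count(fe, 0);` under `leave:` and again under `bail:` carries no comment, and the reason for it exists only in the commit message. I would add above each one `/* Zero the on-disk link count too: the inode lock refreshes i_nlink from the dinode, so iput() would not wipe the inode otherwise. */`. In the `bail:` hunk `fe` is declared outside the visible lines, so it is worth confirming on 4.14 that it is initialised to NULL there, as the added `struct ocfs2_dinode *fe = NULL;` is in ocfs2_mknod(); otherwise `status < 0 && fe` would test an indeterminate pointer on an early failure. Both functions start and end outside the hunks.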
@@ -0,0 +1,60 @@
+From 759a7c6126eef5635506453e9b9d55a6a3ac2084 Mon Sep 17 00:00:00 2001
+From: Joseph Qi
+Date: Mon, 17 Oct 2022 21:02:26 +0800
+Subject: ocfs2: fix BUG when iput after ocfs2_mknod fails
+
+From: Joseph Qi
+
+commit 759a7c6126eef5635506453e9b9d55a6a3ac2084 upstream.
+
+Commit b1529a41f777 "ocfs2: should reclaim the inode if
+'__ocfs2_mknod_locked' returns an error" tried to reclaim the claimed
+inode if __ocfs2_mknod_locked() fails later. But this introduce a race,
+the freed bit may be reused immediately by another thread, which will
+update dinode, e.g. i_generation. Then iput this inode will lead to BUG:
+inode->i_generation != le32_to_cpu(fe->i_generation)
+
+We could make this inode as bad, but we did want to do operations like
+wipe in some cases. Since the claimed inode bit can only affect that an
+dinode is missing and will return back after fsck, it seems not a big
+problem. So just leave it as is by revert the reclaim logic.
+
+Link: https://lkml.kernel.org/r/20221017130227.234480-1-joseph.qi@linux.alibaba.com
+Fixes: b1529a41f777 ("ocfs2: should reclaim the inode if '__ocfs2_mknod_locked' returns an error")
+Signed-off-by: Joseph Qi
+Reported-by: Yan Wang
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/namei.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -643,18 +643,9 @@ static int ocfs2_mknod_locked(struct ocf
+ return status;
+ }
+
+- status = __ocfs2_mknod_locked(dir, inode, dev, new_fe_bh,
++ return __ocfs2_mknod_locked(dir, inode, dev, new_fe_bh,
+ parent_fe_bh, handle, inode_ac,
+ fe_blkno, suballoc_loc, suballoc_bit);
+- if (status < 0) {
+- u64 bg_blkno = ocfs2_which_suballoc_group(fe_blkno, suballoc_bit);
+- int tmp = ocfs2_free_suballoc_bits(handle, inode_ac->ac_inode,
+- inode_ac->ac_bh, suballoc_bit, bg_blkno, 1);
+- if (tmp)
+- mlog_errno(tmp);
+- }
+-
+- return status;
+ }
+
+ static int ocfs2_mkdir(struct inode *dir,
diff --git a/queue-4.14/series b/queue-4.14/series
index e69de29bb2d..241b960b855 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -0,0 +1,6 @@
+ocfs2-clear-dinode-links-count-in-case-of-error.patch
+ocfs2-fix-bug-when-iput-after-ocfs2_mknod-fails.patch
+x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
+ata-ahci-imx-fix-module_alias.patch
+ata-ahci-match-em_max_slots-with-sata_pmp_max_ports.patch
+kvm-arm64-vgic-fix-exit-condition-in-scan_its_table.patch
diff --git a/queue-4.14/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch b/queue-4.14/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
new file mode 100644
index 00000000000..5c94e799c53
--- /dev/null
+++ b/queue-4.14/x86-microcode-amd-apply-the-patch-early-on-every-logical-thread.patch
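Review bot: Nothing in the new code records that ocfs2_mknod_locked() now leaves the claimed suballocator bit set when `__ocfs2_mknod_locked()` fails, so the missing cleanup reads like an oversight. A comment above the `return __ocfs2_mknod_locked(...)` line, e.g. `/* On failure the claimed inode bit is left set on purpose: freeing it here raced with reuse by another thread; fsck reclaims it. */`, would stop a later cleanup from re-adding the free and bringing back the i_generation BUG described in the message. The start of the function is outside the hunk.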
@@ -0,0 +1,76 @@
+From e7ad18d1169c62e6c78c01ff693fd362d9d65278 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Wed, 5 Oct 2022 12:00:08 +0200
+Subject: x86/microcode/AMD: Apply the patch early on every logical thread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov
+
+commit e7ad18d1169c62e6c78c01ff693fd362d9d65278 upstream.
+
+Currently, the patch application logic checks whether the revision
+needs to be applied on each logical CPU (SMT thread). Therefore, on SMT
+designs where the microcode engine is shared between the two threads,
+the application happens only on one of them as that is enough to update
+the shared microcode engine.
+
+However, there are microcode patches which do per-thread modification,
+see Link tag below.
+
+Therefore, drop the revision check and try applying on each thread. This
+is what the BIOS does too so this method is very much tested.
+
+Btw, change only the early paths. On the late loading paths, there's no
+point in doing per-thread modification because if is it some case like
+in the bugzilla below - removing a CPUID flag - the kernel cannot go and
+un-use features it has detected are there early. For that, one should
+use early loading anyway.
+
+ [ bp: Fixes does not contain the oldest commit which did check for
+ equality but that is good enough. ]
+
+Fixes: 8801b3fcb574 ("x86/microcode/AMD: Rework container parsing")
+Reported-by: Ștefan Talpalaru
+Signed-off-by: Borislav Petkov
+Tested-by: Ștefan Talpalaru
+Cc:
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216211
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/microcode/amd.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -222,7 +222,13 @@ apply_microcode_early_amd(u32 cpuid_1_ea
+ return ret;
+
+ native_rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy);
+- if (rev >= mc->hdr.patch_id)
++
++ /*
++ * Allow application of the same revision to pick up SMT-specific
++ * changes even if the revision of the other SMT thread is already
++ * up-to-date.
++ */
++ if (rev > mc->hdr.patch_id)
+ return ret;
+
+ if (!__apply_microcode_amd(mc)) {
+@@ -304,8 +310,12 @@ void load_ucode_amd_ap(unsigned int cpui
+
+ native_rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy);
+
+- /* Check whether we have saved a new patch already: */
+- if (*new_rev && rev < mc->hdr.patch_id) {
++ /*
++ * Check whether a new patch has been saved already. Also, allow application of
++ * the same revision in order to pick up SMT-thread-specific configuration even
++ * if the sibling SMT thread already has an up-to-date revision.
++ */
++ if (*new_rev && rev <= mc->hdr.patch_id) {
+ if (!__apply_microcode_amd(mc)) {
+ *new_rev = mc->hdr.patch_id;
+ return;
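Review bot: Once `rev == mc->hdr.patch_id` takes the apply path, in `if (rev > mc->hdr.patch_id)` and in `if (*new_rev && rev <= mc->hdr.patch_id) {`, the patch level read before the write already equals the target, so a revision readback cannot show that the re-apply took effect on this thread. The body of `__apply_microcode_amd()` is not on this page; if it confirms success by comparing the patch level with `mc->hdr.patch_id`, a write that was ignored would still look successful and one SMT sibling could be left without the per-thread change the message describes. I would record that limit in the new comments, e.g. `* Note: for an equal revision the patch level cannot confirm the re-apply.`. The second comment block also runs past 80 columns and restates the first in different words; wrapping it and using the same wording in both places would help. Both functions start and end outside the hunks.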