From: Greg Kroah-Hartman Date: Wed, 21 Feb 2024 08:52:38 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v4.19.307~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=822353828bc6aa566fee5971fc56cd32e33d16bd;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: dm-limit-the-number-of-targets-and-parameter-size-area.patch nilfs2-fix-potential-bug-in-end_buffer_async_write.patch of-property-add-in-ports-out-ports-support-to-of_graph_get_port_parent.patch sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch --- diff --git a/queue-6.6/dm-limit-the-number-of-targets-and-parameter-size-area.patch b/queue-6.6/dm-limit-the-number-of-targets-and-parameter-size-area.patch new file mode 100644 index 00000000000..48230ea8b06 --- /dev/null +++ b/queue-6.6/dm-limit-the-number-of-targets-and-parameter-size-area.patch @@ -0,0 +1,72 @@ +From bd504bcfec41a503b32054da5472904b404341a4 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 9 Jan 2024 15:57:56 +0100 +Subject: dm: limit the number of targets and parameter size area + +From: Mikulas Patocka + +commit bd504bcfec41a503b32054da5472904b404341a4 upstream. + +The kvmalloc function fails with a warning if the size is larger than +INT_MAX. The warning was triggered by a syscall testing robot. + +In order to avoid the warning, this commit limits the number of targets to +1048576 and the size of the parameter area to 1073741824. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-core.h | 2 ++ + drivers/md/dm-ioctl.c | 3 ++- + drivers/md/dm-table.c | 9 +++++++-- + 3 files changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-core.h ++++ b/drivers/md/dm-core.h +@@ -22,6 +22,8 @@ + #include "dm-ima.h" + + #define DM_RESERVED_MAX_IOS 1024 ++#define DM_MAX_TARGETS 1048576 ++#define DM_MAX_TARGET_PARAMS 1024 + + struct dm_io; + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1941,7 +1941,8 @@ static int copy_params(struct dm_ioctl _ + minimum_data_size - sizeof(param_kernel->version))) + return -EFAULT; + +- if (param_kernel->data_size < minimum_data_size) { ++ if (unlikely(param_kernel->data_size < minimum_data_size) || ++ unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) { + DMERR("Invalid data size in the ioctl structure: %u", + param_kernel->data_size); + return -EINVAL; +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -129,7 +129,12 @@ static int alloc_targets(struct dm_table + int dm_table_create(struct dm_table **result, blk_mode_t mode, + unsigned int num_targets, struct mapped_device *md) + { +- struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL); ++ struct dm_table *t; ++ ++ if (num_targets > DM_MAX_TARGETS) ++ return -EOVERFLOW; ++ ++ t = kzalloc(sizeof(*t), GFP_KERNEL); + + if (!t) + return -ENOMEM; +@@ -144,7 +149,7 @@ int dm_table_create(struct dm_table **re + + if (!num_targets) { + kfree(t); +- return -ENOMEM; ++ return -EOVERFLOW; + } + + if (alloc_targets(t, num_targets)) { diff --git a/queue-6.6/nilfs2-fix-potential-bug-in-end_buffer_async_write.patch b/queue-6.6/nilfs2-fix-potential-bug-in-end_buffer_async_write.patch new file mode 100644 index 00000000000..d28755e85b1 --- /dev/null +++ b/queue-6.6/nilfs2-fix-potential-bug-in-end_buffer_async_write.patch @@ -0,0 +1,99 @@ +From 5bc09b397cbf1221f8a8aacb1152650c9195b02b Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sun, 4 Feb 2024 01:16:45 +0900 +Subject: nilfs2: fix potential bug in end_buffer_async_write + +From: Ryusuke Konishi + +commit 5bc09b397cbf1221f8a8aacb1152650c9195b02b upstream. + +According to a syzbot report, end_buffer_async_write(), which handles the +completion of block device writes, may detect abnormal condition of the +buffer async_write flag and cause a BUG_ON failure when using nilfs2. + +Nilfs2 itself does not use end_buffer_async_write(). But, the async_write +flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue +with race condition of competition between segments for dirty blocks") as +a means of resolving double list insertion of dirty blocks in +nilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the +resulting crash. + +This modification is safe as long as it is used for file data and b-tree +node blocks where the page caches are independent. However, it was +irrelevant and redundant to also introduce async_write for segment summary +and super root blocks that share buffers with the backing device. This +led to the possibility that the BUG_ON check in end_buffer_async_write +would fail as described above, if independent writebacks of the backing +device occurred in parallel. + +The use of async_write for segment summary buffers has already been +removed in a previous change. + +Fix this issue by removing the manipulation of the async_write flag for +the remaining super root block buffer. + +Link: https://lkml.kernel.org/r/20240203161645.4992-1-konishi.ryusuke@gmail.com +Fixes: 7f42ec394156 ("nilfs2: fix issue with race condition of competition between segments for dirty blocks") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+5c04210f7c7f897c1e7f@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/00000000000019a97c05fd42f8c8@google.com +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/segment.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -1704,7 +1704,6 @@ static void nilfs_segctor_prepare_write( + + list_for_each_entry(bh, &segbuf->sb_payload_buffers, + b_assoc_buffers) { +- set_buffer_async_write(bh); + if (bh == segbuf->sb_super_root) { + if (bh->b_page != bd_page) { + lock_page(bd_page); +@@ -1715,6 +1714,7 @@ static void nilfs_segctor_prepare_write( + } + break; + } ++ set_buffer_async_write(bh); + if (bh->b_page != fs_page) { + nilfs_begin_page_io(fs_page); + fs_page = bh->b_page; +@@ -1800,7 +1800,6 @@ static void nilfs_abort_logs(struct list + + list_for_each_entry(bh, &segbuf->sb_payload_buffers, + b_assoc_buffers) { +- clear_buffer_async_write(bh); + if (bh == segbuf->sb_super_root) { + clear_buffer_uptodate(bh); + if (bh->b_page != bd_page) { +@@ -1809,6 +1808,7 @@ static void nilfs_abort_logs(struct list + } + break; + } ++ clear_buffer_async_write(bh); + if (bh->b_page != fs_page) { + nilfs_end_page_io(fs_page, err); + fs_page = bh->b_page; +@@ -1896,8 +1896,9 @@ static void nilfs_segctor_complete_write + BIT(BH_Delay) | BIT(BH_NILFS_Volatile) | + BIT(BH_NILFS_Redirected)); + +- set_mask_bits(&bh->b_state, clear_bits, set_bits); + if (bh == segbuf->sb_super_root) { ++ set_buffer_uptodate(bh); ++ clear_buffer_dirty(bh); + if (bh->b_page != bd_page) { + end_page_writeback(bd_page); + bd_page = bh->b_page; +@@ -1905,6 +1906,7 @@ static void nilfs_segctor_complete_write + update_sr = true; + break; + } ++ set_mask_bits(&bh->b_state, clear_bits, set_bits); + if (bh->b_page != fs_page) { + nilfs_end_page_io(fs_page, 0); + fs_page = bh->b_page; diff --git a/queue-6.6/of-property-add-in-ports-out-ports-support-to-of_graph_get_port_parent.patch b/queue-6.6/of-property-add-in-ports-out-ports-support-to-of_graph_get_port_parent.patch new file mode 100644 index 00000000000..fab115ca991 --- /dev/null +++ b/queue-6.6/of-property-add-in-ports-out-ports-support-to-of_graph_get_port_parent.patch @@ -0,0 +1,38 @@ +From 8f1e0d791b5281f3a38620bc7c57763dc551be15 Mon Sep 17 00:00:00 2001 +From: Saravana Kannan +Date: Tue, 6 Feb 2024 17:18:02 -0800 +Subject: of: property: Add in-ports/out-ports support to of_graph_get_port_parent() + +From: Saravana Kannan + +commit 8f1e0d791b5281f3a38620bc7c57763dc551be15 upstream. + +Similar to the existing "ports" node name, coresight device tree bindings +have added "in-ports" and "out-ports" as standard node names for a +collection of ports. + +Add support for these name to of_graph_get_port_parent() so that +remote-endpoint parsing can find the correct parent node for these +coresight ports too. + +Signed-off-by: Saravana Kannan +Link: https://lore.kernel.org/r/20240207011803.2637531-4-saravanak@google.com +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/property.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/of/property.c ++++ b/drivers/of/property.c +@@ -762,7 +762,9 @@ struct device_node *of_graph_get_port_pa + /* Walk 3 levels up only if there is 'ports' node. */ + for (depth = 3; depth && node; depth--) { + node = of_get_next_parent(node); +- if (depth == 2 && !of_node_name_eq(node, "ports")) ++ if (depth == 2 && !of_node_name_eq(node, "ports") && ++ !of_node_name_eq(node, "in-ports") && ++ !of_node_name_eq(node, "out-ports")) + break; + } + return node; diff --git a/queue-6.6/sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch b/queue-6.6/sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch new file mode 100644 index 00000000000..dc6efdef8cc --- /dev/null +++ b/queue-6.6/sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch @@ -0,0 +1,60 @@ +From 944d5fe50f3f03daacfea16300e656a1691c4a23 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sun, 4 Feb 2024 15:25:12 +0000 +Subject: sched/membarrier: reduce the ability to hammer on sys_membarrier + +From: Linus Torvalds + +commit 944d5fe50f3f03daacfea16300e656a1691c4a23 upstream. + +On some systems, sys_membarrier can be very expensive, causing overall +slowdowns for everything. So put a lock on the path in order to +serialize the accesses to prevent the ability for this to be called at +too high of a frequency and saturate the machine. + +Reviewed-and-tested-by: Mathieu Desnoyers +Acked-by: Borislav Petkov +Fixes: 22e4ebb97582 ("membarrier: Provide expedited private command") +Fixes: c5f58bd58f43 ("membarrier: Provide GLOBAL_EXPEDITED command") +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/membarrier.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/sched/membarrier.c ++++ b/kernel/sched/membarrier.c +@@ -162,6 +162,9 @@ + | MEMBARRIER_PRIVATE_EXPEDITED_RSEQ_BITMASK \ + | MEMBARRIER_CMD_GET_REGISTRATIONS) + ++static DEFINE_MUTEX(membarrier_ipi_mutex); ++#define SERIALIZE_IPI() guard(mutex)(&membarrier_ipi_mutex) ++ + static void ipi_mb(void *info) + { + smp_mb(); /* IPIs should be serializing but paranoid. */ +@@ -259,6 +262,7 @@ static int membarrier_global_expedited(v + if (!zalloc_cpumask_var(&tmpmask, GFP_KERNEL)) + return -ENOMEM; + ++ SERIALIZE_IPI(); + cpus_read_lock(); + rcu_read_lock(); + for_each_online_cpu(cpu) { +@@ -347,6 +351,7 @@ static int membarrier_private_expedited( + if (cpu_id < 0 && !zalloc_cpumask_var(&tmpmask, GFP_KERNEL)) + return -ENOMEM; + ++ SERIALIZE_IPI(); + cpus_read_lock(); + + if (cpu_id >= 0) { +@@ -460,6 +465,7 @@ static int sync_runqueues_membarrier_sta + * between threads which are users of @mm has its membarrier state + * updated. + */ ++ SERIALIZE_IPI(); + cpus_read_lock(); + rcu_read_lock(); + for_each_online_cpu(cpu) { diff --git a/queue-6.6/series b/queue-6.6/series index 670429e01f2..a2fe973ddaf 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -328,3 +328,7 @@ x86-boot-drop-pe-coff-.reloc-section.patch x86-boot-split-off-pe-coff-.data-section.patch x86-boot-increase-section-and-file-alignment-to-4k-512.patch x86-efistub-use-1-1-file-memory-mapping-for-pe-coff-.compat-section.patch +sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch +of-property-add-in-ports-out-ports-support-to-of_graph_get_port_parent.patch +nilfs2-fix-potential-bug-in-end_buffer_async_write.patch +dm-limit-the-number-of-targets-and-parameter-size-area.patch