From: Greg Kroah-Hartman Date: Sun, 17 Nov 2024 20:37:17 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v6.12.1~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bcadeb4773ba9ef7bdfccfbc43f09a228d148358;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint.patch nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint.patch ocfs2-fix-ubsan-warning-in-ocfs2_verify_volume.patch ocfs2-uncache-inode-which-has-failed-entering-the-group.patch revert-mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch --- diff --git a/queue-4.19/netlink-terminate-outstanding-dump-on-socket-close.patch b/queue-4.19/netlink-terminate-outstanding-dump-on-socket-close.patch index 765e166fb30..4ed58a109c2 100644 --- a/queue-4.19/netlink-terminate-outstanding-dump-on-socket-close.patch +++ b/queue-4.19/netlink-terminate-outstanding-dump-on-socket-close.patch @@ -50,15 +50,13 @@ Link: https://patch.msgid.link/20241106015235.2458807-1-kuba@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- - net/netlink/af_netlink.c | 31 ++++++++----------------------- - net/netlink/af_netlink.h | 2 -- + net/netlink/af_netlink.c | 31 ++++++++----------------------- + net/netlink/af_netlink.h | 2 -- 2 files changed, 8 insertions(+), 25 deletions(-) -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 2e26ecb46707c..8c397697e47fa 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c -@@ -393,15 +393,6 @@ static void netlink_skb_set_owner_r(struct sk_buff *skb, struct sock *sk) +@@ -393,15 +393,6 @@ static void netlink_skb_set_owner_r(stru static void netlink_sock_destruct(struct sock *sk) { 
@@ -74,7 +72,7 @@ index 2e26ecb46707c..8c397697e47fa 100644 skb_queue_purge(&sk->sk_receive_queue); if (!sock_flag(sk, SOCK_DEAD)) { -@@ -414,14 +405,6 @@ static void netlink_sock_destruct(struct sock *sk) +@@ -414,14 +405,6 @@ static void netlink_sock_destruct(struct WARN_ON(nlk_sk(sk)->groups); } @@ -89,7 +87,7 @@ index 2e26ecb46707c..8c397697e47fa 100644 /* This lock without WQ_FLAG_EXCLUSIVE is good on UP and it is _very_ bad on * SMP. Look, when several writers sleep and reader wakes them up, all but one * immediately hit write lock and grab all the cpus. Exclusive sleep solves -@@ -738,12 +721,6 @@ static void deferred_put_nlk_sk(struct rcu_head *head) +@@ -738,12 +721,6 @@ static void deferred_put_nlk_sk(struct r if (!refcount_dec_and_test(&sk->sk_refcnt)) return; @@ -102,7 +100,7 @@ index 2e26ecb46707c..8c397697e47fa 100644 sk_free(sk); } -@@ -793,6 +770,14 @@ static int netlink_release(struct socket *sock) +@@ -793,6 +770,14 @@ static int netlink_release(struct socket NETLINK_URELEASE, &n); } @@ -117,8 +115,6 @@ index 2e26ecb46707c..8c397697e47fa 100644 module_put(nlk->module); if (netlink_is_kernel(sk)) { -diff --git a/net/netlink/af_netlink.h b/net/netlink/af_netlink.h -index 962de7b3c023d..c61e634693eaa 100644 --- a/net/netlink/af_netlink.h +++ b/net/netlink/af_netlink.h @@ -4,7 +4,6 @@ @@ -137,6 +133,3 @@ index 962de7b3c023d..c61e634693eaa 100644 }; static inline struct netlink_sock *nlk_sk(struct sock *sk) --- -2.43.0 - diff --git a/queue-4.19/nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint.patch b/queue-4.19/nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint.patch new file mode 100644 index 00000000000..e517ccdf2c7 --- /dev/null +++ b/queue-4.19/nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint.patch 
@@ -0,0 +1,100 @@
+From 2026559a6c4ce34db117d2db8f710fe2a9420d5a Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Thu, 7 Nov 2024 01:07:33 +0900
+Subject: nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
+
+From: Ryusuke Konishi
+
+commit 2026559a6c4ce34db117d2db8f710fe2a9420d5a upstream.
+
+When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty()
+may cause a NULL pointer dereference, or a general protection fault when
+KASAN is enabled.
+
+This happens because, since the tracepoint was added in
+mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev
+regardless of whether the buffer head has a pointer to a block_device
+structure.
+
+In the current implementation, nilfs_grab_buffer(), which grabs a buffer
+to read (or create) a block of metadata, including b-tree node blocks,
+does not set the block device, but instead does so only if the buffer is
+not in the "uptodate" state for each of its caller block reading
+functions. However, if the uptodate flag is set on a folio/page, and the
+buffer heads are detached from it by try_to_free_buffers(), and new buffer
+heads are then attached by create_empty_buffers(), the uptodate flag may
+be restored to each buffer without the block device being set to
+bh->b_bdev, and mark_buffer_dirty() may be called later in that state,
+resulting in the bug mentioned above.
+
+Fix this issue by making nilfs_grab_buffer() always set the block device
+of the super block structure to the buffer head, regardless of the state
+of the buffer's uptodate flag.
+
+Link: https://lkml.kernel.org/r/20241106160811.3316-3-konishi.ryusuke@gmail.com
+Fixes: 5305cb830834 ("block: add block_{touch|dirty}_buffer tracepoint")
+Signed-off-by: Ryusuke Konishi
+Cc: Tejun Heo
+Cc: Ubisectech Sirius
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/btnode.c | 2 --
+ fs/nilfs2/gcinode.c | 4 +---
+ fs/nilfs2/mdt.c | 1 -
+ fs/nilfs2/page.c | 1 +
+ 4 files changed, 2 insertions(+), 6 deletions(-)
+
+--- a/fs/nilfs2/btnode.c
++++ b/fs/nilfs2/btnode.c
+@@ -68,7 +68,6 @@ nilfs_btnode_create_block(struct address
+ goto failed;
+ }
+ memset(bh->b_data, 0, i_blocksize(inode));
+- bh->b_bdev = inode->i_sb->s_bdev;
+ bh->b_blocknr = blocknr;
+ set_buffer_mapped(bh);
+ set_buffer_uptodate(bh);
+@@ -133,7 +132,6 @@ int nilfs_btnode_submit_block(struct add
+ goto found;
+ }
+ set_buffer_mapped(bh);
+- bh->b_bdev = inode->i_sb->s_bdev;
+ bh->b_blocknr = pblocknr; /* set block address for read */
+ bh->b_end_io = end_buffer_read_sync;
+ get_bh(bh);
+--- a/fs/nilfs2/gcinode.c
++++ b/fs/nilfs2/gcinode.c
+@@ -83,10 +83,8 @@ int nilfs_gccache_submit_read_data(struc
+ goto out;
+ }
+
+- if (!buffer_mapped(bh)) {
+- bh->b_bdev = inode->i_sb->s_bdev;
++ if (!buffer_mapped(bh))
+ set_buffer_mapped(bh);
+- }
+ bh->b_blocknr = pbn;
+ bh->b_end_io = end_buffer_read_sync;
+ get_bh(bh);
+--- a/fs/nilfs2/mdt.c
++++ b/fs/nilfs2/mdt.c
+@@ -89,7 +89,6 @@ static int nilfs_mdt_create_block(struct
+ if (buffer_uptodate(bh))
+ goto failed_bh;
+
+- bh->b_bdev = sb->s_bdev;
+ err = nilfs_mdt_insert_new_block(inode, block, bh, init_block);
+ if (likely(!err)) {
+ get_bh(bh);
+--- a/fs/nilfs2/page.c
++++ b/fs/nilfs2/page.c
+@@ -63,6 +63,7 @@ struct buffer_head *nilfs_grab_buffer(st
+ put_page(page);
+ return NULL;
+ }
++ bh->b_bdev = inode->i_sb->s_bdev;
+ return bh;
+ }
+
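Review bot: The line added to nilfs_grab_buffer() in the fs/nilfs2/page.c hunk has no comment, so nothing tells a later reader that the assignment is deliberately unconditional and must not be moved back into the per-caller branches this patch removes. I would add `/* Always set b_bdev: block tracepoints dereference bh->b_bdev->bd_dev, even for buffers that are already uptodate */` above `bh->b_bdev = inode->i_sb->s_bdev;`. The hunk covers only buffers obtained through nilfs_grab_buffer(); whether any other nilfs2 path in the 4.19 tree attaches buffer heads without setting b_bdev cannot be judged from the lines shown and is worth confirming. The body of nilfs_grab_buffer() starts outside the hunk.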
diff --git a/queue-4.19/nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint.patch b/queue-4.19/nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint.patch
new file mode 100644
index 00000000000..e7341d83ce4
--- /dev/null
+++ b/queue-4.19/nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint.patch
@@ -0,0 +1,63 @@
+From cd45e963e44b0f10d90b9e6c0e8b4f47f3c92471 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Thu, 7 Nov 2024 01:07:32 +0900
+Subject: nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
+
+From: Ryusuke Konishi
+
+commit cd45e963e44b0f10d90b9e6c0e8b4f47f3c92471 upstream.
+
+Patch series "nilfs2: fix null-ptr-deref bugs on block tracepoints".
+
+This series fixes null pointer dereference bugs that occur when using
+nilfs2 and two block-related tracepoints.
+
+
+This patch (of 2):
+
+It has been reported that when using "block:block_touch_buffer"
+tracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a
+NULL pointer dereference, or a general protection fault when KASAN is
+enabled.
+
+This happens because since the tracepoint was added in touch_buffer(), it
+references the dev_t member bh->b_bdev->bd_dev regardless of whether the
+buffer head has a pointer to a block_device structure. In the current
+implementation, the block_device structure is set after the function
+returns to the caller.
+
+Here, touch_buffer() is used to mark the folio/page that owns the buffer
+head as accessed, but the common search helper for folio/page used by the
+caller function was optimized to mark the folio/page as accessed when it
+was reimplemented a long time ago, eliminating the need to call
+touch_buffer() here in the first place.
+
+So this solves the issue by eliminating the touch_buffer() call itself.
+
+Link: https://lkml.kernel.org/r/20241106160811.3316-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20241106160811.3316-2-konishi.ryusuke@gmail.com
+Fixes: 5305cb830834 ("block: add block_{touch|dirty}_buffer tracepoint")
+Signed-off-by: Ryusuke Konishi
+Reported-by: Ubisectech Sirius
+Closes: https://lkml.kernel.org/r/86bd3013-887e-4e38-960f-ca45c657f032.bugreport@valiantsec.com
+Reported-by: syzbot+9982fb8d18eba905abe2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9982fb8d18eba905abe2
+Tested-by: syzbot+9982fb8d18eba905abe2@syzkaller.appspotmail.com
+Cc: Tejun Heo
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/page.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/nilfs2/page.c
++++ b/fs/nilfs2/page.c
+@@ -39,7 +39,6 @@ __nilfs_get_page_block(struct page *page
+ first_block = (unsigned long)index << (PAGE_SHIFT - blkbits);
+ bh = nilfs_page_get_nth_block(page, block - first_block);
+
+- touch_buffer(bh);
+ wait_on_buffer(bh);
+ return bh;
+ }
diff --git a/queue-4.19/ocfs2-fix-ubsan-warning-in-ocfs2_verify_volume.patch b/queue-4.19/ocfs2-fix-ubsan-warning-in-ocfs2_verify_volume.patch
new file mode 100644
index 00000000000..48b30539a08
--- /dev/null
+++ b/queue-4.19/ocfs2-fix-ubsan-warning-in-ocfs2_verify_volume.patch
@@ -0,0 +1,125 @@
+From 23aab037106d46e6168ce1214a958ce9bf317f2e Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov
+Date: Wed, 6 Nov 2024 12:21:00 +0300
+Subject: ocfs2: fix UBSAN warning in ocfs2_verify_volume()
+
+From: Dmitry Antipov
+
+commit 23aab037106d46e6168ce1214a958ce9bf317f2e upstream.
+
+Syzbot has reported the following splat triggered by UBSAN:
+
+UBSAN: shift-out-of-bounds in fs/ocfs2/super.c:2336:10
+shift exponent 32768 is too large for 32-bit type 'int'
+CPU: 2 UID: 0 PID: 5255 Comm: repro Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x241/0x360
+ ? __pfx_dump_stack_lvl+0x10/0x10
+ ? __pfx__printk+0x10/0x10
+ ? __asan_memset+0x23/0x50
+ ? lockdep_init_map_type+0xa1/0x910
+ __ubsan_handle_shift_out_of_bounds+0x3c8/0x420
+ ocfs2_fill_super+0xf9c/0x5750
+ ? __pfx_ocfs2_fill_super+0x10/0x10
+ ? __pfx_validate_chain+0x10/0x10
+ ? __pfx_validate_chain+0x10/0x10
+ ? validate_chain+0x11e/0x5920
+ ? __lock_acquire+0x1384/0x2050
+ ? __pfx_validate_chain+0x10/0x10
+ ? string+0x26a/0x2b0
+ ? widen_string+0x3a/0x310
+ ? string+0x26a/0x2b0
+ ? bdev_name+0x2b1/0x3c0
+ ? pointer+0x703/0x1210
+ ? __pfx_pointer+0x10/0x10
+ ? __pfx_format_decode+0x10/0x10
+ ? __lock_acquire+0x1384/0x2050
+ ? vsnprintf+0x1ccd/0x1da0
+ ? snprintf+0xda/0x120
+ ? __pfx_lock_release+0x10/0x10
+ ? do_raw_spin_lock+0x14f/0x370
+ ? __pfx_snprintf+0x10/0x10
+ ? set_blocksize+0x1f9/0x360
+ ? sb_set_blocksize+0x98/0xf0
+ ? setup_bdev_super+0x4e6/0x5d0
+ mount_bdev+0x20c/0x2d0
+ ? __pfx_ocfs2_fill_super+0x10/0x10
+ ? __pfx_mount_bdev+0x10/0x10
+ ? vfs_parse_fs_string+0x190/0x230
+ ? __pfx_vfs_parse_fs_string+0x10/0x10
+ legacy_get_tree+0xf0/0x190
+ ? __pfx_ocfs2_mount+0x10/0x10
+ vfs_get_tree+0x92/0x2b0
+ do_new_mount+0x2be/0xb40
+ ? __pfx_do_new_mount+0x10/0x10
+ __se_sys_mount+0x2d6/0x3c0
+ ? __pfx___se_sys_mount+0x10/0x10
+ ? do_syscall_64+0x100/0x230
+ ? __x64_sys_mount+0x20/0xc0
+ do_syscall_64+0xf3/0x230
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f37cae96fda
+Code: 48 8b 0d 51 ce 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e ce 0c 00 f7 d8 64 89 01 48
+RSP: 002b:00007fff6c1aa228 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+RAX: ffffffffffffffda RBX: 00007fff6c1aa240 RCX: 00007f37cae96fda
+RDX: 00000000200002c0 RSI: 0000000020000040 RDI: 00007fff6c1aa240
+RBP: 0000000000000004 R08: 00007fff6c1aa280 R09: 0000000000000000
+R10: 00000000000008c0 R11: 0000000000000206 R12: 00000000000008c0
+R13: 00007fff6c1aa280 R14: 0000000000000003 R15: 0000000001000000
+
+
+For a really damaged superblock, the value of 'i_super.s_blocksize_bits'
+may exceed the maximum possible shift for an underlying 'int'. So add an
+extra check whether the aforementioned field represents the valid block
+size, which is 512 bytes, 1K, 2K, or 4K.
+
+Link: https://lkml.kernel.org/r/20241106092100.2661330-1-dmantipov@yandex.ru
+Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
+Signed-off-by: Dmitry Antipov
+Reported-by: syzbot+56f7cd1abe4b8e475180@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=56f7cd1abe4b8e475180
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/super.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2374,6 +2374,7 @@ static int ocfs2_verify_volume(struct oc
+ struct ocfs2_blockcheck_stats *stats)
+ {
+ int status = -EAGAIN;
++ u32 blksz_bits;
+
+ if (memcmp(di->i_signature, OCFS2_SUPER_BLOCK_SIGNATURE,
+ strlen(OCFS2_SUPER_BLOCK_SIGNATURE)) == 0) {
+@@ -2388,11 +2389,15 @@ static int ocfs2_verify_volume(struct oc
+ goto out;
+ }
+ status = -EINVAL;
+- if ((1 << le32_to_cpu(di->id2.i_super.s_blocksize_bits)) != blksz) {
++ /* Acceptable block sizes are 512 bytes, 1K, 2K and 4K. */
++ blksz_bits = le32_to_cpu(di->id2.i_super.s_blocksize_bits);
++ if (blksz_bits < 9 || blksz_bits > 12) {
+ mlog(ML_ERROR, "found superblock with incorrect block "
+- "size: found %u, should be %u\n",
+- 1 << le32_to_cpu(di->id2.i_super.s_blocksize_bits),
+- blksz);
++ "size bits: found %u, should be 9, 10, 11, or 12\n",
++ blksz_bits);
++ } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {
++ mlog(ML_ERROR, "found superblock with incorrect block "
++ "size: found %u, should be %u\n", 1 << blksz_bits, blksz);
+ } else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) !=
+ OCFS2_MAJOR_REV_LEVEL ||
+ le16_to_cpu(di->id2.i_super.s_minor_rev_level) !=
diff --git a/queue-4.19/ocfs2-uncache-inode-which-has-failed-entering-the-group.patch b/queue-4.19/ocfs2-uncache-inode-which-has-failed-entering-the-group.patch
new file mode 100644
index 00000000000..a22cf48fbed
--- /dev/null
+++ b/queue-4.19/ocfs2-uncache-inode-which-has-failed-entering-the-group.patch
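Review bot: In the second fs/ocfs2/super.c hunk, `} else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {` converts `blksz_bits` a second time, although it was already brought to CPU byte order two lines earlier. On a little-endian host the extra le32_to_cpu() is a no-op, but on a big-endian host it byte-swaps a validated 9..12 into a value such as 0x09000000, so the shift is out of range again (the undefined behaviour this patch is meant to remove) and a valid volume would fail the size comparison. The condition should read `} else if ((1 << blksz_bits) != blksz) {`, matching the `1 << blksz_bits` already passed to mlog() on the next line. ocfs2_verify_volume() begins and ends outside the hunk.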
@@ -0,0 +1,91 @@
+From 737f34137844d6572ab7d473c998c7f977ff30eb Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov
+Date: Thu, 14 Nov 2024 07:38:44 +0300
+Subject: ocfs2: uncache inode which has failed entering the group
+
+From: Dmitry Antipov
+
+commit 737f34137844d6572ab7d473c998c7f977ff30eb upstream.
+
+Syzbot has reported the following BUG:
+
+kernel BUG at fs/ocfs2/uptodate.c:509!
+...
+Call Trace:
+
+ ? __die_body+0x5f/0xb0
+ ? die+0x9e/0xc0
+ ? do_trap+0x15a/0x3a0
+ ? ocfs2_set_new_buffer_uptodate+0x145/0x160
+ ? do_error_trap+0x1dc/0x2c0
+ ? ocfs2_set_new_buffer_uptodate+0x145/0x160
+ ? __pfx_do_error_trap+0x10/0x10
+ ? handle_invalid_op+0x34/0x40
+ ? ocfs2_set_new_buffer_uptodate+0x145/0x160
+ ? exc_invalid_op+0x38/0x50
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? ocfs2_set_new_buffer_uptodate+0x2e/0x160
+ ? ocfs2_set_new_buffer_uptodate+0x144/0x160
+ ? ocfs2_set_new_buffer_uptodate+0x145/0x160
+ ocfs2_group_add+0x39f/0x15a0
+ ? __pfx_ocfs2_group_add+0x10/0x10
+ ? __pfx_lock_acquire+0x10/0x10
+ ? mnt_get_write_access+0x68/0x2b0
+ ? __pfx_lock_release+0x10/0x10
+ ? rcu_read_lock_any_held+0xb7/0x160
+ ? __pfx_rcu_read_lock_any_held+0x10/0x10
+ ? smack_log+0x123/0x540
+ ? mnt_get_write_access+0x68/0x2b0
+ ? mnt_get_write_access+0x68/0x2b0
+ ? mnt_get_write_access+0x226/0x2b0
+ ocfs2_ioctl+0x65e/0x7d0
+ ? __pfx_ocfs2_ioctl+0x10/0x10
+ ? smack_file_ioctl+0x29e/0x3a0
+ ? __pfx_smack_file_ioctl+0x10/0x10
+ ? lockdep_hardirqs_on_prepare+0x43d/0x780
+ ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
+ ? __pfx_ocfs2_ioctl+0x10/0x10
+ __se_sys_ioctl+0xfb/0x170
+ do_syscall_64+0xf3/0x230
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+...
+
+
+When 'ioctl(OCFS2_IOC_GROUP_ADD, ...)' has failed for the particular
+inode in 'ocfs2_verify_group_and_input()', corresponding buffer head
+remains cached and subsequent call to the same 'ioctl()' for the same
+inode issues the BUG() in 'ocfs2_set_new_buffer_uptodate()' (trying
+to cache the same buffer head of that inode). Fix this by uncaching
+the buffer head with 'ocfs2_remove_from_cache()' on error path in
+'ocfs2_group_add()'.
+
+Link: https://lkml.kernel.org/r/20241114043844.111847-1-dmantipov@yandex.ru
+Fixes: 7909f2bf8353 ("[PATCH 2/2] ocfs2: Implement group add for online resize")
+Signed-off-by: Dmitry Antipov
+Reported-by: syzbot+453873f1588c2d75b447@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=453873f1588c2d75b447
+Reviewed-by: Joseph Qi
+Cc: Dmitry Antipov
+Cc: Joel Becker
+Cc: Mark Fasheh
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/resize.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ocfs2/resize.c
++++ b/fs/ocfs2/resize.c
+@@ -582,6 +582,8 @@ out_commit:
+ ocfs2_commit_trans(osb, handle);
+
+ out_free_group_bh:
++ if (ret < 0)
++ ocfs2_remove_from_cache(INODE_CACHE(inode), group_bh);
+ brelse(group_bh);
+
+ out_unlock:
diff --git a/queue-4.19/revert-mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch b/queue-4.19/revert-mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch
new file mode 100644
index 00000000000..cc9f81d39ab
--- /dev/null
+++ b/queue-4.19/revert-mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch
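Review bot: The two lines added under `out_free_group_bh:` in fs/ocfs2/resize.c carry no comment, and the reason for them is not evident from the cleanup code alone. A short comment such as `/* drop group_bh from the inode's metadata cache so a retried OCFS2_IOC_GROUP_ADD does not hit the BUG() in ocfs2_set_new_buffer_uptodate() */` would record why the removal is needed. The label is also reached by fall-through from `out_commit:`, so the removal runs for failures after the transaction was started as well as for the verification failure named in the description. That looks intended but cannot be confirmed here, because the gotos that reach the label lie outside the hunk.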
@@ -0,0 +1,47 @@
+From 1635e407a4a64d08a8517ac59ca14ad4fc785e75 Mon Sep 17 00:00:00 2001
+From: Aurelien Jarno
+Date: Sun, 10 Nov 2024 12:46:36 +0100
+Subject: Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"
+
+From: Aurelien Jarno
+
+commit 1635e407a4a64d08a8517ac59ca14ad4fc785e75 upstream.
+
+The commit 8396c793ffdf ("mmc: dw_mmc: Fix IDMAC operation with pages
+bigger than 4K") increased the max_req_size, even for 4K pages, causing
+various issues:
+- Panic booting the kernel/rootfs from an SD card on Rockchip RK3566
+- Panic booting the kernel/rootfs from an SD card on StarFive JH7100
+- "swiotlb buffer is full" and data corruption on StarFive JH7110
+
+At this stage no fix have been found, so it's probably better to just
+revert the change.
+
+This reverts commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890.
+
+Cc: stable@vger.kernel.org
+Cc: Sam Protsenko
+Fixes: 8396c793ffdf ("mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K")
+Closes: https://lore.kernel.org/linux-mmc/614692b4-1dbe-31b8-a34d-cb6db1909bb7@w6rz.net/
+Closes: https://lore.kernel.org/linux-mmc/CAC8uq=Ppnmv98mpa1CrWLawWoPnu5abtU69v-=G-P7ysATQ2Pw@mail.gmail.com/
+Signed-off-by: Aurelien Jarno
+Message-ID: <20241110114700.622372-1-aurelien@aurel32.net>
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/dw_mmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -2857,8 +2857,8 @@ static int dw_mci_init_slot(struct dw_mc
+ if (host->use_dma == TRANS_MODE_IDMAC) {
+ mmc->max_segs = host->ring_size;
+ mmc->max_blk_size = 65535;
+- mmc->max_req_size = DW_MCI_DESC_DATA_LENGTH * host->ring_size;
+- mmc->max_seg_size = mmc->max_req_size;
++ mmc->max_seg_size = 0x1000;
++ mmc->max_req_size = mmc->max_seg_size * host->ring_size;
+ mmc->max_blk_count = mmc->max_req_size / 512;
+ } else if (host->use_dma == TRANS_MODE_EDMAC) {
+ mmc->max_segs = 64;
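Review bot: `mmc->max_seg_size = 0x1000;` in the dw_mci_init_slot() hunk is a bare literal with nothing to say where the limit comes from. The removed line used `DW_MCI_DESC_DATA_LENGTH` for what looks like the same per-descriptor limit, so if that macro has this value in the 4.19 tree (not visible here, so confirm) `mmc->max_seg_size = DW_MCI_DESC_DATA_LENGTH;` would be clearer. Because this is a straight revert, keeping the code identical to upstream may be preferred; in that case a comment such as `/* per-descriptor IDMAC limit; larger segments led to panics and data corruption */` would be enough. dw_mci_init_slot() continues outside the hunk.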
diff --git a/queue-4.19/series b/queue-4.19/series
index a8381bddbc7..702102ecdb6 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1 +1,6 @@
 netlink-terminate-outstanding-dump-on-socket-close.patch
+ocfs2-uncache-inode-which-has-failed-entering-the-group.patch
+nilfs2-fix-null-ptr-deref-in-block_touch_buffer-tracepoint.patch
+ocfs2-fix-ubsan-warning-in-ocfs2_verify_volume.patch
+nilfs2-fix-null-ptr-deref-in-block_dirty_buffer-tracepoint.patch
+revert-mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch