From 90a0706942fe5abbf62a7e5511238dd19ed68ce6 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 8 Feb 2021 11:46:41 +0100
Subject: [PATCH] 4.14-stable patches added patches: mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch
---
 ...es-when-analyse-of-sdio-tuples-fails.patch | 50 ++++++++++++
 ...t-sleep-state-on-kingston-a2000-ssds.patch | 81 +++++++++++++++++++
 queue-4.14/series | 3 +
 ...-out-of-bounds-bug-in-smb2_negotiate.patch | 64 +++++++++++++++
 4 files changed, 198 insertions(+)
 create mode 100644 queue-4.14/mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch
 create mode 100644 queue-4.14/nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch
 create mode 100644 queue-4.14/smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch
diff --git a/queue-4.14/mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch b/queue-4.14/mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch
new file mode 100644
index 00000000000..bf7b139a494
--- /dev/null
+++ b/queue-4.14/mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch
@@ -0,0 +1,50 @@
+From f92e04f764b86e55e522988e6f4b6082d19a2721 Mon Sep 17 00:00:00 2001
+From: Fengnan Chang
+Date: Sat, 23 Jan 2021 11:32:31 +0800
+Subject: mmc: core: Limit retries when analyse of SDIO tuples fails
+
+From: Fengnan Chang
+
+commit f92e04f764b86e55e522988e6f4b6082d19a2721 upstream.
+
+When analysing tuples fails we may loop indefinitely to retry. Let's avoid
+this by using a 10s timeout and bail if not completed earlier.
+
+Signed-off-by: Fengnan Chang
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210123033230.36442-1-fengnanchang@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/sdio_cis.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/core/sdio_cis.c
++++ b/drivers/mmc/core/sdio_cis.c
+@@ -24,6 +24,8 @@
+ #include "sdio_cis.h"
+ #include "sdio_ops.h"
+
++#define SDIO_READ_CIS_TIMEOUT_MS (10 * 1000) /* 10s */
++
+ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func,
+ const unsigned char *buf, unsigned size)
+ {
+@@ -270,6 +272,8 @@ static int sdio_read_cis(struct mmc_card
+
+ do {
+ unsigned char tpl_code, tpl_link;
++ unsigned long timeout = jiffies +
++ msecs_to_jiffies(SDIO_READ_CIS_TIMEOUT_MS);
+
+ ret = mmc_io_rw_direct(card, 0, 0, ptr++, 0, &tpl_code);
+ if (ret)
+@@ -322,6 +326,8 @@ static int sdio_read_cis(struct mmc_card
+ prev = &this->next;
+
+ if (ret == -ENOENT) {
++ if (time_after(jiffies, timeout))
++ break;
+ /* warn about unknown tuples */
+ pr_warn_ratelimited("%s: queuing unknown"
+ " CIS tuple 0x%02x (%u bytes)\n",
diff --git a/queue-4.14/nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch b/queue-4.14/nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch
new file mode 100644
index 00000000000..75d29538b9e
--- /dev/null
+++ b/queue-4.14/nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch
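Review bot: In the sdio_read_cis() hunks of drivers/mmc/core/sdio_cis.c, `timeout` is declared and initialised inside the `do {` body, so the 10 s deadline is recomputed for every tuple and `time_after(jiffies, timeout)` can only fire when a single iteration takes longer than 10 s. A card that keeps returning unknown tuples quickly would therefore still appear able to keep the loop running, which is the case the commit message sets out to bound. Computing the deadline once, with `unsigned long timeout = jiffies + msecs_to_jiffies(SDIO_READ_CIS_TIMEOUT_MS);` placed ahead of `do {`, would cap the whole CIS walk. The `break` also leaves `ret` at -ENOENT; the loop tail and the return are outside the hunk, so what the caller sees on timeout should be checked there.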
@@ -0,0 +1,81 @@
+From 538e4a8c571efdf131834431e0c14808bcfb1004 Mon Sep 17 00:00:00 2001
+From: Thorsten Leemhuis
+Date: Fri, 29 Jan 2021 06:24:42 +0100
+Subject: nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs
+
+From: Thorsten Leemhuis
+
+commit 538e4a8c571efdf131834431e0c14808bcfb1004 upstream.
+
+Some Kingston A2000 NVMe SSDs sooner or later get confused and stop
+working when they use the deepest APST sleep while running Linux. The
+system then crashes and one has to cold boot it to get the SSD working
+again.
+
+Kingston seems to known about this since at least mid-September 2020:
+https://bbs.archlinux.org/viewtopic.php?pid=1926994#p1926994
+
+Someone working for a German company representing Kingston to the German
+press confirmed to me Kingston engineering is aware of the issue and
+investigating; the person stated that to their current knowledge only
+the deepest APST sleep state causes trouble. Therefore, make Linux avoid
+it for now by applying the NVME_QUIRK_NO_DEEPEST_PS to this SSD.
+
+I have two such SSDs, but it seems the problem doesn't occur with them.
+I hence couldn't verify if this patch really fixes the problem, but all
+the data in front of me suggests it should.
+
+This patch can easily be reverted or improved upon if a better solution
+surfaces.
+
+FWIW, there are many reports about the issue scattered around the web;
+most of the users disabled APST completely to make things work, some
+just made Linux avoid the deepest sleep state:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=195039#c65
+https://bugzilla.kernel.org/show_bug.cgi?id=195039#c73
+https://bugzilla.kernel.org/show_bug.cgi?id=195039#c74
+https://bugzilla.kernel.org/show_bug.cgi?id=195039#c78
+https://bugzilla.kernel.org/show_bug.cgi?id=195039#c79
+https://bugzilla.kernel.org/show_bug.cgi?id=195039#c80
+https://askubuntu.com/questions/1222049/nvmekingston-a2000-sometimes-stops-giving-response-in-ubuntu-18-04dell-inspir
+https://community.acer.com/en/discussion/604326/m-2-nvme-ssd-aspire-517-51g-issue-compatibility-kingston-a2000-linux-ubuntu
+
+For the record, some data from 'nvme id-ctrl /dev/nvme0'
+
+NVME Identify Controller:
+vid : 0x2646
+ssvid : 0x2646
+mn : KINGSTON SA2000M81000G
+fr : S5Z42105
+[...]
+ps 0 : mp:9.00W operational enlat:0 exlat:0 rrt:0 rrl:0
+ rwt:0 rwl:0 idle_power:- active_power:-
+ps 1 : mp:4.60W operational enlat:0 exlat:0 rrt:1 rrl:1
+ rwt:1 rwl:1 idle_power:- active_power:-
+ps 2 : mp:3.80W operational enlat:0 exlat:0 rrt:2 rrl:2
+ rwt:2 rwl:2 idle_power:- active_power:-
+ps 3 : mp:0.0450W non-operational enlat:2000 exlat:2000 rrt:3 rrl:3
+ rwt:3 rwl:3 idle_power:- active_power:-
+ps 4 : mp:0.0040W non-operational enlat:15000 exlat:15000 rrt:4 rrl:4
+ rwt:4 rwl:4 idle_power:- active_power:-
+
+Cc: stable@vger.kernel.org # 4.14+
+Signed-off-by: Thorsten Leemhuis
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2588,6 +2588,8 @@ static const struct pci_device_id nvme_i
+ { PCI_DEVICE(0x1d1d, 0x2601), /* CNEX Granby */
+ .driver_data = NVME_QUIRK_LIGHTNVM, },
+ { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) },
++ { PCI_DEVICE(0x2646, 0x2263), /*
KINGSTON A2000 NVMe SSD */
++ .driver_data = NVME_QUIRK_NO_DEEPEST_PS, },
+ { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2001) },
+ { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2003) },
+ { 0, }
diff --git a/queue-4.14/series b/queue-4.14/series
index d195f6b283c..48765303ac0 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -15,3 +15,6 @@ mac80211-fix-station-rate-table-updates-on-assoc.patch
 kretprobe-avoid-re-registration-of-the-same-kretprobe-earlier.patch
 xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch
 cifs-report-error-instead-of-invalid-when-revalidating-a-dentry-fails.patch
+smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch
+mmc-core-limit-retries-when-analyse-of-sdio-tuples-fails.patch
+nvme-pci-avoid-the-deepest-sleep-state-on-kingston-a2000-ssds.patch
diff --git a/queue-4.14/smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch b/queue-4.14/smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch
new file mode 100644
index 00000000000..2bfc64b604e
--- /dev/null
+++ b/queue-4.14/smb3-fix-out-of-bounds-bug-in-smb2_negotiate.patch
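Review bot: In the nvme_id_table hunk of drivers/nvme/host/pci.c, the new `PCI_DEVICE(0x2646, 0x2263)` entry is added after the catch-all `PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff)` entry. As far as I know the PCI core walks a driver's id table in order and hands probe the first matching entry, so an A2000 would match the class entry first and be probed with `driver_data` 0, leaving NVME_QUIRK_NO_DEEPEST_PS unapplied. The two added lines should sit above the `PCI_DEVICE_CLASS` line, next to the other quirk entries such as the CNEX Granby one. The table starts outside the hunk, so the rest of the ordering should be checked in the 4.14 tree.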
@@ -0,0 +1,64 @@
+From 8d8d1dbefc423d42d626cf5b81aac214870ebaab Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Mon, 1 Feb 2021 20:36:54 -0600
+Subject: smb3: Fix out-of-bounds bug in SMB2_negotiate()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gustavo A. R. Silva
+
+commit 8d8d1dbefc423d42d626cf5b81aac214870ebaab upstream.
+
+While addressing some warnings generated by -Warray-bounds, I found this
+bug that was introduced back in 2017:
+
+ CC [M] fs/cifs/smb2pdu.o
+fs/cifs/smb2pdu.c: In function ‘SMB2_negotiate’:
+fs/cifs/smb2pdu.c:822:16: warning: array subscript 1 is above array bounds
+of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
+ 822 | req->Dialects[1] = cpu_to_le16(SMB30_PROT_ID);
+ | ~~~~~~~~~~~~~^~~
+fs/cifs/smb2pdu.c:823:16: warning: array subscript 2 is above array bounds
+of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
+ 823 | req->Dialects[2] = cpu_to_le16(SMB302_PROT_ID);
+ | ~~~~~~~~~~~~~^~~
+fs/cifs/smb2pdu.c:824:16: warning: array subscript 3 is above array bounds
+of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
+ 824 | req->Dialects[3] = cpu_to_le16(SMB311_PROT_ID);
+ | ~~~~~~~~~~~~~^~~
+fs/cifs/smb2pdu.c:816:16: warning: array subscript 1 is above array bounds
+of ‘__le16[1]’ {aka ‘short unsigned int[1]’} [-Warray-bounds]
+ 816 | req->Dialects[1] = cpu_to_le16(SMB302_PROT_ID);
+ | ~~~~~~~~~~~~~^~~
+
+At the time, the size of array _Dialects_ was changed from 1 to 3 in struct
+validate_negotiate_info_req, and then in 2019 it was changed from 3 to 4,
+but those changes were never made in struct smb2_negotiate_req, which has
+led to a 3 and a half years old out-of-bounds bug in function
+SMB2_negotiate() (fs/cifs/smb2pdu.c).
+
+Fix this by increasing the size of array _Dialects_ in struct
+smb2_negotiate_req to 4.
+
+Fixes: 9764c02fcbad ("SMB3: Add support for multidialect negotiate (SMB2.1 and later)")
+Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/smb2pdu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -206,7 +206,7 @@ struct smb2_negotiate_req {
+ __le32 NegotiateContextOffset; /* SMB3.1.1 only. MBZ earlier */
+ __le16 NegotiateContextCount; /* SMB3.1.1 only. MBZ earlier */
+ __le16 Reserved2;
+- __le16 Dialects[1]; /* One dialect (vers=) at a time for now */
++ __le16 Dialects[4]; /* BB expand this if autonegotiate > 4 dialects */
+ } __packed;
+
+ /* Dialects */
--
2.47.3
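Review bot: The new bound in struct smb2_negotiate_req (fs/cifs/smb2pdu.h) is a bare `4` that still has to be kept in step by hand with the writes in SMB2_negotiate() and with the Dialects array in struct validate_negotiate_info_req, which per the commit message is how the two drifted apart. Nothing visible here makes the compiler catch the next drift; a shared constant used by both struct definitions, or a `BUILD_BUG_ON()` comparing the two `ARRAY_SIZE()` values, would. Because the struct is `__packed` and describes the wire format, growing the array also raises `sizeof(struct smb2_negotiate_req)` by six bytes, so any request length or context offset in the 4.14 tree that is derived from that sizeof should be confirmed unaffected. Those users are outside this hunk.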