From a23acc1a0206db50babf45bfc30255ef2e9a3260 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 27 Sep 2019 20:58:08 -0400
Subject: [PATCH] fixes for 4.14
Signed-off-by: Sasha Levin
---
 ...el-of-requeue_work-to-the-front-of-b.patch | 61 +++++++++++++++++++
 .../dm-zoned-fix-invalid-memory-access.patch | 59 ++++++++++++++++++
 ...he-data-segments-against-all-node-on.patch | 44 +++++++++++++
 ...ts-fix-lpi-release-for-multi-msi-dev.patch | 54 ++++++++++++++++
 ...-of-hv_pci_dev-pci_slot-after-freein.patch | 38 ++++++++++++
 ...2fs-avoid-out-of-range-memory-access.patch | 61 +++++++++++++++++++
 queue-4.14/series | 6 ++
 7 files changed, 323 insertions(+)
 create mode 100644 queue-4.14/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch
 create mode 100644 queue-4.14/dm-zoned-fix-invalid-memory-access.patch
 create mode 100644 queue-4.14/f2fs-check-all-the-data-segments-against-all-node-on.patch
 create mode 100644 queue-4.14/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch
 create mode 100644 queue-4.14/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch
 create mode 100644 queue-4.14/revert-f2fs-avoid-out-of-range-memory-access.patch
diff --git a/queue-4.14/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch b/queue-4.14/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch
new file mode 100644
index 00000000000..cd17aa41ca3
--- /dev/null
+++ b/queue-4.14/blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch
@@ -0,0 +1,61 @@ +From 4ecce4118e71bd069019bc05c539842350b18b6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2019 20:36:55 +0800 +Subject: blk-mq: move cancel of requeue_work to the front of blk_exit_queue + +From: zhengbin + +[ Upstream commit e26cc08265dda37d2acc8394604f220ef412299d ] + +blk_exit_queue will free elevator_data, while blk_mq_requeue_work +will access it. Move cancel of requeue_work to the front of +blk_exit_queue to avoid use-after-free. + +blk_exit_queue blk_mq_requeue_work + __elevator_exit blk_mq_run_hw_queues + blk_mq_exit_sched blk_mq_run_hw_queue + dd_exit_queue blk_mq_hctx_has_pending + kfree(elevator_data) blk_mq_sched_has_work + dd_has_work + +Fixes: fbc2a15e3433 ("blk-mq: move cancel of requeue_work into blk_mq_release") +Cc: stable@vger.kernel.org +Reviewed-by: Ming Lei +Signed-off-by: zhengbin +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 2 -- + block/blk-sysfs.c | 3 +++ + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 55139d2fca3e0..eac4448047366 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2294,8 +2294,6 @@ void blk_mq_release(struct request_queue *q) + struct blk_mq_hw_ctx *hctx; + unsigned int i; + +- cancel_delayed_work_sync(&q->requeue_work); +- + /* hctx kobj stays in hctx */ + queue_for_each_hw_ctx(q, hctx, i) { + if (!hctx) +diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c +index e54be402899da..9caf96c2c1081 100644 +--- a/block/blk-sysfs.c ++++ b/block/blk-sysfs.c +@@ -811,6 +811,9 @@ static void __blk_release_queue(struct work_struct *work) + + blk_free_queue_stats(q->stats); + ++ if (q->mq_ops) ++ cancel_delayed_work_sync(&q->requeue_work); ++ + blk_exit_rl(q, &q->root_rl); + + if (q->queue_tags) +-- +2.20.1 + diff --git a/queue-4.14/dm-zoned-fix-invalid-memory-access.patch b/queue-4.14/dm-zoned-fix-invalid-memory-access.patch new file mode 100644 index 00000000000..414554628e4 --- /dev/null 
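Review bot: The backported `cancel_delayed_work_sync(&q->requeue_work)` lands between blk_free_queue_stats() and blk_exit_rl(), but the fix only closes the use-after-free if it runs before the elevator is torn down, and the hunk does not show where this tree's __blk_release_queue() calls elevator_exit(). Upstream the cancel precedes blk_exit_queue(), which the commit message says is what frees elevator_data; in a tree that has no blk_exit_queue() the elevator exit may sit earlier in __blk_release_queue(), above blk_free_queue_stats(), in which case blk_mq_requeue_work could still run against freed elevator data. Please confirm the order against the 4.14 source and, if the elevator exit is earlier, move `if (q->mq_ops) cancel_delayed_work_sync(&q->requeue_work);` above it. __blk_release_queue() starts and ends outside the hunk.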
+++ b/queue-4.14/dm-zoned-fix-invalid-memory-access.patch @@ -0,0 +1,59 @@ +From d63455fd23aabbbbca8df04d212d7eea03bcc692 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 02:41:17 -0400 +Subject: dm zoned: fix invalid memory access + +From: Mikulas Patocka + +[ Upstream commit 0c8e9c2d668278652af028c3cc068c65f66342f4 ] + +Commit 75d66ffb48efb30f2dd42f041ba8b39c5b2bd115 ("dm zoned: properly +handle backing device failure") triggers a coverity warning: + +*** CID 1452808: Memory - illegal accesses (USE_AFTER_FREE) +/drivers/md/dm-zoned-target.c: 137 in dmz_submit_bio() +131 clone->bi_private = bioctx; +132 +133 bio_advance(bio, clone->bi_iter.bi_size); +134 +135 refcount_inc(&bioctx->ref); +136 generic_make_request(clone); +>>> CID 1452808: Memory - illegal accesses (USE_AFTER_FREE) +>>> Dereferencing freed pointer "clone". +137 if (clone->bi_status == BLK_STS_IOERR) +138 return -EIO; +139 +140 if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone)) +141 zone->wp_block += nr_blocks; +142 + +The "clone" bio may be processed and freed before the check +"clone->bi_status == BLK_STS_IOERR" - so this check can access invalid +memory. + +Fixes: 75d66ffb48efb3 ("dm zoned: properly handle backing device failure") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Reviewed-by: Damien Le Moal +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-zoned-target.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c +index 1e004d975e786..4694763f9d404 100644 +--- a/drivers/md/dm-zoned-target.c ++++ b/drivers/md/dm-zoned-target.c +@@ -133,8 +133,6 @@ static int dmz_submit_bio(struct dmz_target *dmz, struct dm_zone *zone, + + atomic_inc(&bioctx->ref); + generic_make_request(clone); +- if (clone->bi_status == BLK_STS_IOERR) +- return -EIO; + + if (bio_op(bio) == REQ_OP_WRITE && dmz_is_seq(zone)) + zone->wp_block += nr_blocks; +-- +2.20.1 + 
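Review bot: With the `clone->bi_status` check gone, `generic_make_request(clone)` is followed directly by the write-pointer update and nothing in the code says that `clone` must not be touched again, so the same check is easy to reintroduce. Suggest a comment above the submission: `/* clone may complete and be freed inside generic_make_request(); do not dereference it afterwards */`. The I/O error that the deleted `return -EIO` reported is presumably surfaced through the clone's completion path now, which is outside this hunk and worth confirming for the 4.14 backport. dmz_submit_bio() starts and ends outside the hunk.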
diff --git a/queue-4.14/f2fs-check-all-the-data-segments-against-all-node-on.patch b/queue-4.14/f2fs-check-all-the-data-segments-against-all-node-on.patch
new file mode 100644
index 00000000000..976dabf10f3
--- /dev/null
+++ b/queue-4.14/f2fs-check-all-the-data-segments-against-all-node-on.patch
@@ -0,0 +1,44 @@
+From 5a8bd11faba2e12406a9f5a934e5478f6b731be0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Aug 2019 15:40:45 -0700
+Subject: f2fs: check all the data segments against all node ones
+
+From: Surbhi Palande
+
+[ Upstream commit 1166c1f2f69117ad254189ca781287afa6e550b6 ]
+
+As a part of the sanity checking while mounting, distinct segment number
+assignment to data and node segments is verified. Fixing a small bug in
+this verification between node and data segments. We need to check all
+the data segments with all the node segments.
+
+Fixes: 042be0f849e5f ("f2fs: fix to do sanity check with current segment number")
+Signed-off-by: Surbhi Palande
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 4c169ba50c0f4..ad839a7996e9b 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2027,11 +2027,11 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
+ }
+ }
+ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
+- for (j = i; j < NR_CURSEG_DATA_TYPE; j++) {
++ for (j = 0; j < NR_CURSEG_DATA_TYPE; j++) {
+ if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
+ le32_to_cpu(ckpt->cur_data_segno[j])) {
+ f2fs_msg(sbi->sb, KERN_ERR,
+- "Data segment (%u) and Data segment (%u)"
++ "Node segment (%u) and Data segment (%u)"
+ " has the same segno: %u", i, j,
+ le32_to_cpu(ckpt->cur_node_segno[i]));
+ return 1;
+-- 
+2.20.1
+
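Review bot: `le32_to_cpu(ckpt->cur_node_segno[i])` is recomputed for every j in the inner loop and a third time for the f2fs_msg() argument; hoisting it once per outer iteration, `u32 node_segno = le32_to_cpu(ckpt->cur_node_segno[i]);`, keeps the comparison and the logged value tied to a single read of the checkpoint field and makes the corrected `j = 0` loop easier to scan. This is a style point only; the bound change itself is the right fix. sanity_check_ckpt() starts and ends outside the hunk.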
diff --git a/queue-4.14/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch b/queue-4.14/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch
new file mode 100644
index 00000000000..173d6bb9fc4
--- /dev/null
+++ b/queue-4.14/irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch
@@ -0,0 +1,54 @@
+From 767bfcca0fc42a1c56fae83f4b8ac7c7bd80b5af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Sep 2019 14:56:47 +0100
+Subject: irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
+
+From: Marc Zyngier
+
+[ Upstream commit c9c96e30ecaa0aafa225aa1a5392cb7db17c7a82 ]
+
+When allocating a range of LPIs for a Multi-MSI capable device,
+this allocation extended to the closest power of 2.
+
+But on the release path, the interrupts are released one by
+one. This results in not releasing the "extra" range, leaking
+the its_device. Trying to reprobe the device will then fail.
+
+Fix it by releasing the LPIs the same way we allocate them.
+
+Fixes: 8208d1708b88 ("irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size")
+Reported-by: Jiaxing Luo
+Tested-by: John Garry
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/f5e948aa-e32f-3f74-ae30-31fee06c2a74@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-gic-v3-its.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index f80666acb9efd..52238e6bed392 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -2269,14 +2269,13 @@ static void its_irq_domain_free(struct irq_domain *domain, unsigned int virq,
+ struct its_node *its = its_dev->its;
+ int i;
+ 
++ bitmap_release_region(its_dev->event_map.lpi_map,
++ its_get_event_id(irq_domain_get_irq_data(domain, virq)),
++ get_count_order(nr_irqs));
++
+ for (i = 0; i < nr_irqs; i++) {
+ struct irq_data *data = irq_domain_get_irq_data(domain,
+ virq + i);
+- u32 event = its_get_event_id(data);
+-
+- /* Mark interrupt index as unused */
+- clear_bit(event, its_dev->event_map.lpi_map);
+-
+ /* Nuke the entry in the domain */
+ irq_domain_reset_irq_data(data);
+ }
+-- 
+2.20.1
+
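Review bot: The new `bitmap_release_region()` call carries no comment saying why it releases `get_count_order(nr_irqs)` worth of bits instead of the nr_irqs bits the removed clear_bit() loop handled, and the per-interrupt clear is exactly what a later cleanup might put back. Suggest a comment above it: `/* LPIs are allocated as a power-of-2 region rounded up from nr_irqs; release the same region or the rounding slack leaks with the its_device */`. The region start is taken from the irq_data of virq without a NULL check, which matches how the existing loop already uses irq_domain_get_irq_data(), so that behaviour is unchanged. its_irq_domain_free() starts and ends outside the hunk.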
diff --git a/queue-4.14/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch b/queue-4.14/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch
new file mode 100644
index 00000000000..88bc7a45b7e
--- /dev/null
+++ b/queue-4.14/pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch
@@ -0,0 +1,38 @@
+From 4d225f8942e4b1c591ad502c702c0ff4d9c388ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Aug 2019 22:50:20 +0000
+Subject: PCI: hv: Avoid use of hv_pci_dev->pci_slot after freeing it
+
+From: Dexuan Cui
+
+[ Upstream commit 533ca1feed98b0bf024779a14760694c7cb4d431 ]
+
+The slot must be removed before the pci_dev is removed, otherwise a panic
+can happen due to use-after-free.
+
+Fixes: 15becc2b56c6 ("PCI: hv: Add hv_pci_remove_slots() when we unload the driver")
+Signed-off-by: Dexuan Cui
+Signed-off-by: Lorenzo Pieralisi
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/host/pci-hyperv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c
+index 5a9d945122327..70825689e5a08 100644
+--- a/drivers/pci/host/pci-hyperv.c
++++ b/drivers/pci/host/pci-hyperv.c
+@@ -2740,8 +2740,8 @@ static int hv_pci_remove(struct hv_device *hdev)
+ /* Remove the bus from PCI's point of view. */
+ pci_lock_rescan_remove();
+ pci_stop_root_bus(hbus->pci_bus);
+- pci_remove_root_bus(hbus->pci_bus);
+ hv_pci_remove_slots(hbus);
++ pci_remove_root_bus(hbus->pci_bus);
+ pci_unlock_rescan_remove();
+ hbus->state = hv_pcibus_removed;
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.14/revert-f2fs-avoid-out-of-range-memory-access.patch b/queue-4.14/revert-f2fs-avoid-out-of-range-memory-access.patch
new file mode 100644
index 00000000000..8ad850aaa61
--- /dev/null
+++ b/queue-4.14/revert-f2fs-avoid-out-of-range-memory-access.patch
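Review bot: The swapped order of `hv_pci_remove_slots(hbus)` and `pci_remove_root_bus(hbus->pci_bus)` is explained only in the commit message; in the code the two calls still look freely reorderable, so the original order could be restored by a future cleanup. Suggest a comment before the slot removal: `/* Slots reference the pci_devs on this bus; remove them before pci_remove_root_bus() frees those devices. */`. hv_pci_remove() starts and ends outside the hunk.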
@@ -0,0 +1,61 @@ +From d76993baff0c41138fda34c891077bea365f9bc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Aug 2019 18:15:48 +0800 +Subject: Revert "f2fs: avoid out-of-range memory access" + +From: Chao Yu + +[ Upstream commit a37d0862d17411edb67677a580a6f505ec2225f6 ] + +As Pavel Machek reported: + +"We normally use -EUCLEAN to signal filesystem corruption. Plus, it is +good idea to report it to the syslog and mark filesystem as "needing +fsck" if filesystem can do that." + +Still we need improve the original patch with: +- use unlikely keyword +- add message print +- return EUCLEAN + +However, after rethink this patch, I don't think we should add such +condition check here as below reasons: +- We have already checked the field in f2fs_sanity_check_ckpt(), +- If there is fs corrupt or security vulnerability, there is nothing +to guarantee the field is integrated after the check, unless we do +the check before each of its use, however no filesystem does that. +- We only have similar check for bitmap, which was added due to there +is bitmap corruption happened on f2fs' runtime in product. +- There are so many key fields in SB/CP/NAT did have such check +after f2fs_sanity_check_{sb,cp,..}. + +So I propose to revert this unneeded check. + +This reverts commit 56f3ce675103e3fb9e631cfb4131fc768bc23e9a. 
+ +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/segment.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 18d51c36a5e32..70bd15cadb44e 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -2612,11 +2612,6 @@ static int read_compacted_summaries(struct f2fs_sb_info *sbi) + seg_i = CURSEG_I(sbi, i); + segno = le32_to_cpu(ckpt->cur_data_segno[i]); + blk_off = le16_to_cpu(ckpt->cur_data_blkoff[i]); +- if (blk_off > ENTRIES_IN_SUM) { +- f2fs_bug_on(sbi, 1); +- f2fs_put_page(page, 1); +- return -EFAULT; +- } + seg_i->next_segno = segno; + reset_curseg(sbi, i, 0); + seg_i->alloc_type = ckpt->alloc_type[i]; +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 3b02cb678ba..eed60df09fa 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -20,3 +20,9 @@ pinctrl-sprd-use-define-directive-for-sprd_pinconf_p.patch power-supply-sysfs-ratelimit-property-read-error-mes.patch locking-lockdep-add-debug_locks-check-in-__lock_down.patch locking-lockdep-add-debug_locks-check-in-__lock_down.patch-14091 +irqchip-gic-v3-its-fix-lpi-release-for-multi-msi-dev.patch +f2fs-check-all-the-data-segments-against-all-node-on.patch +pci-hv-avoid-use-of-hv_pci_dev-pci_slot-after-freein.patch +blk-mq-move-cancel-of-requeue_work-to-the-front-of-b.patch +revert-f2fs-avoid-out-of-range-memory-access.patch +dm-zoned-fix-invalid-memory-access.patch -- 2.47.2
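Review bot: The revert removes the only bound check on `blk_off` in read_compacted_summaries(), and the commit message justifies that by the check already performed in f2fs_sanity_check_ckpt(); in this 4.14 tree that function appears as sanity_check_ckpt() (see the fs/f2fs/super.c patch queued in the same series), so it is worth confirming that the backported version actually bounds `cur_data_blkoff[i]` before this revert is queued. If it does not, `blk_off` read from the on-disk checkpoint is used unchecked in the rest of the function, which lies outside this hunk. read_compacted_summaries() starts and ends outside the hunk.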