From ec7eeec0731b6452efd31b11f8b6bd4348764706 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 28 Dec 2022 14:13:41 +0100
Subject: [PATCH] 5.15-stable patches
added patches:
btrfs-do-not-bug_on-on-enomem-when-dropping-extent-items-for-a-range.patch
fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch
gcov-add-support-for-checksum-field.patch
ovl-fix-use-inode-directly-in-rcu-walk-mode.patch
scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch
---
 ...en-dropping-extent-items-for-a-range.patch | 64 +++++++++++++
 ...buffer-when-fbcon_do_set_font-failed.patch | 38 ++++++++
 .../gcov-add-support-for-checksum-field.patch | 49 ++++++++++
 ...-use-inode-directly-in-rcu-walk-mode.patch | 45 +++++++++
 ...x-fix-crash-when-i-o-abort-times-out.patch | 94 +++++++++++++++++++
 queue-5.15/series | 5 +
 6 files changed, 295 insertions(+)
 create mode 100644 queue-5.15/btrfs-do-not-bug_on-on-enomem-when-dropping-extent-items-for-a-range.patch
 create mode 100644 queue-5.15/fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch
 create mode 100644 queue-5.15/gcov-add-support-for-checksum-field.patch
 create mode 100644 queue-5.15/ovl-fix-use-inode-directly-in-rcu-walk-mode.patch
 create mode 100644 queue-5.15/scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch
diff --git a/queue-5.15/btrfs-do-not-bug_on-on-enomem-when-dropping-extent-items-for-a-range.patch b/queue-5.15/btrfs-do-not-bug_on-on-enomem-when-dropping-extent-items-for-a-range.patch
new file mode 100644
index 00000000000..6518c597228
--- /dev/null
+++ b/queue-5.15/btrfs-do-not-bug_on-on-enomem-when-dropping-extent-items-for-a-range.patch
@@ -0,0 +1,64 @@
+From 162d053e15fe985f754ef495a96eb3db970c43ed Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Mon, 28 Nov 2022 15:07:30 +0000
+Subject: btrfs: do not BUG_ON() on ENOMEM when dropping extent items for a range
+
+From: Filipe Manana
+
+commit 162d053e15fe985f754ef495a96eb3db970c43ed upstream.
+
+If we get -ENOMEM while dropping file extent items in a given range, at
+btrfs_drop_extents(), due to failure to allocate memory when attempting to
+increment the reference count for an extent or drop the reference count,
+we handle it with a BUG_ON(). This is excessive, instead we can simply
+abort the transaction and return the error to the caller. In fact most
+callers of btrfs_drop_extents(), directly or indirectly, already abort
+the transaction if btrfs_drop_extents() returns any error.
+
+Also, we already have error paths at btrfs_drop_extents() that may return
+-ENOMEM and in those cases we abort the transaction, like for example
+anything that changes the b+tree may return -ENOMEM due to a failure to
+allocate a new extent buffer when COWing an existing extent buffer, such
+as a call to btrfs_duplicate_item() for example.
+
+So replace the BUG_ON() calls with proper logic to abort the transaction
+and return the error.
+
+Reported-by: syzbot+0b1fb6b0108c27419f9f@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/00000000000089773e05ee4b9cb4@google.com/
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Josef Bacik
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/file.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -872,7 +872,10 @@ next_slot:
+ args->start - extent_offset,
+ 0, false);
+ ret = btrfs_inc_extent_ref(trans, &ref);
+- BUG_ON(ret); /* -ENOMEM */
++ if (ret) {
++ btrfs_abort_transaction(trans, ret);
++ break;
++ }
+ }
+ key.offset = args->start;
+ }
+@@ -959,7 +962,10 @@ delete_extent_item:
+ key.offset - extent_offset, 0,
+ false);
+ ret = btrfs_free_extent(trans, &ref);
+- BUG_ON(ret); /* -ENOMEM */
++ if (ret) {
++ btrfs_abort_transaction(trans, ret);
++ break;
++ }
+ args->bytes_found += extent_end - key.offset;
+ }
+
diff --git a/queue-5.15/fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch b/queue-5.15/fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch
new file mode 100644
index 00000000000..268b1f31c49
--- /dev/null
+++ b/queue-5.15/fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch
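Review bot: The `break` added after `btrfs_abort_transaction(trans, ret)` in both hunks (at @@ -872 and @@ -959) leaves the loop with `ret` set, but everything after the loop is outside the hunk, so it is worth confirming that the post-loop path neither overwrites `ret` nor still applies any item deletions the loop had batched up before failing. A one-line comment at the break, `/* transaction is aborted; fall out of the loop and return ret */`, would make that contract explicit where the next reader meets it. The two abort-and-break blocks are identical, which is acceptable kernel style but means any later adjustment has to be made twice. btrfs_drop_extents() starts before the hunk and continues past it.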
@@ -0,0 +1,38 @@
+From 3c3bfb8586f848317ceba5d777e11204ba3e5758 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Tue, 6 Dec 2022 07:10:31 +0900
+Subject: fbdev: fbcon: release buffer when fbcon_do_set_font() failed
+
+From: Tetsuo Handa
+
+commit 3c3bfb8586f848317ceba5d777e11204ba3e5758 upstream.
+
+syzbot is reporting memory leak at fbcon_do_set_font() [1], for
+commit a5a923038d70 ("fbdev: fbcon: Properly revert changes when
+vc_resize() failed") missed that the buffer might be newly allocated
+by fbcon_set_font().
+
+Link: https://syzkaller.appspot.com/bug?extid=25bdb7b1703639abd498 [1]
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Tested-by: syzbot
+Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
+CC: stable@vger.kernel.org # 5.15+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/fbcon.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -2462,7 +2462,8 @@ err_out:
+
+ if (userfont) {
+ p->userfont = old_userfont;
+- REFCOUNT(data)--;
++ if (--REFCOUNT(data) == 0)
++ kfree(data - FONT_EXTRA_WORDS * sizeof(int));
+ }
+
+ vc->vc_font.width = old_width;
diff --git a/queue-5.15/gcov-add-support-for-checksum-field.patch b/queue-5.15/gcov-add-support-for-checksum-field.patch
new file mode 100644
index 00000000000..e5d06496330
--- /dev/null
+++ b/queue-5.15/gcov-add-support-for-checksum-field.patch
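Review bot: The new `kfree(data - FONT_EXTRA_WORDS * sizeof(int))` encodes the layout of the user-font allocation (FONT_EXTRA_WORDS ints stored in front of `data`) without saying so; a comment such as `/* user fonts carry FONT_EXTRA_WORDS ints ahead of the glyph data; free the real allocation */` would stop the next reader from treating the pointer arithmetic as a mistake. If fbcon already has a helper that drops a user-font reference and frees the buffer when it reaches zero, calling it here would keep this error path in step with the normal release path, but the rest of the file is not visible to confirm that. The `err_out:` block of fbcon_do_set_font() begins before the hunk and continues after it.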
@@ -0,0 +1,49 @@
+From e96b95c2b7a63a454b6498e2df67aac14d046d13 Mon Sep 17 00:00:00 2001
+From: Rickard x Andersson
+Date: Tue, 20 Dec 2022 11:23:18 +0100
+Subject: gcov: add support for checksum field
+
+From: Rickard x Andersson
+
+commit e96b95c2b7a63a454b6498e2df67aac14d046d13 upstream.
+
+In GCC version 12.1 a checksum field was added.
+
+This patch fixes a kernel crash occurring during boot when using
+gcov-kernel with GCC version 12.2. The crash occurred on a system running
+on i.MX6SX.
+
+Link: https://lkml.kernel.org/r/20221220102318.3418501-1-rickaran@axis.com
+Fixes: 977ef30a7d88 ("gcov: support GCC 12.1 and newer compilers")
+Signed-off-by: Rickard x Andersson
+Reviewed-by: Peter Oberparleiter
+Tested-by: Peter Oberparleiter
+Reviewed-by: Martin Liska
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/gcov/gcc_4_7.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/gcov/gcc_4_7.c
++++ b/kernel/gcov/gcc_4_7.c
+@@ -82,6 +82,7 @@ struct gcov_fn_info {
+ * @version: gcov version magic indicating the gcc version used for compilation
+ * @next: list head for a singly-linked list
+ * @stamp: uniquifying time stamp
++ * @checksum: unique object checksum
+ * @filename: name of the associated gcov data file
+ * @merge: merge functions (null for unused counter type)
+ * @n_functions: number of instrumented functions
+@@ -94,6 +95,10 @@ struct gcov_info {
+ unsigned int version;
+ struct gcov_info *next;
+ unsigned int stamp;
++ /* Since GCC 12.1 a checksum field is added. */
++#if (__GNUC__ >= 12)
++ unsigned int checksum;
++#endif
+ const char *filename;
+ void (*merge[GCOV_COUNTERS])(gcov_type *, unsigned int);
+ unsigned int n_functions;
diff --git a/queue-5.15/ovl-fix-use-inode-directly-in-rcu-walk-mode.patch b/queue-5.15/ovl-fix-use-inode-directly-in-rcu-walk-mode.patch
new file mode 100644
index 00000000000..e49ff259e6f
--- /dev/null
+++ b/queue-5.15/ovl-fix-use-inode-directly-in-rcu-walk-mode.patch
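Review bot: The comment `/* Since GCC 12.1 a checksum field is added. */` on the new field records when but not what the guard protects: this `struct gcov_info` has to stay layout-identical to the one GCC's own gcov runtime writes, and the `#if (__GNUC__ >= 12)` test is the only thing keeping the two in step. Suggest `/* Must mirror GCC's gcov_info layout: GCC 12.1 and later insert a checksum after stamp */` so that the next field GCC adds gets handled the same way rather than by another boot crash. The test also assumes the kernel is instrumented by the same compiler that defines `__GNUC__` here, which holds for an in-tree build but is worth stating. struct gcov_info starts before the second hunk and ends after it.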
@@ -0,0 +1,45 @@
+From 672e4268b2863d7e4978dfed29552b31c2f9bd4e Mon Sep 17 00:00:00 2001
+From: Chen Zhongjin
+Date: Mon, 28 Nov 2022 11:33:05 +0100
+Subject: ovl: fix use inode directly in rcu-walk mode
+
+From: Chen Zhongjin
+
+commit 672e4268b2863d7e4978dfed29552b31c2f9bd4e upstream.
+
+ovl_dentry_revalidate_common() can be called in rcu-walk mode. As document
+said, "in rcu-walk mode, d_parent and d_inode should not be used without
+care".
+
+Check inode here to protect access under rcu-walk mode.
+
+Fixes: bccece1ead36 ("ovl: allow remote upper")
+Reported-and-tested-by: syzbot+a4055c78774bbf3498bb@syzkaller.appspotmail.com
+Signed-off-by: Chen Zhongjin
+Cc: # v5.7
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/overlayfs/super.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -138,11 +138,16 @@ static int ovl_dentry_revalidate_common(
+ unsigned int flags, bool weak)
+ {
+ struct ovl_entry *oe = dentry->d_fsdata;
++ struct inode *inode = d_inode_rcu(dentry);
+ struct dentry *upper;
+ unsigned int i;
+ int ret = 1;
+
+- upper = ovl_dentry_upper(dentry);
++ /* Careful in RCU mode */
++ if (!inode)
++ return -ECHILD;
++
++ upper = ovl_i_dentry_upper(inode);
+ if (upper)
+ ret = ovl_revalidate_real(upper, flags, weak);
+
diff --git a/queue-5.15/scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch b/queue-5.15/scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch
new file mode 100644
index 00000000000..c25a7c998c6
--- /dev/null
+++ b/queue-5.15/scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch
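Review bot: The new `if (!inode) return -ECHILD;` fires regardless of `flags & LOOKUP_RCU`, so if a negative overlay dentry can reach this revalidate in ref-walk mode the VFS receives -ECHILD on a path where it is not set up to retry, and that lookup fails with the error instead. If negative dentries never get here the comment should say so, e.g. `/* d_inode is only unstable in rcu-walk; a NULL inode means retry in ref-walk */`; otherwise the ref-walk answer should be chosen explicitly, e.g. `if (!inode) return (flags & LOOKUP_RCU) ? -ECHILD : 0;`, so -ECHILD is never returned outside rcu-walk. Either way `/* Careful in RCU mode */` is too terse to tell a reader why a NULL inode is possible at this point. The signature of ovl_dentry_revalidate_common() starts before the hunk and its body continues past it.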
@@ -0,0 +1,94 @@
+From 68ad83188d782b2ecef2e41ac245d27e0710fe8e Mon Sep 17 00:00:00 2001
+From: Arun Easi
+Date: Tue, 29 Nov 2022 01:26:34 -0800
+Subject: scsi: qla2xxx: Fix crash when I/O abort times out
+
+From: Arun Easi
+
+commit 68ad83188d782b2ecef2e41ac245d27e0710fe8e upstream.
+
+While performing CPU hotplug, a crash with the following stack was seen:
+
+Call Trace:
+ qla24xx_process_response_queue+0x42a/0x970 [qla2xxx]
+ qla2x00_start_nvme_mq+0x3a2/0x4b0 [qla2xxx]
+ qla_nvme_post_cmd+0x166/0x240 [qla2xxx]
+ nvme_fc_start_fcp_op.part.0+0x119/0x2e0 [nvme_fc]
+ blk_mq_dispatch_rq_list+0x17b/0x610
+ __blk_mq_sched_dispatch_requests+0xb0/0x140
+ blk_mq_sched_dispatch_requests+0x30/0x60
+ __blk_mq_run_hw_queue+0x35/0x90
+ __blk_mq_delay_run_hw_queue+0x161/0x180
+ blk_execute_rq+0xbe/0x160
+ __nvme_submit_sync_cmd+0x16f/0x220 [nvme_core]
+ nvmf_connect_admin_queue+0x11a/0x170 [nvme_fabrics]
+ nvme_fc_create_association.cold+0x50/0x3dc [nvme_fc]
+ nvme_fc_connect_ctrl_work+0x19/0x30 [nvme_fc]
+ process_one_work+0x1e8/0x3c0
+
+On abort timeout, completion was called without checking if the I/O was
+already completed.
+
+Verify that I/O and abort request are indeed outstanding before attempting
+completion.
+
+Fixes: 71c80b75ce8f ("scsi: qla2xxx: Do command completion on abort timeout")
+Reported-by: Marco Patalano
+Tested-by: Marco Patalano
+Cc: stable@vger.kernel.org
+Signed-off-by: Arun Easi
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20221129092634.15347-1-njavali@marvell.com
+Signed-off-by: Martin K.
Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_init.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -110,6 +110,7 @@ static void qla24xx_abort_iocb_timeout(v
+ struct qla_qpair *qpair = sp->qpair;
+ u32 handle;
+ unsigned long flags;
++ int sp_found = 0, cmdsp_found = 0;
+
+ if (sp->cmd_sp)
+ ql_dbg(ql_dbg_async, sp->vha, 0x507c,
+@@ -124,18 +125,21 @@ static void qla24xx_abort_iocb_timeout(v
+ spin_lock_irqsave(qpair->qp_lock_ptr, flags);
+ for (handle = 1; handle < qpair->req->num_outstanding_cmds; handle++) {
+ if (sp->cmd_sp && (qpair->req->outstanding_cmds[handle] ==
+- sp->cmd_sp))
++ sp->cmd_sp)) {
+ qpair->req->outstanding_cmds[handle] = NULL;
++ cmdsp_found = 1;
++ }
+
+ /* removing the abort */
+ if (qpair->req->outstanding_cmds[handle] == sp) {
+ qpair->req->outstanding_cmds[handle] = NULL;
++ sp_found = 1;
+ break;
+ }
+ }
+ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+
+- if (sp->cmd_sp) {
++ if (cmdsp_found && sp->cmd_sp) {
+ /*
+ * This done function should take care of
+ * original command ref: INIT
+@@ -143,8 +147,10 @@ static void qla24xx_abort_iocb_timeout(v
+ sp->cmd_sp->done(sp->cmd_sp, QLA_OS_TIMER_EXPIRED);
+ }
+
+- abt->u.abt.comp_status = cpu_to_le16(CS_TIMEOUT);
+- sp->done(sp, QLA_OS_TIMER_EXPIRED);
++ if (sp_found) {
++ abt->u.abt.comp_status = cpu_to_le16(CS_TIMEOUT);
++ sp->done(sp, QLA_OS_TIMER_EXPIRED);
++ }
+ }
+
+ static void qla24xx_abort_sp_done(srb_t *sp, int res)
diff --git a/queue-5.15/series b/queue-5.15/series
index 1934f3e4904..a9d21daad02 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
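Review bot: When `sp_found` stays 0 (the abort IOCB is no longer in `outstanding_cmds`) the timeout handler now returns without calling `sp->done()`, so the reference the abort sp holds has to be dropped by whichever completion path removed it from the table; that path is outside the hunk and should be confirmed, otherwise the sp and its `cmd_sp` reference leak on a lost race. Style-wise `int sp_found = 0, cmdsp_found = 0;` are booleans, so `bool sp_found = false, cmdsp_found = false;` with `= true` at the two assignments reads more honestly; `cmdsp_found && sp->cmd_sp` can then drop its second operand, since `cmdsp_found` was only set under the lock after `sp->cmd_sp` tested non-NULL, unless `cmd_sp` can be cleared concurrently. A one-line comment on the flags, `/* only complete what was still outstanding under qp_lock */`, would document the new contract. qla24xx_abort_iocb_timeout() begins before the first hunk.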
@@ -720,3 +720,8 @@ iio-adc-ad_sigma_delta-do-not-use-internal-iio_dev-lock.patch
 iio-adc128s052-add-proper-.data-members-in-adc128_of_match-table.patch
 regulator-core-fix-deadlock-on-regulator-enable.patch
 floppy-fix-memory-leak-in-do_floppy_init.patch
+gcov-add-support-for-checksum-field.patch
+fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch
+ovl-fix-use-inode-directly-in-rcu-walk-mode.patch
+btrfs-do-not-bug_on-on-enomem-when-dropping-extent-items-for-a-range.patch
+scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch
--
2.47.3