--- /dev/null
+From a8bd68e4329f9a0ad1b878733e0f80be6a971649 Mon Sep 17 00:00:00 2001
+From: "Jason-JH.Lin" <jason-jh.lin@mediatek.com>
+Date: Thu, 18 Jul 2024 22:17:04 +0800
+Subject: mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()
+
+From: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+
+commit a8bd68e4329f9a0ad1b878733e0f80be6a971649 upstream.
+
+When mtk-cmdq unbinds, a WARN_ON message with condition
+pm_runtime_get_sync() < 0 occurs.
+
+According to the call tracei below:
+ cmdq_mbox_shutdown
+ mbox_free_channel
+ mbox_controller_unregister
+ __devm_mbox_controller_unregister
+ ...
+
+The root cause can be deduced to be calling pm_runtime_get_sync() after
+calling pm_runtime_disable() as observed below:
+1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()
+ to bind the cmdq device to the mbox_controller, so
+ devm_mbox_controller_unregister() will automatically unregister
+ the device bound to the mailbox controller when the device-managed
+ resource is removed. That means devm_mbox_controller_unregister()
+ and cmdq_mbox_shoutdown() will be called after cmdq_remove().
+2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after
+ devm_mbox_controller_register(), so that devm_pm_runtime_disable()
+ will be called after cmdq_remove(), but before
+ devm_mbox_controller_unregister().
+
+To fix this problem, cmdq_probe() needs to move
+devm_mbox_controller_register() after devm_pm_runtime_enable() to make
+devm_pm_runtime_disable() be called after
+devm_mbox_controller_unregister().
+
+Fixes: 623a6143a845 ("mailbox: mediatek: Add Mediatek CMDQ driver")
+Signed-off-by: Jason-JH.Lin <jason-jh.lin@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mailbox/mtk-cmdq-mailbox.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mailbox/mtk-cmdq-mailbox.c
++++ b/drivers/mailbox/mtk-cmdq-mailbox.c
+@@ -623,12 +623,6 @@ static int cmdq_probe(struct platform_de
+ cmdq->mbox.chans[i].con_priv = (void *)&cmdq->thread[i];
+ }
+
+- err = devm_mbox_controller_register(dev, &cmdq->mbox);
+- if (err < 0) {
+- dev_err(dev, "failed to register mailbox: %d\n", err);
+- return err;
+- }
+-
+ platform_set_drvdata(pdev, cmdq);
+
+ WARN_ON(clk_bulk_prepare(cmdq->pdata->gce_num, cmdq->clocks));
+@@ -642,6 +636,12 @@ static int cmdq_probe(struct platform_de
+ return err;
+ }
+
++ err = devm_mbox_controller_register(dev, &cmdq->mbox);
++ if (err < 0) {
++ dev_err(dev, "failed to register mailbox: %d\n", err);
++ return err;
++ }
++
+ return 0;
+ }
+
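Review bot: The relocated failure return after `devm_mbox_controller_register()` now sits below `WARN_ON(clk_bulk_prepare(...))`, and no matching unprepare is visible on this path, so the clocks appear to stay prepared when registration fails. The `return err;` just above it has the same shape, so this joins an existing pattern rather than creating a new one. Separately, the ordering constraint from the commit message deserves a comment at the call, for example `/* Register last: devm teardown runs in reverse order, so the mailbox is unregistered before runtime PM is disabled. */`. cmdq_probe() begins outside the hunk, so the unwind behaviour should be confirmed against the full function.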
--- /dev/null
+From 7c2fd76048e95dd267055b5f5e0a48e6e7c81fd9 Mon Sep 17 00:00:00 2001
+From: Puranjay Mohan <pjy@amazon.com>
+Date: Thu, 29 Aug 2024 13:32:17 +0000
+Subject: nvme: fix metadata handling in nvme-passthrough
+
+From: Puranjay Mohan <pjy@amazon.com>
+
+commit 7c2fd76048e95dd267055b5f5e0a48e6e7c81fd9 upstream.
+
+On an NVMe namespace that does not support metadata, it is possible to
+send an IO command with metadata through io-passthru. This allows issues
+like [1] to trigger in the completion code path.
+nvme_map_user_request() doesn't check if the namespace supports metadata
+before sending it forward. It also allows admin commands with metadata to
+be processed as it ignores metadata when bdev == NULL and may report
+success.
+
+Reject an IO command with metadata when the NVMe namespace doesn't
+support it and reject an admin command if it has metadata.
+
+[1] https://lore.kernel.org/all/mb61pcylvnym8.fsf@amazon.com/
+
+Suggested-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Puranjay Mohan <pjy@amazon.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+[ Minor changes to make it work on 6.6 ]
+Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/ioctl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/ioctl.c
++++ b/drivers/nvme/host/ioctl.c
+@@ -3,6 +3,7 @@
+ * Copyright (c) 2011-2014, Intel Corporation.
+ * Copyright (c) 2017-2021 Christoph Hellwig.
+ */
++#include <linux/blk-integrity.h>
+ #include <linux/ptrace.h> /* for force_successful_syscall_return */
+ #include <linux/nvme_ioctl.h>
+ #include <linux/io_uring.h>
+@@ -171,10 +172,15 @@ static int nvme_map_user_request(struct
+ struct request_queue *q = req->q;
+ struct nvme_ns *ns = q->queuedata;
+ struct block_device *bdev = ns ? ns->disk->part0 : NULL;
++ bool supports_metadata = bdev && blk_get_integrity(bdev->bd_disk);
++ bool has_metadata = meta_buffer && meta_len;
+ struct bio *bio = NULL;
+ void *meta = NULL;
+ int ret;
+
++ if (has_metadata && !supports_metadata)
++ return -EINVAL;
++
+ if (ioucmd && (ioucmd->flags & IORING_URING_CMD_FIXED)) {
+ struct iov_iter iter;
+
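Review bot: `has_metadata` is true only when both `meta_buffer` and `meta_len` are non-zero, so a passthrough command that sets just one of them skips the new `-EINVAL` rejection and is never mapped either. Both values come from user space, and the commit message names silently ignored metadata as the problem, so this half-specified case should either be rejected or carry a comment such as `/* metadata is honoured only when both pointer and length are given */`. A second comment should note that `supports_metadata` depends on `blk_get_integrity()`, which I believe returns NULL when block integrity support is compiled out, so metadata passthrough would then always fail with -EINVAL. nvme_map_user_request() continues past the end of the hunk.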
+@@ -198,7 +204,7 @@ static int nvme_map_user_request(struct
+ if (bdev)
+ bio_set_dev(bio, bdev);
+
+- if (bdev && meta_buffer && meta_len) {
++ if (has_metadata) {
+ meta = nvme_add_user_metadata(req, meta_buffer, meta_len,
+ meta_seed);
+ if (IS_ERR(meta)) {
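Review bot: Dropping `bdev &&` from this condition is safe only because of the early `-EINVAL` return added near the top of the function, and nothing at this line says so. A one-line comment such as `/* has_metadata implies bdev != NULL: rejected at function entry otherwise */` would keep a later edit from separating the two checks. The body of nvme_map_user_request() starts and ends outside the hunk.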
--- /dev/null
+From 2be1d4f11944cd6283cb97268b3e17c4424945ca Mon Sep 17 00:00:00 2001
+From: Justin Tee <justin.tee@broadcom.com>
+Date: Fri, 26 Jul 2024 16:15:07 -0700
+Subject: scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+commit 2be1d4f11944cd6283cb97268b3e17c4424945ca upstream.
+
+When the HBA is undergoing a reset or is handling an errata event, NULL ptr
+dereference crashes may occur in routines such as
+lpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or
+lpfc_abort_handler().
+
+Add NULL ptr checks before dereferencing hdwq pointers that may have been
+freed due to operations colliding with a reset or errata event handler.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240726231512.92867-4-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[Xiangyu: BP to fix CVE: CVE-2024-49891, no test_bit() conflict resolution]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 3 ++-
+ drivers/scsi/lpfc/lpfc_scsi.c | 13 +++++++++++--
+ drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++++++
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -175,7 +175,8 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport
+ ndlp->nlp_state, ndlp->fc4_xpt_flags);
+
+ /* Don't schedule a worker thread event if the vport is going down. */
+- if (vport->load_flag & FC_UNLOADING) {
++ if ((vport->load_flag & FC_UNLOADING) ||
++ !(phba->hba_flag & HBA_SETUP)) {
+ spin_lock_irqsave(&ndlp->lock, iflags);
+ ndlp->rport = NULL;
+
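Review bot: The comment above the condition still says the worker event is skipped only when the vport is going down, but the branch is now also taken when `HBA_SETUP` is clear. It should be updated to match, for instance `/* Don't schedule a worker thread event if the vport is going down or the HBA is not set up (reset/errata in progress). */`. `phba->hba_flag` is read here before `ndlp->lock` is taken, and the hunk does not show whether another lock covers that read, so that is worth confirming.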
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -5546,11 +5546,20 @@ lpfc_abort_handler(struct scsi_cmnd *cmn
+
+ iocb = &lpfc_cmd->cur_iocbq;
+ if (phba->sli_rev == LPFC_SLI_REV4) {
+- pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
+- if (!pring_s4) {
++ /* if the io_wq & pring are gone, the port was reset. */
++ if (!phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq ||
++ !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring) {
++ lpfc_printf_vlog(vport, KERN_WARNING, LOG_FCP,
++ "2877 SCSI Layer I/O Abort Request "
++ "IO CMPL Status x%x ID %d LUN %llu "
++ "HBA_SETUP %d\n", FAILED,
++ cmnd->device->id,
++ (u64)cmnd->device->lun,
++ (HBA_SETUP & phba->hba_flag));
+ ret = FAILED;
+ goto out_unlock_hba;
+ }
++ pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
+ spin_lock(&pring_s4->ring_lock);
+ }
+ /* the command is in process of being cancelled */
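Review bot: The new guard tests `io_wq` and `io_wq->pring` but not `phba->sli4_hba.hdwq` itself, while the lpfc_sli.c hunk of the same commit treats a NULL `hdwq` as possible; if that can happen there, indexing it here would presumably fault before the check helps. Adding `!phba->sli4_hba.hdwq ||` as the first operand would make the two paths agree. The chain `phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq` is also read three times between the check and the assignment to `pring_s4`. Loading it once into a local and testing that local would narrow the window for a concurrent reset, unless the lock released at `out_unlock_hba` already serialises against teardown, which the hunk does not show. lpfc_abort_handler() starts and ends outside the hunk.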
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -4684,6 +4684,17 @@ lpfc_sli_flush_io_rings(struct lpfc_hba
+ /* Look on all the FCP Rings for the iotag */
+ if (phba->sli_rev >= LPFC_SLI_REV4) {
+ for (i = 0; i < phba->cfg_hdw_queue; i++) {
++ if (!phba->sli4_hba.hdwq ||
++ !phba->sli4_hba.hdwq[i].io_wq) {
++ lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
++ "7777 hdwq's deleted %lx "
++ "%lx %x %x\n",
++ (unsigned long)phba->pport->load_flag,
++ (unsigned long)phba->hba_flag,
++ phba->link_state,
++ phba->sli.sli_flag);
++ return;
++ }
+ pring = phba->sli4_hba.hdwq[i].io_wq->pring;
+
+ spin_lock_irq(&pring->ring_lock);
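Review bot: This guard checks `hdwq` and `hdwq[i].io_wq` but not `io_wq->pring`, although the lpfc_scsi.c hunk in the same commit treats a NULL `pring` as a possible post-reset state; here a NULL `pring` would still reach `spin_lock_irq(&pring->ring_lock)`. Extending the condition with `|| !phba->sli4_hba.hdwq[i].io_wq->pring` would close that gap. The early `return` also leaves any remaining queues unflushed, and the `!phba->sli4_hba.hdwq` test is loop-invariant, so a comment explaining why abandoning the whole flush is correct would help. The rest of lpfc_sli_flush_io_rings() is outside the hunk.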
gfs2-don-t-set-glf_lock-in-gfs2_dispose_glock_lru.patch
gfs2-remove-and-replace-gfs2_glock_queue_work.patch
f2fs-fix-fiemap-failure-issue-when-page-size-is-16kb.patch
+mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
+scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
+nvme-fix-metadata-handling-in-nvme-passthrough.patch
+xfs-add-bounds-checking-to-xlog_recover_process_data.patch
--- /dev/null
+From fb63435b7c7dc112b1ae1baea5486e0a6e27b196 Mon Sep 17 00:00:00 2001
+From: lei lu <llfamsec@gmail.com>
+Date: Mon, 3 Jun 2024 17:46:08 +0800
+Subject: xfs: add bounds checking to xlog_recover_process_data
+
+From: lei lu <llfamsec@gmail.com>
+
+commit fb63435b7c7dc112b1ae1baea5486e0a6e27b196 upstream.
+
+There is a lack of verification of the space occupied by fixed members
+of xlog_op_header in the xlog_recover_process_data.
+
+We can create a crafted image to trigger an out of bounds read by
+following these steps:
+ 1) Mount an image of xfs, and do some file operations to leave records
+ 2) Before umounting, copy the image for subsequent steps to simulate
+ abnormal exit. Because umount will ensure that tail_blk and
+ head_blk are the same, which will result in the inability to enter
+ xlog_recover_process_data
+ 3) Write a tool to parse and modify the copied image in step 2
+ 4) Make the end of the xlog_op_header entries only 1 byte away from
+ xlog_rec_header->h_size
+ 5) xlog_rec_header->h_num_logops++
+ 6) Modify xlog_rec_header->h_crc
+
+Fix:
+Add a check to make sure there is sufficient space to access fixed members
+of xlog_op_header.
+
+Signed-off-by: lei lu <llfamsec@gmail.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_log_recover.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -2456,7 +2456,10 @@ xlog_recover_process_data(
+
+ ohead = (struct xlog_op_header *)dp;
+ dp += sizeof(*ohead);
+- ASSERT(dp <= end);
++ if (dp > end) {
++ xfs_warn(log->l_mp, "%s: op header overrun", __func__);
++ return -EFSCORRUPTED;
++ }
+
+ /* errors will abort recovery */
+ error = xlog_recover_process_ophdr(log, rhash, rhead, ohead,
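Review bot: The check at `if (dp > end)` does not say why the `ASSERT` had to become a runtime test: the op headers are read from the on-disk log, which can be crafted, and the assertion presumably compiles out in non-debug builds. A comment such as `/* Log contents are untrusted: make sure the fixed part of the op header fits before it is read. */` above the check would record that. The check bounds only `sizeof(*ohead)`; whether the variable-length payload that follows is also bounded is decided in xlog_recover_process_ophdr(), which is outside this hunk and should be confirmed. xlog_recover_process_data() itself starts and ends outside the hunk.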