--- /dev/null
+From c4d13222afd8a64bf11bc7ec68645496ee8b54b9 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Tue, 6 Jun 2023 15:32:03 +0800
+Subject: ext4: fix to check return value of freeze_bdev() in ext4_shutdown()
+
+From: Chao Yu <chao@kernel.org>
+
+commit c4d13222afd8a64bf11bc7ec68645496ee8b54b9 upstream.
+
+freeze_bdev() can fail due to a lot of reasons, it needs to check its
+reason before later process.
+
+Fixes: 783d94854499 ("ext4: add EXT4_IOC_GOINGDOWN ioctl")
+Cc: stable@kernel.org
+Signed-off-by: Chao Yu <chao@kernel.org>
+Link: https://lore.kernel.org/r/20230606073203.1310389-1-chao@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/ioctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -502,6 +502,7 @@ static int ext4_shutdown(struct super_bl
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ __u32 flags;
++ int ret;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -519,7 +520,9 @@ static int ext4_shutdown(struct super_bl
+
+ switch (flags) {
+ case EXT4_GOING_FLAGS_DEFAULT:
+- freeze_bdev(sb->s_bdev);
++ ret = freeze_bdev(sb->s_bdev);
++ if (ret)
++ return ret;
+ set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags);
+ thaw_bdev(sb->s_bdev, sb);
+ break;
--- /dev/null
+From 247c3d214c23dfeeeb892e91a82ac1188bdaec9f Mon Sep 17 00:00:00 2001
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+Date: Sat, 3 Jun 2023 23:03:18 +0800
+Subject: ext4: fix wrong unit use in ext4_mb_clear_bb
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+commit 247c3d214c23dfeeeb892e91a82ac1188bdaec9f upstream.
+
+Function ext4_issue_discard need count in cluster. Pass count_clusters
+instead of count to fix the mismatch.
+
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Cc: stable@kernel.org
+Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230603150327.3596033-11-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/mballoc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -4976,8 +4976,8 @@ do_more:
+ * them with group lock_held
+ */
+ if (test_opt(sb, DISCARD)) {
+- err = ext4_issue_discard(sb, block_group, bit, count,
+- NULL);
++ err = ext4_issue_discard(sb, block_group, bit,
++ count_clusters, NULL);
+ if (err && err != -EOPNOTSUPP)
+ ext4_msg(sb, KERN_WARNING, "discard request in"
+ " group:%d block:%d count:%lu failed"
--- /dev/null
+From de25d6e9610a8b30cce9bbb19b50615d02ebca02 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Mon, 24 Apr 2023 11:38:35 +0800
+Subject: ext4: only update i_reserved_data_blocks on successful block allocation
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit de25d6e9610a8b30cce9bbb19b50615d02ebca02 upstream.
+
+In our fault injection test, we create an ext4 file, migrate it to
+non-extent based file, then punch a hole and finally trigger a WARN_ON
+in the ext4_da_update_reserve_space():
+
+EXT4-fs warning (device sda): ext4_da_update_reserve_space:369:
+ino 14, used 11 with only 10 reserved data blocks
+
+When writing back a non-extent based file, if we enable delalloc, the
+number of reserved blocks will be subtracted from the number of blocks
+mapped by ext4_ind_map_blocks(), and the extent status tree will be
+updated. We update the extent status tree by first removing the old
+extent_status and then inserting the new extent_status. If the block range
+we remove happens to be in an extent, then we need to allocate another
+extent_status with ext4_es_alloc_extent().
+
+ use old to remove to add new
+ |----------|------------|------------|
+ old extent_status
+
+The problem is that the allocation of a new extent_status failed due to a
+fault injection, and __es_shrink() did not get free memory, resulting in
+a return of -ENOMEM. Then do_writepages() retries after receiving -ENOMEM,
+we map to the same extent again, and the number of reserved blocks is again
+subtracted from the number of blocks in that extent. Since the blocks in
+the same extent are subtracted twice, we end up triggering WARN_ON at
+ext4_da_update_reserve_space() because used > ei->i_reserved_data_blocks.
+
+For non-extent based file, we update the number of reserved blocks after
+ext4_ind_map_blocks() is executed, which causes a problem that when we call
+ext4_ind_map_blocks() to create a block, it doesn't always create a block,
+but we always reduce the number of reserved blocks. So we move the logic
+for updating reserved blocks to ext4_ind_map_blocks() to ensure that the
+number of reserved blocks is updated only after we do succeed in allocating
+some new blocks.
+
+Fixes: 5f634d064c70 ("ext4: Fix quota accounting error with fallocate")
+Cc: stable@kernel.org
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230424033846.4732-2-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/indirect.c | 8 ++++++++
+ fs/ext4/inode.c | 10 ----------
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -642,6 +642,14 @@ int ext4_ind_map_blocks(handle_t *handle
+
+ ext4_update_inode_fsync_trans(handle, inode, 1);
+ count = ar.len;
++
++ /*
++ * Update reserved blocks/metadata blocks after successful block
++ * allocation which had been deferred till now.
++ */
++ if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE)
++ ext4_da_update_reserve_space(inode, count, 1);
++
+ got_it:
+ map->m_flags |= EXT4_MAP_MAPPED;
+ map->m_pblk = le32_to_cpu(chain[depth-1].key);
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -665,16 +665,6 @@ found:
+ */
+ ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE);
+ }
+-
+- /*
+- * Update reserved blocks/metadata blocks after successful
+- * block allocation which had been deferred till now. We don't
+- * support fallocate for non extent files. So we can update
+- * reserve space here.
+- */
+- if ((retval > 0) &&
+- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE))
+- ext4_da_update_reserve_space(inode, retval, 1);
+ }
+
+ if (retval > 0) {
--- /dev/null
+From 11509910c599cbd04585ec35a6d5e1a0053d84c1 Mon Sep 17 00:00:00 2001
+From: Siddh Raman Pant <code@siddh.me>
+Date: Tue, 20 Jun 2023 22:17:00 +0530
+Subject: jfs: jfs_dmap: Validate db_l2nbperpage while mounting
+
+From: Siddh Raman Pant <code@siddh.me>
+
+commit 11509910c599cbd04585ec35a6d5e1a0053d84c1 upstream.
+
+In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block
+number inside dbFree(). db_l2nbperpage, which is the log2 number of
+blocks per page, is passed as an argument to BLKTODMAP which uses it
+for shifting.
+
+Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is
+too big. This happens because the large value is set without any
+validation in dbMount() at line 181.
+
+Thus, make sure that db_l2nbperpage is correct while mounting.
+
+Max number of blocks per page = Page size / Min block size
+=> log2(Max num_block per page) = log2(Page size / Min block size)
+ = log2(Page size) - log2(Min block size)
+
+=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE
+
+Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
+Cc: stable@vger.kernel.org
+Suggested-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Siddh Raman Pant <code@siddh.me>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/jfs_dmap.c | 6 ++++++
+ fs/jfs/jfs_filsys.h | 2 ++
+ 2 files changed, 8 insertions(+)
+
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -191,7 +191,13 @@ int dbMount(struct inode *ipbmap)
+ dbmp_le = (struct dbmap_disk *) mp->data;
+ bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize);
+ bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
++
+ bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
++ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {
++ err = -EINVAL;
++ goto err_release_metapage;
++ }
++
+ bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
+ if (!bmp->db_numag) {
+ err = -EINVAL;
+--- a/fs/jfs/jfs_filsys.h
++++ b/fs/jfs/jfs_filsys.h
+@@ -135,7 +135,9 @@
+ #define NUM_INODE_PER_IAG INOSPERIAG
+
+ #define MINBLOCKSIZE 512
++#define L2MINBLOCKSIZE 9
+ #define MAXBLOCKSIZE 4096
++#define L2MAXBLOCKSIZE 12
+ #define MAXFILESIZE ((s64)1 << 52)
+
+ #define JFS_LINK_MAX 0xffffffff
--- /dev/null
+From 88d341716b83abd355558523186ca488918627ee Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Wed, 7 Jun 2023 18:18:47 +0100
+Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 88d341716b83abd355558523186ca488918627ee upstream.
+
+Marvell's own product brief implies the 92xx series are a closely related
+family, and sure enough it turns out that 9235 seems to need the same quirk
+as the other three, although possibly only when certain ports are used.
+
+Link: https://lore.kernel.org/linux-iommu/2a699a99-545c-1324-e052-7d2f41fed1ae@yahoo.co.uk/
+Link: https://lore.kernel.org/r/731507e05d70239aec96fcbfab6e65d8ce00edd2.1686157165.git.robin.murphy@arm.com
+Reported-by: Jason Adriaanse <jason_a69@yahoo.co.uk>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4035,6 +4035,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230,
+ quirk_dma_func1_alias);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9235,
++ quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642,
+ quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645,
tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch
sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch
+ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch
+ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch
+ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch
+jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch
+pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
