--- /dev/null
+From 25f54d08f12feb593e62cc2193fedefaf7825301 Mon Sep 17 00:00:00 2001
+From: Ian Kent <raven@themaw.net>
+Date: Thu, 23 Sep 2021 15:13:39 +0800
+Subject: autofs: fix wait name hash calculation in autofs_wait()
+
+From: Ian Kent <raven@themaw.net>
+
+commit 25f54d08f12feb593e62cc2193fedefaf7825301 upstream.
+
+There's a mistake in commit 2be7828c9fefc ("get rid of autofs_getpath()")
+that affects kernels from v5.13.0, basically missed because of me not
+fully testing the change for Al.
+
+The problem is that the hash calculation for the wait name qstr hasn't
+been updated to account for the change to use dentry_path_raw(). This
+prevents the correct matching of an existing wait, resulting in multiple
+notifications being sent to the daemon for the same mount which must
+not occur.
+
+The problem wasn't discovered earlier because it only occurs when
+multiple processes trigger a request for the same mount concurrently
+so it only shows up in more aggressive testing.
+
+Fixes: 2be7828c9fefc ("get rid of autofs_getpath()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ian Kent <raven@themaw.net>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/autofs/waitq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/autofs/waitq.c
++++ b/fs/autofs/waitq.c
+@@ -358,7 +358,7 @@ int autofs_wait(struct autofs_sb_info *s
+ qstr.len = strlen(p);
+ offset = p - name;
+ }
+- qstr.hash = full_name_hash(dentry, name, qstr.len);
++ qstr.hash = full_name_hash(dentry, qstr.name, qstr.len);
+
+ if (mutex_lock_interruptible(&sbi->wq_mutex)) {
+ kfree(name);
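Review bot: The corrected line `qstr.hash = full_name_hash(dentry, qstr.name, qstr.len);` has no comment explaining why `name` and `qstr.name` differ, which is the confusion that caused the bug. From the context lines (`offset = p - name`), the path appears to start some bytes into the `name` buffer, so the hash and the length must describe the same bytes that the wait lookup compares. I would add `/* hash the bytes at qstr.name, not the start of the name buffer: the path may begin at an offset */` above the line. A mismatched hash only shows up as duplicate daemon notifications under concurrent triggers, so a regression test that fires several lookups for one mount in parallel would be worth having. autofs_wait() starts and ends outside this hunk.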
--- /dev/null
+From 02368b7cf6c7badefa13741aed7a8b91d9a11b19 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Fri, 6 Aug 2021 10:28:40 +0200
+Subject: s390/pci: cleanup resources only if necessary
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit 02368b7cf6c7badefa13741aed7a8b91d9a11b19 upstream.
+
+It's currently safe to call zpci_cleanup_bus_resources() even if the
+resources were never created but it makes no sense so check
+zdev->has_resources before we call zpci_cleanup_bus_resources() in
+zpci_release_device().
+
+Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Acked-by: Pierre Morel <pmorel@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/pci/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -829,7 +829,8 @@ void zpci_release_device(struct kref *kr
+ case ZPCI_FN_STATE_STANDBY:
+ if (zdev->has_hp_slot)
+ zpci_exit_slot(zdev);
+- zpci_cleanup_bus_resources(zdev);
++ if (zdev->has_resources)
++ zpci_cleanup_bus_resources(zdev);
+ zpci_bus_device_unregister(zdev);
+ zpci_destroy_iommu(zdev);
+ fallthrough;
--- /dev/null
+From a46044a92add6a400f4dada7b943b30221f7cc80 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Wed, 22 Sep 2021 15:55:12 +0200
+Subject: s390/pci: fix zpci_zdev_put() on reserve
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit a46044a92add6a400f4dada7b943b30221f7cc80 upstream.
+
+Since commit 2a671f77ee49 ("s390/pci: fix use after free of zpci_dev")
+the reference count of a zpci_dev is incremented between
+pcibios_add_device() and pcibios_release_device() which was supposed to
+prevent the zpci_dev from being freed while the common PCI code has
+access to it. It was missed however that the handling of zPCI
+availability events assumed that once zpci_zdev_put() was called no
+later availability event would still see the device. With the previously
+mentioned commit however this assumption no longer holds and we must
+make sure that we only drop the initial long-lived reference the zPCI
+subsystem holds exactly once.
+
+Do so by introducing a zpci_device_reserved() function that handles when
+a device is reserved. Here we make sure the zpci_dev will not be
+considered for further events by removing it from the zpci_list.
+
+This also means that the device actually stays in the
+ZPCI_FN_STATE_RESERVED state between the time we know it has been
+reserved and the final reference going away. We thus need to consider it
+a real state instead of just a conceptual state after the removal. The
+final cleanup of PCI resources, removal from zbus, and destruction of
+the IOMMU stays in zpci_release_device() to make sure holders of the
+reference do see valid data until the release.
+
+Fixes: 2a671f77ee49 ("s390/pci: fix use after free of zpci_dev")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/pci.h | 2 +
+ arch/s390/pci/pci.c | 45 ++++++++++++++++++++++++++++++++-----
+ arch/s390/pci/pci_event.c | 4 +--
+ drivers/pci/hotplug/s390_pci_hpc.c | 9 -------
+ 4 files changed, 45 insertions(+), 15 deletions(-)
+
+--- a/arch/s390/include/asm/pci.h
++++ b/arch/s390/include/asm/pci.h
+@@ -207,6 +207,8 @@ int zpci_enable_device(struct zpci_dev *
+ int zpci_disable_device(struct zpci_dev *);
+ int zpci_scan_configured_device(struct zpci_dev *zdev, u32 fh);
+ int zpci_deconfigure_device(struct zpci_dev *zdev);
++void zpci_device_reserved(struct zpci_dev *zdev);
++bool zpci_is_device_configured(struct zpci_dev *zdev);
+
+ int zpci_register_ioat(struct zpci_dev *, u8, u64, u64, u64);
+ int zpci_unregister_ioat(struct zpci_dev *, u8);
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -92,7 +92,7 @@ void zpci_remove_reserved_devices(void)
+ spin_unlock(&zpci_list_lock);
+
+ list_for_each_entry_safe(zdev, tmp, &remove, entry)
+- zpci_zdev_put(zdev);
++ zpci_device_reserved(zdev);
+ }
+
+ int pci_domain_nr(struct pci_bus *bus)
+@@ -744,6 +744,14 @@ error:
+ return ERR_PTR(rc);
+ }
+
++bool zpci_is_device_configured(struct zpci_dev *zdev)
++{
++ enum zpci_state state = zdev->state;
++
++ return state != ZPCI_FN_STATE_RESERVED &&
++ state != ZPCI_FN_STATE_STANDBY;
++}
++
+ /**
+ * zpci_scan_configured_device() - Scan a freshly configured zpci_dev
+ * @zdev: The zpci_dev to be configured
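Review bot: zpci_is_device_configured() reads `zdev->state` with a plain load and no lock, while zpci_device_reserved(), added later in this patch, writes the field after releasing zpci_list_lock. Copying the field into a local suggests a single consistent read is intended. If no other lock serialises these accesses (not visible here), `enum zpci_state state = READ_ONCE(zdev->state);` with a matching `WRITE_ONCE()` at the writer would make that explicit. The function is exported through asm/pci.h but, unlike its neighbours, has no kernel-doc. A short header such as `/** zpci_is_device_configured() - true unless the function is in standby or reserved state */` should also say that the answer may be stale by the time the caller acts on it.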
+@@ -810,6 +818,31 @@ int zpci_deconfigure_device(struct zpci_
+ return 0;
+ }
+
++/**
++ * zpci_device_reserved() - Mark device as resverved
++ * @zdev: the zpci_dev that was reserved
++ *
++ * Handle the case that a given zPCI function was reserved by another system.
++ * After a call to this function the zpci_dev can not be found via
++ * get_zdev_by_fid() anymore but may still be accessible via existing
++ * references though it will not be functional anymore.
++ */
++void zpci_device_reserved(struct zpci_dev *zdev)
++{
++ if (zdev->has_hp_slot)
++ zpci_exit_slot(zdev);
++ /*
++ * Remove device from zpci_list as it is going away. This also
++ * makes sure we ignore subsequent zPCI events for this device.
++ */
++ spin_lock(&zpci_list_lock);
++ list_del(&zdev->entry);
++ spin_unlock(&zpci_list_lock);
++ zdev->state = ZPCI_FN_STATE_RESERVED;
++ zpci_dbg(3, "rsv fid:%x\n", zdev->fid);
++ zpci_zdev_put(zdev);
++}
++
+ void zpci_release_device(struct kref *kref)
+ {
+ struct zpci_dev *zdev = container_of(kref, struct zpci_dev, kref);
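Review bot: zpci_device_reserved() is only correct when it runs exactly once per device, but nothing in the function enforces or documents that. A second call would run `list_del(&zdev->entry)` on an already unlinked entry and drop a reference the zPCI core no longer owns. The commit message states the exactly-once requirement, so the kernel-doc should carry it too, for example `* Must be called at most once per zpci_dev, by the code that found it on zpci_list.`. Whether availability events are serialised against zpci_remove_reserved_devices() is not visible in this hunk. The kernel-doc summary line also has a typo, `resverved`, and zpci_release_device() continues outside the hunk.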
+@@ -829,6 +862,12 @@ void zpci_release_device(struct kref *kr
+ case ZPCI_FN_STATE_STANDBY:
+ if (zdev->has_hp_slot)
+ zpci_exit_slot(zdev);
++ spin_lock(&zpci_list_lock);
++ list_del(&zdev->entry);
++ spin_unlock(&zpci_list_lock);
++ zpci_dbg(3, "rsv fid:%x\n", zdev->fid);
++ fallthrough;
++ case ZPCI_FN_STATE_RESERVED:
+ if (zdev->has_resources)
+ zpci_cleanup_bus_resources(zdev);
+ zpci_bus_device_unregister(zdev);
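Review bot: The STANDBY branch now repeats the unlink sequence from zpci_device_reserved() and logs the same `rsv fid:%x` tag, so a debug trace cannot distinguish a device reserved by an event from one released while in standby. A distinct tag for this path would fix that, as would a small static helper shared by both callers that takes zpci_list_lock and calls `list_del(&zdev->entry)`; either keeps the two paths from drifting apart. A one-line comment on `case ZPCI_FN_STATE_RESERVED:` saying the entry was already removed from zpci_list by zpci_device_reserved() would explain why that case skips the unlink. The switch starts and ends outside this hunk.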
+@@ -837,10 +876,6 @@ void zpci_release_device(struct kref *kr
+ default:
+ break;
+ }
+-
+- spin_lock(&zpci_list_lock);
+- list_del(&zdev->entry);
+- spin_unlock(&zpci_list_lock);
+ zpci_dbg(3, "rem fid:%x\n", zdev->fid);
+ kfree(zdev);
+ }
+--- a/arch/s390/pci/pci_event.c
++++ b/arch/s390/pci/pci_event.c
+@@ -137,7 +137,7 @@ static void __zpci_event_availability(st
+ /* The 0x0304 event may immediately reserve the device */
+ if (!clp_get_state(zdev->fid, &state) &&
+ state == ZPCI_FN_STATE_RESERVED) {
+- zpci_zdev_put(zdev);
++ zpci_device_reserved(zdev);
+ }
+ }
+ break;
+@@ -148,7 +148,7 @@ static void __zpci_event_availability(st
+ case 0x0308: /* Standby -> Reserved */
+ if (!zdev)
+ break;
+- zpci_zdev_put(zdev);
++ zpci_device_reserved(zdev);
+ break;
+ default:
+ break;
+--- a/drivers/pci/hotplug/s390_pci_hpc.c
++++ b/drivers/pci/hotplug/s390_pci_hpc.c
+@@ -62,14 +62,7 @@ static int get_power_status(struct hotpl
+ struct zpci_dev *zdev = container_of(hotplug_slot, struct zpci_dev,
+ hotplug_slot);
+
+- switch (zdev->state) {
+- case ZPCI_FN_STATE_STANDBY:
+- *value = 0;
+- break;
+- default:
+- *value = 1;
+- break;
+- }
++ *value = zpci_is_device_configured(zdev) ? 1 : 0;
+ return 0;
+ }
+
--- /dev/null
+From 50b6cb3516365cb69753b006be2b61c966b70588 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 7 Oct 2021 21:35:46 -0700
+Subject: scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma()
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 50b6cb3516365cb69753b006be2b61c966b70588 upstream.
+
+After commit ea2f0f77538c ("scsi: core: Cap scsi_host cmd_per_lun at
+can_queue"), a 416-CPU VM running on Hyper-V hangs during boot because the
+hv_storvsc driver sets scsi_driver.can_queue to an integer value that
+exceeds SHRT_MAX, and hence scsi_add_host_with_dma() sets
+shost->cmd_per_lun to a negative "short" value.
+
+Use min_t(int, ...) to work around the issue.
+
+Link: https://lore.kernel.org/r/20211008043546.6006-1-decui@microsoft.com
+Fixes: ea2f0f77538c ("scsi: core: Cap scsi_host cmd_per_lun at can_queue")
+Cc: stable@vger.kernel.org
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hosts.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -220,7 +220,8 @@ int scsi_add_host_with_dma(struct Scsi_H
+ goto fail;
+ }
+
+- shost->cmd_per_lun = min_t(short, shost->cmd_per_lun,
++ /* Use min_t(int, ...) in case shost->can_queue exceeds SHRT_MAX */
++ shost->cmd_per_lun = min_t(int, shost->cmd_per_lun,
+ shost->can_queue);
+
+ error = scsi_init_sense_cache(shost);
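Review bot: The new comment says which type is used but not why the result still fits the destination. Per the commit message `shost->cmd_per_lun` is a short, so the int result is narrowed again on assignment. That is safe only because the minimum can never exceed the existing `cmd_per_lun` value, and it assumes `can_queue` is positive at this point, which the hunk does not show. I would extend the comment to `/* Compare as int: can_queue may exceed SHRT_MAX; the result is <= cmd_per_lun and so fits the short field */`. scsi_add_host_with_dma() starts and ends outside the hunk.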