From: Greg Kroah-Hartman
Date: Tue, 29 Apr 2025 07:41:19 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v5.4.293~37
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=10d3e8f8a5a3e82f42a993f52c7140a3c6a22296;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
jfs-define-xtree-root-and-page-independently.patch
s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch
---
diff --git a/queue-5.15/jfs-define-xtree-root-and-page-independently.patch b/queue-5.15/jfs-define-xtree-root-and-page-independently.patch
new file mode 100644
index 0000000000..5d1718347a
--- /dev/null
+++ b/queue-5.15/jfs-define-xtree-root-and-page-independently.patch
@@ -0,0 +1,168 @@
+From a779ed754e52d582b8c0e17959df063108bd0656 Mon Sep 17 00:00:00 2001
+From: Dave Kleikamp
+Date: Thu, 5 Oct 2023 09:16:14 -0500
+Subject: jfs: define xtree root and page independently
+
+From: Dave Kleikamp
+
+commit a779ed754e52d582b8c0e17959df063108bd0656 upstream.
+
+In order to make array bounds checking sane, provide a separate
+definition of the in-inode xtree root and the external xtree page.
+
+Signed-off-by: Dave Kleikamp
+Tested-by: Manas Ghandat
+Closes: https://syzkaller.appspot.com/bug?extid=ccb458b6679845ee0bae
+Reported-by: syzbot+ccb458b6679845ee0bae@syzkaller.appspotmail.com
+Signed-off-by: Aditya Dutt
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jfs/jfs_dinode.h | 2 +-
+ fs/jfs/jfs_imap.c | 6 +++---
+ fs/jfs/jfs_incore.h | 2 +-
+ fs/jfs/jfs_txnmgr.c | 4 ++--
+ fs/jfs/jfs_xtree.c | 4 ++--
+ fs/jfs/jfs_xtree.h | 37 +++++++++++++++++++++++--------------
+ 6 files changed, 32 insertions(+), 23 deletions(-)
+
+--- a/fs/jfs/jfs_dinode.h
++++ b/fs/jfs/jfs_dinode.h
+@@ -96,7 +96,7 @@ struct dinode {
+ #define di_gengen u._file._u1._imap._gengen
+
+ union {
+- xtpage_t _xtroot;
++ xtroot_t _xtroot;
+ struct {
+ u8 unused[16]; /* 16: */
+ dxd_t _dxd; /* 16: */
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -673,7 +673,7 @@ int diWrite(tid_t tid, struct inode *ip)
+ * This is the special xtree inside the directory for storing
+ * the directory table
+ */
+- xtpage_t *p, *xp;
++ xtroot_t *p, *xp;
+ xad_t *xad;
+
+ jfs_ip->xtlid = 0;
+@@ -687,7 +687,7 @@ int diWrite(tid_t tid, struct inode *ip)
+ * copy xtree root from inode to dinode:
+ */
+ p = &jfs_ip->i_xtroot;
+- xp = (xtpage_t *) &dp->di_dirtable;
++ xp = (xtroot_t *) &dp->di_dirtable;
+ lv = ilinelock->lv;
+ for (n = 0; n < ilinelock->index; n++, lv++) {
+ memcpy(&xp->xad[lv->offset], &p->xad[lv->offset],
+@@ -716,7 +716,7 @@ int diWrite(tid_t tid, struct inode *ip)
+ * regular file: 16 byte (XAD slot) granularity
+ */
+ if (type & tlckXTREE) {
+- xtpage_t *p, *xp;
++
xtroot_t *p, *xp;
+ xad_t *xad;
+
+ /*
+--- a/fs/jfs/jfs_incore.h
++++ b/fs/jfs/jfs_incore.h
+@@ -66,7 +66,7 @@ struct jfs_inode_info {
+ lid_t xtlid; /* lid of xtree lock on directory */
+ union {
+ struct {
+- xtpage_t _xtroot; /* 288: xtree root */
++ xtroot_t _xtroot; /* 288: xtree root */
+ struct inomap *_imap; /* 4: inode map header */
+ } file;
+ struct {
+--- a/fs/jfs/jfs_txnmgr.c
++++ b/fs/jfs/jfs_txnmgr.c
+@@ -783,7 +783,7 @@ struct tlock *txLock(tid_t tid, struct i
+ if (mp->xflag & COMMIT_PAGE)
+ p = (xtpage_t *) mp->data;
+ else
+- p = &jfs_ip->i_xtroot;
++ p = (xtpage_t *) &jfs_ip->i_xtroot;
+ xtlck->lwm.offset =
+ le16_to_cpu(p->header.nextindex);
+ }
+@@ -1710,7 +1710,7 @@ static void xtLog(struct jfs_log * log,
+
+ if (tlck->type & tlckBTROOT) {
+ lrd->log.redopage.type |= cpu_to_le16(LOG_BTROOT);
+- p = &JFS_IP(ip)->i_xtroot;
++ p = (xtpage_t *) &JFS_IP(ip)->i_xtroot;
+ if (S_ISDIR(ip->i_mode))
+ lrd->log.redopage.type |=
+ cpu_to_le16(LOG_DIR_XTREE);
+--- a/fs/jfs/jfs_xtree.c
++++ b/fs/jfs/jfs_xtree.c
+@@ -1224,7 +1224,7 @@ xtSplitRoot(tid_t tid,
+ struct xtlock *xtlck;
+ int rc;
+
+- sp = &JFS_IP(ip)->i_xtroot;
++ sp = (xtpage_t *) &JFS_IP(ip)->i_xtroot;
+
+ INCREMENT(xtStat.split);
+
+@@ -3059,7 +3059,7 @@ static int xtRelink(tid_t tid, struct in
+ */
+ void xtInitRoot(tid_t tid, struct inode *ip)
+ {
+- xtpage_t *p;
++ xtroot_t *p;
+
+ /*
+ * acquire a transaction lock on the root
+--- a/fs/jfs/jfs_xtree.h
++++ b/fs/jfs/jfs_xtree.h
+@@ -65,24 +65,33 @@ struct xadlist {
+ #define XTPAGEMAXSLOT 256
+ #define XTENTRYSTART 2
+
++struct xtheader {
++ __le64 next; /* 8: */
++ __le64 prev; /* 8: */
++
++ u8 flag; /* 1: */
++ u8 rsrvd1; /* 1: */
++ __le16 nextindex; /* 2: next index = number of entries */
++ __le16 maxentry; /* 2: max number of entries */
++ __le16 rsrvd2; /* 2: */
++
++ pxd_t self; /* 8: self */
++};
++
+ /*
+- * xtree page:
++ * xtree root (in inode):
+ */
+ typedef union {
+- struct xtheader {
+- __le64 next; /* 8: */
+- __le64
prev; /* 8: */
+-
+- u8 flag; /* 1: */
+- u8 rsrvd1; /* 1: */
+- __le16 nextindex; /* 2: next index = number of entries */
+- __le16 maxentry; /* 2: max number of entries */
+- __le16 rsrvd2; /* 2: */
+-
+- pxd_t self; /* 8: self */
+- } header; /* (32) */
+-
++ struct xtheader header;
+ xad_t xad[XTROOTMAXSLOT]; /* 16 * maxentry: xad array */
++} xtroot_t;
++
++/*
++ * xtree page:
++ */
++typedef union {
++ struct xtheader header;
++ xad_t xad[XTPAGEMAXSLOT]; /* 16 * maxentry: xad array */
+ } xtpage_t;
+
+ /*
diff --git a/queue-5.15/s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch b/queue-5.15/s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch
new file mode 100644
index 0000000000..33e68ef2f7
--- /dev/null
+++ b/queue-5.15/s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch
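Review bot: The `(xtpage_t *)` casts added in txLock(), xtLog() and xtSplitRoot() view the in-inode root through a type whose `xad[]` is declared with XTPAGEMAXSLOT entries, so on those paths the bound the compiler sees is the page size rather than XTROOTMAXSLOT, and the bounds checking this patch is meant to enable does not cover them. Only `header.nextindex` is visibly read through the cast pointer (in txLock()); the bodies of xtLog() and xtSplitRoot() continue outside the hunks, so whether they index `xad[]` through `p` or `sp` cannot be confirmed from here. I would add a comment at each cast, for example `/* root viewed as a page: only xad[0..XTROOTMAXSLOT-1] exist */`, and where `nextindex` or `maxentry` is later used as an index on a root, compare it with XTROOTMAXSLOT first.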
@@ -0,0 +1,141 @@
+From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Wed, 2 Apr 2025 22:36:21 +0200
+Subject: s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues
+
+From: David Hildenbrand
+
+commit 2ccd42b959aaf490333dbd3b9b102eaf295c036a upstream.
+
+If we finds a vq without a name in our input array in
+virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer
+to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq.
+
+Consequently, we create only a queue if it actually exists (name != NULL)
+and assign an incremental queue index to each such existing queue.
+
+However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we
+will not ignore these "non-existing queues", but instead assign an airq
+indicator to them.
+
+Besides never releasing them in virtio_ccw_drop_indicators() (because
+there is no virtqueue), the bigger issue seems to be that there will be a
+disagreement between the device and the Linux guest about the airq
+indicator to be used for notifying a queue, because the indicator bit
+for adapter I/O interrupt is derived from the queue index.
+
+The virtio spec states under "Setting Up Two-Stage Queue Indicators":
+
+ ... indicator contains the guest address of an area wherein the
+ indicators for the devices are contained, starting at bit_nr, one
+ bit per virtqueue of the device.
+
+And further in "Notification via Adapter I/O Interrupts":
+
+ For notifying the driver of virtqueue buffers, the device sets the
+ bit in the guest-provided indicator area at the corresponding
+ offset.
+
+For example, QEMU uses in virtio_ccw_notify() the queue index (passed as
+"vector") to select the relevant indicator bit. If a queue does not exist,
+it does not have a corresponding indicator bit assigned, because it
+effectively doesn't have a queue index.
+
+Using a virtio-balloon-ccw device under QEMU with free-page-hinting
+disabled ("free-page-hint=off") but free-page-reporting enabled
+("free-page-reporting=on") will result in free page reporting
+not working as expected: in the virtio_balloon driver, we'll be stuck
+forever in virtballoon_free_page_report()->wait_event(), because the
+waitqueue will not be woken up as the notification from the device is
+lost: it would use the wrong indicator bit.
+
+Free page reporting stops working and we get splats (when configured to
+detect hung wqs) like:
+
+ INFO: task kworker/1:3:463 blocked for more than 61 seconds.
+ Not tainted 6.14.0 #4
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:kworker/1:3 [...]
+ Workqueue: events page_reporting_process
+ Call Trace:
+ [<000002f404e6dfb2>] __schedule+0x402/0x1640
+ [<000002f404e6f22e>] schedule+0x3e/0xe0
+ [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon]
+ [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740
+ [<000002f403fd3ee2>] process_one_work+0x1c2/0x400
+ [<000002f403fd4b96>] worker_thread+0x296/0x420
+ [<000002f403fe10b4>] kthread+0x124/0x290
+ [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60
+ [<000002f404e77272>] ret_from_fork+0xa/0x38
+
+There was recently a discussion [1] whether the "holes" should be
+treated differently again, effectively assigning also non-existing
+queues a queue index: that should also fix the issue, but requires other
+workarounds to not break existing setups.
+
+Let's fix it without affecting existing setups for now by properly ignoring
+the non-existing queues, so the indicator bits will match the queue
+indexes.
+
+[1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/
+
+Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL")
+Reported-by: Chandra Merla
+Cc: stable@vger.kernel.org
+Signed-off-by: David Hildenbrand
+Tested-by: Thomas Huth
+Reviewed-by: Thomas Huth
+Reviewed-by: Cornelia Huck
+Acked-by: Michael S. Tsirkin
+Acked-by: Christian Borntraeger
+Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com
+Signed-off-by: Heiko Carstens
+Signed-off-by: David Hildenbrand
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/virtio/virtio_ccw.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/virtio/virtio_ccw.c
++++ b/drivers/s390/virtio/virtio_ccw.c
+@@ -261,11 +261,17 @@ static struct airq_info *new_airq_info(i
+ static unsigned long get_airq_indicator(struct virtqueue *vqs[], int nvqs,
+ u64 *first, void **airq_info)
+ {
+- int i, j;
++ int i, j, queue_idx, highest_queue_idx = -1;
+ struct airq_info *info;
+ unsigned long indicator_addr = 0;
+ unsigned long bit, flags;
+
++ /* Array entries without an actual queue pointer must be ignored. */
++ for (i = 0; i < nvqs; i++) {
++ if (vqs[i])
++ highest_queue_idx++;
++ }
++
+ for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) {
+ mutex_lock(&airq_areas_lock);
+ if (!airq_areas[i])
+@@ -275,7 +281,7 @@ static unsigned long get_airq_indicator(
+ if (!info)
+ return 0;
+ write_lock_irqsave(&info->lock, flags);
+- bit = airq_iv_alloc(info->aiv, nvqs);
++ bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1);
+ if (bit == -1UL) {
+ /* Not enough vacancies.
*/
+ write_unlock_irqrestore(&info->lock, flags);
+@@ -284,8 +290,10 @@ static unsigned long get_airq_indicator(
+ *first = bit;
+ *airq_info = info;
+ indicator_addr = (unsigned long)info->aiv->vector;
+- for (j = 0; j < nvqs; j++) {
+- airq_iv_set_ptr(info->aiv, bit + j,
++ for (j = 0, queue_idx = 0; j < nvqs; j++) {
++ if (!vqs[j])
++ continue;
++ airq_iv_set_ptr(info->aiv, bit + queue_idx++,
+ (unsigned long)vqs[j]);
+ }
+ write_unlock_irqrestore(&info->lock, flags);
diff --git a/queue-5.15/series b/queue-5.15/series
index f4873349a5..e235617bce 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -357,3 +357,5 @@ scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch
 loop-aio-inherit-the-ioprio-of-original-request.patch
 ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch
 md-raid1-add-check-for-missing-source-disk-in-proces.patch
+s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch
+jfs-define-xtree-root-and-page-independently.patch
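Review bot: When every entry of `vqs[]` is NULL, or `nvqs` is 0, `highest_queue_idx` stays at -1 and the second inner hunk calls `airq_iv_alloc(info->aiv, highest_queue_idx + 1)` with a count of 0. How airq_iv_alloc() treats a zero count is not visible in this patch; if it reports failure, the area loop would presumably move on through the remaining airq areas before giving up. If an empty queue set is to be rejected, a guard right after the counting loop makes that explicit, `if (highest_queue_idx < 0) return 0;`, with 0 being the failure value the function already returns on `!info`; otherwise a comment stating that callers always pass at least one existing queue would do. As a matter of style, the variable is only ever used as `highest_queue_idx + 1`, so a count such as `nr_queues` starting at 0 would read more directly.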