From: Greg Kroah-Hartman Date: Mon, 24 May 2021 10:48:26 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.270~43 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6516ae6fcf599ff23e4c307cbd875698b2762b55;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch xen-pciback-reconfigure-also-from-backend-watch-handler.patch
---
diff --git a/queue-4.9/dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch b/queue-4.9/dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch
new file mode 100644
index 00000000000..360f5481148
--- /dev/null
+++ b/queue-4.9/dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch
@@ -0,0 +1,43 @@
+From 7ee06ddc4038f936b0d4459d37a7d4d844fb03db Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 7 May 2021 11:38:10 -0400
+Subject: dm snapshot: fix a crash when an origin has no snapshots
+
+From: Mikulas Patocka
+
+commit 7ee06ddc4038f936b0d4459d37a7d4d844fb03db upstream.
+
+If an origin target has no snapshots, o->split_boundary is set to 0.
+This causes BUG_ON(sectors <= 0) in block/bio.c:bio_split().
+
+Fix this by initializing chunk_size, and in turn split_boundary, to
+rounddown_pow_of_two(UINT_MAX) -- the largest power of two that fits
+into "unsigned" type.
+
+Reported-by: Michael Tokarev
+Tested-by: Michael Tokarev
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-snap.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -788,12 +788,11 @@ static int dm_add_exception(void *contex
+ static uint32_t __minimum_chunk_size(struct origin *o)
+ {
+ struct dm_snapshot *snap;
+- unsigned chunk_size = 0;
++ unsigned chunk_size = rounddown_pow_of_two(UINT_MAX);
+
+ if (o)
+ list_for_each_entry(snap, &o->snapshots, list)
+- chunk_size = min_not_zero(chunk_size,
+- snap->store->chunk_size);
++ chunk_size = min(chunk_size, snap->store->chunk_size);
+
+ return (uint32_t) chunk_size;
+ }
diff --git a/queue-4.9/dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch b/queue-4.9/dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch
new file mode 100644
index 00000000000..19bf3812504
--- /dev/null
+++ b/queue-4.9/dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch
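Review bot: In __minimum_chunk_size(), switching from `min_not_zero()` to `min()` means a single snapshot whose `snap->store->chunk_size` is 0 now pulls the result back to 0, the value the commit message says trips `BUG_ON(sectors <= 0)` in bio_split(). The companion patch in this queue shows snapshot_ctr() rejecting a zero chunk size, so this is probably unreachable for a fully constructed snapshot, but whether a snapshot can already be on `o->snapshots` before that check runs is not visible in the hunk. I would either state the invariant above the loop, `/* every snapshot on o->snapshots has a non-zero chunk_size (checked in snapshot_ctr) */`, or keep skipping zeros by putting `if (snap->store->chunk_size)` in front of the `min()` line.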
@@ -0,0 +1,41 @@
+From c699a0db2d62e3bbb7f0bf35c87edbc8d23e3062 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Mon, 10 May 2021 14:49:05 -0400
+Subject: dm snapshot: fix crash with transient storage and zero chunk size
+
+From: Mikulas Patocka
+
+commit c699a0db2d62e3bbb7f0bf35c87edbc8d23e3062 upstream.
+
+The following commands will crash the kernel:
+
+modprobe brd rd_size=1048576
+dmsetup create o --table "0 `blockdev --getsize /dev/ram0` snapshot-origin /dev/ram0"
+dmsetup create s --table "0 `blockdev --getsize /dev/ram0` snapshot /dev/ram0 /dev/ram1 N 0"
+
+The reason is that when we test for zero chunk size, we jump to the label
+bad_read_metadata without setting the "r" variable. The function
+snapshot_ctr destroys all the structures and then exits with "r == 0". The
+kernel then crashes because it falsely believes that snapshot_ctr
+succeeded.
+
+In order to fix the bug, we set the variable "r" to -EINVAL.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-snap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -1263,6 +1263,7 @@ static int snapshot_ctr(struct dm_target
+
+ if (!s->store->chunk_size) {
+ ti->error = "Chunk size not set";
++ r = -EINVAL;
+ goto bad_read_metadata;
+ }
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 45be738e90c..1f84671f7d5 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -9,3 +9,6 @@ alsa-bebob-oxfw-fix-kconfig-entry-for-mackie-d.2-pro.patch
 revert-alsa-sb8-add-a-check-for-request_region.patch
 revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
 rapidio-handle-create_workqueue-failure.patch
+xen-pciback-reconfigure-also-from-backend-watch-handler.patch
+dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch
+dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch
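Review bot: The added `r = -EINVAL;` in snapshot_ctr() (dm-snap.c hunk at -1263) would benefit from a one-line comment, because nothing in the hunk shows why `r` is not already an error at this point; presumably it still holds the non-negative result of an earlier call. Something like `/* r is still a success value here; this exit must report failure */` would keep a later refactor from dropping the assignment. The rest of snapshot_ctr() lies outside the hunk, so the other `goto bad_*` exits that set `ti->error` should be checked for the same missing assignment. Per the commit message, returning 0 after the teardown at bad_read_metadata is what made the caller treat a destroyed target as constructed.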
diff --git a/queue-4.9/xen-pciback-reconfigure-also-from-backend-watch-handler.patch b/queue-4.9/xen-pciback-reconfigure-also-from-backend-watch-handler.patch
new file mode 100644
index 00000000000..b1b073986d7
--- /dev/null
+++ b/queue-4.9/xen-pciback-reconfigure-also-from-backend-watch-handler.patch
@@ -0,0 +1,85 @@
+From c81d3d24602540f65256f98831d0a25599ea6b87 Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Tue, 18 May 2021 18:14:07 +0200
+Subject: xen-pciback: reconfigure also from backend watch handler
+
+From: Jan Beulich
+
+commit c81d3d24602540f65256f98831d0a25599ea6b87 upstream.
+
+When multiple PCI devices get assigned to a guest right at boot, libxl
+incrementally populates the backend tree. The writes for the first of
+the devices trigger the backend watch. In turn xen_pcibk_setup_backend()
+will set the XenBus state to Initialised, at which point no further
+reconfigures would happen unless a device got hotplugged. Arrange for
+reconfigure to also get triggered from the backend watch handler.
+
+Signed-off-by: Jan Beulich
+Cc: stable@vger.kernel.org
+Reviewed-by: Boris Ostrovsky
+Link: https://lore.kernel.org/r/2337cbd6-94b9-4187-9862-c03ea12e0c61@suse.com
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xen-pciback/xenbus.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/xen-pciback/xenbus.c
++++ b/drivers/xen/xen-pciback/xenbus.c
+@@ -357,7 +357,8 @@ out:
+ return err;
+ }
+
+-static int xen_pcibk_reconfigure(struct xen_pcibk_device *pdev)
++static int xen_pcibk_reconfigure(struct xen_pcibk_device *pdev,
++ enum xenbus_state state)
+ {
+ int err = 0;
+ int num_devs;
+@@ -371,9 +372,7 @@ static int xen_pcibk_reconfigure(struct
+ dev_dbg(&pdev->xdev->dev, "Reconfiguring device ...\n");
+
+ mutex_lock(&pdev->dev_lock);
+- /* Make sure we only reconfigure once */
+- if (xenbus_read_driver_state(pdev->xdev->nodename) !=
+- XenbusStateReconfiguring)
++ if (xenbus_read_driver_state(pdev->xdev->nodename) != state)
+ goto out;
+
+ err = xenbus_scanf(XBT_NIL, pdev->xdev->nodename, "num_devs", "%d",
+@@ -500,6 +499,10 @@ static int xen_pcibk_reconfigure(struct
+ }
+ }
+
++ if (state != XenbusStateReconfiguring)
++ /* Make sure we only reconfigure once. */
++ goto out;
++
+ err = xenbus_switch_state(pdev->xdev, XenbusStateReconfigured);
+ if (err) {
+ xenbus_dev_fatal(pdev->xdev, err,
+@@ -525,7 +528,7 @@ static void xen_pcibk_frontend_changed(s
+ break;
+
+ case XenbusStateReconfiguring:
+- xen_pcibk_reconfigure(pdev);
++ xen_pcibk_reconfigure(pdev, XenbusStateReconfiguring);
+ break;
+
+ case XenbusStateConnected:
+@@ -664,6 +667,15 @@ static void xen_pcibk_be_watch(struct xe
+ xen_pcibk_setup_backend(pdev);
+ break;
+
++ case XenbusStateInitialised:
++ /*
++ * We typically move to Initialised when the first device was
++ * added. Hence subsequent devices getting added may need
++ * reconfiguring.
++ */
++ xen_pcibk_reconfigure(pdev, XenbusStateInitialised);
++ break;
++
+ default:
+ break;
+ }
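Review bot: The new `state` parameter of xen_pcibk_reconfigure() carries two meanings that are documented nowhere in the hunks: it is the driver state the backend must currently be in for the function to proceed, and it decides whether the function finishes by switching to XenbusStateReconfigured. A short comment above the function would make that explicit, e.g. `/* @state: state the backend is expected to be in; only XenbusStateReconfiguring ends with a switch to Reconfigured */`. The comment placed between the unbraced `if (state != XenbusStateReconfiguring)` and its `goto out;` is easy to misread as the guarded statement; moving it above the `if` keeps the `goto` directly under its condition. The new call in xen_pcibk_be_watch() also discards the int result, as the existing call in xen_pcibk_frontend_changed() does, so a failure on this path is only visible if the function reports it itself; the function bodies extend outside the hunks, so that cannot be confirmed from here.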