From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 1 May 2020 13:09:23 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.4.37~9
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=66e948670b9fb970406314cb9c03c732f35be0a1;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	ext4-check-for-non-zero-journal-inum-in-ext4_calculate_overhead.patch
	qed-fix-use-after-free-in-qed_chain_free.patch
---

diff --git a/queue-4.14/ext4-check-for-non-zero-journal-inum-in-ext4_calculate_overhead.patch b/queue-4.14/ext4-check-for-non-zero-journal-inum-in-ext4_calculate_overhead.patch
new file mode 100644
index 00000000000..56c5c52f119
--- /dev/null
+++ b/queue-4.14/ext4-check-for-non-zero-journal-inum-in-ext4_calculate_overhead.patch
@@ -0,0 +1,73 @@
+From f1eec3b0d0a849996ebee733b053efa71803dad5 Mon Sep 17 00:00:00 2001
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+Date: Mon, 16 Mar 2020 15:00:38 +0530
+Subject: ext4: check for non-zero journal inum in ext4_calculate_overhead
+
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+
+commit f1eec3b0d0a849996ebee733b053efa71803dad5 upstream.
+
+While calculating overhead for internal journal, also check
+that j_inum shouldn't be 0. Otherwise we get below error with
+xfstests generic/050 with external journal (XXX_LOGDEV config) enabled.
+
+It could be simply reproduced with loop device with an external journal
+and marking blockdev as RO before mounting.
+
+[ 3337.146838] EXT4-fs error (device pmem1p2): ext4_get_journal_inode:4634: comm mount: inode #0: comm mount: iget: illegal inode #
+------------[ cut here ]------------
+generic_make_request: Trying to write to read-only block-device pmem1p2 (partno 2)
+WARNING: CPU: 107 PID: 115347 at block/blk-core.c:788 generic_make_request_checks+0x6b4/0x7d0
+CPU: 107 PID: 115347 Comm: mount Tainted: G             L   --------- -t - 4.18.0-167.el8.ppc64le #1
+NIP:  c0000000006f6d44 LR: c0000000006f6d40 CTR: 0000000030041dd4
+<...>
+NIP [c0000000006f6d44] generic_make_request_checks+0x6b4/0x7d0
+LR [c0000000006f6d40] generic_make_request_checks+0x6b0/0x7d0
+<...>
+Call Trace:
+generic_make_request_checks+0x6b0/0x7d0 (unreliable)
+generic_make_request+0x3c/0x420
+submit_bio+0xd8/0x200
+submit_bh_wbc+0x1e8/0x250
+__sync_dirty_buffer+0xd0/0x210
+ext4_commit_super+0x310/0x420 [ext4]
+__ext4_error+0xa4/0x1e0 [ext4]
+__ext4_iget+0x388/0xe10 [ext4]
+ext4_get_journal_inode+0x40/0x150 [ext4]
+ext4_calculate_overhead+0x5a8/0x610 [ext4]
+ext4_fill_super+0x3188/0x3260 [ext4]
+mount_bdev+0x778/0x8f0
+ext4_mount+0x28/0x50 [ext4]
+mount_fs+0x74/0x230
+vfs_kern_mount.part.6+0x6c/0x250
+do_mount+0x2fc/0x1280
+sys_mount+0x158/0x180
+system_call+0x5c/0x70
+EXT4-fs (pmem1p2): no journal found
+EXT4-fs (pmem1p2): can't get journal size
+EXT4-fs (pmem1p2): mounted filesystem without journal. Opts: dax,norecovery
+
+Fixes: 3c816ded78bb ("ext4: use journal inode to determine journal overhead")
+Reported-by: Harish Sriram <harish@linux.ibm.com>
+Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20200316093038.25485-1-riteshh@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3456,7 +3456,8 @@ int ext4_calculate_overhead(struct super
+ 	 */
+ 	if (sbi->s_journal && !sbi->journal_bdev)
+ 		overhead += EXT4_NUM_B2C(sbi, sbi->s_journal->j_maxlen);
+-	else if (ext4_has_feature_journal(sb) && !sbi->s_journal) {
++	else if (ext4_has_feature_journal(sb) && !sbi->s_journal && j_inum) {
++		/* j_inum for internal journal is non-zero */
+ 		j_inode = ext4_get_journal_inode(sb, j_inum);
+ 		if (j_inode) {
+ 			j_blocks = j_inode->i_size >> sb->s_blocksize_bits;
diff --git a/queue-4.14/qed-fix-use-after-free-in-qed_chain_free.patch b/queue-4.14/qed-fix-use-after-free-in-qed_chain_free.patch
new file mode 100644
index 00000000000..6b66f3c2262
--- /dev/null
+++ b/queue-4.14/qed-fix-use-after-free-in-qed_chain_free.patch
@@ -0,0 +1,206 @@
+From 8063f761cd7c17fc1d0018728936e0c33a25388a Mon Sep 17 00:00:00 2001
+From: Yuval Basson <ybason@marvell.com>
+Date: Sun, 29 Mar 2020 20:32:49 +0300
+Subject: qed: Fix use after free in qed_chain_free
+
+From: Yuval Basson <ybason@marvell.com>
+
+commit 8063f761cd7c17fc1d0018728936e0c33a25388a upstream.
+
+The qed_chain data structure was modified in
+commit 1a4a69751f4d ("qed: Chain support for external PBL") to support
+receiving an external pbl (due to iWARP FW requirements).
+The pages pointed to by the pbl are allocated in qed_chain_alloc
+and their virtual address are stored in an virtual addresses array to
+enable accessing and freeing the data. The physical addresses however
+weren't stored and were accessed directly from the external-pbl
+during free.
+
+Destroy-qp flow, leads to freeing the external pbl before the chain is
+freed, when the chain is freed it tries accessing the already freed
+external pbl, leading to a use-after-free. Therefore we need to store
+the physical addresses in additional to the virtual addresses in a
+new data structure.
+
+Fixes: 1a4a69751f4d ("qed: Chain support for external PBL")
+Signed-off-by: Michal Kalderon <mkalderon@marvell.com>
+Signed-off-by: Yuval Bason <ybason@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c |   38 ++++++++++++------------------
+ include/linux/qed/qed_chain.h             |   24 +++++++++++-------
+ 2 files changed, 31 insertions(+), 31 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -3151,26 +3151,20 @@ static void qed_chain_free_single(struct
+ 
+ static void qed_chain_free_pbl(struct qed_dev *cdev, struct qed_chain *p_chain)
+ {
+-	void **pp_virt_addr_tbl = p_chain->pbl.pp_virt_addr_tbl;
++	struct addr_tbl_entry *pp_addr_tbl = p_chain->pbl.pp_addr_tbl;
+ 	u32 page_cnt = p_chain->page_cnt, i, pbl_size;
+-	u8 *p_pbl_virt = p_chain->pbl_sp.p_virt_table;
+ 
+-	if (!pp_virt_addr_tbl)
++	if (!pp_addr_tbl)
+ 		return;
+ 
+-	if (!p_pbl_virt)
+-		goto out;
+-
+ 	for (i = 0; i < page_cnt; i++) {
+-		if (!pp_virt_addr_tbl[i])
++		if (!pp_addr_tbl[i].virt_addr || !pp_addr_tbl[i].dma_map)
+ 			break;
+ 
+ 		dma_free_coherent(&cdev->pdev->dev,
+ 				  QED_CHAIN_PAGE_SIZE,
+-				  pp_virt_addr_tbl[i],
+-				  *(dma_addr_t *)p_pbl_virt);
+-
+-		p_pbl_virt += QED_CHAIN_PBL_ENTRY_SIZE;
++				  pp_addr_tbl[i].virt_addr,
++				  pp_addr_tbl[i].dma_map);
+ 	}
+ 
+ 	pbl_size = page_cnt * QED_CHAIN_PBL_ENTRY_SIZE;
+@@ -3180,9 +3174,9 @@ static void qed_chain_free_pbl(struct qe
+ 				  pbl_size,
+ 				  p_chain->pbl_sp.p_virt_table,
+ 				  p_chain->pbl_sp.p_phys_table);
+-out:
+-	vfree(p_chain->pbl.pp_virt_addr_tbl);
+-	p_chain->pbl.pp_virt_addr_tbl = NULL;
++
++	vfree(p_chain->pbl.pp_addr_tbl);
++	p_chain->pbl.pp_addr_tbl = NULL;
+ }
+ 
+ void qed_chain_free(struct qed_dev *cdev, struct qed_chain *p_chain)
+@@ -3283,19 +3277,19 @@ qed_chain_alloc_pbl(struct qed_dev *cdev
+ {
+ 	u32 page_cnt = p_chain->page_cnt, size, i;
+ 	dma_addr_t p_phys = 0, p_pbl_phys = 0;
+-	void **pp_virt_addr_tbl = NULL;
++	struct addr_tbl_entry *pp_addr_tbl;
+ 	u8 *p_pbl_virt = NULL;
+ 	void *p_virt = NULL;
+ 
+-	size = page_cnt * sizeof(*pp_virt_addr_tbl);
+-	pp_virt_addr_tbl = vzalloc(size);
+-	if (!pp_virt_addr_tbl)
++	size = page_cnt * sizeof(*pp_addr_tbl);
++	pp_addr_tbl =  vzalloc(size);
++	if (!pp_addr_tbl)
+ 		return -ENOMEM;
+ 
+ 	/* The allocation of the PBL table is done with its full size, since it
+ 	 * is expected to be successive.
+ 	 * qed_chain_init_pbl_mem() is called even in a case of an allocation
+-	 * failure, since pp_virt_addr_tbl was previously allocated, and it
++	 * failure, since tbl was previously allocated, and it
+ 	 * should be saved to allow its freeing during the error flow.
+ 	 */
+ 	size = page_cnt * QED_CHAIN_PBL_ENTRY_SIZE;
+@@ -3309,8 +3303,7 @@ qed_chain_alloc_pbl(struct qed_dev *cdev
+ 		p_chain->b_external_pbl = true;
+ 	}
+ 
+-	qed_chain_init_pbl_mem(p_chain, p_pbl_virt, p_pbl_phys,
+-			       pp_virt_addr_tbl);
++	qed_chain_init_pbl_mem(p_chain, p_pbl_virt, p_pbl_phys, pp_addr_tbl);
+ 	if (!p_pbl_virt)
+ 		return -ENOMEM;
+ 
+@@ -3329,7 +3322,8 @@ qed_chain_alloc_pbl(struct qed_dev *cdev
+ 		/* Fill the PBL table with the physical address of the page */
+ 		*(dma_addr_t *)p_pbl_virt = p_phys;
+ 		/* Keep the virtual address of the page */
+-		p_chain->pbl.pp_virt_addr_tbl[i] = p_virt;
++		p_chain->pbl.pp_addr_tbl[i].virt_addr = p_virt;
++		p_chain->pbl.pp_addr_tbl[i].dma_map = p_phys;
+ 
+ 		p_pbl_virt += QED_CHAIN_PBL_ENTRY_SIZE;
+ 	}
+--- a/include/linux/qed/qed_chain.h
++++ b/include/linux/qed/qed_chain.h
+@@ -97,6 +97,11 @@ struct qed_chain_u32 {
+ 	u32 cons_idx;
+ };
+ 
++struct addr_tbl_entry {
++	void *virt_addr;
++	dma_addr_t dma_map;
++};
++
+ struct qed_chain {
+ 	/* fastpath portion of the chain - required for commands such
+ 	 * as produce / consume.
+@@ -107,10 +112,11 @@ struct qed_chain {
+ 
+ 	/* Fastpath portions of the PBL [if exists] */
+ 	struct {
+-		/* Table for keeping the virtual addresses of the chain pages,
+-		 * respectively to the physical addresses in the pbl table.
++		/* Table for keeping the virtual and physical addresses of the
++		 * chain pages, respectively to the physical addresses
++		 * in the pbl table.
+ 		 */
+-		void **pp_virt_addr_tbl;
++		struct addr_tbl_entry *pp_addr_tbl;
+ 
+ 		union {
+ 			struct qed_chain_pbl_u16 u16;
+@@ -287,7 +293,7 @@ qed_chain_advance_page(struct qed_chain
+ 				*(u32 *)page_to_inc = 0;
+ 			page_index = *(u32 *)page_to_inc;
+ 		}
+-		*p_next_elem = p_chain->pbl.pp_virt_addr_tbl[page_index];
++		*p_next_elem = p_chain->pbl.pp_addr_tbl[page_index].virt_addr;
+ 	}
+ }
+ 
+@@ -537,7 +543,7 @@ static inline void qed_chain_init_params
+ 
+ 	p_chain->pbl_sp.p_phys_table = 0;
+ 	p_chain->pbl_sp.p_virt_table = NULL;
+-	p_chain->pbl.pp_virt_addr_tbl = NULL;
++	p_chain->pbl.pp_addr_tbl = NULL;
+ }
+ 
+ /**
+@@ -575,11 +581,11 @@ static inline void qed_chain_init_mem(st
+ static inline void qed_chain_init_pbl_mem(struct qed_chain *p_chain,
+ 					  void *p_virt_pbl,
+ 					  dma_addr_t p_phys_pbl,
+-					  void **pp_virt_addr_tbl)
++					  struct addr_tbl_entry *pp_addr_tbl)
+ {
+ 	p_chain->pbl_sp.p_phys_table = p_phys_pbl;
+ 	p_chain->pbl_sp.p_virt_table = p_virt_pbl;
+-	p_chain->pbl.pp_virt_addr_tbl = pp_virt_addr_tbl;
++	p_chain->pbl.pp_addr_tbl = pp_addr_tbl;
+ }
+ 
+ /**
+@@ -644,7 +650,7 @@ static inline void *qed_chain_get_last_e
+ 		break;
+ 	case QED_CHAIN_MODE_PBL:
+ 		last_page_idx = p_chain->page_cnt - 1;
+-		p_virt_addr = p_chain->pbl.pp_virt_addr_tbl[last_page_idx];
++		p_virt_addr = p_chain->pbl.pp_addr_tbl[last_page_idx].virt_addr;
+ 		break;
+ 	}
+ 	/* p_virt_addr points at this stage to the last page of the chain */
+@@ -716,7 +722,7 @@ static inline void qed_chain_pbl_zero_me
+ 	page_cnt = qed_chain_get_page_cnt(p_chain);
+ 
+ 	for (i = 0; i < page_cnt; i++)
+-		memset(p_chain->pbl.pp_virt_addr_tbl[i], 0,
++		memset(p_chain->pbl.pp_addr_tbl[i].virt_addr, 0,
+ 		       QED_CHAIN_PAGE_SIZE);
+ }
+ 
diff --git a/queue-4.14/series b/queue-4.14/series
index 28d7cddbb5c..61a3786f92d 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -113,3 +113,5 @@ ext4-protect-journal-inode-s-blocks-using-block_validity.patch
 ext4-don-t-perform-block-validity-checks-on-the-journal-inode.patch
 ext4-fix-block-validity-checks-for-journal-inodes-using-indirect-blocks.patch
 ext4-unsigned-int-compared-against-zero.patch
+qed-fix-use-after-free-in-qed_chain_free.patch
+ext4-check-for-non-zero-journal-inum-in-ext4_calculate_overhead.patch