From: Greg Kroah-Hartman Date: Fri, 30 Aug 2024 11:14:56 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.19.321~67 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=981d992098f6cd5accf35a134cfce17039865aba;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: dm-suspend-return-erestartsys-instead-of-eintr.patch filelock-correct-the-filelock-owner-in-fcntl_setlk-fcntl_setlk64.patch scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch
---
diff --git a/queue-4.19/dm-suspend-return-erestartsys-instead-of-eintr.patch b/queue-4.19/dm-suspend-return-erestartsys-instead-of-eintr.patch
new file mode 100644
index 00000000000..1c3863d5cdd
--- /dev/null
+++ b/queue-4.19/dm-suspend-return-erestartsys-instead-of-eintr.patch
@@ -0,0 +1,34 @@
+From 1e1fd567d32fcf7544c6e09e0e5bc6c650da6e23 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Tue, 13 Aug 2024 12:38:51 +0200
+Subject: dm suspend: return -ERESTARTSYS instead of -EINTR
+
+From: Mikulas Patocka
+
+commit 1e1fd567d32fcf7544c6e09e0e5bc6c650da6e23 upstream.
+
+This commit changes device mapper, so that it returns -ERESTARTSYS
+instead of -EINTR when it is interrupted by a signal (so that the ioctl
+can be restarted).
+
+The manpage signal(7) says that the ioctl function should be restarted if
+the signal was handled with SA_RESTART.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2468,7 +2468,7 @@ static int dm_wait_for_completion(struct
+ break;
+
+ if (signal_pending_state(task_state, current)) {
+- r = -EINTR;
++ r = -ERESTARTSYS;
+ break;
+ }
+
diff --git a/queue-4.19/filelock-correct-the-filelock-owner-in-fcntl_setlk-fcntl_setlk64.patch b/queue-4.19/filelock-correct-the-filelock-owner-in-fcntl_setlk-fcntl_setlk64.patch
new file mode 100644
index 00000000000..22bebb0d0e2
--- /dev/null
+++ b/queue-4.19/filelock-correct-the-filelock-owner-in-fcntl_setlk-fcntl_setlk64.patch
@@ -0,0 +1,47 @@
+From leo.lilong@huawei.com Fri Aug 30 13:12:08 2024
+From: Long Li
+Date: Fri, 16 Aug 2024 13:08:48 +0800
+Subject: filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64
+To:
+Cc: , , ,
+Message-ID: <20240816050848.2124829-1-leo.lilong@huawei.com>
+
+From: Long Li
+
+The locks_remove_posix() function in fcntl_setlk/fcntl_setlk64 is designed
+to reliably remove locks when an fcntl/close race is detected. However, it
+was passing in the wrong filelock owner, it looks like a mistake and
+resulting in a failure to remove locks. More critically, if the lock
+removal fails, it could lead to a uaf issue while traversing the locks.
+
+This problem occurs only in the 4.19/5.4 stable version.
+
+Fixes: a561145f3ae9 ("filelock: Fix fcntl/close race recovery compat path")
+Fixes: d30ff3304083 ("filelock: Remove locks reliably when fcntl/close race is detected")
+Cc: stable@vger.kernel.org
+Signed-off-by: Long Li
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/locks.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -2313,7 +2313,7 @@ int fcntl_setlk(unsigned int fd, struct
+ f = fcheck(fd);
+ spin_unlock(¤t->files->file_lock);
+ if (f != filp) {
+- locks_remove_posix(filp, ¤t->files);
++ locks_remove_posix(filp, current->files);
+ error = -EBADF;
+ }
+ }
+@@ -2443,7 +2443,7 @@ int fcntl_setlk64(unsigned int fd, struc
+ f = fcheck(fd);
+ spin_unlock(¤t->files->file_lock);
+ if (f != filp) {
+- locks_remove_posix(filp, ¤t->files);
++ locks_remove_posix(filp, current->files);
+ error = -EBADF;
+ }
+ }
diff --git a/queue-4.19/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch b/queue-4.19/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch
new file mode 100644
index 00000000000..7ecea5e1add
--- /dev/null
+++ b/queue-4.19/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch
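Review bot: The corrected call `locks_remove_posix(filp, current->files);` in fcntl_setlk, and the identical one in fcntl_setlk64, still carries no comment saying which owner value it must pass, and the compiler cannot catch a repeat: `fl_owner_t` is a `void *`, so the earlier `&current->files` (which appears on this page as `¤t->files`, apparently an entity-decoding artefact) was accepted without a warning. I would add above each call `/* owner must be the fl_owner the POSIX lock was set with (current->files), otherwise the lock is left behind */`. According to the commit message, a lock that survives this recovery path can lead to a use-after-free when the lock list is traversed, so any downstream tree that carries a561145f3ae9 or d30ff3304083 should be checked for the same argument. Both functions start and end outside the hunks shown.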
@@ -0,0 +1,96 @@
+From 82dbb57ac8d06dfe8227ba9ab11a49de2b475ae5 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Fri, 19 Jul 2024 16:39:12 +0900
+Subject: scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
+
+From: Damien Le Moal
+
+commit 82dbb57ac8d06dfe8227ba9ab11a49de2b475ae5 upstream.
+
+Some firmware versions of the 9600 series SAS HBA byte-swap the REPORT
+ZONES command reply buffer from ATA-ZAC devices by directly accessing the
+buffer in the host memory. This does not respect the default command DMA
+direction and causes IOMMU page faults on architectures with an IOMMU
+enforcing write-only mappings for DMA_FROM_DEVICE DMA driection (e.g. AMD
+hosts).
+
+scsi 18:0:0:0: Direct-Access-ZBC ATA WDC WSH722020AL W870 PQ: 0 ANSI: 6
+scsi 18:0:0:0: SATA: handle(0x0027), sas_addr(0x300062b2083e7c40), phy(0), device_name(0x5000cca29dc35e11)
+scsi 18:0:0:0: enclosure logical id (0x300062b208097c40), slot(0)
+scsi 18:0:0:0: enclosure level(0x0000), connector name( C0.0)
+scsi 18:0:0:0: atapi(n), ncq(y), asyn_notify(n), smart(y), fua(y), sw_preserve(y)
+scsi 18:0:0:0: qdepth(32), tagged(1), scsi_level(7), cmd_que(1)
+sd 18:0:0:0: Attached scsi generic sg2 type 20
+sd 18:0:0:0: [sdc] Host-managed zoned block device
+mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b200 flags=0x0050]
+mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b300 flags=0x0050]
+mpt3sas_cm0: mpt3sas_ctl_pre_reset_handler: Releasing the trace buffer due to adapter reset.
+mpt3sas_cm0 fault info from func: mpt3sas_base_make_ioc_ready
+mpt3sas_cm0: fault_state(0x2666)!
+mpt3sas_cm0: sending diag reset !!
+mpt3sas_cm0: diag reset: SUCCESS
+sd 18:0:0:0: [sdc] REPORT ZONES start lba 0 failed
+sd 18:0:0:0: [sdc] REPORT ZONES: Result: hostbyte=DID_RESET driverbyte=DRIVER_OK
+sd 18:0:0:0: [sdc] 0 4096-byte logical blocks: (0 B/0 B)
+
+Avoid such issue by always mapping the buffer of REPORT ZONES commands
+using DMA_BIDIRECTIONAL (read+write IOMMU mapping). This is done by
+introducing the helper function _base_scsi_dma_map() and using this helper
+in _base_build_sg_scmd() and _base_build_sg_scmd_ieee() instead of calling
+directly scsi_dma_map().
+
+Fixes: 471ef9d4e498 ("mpt3sas: Build MPI SGL LIST on GEN2 HBAs and IEEE SGL LIST on GEN3 HBAs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal
+Link: https://lore.kernel.org/r/20240719073913.179559-3-dlemoal@kernel.org
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -2221,6 +2221,22 @@ _base_build_zero_len_sge_ieee(struct MPT
+ _base_add_sg_single_ieee(paddr, sgl_flags, 0, 0, -1);
+ }
+
++static inline int _base_scsi_dma_map(struct scsi_cmnd *cmd)
++{
++ /*
++ * Some firmware versions byte-swap the REPORT ZONES command reply from
++ * ATA-ZAC devices by directly accessing in the host buffer. This does
++ * not respect the default command DMA direction and causes IOMMU page
++ * faults on some architectures with an IOMMU enforcing write mappings
++ * (e.g. AMD hosts). Avoid such issue by making the report zones buffer
++ * mapping bi-directional.
++ */
++ if (cmd->cmnd[0] == ZBC_IN && cmd->cmnd[1] == ZI_REPORT_ZONES)
++ cmd->sc_data_direction = DMA_BIDIRECTIONAL;
++
++ return scsi_dma_map(cmd);
++}
++
+ /**
+ * _base_build_sg_scmd - main sg creation routine
+ * pcie_device is unused here!
+@@ -2267,7 +2283,7 @@ _base_build_sg_scmd(struct MPT3SAS_ADAPT
+ sgl_flags = sgl_flags << MPI2_SGE_FLAGS_SHIFT;
+
+ sg_scmd = scsi_sglist(scmd);
+- sges_left = scsi_dma_map(scmd);
++ sges_left = _base_scsi_dma_map(scmd);
+ if (sges_left < 0) {
+ sdev_printk(KERN_ERR, scmd->device,
+ "pci_map_sg failed: request for %d bytes!\n",
+@@ -2415,7 +2431,7 @@ _base_build_sg_scmd_ieee(struct MPT3SAS_
+ }
+
+ sg_scmd = scsi_sglist(scmd);
+- sges_left = scsi_dma_map(scmd);
++ sges_left = _base_scsi_dma_map(scmd);
+ if (sges_left < 0) {
+ sdev_printk(KERN_ERR, scmd->device,
+ "pci_map_sg failed: request for %d bytes!\n",
diff --git a/queue-4.19/series b/queue-4.19/series
index 6cfda9f2bb3..073a53349dc 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -73,3 +73,6 @@ drm-amdgpu-using-uninitialized-value-size-when-calling-amdgpu_vce_cs_reloc.patch
 pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch
 pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch
 wifi-mwifiex-duplicate-static-structs-used-in-driver-instances.patch
+dm-suspend-return-erestartsys-instead-of-eintr.patch
+scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch
+filelock-correct-the-filelock-owner-in-fcntl_setlk-fcntl_setlk64.patch
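Review bot: `_base_scsi_dma_map()` loosens the mapping for every REPORT ZONES command on every adapter this driver handles, not only for the 9600-series firmware named in the commit message, and it does so by overwriting `cmd->sc_data_direction` in place. With `DMA_BIDIRECTIONAL` the IOMMU lets the HBA read the reply buffer as well as write it, so the helper's comment should state that trade-off, for example with an extra line `* Trade-off: the HBA gains read access to the REPORT ZONES reply buffer on all adapters.` The test `cmd->cmnd[1] == ZI_REPORT_ZONES` also compares the whole byte; if only the low five bits carry the service action, as I read ZBC, `(cmd->cmnd[1] & 0x1f) == ZI_REPORT_ZONES` would be the more robust match, which is worth confirming against the spec. The two callers, _base_build_sg_scmd and _base_build_sg_scmd_ieee, continue outside their hunks.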