From: Greg Kroah-Hartman Date: Mon, 24 May 2021 10:48:58 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.270~41 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=be8fc0c43e66992d0e6c0361071633a6439b6582;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch xen-pciback-reconfigure-also-from-backend-watch-handler.patch
---
diff --git a/queue-4.19/dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch b/queue-4.19/dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch
new file mode 100644
index 00000000000..08f3d5d9f22
--- /dev/null
+++ b/queue-4.19/dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch
@@ -0,0 +1,43 @@
+From 7ee06ddc4038f936b0d4459d37a7d4d844fb03db Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 7 May 2021 11:38:10 -0400
+Subject: dm snapshot: fix a crash when an origin has no snapshots
+
+From: Mikulas Patocka
+
+commit 7ee06ddc4038f936b0d4459d37a7d4d844fb03db upstream.
+
+If an origin target has no snapshots, o->split_boundary is set to 0.
+This causes BUG_ON(sectors <= 0) in block/bio.c:bio_split().
+
+Fix this by initializing chunk_size, and in turn split_boundary, to
+rounddown_pow_of_two(UINT_MAX) -- the largest power of two that fits
+into "unsigned" type.
+
+Reported-by: Michael Tokarev
+Tested-by: Michael Tokarev
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-snap.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -794,12 +794,11 @@ static int dm_add_exception(void *contex
+ static uint32_t __minimum_chunk_size(struct origin *o)
+ {
+ struct dm_snapshot *snap;
+- unsigned chunk_size = 0;
++ unsigned chunk_size = rounddown_pow_of_two(UINT_MAX);
+
+ if (o)
+ list_for_each_entry(snap, &o->snapshots, list)
+- chunk_size = min_not_zero(chunk_size,
+- snap->store->chunk_size);
++ chunk_size = min(chunk_size, snap->store->chunk_size);
+
+ return (uint32_t) chunk_size;
+ }
diff --git a/queue-4.19/dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch b/queue-4.19/dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch
new file mode 100644
index 00000000000..be15d0600b4
--- /dev/null
+++ b/queue-4.19/dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch
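Review bot: In the dm-snap.c change carried by dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch, replacing `min_not_zero()` with `min()` in `__minimum_chunk_size` means a zero `snap->store->chunk_size` is no longer skipped and would bring the result, and with it `split_boundary`, back to 0. The fix therefore depends on every snapshot on `o->snapshots` having a non-zero chunk size. The other dm-snapshot patch in this queue shows `snapshot_ctr` rejecting a zero chunk size, but whether that check always runs before a snapshot is linked into the list is not visible here. I would record the invariant next to the loop, for example `/* chunk_size of a registered snapshot is never 0, see snapshot_ctr() */`.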
@@ -0,0 +1,41 @@
+From c699a0db2d62e3bbb7f0bf35c87edbc8d23e3062 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Mon, 10 May 2021 14:49:05 -0400
+Subject: dm snapshot: fix crash with transient storage and zero chunk size
+
+From: Mikulas Patocka
+
+commit c699a0db2d62e3bbb7f0bf35c87edbc8d23e3062 upstream.
+
+The following commands will crash the kernel:
+
+modprobe brd rd_size=1048576
+dmsetup create o --table "0 `blockdev --getsize /dev/ram0` snapshot-origin /dev/ram0"
+dmsetup create s --table "0 `blockdev --getsize /dev/ram0` snapshot /dev/ram0 /dev/ram1 N 0"
+
+The reason is that when we test for zero chunk size, we jump to the label
+bad_read_metadata without setting the "r" variable. The function
+snapshot_ctr destroys all the structures and then exits with "r == 0". The
+kernel then crashes because it falsely believes that snapshot_ctr
+succeeded.
+
+In order to fix the bug, we set the variable "r" to -EINVAL.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-snap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -1285,6 +1285,7 @@ static int snapshot_ctr(struct dm_target
+
+ if (!s->store->chunk_size) {
+ ti->error = "Chunk size not set";
++ r = -EINVAL;
+ goto bad_read_metadata;
+ }
+
diff --git a/queue-4.19/series b/queue-4.19/series
index c44238ff04c..5d05c58453e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -19,3 +19,6 @@ alsa-hda-realtek-add-some-clove-ssids-of-alc293.patch
 revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
 rapidio-handle-create_workqueue-failure.patch
 revert-serial-mvebu-uart-fix-to-avoid-a-potential-null-pointer-dereference.patch
+xen-pciback-reconfigure-also-from-backend-watch-handler.patch
+dm-snapshot-fix-a-crash-when-an-origin-has-no-snapshots.patch
+dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch
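Review bot: The added `r = -EINVAL;` in `snapshot_ctr` (dm-snapshot-fix-crash-with-transient-storage-and-zero-chunk-size.patch) repairs one error path, but the same failure can recur at any other exit that sets `ti->error` and jumps to a cleanup label while `r` still holds 0 from an earlier successful call. The rest of `snapshot_ctr` lies outside the hunk, so the remaining `goto bad_*` sites should be checked against the 4.19 tree when this is backported. Per the commit message, a constructor that tears down its structures and returns 0 leaves the kernel believing the target exists, so I would state the rule at the cleanup labels, for example `/* r must hold a negative errno on every path that reaches here */`.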
diff --git a/queue-4.19/xen-pciback-reconfigure-also-from-backend-watch-handler.patch b/queue-4.19/xen-pciback-reconfigure-also-from-backend-watch-handler.patch
new file mode 100644
index 00000000000..c2967a57b9d
--- /dev/null
+++ b/queue-4.19/xen-pciback-reconfigure-also-from-backend-watch-handler.patch
@@ -0,0 +1,85 @@
+From c81d3d24602540f65256f98831d0a25599ea6b87 Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Tue, 18 May 2021 18:14:07 +0200
+Subject: xen-pciback: reconfigure also from backend watch handler
+
+From: Jan Beulich
+
+commit c81d3d24602540f65256f98831d0a25599ea6b87 upstream.
+
+When multiple PCI devices get assigned to a guest right at boot, libxl
+incrementally populates the backend tree. The writes for the first of
+the devices trigger the backend watch. In turn xen_pcibk_setup_backend()
+will set the XenBus state to Initialised, at which point no further
+reconfigures would happen unless a device got hotplugged. Arrange for
+reconfigure to also get triggered from the backend watch handler.
+
+Signed-off-by: Jan Beulich
+Cc: stable@vger.kernel.org
+Reviewed-by: Boris Ostrovsky
+Link: https://lore.kernel.org/r/2337cbd6-94b9-4187-9862-c03ea12e0c61@suse.com
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xen-pciback/xenbus.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/xen-pciback/xenbus.c
++++ b/drivers/xen/xen-pciback/xenbus.c
+@@ -358,7 +358,8 @@ out:
+ return err;
+ }
+
+-static int xen_pcibk_reconfigure(struct xen_pcibk_device *pdev)
++static int xen_pcibk_reconfigure(struct xen_pcibk_device *pdev,
++ enum xenbus_state state)
+ {
+ int err = 0;
+ int num_devs;
+@@ -372,9 +373,7 @@ static int xen_pcibk_reconfigure(struct
+ dev_dbg(&pdev->xdev->dev, "Reconfiguring device ...\n");
+
+ mutex_lock(&pdev->dev_lock);
+- /* Make sure we only reconfigure once */
+- if (xenbus_read_driver_state(pdev->xdev->nodename) !=
+- XenbusStateReconfiguring)
++ if (xenbus_read_driver_state(pdev->xdev->nodename) != state)
+ goto out;
+
+ err = xenbus_scanf(XBT_NIL, pdev->xdev->nodename, "num_devs", "%d",
+@@ -499,6 +498,10 @@ static int xen_pcibk_reconfigure(struct
+ }
+ }
+
++ if (state != XenbusStateReconfiguring)
++ /* Make sure we only reconfigure once. */
++ goto out;
++
+ err = xenbus_switch_state(pdev->xdev, XenbusStateReconfigured);
+ if (err) {
+ xenbus_dev_fatal(pdev->xdev, err,
+@@ -524,7 +527,7 @@ static void xen_pcibk_frontend_changed(s
+ break;
+
+ case XenbusStateReconfiguring:
+- xen_pcibk_reconfigure(pdev);
++ xen_pcibk_reconfigure(pdev, XenbusStateReconfiguring);
+ break;
+
+ case XenbusStateConnected:
+@@ -663,6 +666,15 @@ static void xen_pcibk_be_watch(struct xe
+ xen_pcibk_setup_backend(pdev);
+ break;
+
++ case XenbusStateInitialised:
++ /*
++ * We typically move to Initialised when the first device was
++ * added. Hence subsequent devices getting added may need
++ * reconfiguring.
++ */
++ xen_pcibk_reconfigure(pdev, XenbusStateInitialised);
++ break;
++
+ default:
+ break;
+ }
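Review bot: In the xenbus.c change, the new `state` parameter of `xen_pcibk_reconfigure` is undocumented, and the relocated comment `/* Make sure we only reconfigure once. */` sits between an unbraced `if (state != XenbusStateReconfiguring)` and its `goto out;`, where it reads as describing the jump rather than the skipped switch to `XenbusStateReconfigured`. I would brace that `if`, reword the comment to say that only a frontend-requested reconfigure completes the state transition, and add a comment above the function stating that `state` is the driver state the caller expects to find once `dev_lock` is held. Both call sites, including the new `case XenbusStateInitialised:` in `xen_pcibk_be_watch`, discard the return value, so a failed reconfigure on the watch path is reported only by whatever the function logs itself. Most of that function's body is outside these hunks.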