From: Sasha Levin Date: Mon, 12 Aug 2024 10:01:54 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.1.105~81^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e42b4e4859a6e8d5c8796e02eea16296c91890c0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/ntp-clamp-maxerror-and-esterror-to-operating-range.patch b/queue-5.4/ntp-clamp-maxerror-and-esterror-to-operating-range.patch new file mode 100644 index 00000000000..d3038542f92 --- /dev/null +++ b/queue-5.4/ntp-clamp-maxerror-and-esterror-to-operating-range.patch @@ -0,0 +1,74 @@ +From 62c54b4b1871ab6dd7a1ec9d3e820612ccb82202 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 20:22:44 +0000 +Subject: ntp: Clamp maxerror and esterror to operating range + +From: Justin Stitt + +[ Upstream commit 87d571d6fb77ec342a985afa8744bb9bb75b3622 ] + +Using syzkaller alongside the newly reintroduced signed integer overflow +sanitizer spits out this report: + +UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16 +9223372036854775807 + 500 cannot be represented in type 'long' +Call Trace: + handle_overflow+0x171/0x1b0 + second_overflow+0x2d6/0x500 + accumulate_nsecs_to_secs+0x60/0x160 + timekeeping_advance+0x1fe/0x890 + update_wall_time+0x10/0x30 + +time_maxerror is unconditionally incremented and the result is checked +against NTP_PHASE_LIMIT, but the increment itself can overflow, resulting +in wrap-around to negative space. + +Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user +supplied value was sanity checked to be in the operating range. That change +removed the sanity check and relied on clamping in handle_overflow() which +does not work correctly when the user supplied value is in the overflow +zone of the '+ 500' operation. + +The operation requires CAP_SYS_TIME and the side effect of the overflow is +NTP getting out of sync. + +Miroslav confirmed that the input value should be clamped to the operating +range and the same applies to time_esterror. The latter is not used by the +kernel, but the value still should be in the operating range as it was +before the sanity check got removed. + +Clamp them to the operating range. + +[ tglx: Changed it to clamping and included time_esterror ] + +Fixes: eea83d896e31 ("ntp: NTP4 user space bits update") +Signed-off-by: Justin Stitt +Signed-off-by: Thomas Gleixner +Cc: Miroslav Lichvar +Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-usec-v2-1-d539180f2b79@google.com +Closes: https://github.com/KSPP/linux/issues/354 +Signed-off-by: Sasha Levin +--- + kernel/time/ntp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c +index 069ca78fb0bfa..568bf37849aea 100644 +--- a/kernel/time/ntp.c ++++ b/kernel/time/ntp.c +@@ -679,10 +679,10 @@ static inline void process_adjtimex_modes(const struct __kernel_timex *txc, + } + + if (txc->modes & ADJ_MAXERROR) +- time_maxerror = txc->maxerror; ++ time_maxerror = clamp(txc->maxerror, 0, NTP_PHASE_LIMIT); + + if (txc->modes & ADJ_ESTERROR) +- time_esterror = txc->esterror; ++ time_esterror = clamp(txc->esterror, 0, NTP_PHASE_LIMIT); + + if (txc->modes & ADJ_TIMECONST) { + time_constant = txc->constant; +-- +2.43.0 + diff --git a/queue-5.4/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch b/queue-5.4/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch new file mode 100644 index 00000000000..873a1e5d35b --- /dev/null +++ b/queue-5.4/scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch @@ -0,0 +1,101 @@ +From 581bf886c24873db672d51d04dad3933f69e008e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jul 2024 16:39:12 +0900 +Subject: scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES + +From: Damien Le Moal + +[ Upstream commit 82dbb57ac8d06dfe8227ba9ab11a49de2b475ae5 ] + +Some firmware versions of the 9600 series SAS HBA byte-swap the REPORT +ZONES command reply buffer from ATA-ZAC devices by directly accessing the +buffer in the host memory. This does not respect the default command DMA +direction and causes IOMMU page faults on architectures with an IOMMU +enforcing write-only mappings for DMA_FROM_DEVICE DMA driection (e.g. AMD +hosts). + +scsi 18:0:0:0: Direct-Access-ZBC ATA WDC WSH722020AL W870 PQ: 0 ANSI: 6 +scsi 18:0:0:0: SATA: handle(0x0027), sas_addr(0x300062b2083e7c40), phy(0), device_name(0x5000cca29dc35e11) +scsi 18:0:0:0: enclosure logical id (0x300062b208097c40), slot(0) +scsi 18:0:0:0: enclosure level(0x0000), connector name( C0.0) +scsi 18:0:0:0: atapi(n), ncq(y), asyn_notify(n), smart(y), fua(y), sw_preserve(y) +scsi 18:0:0:0: qdepth(32), tagged(1), scsi_level(7), cmd_que(1) +sd 18:0:0:0: Attached scsi generic sg2 type 20 +sd 18:0:0:0: [sdc] Host-managed zoned block device +mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b200 flags=0x0050] +mpt3sas 0000:41:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0021 address=0xfff9b300 flags=0x0050] +mpt3sas_cm0: mpt3sas_ctl_pre_reset_handler: Releasing the trace buffer due to adapter reset. +mpt3sas_cm0 fault info from func: mpt3sas_base_make_ioc_ready +mpt3sas_cm0: fault_state(0x2666)! +mpt3sas_cm0: sending diag reset !! +mpt3sas_cm0: diag reset: SUCCESS +sd 18:0:0:0: [sdc] REPORT ZONES start lba 0 failed +sd 18:0:0:0: [sdc] REPORT ZONES: Result: hostbyte=DID_RESET driverbyte=DRIVER_OK +sd 18:0:0:0: [sdc] 0 4096-byte logical blocks: (0 B/0 B) + +Avoid such issue by always mapping the buffer of REPORT ZONES commands +using DMA_BIDIRECTIONAL (read+write IOMMU mapping). This is done by +introducing the helper function _base_scsi_dma_map() and using this helper +in _base_build_sg_scmd() and _base_build_sg_scmd_ieee() instead of calling +directly scsi_dma_map(). + +Fixes: 471ef9d4e498 ("mpt3sas: Build MPI SGL LIST on GEN2 HBAs and IEEE SGL LIST on GEN3 HBAs") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20240719073913.179559-3-dlemoal@kernel.org +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index 8d161d6075b78..1bc23e8ee748a 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -2371,6 +2371,22 @@ _base_build_zero_len_sge_ieee(struct MPT3SAS_ADAPTER *ioc, void *paddr) + _base_add_sg_single_ieee(paddr, sgl_flags, 0, 0, -1); + } + ++static inline int _base_scsi_dma_map(struct scsi_cmnd *cmd) ++{ ++ /* ++ * Some firmware versions byte-swap the REPORT ZONES command reply from ++ * ATA-ZAC devices by directly accessing in the host buffer. This does ++ * not respect the default command DMA direction and causes IOMMU page ++ * faults on some architectures with an IOMMU enforcing write mappings ++ * (e.g. AMD hosts). Avoid such issue by making the report zones buffer ++ * mapping bi-directional. ++ */ ++ if (cmd->cmnd[0] == ZBC_IN && cmd->cmnd[1] == ZI_REPORT_ZONES) ++ cmd->sc_data_direction = DMA_BIDIRECTIONAL; ++ ++ return scsi_dma_map(cmd); ++} ++ + /** + * _base_build_sg_scmd - main sg creation routine + * pcie_device is unused here! +@@ -2417,7 +2433,7 @@ _base_build_sg_scmd(struct MPT3SAS_ADAPTER *ioc, + sgl_flags = sgl_flags << MPI2_SGE_FLAGS_SHIFT; + + sg_scmd = scsi_sglist(scmd); +- sges_left = scsi_dma_map(scmd); ++ sges_left = _base_scsi_dma_map(scmd); + if (sges_left < 0) + return -ENOMEM; + +@@ -2561,7 +2577,7 @@ _base_build_sg_scmd_ieee(struct MPT3SAS_ADAPTER *ioc, + } + + sg_scmd = scsi_sglist(scmd); +- sges_left = scsi_dma_map(scmd); ++ sges_left = _base_scsi_dma_map(scmd); + if (sges_left < 0) + return -ENOMEM; + +-- +2.43.0 + diff --git a/queue-5.4/scsi-mpt3sas-remove-scsi_dma_map-error-messages.patch b/queue-5.4/scsi-mpt3sas-remove-scsi_dma_map-error-messages.patch new file mode 100644 index 00000000000..2e66e1df3ac --- /dev/null +++ b/queue-5.4/scsi-mpt3sas-remove-scsi_dma_map-error-messages.patch @@ -0,0 +1,75 @@ +From e112aed2473aef377a98501a4116c15023c10741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 19:32:03 +0530 +Subject: scsi: mpt3sas: Remove scsi_dma_map() error messages + +From: Sreekanth Reddy + +[ Upstream commit 0c25422d34b4726b2707d5f38560943155a91b80 ] + +When scsi_dma_map() fails by returning a sges_left value less than zero, +the amount of logging produced can be extremely high. In a recent end-user +environment, 1200 messages per second were being sent to the log buffer. +This eventually overwhelmed the system and it stalled. + +These error messages are not needed. Remove them. + +Link: https://lore.kernel.org/r/20220303140203.12642-1-sreekanth.reddy@broadcom.com +Suggested-by: Christoph Hellwig +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Stable-dep-of: 82dbb57ac8d0 ("scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES") +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 18 +++--------------- + 1 file changed, 3 insertions(+), 15 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index 35c97bc660bd8..8d161d6075b78 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -2310,12 +2310,8 @@ _base_check_pcie_native_sgl(struct MPT3SAS_ADAPTER *ioc, + + /* Get the SG list pointer and info. */ + sges_left = scsi_dma_map(scmd); +- if (sges_left < 0) { +- sdev_printk(KERN_ERR, scmd->device, +- "scsi_dma_map failed: request for %d bytes!\n", +- scsi_bufflen(scmd)); ++ if (sges_left < 0) + return 1; +- } + + /* Check if we need to build a native SG list. */ + if (base_is_prp_possible(ioc, pcie_device, +@@ -2422,12 +2418,8 @@ _base_build_sg_scmd(struct MPT3SAS_ADAPTER *ioc, + + sg_scmd = scsi_sglist(scmd); + sges_left = scsi_dma_map(scmd); +- if (sges_left < 0) { +- sdev_printk(KERN_ERR, scmd->device, +- "scsi_dma_map failed: request for %d bytes!\n", +- scsi_bufflen(scmd)); ++ if (sges_left < 0) + return -ENOMEM; +- } + + sg_local = &mpi_request->SGL; + sges_in_segment = ioc->max_sges_in_main_message; +@@ -2570,12 +2562,8 @@ _base_build_sg_scmd_ieee(struct MPT3SAS_ADAPTER *ioc, + + sg_scmd = scsi_sglist(scmd); + sges_left = scsi_dma_map(scmd); +- if (sges_left < 0) { +- sdev_printk(KERN_ERR, scmd->device, +- "scsi_dma_map failed: request for %d bytes!\n", +- scsi_bufflen(scmd)); ++ if (sges_left < 0) + return -ENOMEM; +- } + + sg_local = &mpi_request->SGL; + sges_in_segment = (ioc->request_sz - +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index be45deebc09..94e6e00c826 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -230,3 +230,6 @@ alsa-line6-fix-racy-access-to-midibuf.patch alsa-hda-add-hp-mp9-g4-retail-system-ams-to-force-connect-list.patch alsa-hda-hdmi-yet-more-pin-fix-for-hp-elitedesk-800-g4.patch usb-vhci-hcd-do-not-drop-references-before-new-references-are-gained.patch +ntp-clamp-maxerror-and-esterror-to-operating-range.patch +scsi-mpt3sas-remove-scsi_dma_map-error-messages.patch +scsi-mpt3sas-avoid-iommu-page-faults-on-report-zones.patch