From 30dae170aadfa58d3795c55d28aefbbb87d3072c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 20 Sep 2023 09:06:54 +0200
Subject: [PATCH] 6.5-stable patches

added patches:
	blk-mq-prealloc-tags-when-increase-tagset-nr_hw_queues.patch
---
 ...gs-uaf-when-shrinking-q-nr_hw_queues.patch | 15 ++----
 ...gs-when-increase-tagset-nr_hw_queues.patch | 47 +++++++++++++++++++
 queue-6.5/series                              |  1 +
 3 files changed, 53 insertions(+), 10 deletions(-)
 create mode 100644 queue-6.5/blk-mq-prealloc-tags-when-increase-tagset-nr_hw_queues.patch

diff --git a/queue-6.5/blk-mq-fix-tags-uaf-when-shrinking-q-nr_hw_queues.patch b/queue-6.5/blk-mq-fix-tags-uaf-when-shrinking-q-nr_hw_queues.patch
index 492efd140c5..926754130d4 100644
--- a/queue-6.5/blk-mq-fix-tags-uaf-when-shrinking-q-nr_hw_queues.patch
+++ b/queue-6.5/blk-mq-fix-tags-uaf-when-shrinking-q-nr_hw_queues.patch
@@ -24,14 +24,12 @@ Link: https://lore.kernel.org/r/20230908005702.2183908-1-chengming.zhou@linux.de
 Signed-off-by: Jens Axboe <axboe@kernel.dk>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- block/blk-mq.c | 13 +++++++------
+ block/blk-mq.c |   13 +++++++------
  1 file changed, 7 insertions(+), 6 deletions(-)
 
-diff --git a/block/blk-mq.c b/block/blk-mq.c
-index d9b365c2eaa0d..a90f1efb1c978 100644
 --- a/block/blk-mq.c
 +++ b/block/blk-mq.c
-@@ -4404,11 +4404,8 @@ static int blk_mq_realloc_tag_set_tags(struct blk_mq_tag_set *set,
+@@ -4404,11 +4404,8 @@ static int blk_mq_realloc_tag_set_tags(s
  	struct blk_mq_tags **new_tags;
  	int i;
  
@@ -44,7 +42,7 @@ index d9b365c2eaa0d..a90f1efb1c978 100644
  
  	new_tags = kcalloc_node(new_nr_hw_queues, sizeof(struct blk_mq_tags *),
  				GFP_KERNEL, set->numa_node);
-@@ -4708,7 +4705,8 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+@@ -4718,7 +4715,8 @@ static void __blk_mq_update_nr_hw_queues
  {
  	struct request_queue *q;
  	LIST_HEAD(head);
@@ -54,7 +52,7 @@ index d9b365c2eaa0d..a90f1efb1c978 100644
  
  	lockdep_assert_held(&set->tag_list_lock);
  
-@@ -4735,7 +4733,6 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+@@ -4745,7 +4743,6 @@ static void __blk_mq_update_nr_hw_queues
  		blk_mq_sysfs_unregister_hctxs(q);
  	}
  
@@ -62,7 +60,7 @@ index d9b365c2eaa0d..a90f1efb1c978 100644
  	if (blk_mq_realloc_tag_set_tags(set, nr_hw_queues) < 0)
  		goto reregister;
  
-@@ -4771,6 +4768,10 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+@@ -4781,6 +4778,10 @@ switch_back:
  
  	list_for_each_entry(q, &set->tag_list, tag_set_list)
  		blk_mq_unfreeze_queue(q);
@@ -73,6 +71,3 @@ index d9b365c2eaa0d..a90f1efb1c978 100644
  }
  
  void blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set, int nr_hw_queues)
--- 
-2.40.1
-
diff --git a/queue-6.5/blk-mq-prealloc-tags-when-increase-tagset-nr_hw_queues.patch b/queue-6.5/blk-mq-prealloc-tags-when-increase-tagset-nr_hw_queues.patch
new file mode 100644
index 00000000000..c07a82248b0
--- /dev/null
+++ b/queue-6.5/blk-mq-prealloc-tags-when-increase-tagset-nr_hw_queues.patch
@@ -0,0 +1,47 @@
+From 7222657e51b5626d10154b3e48ad441c33b5da96 Mon Sep 17 00:00:00 2001
+From: Chengming Zhou <zhouchengming@bytedance.com>
+Date: Mon, 21 Aug 2023 17:56:02 +0800
+Subject: blk-mq: prealloc tags when increase tagset nr_hw_queues
+
+From: Chengming Zhou <zhouchengming@bytedance.com>
+
+commit 7222657e51b5626d10154b3e48ad441c33b5da96 upstream.
+
+Just like blk_mq_alloc_tag_set(), it's better to prepare all tags before
+using to map to queue ctxs in blk_mq_map_swqueue(), which now have to
+consider empty set->tags[].
+
+The good point is that we can fallback easily if increasing nr_hw_queues
+fail, instead of just mapping to hctx[0] when fail in blk_mq_map_swqueue().
+
+And the fallback path already has tags free & clean handling, so all
+is good.
+
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20230821095602.70742-3-chengming.zhou@linux.dev
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -4420,6 +4420,16 @@ static int blk_mq_realloc_tag_set_tags(s
+ 		       sizeof(*set->tags));
+ 	kfree(set->tags);
+ 	set->tags = new_tags;
++
++	for (i = set->nr_hw_queues; i < new_nr_hw_queues; i++) {
++		if (!__blk_mq_alloc_map_and_rqs(set, i)) {
++			while (--i >= set->nr_hw_queues)
++				__blk_mq_free_map_and_rqs(set, i);
++			return -ENOMEM;
++		}
++		cond_resched();
++	}
++
+ done:
+ 	set->nr_hw_queues = new_nr_hw_queues;
+ 	return 0;
diff --git a/queue-6.5/series b/queue-6.5/series
index 69e080f454a..fc849f93d0b 100644
--- a/queue-6.5/series
+++ b/queue-6.5/series
@@ -162,5 +162,6 @@ ata-libata-core-fetch-sense-data-for-successful-comm.patch
 x86-boot-compressed-reserve-more-memory-for-page-tab.patch
 x86-purgatory-remove-lto-flags.patch
 samples-hw_breakpoint-fix-building-without-module-un.patch
+blk-mq-prealloc-tags-when-increase-tagset-nr_hw_queues.patch
 blk-mq-fix-tags-uaf-when-shrinking-q-nr_hw_queues.patch
 md-raid1-fix-error-iso-c90-forbids-mixed-declaration.patch
-- 
2.47.3