From 503369dba41c5acb4444971349705703d1273b34 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 2 Dec 2024 10:58:36 +0100
Subject: [PATCH] 6.6-stable patches

added patches:
 mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
 nvme-fix-metadata-handling-in-nvme-passthrough.patch
 scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
 xfs-add-bounds-checking-to-xlog_recover_process_data.patch
---
 ...egister-after-devm_pm_runtime_enable.patch | 75 ++++++++++++++++
 ...etadata-handling-in-nvme-passthrough.patch | 70 +++++++++++++++
 ...-dereferencing-in-reset-errata-paths.patch | 86 +++++++++++++++++++
 queue-6.6/series | 4 +
 ...hecking-to-xlog_recover_process_data.patch | 53 ++++++++++++
 5 files changed, 288 insertions(+)
 create mode 100644 queue-6.6/mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
 create mode 100644 queue-6.6/nvme-fix-metadata-handling-in-nvme-passthrough.patch
 create mode 100644 queue-6.6/scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
 create mode 100644 queue-6.6/xfs-add-bounds-checking-to-xlog_recover_process_data.patch

diff --git a/queue-6.6/mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch b/queue-6.6/mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
new file mode 100644
index 00000000000..7f55e9d4036
--- /dev/null
+++ b/queue-6.6/mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
@@ -0,0 +1,75 @@
+From a8bd68e4329f9a0ad1b878733e0f80be6a971649 Mon Sep 17 00:00:00 2001
+From: "Jason-JH.Lin"
+Date: Thu, 18 Jul 2024 22:17:04 +0800
+Subject: mailbox: mtk-cmdq: Move devm_mbox_controller_register() after devm_pm_runtime_enable()
+
+From: Jason-JH.Lin
+
+commit a8bd68e4329f9a0ad1b878733e0f80be6a971649 upstream.
+
+When mtk-cmdq unbinds, a WARN_ON message with condition
+pm_runtime_get_sync() < 0 occurs.
+
+According to the call tracei below:
+ cmdq_mbox_shutdown
+ mbox_free_channel
+ mbox_controller_unregister
+ __devm_mbox_controller_unregister
+ ...
+
+The root cause can be deduced to be calling pm_runtime_get_sync() after
+calling pm_runtime_disable() as observed below:
+1. CMDQ driver uses devm_mbox_controller_register() in cmdq_probe()
+ to bind the cmdq device to the mbox_controller, so
+ devm_mbox_controller_unregister() will automatically unregister
+ the device bound to the mailbox controller when the device-managed
+ resource is removed. That means devm_mbox_controller_unregister()
+ and cmdq_mbox_shoutdown() will be called after cmdq_remove().
+2. CMDQ driver also uses devm_pm_runtime_enable() in cmdq_probe() after
+ devm_mbox_controller_register(), so that devm_pm_runtime_disable()
+ will be called after cmdq_remove(), but before
+ devm_mbox_controller_unregister().
+
+To fix this problem, cmdq_probe() needs to move
+devm_mbox_controller_register() after devm_pm_runtime_enable() to make
+devm_pm_runtime_disable() be called after
+devm_mbox_controller_unregister().
+
+Fixes: 623a6143a845 ("mailbox: mediatek: Add Mediatek CMDQ driver")
+Signed-off-by: Jason-JH.Lin
+Reviewed-by: AngeloGioacchino Del Regno
+Signed-off-by: Jassi Brar
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mailbox/mtk-cmdq-mailbox.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mailbox/mtk-cmdq-mailbox.c
++++ b/drivers/mailbox/mtk-cmdq-mailbox.c
+@@ -623,12 +623,6 @@ static int cmdq_probe(struct platform_de
+ cmdq->mbox.chans[i].con_priv = (void *)&cmdq->thread[i];
+ }
+
+- err = devm_mbox_controller_register(dev, &cmdq->mbox);
+- if (err < 0) {
+- dev_err(dev, "failed to register mailbox: %d\n", err);
+- return err;
+- }
+-
+ platform_set_drvdata(pdev, cmdq);
+
+ WARN_ON(clk_bulk_prepare(cmdq->pdata->gce_num, cmdq->clocks));
+@@ -642,6 +636,12 @@ static int cmdq_probe(struct platform_de
+ return err;
+ }
+
++ err = devm_mbox_controller_register(dev, &cmdq->mbox);
++ if (err < 0) {
++ dev_err(dev, "failed to register mailbox: %d\n", err);
++ return err;
++ }
++
+ return 0;
+ }
+
diff --git a/queue-6.6/nvme-fix-metadata-handling-in-nvme-passthrough.patch b/queue-6.6/nvme-fix-metadata-handling-in-nvme-passthrough.patch
new file mode 100644
index 00000000000..0701c927e1f
--- /dev/null
+++ b/queue-6.6/nvme-fix-metadata-handling-in-nvme-passthrough.patch
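Review bot: After the move, a failing devm_mbox_controller_register() at the end of cmdq_probe() returns with the clocks that clk_bulk_prepare() prepared a few lines earlier still prepared, whereas before the move the register failure happened ahead of clk_bulk_prepare(). The existing `return err;` just above the new block appears to have the same property, so this may be an accepted pattern in this driver, but it is worth confirming that no unwinding is needed, e.g. `clk_bulk_unprepare(cmdq->pdata->gce_num, cmdq->clocks);` before the new `return err;`. The clk_bulk_prepare() result itself is only WARN_ON'd rather than handled, which is pre-existing. cmdq_probe() begins outside the hunk.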
@@ -0,0 +1,70 @@
+From 7c2fd76048e95dd267055b5f5e0a48e6e7c81fd9 Mon Sep 17 00:00:00 2001
+From: Puranjay Mohan
+Date: Thu, 29 Aug 2024 13:32:17 +0000
+Subject: nvme: fix metadata handling in nvme-passthrough
+
+From: Puranjay Mohan
+
+commit 7c2fd76048e95dd267055b5f5e0a48e6e7c81fd9 upstream.
+
+On an NVMe namespace that does not support metadata, it is possible to
+send an IO command with metadata through io-passthru. This allows issues
+like [1] to trigger in the completion code path.
+nvme_map_user_request() doesn't check if the namespace supports metadata
+before sending it forward. It also allows admin commands with metadata to
+be processed as it ignores metadata when bdev == NULL and may report
+success.
+
+Reject an IO command with metadata when the NVMe namespace doesn't
+support it and reject an admin command if it has metadata.
+
+[1] https://lore.kernel.org/all/mb61pcylvnym8.fsf@amazon.com/
+
+Suggested-by: Christoph Hellwig
+Signed-off-by: Puranjay Mohan
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Sagi Grimberg
+Reviewed-by: Anuj Gupta
+Signed-off-by: Keith Busch
+[ Minor changes to make it work on 6.6 ]
+Signed-off-by: Hagar Hemdan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/ioctl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/ioctl.c
++++ b/drivers/nvme/host/ioctl.c
+@@ -3,6 +3,7 @@
+ * Copyright (c) 2011-2014, Intel Corporation.
+ * Copyright (c) 2017-2021 Christoph Hellwig.
+ */
++#include
+ #include /* for force_successful_syscall_return */
+ #include
+ #include
+@@ -171,10 +172,15 @@ static int nvme_map_user_request(struct
+ struct request_queue *q = req->q;
+ struct nvme_ns *ns = q->queuedata;
+ struct block_device *bdev = ns ? ns->disk->part0 : NULL;
++ bool supports_metadata = bdev && blk_get_integrity(bdev->bd_disk);
++ bool has_metadata = meta_buffer && meta_len;
+ struct bio *bio = NULL;
+ void *meta = NULL;
+ int ret;
+
++ if (has_metadata && !supports_metadata)
++ return -EINVAL;
++
+ if (ioucmd && (ioucmd->flags & IORING_URING_CMD_FIXED)) {
+ struct iov_iter iter;
+
+@@ -198,7 +204,7 @@ static int nvme_map_user_request(struct
+ if (bdev)
+ bio_set_dev(bio, bdev);
+
+- if (bdev && meta_buffer && meta_len) {
++ if (has_metadata) {
+ meta = nvme_add_user_metadata(req, meta_buffer, meta_len,
+ meta_seed);
+ if (IS_ERR(meta)) {
diff --git a/queue-6.6/scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch b/queue-6.6/scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
new file mode 100644
index 00000000000..c87be93b5b8
--- /dev/null
+++ b/queue-6.6/scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
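Review bot: `has_metadata` is true only when both `meta_buffer` and `meta_len` are non-zero, so a request that passes `meta_len != 0` with a NULL `meta_buffer` (or the reverse) is treated as carrying no metadata and sails past the new `-EINVAL` check rather than being rejected as malformed; unless callers are known to always hand in a consistent pair, a mismatch could be refused as well, `if (!!meta_buffer != !!meta_len) return -EINVAL;`. The added `#include` line's header name is not visible in this rendering of the patch, so the build dependency that provides blk_get_integrity() cannot be confirmed from here. nvme_map_user_request() continues outside the hunk.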
@@ -0,0 +1,86 @@
+From 2be1d4f11944cd6283cb97268b3e17c4424945ca Mon Sep 17 00:00:00 2001
+From: Justin Tee
+Date: Fri, 26 Jul 2024 16:15:07 -0700
+Subject: scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths
+
+From: Justin Tee
+
+commit 2be1d4f11944cd6283cb97268b3e17c4424945ca upstream.
+
+When the HBA is undergoing a reset or is handling an errata event, NULL ptr
+dereference crashes may occur in routines such as
+lpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or
+lpfc_abort_handler().
+
+Add NULL ptr checks before dereferencing hdwq pointers that may have been
+freed due to operations colliding with a reset or errata event handler.
+
+Signed-off-by: Justin Tee
+Link: https://lore.kernel.org/r/20240726231512.92867-4-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen
+[Xiangyu: BP to fix CVE: CVE-2024-49891, no test_bit() conflict resolution]
+Signed-off-by: Xiangyu Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 3 ++-
+ drivers/scsi/lpfc/lpfc_scsi.c | 13 +++++++++++--
+ drivers/scsi/lpfc/lpfc_sli.c | 11 +++++++++++
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -175,7 +175,8 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport
+ ndlp->nlp_state, ndlp->fc4_xpt_flags);
+
+ /* Don't schedule a worker thread event if the vport is going down. */
+- if (vport->load_flag & FC_UNLOADING) {
++ if ((vport->load_flag & FC_UNLOADING) ||
++ !(phba->hba_flag & HBA_SETUP)) {
+ spin_lock_irqsave(&ndlp->lock, iflags);
+ ndlp->rport = NULL;
+
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -5546,11 +5546,20 @@ lpfc_abort_handler(struct scsi_cmnd *cmn
+
+ iocb = &lpfc_cmd->cur_iocbq;
+ if (phba->sli_rev == LPFC_SLI_REV4) {
+- pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
+- if (!pring_s4) {
++ /* if the io_wq & pring are gone, the port was reset. */
++ if (!phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq ||
++ !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring) {
++ lpfc_printf_vlog(vport, KERN_WARNING, LOG_FCP,
++ "2877 SCSI Layer I/O Abort Request "
++ "IO CMPL Status x%x ID %d LUN %llu "
++ "HBA_SETUP %d\n", FAILED,
++ cmnd->device->id,
++ (u64)cmnd->device->lun,
++ (HBA_SETUP & phba->hba_flag));
+ ret = FAILED;
+ goto out_unlock_hba;
+ }
++ pring_s4 = phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring;
+ spin_lock(&pring_s4->ring_lock);
+ }
+ /* the command is in process of being cancelled */
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -4684,6 +4684,17 @@ lpfc_sli_flush_io_rings(struct lpfc_hba
+ /* Look on all the FCP Rings for the iotag */
+ if (phba->sli_rev >= LPFC_SLI_REV4) {
+ for (i = 0; i < phba->cfg_hdw_queue; i++) {
++ if (!phba->sli4_hba.hdwq ||
++ !phba->sli4_hba.hdwq[i].io_wq) {
++ lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
++ "7777 hdwq's deleted %lx "
++ "%lx %x %x\n",
++ (unsigned long)phba->pport->load_flag,
++ (unsigned long)phba->hba_flag,
++ phba->link_state,
++ phba->sli.sli_flag);
++ return;
++ }
+ pring = phba->sli4_hba.hdwq[i].io_wq->pring;
+
+ spin_lock_irq(&pring->ring_lock);
diff --git a/queue-6.6/series b/queue-6.6/series
index 4c19a4adea0..97c7f687814 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -451,3 +451,7 @@ asoc-amd-yc-fix-for-enabling-dmic-on-acp6x-via-_dsd-.patch
 gfs2-don-t-set-glf_lock-in-gfs2_dispose_glock_lru.patch
 gfs2-remove-and-replace-gfs2_glock_queue_work.patch
 f2fs-fix-fiemap-failure-issue-when-page-size-is-16kb.patch
+mailbox-mtk-cmdq-move-devm_mbox_controller_register-after-devm_pm_runtime_enable.patch
+scsi-lpfc-validate-hdwq-pointers-before-dereferencing-in-reset-errata-paths.patch
+nvme-fix-metadata-handling-in-nvme-passthrough.patch
+xfs-add-bounds-checking-to-xlog_recover_process_data.patch
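Review bot: The new guard in lpfc_abort_handler() (lpfc_scsi.c hunk) indexes `phba->sli4_hba.hdwq[iocb->hba_wqidx]` without first checking that `phba->sli4_hba.hdwq` itself is non-NULL, whereas the lpfc_sli_flush_io_rings() hunk in lpfc_sli.c tests `!phba->sli4_hba.hdwq ||` before touching `hdwq[i].io_wq`. If the hdwq array can be freed during a reset or errata event, as the commit message states, the abort path should take the same precaution: `if (!phba->sli4_hba.hdwq || !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq || !phba->sli4_hba.hdwq[iocb->hba_wqidx].io_wq->pring) {`. Whether a lock held at this point (the `out_unlock_hba` label suggests one) keeps the array alive between the check and the `pring_s4 = ...` re-read a few lines later is not visible in the hunk; a one-line comment naming the lock that protects hdwq here would make that explicit. All three functions begin and end outside the hunks.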
diff --git a/queue-6.6/xfs-add-bounds-checking-to-xlog_recover_process_data.patch b/queue-6.6/xfs-add-bounds-checking-to-xlog_recover_process_data.patch
new file mode 100644
index 00000000000..8ec0d654824
--- /dev/null
+++ b/queue-6.6/xfs-add-bounds-checking-to-xlog_recover_process_data.patch
@@ -0,0 +1,53 @@
+From fb63435b7c7dc112b1ae1baea5486e0a6e27b196 Mon Sep 17 00:00:00 2001
+From: lei lu
+Date: Mon, 3 Jun 2024 17:46:08 +0800
+Subject: xfs: add bounds checking to xlog_recover_process_data
+
+From: lei lu
+
+commit fb63435b7c7dc112b1ae1baea5486e0a6e27b196 upstream.
+
+There is a lack of verification of the space occupied by fixed members
+of xlog_op_header in the xlog_recover_process_data.
+
+We can create a crafted image to trigger an out of bounds read by
+following these steps:
+ 1) Mount an image of xfs, and do some file operations to leave records
+ 2) Before umounting, copy the image for subsequent steps to simulate
+ abnormal exit. Because umount will ensure that tail_blk and
+ head_blk are the same, which will result in the inability to enter
+ xlog_recover_process_data
+ 3) Write a tool to parse and modify the copied image in step 2
+ 4) Make the end of the xlog_op_header entries only 1 byte away from
+ xlog_rec_header->h_size
+ 5) xlog_rec_header->h_num_logops++
+ 6) Modify xlog_rec_header->h_crc
+
+Fix:
+Add a check to make sure there is sufficient space to access fixed members
+of xlog_op_header.
+
+Signed-off-by: lei lu
+Reviewed-by: Dave Chinner
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Chandan Babu R
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_log_recover.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -2456,7 +2456,10 @@ xlog_recover_process_data(
+
+ ohead = (struct xlog_op_header *)dp;
+ dp += sizeof(*ohead);
+- ASSERT(dp <= end);
++ if (dp > end) {
++ xfs_warn(log->l_mp, "%s: op header overrun", __func__);
++ return -EFSCORRUPTED;
++ }
+
+ /* errors will abort recovery */
+ error = xlog_recover_process_ophdr(log, rhash, rhead, ohead,
-- 
2.47.3
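Review bot: The new `if (dp > end)` check runs after `dp += sizeof(*ohead)` has already advanced the pointer, so on a truncated record the pointer arithmetic itself steps beyond the end of the buffer before the overrun is detected, which is undefined behaviour in C even though the value is never dereferenced. Testing the remaining space before the increment keeps `dp` inside the buffer: `if ((size_t)(end - dp) < sizeof(*ohead)) { xfs_warn(log->l_mp, "%s: op header overrun", __func__); return -EFSCORRUPTED; }` placed ahead of `dp += sizeof(*ohead);`, which also makes the check read as a bound on the header rather than a post-hoc correction. This only bounds the fixed header; the variable-length payload the op header describes is presumably validated in xlog_recover_process_ophdr(), which is outside the hunk, as are the start and end of xlog_recover_process_data().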