From 90ca79b8a7e6e93e582a2214442f610ca9c91f04 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 21 Jul 2023 08:35:07 +0200 Subject: [PATCH] 4.14-stable patches added patches: ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch --- ...alue-of-freeze_bdev-in-ext4_shutdown.patch | 43 +++++++++ ...x-wrong-unit-use-in-ext4_mb_clear_bb.patch | 35 +++++++ ...locks-on-successful-block-allocation.patch | 92 +++++++++++++++++++ ...lidate-db_l2nbperpage-while-mounting.patch | 66 +++++++++++++ ...dma-alias-quirk-for-marvell-88se9235.patch | 36 ++++++++ queue-4.14/series | 5 + 6 files changed, 277 insertions(+) create mode 100644 queue-4.14/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch create mode 100644 queue-4.14/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch create mode 100644 queue-4.14/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch create mode 100644 queue-4.14/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch create mode 100644 queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch diff --git a/queue-4.14/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch b/queue-4.14/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch new file mode 100644 index 00000000000..30d69658797 --- /dev/null +++ b/queue-4.14/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch @@ -0,0 +1,43 @@ +From c4d13222afd8a64bf11bc7ec68645496ee8b54b9 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 6 Jun 2023 15:32:03 +0800 +Subject: ext4: fix to check return value of freeze_bdev() in ext4_shutdown() + +From: Chao Yu + +commit c4d13222afd8a64bf11bc7ec68645496ee8b54b9 upstream. + +freeze_bdev() can fail due to a lot of reasons, it needs to check its +reason before later process. + +Fixes: 783d94854499 ("ext4: add EXT4_IOC_GOINGDOWN ioctl") +Cc: stable@kernel.org +Signed-off-by: Chao Yu +Link: https://lore.kernel.org/r/20230606073203.1310389-1-chao@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ioctl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -502,6 +502,7 @@ static int ext4_shutdown(struct super_bl + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + __u32 flags; ++ int ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -519,7 +520,9 @@ static int ext4_shutdown(struct super_bl + + switch (flags) { + case EXT4_GOING_FLAGS_DEFAULT: +- freeze_bdev(sb->s_bdev); ++ ret = freeze_bdev(sb->s_bdev); ++ if (ret) ++ return ret; + set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags); + thaw_bdev(sb->s_bdev, sb); + break; diff --git a/queue-4.14/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch b/queue-4.14/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch new file mode 100644 index 00000000000..58c75ce30f9 --- /dev/null +++ b/queue-4.14/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch @@ -0,0 +1,35 @@ +From 247c3d214c23dfeeeb892e91a82ac1188bdaec9f Mon Sep 17 00:00:00 2001 +From: Kemeng Shi +Date: Sat, 3 Jun 2023 23:03:18 +0800 +Subject: ext4: fix wrong unit use in ext4_mb_clear_bb + +From: Kemeng Shi + +commit 247c3d214c23dfeeeb892e91a82ac1188bdaec9f upstream. + +Function ext4_issue_discard need count in cluster. Pass count_clusters +instead of count to fix the mismatch. + +Signed-off-by: Kemeng Shi +Cc: stable@kernel.org +Reviewed-by: Ojaswin Mujoo +Link: https://lore.kernel.org/r/20230603150327.3596033-11-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4976,8 +4976,8 @@ do_more: + * them with group lock_held + */ + if (test_opt(sb, DISCARD)) { +- err = ext4_issue_discard(sb, block_group, bit, count, +- NULL); ++ err = ext4_issue_discard(sb, block_group, bit, ++ count_clusters, NULL); + if (err && err != -EOPNOTSUPP) + ext4_msg(sb, KERN_WARNING, "discard request in" + " group:%d block:%d count:%lu failed" diff --git a/queue-4.14/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch b/queue-4.14/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch new file mode 100644 index 00000000000..d9b725ddeb6 --- /dev/null +++ b/queue-4.14/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch @@ -0,0 +1,92 @@ +From de25d6e9610a8b30cce9bbb19b50615d02ebca02 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 24 Apr 2023 11:38:35 +0800 +Subject: ext4: only update i_reserved_data_blocks on successful block allocation + +From: Baokun Li + +commit de25d6e9610a8b30cce9bbb19b50615d02ebca02 upstream. + +In our fault injection test, we create an ext4 file, migrate it to +non-extent based file, then punch a hole and finally trigger a WARN_ON +in the ext4_da_update_reserve_space(): + +EXT4-fs warning (device sda): ext4_da_update_reserve_space:369: +ino 14, used 11 with only 10 reserved data blocks + +When writing back a non-extent based file, if we enable delalloc, the +number of reserved blocks will be subtracted from the number of blocks +mapped by ext4_ind_map_blocks(), and the extent status tree will be +updated. We update the extent status tree by first removing the old +extent_status and then inserting the new extent_status. If the block range +we remove happens to be in an extent, then we need to allocate another +extent_status with ext4_es_alloc_extent(). + + use old to remove to add new + |----------|------------|------------| + old extent_status + +The problem is that the allocation of a new extent_status failed due to a +fault injection, and __es_shrink() did not get free memory, resulting in +a return of -ENOMEM. Then do_writepages() retries after receiving -ENOMEM, +we map to the same extent again, and the number of reserved blocks is again +subtracted from the number of blocks in that extent. Since the blocks in +the same extent are subtracted twice, we end up triggering WARN_ON at +ext4_da_update_reserve_space() because used > ei->i_reserved_data_blocks. + +For non-extent based file, we update the number of reserved blocks after +ext4_ind_map_blocks() is executed, which causes a problem that when we call +ext4_ind_map_blocks() to create a block, it doesn't always create a block, +but we always reduce the number of reserved blocks. So we move the logic +for updating reserved blocks to ext4_ind_map_blocks() to ensure that the +number of reserved blocks is updated only after we do succeed in allocating +some new blocks. + +Fixes: 5f634d064c70 ("ext4: Fix quota accounting error with fallocate") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/indirect.c | 8 ++++++++ + fs/ext4/inode.c | 10 ---------- + 2 files changed, 8 insertions(+), 10 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -642,6 +642,14 @@ int ext4_ind_map_blocks(handle_t *handle + + ext4_update_inode_fsync_trans(handle, inode, 1); + count = ar.len; ++ ++ /* ++ * Update reserved blocks/metadata blocks after successful block ++ * allocation which had been deferred till now. ++ */ ++ if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) ++ ext4_da_update_reserve_space(inode, count, 1); ++ + got_it: + map->m_flags |= EXT4_MAP_MAPPED; + map->m_pblk = le32_to_cpu(chain[depth-1].key); +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -665,16 +665,6 @@ found: + */ + ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE); + } +- +- /* +- * Update reserved blocks/metadata blocks after successful +- * block allocation which had been deferred till now. We don't +- * support fallocate for non extent files. So we can update +- * reserve space here. +- */ +- if ((retval > 0) && +- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE)) +- ext4_da_update_reserve_space(inode, retval, 1); + } + + if (retval > 0) { diff --git a/queue-4.14/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch b/queue-4.14/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch new file mode 100644 index 00000000000..a53faad56d0 --- /dev/null +++ b/queue-4.14/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch @@ -0,0 +1,66 @@ +From 11509910c599cbd04585ec35a6d5e1a0053d84c1 Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant +Date: Tue, 20 Jun 2023 22:17:00 +0530 +Subject: jfs: jfs_dmap: Validate db_l2nbperpage while mounting + +From: Siddh Raman Pant + +commit 11509910c599cbd04585ec35a6d5e1a0053d84c1 upstream. + +In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block +number inside dbFree(). db_l2nbperpage, which is the log2 number of +blocks per page, is passed as an argument to BLKTODMAP which uses it +for shifting. + +Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is +too big. This happens because the large value is set without any +validation in dbMount() at line 181. + +Thus, make sure that db_l2nbperpage is correct while mounting. + +Max number of blocks per page = Page size / Min block size +=> log2(Max num_block per page) = log2(Page size / Min block size) + = log2(Page size) - log2(Min block size) + +=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE + +Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715 +Cc: stable@vger.kernel.org +Suggested-by: Dave Kleikamp +Signed-off-by: Siddh Raman Pant +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_dmap.c | 6 ++++++ + fs/jfs/jfs_filsys.h | 2 ++ + 2 files changed, 8 insertions(+) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -191,7 +191,13 @@ int dbMount(struct inode *ipbmap) + dbmp_le = (struct dbmap_disk *) mp->data; + bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize); + bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree); ++ + bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); ++ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) { ++ err = -EINVAL; ++ goto err_release_metapage; ++ } ++ + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); + if (!bmp->db_numag) { + err = -EINVAL; +--- a/fs/jfs/jfs_filsys.h ++++ b/fs/jfs/jfs_filsys.h +@@ -135,7 +135,9 @@ + #define NUM_INODE_PER_IAG INOSPERIAG + + #define MINBLOCKSIZE 512 ++#define L2MINBLOCKSIZE 9 + #define MAXBLOCKSIZE 4096 ++#define L2MAXBLOCKSIZE 12 + #define MAXFILESIZE ((s64)1 << 52) + + #define JFS_LINK_MAX 0xffffffff diff --git a/queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch b/queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch new file mode 100644 index 00000000000..4cec22a9f52 --- /dev/null +++ b/queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch @@ -0,0 +1,36 @@ +From 88d341716b83abd355558523186ca488918627ee Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Wed, 7 Jun 2023 18:18:47 +0100 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9235 + +From: Robin Murphy + +commit 88d341716b83abd355558523186ca488918627ee upstream. + +Marvell's own product brief implies the 92xx series are a closely related +family, and sure enough it turns out that 9235 seems to need the same quirk +as the other three, although possibly only when certain ports are used. + +Link: https://lore.kernel.org/linux-iommu/2a699a99-545c-1324-e052-7d2f41fed1ae@yahoo.co.uk/ +Link: https://lore.kernel.org/r/731507e05d70239aec96fcbfab6e65d8ce00edd2.1686157165.git.robin.murphy@arm.com +Reported-by: Jason Adriaanse +Signed-off-by: Robin Murphy +Signed-off-by: Bjorn Helgaas +Reviewed-by: Christoph Hellwig +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4035,6 +4035,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, + quirk_dma_func1_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9235, ++ quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642, + quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645, diff --git a/queue-4.14/series b/queue-4.14/series index 38a168b769f..6a3e7fdc7fa 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -102,3 +102,8 @@ net-sched-make-psched_mtu-rtnl-less-safe.patch tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch +ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch +ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch +ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch +jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch +pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch -- 2.47.3