rebase patches on top of Ubuntu-5.13.0-21.21
authorThomas Lamprecht <t.lamprecht@proxmox.com>
Tue, 19 Oct 2021 11:40:56 +0000 (13:40 +0200)
committerThomas Lamprecht <t.lamprecht@proxmox.com>
Tue, 19 Oct 2021 11:40:56 +0000 (13:40 +0200)
(generated with debian/scripts/import-upstream-tag)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
12 files changed:
patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch
patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch
patches/kernel/0005-net-core-downgrade-unregister_netdevice-refcount-lea.patch
patches/kernel/0006-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch [new file with mode: 0644]
patches/kernel/0007-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch [new file with mode: 0644]
patches/kernel/0008-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch [deleted file]
patches/kernel/0008-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch [new file with mode: 0644]
patches/kernel/0009-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch [deleted file]
patches/kernel/0010-blk-mq-fix-kernel-panic-during-iterating-over-flush-.patch [deleted file]
patches/kernel/0011-blk-mq-fix-is_flush_rq.patch [deleted file]
patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch [deleted file]

index b625b1f6f204f284c36f23dc84ff65aeda2f1448..2b6c98163676667463f7a985a4cf05776690a60c 100644 (file)
@@ -21,7 +21,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/scripts/mkcompile_h b/scripts/mkcompile_h
-index 4ae735039daf..5a1abe7b4169 100755
+index a72b154de7b0..4dd111086466 100755
 --- a/scripts/mkcompile_h
 +++ b/scripts/mkcompile_h
 @@ -24,10 +24,14 @@ else
index 4b8057523d2a2afbf4a64ec150aa75a4df0171b1..370e7bb4b1c92d7a3368c7a5dfc039110458c7eb 100644 (file)
@@ -55,10 +55,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 111 insertions(+)
 
 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index ee85be64b680..a38a8e44422e 100644
+index 8deb4cd7b133..291885ea26dd 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -3653,6 +3653,15 @@
+@@ -3808,6 +3808,15 @@
                                Also, it enforces the PCI Local Bus spec
                                rule that those bits should be 0 in system reset
                                events (useful for kexec/kdump cases).
@@ -75,10 +75,10 @@ index ee85be64b680..a38a8e44422e 100644
                                Safety option to keep boot IRQs enabled. This
                                should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index f32e521ade1e..4f3558d0c00a 100644
+index cf71505ab0b9..7f381969e705 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
-@@ -192,6 +192,106 @@ static int __init pci_apply_final_quirks(void)
+@@ -193,6 +193,106 @@ static int __init pci_apply_final_quirks(void)
  }
  fs_initcall_sync(pci_apply_final_quirks);
  
@@ -185,7 +185,7 @@ index f32e521ade1e..4f3558d0c00a 100644
  /*
   * Decoding should be disabled for a PCI device during BAR sizing to avoid
   * conflict. But doing so may cause problems on host bridge and perhaps other
-@@ -4857,6 +4957,8 @@ static const struct pci_dev_acs_enabled {
+@@ -4858,6 +4958,8 @@ static const struct pci_dev_acs_enabled {
        { PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
        /* APM X-Gene */
        { PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
index 885469393a012b4fbcb2a9e227a576ac82613c3f..fd6190f0aa082fa1ed9741dcdd38653e2e082b99 100644 (file)
@@ -13,10 +13,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 14e6c73a6031..c191c9e50735 100644
+index 1dcc66060a19..c0ca4f494a02 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
-@@ -77,7 +77,7 @@ module_param(halt_poll_ns, uint, 0644);
+@@ -78,7 +78,7 @@ module_param(halt_poll_ns, uint, 0644);
  EXPORT_SYMBOL_GPL(halt_poll_ns);
  
  /* Default doubles per-vcpu halt_poll_ns. */
index 580c8acfb8d6e5366affeec339f01ec6b0c630ae..ece8e4090c3d9e6b76eaaad89ba40ca54e78c4a8 100644 (file)
@@ -10,7 +10,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/net/core/dev.c b/net/core/dev.c
-index b91b76890cbc..cb7ffc3e848b 100644
+index 04c4e236952f..3ff0e01f5cbf 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -10517,7 +10517,7 @@ static void netdev_wait_allrefs(struct net_device *dev)
diff --git a/patches/kernel/0006-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch b/patches/kernel/0006-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch
new file mode 100644 (file)
index 0000000..9b339e4
--- /dev/null
@@ -0,0 +1,104 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Mon, 27 Sep 2021 11:28:39 +0200
+Subject: [PATCH] Revert "PCI: Coalesce host bridge contiguous apertures"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit ab20e43b20b60f5cc8e2ea3763ffa388158469ac.
+
+was reverted upstream because of reports similar to
+
+Link: https://bugzilla.proxmox.com/show_bug.cgi?id=3552
+Link: https://lore.kernel.org/r/20210709231529.GA3270116@roeck-us.net
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ drivers/pci/probe.c | 50 ++++-----------------------------------------
+ 1 file changed, 4 insertions(+), 46 deletions(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index f6046a16dac1..275204646c68 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -19,7 +19,6 @@
+ #include <linux/hypervisor.h>
+ #include <linux/irqdomain.h>
+ #include <linux/pm_runtime.h>
+-#include <linux/list_sort.h>
+ #include "pci.h"
+ #define CARDBUS_LATENCY_TIMER 176     /* secondary latency timer */
+@@ -875,31 +874,14 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus)
+       dev_set_msi_domain(&bus->dev, d);
+ }
+-static int res_cmp(void *priv, const struct list_head *a,
+-                 const struct list_head *b)
+-{
+-      struct resource_entry *entry1, *entry2;
+-
+-      entry1 = container_of(a, struct resource_entry, node);
+-      entry2 = container_of(b, struct resource_entry, node);
+-
+-      if (entry1->res->flags != entry2->res->flags)
+-              return entry1->res->flags > entry2->res->flags;
+-
+-      if (entry1->offset != entry2->offset)
+-              return entry1->offset > entry2->offset;
+-
+-      return entry1->res->start > entry2->res->start;
+-}
+-
+ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
+ {
+       struct device *parent = bridge->dev.parent;
+-      struct resource_entry *window, *next, *n;
++      struct resource_entry *window, *n;
+       struct pci_bus *bus, *b;
+-      resource_size_t offset, next_offset;
++      resource_size_t offset;
+       LIST_HEAD(resources);
+-      struct resource *res, *next_res;
++      struct resource *res;
+       char addr[64], *fmt;
+       const char *name;
+       int err;
+@@ -979,35 +961,11 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
+       if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE)
+               dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n");
+-      /* Sort and coalesce contiguous windows */
+-      list_sort(NULL, &resources, res_cmp);
+-      resource_list_for_each_entry_safe(window, n, &resources) {
+-              if (list_is_last(&window->node, &resources))
+-                      break;
+-
+-              next = list_next_entry(window, node);
+-              offset = window->offset;
+-              res = window->res;
+-              next_offset = next->offset;
+-              next_res = next->res;
+-
+-              if (res->flags != next_res->flags || offset != next_offset)
+-                      continue;
+-
+-              if (res->end + 1 == next_res->start) {
+-                      next_res->start = res->start;
+-                      res->flags = res->start = res->end = 0;
+-              }
+-      }
+-
+       /* Add initial resources to the bus */
+       resource_list_for_each_entry_safe(window, n, &resources) {
++              list_move_tail(&window->node, &bridge->windows);
+               offset = window->offset;
+               res = window->res;
+-              if (!res->end)
+-                      continue;
+-
+-              list_move_tail(&window->node, &bridge->windows);
+               if (res->flags & IORESOURCE_BUS)
+                       pci_bus_insert_busn_res(bus, bus->number, res->end);
diff --git a/patches/kernel/0007-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch b/patches/kernel/0007-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch
new file mode 100644 (file)
index 0000000..cc4bd5f
--- /dev/null
@@ -0,0 +1,111 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 13 Jul 2021 20:50:07 +0800
+Subject: [PATCH] PCI: Reinstate "PCI: Coalesce host bridge contiguous
+ apertures"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Built-in graphics on HP EliteDesk 805 G6 doesn't work because graphics
+can't get the BAR it needs:
+  pci_bus 0000:00: root bus resource [mem 0x10020200000-0x100303fffff window]
+  pci_bus 0000:00: root bus resource [mem 0x10030400000-0x100401fffff window]
+
+  pci 0000:00:08.1:   bridge window [mem 0xd2000000-0xd23fffff]
+  pci 0000:00:08.1:   bridge window [mem 0x10030000000-0x100401fffff 64bit pref]
+  pci 0000:00:08.1: can't claim BAR 15 [mem 0x10030000000-0x100401fffff 64bit pref]: no compatible bridge window
+  pci 0000:00:08.1: [mem 0x10030000000-0x100401fffff 64bit pref] clipped to [mem 0x10030000000-0x100303fffff 64bit pref]
+  pci 0000:00:08.1:   bridge window [mem 0x10030000000-0x100303fffff 64bit pref]
+  pci 0000:07:00.0: can't claim BAR 0 [mem 0x10030000000-0x1003fffffff 64bit pref]: no compatible bridge window
+  pci 0000:07:00.0: can't claim BAR 2 [mem 0x10040000000-0x100401fffff 64bit pref]: no compatible bridge window
+
+However, the root bus has two contiguous apertures that can contain the
+child resource requested.
+
+Coalesce contiguous apertures so we can allocate from the entire contiguous
+region.
+
+This is the second take of commit 65db04053efe ("PCI: Coalesce host
+bridge contiguous apertures"). The original approach sorts the apertures
+by address, but that makes NVMe stop working on QEMU ppc:sam460ex:
+  PCI host bridge to bus 0002:00
+  pci_bus 0002:00: root bus resource [io  0x0000-0xffff]
+  pci_bus 0002:00: root bus resource [mem 0xd80000000-0xdffffffff] (bus address [0x80000000-0xffffffff])
+  pci_bus 0002:00: root bus resource [mem 0xc0ee00000-0xc0eefffff] (bus address [0x00000000-0x000fffff])
+
+After the offending commit:
+  PCI host bridge to bus 0002:00
+  pci_bus 0002:00: root bus resource [io  0x0000-0xffff]
+  pci_bus 0002:00: root bus resource [mem 0xc0ee00000-0xc0eefffff] (bus address [0x00000000-0x000fffff])
+  pci_bus 0002:00: root bus resource [mem 0xd80000000-0xdffffffff] (bus address [0x80000000-0xffffffff])
+
+Since the apertures on HP EliteDesk 805 G6 are already in ascending
+order, doing a precautious sorting is not necessary.
+
+Remove the sorting part to avoid the regression on ppc:sam460ex.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212013
+Cc: Guenter Roeck <linux@roeck-us.net>
+Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ drivers/pci/probe.c | 31 +++++++++++++++++++++++++++----
+ 1 file changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 275204646c68..944c35d87258 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -877,11 +877,11 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus)
+ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
+ {
+       struct device *parent = bridge->dev.parent;
+-      struct resource_entry *window, *n;
++      struct resource_entry *window, *next, *n;
+       struct pci_bus *bus, *b;
+-      resource_size_t offset;
++      resource_size_t offset, next_offset;
+       LIST_HEAD(resources);
+-      struct resource *res;
++      struct resource *res, *next_res;
+       char addr[64], *fmt;
+       const char *name;
+       int err;
+@@ -961,11 +961,34 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
+       if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE)
+               dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n");
++      /* Coalesce contiguous windows */
++      resource_list_for_each_entry_safe(window, n, &resources) {
++              if (list_is_last(&window->node, &resources))
++                      break;
++
++              next = list_next_entry(window, node);
++              offset = window->offset;
++              res = window->res;
++              next_offset = next->offset;
++              next_res = next->res;
++
++              if (res->flags != next_res->flags || offset != next_offset)
++                      continue;
++
++              if (res->end + 1 == next_res->start) {
++                      next_res->start = res->start;
++                      res->flags = res->start = res->end = 0;
++              }
++      }
++
+       /* Add initial resources to the bus */
+       resource_list_for_each_entry_safe(window, n, &resources) {
+-              list_move_tail(&window->node, &bridge->windows);
+               offset = window->offset;
+               res = window->res;
++              if (!res->end)
++                      continue;
++
++              list_move_tail(&window->node, &bridge->windows);
+               if (res->flags & IORESOURCE_BUS)
+                       pci_bus_insert_busn_res(bus, bus->number, res->end);
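Review bot: The skip test `if (!res->end)` in the "Add initial resources to the bus" loop keys on a single field, while the coalesce loop above it marks a merged window by zeroing `flags`, `start` and `end` together. Any window whose end is legitimately 0 would be dropped as well; the lines right after pass `res->end` to `pci_bus_insert_busn_res()` for `IORESOURCE_BUS` entries, so a bus range that ends at bus 0 looks like such a case. Testing the whole marker, `if (!res->flags && !res->start && !res->end)`, would avoid that. Skipped entries also stay on the local `resources` list; whether they are released later cannot be seen here, because pci_register_host_bridge() continues outside the hunk.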
diff --git a/patches/kernel/0008-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch b/patches/kernel/0008-Revert-PCI-Coalesce-host-bridge-contiguous-apertures.patch
deleted file mode 100644 (file)
index 1cd38d8..0000000
+++ /dev/null
@@ -1,102 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Mon, 27 Sep 2021 11:28:39 +0200
-Subject: [PATCH] Revert "PCI: Coalesce host bridge contiguous apertures"
-
-This reverts commit ab20e43b20b60f5cc8e2ea3763ffa388158469ac.
-
-was reverted upstream because of reports similar to
-
-Link: https://bugzilla.proxmox.com/show_bug.cgi?id=3552
-Link: https://lore.kernel.org/r/20210709231529.GA3270116@roeck-us.net
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- drivers/pci/probe.c | 52 +++++----------------------------------------
- 1 file changed, 5 insertions(+), 47 deletions(-)
-
-diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index f6046a16dac1..275204646c68 100644
---- a/drivers/pci/probe.c
-+++ b/drivers/pci/probe.c
-@@ -19,7 +19,6 @@
- #include <linux/hypervisor.h>
- #include <linux/irqdomain.h>
- #include <linux/pm_runtime.h>
--#include <linux/list_sort.h>
- #include "pci.h"
- #define CARDBUS_LATENCY_TIMER 176     /* secondary latency timer */
-@@ -875,31 +874,14 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus)
-       dev_set_msi_domain(&bus->dev, d);
- }
--static int res_cmp(void *priv, const struct list_head *a,
--                 const struct list_head *b)
--{
--      struct resource_entry *entry1, *entry2;
--
--      entry1 = container_of(a, struct resource_entry, node);
--      entry2 = container_of(b, struct resource_entry, node);
--
--      if (entry1->res->flags != entry2->res->flags)
--              return entry1->res->flags > entry2->res->flags;
--
--      if (entry1->offset != entry2->offset)
--              return entry1->offset > entry2->offset;
--
--      return entry1->res->start > entry2->res->start;
--}
--
- static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- {
-       struct device *parent = bridge->dev.parent;
--      struct resource_entry *window, *next, *n;
-+      struct resource_entry *window, *n;
-       struct pci_bus *bus, *b;
--      resource_size_t offset, next_offset;
-+      resource_size_t offset;
-       LIST_HEAD(resources);
--      struct resource *res, *next_res;
-+      struct resource *res;
-       char addr[64], *fmt;
-       const char *name;
-       int err;
-@@ -979,35 +961,11 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
-       if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE)
-               dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n");
--      /* Sort and coalesce contiguous windows */
--      list_sort(NULL, &resources, res_cmp);
--      resource_list_for_each_entry_safe(window, n, &resources) {
--              if (list_is_last(&window->node, &resources))
--                      break;
--
--              next = list_next_entry(window, node);
--              offset = window->offset;
--              res = window->res;
--              next_offset = next->offset;
--              next_res = next->res;
--
--              if (res->flags != next_res->flags || offset != next_offset)
--                      continue;
--
--              if (res->end + 1 == next_res->start) {
--                      next_res->start = res->start;
--                      res->flags = res->start = res->end = 0;
--              }
--      }
--
-       /* Add initial resources to the bus */
-       resource_list_for_each_entry_safe(window, n, &resources) {
--              offset = window->offset;
--              res = window->res;
--              if (!res->end)
--                      continue;
--
-               list_move_tail(&window->node, &bridge->windows);
-+              offset = window->offset;
-+              res = window->res;
-               if (res->flags & IORESOURCE_BUS)
-                       pci_bus_insert_busn_res(bus, bus->number, res->end);
diff --git a/patches/kernel/0008-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch b/patches/kernel/0008-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
new file mode 100644 (file)
index 0000000..b01e25b
--- /dev/null
@@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Date: Mon, 27 Sep 2021 17:44:59 +0200
+Subject: [PATCH] ocfs2: mount fails with buffer overflow in strlen
+
+Starting with kernel v5.11 mouting an ocfs2 filesystem with either o2cb
+or pcmk cluster stack fails with the trace below. Problem seems to be
+that strings for cluster stack and cluster name are not guaranteed to be
+null terminated in the disk representation, while strlcpy assumes that
+the source string is always null terminated. This causes a read outside
+of the source string triggering the buffer overflow detection.
+
+detected buffer overflow in strlen
+------------[ cut here ]------------
+kernel BUG at lib/string.c:1149!
+invalid opcode: 0000 [#1] SMP PTI
+CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1
+  Debian 5.14.6-2
+RIP: 0010:fortify_panic+0xf/0x11
+...
+Call Trace:
+ ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]
+ ocfs2_fill_super+0x359/0x19b0 [ocfs2]
+ mount_bdev+0x185/0x1b0
+ ? ocfs2_remount+0x440/0x440 [ocfs2]
+ legacy_get_tree+0x27/0x40
+ vfs_get_tree+0x25/0xb0
+ path_mount+0x454/0xa20
+ __x64_sys_mount+0x103/0x140
+ do_syscall_64+0x3b/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ fs/ocfs2/super.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
+index c86bd4e60e20..1dea535224df 100644
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2169,9 +2169,10 @@ static int ocfs2_initialize_super(struct super_block *sb,
+       if (ocfs2_clusterinfo_valid(osb)) {
+               osb->osb_stackflags =
+                       OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags;
+-              strlcpy(osb->osb_cluster_stack,
++              memcpy(osb->osb_cluster_stack,
+                      OCFS2_RAW_SB(di)->s_cluster_info.ci_stack,
+-                     OCFS2_STACK_LABEL_LEN + 1);
++                     OCFS2_STACK_LABEL_LEN);
++              osb->osb_cluster_stack[OCFS2_STACK_LABEL_LEN] = '\0';
+               if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) {
+                       mlog(ML_ERROR,
+                            "couldn't mount because of an invalid "
+@@ -2180,9 +2181,10 @@ static int ocfs2_initialize_super(struct super_block *sb,
+                       status = -EINVAL;
+                       goto bail;
+               }
+-              strlcpy(osb->osb_cluster_name,
++              memcpy(osb->osb_cluster_name,
+                       OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster,
+-                      OCFS2_CLUSTER_NAME_LEN + 1);
++                      OCFS2_CLUSTER_NAME_LEN);
++              osb->osb_cluster_name[OCFS2_CLUSTER_NAME_LEN] = '\0';
+       } else {
+               /* The empty string is identical with classic tools that
+                * don't know about s_cluster_info. */
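Review bot: Neither memcpy() in ocfs2_initialize_super() carries a comment saying why a raw byte copy is used, so a later cleanup could swap a string-copy helper back in and bring back the read past the on-disk field. A short comment above the first copy would do, e.g. `/* ci_stack and ci_cluster are fixed-width on-disk fields and may lack a NUL terminator; copy by length, then terminate. */`. The terminator stores at index `OCFS2_STACK_LABEL_LEN` and `OCFS2_CLUSTER_NAME_LEN` assume each destination array is one byte longer than the on-disk field. The removed `+ 1` size arguments suggest that, but the declarations are outside the hunk, so a `BUILD_BUG_ON(sizeof(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN + 1);` next to the copy (and the same for `osb_cluster_name`) would pin it. The function body starts and ends outside both hunks.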
diff --git a/patches/kernel/0009-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch b/patches/kernel/0009-PCI-Reinstate-PCI-Coalesce-host-bridge-contiguous-ap.patch
deleted file mode 100644 (file)
index de41df8..0000000
+++ /dev/null
@@ -1,111 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Date: Tue, 13 Jul 2021 20:50:07 +0800
-Subject: [PATCH] PCI: Reinstate "PCI: Coalesce host bridge contiguous
- apertures"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Built-in graphics on HP EliteDesk 805 G6 doesn't work because graphics
-can't get the BAR it needs:
-  pci_bus 0000:00: root bus resource [mem 0x10020200000-0x100303fffff window]
-  pci_bus 0000:00: root bus resource [mem 0x10030400000-0x100401fffff window]
-
-  pci 0000:00:08.1:   bridge window [mem 0xd2000000-0xd23fffff]
-  pci 0000:00:08.1:   bridge window [mem 0x10030000000-0x100401fffff 64bit pref]
-  pci 0000:00:08.1: can't claim BAR 15 [mem 0x10030000000-0x100401fffff 64bit pref]: no compatible bridge window
-  pci 0000:00:08.1: [mem 0x10030000000-0x100401fffff 64bit pref] clipped to [mem 0x10030000000-0x100303fffff 64bit pref]
-  pci 0000:00:08.1:   bridge window [mem 0x10030000000-0x100303fffff 64bit pref]
-  pci 0000:07:00.0: can't claim BAR 0 [mem 0x10030000000-0x1003fffffff 64bit pref]: no compatible bridge window
-  pci 0000:07:00.0: can't claim BAR 2 [mem 0x10040000000-0x100401fffff 64bit pref]: no compatible bridge window
-
-However, the root bus has two contiguous apertures that can contain the
-child resource requested.
-
-Coalesce contiguous apertures so we can allocate from the entire contiguous
-region.
-
-This is the second take of commit 65db04053efe ("PCI: Coalesce host
-bridge contiguous apertures"). The original approach sorts the apertures
-by address, but that makes NVMe stop working on QEMU ppc:sam460ex:
-  PCI host bridge to bus 0002:00
-  pci_bus 0002:00: root bus resource [io  0x0000-0xffff]
-  pci_bus 0002:00: root bus resource [mem 0xd80000000-0xdffffffff] (bus address [0x80000000-0xffffffff])
-  pci_bus 0002:00: root bus resource [mem 0xc0ee00000-0xc0eefffff] (bus address [0x00000000-0x000fffff])
-
-After the offending commit:
-  PCI host bridge to bus 0002:00
-  pci_bus 0002:00: root bus resource [io  0x0000-0xffff]
-  pci_bus 0002:00: root bus resource [mem 0xc0ee00000-0xc0eefffff] (bus address [0x00000000-0x000fffff])
-  pci_bus 0002:00: root bus resource [mem 0xd80000000-0xdffffffff] (bus address [0x80000000-0xffffffff])
-
-Since the apertures on HP EliteDesk 805 G6 are already in ascending
-order, doing a precautious sorting is not necessary.
-
-Remove the sorting part to avoid the regression on ppc:sam460ex.
-
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212013
-Cc: Guenter Roeck <linux@roeck-us.net>
-Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
-Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- drivers/pci/probe.c | 31 +++++++++++++++++++++++++++----
- 1 file changed, 27 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index be51670572fa..133f5d2b189d 100644
---- a/drivers/pci/probe.c
-+++ b/drivers/pci/probe.c
-@@ -877,11 +877,11 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus)
- static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- {
-       struct device *parent = bridge->dev.parent;
--      struct resource_entry *window, *n;
-+      struct resource_entry *window, *next, *n;
-       struct pci_bus *bus, *b;
--      resource_size_t offset;
-+      resource_size_t offset, next_offset;
-       LIST_HEAD(resources);
--      struct resource *res;
-+      struct resource *res, *next_res;
-       char addr[64], *fmt;
-       const char *name;
-       int err;
-@@ -959,11 +959,34 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
-       if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE)
-               dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n");
-+      /* Coalesce contiguous windows */
-+      resource_list_for_each_entry_safe(window, n, &resources) {
-+              if (list_is_last(&window->node, &resources))
-+                      break;
-+
-+              next = list_next_entry(window, node);
-+              offset = window->offset;
-+              res = window->res;
-+              next_offset = next->offset;
-+              next_res = next->res;
-+
-+              if (res->flags != next_res->flags || offset != next_offset)
-+                      continue;
-+
-+              if (res->end + 1 == next_res->start) {
-+                      next_res->start = res->start;
-+                      res->flags = res->start = res->end = 0;
-+              }
-+      }
-+
-       /* Add initial resources to the bus */
-       resource_list_for_each_entry_safe(window, n, &resources) {
--              list_move_tail(&window->node, &bridge->windows);
-               offset = window->offset;
-               res = window->res;
-+              if (!res->end)
-+                      continue;
-+
-+              list_move_tail(&window->node, &bridge->windows);
-               if (res->flags & IORESOURCE_BUS)
-                       pci_bus_insert_busn_res(bus, bus->number, res->end);
diff --git a/patches/kernel/0010-blk-mq-fix-kernel-panic-during-iterating-over-flush-.patch b/patches/kernel/0010-blk-mq-fix-kernel-panic-during-iterating-over-flush-.patch
deleted file mode 100644 (file)
index 49f7181..0000000
+++ /dev/null
@@ -1,75 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Ming Lei <ming.lei@redhat.com>
-Date: Fri, 10 Sep 2021 14:30:15 +0200
-Subject: [PATCH] blk-mq: fix kernel panic during iterating over flush request
-
-commit c2da19ed50554ce52ecbad3655c98371fe58599f upstream.
-
-For fixing use-after-free during iterating over requests, we grabbed
-request's refcount before calling ->fn in commit 2e315dc07df0 ("blk-mq:
-grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter").
-Turns out this way may cause kernel panic when iterating over one flush
-request:
-
-1) old flush request's tag is just released, and this tag is reused by
-one new request, but ->rqs[] isn't updated yet
-
-2) the flush request can be re-used for submitting one new flush command,
-so blk_rq_init() is called at the same time
-
-3) meantime blk_mq_queue_tag_busy_iter() is called, and old flush request
-is retrieved from ->rqs[tag]; when blk_mq_put_rq_ref() is called,
-flush_rq->end_io may not be updated yet, so NULL pointer dereference
-is triggered in blk_mq_put_rq_ref().
-
-Fix the issue by calling refcount_set(&flush_rq->ref, 1) after
-flush_rq->end_io is set. So far the only other caller of blk_rq_init() is
-scsi_ioctl_reset() in which the request doesn't enter block IO stack and
-the request reference count isn't used, so the change is safe.
-
-Fixes: 2e315dc07df0 ("blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter")
-Reported-by: "Blank-Burian, Markus, Dr." <blankburian@uni-muenster.de>
-Tested-by: "Blank-Burian, Markus, Dr." <blankburian@uni-muenster.de>
-Signed-off-by: Ming Lei <ming.lei@redhat.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Reviewed-by: John Garry <john.garry@huawei.com>
-Link: https://lore.kernel.org/r/20210811142624.618598-1-ming.lei@redhat.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Cc: Yi Zhang <yi.zhang@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- block/blk-core.c  | 1 -
- block/blk-flush.c | 8 ++++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/block/blk-core.c b/block/blk-core.c
-index 7663a9b94b80..debdf9b0bf30 100644
---- a/block/blk-core.c
-+++ b/block/blk-core.c
-@@ -121,7 +121,6 @@ void blk_rq_init(struct request_queue *q, struct request *rq)
-       rq->internal_tag = BLK_MQ_NO_TAG;
-       rq->start_time_ns = ktime_get_ns();
-       rq->part = NULL;
--      refcount_set(&rq->ref, 1);
-       blk_crypto_rq_set_defaults(rq);
- }
- EXPORT_SYMBOL(blk_rq_init);
-diff --git a/block/blk-flush.c b/block/blk-flush.c
-index e89d007dbf6a..8b11ab3b3762 100644
---- a/block/blk-flush.c
-+++ b/block/blk-flush.c
-@@ -329,6 +329,14 @@ static void blk_kick_flush(struct request_queue *q, struct blk_flush_queue *fq,
-       flush_rq->rq_flags |= RQF_FLUSH_SEQ;
-       flush_rq->rq_disk = first_rq->rq_disk;
-       flush_rq->end_io = flush_end_io;
-+      /*
-+       * Order WRITE ->end_io and WRITE rq->ref, and its pair is the one
-+       * implied in refcount_inc_not_zero() called from
-+       * blk_mq_find_and_get_req(), which orders WRITE/READ flush_rq->ref
-+       * and READ flush_rq->end_io
-+       */
-+      smp_wmb();
-+      refcount_set(&flush_rq->ref, 1);
-       blk_flush_queue_rq(flush_rq, false);
- }
diff --git a/patches/kernel/0011-blk-mq-fix-is_flush_rq.patch b/patches/kernel/0011-blk-mq-fix-is_flush_rq.patch
deleted file mode 100644 (file)
index ef526a3..0000000
+++ /dev/null
@@ -1,91 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Ming Lei <ming.lei@redhat.com>
-Date: Fri, 10 Sep 2021 14:30:16 +0200
-Subject: [PATCH] blk-mq: fix is_flush_rq
-
-commit a9ed27a764156929efe714033edb3e9023c5f321 upstream.
-
-is_flush_rq() is called from bt_iter()/bt_tags_iter(), and runs the
-following check:
-
-       hctx->fq->flush_rq == req
-
-but the passed hctx from bt_iter()/bt_tags_iter() may be NULL because:
-
-1) memory re-order in blk_mq_rq_ctx_init():
-
-       rq->mq_hctx = data->hctx;
-       ...
-       refcount_set(&rq->ref, 1);
-
-OR
-
-2) tag re-use and ->rqs[] isn't updated with new request.
-
-Fix the issue by re-writing is_flush_rq() as:
-
-       return rq->end_io == flush_end_io;
-
-which turns out simpler to follow and immune to data race since we have
-ordered WRITE rq->end_io and refcount_set(&rq->ref, 1).
-
-Fixes: 2e315dc07df0 ("blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter")
-Cc: "Blank-Burian, Markus, Dr." <blankburian@uni-muenster.de>
-Cc: Yufen Yu <yuyufen@huawei.com>
-Signed-off-by: Ming Lei <ming.lei@redhat.com>
-Link: https://lore.kernel.org/r/20210818010925.607383-1-ming.lei@redhat.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Cc: Yi Zhang <yi.zhang@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- block/blk-flush.c | 5 +++++
- block/blk-mq.c    | 2 +-
- block/blk.h       | 6 +-----
- 3 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/block/blk-flush.c b/block/blk-flush.c
-index 8b11ab3b3762..705ee6c99020 100644
---- a/block/blk-flush.c
-+++ b/block/blk-flush.c
-@@ -262,6 +262,11 @@ static void flush_end_io(struct request *flush_rq, blk_status_t error)
-       spin_unlock_irqrestore(&fq->mq_flush_lock, flags);
- }
-+bool is_flush_rq(struct request *rq)
-+{
-+      return rq->end_io == flush_end_io;
-+}
-+
- /**
-  * blk_kick_flush - consider issuing flush request
-  * @q: request_queue being kicked
-diff --git a/block/blk-mq.c b/block/blk-mq.c
-index cb619ec8aaf2..601e40204d06 100644
---- a/block/blk-mq.c
-+++ b/block/blk-mq.c
-@@ -937,7 +937,7 @@ static bool blk_mq_req_expired(struct request *rq, unsigned long *next)
- void blk_mq_put_rq_ref(struct request *rq)
- {
--      if (is_flush_rq(rq, rq->mq_hctx))
-+      if (is_flush_rq(rq))
-               rq->end_io(rq, 0);
-       else if (refcount_dec_and_test(&rq->ref))
-               __blk_mq_free_request(rq);
-diff --git a/block/blk.h b/block/blk.h
-index 7550364c326c..4a4ffd992790 100644
---- a/block/blk.h
-+++ b/block/blk.h
-@@ -43,11 +43,7 @@ static inline void __blk_get_queue(struct request_queue *q)
-       kobject_get(&q->kobj);
- }
--static inline bool
--is_flush_rq(struct request *req, struct blk_mq_hw_ctx *hctx)
--{
--      return hctx->fq->flush_rq == req;
--}
-+bool is_flush_rq(struct request *req);
- struct blk_flush_queue *blk_alloc_flush_queue(int node, int cmd_size,
-                                             gfp_t flags);
diff --git a/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch b/patches/kernel/0012-ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
deleted file mode 100644 (file)
index b01e25b..0000000
+++ /dev/null
@@ -1,68 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
-Date: Mon, 27 Sep 2021 17:44:59 +0200
-Subject: [PATCH] ocfs2: mount fails with buffer overflow in strlen
-
-Starting with kernel v5.11 mouting an ocfs2 filesystem with either o2cb
-or pcmk cluster stack fails with the trace below. Problem seems to be
-that strings for cluster stack and cluster name are not guaranteed to be
-null terminated in the disk representation, while strlcpy assumes that
-the source string is always null terminated. This causes a read outside
-of the source string triggering the buffer overflow detection.
-
-detected buffer overflow in strlen
-------------[ cut here ]------------
-kernel BUG at lib/string.c:1149!
-invalid opcode: 0000 [#1] SMP PTI
-CPU: 1 PID: 910 Comm: mount.ocfs2 Not tainted 5.14.0-1-amd64 #1
-  Debian 5.14.6-2
-RIP: 0010:fortify_panic+0xf/0x11
-...
-Call Trace:
- ocfs2_initialize_super.isra.0.cold+0xc/0x18 [ocfs2]
- ocfs2_fill_super+0x359/0x19b0 [ocfs2]
- mount_bdev+0x185/0x1b0
- ? ocfs2_remount+0x440/0x440 [ocfs2]
- legacy_get_tree+0x27/0x40
- vfs_get_tree+0x25/0xb0
- path_mount+0x454/0xa20
- __x64_sys_mount+0x103/0x140
- do_syscall_64+0x3b/0xc0
- entry_SYSCALL_64_after_hwframe+0x44/0xae
-
-Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- fs/ocfs2/super.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
-index c86bd4e60e20..1dea535224df 100644
---- a/fs/ocfs2/super.c
-+++ b/fs/ocfs2/super.c
-@@ -2169,9 +2169,10 @@ static int ocfs2_initialize_super(struct super_block *sb,
-       if (ocfs2_clusterinfo_valid(osb)) {
-               osb->osb_stackflags =
-                       OCFS2_RAW_SB(di)->s_cluster_info.ci_stackflags;
--              strlcpy(osb->osb_cluster_stack,
-+              memcpy(osb->osb_cluster_stack,
-                      OCFS2_RAW_SB(di)->s_cluster_info.ci_stack,
--                     OCFS2_STACK_LABEL_LEN + 1);
-+                     OCFS2_STACK_LABEL_LEN);
-+              osb->osb_cluster_stack[OCFS2_STACK_LABEL_LEN] = '\0';
-               if (strlen(osb->osb_cluster_stack) != OCFS2_STACK_LABEL_LEN) {
-                       mlog(ML_ERROR,
-                            "couldn't mount because of an invalid "
-@@ -2180,9 +2181,10 @@ static int ocfs2_initialize_super(struct super_block *sb,
-                       status = -EINVAL;
-                       goto bail;
-               }
--              strlcpy(osb->osb_cluster_name,
-+              memcpy(osb->osb_cluster_name,
-                       OCFS2_RAW_SB(di)->s_cluster_info.ci_cluster,
--                      OCFS2_CLUSTER_NAME_LEN + 1);
-+                      OCFS2_CLUSTER_NAME_LEN);
-+              osb->osb_cluster_name[OCFS2_CLUSTER_NAME_LEN] = '\0';
-       } else {
-               /* The empty string is identical with classic tools that
-                * don't know about s_cluster_info. */