diff --git a/0001-xen-balloon-add-late_initcall_sync-for-initial-ballo.patch b/0001-xen-balloon-add-late_initcall_sync-for-initial-ballo.patch deleted file mode 100644 index 2441b415..00000000 --- a/0001-xen-balloon-add-late_initcall_sync-for-initial-ballo.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 30dc0817d3982c77b4eb4d03889eabb49e182371 Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Thu, 28 Oct 2021 12:59:52 +0200 -Subject: [PATCH] xen/balloon: add late_initcall_sync() for initial ballooning - done - -When running as PVH or HVM guest with actual memory < max memory the -hypervisor is using "populate on demand" in order to allow the guest -to balloon down from its maximum memory size. For this to work -correctly the guest must not touch more memory pages than its target -memory size as otherwise the PoD cache will be exhausted and the guest -is crashed as a result of that. - -In extreme cases ballooning down might not be finished today before -the init process is started, which can consume lots of memory. - -In order to avoid random boot crashes in such cases, add a late init -call to wait for ballooning down having finished for PVH/HVM guests. - -Cc: -Reported-by: Marek Marczykowski-Górecki -Signed-off-by: Juergen Gross ---- - drivers/xen/balloon.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c -index 1911a62a6d9c..60314e69f7fa 100644 ---- a/drivers/xen/balloon.c -+++ b/drivers/xen/balloon.c -@@ -765,3 +765,23 @@ static int __init balloon_init(void) - return 0; - } - subsys_initcall(balloon_init); -+ -+static int __init balloon_wait_finish(void) -+{ -+ if (!xen_domain()) -+ return -ENODEV; -+ -+ /* PV guests don't need to wait. */ -+ if (xen_pv_domain() || !current_credit()) -+ return 0; -+ -+ pr_info("Waiting for initial ballooning down having finished.\n"); -+ -+ while (current_credit()) -+ schedule_timeout_interruptible(HZ / 10); -+ -+ pr_info("Initial ballooning down finished.\n"); -+ -+ return 0; -+} -+late_initcall_sync(balloon_wait_finish); --- -2.31.1 - diff --git a/0001-xen-netfront-detach-crash.patch b/0001-xen-netfront-detach-crash.patch index 071cf9ba..e1773c0a 100644 --- a/0001-xen-netfront-detach-crash.patch +++ b/0001-xen-netfront-detach-crash.patch @@ -20,8 +20,8 @@ index 482c6c8b0fb7..8f0a790ec5e7 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -1138,9 +1138,10 @@ static void xennet_release_tx_bufs(struct netfront_queue *queue) - - skb = queue->tx_skbs[i].skb; + skb = queue->tx_skbs[i]; + queue->tx_skbs[i] = NULL; get_page(queue->grant_tx_page[i]); - gnttab_end_foreign_access(queue->grant_tx_ref[i], - GNTMAP_readonly, @@ -32,7 +32,7 @@ index 482c6c8b0fb7..8f0a790ec5e7 100644 + &queue->gref_tx_head, queue->grant_tx_ref[i]); queue->grant_tx_page[i] = NULL; queue->grant_tx_ref[i] = GRANT_INVALID_REF; - add_id_to_freelist(&queue->tx_skb_freelist, queue->tx_skbs, i); + add_id_to_list(&queue->tx_skb_freelist, queue->tx_link, i); -- 2.25.4 diff --git a/0006-block-add-no_part_scan-module-parameter.patch b/0006-block-add-no_part_scan-module-parameter.patch index 55f13a59..d867ef9b 100644 --- a/0006-block-add-no_part_scan-module-parameter.patch +++ b/0006-block-add-no_part_scan-module-parameter.patch @@ -19,7 +19,7 @@ index 06b642b23a07..15769cadd687 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -784,6 +784,15 @@ static void register_disk(struct device *parent, struct gendisk *disk, - } + blkdev_put(bdev, FMODE_READ); } +/* copied (not moved) from far down below, to have fewer patch hunks */ @@ -32,11 +32,11 @@ index 06b642b23a07..15769cadd687 100644 +MODULE_PARM_DESC(no_part_scan, "When adding block devices, always mark them as not to be scanned for partitions"); + /** - * __device_add_disk - add disk information to kernel list + * device_add_disk - add disk information to kernel list * @parent: parent device for the disk @@ -812,6 +821,9 @@ static void __device_add_disk(struct device *parent, struct gendisk *disk, - if (register_queue) - elevator_init_mq(disk->queue); + */ + elevator_init_mq(disk->queue); + if (disk_no_part_scan) + disk->flags |= GENHD_FL_NO_PART_SCAN; diff --git a/0008-xen-netfront-copy-response-out-of-shared-buffer-befo.patch b/0008-xen-netfront-copy-response-out-of-shared-buffer-befo.patch deleted file mode 100644 index 7f921398..00000000 --- a/0008-xen-netfront-copy-response-out-of-shared-buffer-befo.patch +++ /dev/null @@ -1,203 +0,0 @@ -From 208d5b6749fd378f88cf29b437bed56a2a193558 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= - -Date: Wed, 16 Dec 2015 05:09:55 +0100 -Subject: [PATCH] xen-netfront: copy response out of shared buffer before - accessing it -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Make local copy of the response, otherwise backend might modify it while -frontend is already processing it - leading to time of check / time of -use issue. - -Signed-off-by: Marek Marczykowski-Górecki ---- - drivers/net/xen-netfront.c | 51 +++++++++++++++++++------------------- - 1 file changed, 25 insertions(+), 26 deletions(-) - -diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c -index 8f0a790ec5e7..abb9b3cd87b8 100644 ---- a/drivers/net/xen-netfront.c -+++ b/drivers/net/xen-netfront.c -@@ -385,13 +385,13 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue) - rmb(); /* Ensure we see responses up to 'rp'. */ - - for (cons = queue->tx.rsp_cons; cons != prod; cons++) { -- struct xen_netif_tx_response *txrsp; -+ struct xen_netif_tx_response txrsp; - -- txrsp = RING_GET_RESPONSE(&queue->tx, cons); -- if (txrsp->status == XEN_NETIF_RSP_NULL) -+ RING_COPY_RESPONSE(&queue->tx, cons, &txrsp); -+ if (txrsp.status == XEN_NETIF_RSP_NULL) - continue; - -- id = txrsp->id; -+ id = txrsp.id; - skb = queue->tx_skbs[id].skb; - if (unlikely(gnttab_query_foreign_access( - queue->grant_tx_ref[id]) != 0)) { -@@ -739,7 +739,7 @@ static int xennet_get_extras(struct netfront_queue *queue, - RING_IDX rp) - - { -- struct xen_netif_extra_info *extra; -+ struct xen_netif_extra_info extra; - struct device *dev = &queue->info->netdev->dev; - RING_IDX cons = queue->rx.rsp_cons; - int err = 0; -@@ -755,24 +755,23 @@ static int xennet_get_extras(struct netfront_queue *queue, - break; - } - -- extra = (struct xen_netif_extra_info *) -- RING_GET_RESPONSE(&queue->rx, ++cons); -+ RING_COPY_RESPONSE(&queue->rx, ++cons, &extra); - -- if (unlikely(!extra->type || -- extra->type >= XEN_NETIF_EXTRA_TYPE_MAX)) { -+ if (unlikely(!extra.type || -+ extra.type >= XEN_NETIF_EXTRA_TYPE_MAX)) { - if (net_ratelimit()) - dev_warn(dev, "Invalid extra type: %d\n", -- extra->type); -+ extra.type); - err = -EINVAL; - } else { -- memcpy(&extras[extra->type - 1], extra, -- sizeof(*extra)); -+ memcpy(&extras[extra.type - 1], &extra, -+ sizeof(extra)); - } - - skb = xennet_get_rx_skb(queue, cons); - ref = xennet_get_rx_ref(queue, cons); - xennet_move_rx_slot(queue, skb, ref); -- } while (extra->flags & XEN_NETIF_EXTRA_FLAG_MORE); -+ } while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE); - - queue->rx.rsp_cons = cons; - return err; -@@ -782,39 +781,39 @@ static int xennet_get_responses(struct netfront_queue *queue, - struct sk_buff_head *list, - bool *need_xdp_flush) - { -- struct xen_netif_rx_response *rx = &rinfo->rx; -+ struct xen_netif_rx_response rx = rinfo->rx; -- int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD); -+ int max = XEN_NETIF_NR_SLOTS_MIN + (rx.status <= RX_COPY_THRESHOLD); - RING_IDX cons = queue->rx.rsp_cons; - struct sk_buff *skb = xennet_get_rx_skb(queue, cons); - struct xen_netif_extra_info *extras = rinfo->extras; - grant_ref_t ref = xennet_get_rx_ref(queue, cons); - struct device *dev = &queue->info->netdev->dev; - struct bpf_prog *xdp_prog; - struct xdp_buff xdp; - unsigned long ret; - int slots = 1; - int err = 0; - u32 verdict; - -- if (rx->flags & XEN_NETRXF_extra_info) { -+ if (rx.flags & XEN_NETRXF_extra_info) { - err = xennet_get_extras(queue, extras, rp); - if (!err) { - if (extras[XEN_NETIF_EXTRA_TYPE_XDP - 1].type) { - struct xen_netif_extra_info *xdp; - - xdp = &extras[XEN_NETIF_EXTRA_TYPE_XDP - 1]; -- rx->offset = xdp->u.xdp.headroom; -+ rx.offset = xdp->u.xdp.headroom; - } - } - cons = queue->rx.rsp_cons; - } - - for (;;) { -- if (unlikely(rx->status < 0 || -- rx->offset + rx->status > XEN_PAGE_SIZE)) { -+ if (unlikely(rx.status < 0 || -+ rx.offset + rx.status > XEN_PAGE_SIZE)) { - if (net_ratelimit()) - dev_warn(dev, "rx->offset: %u, size: %d\n", -- rx->offset, rx->status); -+ rx.offset, rx.status); - xennet_move_rx_slot(queue, skb, ref); - err = -EINVAL; - goto next; -@@ -817,7 +816,7 @@ static int xennet_get_responses(struct netfront_queue *queue, - if (ref == GRANT_INVALID_REF) { - if (net_ratelimit()) - dev_warn(dev, "Bad rx response id %d.\n", -- rx->id); -+ rx.id); - err = -EINVAL; - goto next; - } -@@ -825,11 +825,11 @@ static int xennet_get_responses(struct netfront_queue *queue, - rcu_read_lock(); - xdp_prog = rcu_dereference(queue->xdp_prog); - if (xdp_prog) { -- if (!(rx->flags & XEN_NETRXF_more_data)) { -+ if (!(rx.flags & XEN_NETRXF_more_data)) { - /* currently only a single page contains data */ - verdict = xennet_run_xdp(queue, - skb_frag_page(&skb_shinfo(skb)->frags[0]), -- rx, xdp_prog, &xdp, need_xdp_flush); -+ &rx, xdp_prog, &xdp, need_xdp_flush); - if (verdict != XDP_PASS) - err = -EINVAL; - } else { -@@ -830,7 +829,7 @@ static int xennet_get_responses(struct netfront_queue *queue, - rcu_read_unlock(); - next: - __skb_queue_tail(list, skb); -- if (!(rx->flags & XEN_NETRXF_more_data)) -+ if (!(rx.flags & XEN_NETRXF_more_data)) - break; - - if (cons + slots == rp) { -@@ -840,7 +839,7 @@ static int xennet_get_responses(struct netfront_queue *queue, - break; - } - -- rx = RING_GET_RESPONSE(&queue->rx, cons + slots); -+ RING_COPY_RESPONSE(&queue->rx, cons + slots, &rx); - skb = xennet_get_rx_skb(queue, cons + slots); - ref = xennet_get_rx_ref(queue, cons + slots); - slots++; -@@ -895,9 +894,9 @@ static int xennet_fill_frags(struct netfront_queue *queue, - struct sk_buff *nskb; - - while ((nskb = __skb_dequeue(list))) { -- struct xen_netif_rx_response *rx = -- RING_GET_RESPONSE(&queue->rx, ++cons); -+ struct xen_netif_rx_response rx; - skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0]; -+ RING_COPY_RESPONSE(&queue->rx, ++cons, &rx); - - if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) { - unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; -@@ -913,7 +912,7 @@ static int xennet_fill_frags(struct netfront_queue *queue, - - skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, - skb_frag_page(nfrag), -- rx->offset, rx->status, PAGE_SIZE); -+ rx.offset, rx.status, PAGE_SIZE); - - skb_shinfo(nskb)->nr_frags = 0; - kfree_skb(nskb); -@@ -1011,7 +1010,7 @@ static int xennet_poll(struct napi_struct *napi, int budget) - i = queue->rx.rsp_cons; - work_done = 0; - while ((i != rp) && (work_done < budget)) { -- memcpy(rx, RING_GET_RESPONSE(&queue->rx, i), sizeof(*rx)); -+ RING_COPY_RESPONSE(&queue->rx, i, rx); - memset(extras, 0, sizeof(rinfo.extras)); - - err = xennet_get_responses(queue, &rinfo, rp, &tmpq, --- -2.25.4 - diff --git a/0009-xen-netfront-do-not-use-data-already-exposed-to-back.patch b/0009-xen-netfront-do-not-use-data-already-exposed-to-back.patch deleted file mode 100644 index 5ece5b1d..00000000 --- a/0009-xen-netfront-do-not-use-data-already-exposed-to-back.patch +++ /dev/null @@ -1,64 +0,0 @@ -From c54a7e94c045efe8f0ddda410fc00049a11d5f34 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= - -Date: Wed, 16 Dec 2015 05:19:37 +0100 -Subject: [PATCH] xen-netfront: do not use data already exposed to backend -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Backend may freely modify anything on shared page, so use data which was -supposed to be written there, instead of reading it back from the shared -page. - -This is part of XSA155. - -CC: stable@vger.kernel.org -Signed-off-by: Marek Marczykowski-Górecki ---- - drivers/net/xen-netfront.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c -index abb9b3cd87b8..56c8a4a32672 100644 ---- a/drivers/net/xen-netfront.c -+++ b/drivers/net/xen-netfront.c -@@ -456,7 +456,7 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset, - tx->flags = 0; - - info->tx = tx; -- info->size += tx->size; -+ info->size += len; - } - - static struct xen_netif_tx_request *xennet_make_first_txreq( -@@ -572,7 +572,7 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev - int slots; - struct page *page; - unsigned int offset; -- unsigned int len; -+ unsigned int len, this_len; - unsigned long flags; - struct netfront_queue *queue = NULL; - unsigned int num_queues = dev->real_num_tx_queues; -@@ -632,14 +632,15 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev - } - - /* First request for the linear area. */ -+ this_len = min_t(unsigned int, XEN_PAGE_SIZE - offset, len); - first_tx = tx = xennet_make_first_txreq(queue, skb, - page, offset, len); -- offset += tx->size; -+ offset += this_len; - if (offset == PAGE_SIZE) { - page++; - offset = 0; - } -- len -= tx->size; -+ len -= this_len; - - if (skb->ip_summed == CHECKSUM_PARTIAL) - /* local packet? */ --- -2.25.4 - diff --git a/0010-xen-netfront-add-range-check-for-Tx-response-id.patch b/0010-xen-netfront-add-range-check-for-Tx-response-id.patch deleted file mode 100644 index 60908a27..00000000 --- a/0010-xen-netfront-add-range-check-for-Tx-response-id.patch +++ /dev/null @@ -1,35 +0,0 @@ -From e300ecb886bfb5ee571d28eb06a679a87d8845e9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= - -Date: Wed, 16 Dec 2015 05:22:24 +0100 -Subject: [PATCH] xen-netfront: add range check for Tx response id -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Tx response ID is fetched from shared page, so make sure it is sane -before using it as an array index. - -This is part of XSA155. - -CC: stable@vger.kernel.org -Signed-off-by: Marek Marczykowski-Górecki ---- - drivers/net/xen-netfront.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c -index 56c8a4a32672..e11df925c0dc 100644 ---- a/drivers/net/xen-netfront.c -+++ b/drivers/net/xen-netfront.c -@@ -392,6 +392,7 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue) - continue; - - id = txrsp.id; -+ BUG_ON(id >= NET_TX_RING_SIZE); - skb = queue->tx_skbs[id].skb; - if (unlikely(gnttab_query_foreign_access( - queue->grant_tx_ref[id]) != 0)) { --- -2.25.4 - diff --git a/0011-xen-blkfront-make-local-copy-of-response-before-usin.patch b/0011-xen-blkfront-make-local-copy-of-response-before-usin.patch deleted file mode 100644 index a9c95418..00000000 --- a/0011-xen-blkfront-make-local-copy-of-response-before-usin.patch +++ /dev/null @@ -1,128 +0,0 @@ -From cf4f8d62af083a8006a5e437fe02ea27628aa613 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= - -Date: Wed, 16 Dec 2015 05:51:10 +0100 -Subject: [PATCH] xen-blkfront: make local copy of response before using it -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Data on the shared page can be changed at any time by the backend. Make -a local copy, which is no longer controlled by the backend. And only -then access it. - -This is part of XSA155. - -CC: stable@vger.kernel.org -Signed-off-by: Marek Marczykowski-Górecki ---- - drivers/block/xen-blkfront.c | 34 +++++++++++++++++----------------- - 1 file changed, 17 insertions(+), 17 deletions(-) - -diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c -index 1052b95bc9a9..60e4c6f36ba3 100644 ---- a/drivers/block/xen-blkfront.c -+++ b/drivers/block/xen-blkfront.c -@@ -1561,7 +1561,7 @@ static bool blkif_completion(unsigned long *id, - static irqreturn_t blkif_interrupt(int irq, void *dev_id) - { - struct request *req; -- struct blkif_response *bret; -+ struct blkif_response bret; - RING_IDX i, rp; - unsigned long flags; - struct blkfront_ring_info *rinfo = (struct blkfront_ring_info *)dev_id; -@@ -1578,8 +1578,8 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id) - for (i = rinfo->ring.rsp_cons; i != rp; i++) { - unsigned long id; - -- bret = RING_GET_RESPONSE(&rinfo->ring, i); -- id = bret->id; -+ RING_COPY_RESPONSE(&rinfo->ring, i, &bret); -+ id = bret.id; - /* - * The backend has messed up and given us an id that we would - * never have given to it (we stamp it up to BLK_RING_SIZE - -@@ -1587,39 +1587,39 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id) - */ - if (id >= BLK_RING_SIZE(info)) { - WARN(1, "%s: response to %s has incorrect id (%ld)\n", -- info->gd->disk_name, op_name(bret->operation), id); -+ info->gd->disk_name, op_name(bret.operation), id); - /* We can't safely get the 'struct request' as - * the id is busted. */ - continue; - } - req = rinfo->shadow[id].request; - -- if (bret->operation != BLKIF_OP_DISCARD) { -+ if (bret.operation != BLKIF_OP_DISCARD) { - /* - * We may need to wait for an extra response if the - * I/O request is split in 2 - */ -- if (!blkif_completion(&id, rinfo, bret)) -+ if (!blkif_completion(&id, rinfo, &bret)) - continue; - } - - if (add_id_to_freelist(rinfo, id)) { - WARN(1, "%s: response to %s (id %ld) couldn't be recycled!\n", -- info->gd->disk_name, op_name(bret->operation), id); -+ info->gd->disk_name, op_name(bret.operation), id); - continue; - } - -- if (bret->status == BLKIF_RSP_OKAY) -+ if (bret.status == BLKIF_RSP_OKAY) - blkif_req(req)->error = BLK_STS_OK; - else - blkif_req(req)->error = BLK_STS_IOERR; - -- switch (bret->operation) { -+ switch (bret.operation) { - case BLKIF_OP_DISCARD: -- if (unlikely(bret->status == BLKIF_RSP_EOPNOTSUPP)) { -+ if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) { - struct request_queue *rq = info->rq; - printk(KERN_WARNING "blkfront: %s: %s op failed\n", -- info->gd->disk_name, op_name(bret->operation)); -+ info->gd->disk_name, op_name(bret.operation)); - blkif_req(req)->error = BLK_STS_NOTSUPP; - info->feature_discard = 0; - info->feature_secdiscard = 0; -@@ -1629,15 +1629,15 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id) - break; - case BLKIF_OP_FLUSH_DISKCACHE: - case BLKIF_OP_WRITE_BARRIER: -- if (unlikely(bret->status == BLKIF_RSP_EOPNOTSUPP)) { -+ if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) { - printk(KERN_WARNING "blkfront: %s: %s op failed\n", -- info->gd->disk_name, op_name(bret->operation)); -+ info->gd->disk_name, op_name(bret.operation)); - blkif_req(req)->error = BLK_STS_NOTSUPP; - } -- if (unlikely(bret->status == BLKIF_RSP_ERROR && -+ if (unlikely(bret.status == BLKIF_RSP_ERROR && - rinfo->shadow[id].req.u.rw.nr_segments == 0)) { - printk(KERN_WARNING "blkfront: %s: empty %s op failed\n", -- info->gd->disk_name, op_name(bret->operation)); -+ info->gd->disk_name, op_name(bret.operation)); - blkif_req(req)->error = BLK_STS_NOTSUPP; - } - if (unlikely(blkif_req(req)->error)) { -@@ -1650,9 +1650,9 @@ static irqreturn_t blkif_interrupt(int irq, void *dev_id) - fallthrough; - case BLKIF_OP_READ: - case BLKIF_OP_WRITE: -- if (unlikely(bret->status != BLKIF_RSP_OKAY)) -+ if (unlikely(bret.status != BLKIF_RSP_OKAY)) - dev_dbg(&info->xbdev->dev, "Bad return from blkdev data " -- "request: %x\n", bret->status); -+ "request: %x\n", bret.status); - - break; - default: --- -2.25.4 - diff --git a/0012-xen-blkfront-prepare-request-locally-only-then-put-i.patch b/0012-xen-blkfront-prepare-request-locally-only-then-put-i.patch deleted file mode 100644 index d20166bf..00000000 --- a/0012-xen-blkfront-prepare-request-locally-only-then-put-i.patch +++ /dev/null @@ -1,191 +0,0 @@ -From 5437e2aca7e2afdbd502075382833fca2d01ec57 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= - -Date: Wed, 16 Dec 2015 06:07:14 +0100 -Subject: [PATCH] xen-blkfront: prepare request locally, only then put it on - the shared ring -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Do not reuse data which theoretically might be already modified by the -backend. This is mostly about private copy of the request -(info->shadow[id].req) - make sure the request saved there is really the -one just filled. - -This is part of XSA155. - -CC: stable@vger.kernel.org -Signed-off-by: Marek Marczykowski-Górecki ---- - drivers/block/xen-blkfront.c | 76 +++++++++++++++++++++--------------- - 1 file changed, 44 insertions(+), 32 deletions(-) - -diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c -index 60e4c6f36ba3..3a5f111fd5e8 100644 ---- a/drivers/block/xen-blkfront.c -+++ b/drivers/block/xen-blkfront.c -@@ -538,19 +538,16 @@ static int blkif_ioctl(struct block_device *bdev, fmode_t mode, - - static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo, - struct request *req, -- struct blkif_request **ring_req) -+ struct blkif_request *ring_req) - { - unsigned long id; - -- *ring_req = RING_GET_REQUEST(&rinfo->ring, rinfo->ring.req_prod_pvt); -- rinfo->ring.req_prod_pvt++; -- - id = get_id_from_freelist(rinfo); - rinfo->shadow[id].request = req; - rinfo->shadow[id].status = REQ_WAITING; - rinfo->shadow[id].associated_id = NO_ASSOCIATED_ID; - -- (*ring_req)->u.rw.id = id; -+ ring_req->u.rw.id = id; - - return id; - } -@@ -558,23 +555,28 @@ static unsigned long blkif_ring_get_request(struct blkfront_ring_info *rinfo, - static int blkif_queue_discard_req(struct request *req, struct blkfront_ring_info *rinfo) - { - struct blkfront_info *info = rinfo->dev_info; -- struct blkif_request *ring_req; -+ struct blkif_request ring_req = { 0 }; - unsigned long id; - - /* Fill out a communications ring structure. */ - id = blkif_ring_get_request(rinfo, req, &ring_req); - -- ring_req->operation = BLKIF_OP_DISCARD; -- ring_req->u.discard.nr_sectors = blk_rq_sectors(req); -- ring_req->u.discard.id = id; -- ring_req->u.discard.sector_number = (blkif_sector_t)blk_rq_pos(req); -+ ring_req.operation = BLKIF_OP_DISCARD; -+ ring_req.u.discard.nr_sectors = blk_rq_sectors(req); -+ ring_req.u.discard.id = id; -+ ring_req.u.discard.sector_number = (blkif_sector_t)blk_rq_pos(req); - if (req_op(req) == REQ_OP_SECURE_ERASE && info->feature_secdiscard) -- ring_req->u.discard.flag = BLKIF_DISCARD_SECURE; -+ ring_req.u.discard.flag = BLKIF_DISCARD_SECURE; - else -- ring_req->u.discard.flag = 0; -+ ring_req.u.discard.flag = 0; -+ -+ /* make the request available to the backend */ -+ *RING_GET_REQUEST(&rinfo->ring, rinfo->ring.req_prod_pvt) = ring_req; -+ wmb(); -+ rinfo->ring.req_prod_pvt++; - - /* Keep a private copy so we can reissue requests when recovering. */ -- rinfo->shadow[id].req = *ring_req; -+ rinfo->shadow[id].req = ring_req; - - return 0; - } -@@ -706,7 +708,7 @@ static void blkif_setup_extra_req(struct blkif_request *first, - static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *rinfo) - { - struct blkfront_info *info = rinfo->dev_info; -- struct blkif_request *ring_req, *extra_ring_req = NULL; -+ struct blkif_request ring_req = { 0 }, extra_ring_req = { 0 }; - unsigned long id, extra_id = NO_ASSOCIATED_ID; - bool require_extra_req = false; - int i; -@@ -771,16 +773,16 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri - * BLKIF_OP_WRITE - */ - BUG_ON(req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA); -- ring_req->operation = BLKIF_OP_INDIRECT; -- ring_req->u.indirect.indirect_op = rq_data_dir(req) ? -+ ring_req.operation = BLKIF_OP_INDIRECT; -+ ring_req.u.indirect.indirect_op = rq_data_dir(req) ? - BLKIF_OP_WRITE : BLKIF_OP_READ; -- ring_req->u.indirect.sector_number = (blkif_sector_t)blk_rq_pos(req); -- ring_req->u.indirect.handle = info->handle; -- ring_req->u.indirect.nr_segments = num_grant; -+ ring_req.u.indirect.sector_number = (blkif_sector_t)blk_rq_pos(req); -+ ring_req.u.indirect.handle = info->handle; -+ ring_req.u.indirect.nr_segments = num_grant; - } else { -- ring_req->u.rw.sector_number = (blkif_sector_t)blk_rq_pos(req); -- ring_req->u.rw.handle = info->handle; -- ring_req->operation = rq_data_dir(req) ? -+ ring_req.u.rw.sector_number = (blkif_sector_t)blk_rq_pos(req); -+ ring_req.u.rw.handle = info->handle; -+ ring_req.operation = rq_data_dir(req) ? - BLKIF_OP_WRITE : BLKIF_OP_READ; - if (req_op(req) == REQ_OP_FLUSH || req->cmd_flags & REQ_FUA) { - /* -@@ -791,15 +793,15 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri - * since it is guaranteed ordered WRT previous writes.) - */ - if (info->feature_flush && info->feature_fua) -- ring_req->operation = -+ ring_req.operation = - BLKIF_OP_WRITE_BARRIER; - else if (info->feature_flush) -- ring_req->operation = -+ ring_req.operation = - BLKIF_OP_FLUSH_DISKCACHE; - else -- ring_req->operation = 0; -+ ring_req.operation = 0; - } -- ring_req->u.rw.nr_segments = num_grant; -+ ring_req.u.rw.nr_segments = num_grant; - if (unlikely(require_extra_req)) { - extra_id = blkif_ring_get_request(rinfo, req, - &extra_ring_req); -@@ -809,7 +811,7 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri - */ - rinfo->shadow[extra_id].num_sg = 0; - -- blkif_setup_extra_req(ring_req, extra_ring_req); -+ blkif_setup_extra_req(&ring_req, &extra_ring_req); - - /* Link the 2 requests together */ - rinfo->shadow[extra_id].associated_id = id; -@@ -817,12 +819,12 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri - } - } - -- setup.ring_req = ring_req; -+ setup.ring_req = &ring_req; - setup.id = id; - - setup.require_extra_req = require_extra_req; - if (unlikely(require_extra_req)) -- setup.extra_ring_req = extra_ring_req; -+ setup.extra_ring_req = &extra_ring_req; - - for_each_sg(rinfo->shadow[id].sg, sg, num_sg, i) { - BUG_ON(sg->offset + sg->length > PAGE_SIZE); -@@ -844,10 +846,20 @@ static int blkif_queue_rw_req(struct request *req, struct blkfront_ring_info *ri - if (setup.segments) - kunmap_atomic(setup.segments); - -+ /* make the request available to the backend */ -+ *RING_GET_REQUEST(&rinfo->ring, rinfo->ring.req_prod_pvt) = ring_req; -+ wmb(); -+ rinfo->ring.req_prod_pvt++; - /* Keep a private copy so we can reissue requests when recovering. */ -- rinfo->shadow[id].req = *ring_req; -- if (unlikely(require_extra_req)) -- rinfo->shadow[extra_id].req = *extra_ring_req; -+ rinfo->shadow[id].req = ring_req; -+ -+ if (unlikely(require_extra_req)) { -+ *RING_GET_REQUEST(&rinfo->ring, rinfo->ring.req_prod_pvt) = extra_ring_req; -+ wmb(); -+ rinfo->ring.req_prod_pvt++; -+ /* Keep a private copy so we can reissue requests when recovering. */ -+ rinfo->shadow[extra_id].req = extra_ring_req; -+ } - - if (new_persistent_gnts) - gnttab_free_grant_references(setup.gref_head); --- -2.25.4 - diff --git a/kernel.spec.in b/kernel.spec.in index bcf80ca4..c20c1ce3 100644 --- a/kernel.spec.in +++ b/kernel.spec.in @@ -123,15 +123,9 @@ Patch1: 0002-mce-hide-EBUSY-initialization-error-on-Xen.patch Patch2: 0003-Log-error-code-of-EVTCHNOP_bind_pirq-failure.patch Patch3: 0004-pvops-respect-removable-xenstore-flag-for-block-devi.patch Patch5: 0006-block-add-no_part_scan-module-parameter.patch -Patch7: 0008-xen-netfront-copy-response-out-of-shared-buffer-befo.patch -Patch8: 0009-xen-netfront-do-not-use-data-already-exposed-to-back.patch -Patch9: 0010-xen-netfront-add-range-check-for-Tx-response-id.patch -Patch10: 0011-xen-blkfront-make-local-copy-of-response-before-usin.patch -Patch11: 0012-xen-blkfront-prepare-request-locally-only-then-put-i.patch Patch12: 0013-xen-pcifront-pciback-Update-pciif.h-with-err-and-res.patch Patch14: 0001-Revert-xen-netback-Check-for-hotplug-status-existenc.patch Patch15: 0002-Revert-xen-netback-remove-hotplug-status-once-it-has.patch -Patch16: 0001-xen-balloon-add-late_initcall_sync-for-initial-ballo.patch %description Qubes Dom0 kernel.