This is the start of the stable review cycle for the 5.5.4 release.
There are 120 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.5.4-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.5.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 5.5.4-rc1
Nicolai Stange <[email protected]>
libertas: make lbs_ibss_join_existing() return error code on rates overflow
Nicolai Stange <[email protected]>
libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
Qing Xu <[email protected]>
mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
Qing Xu <[email protected]>
mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
Chuhong Yuan <[email protected]>
dmaengine: axi-dmac: add a check for devm_regmap_init_mmio
Jerome Brunet <[email protected]>
clk: meson: g12a: fix missing uart2 in regmap table
Bartosz Golaszewski <[email protected]>
mfd: max77650: Select REGMAP_IRQ in Kconfig
Ben Whitten <[email protected]>
regmap: fix writes to non incrementing registers
Stephen Boyd <[email protected]>
pinctrl: qcom: Don't lock around irq_set_irq_wake()
Geert Uytterhoeven <[email protected]>
pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B
Geert Uytterhoeven <[email protected]>
pinctrl: sh-pfc: r8a77965: Fix DU_DOTCLKIN3 drive/bias control
Andy Shevchenko <[email protected]>
pinctrl: baytrail: Allocate IRQ chip dynamic
Stephen Smalley <[email protected]>
selinux: fix regression introduced by move_mount(2) syscall
Stephen Smalley <[email protected]>
selinux: revert "stop passing MAY_NOT_BLOCK to the AVC upon follow_link"
Dave Hansen <[email protected]>
x86/alternatives: add missing insn.h include
Coly Li <[email protected]>
bcache: avoid unnecessary btree nodes flushing in btree_flush_write()
Shengjiu Wang <[email protected]>
ASoC: soc-generic-dmaengine-pcm: Fix error handling
Beniamin Bia <[email protected]>
dt-bindings: iio: adc: ad7606: Fix wrong maxItems value
Raul E Rangel <[email protected]>
i2c: cros-ec-tunnel: Fix ACPI identifier
Akshu Agrawal <[email protected]>
i2c: cros-ec-tunnel: Fix slave device enumeration
Gustavo A. R. Silva <[email protected]>
media: i2c: adv748x: Fix unsafe macros
Christophe Roullier <[email protected]>
drivers: watchdog: stm32_iwdg: set WDOG_HW_RUNNING at probe
Horia Geantă <[email protected]>
crypto: caam/qi2 - fix typo in algorithm's driver name
Eric Biggers <[email protected]>
crypto: atmel-sha - fix error handling when setting hmac key
Eric Biggers <[email protected]>
crypto: artpec6 - return correct error code for failed setkey()
Eric Biggers <[email protected]>
crypto: testmgr - don't try to decrypt uninitialized buffers
YueHaibing <[email protected]>
mtd: sharpslpart: Fix unsigned comparison to zero
Nathan Chancellor <[email protected]>
mtd: onenand_base: Adjust indentation in onenand_read_ops_nolock
Russell King <[email protected]>
arm64: kvm: Fix IDMAP overlap with HYP VA
Suzuki K Poulose <[email protected]>
arm64: nofpsmid: Handle TIF_FOREIGN_FPSTATE flag cleanly
Alexandru Elisei <[email protected]>
KVM: arm64: Treat emulated TVAL TimerValue as a signed 32-bit integer
Eric Auger <[email protected]>
KVM: arm64: pmu: Fix chained SW_INCR counters
Eric Auger <[email protected]>
KVM: arm64: pmu: Don't increment SW_INCR if PMCR.E is unset
James Morse <[email protected]>
KVM: arm: Make inject_abt32() inject an external abort instead
James Morse <[email protected]>
KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests
Gavin Shan <[email protected]>
KVM: arm/arm64: Fix young bit from mmu notifier
Ard Biesheuvel <[email protected]>
crypto: arm/chacha - fix build failured when kernel mode NEON is disabled
Suzuki K Poulose <[email protected]>
arm64: ptrace: nofpsimd: Fail FP/SIMD regset operations
Suzuki K Poulose <[email protected]>
arm64: cpufeature: Set the FP/SIMD compat HWCAP bits properly
Suzuki K Poulose <[email protected]>
arm64: cpufeature: Fix the type of no FP/SIMD capability
Mark Brown <[email protected]>
arm64: kernel: Correct annotation of end of el0_sync
Qais Yousef <[email protected]>
sched/uclamp: Fix a bug in propagating uclamp value in new cgroups
Olof Johansson <[email protected]>
ARM: 8949/1: mm: mark free_memmap as __init
Eric Auger <[email protected]>
KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections
Claudiu Beznea <[email protected]>
ARM: at91: pm: use of_device_id array to find the proper shdwc node
Claudiu Beznea <[email protected]>
ARM: at91: pm: use SAM9X60 PMC's compatible
Shameer Kolothum <[email protected]>
iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA
Alexey Kardashevskiy <[email protected]>
powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW
Tyrel Datwyler <[email protected]>
powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning
Vaibhav Jain <[email protected]>
powerpc/papr_scm: Fix leaking 'bus_desc.provider_name' in some paths
Christophe Leroy <[email protected]>
powerpc/ptdump: Only enable PPC_CHECK_WX with STRICT_KERNEL_RWX
Christophe Leroy <[email protected]>
powerpc/ptdump: Fix W+X verification call in mark_rodata_ro()
Ram Pai <[email protected]>
Revert "powerpc/pseries/iommu: Don't use dma_iommu_ops on secure guests"
Douglas Anderson <[email protected]>
soc: qcom: rpmhpd: Set 'active_only' for active only power domains
Zhengyuan Liu <[email protected]>
tools/power/acpi: fix compilation error
Alexandre Belloni <[email protected]>
ARM: dts: at91: sama5d3: define clock rate range for tcb1
Alexandre Belloni <[email protected]>
ARM: dts: at91: sama5d3: fix maximum peripheral clock rates
Martin Blumenstingl <[email protected]>
ARM: dts: meson8b: use the actual frequency for the GPU's 364MHz OPP
Martin Blumenstingl <[email protected]>
ARM: dts: meson8: use the actual frequency for the GPU's 182.1MHz OPP
Baruch Siach <[email protected]>
arm64: dts: marvell: clearfog-gt-8k: fix switch cpu port node
Kuninori Morimoto <[email protected]>
arm64: dts: renesas: r8a77990: ebisu: Remove clkout-lr-synchronous from sound
Tero Kristo <[email protected]>
ARM: dts: am43xx: add support for clkout1 clock
Ingo van Lil <[email protected]>
ARM: dts: at91: Reenable UART TX pull-ups
Bjorn Andersson <[email protected]>
arm64: dts: qcom: msm8998-mtp: Add alias for blsp1_uart3
Russell King <[email protected]>
arm64: dts: uDPU: fix broken ethernet
Jeffrey Hugo <[email protected]>
arm64: dts: qcom: msm8998: Fix tcsr syscon size
Mika Westerberg <[email protected]>
platform/x86: intel_mid_powerbtn: Take a copy of ddata
Jose Abreu <[email protected]>
ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node
Tiezhu Yang <[email protected]>
MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init()
Sai Prakash Ranjan <[email protected]>
watchdog: qcom: Use platform_get_irq_optional() for bark irq
Andy Shevchenko <[email protected]>
rtc: cmos: Stop using shared IRQ
Geert Uytterhoeven <[email protected]>
rtc: i2c/spi: Avoid inclusion of REGMAP support when not needed
Paul Kocialkowski <[email protected]>
rtc: hym8563: Return -EINVAL if the time is known to be invalid
Wei Yongjun <[email protected]>
rtc: mt6397: drop free_irq of devm_ allocated irq
Taehee Yoo <[email protected]>
netdevsim: use __GFP_NOWARN to avoid memalloc warning
Taehee Yoo <[email protected]>
netdevsim: fix panic in nsim_dev_take_snapshot_write()
Taehee Yoo <[email protected]>
netdevsim: disable devlink reload when resources are being used
Taehee Yoo <[email protected]>
netdevsim: fix using uninitialized resources
Lorenzo Bianconi <[email protected]>
mt76: mt7615: fix max_nss in mt7615_eeprom_parse_hw_cap
Lorenz Bauer <[email protected]>
bpf, sockmap: Check update requirements after locking
Martin KaFai Lau <[email protected]>
bpf: Improve bucket_log calculation logic
Jakub Sitnicki <[email protected]>
selftests/bpf: Test freeing sockmap/sockhash with a socket in it
Jakub Sitnicki <[email protected]>
bpf, sockhash: Synchronize_rcu before free'ing map
Jakub Sitnicki <[email protected]>
bpf, sockmap: Don't sleep while holding RCU lock on tear-down
Toke Høiland-Jørgensen <[email protected]>
bpftool: Don't crash on missing xlated program instructions
Steven Clarkson <[email protected]>
x86/boot: Handle malformed SRAT tables during early ACPI parsing
Robert Milkowski <[email protected]>
NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals
Robert Milkowski <[email protected]>
NFSv4: try lease recovery on NFS4ERR_EXPIRED
Trond Myklebust <[email protected]>
NFSv4: pnfs_roc() must use cred_fscmp() to compare creds
Trond Myklebust <[email protected]>
NFS: Fix fix of show_nfs_errors
Trond Myklebust <[email protected]>
NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes()
Trond Myklebust <[email protected]>
NFS: Revalidate the file size on a fatal write error
Geert Uytterhoeven <[email protected]>
nfs: NFS_SWAP should depend on SWAP
Olga Kornievskaia <[email protected]>
NFSv4.x recover from pre-mature loss of openstateid
Paul Blakey <[email protected]>
netfilter: flowtable: Fix missing flush hardware on table free
Paul Blakey <[email protected]>
netfilter: flowtable: Fix hardware flush order on nf_flow_table_cleanup
Pablo Neira Ayuso <[email protected]>
netfilter: flowtable: restrict flow dissector match on meta ingress device
Pablo Neira Ayuso <[email protected]>
netfilter: flowtable: fetch stats only if flow is still alive
Emmanuel Grumbach <[email protected]>
iwlwifi: mvm: fix TDLS discovery with the new firmware API
Avraham Stern <[email protected]>
iwlwifi: mvm: avoid use after free for pmsr request
Dongdong Liu <[email protected]>
PCI/AER: Initialize aer_fifo
Logan Gunthorpe <[email protected]>
PCI: Don't disable bridge BARs when assigning bus resources
Marcel Ziswiler <[email protected]>
PCI: tegra: Fix afi_pex2_ctrl reg offset for Tegra30
Logan Gunthorpe <[email protected]>
PCI/switchtec: Fix vep_vector_number ioread width
Wesley Sheng <[email protected]>
PCI/switchtec: Use dma_set_mask_and_coherent()
Bryan O'Donoghue <[email protected]>
ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe
Navid Emamdoost <[email protected]>
PCI/IOV: Fix memory leak in pci_iov_add_virtfn()
Bean Huo <[email protected]>
scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails
Artemy Kovalyov <[email protected]>
RDMA/umem: Fix ib_umem_find_best_pgsz()
Parav Pandit <[email protected]>
RDMA/cma: Fix unbalanced cm_id reference count during address resolve
Jason Gunthorpe <[email protected]>
RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence
Jason Gunthorpe <[email protected]>
RDMA/mlx5: Fix handling of IOVA != user_va in ODP paths
Michael Guralnik <[email protected]>
RDMA/uverbs: Verify MR access flags
Jason Gunthorpe <[email protected]>
RDMA/core: Fix locking in ib_uverbs_event_read
Xiyu Yang <[email protected]>
RDMA/i40iw: fix a potential NULL pointer dereference
Håkon Bugge <[email protected]>
RDMA/netlink: Do not always generate an ACK for some netlink operations
Håkon Bugge <[email protected]>
IB/mlx4: Fix leak in id_map_find_del
Danit Goldberg <[email protected]>
IB/mlx5: Return the administrative GUID if exists
Sergey Gorenko <[email protected]>
IB/srp: Never use immediate data if it is disabled by a user
Jack Morgenstein <[email protected]>
IB/mlx4: Fix memory leak in add_gid error flow
-------------
Diffstat:
.../devicetree/bindings/iio/adc/adi,ad7606.yaml | 8 +--
Makefile | 4 +-
arch/arc/boot/dts/axs10x_mb.dtsi | 1 +
arch/arm/boot/dts/am43xx-clocks.dtsi | 54 ++++++++++++++
arch/arm/boot/dts/at91sam9260.dtsi | 12 ++--
arch/arm/boot/dts/at91sam9261.dtsi | 6 +-
arch/arm/boot/dts/at91sam9263.dtsi | 6 +-
arch/arm/boot/dts/at91sam9g45.dtsi | 8 +--
arch/arm/boot/dts/at91sam9rl.dtsi | 8 +--
arch/arm/boot/dts/meson8.dtsi | 4 +-
arch/arm/boot/dts/meson8b.dtsi | 4 +-
arch/arm/boot/dts/sama5d3.dtsi | 28 ++++----
arch/arm/boot/dts/sama5d3_can.dtsi | 4 +-
arch/arm/boot/dts/sama5d3_tcb1.dtsi | 1 +
arch/arm/boot/dts/sama5d3_uart.dtsi | 4 +-
arch/arm/crypto/chacha-glue.c | 4 +-
arch/arm/mach-at91/pm.c | 9 ++-
arch/arm/mm/init.c | 2 +-
arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts | 4 ++
.../dts/marvell/armada-8040-clearfog-gt-8k.dts | 2 +
arch/arm64/boot/dts/qcom/msm8998-mtp.dtsi | 1 +
arch/arm64/boot/dts/qcom/msm8998.dtsi | 2 +-
arch/arm64/boot/dts/renesas/r8a77990-ebisu.dts | 1 -
arch/arm64/kernel/cpufeature.c | 39 ++++++++--
arch/arm64/kernel/entry.S | 5 +-
arch/arm64/kernel/fpsimd.c | 30 +++++++-
arch/arm64/kernel/ptrace.c | 21 ++++++
arch/arm64/kvm/hyp/switch.c | 10 ++-
arch/arm64/kvm/va_layout.c | 56 +++++++--------
arch/mips/loongson64/platform.c | 3 +
arch/powerpc/Kconfig.debug | 2 +-
arch/powerpc/mm/pgtable_32.c | 1 +
arch/powerpc/platforms/pseries/iommu.c | 54 +++++++-------
arch/powerpc/platforms/pseries/papr_scm.c | 2 +
arch/powerpc/platforms/pseries/vio.c | 2 +
arch/x86/boot/compressed/acpi.c | 6 ++
arch/x86/kernel/alternative.c | 1 +
crypto/testmgr.c | 20 ++++--
drivers/base/regmap/regmap.c | 17 +++--
drivers/clk/meson/g12a.c | 1 +
drivers/crypto/atmel-sha.c | 7 +-
drivers/crypto/axis/artpec6_crypto.c | 2 +-
drivers/crypto/caam/caamalg_qi2.c | 2 +-
drivers/dma/dma-axi-dmac.c | 10 ++-
drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 +-
drivers/infiniband/core/addr.c | 2 +-
drivers/infiniband/core/cma.c | 2 +
drivers/infiniband/core/ib_core_uverbs.c | 2 +
drivers/infiniband/core/sa_query.c | 4 +-
drivers/infiniband/core/umem.c | 9 ++-
drivers/infiniband/core/uverbs_main.c | 32 ++++-----
drivers/infiniband/hw/i40iw/i40iw_main.c | 2 +
drivers/infiniband/hw/mlx4/cm.c | 29 +-------
drivers/infiniband/hw/mlx4/main.c | 20 ++++--
drivers/infiniband/hw/mlx5/ib_virt.c | 28 ++++----
drivers/infiniband/hw/mlx5/mr.c | 2 +
drivers/infiniband/hw/mlx5/odp.c | 19 +++--
drivers/infiniband/ulp/srp/ib_srp.c | 3 +-
drivers/iommu/arm-smmu-v3.c | 1 +
drivers/md/bcache/journal.c | 80 +++++++++++++++++++--
drivers/media/i2c/adv748x/adv748x.h | 8 +--
drivers/mfd/Kconfig | 1 +
drivers/mtd/nand/onenand/onenand_base.c | 82 +++++++++++-----------
drivers/mtd/parsers/sharpslpart.c | 4 +-
drivers/net/netdevsim/bus.c | 64 +++++++++++++++--
drivers/net/netdevsim/dev.c | 13 +++-
drivers/net/netdevsim/health.c | 2 +-
drivers/net/netdevsim/netdevsim.h | 4 ++
drivers/net/wireless/ath/ath10k/pci.c | 19 ++++-
.../net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 5 +-
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mvm/tdls.c | 10 ++-
.../net/wireless/intel/iwlwifi/mvm/time-event.c | 71 ++++++++++++++++---
.../net/wireless/intel/iwlwifi/mvm/time-event.h | 4 +-
drivers/net/wireless/marvell/libertas/cfg.c | 2 +
drivers/net/wireless/marvell/mwifiex/scan.c | 7 ++
drivers/net/wireless/marvell/mwifiex/wmm.c | 4 ++
drivers/net/wireless/mediatek/mt76/mt7615/eeprom.c | 3 +-
drivers/pci/controller/pci-tegra.c | 2 +-
drivers/pci/iov.c | 9 ++-
drivers/pci/pcie/aer.c | 1 +
drivers/pci/setup-bus.c | 20 ++++--
drivers/pci/switch/switchtec.c | 4 +-
drivers/pinctrl/intel/pinctrl-baytrail.c | 19 +++--
drivers/pinctrl/qcom/pinctrl-msm.c | 5 --
drivers/pinctrl/sh-pfc/pfc-r8a7778.c | 4 +-
drivers/pinctrl/sh-pfc/pfc-r8a77965.c | 6 +-
drivers/platform/x86/intel_mid_powerbtn.c | 5 +-
drivers/rtc/Kconfig | 8 ++-
drivers/rtc/rtc-cmos.c | 2 +-
drivers/rtc/rtc-hym8563.c | 2 +-
drivers/rtc/rtc-mt6397.c | 10 +--
drivers/scsi/ufs/ufshcd.c | 3 +-
drivers/soc/qcom/rpmhpd.c | 2 +
drivers/watchdog/qcom-wdt.c | 2 +-
drivers/watchdog/stm32_iwdg.c | 18 +++++
fs/nfs/Kconfig | 2 +-
fs/nfs/direct.c | 4 +-
fs/nfs/nfs3xdr.c | 5 +-
fs/nfs/nfs42proc.c | 36 +++++++---
fs/nfs/nfs4_fs.h | 4 +-
fs/nfs/nfs4proc.c | 19 +++--
fs/nfs/nfs4renewd.c | 5 +-
fs/nfs/nfs4state.c | 4 +-
fs/nfs/nfs4trace.h | 33 ++++-----
fs/nfs/nfs4xdr.c | 5 +-
fs/nfs/pnfs.c | 4 +-
fs/nfs/pnfs_nfs.c | 7 +-
fs/nfs/write.c | 12 +++-
include/linux/mlx5/driver.h | 5 ++
include/rdma/ib_verbs.h | 3 +
kernel/sched/core.c | 6 ++
net/core/bpf_sk_storage.c | 5 +-
net/core/sock_map.c | 28 +++++---
net/netfilter/nf_flow_table_core.c | 8 +--
net/netfilter/nf_flow_table_offload.c | 11 ++-
security/selinux/avc.c | 24 ++++++-
security/selinux/hooks.c | 15 +++-
security/selinux/include/avc.h | 5 ++
sound/soc/soc-generic-dmaengine-pcm.c | 16 +++--
tools/bpf/bpftool/prog.c | 2 +-
tools/power/acpi/Makefile.config | 2 +-
.../selftests/bpf/prog_tests/sockmap_basic.c | 74 +++++++++++++++++++
virt/kvm/arm/aarch32.c | 14 ++--
virt/kvm/arm/arch_timer.c | 3 +-
virt/kvm/arm/mmu.c | 3 +-
virt/kvm/arm/pmu.c | 42 ++++++++---
virt/kvm/arm/vgic/vgic-its.c | 3 +-
128 files changed, 1099 insertions(+), 443 deletions(-)
From: Taehee Yoo <[email protected]>
commit 8526ad9646b17c59b6d430d8baa8f152a14fe177 upstream.
nsim_dev_take_snapshot_write() uses nsim_dev and nsim_dev->dummy_region.
So, during this function, these data shouldn't be removed.
But there is no protection for them in this function.
There are two similar cases.
1. reload case
reload could be called during nsim_dev_take_snapshot_write().
When reload is being executed, nsim_dev_reload_down() is called and it
calls nsim_dev_reload_destroy(). nsim_dev_reload_destroy() calls
devlink_region_destroy() to destroy nsim_dev->dummy_region.
So, during nsim_dev_take_snapshot_write(), nsim_dev->dummy_region()
would be removed.
At this point, snapshot_write() would access freed pointer.
In order to fix this case, take_snapshot file will be removed before
devlink_region_destroy().
The take_snapshot file will be re-created by ->reload_up().
2. del_device_store case
del_device_store() also could call nsim_dev_reload_destroy()
during nsim_dev_take_snapshot_write(). If so, panic would occur.
This problem is actually the same problem as the first case.
So, this problem will be fixed by the first case's solution.
Test commands:
modprobe netdevsim
while :
do
echo 1 > /sys/bus/netdevsim/new_device &
echo 1 > /sys/bus/netdevsim/del_device &
devlink dev reload netdevsim/netdevsim1 &
echo 1 > /sys/kernel/debug/netdevsim/netdevsim1/take_snapshot &
done
Splat looks like:
[ 45.564513][ T975] general protection fault, probably for non-canonical address 0xdffffc000000003a: 0000 [#1] SMP DEI
[ 45.566131][ T975] KASAN: null-ptr-deref in range [0x00000000000001d0-0x00000000000001d7]
[ 45.566135][ T975] CPU: 1 PID: 975 Comm: bash Not tainted 5.5.0+ #322
[ 45.569020][ T975] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 45.569026][ T975] RIP: 0010:__mutex_lock+0x10a/0x14b0
[ 45.570518][ T975] Code: 08 84 d2 0f 85 7f 12 00 00 44 8b 0d 10 23 65 02 45 85 c9 75 29 49 8d 7f 68 48 b8 00 00 00 0f
[ 45.570522][ T975] RSP: 0018:ffff888046ccfbf0 EFLAGS: 00010206
[ 45.572305][ T975] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 45.572308][ T975] RDX: 000000000000003a RSI: ffffffffac926440 RDI: 00000000000001d0
[ 45.576843][ T975] RBP: ffff888046ccfd70 R08: ffffffffab610645 R09: 0000000000000000
[ 45.576847][ T975] R10: ffff888046ccfd90 R11: ffffed100d6360ad R12: 0000000000000000
[ 45.578471][ T975] R13: dffffc0000000000 R14: ffffffffae1976c0 R15: 0000000000000168
[ 45.578475][ T975] FS: 00007f614d6e7740(0000) GS:ffff88806c400000(0000) knlGS:0000000000000000
[ 45.581492][ T975] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 45.582942][ T975] CR2: 00005618677d1cf0 CR3: 000000005fb9c002 CR4: 00000000000606e0
[ 45.584543][ T975] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 45.586633][ T975] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 45.589889][ T975] Call Trace:
[ 45.591445][ T975] ? devlink_region_snapshot_create+0x55/0x4a0
[ 45.601250][ T975] ? mutex_lock_io_nested+0x1380/0x1380
[ 45.602817][ T975] ? mutex_lock_io_nested+0x1380/0x1380
[ 45.603875][ T975] ? mark_held_locks+0xa5/0xe0
[ 45.604769][ T975] ? _raw_spin_unlock_irqrestore+0x2d/0x50
[ 45.606147][ T975] ? __mutex_unlock_slowpath+0xd0/0x670
[ 45.607723][ T975] ? crng_backtrack_protect+0x80/0x80
[ 45.613530][ T975] ? wait_for_completion+0x390/0x390
[ 45.615152][ T975] ? devlink_region_snapshot_create+0x55/0x4a0
[ 45.616834][ T975] devlink_region_snapshot_create+0x55/0x4a0
[ ... ]
Fixes: 4418f862d675 ("netdevsim: implement support for devlink region and snapshots")
Signed-off-by: Taehee Yoo <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/netdevsim/dev.c | 13 +++++++++++--
drivers/net/netdevsim/netdevsim.h | 1 +
2 files changed, 12 insertions(+), 2 deletions(-)
--- a/drivers/net/netdevsim/dev.c
+++ b/drivers/net/netdevsim/dev.c
@@ -88,8 +88,11 @@ static int nsim_dev_debugfs_init(struct
&nsim_dev->max_macs);
debugfs_create_bool("test1", 0600, nsim_dev->ddir,
&nsim_dev->test1);
- debugfs_create_file("take_snapshot", 0200, nsim_dev->ddir, nsim_dev,
- &nsim_dev_take_snapshot_fops);
+ nsim_dev->take_snapshot = debugfs_create_file("take_snapshot",
+ 0200,
+ nsim_dev->ddir,
+ nsim_dev,
+ &nsim_dev_take_snapshot_fops);
debugfs_create_bool("dont_allow_reload", 0600, nsim_dev->ddir,
&nsim_dev->dont_allow_reload);
debugfs_create_bool("fail_reload", 0600, nsim_dev->ddir,
@@ -740,6 +743,11 @@ static int nsim_dev_reload_create(struct
if (err)
goto err_health_exit;
+ nsim_dev->take_snapshot = debugfs_create_file("take_snapshot",
+ 0200,
+ nsim_dev->ddir,
+ nsim_dev,
+ &nsim_dev_take_snapshot_fops);
return 0;
err_health_exit:
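Review bot: the five-line debugfs_create_file("take_snapshot", ...) call added at the end of nsim_dev_reload_create() is a verbatim copy of the one added in nsim_dev_debugfs_init() in the previous hunk. A small static helper that creates the file and stores the dentry in nsim_dev->take_snapshot would keep the mode (0200), parent directory and fops in one place, so a later change to one call site cannot silently diverge from the other. It would also help to add a one-line comment here that the file is created last on purpose, after everything the write handler touches has been set up.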
@@ -853,6 +861,7 @@ static void nsim_dev_reload_destroy(stru
if (devlink_is_reload_failed(devlink))
return;
+ debugfs_remove(nsim_dev->take_snapshot);
nsim_dev_port_del_all(nsim_dev);
nsim_dev_health_exit(nsim_dev);
nsim_dev_traps_exit(devlink);
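Review bot: after debugfs_remove(nsim_dev->take_snapshot) in nsim_dev_reload_destroy() the field still holds the old dentry pointer, and it is only overwritten if a later nsim_dev_reload_create() reaches its final statement. Setting nsim_dev->take_snapshot to NULL right after the removal would make a stale value impossible to reuse instead of relying on the devlink_is_reload_failed() early return above. The fix also depends on the removal not completing while a write to the file is still running, which neither the commit message nor the code states; a short comment on that ordering requirement would make the intent reviewable.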
--- a/drivers/net/netdevsim/netdevsim.h
+++ b/drivers/net/netdevsim/netdevsim.h
@@ -160,6 +160,7 @@ struct nsim_dev {
struct nsim_trap_data *trap_data;
struct dentry *ddir;
struct dentry *ports_ddir;
+ struct dentry *take_snapshot;
struct bpf_offload_dev *bpf_dev;
bool bpf_bind_accept;
u32 bpf_bind_verifier_delay;
From: Bean Huo <[email protected]>
commit b9fc5320212efdfb4e08b825aaa007815fd11d16 upstream.
A non-zero error value is likely returned by ufshcd_scsi_add_wlus() in
case of failure to add the WLs, but ufshcd_probe_hba() doesn't use this
value and doesn't report this failure to the upper caller. This patch
fixes this issue.
Fixes: 2a8fa600445c ("ufs: manually add well known logical units")
Link: https://lore.kernel.org/r/[email protected]
Reviewed-by: Asutosh Das <[email protected]>
Reviewed-by: Alim Akhtar <[email protected]>
Reviewed-by: Stanley Chu <[email protected]>
Signed-off-by: Bean Huo <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/scsi/ufs/ufshcd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -7030,7 +7030,8 @@ static int ufshcd_probe_hba(struct ufs_h
ufshcd_init_icc_levels(hba);
/* Add required well known logical units to scsi mid layer */
- if (ufshcd_scsi_add_wlus(hba))
+ ret = ufshcd_scsi_add_wlus(hba);
+ if (ret)
goto out;
/* Initialize devfreq after UFS device is detected */
From: Trond Myklebust <[email protected]>
commit 221203ce6406273cf00e5c6397257d986c003ee6 upstream.
Instead of making assumptions about the commit verifier contents, change
the commit code to ensure we always check that the verifier was set
by the XDR code.
Fixes: f54bcf2ecee9 ("pnfs: Prepare for flexfiles by pulling out common code")
Signed-off-by: Trond Myklebust <[email protected]>
Signed-off-by: Anna Schumaker <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/nfs/direct.c | 4 ++--
fs/nfs/nfs3xdr.c | 5 ++++-
fs/nfs/nfs4xdr.c | 5 ++++-
fs/nfs/pnfs_nfs.c | 7 +++----
fs/nfs/write.c | 4 +++-
5 files changed, 16 insertions(+), 9 deletions(-)
--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -245,10 +245,10 @@ static int nfs_direct_cmp_commit_data_ve
data->ds_commit_index);
/* verifier not set so always fail */
- if (verfp->committed < 0)
+ if (verfp->committed < 0 || data->res.verf->committed <= NFS_UNSTABLE)
return 1;
- return nfs_direct_cmp_verf(verfp, &data->verf);
+ return nfs_direct_cmp_verf(verfp, data->res.verf);
}
/**
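Review bot: the comment "verifier not set so always fail" in nfs_direct_cmp_commit_data_verf() now sits above a condition with two different meanings, and only the first half (verfp->committed < 0) is what it describes. The added data->res.verf->committed <= NFS_UNSTABLE test means "the COMMIT reply did not produce a verifier", so the comment should say so. Both added lines also dereference data->res.verf where the old code used the embedded &data->verf; if res.verf can ever be unset for a commit that reaches this function, that is a new NULL dereference, so either state the invariant in a comment or check it.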
--- a/fs/nfs/nfs3xdr.c
+++ b/fs/nfs/nfs3xdr.c
@@ -2334,6 +2334,7 @@ static int nfs3_xdr_dec_commit3res(struc
void *data)
{
struct nfs_commitres *result = data;
+ struct nfs_writeverf *verf = result->verf;
enum nfs_stat status;
int error;
@@ -2346,7 +2347,9 @@ static int nfs3_xdr_dec_commit3res(struc
result->op_status = status;
if (status != NFS3_OK)
goto out_status;
- error = decode_writeverf3(xdr, &result->verf->verifier);
+ error = decode_writeverf3(xdr, &verf->verifier);
+ if (!error)
+ verf->committed = NFS_FILE_SYNC;
out:
return error;
out_status:
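Review bot: in nfs3_xdr_dec_commit3res() verf->committed is written only on the success path, so on the status != NFS3_OK branch and on a decode_writeverf3() error it keeps whatever value it had before the call. The callers changed in this patch treat committed > NFS_UNSTABLE as "verifier was decoded", which is only safe if the field is reset before every COMMIT is sent, and none of the hunks shown here do that. Either reset it at the top of this function or document where the caller initialises it.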
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -4313,11 +4313,14 @@ static int decode_write_verifier(struct
static int decode_commit(struct xdr_stream *xdr, struct nfs_commitres *res)
{
+ struct nfs_writeverf *verf = res->verf;
int status;
status = decode_op_hdr(xdr, OP_COMMIT);
if (!status)
- status = decode_write_verifier(xdr, &res->verf->verifier);
+ status = decode_write_verifier(xdr, &verf->verifier);
+ if (!status)
+ verf->committed = NFS_FILE_SYNC;
return status;
}
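Review bot: in decode_commit() the hard-coded verf->committed = NFS_FILE_SYNC is being used as a "verifier was decoded" marker rather than as a value read from the reply, and nothing in the code says so. A one-line comment to that effect would stop a later reader from treating it as a decoded field. The two back-to-back if (!status) tests would also read more clearly as a single early return on a decode_op_hdr() failure followed by the verifier decode.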
--- a/fs/nfs/pnfs_nfs.c
+++ b/fs/nfs/pnfs_nfs.c
@@ -31,12 +31,11 @@ EXPORT_SYMBOL_GPL(pnfs_generic_rw_releas
/* Fake up some data that will cause nfs_commit_release to retry the writes. */
void pnfs_generic_prepare_to_resend_writes(struct nfs_commit_data *data)
{
- struct nfs_page *first = nfs_list_entry(data->pages.next);
+ struct nfs_writeverf *verf = data->res.verf;
data->task.tk_status = 0;
- memcpy(&data->verf.verifier, &first->wb_verf,
- sizeof(data->verf.verifier));
- data->verf.verifier.data[0]++; /* ensure verifier mismatch */
+ memset(&verf->verifier, 0, sizeof(verf->verifier));
+ verf->committed = NFS_UNSTABLE;
}
EXPORT_SYMBOL_GPL(pnfs_generic_prepare_to_resend_writes);
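Review bot: pnfs_generic_prepare_to_resend_writes() no longer guarantees a verifier mismatch by itself. The removed code copied the first request's wb_verf and incremented a byte, whereas the new memset() leaves an all-zero verifier that would compare equal to a request whose wb_verf is also all zero. The retry now depends entirely on every consumer checking verf->committed before comparing verifiers, as the direct.c and write.c hunks do; the function comment should be updated to say that the resend is forced through committed = NFS_UNSTABLE, so that a future caller of the verifier compare does not skip that check.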
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -1837,6 +1837,7 @@ static void nfs_commit_done(struct rpc_t
static void nfs_commit_release_pages(struct nfs_commit_data *data)
{
+ const struct nfs_writeverf *verf = data->res.verf;
struct nfs_page *req;
int status = data->task.tk_status;
struct nfs_commit_info cinfo;
@@ -1864,7 +1865,8 @@ static void nfs_commit_release_pages(str
/* Okay, COMMIT succeeded, apparently. Check the verifier
* returned by the server against all stored verfs. */
- if (!nfs_write_verifier_cmp(&req->wb_verf, &data->verf.verifier)) {
+ if (verf->committed > NFS_UNSTABLE &&
+ !nfs_write_verifier_cmp(&req->wb_verf, &verf->verifier)) {
/* We have a match */
if (req->wb_page)
nfs_inode_remove_request(req);
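Review bot: the "verifier is valid" test is now open-coded twice with opposite polarity, verf->committed > NFS_UNSTABLE here in nfs_commit_release_pages() and data->res.verf->committed <= NFS_UNSTABLE in fs/nfs/direct.c. A small inline helper taking a const struct nfs_writeverf * would keep both sites in step and give the enum-ordering assumption a single documented home. The comment "Okay, COMMIT succeeded, apparently" above the condition could also mention that a reply without a decoded verifier is treated as a mismatch.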
From: Sergey Gorenko <[email protected]>
commit 0fbb37dd82998b5c83355997b3bdba2806968ac7 upstream.
Some SRP targets that do not support specification SRP-2 put garbage
in the reserved bits of the SRP login response. The problem was not
detected for a long time because the SRP initiator ignored those bits. But
now one of them is used as SRP_LOGIN_RSP_IMMED_SUPP. And it causes a
critical error on the target when the initiator sends immediate data.
The ib_srp module has a use_imm_date parameter to enable or disable
immediate data manually. But it does not help in the above case, because
use_imm_date is ignored when handling the SRP login response. The problem is
definitely caused by a bug on the target side, but the initiator's
behavior also does not look correct. The initiator should not use
immediate data if use_imm_date is disabled by a user.
This commit adds an additional check of use_imm_date when handling the
SRP login response to avoid unexpected use of immediate data.
Fixes: 882981f4a411 ("RDMA/srp: Add support for immediate data")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sergey Gorenko <[email protected]>
Reviewed-by: Bart Van Assche <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/infiniband/ulp/srp/ib_srp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -2546,7 +2546,8 @@ static void srp_cm_rep_handler(struct ib
if (lrsp->opcode == SRP_LOGIN_RSP) {
ch->max_ti_iu_len = be32_to_cpu(lrsp->max_ti_iu_len);
ch->req_lim = be32_to_cpu(lrsp->req_lim_delta);
- ch->use_imm_data = lrsp->rsp_flags & SRP_LOGIN_RSP_IMMED_SUPP;
+ ch->use_imm_data = srp_use_imm_data &&
+ (lrsp->rsp_flags & SRP_LOGIN_RSP_IMMED_SUPP);
ch->max_it_iu_len = srp_max_it_iu_len(target->cmd_sg_cnt,
ch->use_imm_data,
target->max_it_iu_size);
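Review bot: the commit message refers to the module parameter as use_imm_date throughout, while the variable tested in srp_cm_rep_handler() is srp_use_imm_data and the channel field is ch->use_imm_data; the message should use the real name so it can be found by grep. On the code itself, the new expression silently overrides a target that advertises SRP_LOGIN_RSP_IMMED_SUPP, so a short comment that the administrator's setting takes precedence over the login response bit, because the bit may be garbage on pre-SRP-2 targets, would record why the response is not trusted on its own.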
From: Avraham Stern <[email protected]>
commit cc4255eff523f25187bb95561642941de0e57497 upstream.
When a FTM request is aborted, the driver sends the abort command to
the fw and waits for a response. When the response arrives, the driver
calls cfg80211_pmsr_complete() for that request.
However, cfg80211 frees the requested data immediately after sending
the abort command, so this may lead to use after free.
Fix it by clearing the request data in the driver when the abort
command arrives and ignoring the fw notification that will come
afterwards.
Signed-off-by: Avraham Stern <[email protected]>
Fixes: fc36ffda3267 ("iwlwifi: mvm: support FTM initiator")
Signed-off-by: Luca Coelho <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
@@ -8,6 +8,7 @@
* Copyright(c) 2015 - 2017 Intel Deutschland GmbH
* Copyright (C) 2018 Intel Corporation
* Copyright (C) 2019 Intel Corporation
+ * Copyright (C) 2020 Intel Corporation
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of version 2 of the GNU General Public License as
@@ -30,6 +31,7 @@
* Copyright(c) 2015 - 2017 Intel Deutschland GmbH
* Copyright (C) 2018 Intel Corporation
* Copyright (C) 2019 Intel Corporation
+ * Copyright (C) 2020 Intel Corporation
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -389,6 +391,8 @@ void iwl_mvm_ftm_abort(struct iwl_mvm *m
if (req != mvm->ftm_initiator.req)
return;
+ iwl_mvm_ftm_reset(mvm);
+
if (iwl_mvm_send_cmd_pdu(mvm, iwl_cmd_id(TOF_RANGE_ABORT_CMD,
LOCATION_GROUP, 0),
0, sizeof(cmd), &cmd))
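Review bot: iwl_mvm_ftm_reset(mvm) in iwl_mvm_ftm_abort() runs before iwl_mvm_send_cmd_pdu(), so the driver's request state is cleared even when sending TOF_RANGE_ABORT_CMD fails. That matches the stated goal of never touching the request after cfg80211 frees it, but the commit message describes the clearing as happening "when the abort command arrives", which reads as the opposite order. A comment above the call saying that the reset must precede the send, and that a failed send is acceptable because the late firmware notification is ignored, would remove the ambiguity.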
@@ -502,7 +506,6 @@ void iwl_mvm_ftm_range_resp(struct iwl_m
lockdep_assert_held(&mvm->mutex);
if (!mvm->ftm_initiator.req) {
- IWL_ERR(mvm, "Got FTM response but have no request?\n");
return;
}
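Review bot: removing the IWL_ERR() from iwl_mvm_ftm_range_resp() leaves a braced block containing only return;, which kernel coding style writes without braces. Dropping the message entirely also hides a response that arrives with no request for a reason other than an abort; keeping it at debug level rather than error level would preserve that diagnostic without flagging the now-expected post-abort notification as an error.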
From: Olga Kornievskaia <[email protected]>
commit d826e5b827641ae1bebb33d23a774f4e9bb8e94f upstream.
Ever since commit 0e0cb35b417f, it's possible to lose an open stateid
while retrying a CLOSE due to ERR_OLD_STATEID. Once that happens,
operations that require an openstateid fail with EAGAIN, which is propagated
to the application, and tests like generic/446 and generic/168 then fail with
"Resource temporarily unavailable".
Instead of returning this error, initiate state recovery when possible to
recover the open stateid and then try calling nfs4_select_rw_stateid()
again.
Fixes: 0e0cb35b417f ("NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE")
Signed-off-by: Olga Kornievskaia <[email protected]>
Signed-off-by: Anna Schumaker <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/nfs/nfs42proc.c | 36 ++++++++++++++++++++++++++++--------
fs/nfs/nfs4proc.c | 2 ++
fs/nfs/pnfs.c | 2 --
3 files changed, 30 insertions(+), 10 deletions(-)
--- a/fs/nfs/nfs42proc.c
+++ b/fs/nfs/nfs42proc.c
@@ -61,8 +61,11 @@ static int _nfs42_proc_fallocate(struct
status = nfs4_set_rw_stateid(&args.falloc_stateid, lock->open_context,
lock, FMODE_WRITE);
- if (status)
+ if (status) {
+ if (status == -EAGAIN)
+ status = -NFS4ERR_BAD_STATEID;
return status;
+ }
res.falloc_fattr = nfs_alloc_fattr();
if (!res.falloc_fattr)
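Review bot: the `if (status == -EAGAIN) status = -NFS4ERR_BAD_STATEID;` translation has no comment, and from this hunk alone it is not obvious that the substituted value exists to make the caller's error handling start state recovery and retry, as the commit message describes. A short comment at the first occurrence would document that the rewritten error is an internal signal and not something the server returned.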
@@ -287,8 +290,11 @@ static ssize_t _nfs42_proc_copy(struct f
} else {
status = nfs4_set_rw_stateid(&args->src_stateid,
src_lock->open_context, src_lock, FMODE_READ);
- if (status)
+ if (status) {
+ if (status == -EAGAIN)
+ status = -NFS4ERR_BAD_STATEID;
return status;
+ }
}
status = nfs_filemap_write_and_wait_range(file_inode(src)->i_mapping,
pos_src, pos_src + (loff_t)count - 1);
@@ -297,8 +303,11 @@ static ssize_t _nfs42_proc_copy(struct f
status = nfs4_set_rw_stateid(&args->dst_stateid, dst_lock->open_context,
dst_lock, FMODE_WRITE);
- if (status)
+ if (status) {
+ if (status == -EAGAIN)
+ status = -NFS4ERR_BAD_STATEID;
return status;
+ }
status = nfs_sync_inode(dst_inode);
if (status)
@@ -546,8 +555,11 @@ static int _nfs42_proc_copy_notify(struc
status = nfs4_set_rw_stateid(&args->cna_src_stateid, ctx, l_ctx,
FMODE_READ);
nfs_put_lock_context(l_ctx);
- if (status)
+ if (status) {
+ if (status == -EAGAIN)
+ status = -NFS4ERR_BAD_STATEID;
return status;
+ }
status = nfs4_call_sync(src_server->client, src_server, &msg,
&args->cna_seq_args, &res->cnr_seq_res, 0);
@@ -618,8 +630,11 @@ static loff_t _nfs42_proc_llseek(struct
status = nfs4_set_rw_stateid(&args.sa_stateid, lock->open_context,
lock, FMODE_READ);
- if (status)
+ if (status) {
+ if (status == -EAGAIN)
+ status = -NFS4ERR_BAD_STATEID;
return status;
+ }
status = nfs_filemap_write_and_wait_range(inode->i_mapping,
offset, LLONG_MAX);
@@ -994,13 +1009,18 @@ static int _nfs42_proc_clone(struct rpc_
status = nfs4_set_rw_stateid(&args.src_stateid, src_lock->open_context,
src_lock, FMODE_READ);
- if (status)
+ if (status) {
+ if (status == -EAGAIN)
+ status = -NFS4ERR_BAD_STATEID;
return status;
-
+ }
status = nfs4_set_rw_stateid(&args.dst_stateid, dst_lock->open_context,
dst_lock, FMODE_WRITE);
- if (status)
+ if (status) {
+ if (status == -EAGAIN)
+ status = -NFS4ERR_BAD_STATEID;
return status;
+ }
res.dst_fattr = nfs_alloc_fattr();
if (!res.dst_fattr)
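Review bot: the -EAGAIN to -NFS4ERR_BAD_STATEID translation appears twice in this hunk and in five earlier hunks of this file, each time as the same four added lines after nfs4_set_rw_stateid(). A small static helper that wraps the call and does the translation once would remove the duplication and give a single place for the explanatory comment. The hunk also deletes the blank line that separated the src_stateid block from the dst_stateid block, so the closing brace now runs straight into the next assignment.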
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3239,6 +3239,8 @@ static int _nfs4_do_setattr(struct inode
nfs_put_lock_context(l_ctx);
if (status == -EIO)
return -EBADF;
+ else if (status == -EAGAIN)
+ goto zero_stateid;
} else {
zero_stateid:
nfs4_stateid_copy(&arg->stateid, &zero_stateid);
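Review bot: the added `else if (status == -EAGAIN) goto zero_stateid;` follows a `return`, so the `else` is redundant, and the branch jumps to a label that sits inside the `else` arm of the enclosing `if`. More to the point, falling back to the zero stateid here differs from the recover-and-retry behaviour the commit message describes for the other callers. A comment explaining why the zero stateid is acceptable for SETATTR in this case should accompany the new branch.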
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1998,8 +1998,6 @@ lookup_again:
trace_pnfs_update_layout(ino, pos, count,
iomode, lo, lseg,
PNFS_UPDATE_LAYOUT_INVALID_OPEN);
- if (status != -EAGAIN)
- goto out_unlock;
spin_unlock(&ino->i_lock);
nfs4_schedule_stateid_recovery(server, ctx->state);
pnfs_clear_first_layoutget(lo);
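Review bot: with the `if (status != -EAGAIN) goto out_unlock;` test removed, every status that reaches this point drops i_lock and calls nfs4_schedule_stateid_recovery(), where before only -EAGAIN did. The nfs4proc.c hunk in this same patch still treats -EIO separately, so it is worth confirming which values can arrive here and stating in a comment that recovery is the intended response to all of them; otherwise a non-recoverable error under the lookup_again label could be retried instead of being returned.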
From: Jason Gunthorpe <[email protected]>
commit 14e23bd6d22123f6f3b2747701fa6cd4c6d05873 upstream.
This should not be using ib_dev to test for disassociation, during
disassociation is_closed is set under lock and the waitq is triggered.
Instead check is_closed and be sure to re-obtain the lock to test the
value after the wait_event returns.
Fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Yishai Hadas <[email protected]>
Reviewed-by: Håkon Bugge <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/infiniband/core/uverbs_main.c | 32 ++++++++++++++------------------
1 file changed, 14 insertions(+), 18 deletions(-)
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -220,7 +220,6 @@ void ib_uverbs_release_file(struct kref
}
static ssize_t ib_uverbs_event_read(struct ib_uverbs_event_queue *ev_queue,
- struct ib_uverbs_file *uverbs_file,
struct file *filp, char __user *buf,
size_t count, loff_t *pos,
size_t eventsz)
@@ -238,19 +237,16 @@ static ssize_t ib_uverbs_event_read(stru
if (wait_event_interruptible(ev_queue->poll_wait,
(!list_empty(&ev_queue->event_list) ||
- /* The barriers built into wait_event_interruptible()
- * and wake_up() guarentee this will see the null set
- * without using RCU
- */
- !uverbs_file->device->ib_dev)))
+ ev_queue->is_closed)))
return -ERESTARTSYS;
+ spin_lock_irq(&ev_queue->lock);
+
/* If device was disassociated and no event exists set an error */
- if (list_empty(&ev_queue->event_list) &&
- !uverbs_file->device->ib_dev)
+ if (list_empty(&ev_queue->event_list) && ev_queue->is_closed) {
+ spin_unlock_irq(&ev_queue->lock);
return -EIO;
-
- spin_lock_irq(&ev_queue->lock);
+ }
}
event = list_entry(ev_queue->event_list.next, struct ib_uverbs_event, list);
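Review bot: the wait condition now reads ev_queue->is_closed without holding ev_queue->lock, and the comment that justified the old unlocked read was deleted along with it. The re-test under spin_lock_irq() makes the result correct, but nothing in the code says so. A short comment noting that the unlocked read only serves as a wake-up condition, and that the locked test of list_empty() and is_closed is the authoritative one, would keep this from being reordered later.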
@@ -285,8 +281,7 @@ static ssize_t ib_uverbs_async_event_rea
{
struct ib_uverbs_async_event_file *file = filp->private_data;
- return ib_uverbs_event_read(&file->ev_queue, file->uverbs_file, filp,
- buf, count, pos,
+ return ib_uverbs_event_read(&file->ev_queue, filp, buf, count, pos,
sizeof(struct ib_uverbs_async_event_desc));
}
@@ -296,9 +291,8 @@ static ssize_t ib_uverbs_comp_event_read
struct ib_uverbs_completion_event_file *comp_ev_file =
filp->private_data;
- return ib_uverbs_event_read(&comp_ev_file->ev_queue,
- comp_ev_file->uobj.ufile, filp,
- buf, count, pos,
+ return ib_uverbs_event_read(&comp_ev_file->ev_queue, filp, buf, count,
+ pos,
sizeof(struct ib_uverbs_comp_event_desc));
}
@@ -321,7 +315,9 @@ static __poll_t ib_uverbs_event_poll(str
static __poll_t ib_uverbs_async_event_poll(struct file *filp,
struct poll_table_struct *wait)
{
- return ib_uverbs_event_poll(filp->private_data, filp, wait);
+ struct ib_uverbs_async_event_file *file = filp->private_data;
+
+ return ib_uverbs_event_poll(&file->ev_queue, filp, wait);
}
static __poll_t ib_uverbs_comp_event_poll(struct file *filp,
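Review bot: ib_uverbs_async_event_poll() previously passed filp->private_data straight through as the event queue and now treats it as a struct ib_uverbs_async_event_file and passes &file->ev_queue; the fasync hunk that follows makes the same change. The commit message only discusses testing is_closed instead of ib_dev, so this change in how private_data is interpreted is undocumented. Please say in the commit message whether it is a pure cleanup or a correction to what was being dereferenced.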
@@ -335,9 +331,9 @@ static __poll_t ib_uverbs_comp_event_pol
static int ib_uverbs_async_event_fasync(int fd, struct file *filp, int on)
{
- struct ib_uverbs_event_queue *ev_queue = filp->private_data;
+ struct ib_uverbs_async_event_file *file = filp->private_data;
- return fasync_helper(fd, filp, on, &ev_queue->async_queue);
+ return fasync_helper(fd, filp, on, &file->ev_queue.async_queue);
}
static int ib_uverbs_comp_event_fasync(int fd, struct file *filp, int on)
From: Parav Pandit <[email protected]>
commit b4fb4cc5ba83b20dae13cef116c33648e81d2f44 upstream.
Below commit missed the AF_IB and loopback code flow in
rdma_resolve_addr(). This leads to an unbalanced cm_id refcount in
cma_work_handler() which puts the refcount which was not incremented prior
to queuing the work.
A call trace is observed with such code flow:
BUG: unable to handle kernel NULL pointer dereference at (null)
[<ffffffff96b67e16>] __mutex_lock_slowpath+0x166/0x1d0
[<ffffffff96b6715f>] mutex_lock+0x1f/0x2f
[<ffffffffc0beabb5>] cma_work_handler+0x25/0xa0
[<ffffffff964b9ebf>] process_one_work+0x17f/0x440
[<ffffffff964baf56>] worker_thread+0x126/0x3c0
Hence, hold the cm_id reference when scheduling the resolve work item.
Fixes: 722c7b2bfead ("RDMA/{cma, core}: Avoid callback on rdma_addr_cancel()")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Parav Pandit <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Reviewed-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/infiniband/core/cma.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -3118,6 +3118,7 @@ static int cma_resolve_loopback(struct r
rdma_addr_get_sgid(&id_priv->id.route.addr.dev_addr, &gid);
rdma_addr_set_dgid(&id_priv->id.route.addr.dev_addr, &gid);
+ atomic_inc(&id_priv->refcount);
cma_init_resolve_addr_work(work, id_priv);
queue_work(cma_wq, &work->work);
return 0;
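Review bot: the atomic_inc(&id_priv->refcount) added before cma_init_resolve_addr_work() has no comment pairing it with the put in cma_work_handler() that the commit message refers to, and the same bare increment is repeated in cma_resolve_ib_addr() below. A one-line comment at each site naming where the reference is dropped would make the get/put pairing checkable by reading the code. It would also make clear that the increment must stay ahead of queue_work(), since the handler may run as soon as the work is queued.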
@@ -3144,6 +3145,7 @@ static int cma_resolve_ib_addr(struct rd
rdma_addr_set_dgid(&id_priv->id.route.addr.dev_addr, (union ib_gid *)
&(((struct sockaddr_ib *) &id_priv->id.route.addr.dst_addr)->sib_addr));
+ atomic_inc(&id_priv->refcount);
cma_init_resolve_addr_work(work, id_priv);
queue_work(cma_wq, &work->work);
return 0;
On 2/13/20 8:19 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.5.4 release.
> There are 120 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.5.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.5.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
thanks,
-- Shuah
On Thu, 13 Feb 2020 at 21:00, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.5.4 release.
> There are 120 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.5.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.5.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Summary
------------------------------------------------------------------------
kernel: 5.5.4-rc2
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.5.y
git commit: ed6d023a1817c7e6a969bda2fd46d6a161cfd914
git describe: v5.5.3-121-ged6d023a1817
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.5-oe/build/v5.5.3-121-ged6d023a1817
No regressions (compared to build v5.5.3)
No fixes (compared to build v5.5.3)
Ran 24221 total tests in the following environments and test suites.
Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86
Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libgpiod
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* v4l2-compliance
* ltp-commands-tests
* ltp-math-tests
* ltp-cve-tests
* ltp-fs-tests
* ltp-open-posix-tests
* network-basic-tests
* perf
* spectre-meltdown-checker-test
* kvm-unit-tests
* ssuite
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none
--
Linaro LKFT
https://lkft.linaro.org
On 13/02/2020 15:19, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.5.4 release.
> There are 120 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.5.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.5.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests are passing for Tegra ...
Test results for stable-v5.5:
13 builds: 13 pass, 0 fail
22 boots: 22 pass, 0 fail
40 tests: 40 pass, 0 fail
Linux version: 5.5.4-rc2-ged6d023a1817
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Cheers
Jon
--
nvpublic
On Thu, Feb 13, 2020 at 07:19:56AM -0800, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.5.4 release.
> There are 120 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> Anything received after that time might be too late.
>
For v5.5.3-121-ged6d023a1817:
Build results:
total: 157 pass: 157 fail: 0
Qemu test results:
total: 400 pass: 400 fail: 0
Guenter
On Thu, Feb 13, 2020 at 07:19:56AM -0800, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.5.4 release.
> There are 120 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.5.4-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.5.y
> and the diffstat can be found below.
>
hello,
compiled and booted 5.5.4-rc1+ . No new errors according to "dmesg -l err"
--
software engineer
rajagiri school of engineering and technology
On Thu, Feb 13, 2020 at 05:40:48PM -0700, shuah wrote:
> On 2/13/20 8:19 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.5.4 release.
> > There are 120 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.5.4-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.5.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
>
> Compiled and booted on my test system. No dmesg regressions.
Thanks for testing all of these and letting me know.
greg k-h
On Fri, Feb 14, 2020 at 10:27:39AM +0000, Jon Hunter wrote:
>
> On 13/02/2020 15:19, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.5.4 release.
> > There are 120 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.5.4-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.5.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> All tests are passing for Tegra ...
>
> Test results for stable-v5.5:
> 13 builds: 13 pass, 0 fail
> 22 boots: 22 pass, 0 fail
> 40 tests: 40 pass, 0 fail
>
> Linux version: 5.5.4-rc2-ged6d023a1817
> Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
> tegra194-p2972-0000, tegra20-ventana,
> tegra210-p2371-2180, tegra210-p3450-0000,
> tegra30-cardhu-a04
>
Thanks for testing all of these and letting me know.
greg k-h
On Fri, Feb 14, 2020 at 03:50:33PM +0530, Naresh Kamboju wrote:
> On Thu, 13 Feb 2020 at 21:00, Greg Kroah-Hartman
> <[email protected]> wrote:
> >
> > This is the start of the stable review cycle for the 5.5.4 release.
> > There are 120 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.5.4-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.5.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.
Thanks for testing all of these and letting me know.
greg k-h
On Fri, Feb 14, 2020 at 08:28:29AM -0800, Guenter Roeck wrote:
> On Thu, Feb 13, 2020 at 07:19:56AM -0800, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.5.4 release.
> > There are 120 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> > Anything received after that time might be too late.
> >
>
> For v5.5.3-121-ged6d023a1817:
>
> Build results:
> total: 157 pass: 157 fail: 0
> Qemu test results:
> total: 400 pass: 400 fail: 0
Great, thanks for testing all of these and letting me know.
greg k-h
On Fri, Feb 14, 2020 at 09:28:34PM +0530, Jeffrin Jose wrote:
> On Thu, Feb 13, 2020 at 07:19:56AM -0800, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.5.4 release.
> > There are 120 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 15 Feb 2020 15:16:41 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.5.4-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.5.y
> > and the diffstat can be found below.
> >
>
> hello,
>
> compiled and booted 5.5.4-rc1+ . No new errors according to "dmesg -l err"
Wonderful, thanks for testing and letting me know.
greg k-h