2020-11-17 14:06:54

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 00/78] 4.9.244-rc1 review

This is the start of the stable review cycle for the 4.9.244 release.
There are 78 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 19 Nov 2020 12:20:51 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.244-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 4.9.244-rc1

Boris Protopopov <[email protected]>
Convert trailing spaces and periods in path components

Eric Biggers <[email protected]>
ext4: fix leaking sysfs kobject after failed mount

Matteo Croce <[email protected]>
reboot: fix overflow parsing reboot cpu number

Matteo Croce <[email protected]>
Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint"

Jiri Olsa <[email protected]>
perf/core: Fix race in the perf_mmap_close() function

Juergen Gross <[email protected]>
xen/events: block rogue events for some time

Juergen Gross <[email protected]>
xen/events: defer eoi in case of excessive number of events

Juergen Gross <[email protected]>
xen/events: use a common cpu hotplug hook for event channels

Juergen Gross <[email protected]>
xen/events: switch user event channels to lateeoi model

Juergen Gross <[email protected]>
xen/pciback: use lateeoi irq binding

Juergen Gross <[email protected]>
xen/scsiback: use lateeoi irq binding

Juergen Gross <[email protected]>
xen/netback: use lateeoi irq binding

Juergen Gross <[email protected]>
xen/blkback: use lateeoi irq binding

Juergen Gross <[email protected]>
xen/events: add a new "late EOI" evtchn framework

Juergen Gross <[email protected]>
xen/events: fix race in evtchn_fifo_unmask()

Juergen Gross <[email protected]>
xen/events: add a proper barrier to 2-level uevent unmasking

Juergen Gross <[email protected]>
xen/events: avoid removing an event channel while handling it

kiyin(尹亮) <[email protected]>
perf/core: Fix a memory leak in perf_event_parse_addr_filter()

Mathieu Poirier <[email protected]>
perf/core: Fix crash when using HW tracing kernel filters

Song Liu <[email protected]>
perf/core: Fix bad use of igrab()

Anand K Mistry <[email protected]>
x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP

George Spelvin <[email protected]>
random32: make prandom_u32() output unpredictable

Mao Wenan <[email protected]>
net: Update window_clamp if SOCK_RCVBUF is set

Martin Schiller <[email protected]>
net/x25: Fix null-ptr-deref in x25_connect

Ursula Braun <[email protected]>
net/af_iucv: fix null pointer dereference on shutdown

Oliver Herms <[email protected]>
IPv6: Set SIT tunnel hard_header_len to zero

Stefano Stabellini <[email protected]>
swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb"

Coiby Xu <[email protected]>
pinctrl: amd: fix incorrect way to disable debounce filter

Coiby Xu <[email protected]>
pinctrl: amd: use higher precision for 512 RtcClk

Thomas Zimmermann <[email protected]>
drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[]

Al Viro <[email protected]>
don't dump the threads that had been already exiting when zapped.

Wengang Wang <[email protected]>
ocfs2: initialize ip_next_orphan

Alexander Usyskin <[email protected]>
mei: protect mei_cl_mtu from null dereference

Chris Brandt <[email protected]>
usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode

Joseph Qi <[email protected]>
ext4: unlock xattr_sem properly in ext4_inline_data_truncate()

Kaixu Xia <[email protected]>
ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA

Peter Zijlstra <[email protected]>
perf: Fix get_recursion_context()

Wang Hai <[email protected]>
cosa: Add missing kfree in error path of cosa_write

Evan Nimmo <[email protected]>
of/address: Fix of_node memory leak in of_dma_is_coherent

Christoph Hellwig <[email protected]>
xfs: fix a missing unlock on error in xfs_fs_map_blocks

Darrick J. Wong <[email protected]>
xfs: fix rmap key and record comparison functions

Darrick J. Wong <[email protected]>
xfs: fix flags argument to rmap lookup when converting shared file rmaps

Billy Tsai <[email protected]>
pinctrl: aspeed: Fix GPI only function problem.

Suravee Suthikulpanit <[email protected]>
iommu/amd: Increase interrupt remapping table limit to 512 entries

Hannes Reinecke <[email protected]>
scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()

Ye Bin <[email protected]>
cfg80211: regulatory: Fix inconsistent format argument

Johannes Berg <[email protected]>
mac80211: always wind down STA state

Johannes Berg <[email protected]>
mac80211: fix use of skb payload instead of header

Evan Quan <[email protected]>
drm/amdgpu: perform srbm soft reset always on SDMA resume

Keita Suzuki <[email protected]>
scsi: hpsa: Fix memory leak in hpsa_init_one()

Bob Peterson <[email protected]>
gfs2: check for live vs. read-only file system in gfs2_fitrim

Bob Peterson <[email protected]>
gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free

Evgeny Novikov <[email protected]>
usb: gadget: goku_udc: fix potential crashes in probe

Masashi Honma <[email protected]>
ath9k_htc: Use appropriate rs_datalen type

Mark Gray <[email protected]>
geneve: add transport ports in route lookup for geneve

Martyna Szapar <[email protected]>
i40e: Memory leak in i40e_config_iwarp_qvlist

Martyna Szapar <[email protected]>
i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c

Grzegorz Siwik <[email protected]>
i40e: Wrong truncation from u16 to u8

Sergey Nemov <[email protected]>
i40e: add num_vectors checker in iwarp handler

Christophe JAILLET <[email protected]>
i40e: Fix a potential NULL pointer dereference

Will Deacon <[email protected]>
pinctrl: devicetree: Avoid taking direct reference to device name string

Filipe Manana <[email protected]>
Btrfs: fix missing error return if writeback for extent buffer never started

Brian Foster <[email protected]>
xfs: flush new eof page on truncate to avoid post-eof corruption

Stephane Grosjean <[email protected]>
can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping

Dan Carpenter <[email protected]>
can: peak_usb: add range checking in decode operations

Oleksij Rempel <[email protected]>
can: can_create_echo_skb(): fix echo skb generation: always use skb_clone()

Oliver Hartkopp <[email protected]>
can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames

Vincent Mailhol <[email protected]>
can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context

Dan Carpenter <[email protected]>
ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()

Jiri Olsa <[email protected]>
perf tools: Add missing swap for ino_generation

zhuoliang zhang <[email protected]>
net: xfrm: fix a race condition during allocing spi

Marc Zyngier <[email protected]>
genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY

Johannes Thumshirn <[email protected]>
btrfs: reschedule when cloning lots of extents

Zeng Tao <[email protected]>
time: Prevent undefined behaviour in timespec64_to_ns()

Shijie Luo <[email protected]>
mm: mempolicy: fix potential pte_unmap_unlock pte error

Alexander Aring <[email protected]>
gfs2: Wake up when sd_glock_disposal becomes zero

Steven Rostedt (VMware) <[email protected]>
ring-buffer: Fix recursion protection transitions between interrupt context

Michał Mirosław <[email protected]>
regulator: defer probe when trying to get voltage from unresolved supply


-------------

Diffstat:

Documentation/kernel-parameters.txt | 8 +
Makefile | 4 +-
arch/x86/events/intel/pt.c | 4 +-
arch/x86/kernel/cpu/bugs.c | 52 ++-
drivers/block/xen-blkback/blkback.c | 22 +-
drivers/block/xen-blkback/xenbus.c | 5 +-
drivers/char/random.c | 1 -
drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 27 +-
drivers/gpu/drm/gma500/psb_irq.c | 34 +-
drivers/iommu/amd_iommu_types.h | 6 +-
drivers/misc/mei/client.h | 4 +-
drivers/net/can/dev.c | 14 +-
drivers/net/can/usb/peak_usb/pcan_usb_core.c | 51 ++-
drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 48 ++-
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 32 +-
drivers/net/geneve.c | 36 +-
drivers/net/wan/cosa.c | 1 +
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 2 +-
drivers/net/xen-netback/common.h | 15 +
drivers/net/xen-netback/interface.c | 61 ++-
drivers/net/xen-netback/netback.c | 11 +-
drivers/net/xen-netback/rx.c | 13 +-
drivers/of/address.c | 4 +-
drivers/pinctrl/aspeed/pinctrl-aspeed.c | 7 +-
drivers/pinctrl/devicetree.c | 26 +-
drivers/pinctrl/pinctrl-amd.c | 6 +-
drivers/regulator/core.c | 2 +
drivers/scsi/device_handler/scsi_dh_alua.c | 9 +-
drivers/scsi/hpsa.c | 4 +-
drivers/usb/class/cdc-acm.c | 9 +
drivers/usb/gadget/udc/goku_udc.c | 2 +-
drivers/xen/events/events_2l.c | 9 +-
drivers/xen/events/events_base.c | 422 +++++++++++++++++--
drivers/xen/events/events_fifo.c | 82 ++--
drivers/xen/events/events_internal.h | 20 +-
drivers/xen/evtchn.c | 7 +-
drivers/xen/xen-pciback/pci_stub.c | 14 +-
drivers/xen/xen-pciback/pciback.h | 12 +-
drivers/xen/xen-pciback/pciback_ops.c | 48 ++-
drivers/xen/xen-pciback/xenbus.c | 2 +-
drivers/xen/xen-scsiback.c | 23 +-
fs/btrfs/extent_io.c | 4 +
fs/btrfs/ioctl.c | 2 +
fs/cifs/cifs_unicode.c | 8 +-
fs/ext4/inline.c | 1 +
fs/ext4/super.c | 5 +-
fs/gfs2/glock.c | 3 +-
fs/gfs2/rgrp.c | 5 +-
fs/ocfs2/super.c | 1 +
fs/xfs/libxfs/xfs_rmap.c | 2 +-
fs/xfs/libxfs/xfs_rmap_btree.c | 16 +-
fs/xfs/xfs_iops.c | 10 +
fs/xfs/xfs_pnfs.c | 2 +-
include/linux/can/skb.h | 20 +-
include/linux/perf_event.h | 2 +-
include/linux/prandom.h | 36 +-
include/linux/time64.h | 4 +
include/xen/events.h | 29 +-
kernel/events/core.c | 42 +-
kernel/events/internal.h | 2 +-
kernel/exit.c | 5 +-
kernel/irq/Kconfig | 1 +
kernel/reboot.c | 28 +-
kernel/time/timer.c | 7 -
kernel/trace/ring_buffer.c | 54 ++-
lib/random32.c | 462 +++++++++++++--------
lib/swiotlb.c | 6 +-
mm/mempolicy.c | 6 +-
net/ipv4/syncookies.c | 9 +-
net/ipv6/sit.c | 2 -
net/ipv6/syncookies.c | 10 +-
net/iucv/af_iucv.c | 3 +-
net/mac80211/sta_info.c | 18 +
net/mac80211/tx.c | 35 +-
net/wireless/reg.c | 2 +-
net/x25/af_x25.c | 2 +-
net/xfrm/xfrm_state.c | 8 +-
sound/hda/ext/hdac_ext_controller.c | 2 +
tools/perf/util/session.c | 1 +
79 files changed, 1465 insertions(+), 549 deletions(-)



2020-11-17 14:07:03

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 35/78] iommu/amd: Increase interrupt remapping table limit to 512 entries

From: Suravee Suthikulpanit <[email protected]>

[ Upstream commit 73db2fc595f358460ce32bcaa3be1f0cce4a2db1 ]

Certain device drivers allocate IO queues on a per-cpu basis.
On AMD EPYC platform, which can support up-to 256 cpu threads,
this can exceed the current MAX_IRQ_PER_TABLE limit of 256,
and result in the error message:

AMD-Vi: Failed to allocate IRTE

This has been observed with certain NVME devices.

AMD IOMMU hardware can actually support upto 512 interrupt
remapping table entries. Therefore, update the driver to
match the hardware limit.

Please note that this also increases the size of interrupt remapping
table to 8KB per device when using the 128-bit IRTE format.

Signed-off-by: Suravee Suthikulpanit <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Joerg Roedel <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/iommu/amd_iommu_types.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
index da3fbf82d1cf4..e19c05d9e84ba 100644
--- a/drivers/iommu/amd_iommu_types.h
+++ b/drivers/iommu/amd_iommu_types.h
@@ -383,7 +383,11 @@ extern bool amd_iommu_np_cache;
/* Only true if all IOMMUs support device IOTLBs */
extern bool amd_iommu_iotlb_sup;

-#define MAX_IRQS_PER_TABLE 256
+/*
+ * AMD IOMMU hardware only support 512 IRTEs despite
+ * the architectural limitation of 2048 entries.
+ */
+#define MAX_IRQS_PER_TABLE 512
#define IRQ_TABLE_ALIGNMENT 128

struct irq_remap_table {
--
2.27.0



2020-11-17 14:07:07

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 70/78] xen/events: switch user event channels to lateeoi model

From: Juergen Gross <[email protected]>

commit c44b849cee8c3ac587da3b0980e01f77500d158c upstream.

Instead of disabling the irq when an event is received and enabling
it again when handled by the user process use the lateeoi model.

This is part of XSA-332.

Cc: [email protected]
Reported-by: Julien Grall <[email protected]>
Signed-off-by: Juergen Gross <[email protected]>
Tested-by: Stefano Stabellini <[email protected]>
Reviewed-by: Stefano Stabellini <[email protected]>
Reviewed-by: Jan Beulich <[email protected]>
Reviewed-by: Wei Liu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/xen/evtchn.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/xen/evtchn.c
+++ b/drivers/xen/evtchn.c
@@ -178,7 +178,6 @@ static irqreturn_t evtchn_interrupt(int
"Interrupt for port %d, but apparently not enabled; per-user %p\n",
evtchn->port, u);

- disable_irq_nosync(irq);
evtchn->enabled = false;

spin_lock(&u->ring_prod_lock);
@@ -304,7 +303,7 @@ static ssize_t evtchn_write(struct file
evtchn = find_evtchn(u, port);
if (evtchn && !evtchn->enabled) {
evtchn->enabled = true;
- enable_irq(irq_from_evtchn(port));
+ xen_irq_lateeoi(irq_from_evtchn(port), 0);
}
}

@@ -404,8 +403,8 @@ static int evtchn_bind_to_user(struct pe
if (rc < 0)
goto err;

- rc = bind_evtchn_to_irqhandler(port, evtchn_interrupt, 0,
- u->name, evtchn);
+ rc = bind_evtchn_to_irqhandler_lateeoi(port, evtchn_interrupt, 0,
+ u->name, evtchn);
if (rc < 0)
goto err;



2020-11-17 14:07:09

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 36/78] pinctrl: aspeed: Fix GPI only function problem.

From: Billy Tsai <[email protected]>

[ Upstream commit 9b92f5c51e9a41352d665f6f956bd95085a56a83 ]

Some gpio pin at aspeed soc is input only and the prefix name of these
pin is "GPI" only.
This patch fine-tune the condition of GPIO check from "GPIO" to "GPI"
and it will fix the usage error of banks D and E in the AST2400/AST2500
and banks T and U in the AST2600.

Fixes: 4d3d0e4272d8 ("pinctrl: Add core support for Aspeed SoCs")
Signed-off-by: Billy Tsai <[email protected]>
Reviewed-by: Andrew Jeffery <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Linus Walleij <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/pinctrl/aspeed/pinctrl-aspeed.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/pinctrl/aspeed/pinctrl-aspeed.c b/drivers/pinctrl/aspeed/pinctrl-aspeed.c
index 49aeba9125319..23d2f0ba12db5 100644
--- a/drivers/pinctrl/aspeed/pinctrl-aspeed.c
+++ b/drivers/pinctrl/aspeed/pinctrl-aspeed.c
@@ -387,13 +387,14 @@ int aspeed_pinmux_set_mux(struct pinctrl_dev *pctldev, unsigned int function,
static bool aspeed_expr_is_gpio(const struct aspeed_sig_expr *expr)
{
/*
- * The signal type is GPIO if the signal name has "GPIO" as a prefix.
+ * The signal type is GPIO if the signal name has "GPI" as a prefix.
* strncmp (rather than strcmp) is used to implement the prefix
* requirement.
*
- * expr->signal might look like "GPIOT3" in the GPIO case.
+ * expr->signal might look like "GPIOB1" in the GPIO case.
+ * expr->signal might look like "GPIT0" in the GPI case.
*/
- return strncmp(expr->signal, "GPIO", 4) == 0;
+ return strncmp(expr->signal, "GPI", 3) == 0;
}

static bool aspeed_gpio_in_exprs(const struct aspeed_sig_expr **exprs)
--
2.27.0



2020-11-17 14:07:14

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 77/78] ext4: fix leaking sysfs kobject after failed mount

From: Eric Biggers <[email protected]>

commit cb8d53d2c97369029cc638c9274ac7be0a316c75 upstream.

ext4_unregister_sysfs() only deletes the kobject. The reference to it
needs to be put separately, like ext4_put_super() does.

This addresses the syzbot report
"memory leak in kobject_set_name_vargs (3)"
(https://syzkaller.appspot.com/bug?extid=9f864abad79fae7c17e1).

Reported-by: [email protected]
Fixes: 72ba74508b28 ("ext4: release sysfs kobject when failing to enable quotas on mount")
Cc: [email protected]
Signed-off-by: Eric Biggers <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Reviewed-by: Jan Kara <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
[sudip: adjust context]
Signed-off-by: Sudip Mukherjee <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/ext4/super.c | 1 +
1 file changed, 1 insertion(+)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4336,6 +4336,7 @@ cantfind_ext4:
#ifdef CONFIG_QUOTA
failed_mount8:
ext4_unregister_sysfs(sb);
+ kobject_put(&sbi->s_kobj);
#endif
failed_mount7:
ext4_unregister_li_request(sb);


2020-11-17 14:07:15

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 04/78] mm: mempolicy: fix potential pte_unmap_unlock pte error

From: Shijie Luo <[email protected]>

[ Upstream commit 3f08842098e842c51e3b97d0dcdebf810b32558e ]

When flags in queue_pages_pte_range don't have MPOL_MF_MOVE or
MPOL_MF_MOVE_ALL bits, code breaks and passing origin pte - 1 to
pte_unmap_unlock seems like not a good idea.

queue_pages_pte_range can run in MPOL_MF_MOVE_ALL mode which doesn't
migrate misplaced pages but returns with EIO when encountering such a
page. Since commit a7f40cfe3b7a ("mm: mempolicy: make mbind() return
-EIO when MPOL_MF_STRICT is specified") and early break on the first pte
in the range results in pte_unmap_unlock on an underflow pte. This can
lead to lockups later on when somebody tries to lock the pte resp.
page_table_lock again..

Fixes: a7f40cfe3b7a ("mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified")
Signed-off-by: Shijie Luo <[email protected]>
Signed-off-by: Miaohe Lin <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Reviewed-by: Oscar Salvador <[email protected]>
Acked-by: Michal Hocko <[email protected]>
Cc: Miaohe Lin <[email protected]>
Cc: Feilong Lin <[email protected]>
Cc: Shijie Luo <[email protected]>
Cc: <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
mm/mempolicy.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index a2be65bf5d8cc..2f443767fd1b4 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -487,7 +487,7 @@ static int queue_pages_pte_range(pmd_t *pmd, unsigned long addr,
struct queue_pages *qp = walk->private;
unsigned long flags = qp->flags;
int nid, ret;
- pte_t *pte;
+ pte_t *pte, *mapped_pte;
spinlock_t *ptl;

if (pmd_trans_huge(*pmd)) {
@@ -515,7 +515,7 @@ static int queue_pages_pte_range(pmd_t *pmd, unsigned long addr,
if (pmd_trans_unstable(pmd))
return 0;
retry:
- pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
+ mapped_pte = pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
for (; addr != end; pte++, addr += PAGE_SIZE) {
if (!pte_present(*pte))
continue;
@@ -554,7 +554,7 @@ retry:
} else
break;
}
- pte_unmap_unlock(pte - 1, ptl);
+ pte_unmap_unlock(mapped_pte, ptl);
cond_resched();
return addr != end ? -EIO : 0;
}
--
2.27.0



2020-11-17 14:07:15

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 59/78] perf/core: Fix bad use of igrab()

From: Song Liu <[email protected]>

commit 9511bce9fe8e5e6c0f923c09243a713eba560141 upstream

As Miklos reported and suggested:

"This pattern repeats two times in trace_uprobe.c and in
kernel/events/core.c as well:

ret = kern_path(filename, LOOKUP_FOLLOW, &path);
if (ret)
goto fail_address_parse;

inode = igrab(d_inode(path.dentry));
path_put(&path);

And it's wrong. You can only hold a reference to the inode if you
have an active ref to the superblock as well (which is normally
through path.mnt) or holding s_umount.

This way unmounting the containing filesystem while the tracepoint is
active will give you the "VFS: Busy inodes after unmount..." message
and a crash when the inode is finally put.

Solution: store path instead of inode."

This patch fixes the issue in kernel/event/core.c.

Reviewed-and-tested-by: Alexander Shishkin <[email protected]>
Reported-by: Miklos Szeredi <[email protected]>
Signed-off-by: Song Liu <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: <[email protected]>
Cc: Alexander Shishkin <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Stephane Eranian <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Vince Weaver <[email protected]>
Fixes: 375637bc5249 ("perf/core: Introduce address range filtering")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
[sudip: Backported to 4.9: use file_inode()]
Signed-off-by: Sudip Mukherjee <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/x86/events/intel/pt.c | 4 ++--
include/linux/perf_event.h | 2 +-
kernel/events/core.c | 21 +++++++++------------
3 files changed, 12 insertions(+), 15 deletions(-)

--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1117,7 +1117,7 @@ static int pt_event_addr_filters_validat
if (!filter->range || !filter->size)
return -EOPNOTSUPP;

- if (!filter->inode) {
+ if (!filter->path.dentry) {
if (!valid_kernel_ip(filter->offset))
return -EINVAL;

@@ -1144,7 +1144,7 @@ static void pt_event_addr_filters_sync(s
return;

list_for_each_entry(filter, &head->list, entry) {
- if (filter->inode && !offs[range]) {
+ if (filter->path.dentry && !offs[range]) {
msr_a = msr_b = 0;
} else {
/* apply the offset */
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -475,7 +475,7 @@ struct pmu {
*/
struct perf_addr_filter {
struct list_head entry;
- struct inode *inode;
+ struct path path;
unsigned long offset;
unsigned long size;
unsigned int range : 1,
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6271,7 +6271,7 @@ static void perf_event_addr_filters_exec

raw_spin_lock_irqsave(&ifh->lock, flags);
list_for_each_entry(filter, &ifh->list, entry) {
- if (filter->inode) {
+ if (filter->path.dentry) {
event->addr_filters_offs[count] = 0;
restart++;
}
@@ -6814,7 +6814,7 @@ static bool perf_addr_filter_match(struc
struct file *file, unsigned long offset,
unsigned long size)
{
- if (filter->inode != file->f_inode)
+ if (d_inode(filter->path.dentry) != file_inode(file))
return false;

if (filter->offset > offset + size)
@@ -8028,8 +8028,7 @@ static void free_filters_list(struct lis
struct perf_addr_filter *filter, *iter;

list_for_each_entry_safe(filter, iter, filters, entry) {
- if (filter->inode)
- iput(filter->inode);
+ path_put(&filter->path);
list_del(&filter->entry);
kfree(filter);
}
@@ -8123,7 +8122,7 @@ static void perf_event_addr_filters_appl
* Adjust base offset if the filter is associated to a binary
* that needs to be mapped:
*/
- if (filter->inode)
+ if (filter->path.dentry)
event->addr_filters_offs[count] =
perf_addr_filter_apply(filter, mm);

@@ -8196,7 +8195,6 @@ perf_event_parse_addr_filter(struct perf
{
struct perf_addr_filter *filter = NULL;
char *start, *orig, *filename = NULL;
- struct path path;
substring_t args[MAX_OPT_ARGS];
int state = IF_STATE_ACTION, token;
unsigned int kernel = 0;
@@ -8287,19 +8285,18 @@ perf_event_parse_addr_filter(struct perf
goto fail;

/* look up the path and grab its inode */
- ret = kern_path(filename, LOOKUP_FOLLOW, &path);
+ ret = kern_path(filename, LOOKUP_FOLLOW,
+ &filter->path);
if (ret)
goto fail_free_name;

- filter->inode = igrab(d_inode(path.dentry));
- path_put(&path);
kfree(filename);
filename = NULL;

ret = -EINVAL;
- if (!filter->inode ||
- !S_ISREG(filter->inode->i_mode))
- /* free_filters_list() will iput() */
+ if (!filter->path.dentry ||
+ !S_ISREG(d_inode(filter->path.dentry)
+ ->i_mode))
goto fail;
}



2020-11-17 14:07:29

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 61/78] perf/core: Fix a memory leak in perf_event_parse_addr_filter()

From: "kiyin(尹亮)" <[email protected]>

commit 7bdb157cdebbf95a1cd94ed2e01b338714075d00 upstream

As shown through runtime testing, the "filename" allocation is not
always freed in perf_event_parse_addr_filter().

There are three possible ways that this could happen:

- It could be allocated twice on subsequent iterations through the loop,
- or leaked on the success path,
- or on the failure path.

Clean up the code flow to make it obvious that 'filename' is always
freed in the reallocation path and in the two return paths as well.

We rely on the fact that kfree(NULL) is NOP and filename is initialized
with NULL.

This fixes the leak. No other side effects expected.

[ Dan Carpenter: cleaned up the code flow & added a changelog. ]
[ Ingo Molnar: updated the changelog some more. ]

Fixes: 375637bc5249 ("perf/core: Introduce address range filtering")
Signed-off-by: "kiyin(尹亮)" <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Cc: "Srivatsa S. Bhat" <[email protected]>
Cc: Anthony Liguori <[email protected]>
[sudip: Backported to 4.9: adjust context]
Signed-off-by: Sudip Mukherjee <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
kernel/events/core.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -8261,6 +8261,7 @@ perf_event_parse_addr_filter(struct perf
if (token == IF_SRC_FILE || token == IF_SRC_FILEADDR) {
int fpos = filter->range ? 2 : 1;

+ kfree(filename);
filename = match_strdup(&args[fpos]);
if (!filename) {
ret = -ENOMEM;
@@ -8292,10 +8293,7 @@ perf_event_parse_addr_filter(struct perf
ret = kern_path(filename, LOOKUP_FOLLOW,
&filter->path);
if (ret)
- goto fail_free_name;
-
- kfree(filename);
- filename = NULL;
+ goto fail;

ret = -EINVAL;
if (!filter->path.dentry ||
@@ -8313,13 +8311,13 @@ perf_event_parse_addr_filter(struct perf
if (state != IF_STATE_ACTION)
goto fail;

+ kfree(filename);
kfree(orig);

return 0;

-fail_free_name:
- kfree(filename);
fail:
+ kfree(filename);
free_filters_list(filters);
kfree(orig);



2020-11-17 14:07:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 30/78] drm/amdgpu: perform srbm soft reset always on SDMA resume

From: Evan Quan <[email protected]>

[ Upstream commit 253475c455eb5f8da34faa1af92709e7bb414624 ]

This can address the random SDMA hang after pci config reset
seen on Hawaii.

Signed-off-by: Evan Quan <[email protected]>
Tested-by: Sandeep Raghuraman <[email protected]>
Reviewed-by: Alex Deucher <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
index cb952acc71339..2934443fbd4dc 100644
--- a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
+++ b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c
@@ -1053,22 +1053,19 @@ static int cik_sdma_soft_reset(void *handle)
{
u32 srbm_soft_reset = 0;
struct amdgpu_device *adev = (struct amdgpu_device *)handle;
- u32 tmp = RREG32(mmSRBM_STATUS2);
+ u32 tmp;

- if (tmp & SRBM_STATUS2__SDMA_BUSY_MASK) {
- /* sdma0 */
- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET);
- tmp |= SDMA0_F32_CNTL__HALT_MASK;
- WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp);
- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK;
- }
- if (tmp & SRBM_STATUS2__SDMA1_BUSY_MASK) {
- /* sdma1 */
- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET);
- tmp |= SDMA0_F32_CNTL__HALT_MASK;
- WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp);
- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK;
- }
+ /* sdma0 */
+ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET);
+ tmp |= SDMA0_F32_CNTL__HALT_MASK;
+ WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp);
+ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK;
+
+ /* sdma1 */
+ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET);
+ tmp |= SDMA0_F32_CNTL__HALT_MASK;
+ WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp);
+ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK;

if (srbm_soft_reset) {
tmp = RREG32(mmSRBM_SOFT_RESET);
--
2.27.0



2020-11-17 14:07:34

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 19/78] i40e: Fix a potential NULL pointer dereference

From: Christophe JAILLET <[email protected]>

commit 54902349ee95045b67e2f0c39b75f5418540064b upstream.

If 'kzalloc()' fails, a NULL pointer will be dereferenced.
Return an error code (-ENOMEM) instead.

Signed-off-by: Christophe JAILLET <[email protected]>
Tested-by: Andrew Bowers <[email protected]>
Signed-off-by: Jeff Kirsher <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 7484ad3c955db..0f54269ffc463 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -422,6 +422,9 @@ static int i40e_config_iwarp_qvlist(struct i40e_vf *vf,
(sizeof(struct i40e_virtchnl_iwarp_qv_info) *
(qvlist_info->num_vectors - 1));
vf->qvlist_info = kzalloc(size, GFP_KERNEL);
+ if (!vf->qvlist_info)
+ return -ENOMEM;
+
vf->qvlist_info->num_vectors = qvlist_info->num_vectors;

msix_vf = pf->hw.func_caps.num_msix_vectors_vf;
--
2.27.0



2020-11-17 14:07:48

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 75/78] Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint"

From: Matteo Croce <[email protected]>

commit 8b92c4ff4423aa9900cf838d3294fcade4dbda35 upstream.

Patch series "fix parsing of reboot= cmdline", v3.

The parsing of the reboot= cmdline has two major errors:

- a missing bound check can crash the system on reboot

- parsing of the cpu number only works if specified last

Fix both.

This patch (of 2):

This reverts commit 616feab753972b97.

kstrtoint() and simple_strtoul() have a subtle difference which makes
them non interchangeable: if a non digit character is found amid the
parsing, the former will return an error, while the latter will just
stop parsing, e.g. simple_strtoul("123xyx") = 123.

The kernel cmdline reboot= argument allows to specify the CPU used for
rebooting, with the syntax `s####` among the other flags, e.g.
"reboot=warm,s31,force", so if this flag is not the last given, it's
silently ignored as well as the subsequent ones.

Fixes: 616feab75397 ("kernel/reboot.c: convert simple_strtoul to kstrtoint")
Signed-off-by: Matteo Croce <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Cc: Guenter Roeck <[email protected]>
Cc: Petr Mladek <[email protected]>
Cc: Arnd Bergmann <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Pavel Tatashin <[email protected]>
Cc: Robin Holt <[email protected]>
Cc: Fabian Frederick <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Linus Torvalds <[email protected]>
[sudip: use reboot_mode instead of mode]
Signed-off-by: Sudip Mukherjee <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
kernel/reboot.c | 21 +++++++--------------
1 file changed, 7 insertions(+), 14 deletions(-)

--- a/kernel/reboot.c
+++ b/kernel/reboot.c
@@ -512,22 +512,15 @@ static int __init reboot_setup(char *str
break;

case 's':
- {
- int rc;
-
- if (isdigit(*(str+1))) {
- rc = kstrtoint(str+1, 0, &reboot_cpu);
- if (rc)
- return rc;
- } else if (str[1] == 'm' && str[2] == 'p' &&
- isdigit(*(str+3))) {
- rc = kstrtoint(str+3, 0, &reboot_cpu);
- if (rc)
- return rc;
- } else
+ if (isdigit(*(str+1)))
+ reboot_cpu = simple_strtoul(str+1, NULL, 0);
+ else if (str[1] == 'm' && str[2] == 'p' &&
+ isdigit(*(str+3)))
+ reboot_cpu = simple_strtoul(str+3, NULL, 0);
+ else
reboot_mode = REBOOT_SOFT;
break;
- }
+
case 'g':
reboot_mode = REBOOT_GPIO;
break;


2020-11-17 14:07:55

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 20/78] i40e: add num_vectors checker in iwarp handler

From: Sergey Nemov <[email protected]>

commit 7015ca3df965378bcef072cca9cd63ed098665b5 upstream.

Field num_vectors from struct virtchnl_iwarp_qvlist_info should not be
larger than num_msix_vectors_vf in the hw struct. The iwarp uses the
same set of vectors as the LAN VF driver.

Signed-off-by: Sergey Nemov <[email protected]>
Tested-by: Andrew Bowers <[email protected]>
Signed-off-by: Jeff Kirsher <[email protected]>
[bwh: Backported to 4.9: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 0f54269ffc463..0ac09c9e4aaac 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -418,6 +418,16 @@ static int i40e_config_iwarp_qvlist(struct i40e_vf *vf,
u32 next_q_idx, next_q_type;
u32 msix_vf, size;

+ msix_vf = pf->hw.func_caps.num_msix_vectors_vf;
+
+ if (qvlist_info->num_vectors > msix_vf) {
+ dev_warn(&pf->pdev->dev,
+ "Incorrect number of iwarp vectors %u. Maximum %u allowed.\n",
+ qvlist_info->num_vectors,
+ msix_vf);
+ goto err;
+ }
+
size = sizeof(struct i40e_virtchnl_iwarp_qvlist_info) +
(sizeof(struct i40e_virtchnl_iwarp_qv_info) *
(qvlist_info->num_vectors - 1));
--
2.27.0



2020-11-17 14:07:56

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 16/78] xfs: flush new eof page on truncate to avoid post-eof corruption

From: Brian Foster <[email protected]>

[ Upstream commit 869ae85dae64b5540e4362d7fe4cd520e10ec05c ]

It is possible to expose non-zeroed post-EOF data in XFS if the new
EOF page is dirty, backed by an unwritten block and the truncate
happens to race with writeback. iomap_truncate_page() will not zero
the post-EOF portion of the page if the underlying block is
unwritten. The subsequent call to truncate_setsize() will, but
doesn't dirty the page. Therefore, if writeback happens to complete
after iomap_truncate_page() (so it still sees the unwritten block)
but before truncate_setsize(), the cached page becomes inconsistent
with the on-disk block. A mapped read after the associated page is
reclaimed or invalidated exposes non-zero post-EOF data.

For example, consider the following sequence when run on a kernel
modified to explicitly flush the new EOF page within the race
window:

$ xfs_io -fc "falloc 0 4k" -c fsync /mnt/file
$ xfs_io -c "pwrite 0 4k" -c "truncate 1k" /mnt/file
...
$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file
00000400: 00 00 00 00 00 00 00 00 ........
$ umount /mnt/; mount <dev> /mnt/
$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file
00000400: cd cd cd cd cd cd cd cd ........

Update xfs_setattr_size() to explicitly flush the new EOF page prior
to the page truncate to ensure iomap has the latest state of the
underlying block.

Fixes: 68a9f5e7007c ("xfs: implement iomap based buffered write path")
Signed-off-by: Brian Foster <[email protected]>
Reviewed-by: Darrick J. Wong <[email protected]>
Signed-off-by: Darrick J. Wong <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/xfs/xfs_iops.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index 7bfddcd32d73e..0d587657056d8 100644
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -864,6 +864,16 @@ xfs_setattr_size(
if (newsize > oldsize) {
error = xfs_zero_eof(ip, newsize, oldsize, &did_zeroing);
} else {
+ /*
+ * iomap won't detect a dirty page over an unwritten block (or a
+ * cow block over a hole) and subsequently skips zeroing the
+ * newly post-EOF portion of the page. Flush the new EOF to
+ * convert the block before the pagecache truncate.
+ */
+ error = filemap_write_and_wait_range(inode->i_mapping, newsize,
+ newsize);
+ if (error)
+ return error;
error = iomap_truncate_page(inode, newsize, &did_zeroing,
&xfs_iomap_ops);
}
--
2.27.0



2020-11-17 14:08:05

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 01/78] regulator: defer probe when trying to get voltage from unresolved supply

From: Michał Mirosław <[email protected]>

[ Upstream commit cf1ad559a20d1930aa7b47a52f54e1f8718de301 ]

regulator_get_voltage_rdev() is called in regulator probe() when
applying machine constraints. The "fixed" commit exposed the problem
that non-bypassed regulators can forward the request to its parent
(like bypassed ones) supply. Return -EPROBE_DEFER when the supply
is expected but not resolved yet.

Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator")
Cc: [email protected]
Signed-off-by: Michał Mirosław <[email protected]>
Reported-by: Ondřej Jirman <[email protected]>
Reported-by: Corentin Labbe <[email protected]>
Tested-by: Ondřej Jirman <[email protected]>
Link: https://lore.kernel.org/r/a9041d68b4d35e4a2dd71629c8a6422662acb5ee.1604351936.git.mirq-linux@rere.qmqm.pl
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/regulator/core.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 0f730e4bf6bcb..0caf751d85ded 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -3185,6 +3185,8 @@ static int _regulator_get_voltage(struct regulator_dev *rdev)
ret = rdev->desc->fixed_uV;
} else if (rdev->supply) {
ret = _regulator_get_voltage(rdev->supply->rdev);
+ } else if (rdev->supply_name) {
+ return -EPROBE_DEFER;
} else {
return -EINVAL;
}
--
2.27.0



2020-11-17 14:08:43

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 31/78] mac80211: fix use of skb payload instead of header

From: Johannes Berg <[email protected]>

[ Upstream commit 14f46c1e5108696ec1e5a129e838ecedf108c7bf ]

When ieee80211_skb_resize() is called from ieee80211_build_hdr()
the skb has no 802.11 header yet, in fact it consist only of the
payload as the ethernet frame is removed. As such, we're using
the payload data for ieee80211_is_mgmt(), which is of course
completely wrong. This didn't really hurt us because these are
always data frames, so we could only have added more tailroom
than we needed if we determined it was a management frame and
sdata->crypto_tx_tailroom_needed_cnt was false.

However, syzbot found that of course there need not be any payload,
so we're using at best uninitialized memory for the check.

Fix this to pass explicitly the kind of frame that we have instead
of checking there, by replacing the "bool may_encrypt" argument
with an argument that can carry the three possible states - it's
not going to be encrypted, it's a management frame, or it's a data
frame (and then we check sdata->crypto_tx_tailroom_needed_cnt).

Reported-by: [email protected]
Signed-off-by: Johannes Berg <[email protected]>
Link: https://lore.kernel.org/r/20201009132538.e1fd7f802947.I799b288466ea2815f9d4c84349fae697dca2f189@changeid
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/mac80211/tx.c | 35 +++++++++++++++++++++++------------
1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 6216279efc468..eebbddccb47b7 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1847,19 +1847,24 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,

/* device xmit handlers */

+enum ieee80211_encrypt {
+ ENCRYPT_NO,
+ ENCRYPT_MGMT,
+ ENCRYPT_DATA,
+};
+
static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
struct sk_buff *skb,
- int head_need, bool may_encrypt)
+ int head_need,
+ enum ieee80211_encrypt encrypt)
{
struct ieee80211_local *local = sdata->local;
- struct ieee80211_hdr *hdr;
bool enc_tailroom;
int tail_need = 0;

- hdr = (struct ieee80211_hdr *) skb->data;
- enc_tailroom = may_encrypt &&
- (sdata->crypto_tx_tailroom_needed_cnt ||
- ieee80211_is_mgmt(hdr->frame_control));
+ enc_tailroom = encrypt == ENCRYPT_MGMT ||
+ (encrypt == ENCRYPT_DATA &&
+ sdata->crypto_tx_tailroom_needed_cnt);

if (enc_tailroom) {
tail_need = IEEE80211_ENCRYPT_TAILROOM;
@@ -1892,21 +1897,27 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata,
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
int headroom;
- bool may_encrypt;
+ enum ieee80211_encrypt encrypt;

- may_encrypt = !(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT);
+ if (info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)
+ encrypt = ENCRYPT_NO;
+ else if (ieee80211_is_mgmt(hdr->frame_control))
+ encrypt = ENCRYPT_MGMT;
+ else
+ encrypt = ENCRYPT_DATA;

headroom = local->tx_headroom;
- if (may_encrypt)
+ if (encrypt != ENCRYPT_NO)
headroom += sdata->encrypt_headroom;
headroom -= skb_headroom(skb);
headroom = max_t(int, 0, headroom);

- if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) {
+ if (ieee80211_skb_resize(sdata, skb, headroom, encrypt)) {
ieee80211_free_txskb(&local->hw, skb);
return;
}

+ /* reload after potential resize */
hdr = (struct ieee80211_hdr *) skb->data;
info->control.vif = &sdata->vif;

@@ -2688,7 +2699,7 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata,
head_need += sdata->encrypt_headroom;
head_need += local->tx_headroom;
head_need = max_t(int, 0, head_need);
- if (ieee80211_skb_resize(sdata, skb, head_need, true)) {
+ if (ieee80211_skb_resize(sdata, skb, head_need, ENCRYPT_DATA)) {
ieee80211_free_txskb(&local->hw, skb);
skb = NULL;
return ERR_PTR(-ENOMEM);
@@ -3313,7 +3324,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
if (unlikely(ieee80211_skb_resize(sdata, skb,
max_t(int, extra_head + hw_headroom -
skb_headroom(skb), 0),
- false))) {
+ ENCRYPT_NO))) {
kfree_skb(skb);
return true;
}
--
2.27.0



2020-11-17 14:08:51

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 24/78] geneve: add transport ports in route lookup for geneve

From: Mark Gray <[email protected]>

commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 upstream.

This patch adds transport ports information for route lookup so that
IPsec can select Geneve tunnel traffic to do encryption. This is
needed for OVS/OVN IPsec with encrypted Geneve tunnels.

This can be tested by configuring a host-host VPN using an IKE
daemon and specifying port numbers. For example, for an
Openswan-type configuration, the following parameters should be
configured on both hosts and IPsec set up as-per normal:

$ cat /etc/ipsec.conf

conn in
...
left=$IP1
right=$IP2
...
leftprotoport=udp/6081
rightprotoport=udp
...
conn out
...
left=$IP1
right=$IP2
...
leftprotoport=udp
rightprotoport=udp/6081
...

The tunnel can then be setup using "ip" on both hosts (but
changing the relevant IP addresses):

$ ip link add tun type geneve id 1000 remote $IP2
$ ip addr add 192.168.0.1/24 dev tun
$ ip link set tun up

This can then be tested by pinging from $IP1:

$ ping 192.168.0.2

Without this patch the traffic is unencrypted on the wire.

Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
Signed-off-by: Qiuyu Xiao <[email protected]>
Signed-off-by: Mark Gray <[email protected]>
Reviewed-by: Greg Rose <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 4.9:
- Use geneve->dst_port instead of geneve->cfg.info.key.tp_dst
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/geneve.c | 36 ++++++++++++++++++++++++++----------
1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index 35d8c636de123..d89995f4bd433 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -732,7 +732,8 @@ static int geneve6_build_skb(struct dst_entry *dst, struct sk_buff *skb,
static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
struct net_device *dev,
struct flowi4 *fl4,
- struct ip_tunnel_info *info)
+ struct ip_tunnel_info *info,
+ __be16 dport, __be16 sport)
{
bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
struct geneve_dev *geneve = netdev_priv(dev);
@@ -746,6 +747,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
memset(fl4, 0, sizeof(*fl4));
fl4->flowi4_mark = skb->mark;
fl4->flowi4_proto = IPPROTO_UDP;
+ fl4->fl4_dport = dport;
+ fl4->fl4_sport = sport;

if (info) {
fl4->daddr = info->key.u.ipv4.dst;
@@ -791,7 +794,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb,
static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
struct net_device *dev,
struct flowi6 *fl6,
- struct ip_tunnel_info *info)
+ struct ip_tunnel_info *info,
+ __be16 dport, __be16 sport)
{
bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
struct geneve_dev *geneve = netdev_priv(dev);
@@ -807,6 +811,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
memset(fl6, 0, sizeof(*fl6));
fl6->flowi6_mark = skb->mark;
fl6->flowi6_proto = IPPROTO_UDP;
+ fl6->fl6_dport = dport;
+ fl6->fl6_sport = sport;

if (info) {
fl6->daddr = info->key.u.ipv6.dst;
@@ -894,13 +900,14 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
goto tx_error;
}

- rt = geneve_get_v4_rt(skb, dev, &fl4, info);
+ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ rt = geneve_get_v4_rt(skb, dev, &fl4, info,
+ geneve->dst_port, sport);
if (IS_ERR(rt)) {
err = PTR_ERR(rt);
goto tx_error;
}

- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
skb_reset_mac_header(skb);

if (info) {
@@ -983,13 +990,14 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
}
}

- dst = geneve_get_v6_dst(skb, dev, &fl6, info);
+ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ dst = geneve_get_v6_dst(skb, dev, &fl6, info,
+ geneve->dst_port, sport);
if (IS_ERR(dst)) {
err = PTR_ERR(dst);
goto tx_error;
}

- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
skb_reset_mac_header(skb);

if (info) {
@@ -1114,9 +1122,14 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
struct dst_entry *dst;
struct flowi6 fl6;
#endif
+ __be16 sport;

if (ip_tunnel_info_af(info) == AF_INET) {
- rt = geneve_get_v4_rt(skb, dev, &fl4, info);
+ sport = udp_flow_src_port(geneve->net, skb,
+ 1, USHRT_MAX, true);
+
+ rt = geneve_get_v4_rt(skb, dev, &fl4, info,
+ geneve->dst_port, sport);
if (IS_ERR(rt))
return PTR_ERR(rt);

@@ -1124,7 +1137,11 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
info->key.u.ipv4.src = fl4.saddr;
#if IS_ENABLED(CONFIG_IPV6)
} else if (ip_tunnel_info_af(info) == AF_INET6) {
- dst = geneve_get_v6_dst(skb, dev, &fl6, info);
+ sport = udp_flow_src_port(geneve->net, skb,
+ 1, USHRT_MAX, true);
+
+ dst = geneve_get_v6_dst(skb, dev, &fl6, info,
+ geneve->dst_port, sport);
if (IS_ERR(dst))
return PTR_ERR(dst);

@@ -1135,8 +1152,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
return -EINVAL;
}

- info->key.tp_src = udp_flow_src_port(geneve->net, skb,
- 1, USHRT_MAX, true);
+ info->key.tp_src = sport;
info->key.tp_dst = geneve->dst_port;
return 0;
}
--
2.27.0



2020-11-17 14:09:00

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 51/78] pinctrl: amd: fix incorrect way to disable debounce filter

From: Coiby Xu <[email protected]>

commit 06abe8291bc31839950f7d0362d9979edc88a666 upstream.

The correct way to disable debounce filter is to clear bit 5 and 6
of the register.

Cc: [email protected]
Signed-off-by: Coiby Xu <[email protected]>
Reviewed-by: Hans de Goede <[email protected]>
Cc: Hans de Goede <[email protected]>
Link: https://lore.kernel.org/linux-gpio/[email protected]/
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Linus Walleij <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/pinctrl/pinctrl-amd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/pinctrl/pinctrl-amd.c
+++ b/drivers/pinctrl/pinctrl-amd.c
@@ -150,14 +150,14 @@ static int amd_gpio_set_debounce(struct
pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF);
pin_reg |= BIT(DB_TMR_LARGE_OFF);
} else {
- pin_reg &= ~DB_CNTRl_MASK;
+ pin_reg &= ~(DB_CNTRl_MASK << DB_CNTRL_OFF);
ret = -EINVAL;
}
} else {
pin_reg &= ~BIT(DB_TMR_OUT_UNIT_OFF);
pin_reg &= ~BIT(DB_TMR_LARGE_OFF);
pin_reg &= ~DB_TMR_OUT_MASK;
- pin_reg &= ~DB_CNTRl_MASK;
+ pin_reg &= ~(DB_CNTRl_MASK << DB_CNTRL_OFF);
}
writel(pin_reg, gpio_dev->base + offset * 4);
spin_unlock_irqrestore(&gpio_dev->lock, flags);


2020-11-17 14:09:11

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 06/78] btrfs: reschedule when cloning lots of extents

From: Johannes Thumshirn <[email protected]>

[ Upstream commit 6b613cc97f0ace77f92f7bc112b8f6ad3f52baf8 ]

We have several occurrences of a soft lockup from fstest's generic/175
testcase, which look more or less like this one:

watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [xfs_io:10030]
Kernel panic - not syncing: softlockup: hung tasks
CPU: 0 PID: 10030 Comm: xfs_io Tainted: G L 5.9.0-rc5+ #768
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
Call Trace:
<IRQ>
dump_stack+0x77/0xa0
panic+0xfa/0x2cb
watchdog_timer_fn.cold+0x85/0xa5
? lockup_detector_update_enable+0x50/0x50
__hrtimer_run_queues+0x99/0x4c0
? recalibrate_cpu_khz+0x10/0x10
hrtimer_run_queues+0x9f/0xb0
update_process_times+0x28/0x80
tick_handle_periodic+0x1b/0x60
__sysvec_apic_timer_interrupt+0x76/0x210
asm_call_on_stack+0x12/0x20
</IRQ>
sysvec_apic_timer_interrupt+0x7f/0x90
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:btrfs_tree_unlock+0x91/0x1a0 [btrfs]
RSP: 0018:ffffc90007123a58 EFLAGS: 00000282
RAX: ffff8881cea2fbe0 RBX: ffff8881cea2fbe0 RCX: 0000000000000000
RDX: ffff8881d23fd200 RSI: ffffffff82045220 RDI: ffff8881cea2fba0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000032
R10: 0000160000000000 R11: 0000000000001000 R12: 0000000000001000
R13: ffff8882357fd5b0 R14: ffff88816fa76e70 R15: ffff8881cea2fad0
? btrfs_tree_unlock+0x15b/0x1a0 [btrfs]
btrfs_release_path+0x67/0x80 [btrfs]
btrfs_insert_replace_extent+0x177/0x2c0 [btrfs]
btrfs_replace_file_extents+0x472/0x7c0 [btrfs]
btrfs_clone+0x9ba/0xbd0 [btrfs]
btrfs_clone_files.isra.0+0xeb/0x140 [btrfs]
? file_update_time+0xcd/0x120
btrfs_remap_file_range+0x322/0x3b0 [btrfs]
do_clone_file_range+0xb7/0x1e0
vfs_clone_file_range+0x30/0xa0
ioctl_file_clone+0x8a/0xc0
do_vfs_ioctl+0x5b2/0x6f0
__x64_sys_ioctl+0x37/0xa0
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f87977fc247
RSP: 002b:00007ffd51a2f6d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f87977fc247
RDX: 00007ffd51a2f710 RSI: 000000004020940d RDI: 0000000000000003
RBP: 0000000000000004 R08: 00007ffd51a79080 R09: 0000000000000000
R10: 00005621f11352f2 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00005621f128b958 R15: 0000000080000000
Kernel Offset: disabled
---[ end Kernel panic - not syncing: softlockup: hung tasks ]---

All of these lockup reports have the call chain btrfs_clone_files() ->
btrfs_clone() in common. btrfs_clone_files() calls btrfs_clone() with
both source and destination extents locked and loops over the source
extent to create the clones.

Conditionally reschedule in the btrfs_clone() loop, to give some time back
to other processes.

CC: [email protected] # 4.4+
Reviewed-by: Josef Bacik <[email protected]>
Signed-off-by: Johannes Thumshirn <[email protected]>
Reviewed-by: David Sterba <[email protected]>
Signed-off-by: David Sterba <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/btrfs/ioctl.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 981091bd6c3c4..ebca009030c3a 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3854,6 +3854,8 @@ process_slot:
ret = -EINTR;
goto out;
}
+
+ cond_resched();
}
ret = 0;

--
2.27.0



2020-11-17 14:09:40

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 03/78] gfs2: Wake up when sd_glock_disposal becomes zero

From: Alexander Aring <[email protected]>

[ Upstream commit da7d554f7c62d0c17c1ac3cc2586473c2d99f0bd ]

Commit fc0e38dae645 ("GFS2: Fix glock deallocation race") fixed a
sd_glock_disposal accounting bug by adding a missing atomic_dec
statement, but it failed to wake up sd_glock_wait when that decrement
causes sd_glock_disposal to reach zero. As a consequence,
gfs2_gl_hash_clear can now run into a 10-minute timeout instead of
being woken up. Add the missing wakeup.

Fixes: fc0e38dae645 ("GFS2: Fix glock deallocation race")
Cc: [email protected] # v2.6.39+
Signed-off-by: Alexander Aring <[email protected]>
Signed-off-by: Andreas Gruenbacher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/gfs2/glock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
index efd44d5645d83..f19e49a5d032b 100644
--- a/fs/gfs2/glock.c
+++ b/fs/gfs2/glock.c
@@ -758,7 +758,8 @@ again:
}
kfree(gl->gl_lksb.sb_lvbptr);
kmem_cache_free(cachep, gl);
- atomic_dec(&sdp->sd_glock_disposal);
+ if (atomic_dec_and_test(&sdp->sd_glock_disposal))
+ wake_up(&sdp->sd_glock_wait);
*glp = tmp;

return ret;
--
2.27.0



2020-11-17 14:09:56

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 18/78] pinctrl: devicetree: Avoid taking direct reference to device name string

From: Will Deacon <[email protected]>

commit be4c60b563edee3712d392aaeb0943a768df7023 upstream.

When populating the pinctrl mapping table entries for a device, the
'dev_name' field for each entry is initialised to point directly at the
string returned by 'dev_name()' for the device and subsequently used by
'create_pinctrl()' when looking up the mappings for the device being
probed.

This is unreliable in the presence of calls to 'dev_set_name()', which may
reallocate the device name string leaving the pinctrl mappings with a
dangling reference. This then leads to a use-after-free every time the
name is dereferenced by a device probe:

| BUG: KASAN: invalid-access in strcmp+0x20/0x64
| Read of size 1 at addr 13ffffc153494b00 by task modprobe/590
| Pointer tag: [13], memory tag: [fe]
|
| Call trace:
| __kasan_report+0x16c/0x1dc
| kasan_report+0x10/0x18
| check_memory_region
| __hwasan_load1_noabort+0x4c/0x54
| strcmp+0x20/0x64
| create_pinctrl+0x18c/0x7f4
| pinctrl_get+0x90/0x114
| devm_pinctrl_get+0x44/0x98
| pinctrl_bind_pins+0x5c/0x450
| really_probe+0x1c8/0x9a4
| driver_probe_device+0x120/0x1d8

Follow the example of sysfs, and duplicate the device name string before
stashing it away in the pinctrl mapping entries.

Cc: Linus Walleij <[email protected]>
Reported-by: Elena Petrova <[email protected]>
Tested-by: Elena Petrova <[email protected]>
Signed-off-by: Will Deacon <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Linus Walleij <[email protected]>
[bwh: Backported to 4.9: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/pinctrl/devicetree.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c
index 54dad89fc9bfe..d32aedfc6dd03 100644
--- a/drivers/pinctrl/devicetree.c
+++ b/drivers/pinctrl/devicetree.c
@@ -40,6 +40,13 @@ struct pinctrl_dt_map {
static void dt_free_map(struct pinctrl_dev *pctldev,
struct pinctrl_map *map, unsigned num_maps)
{
+ int i;
+
+ for (i = 0; i < num_maps; ++i) {
+ kfree_const(map[i].dev_name);
+ map[i].dev_name = NULL;
+ }
+
if (pctldev) {
const struct pinctrl_ops *ops = pctldev->desc->pctlops;
ops->dt_free_map(pctldev, map, num_maps);
@@ -73,7 +80,13 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename,

/* Initialize common mapping table entry fields */
for (i = 0; i < num_maps; i++) {
- map[i].dev_name = dev_name(p->dev);
+ const char *devname;
+
+ devname = kstrdup_const(dev_name(p->dev), GFP_KERNEL);
+ if (!devname)
+ goto err_free_map;
+
+ map[i].dev_name = devname;
map[i].name = statename;
if (pctldev)
map[i].ctrl_dev_name = dev_name(pctldev->dev);
@@ -81,11 +94,8 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename,

/* Remember the converted mapping table entries */
dt_map = kzalloc(sizeof(*dt_map), GFP_KERNEL);
- if (!dt_map) {
- dev_err(p->dev, "failed to alloc struct pinctrl_dt_map\n");
- dt_free_map(pctldev, map, num_maps);
- return -ENOMEM;
- }
+ if (!dt_map)
+ goto err_free_map;

dt_map->pctldev = pctldev;
dt_map->map = map;
@@ -93,6 +103,10 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename,
list_add_tail(&dt_map->node, &p->dt_maps);

return pinctrl_register_map(map, num_maps, false);
+
+err_free_map:
+ dt_free_map(pctldev, map, num_maps);
+ return -ENOMEM;
}

struct pinctrl_dev *of_pinctrl_get(struct device_node *np)
--
2.27.0



2020-11-17 16:13:05

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.9 49/78] drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[]

From: Thomas Zimmermann <[email protected]>

commit 06ad8d339524bf94b89859047822c31df6ace239 upstream.

The gma500 driver expects 3 pipelines in several it's IRQ functions.
Accessing struct drm_device.vblank[], this fails with devices that only
have 2 pipelines. An example KASAN report is shown below.

[ 62.267688] ==================================================================
[ 62.268856] BUG: KASAN: slab-out-of-bounds in psb_irq_postinstall+0x250/0x3c0 [gma500_gfx]
[ 62.269450] Read of size 1 at addr ffff8880012bc6d0 by task systemd-udevd/285
[ 62.269949]
[ 62.270192] CPU: 0 PID: 285 Comm: systemd-udevd Tainted: G E 5.10.0-rc1-1-default+ #572
[ 62.270807] Hardware name: /DN2800MT, BIOS MTCDT10N.86A.0164.2012.1213.1024 12/13/2012
[ 62.271366] Call Trace:
[ 62.271705] dump_stack+0xae/0xe5
[ 62.272180] print_address_description.constprop.0+0x17/0xf0
[ 62.272987] ? psb_irq_postinstall+0x250/0x3c0 [gma500_gfx]
[ 62.273474] __kasan_report.cold+0x20/0x38
[ 62.273989] ? psb_irq_postinstall+0x250/0x3c0 [gma500_gfx]
[ 62.274460] kasan_report+0x3a/0x50
[ 62.274891] psb_irq_postinstall+0x250/0x3c0 [gma500_gfx]
[ 62.275380] drm_irq_install+0x131/0x1f0
<...>
[ 62.300751] Allocated by task 285:
[ 62.301223] kasan_save_stack+0x1b/0x40
[ 62.301731] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.302293] drmm_kmalloc+0x55/0x100
[ 62.302773] drm_vblank_init+0x77/0x210

Resolve the issue by only handling vblank entries up to the number of
CRTCs.

I'm adding a Fixes tag for reference, although the bug has been present
since the driver's initial commit.

Signed-off-by: Thomas Zimmermann <[email protected]>
Reviewed-by: Daniel Vetter <[email protected]>
Fixes: 5c49fd3aa0ab ("gma500: Add the core DRM files and headers")
Cc: Alan Cox <[email protected]>
Cc: Dave Airlie <[email protected]>
Cc: Patrik Jakobsson <[email protected]>
Cc: [email protected]
Cc: [email protected]#v3.3+
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/gpu/drm/gma500/psb_irq.c | 34 ++++++++++++----------------------
1 file changed, 12 insertions(+), 22 deletions(-)

--- a/drivers/gpu/drm/gma500/psb_irq.c
+++ b/drivers/gpu/drm/gma500/psb_irq.c
@@ -350,6 +350,7 @@ int psb_irq_postinstall(struct drm_devic
{
struct drm_psb_private *dev_priv = dev->dev_private;
unsigned long irqflags;
+ unsigned int i;

spin_lock_irqsave(&dev_priv->irqmask_lock, irqflags);

@@ -362,20 +363,12 @@ int psb_irq_postinstall(struct drm_devic
PSB_WVDC32(dev_priv->vdc_irq_mask, PSB_INT_ENABLE_R);
PSB_WVDC32(0xFFFFFFFF, PSB_HWSTAM);

- if (dev->vblank[0].enabled)
- psb_enable_pipestat(dev_priv, 0, PIPE_VBLANK_INTERRUPT_ENABLE);
- else
- psb_disable_pipestat(dev_priv, 0, PIPE_VBLANK_INTERRUPT_ENABLE);
-
- if (dev->vblank[1].enabled)
- psb_enable_pipestat(dev_priv, 1, PIPE_VBLANK_INTERRUPT_ENABLE);
- else
- psb_disable_pipestat(dev_priv, 1, PIPE_VBLANK_INTERRUPT_ENABLE);
-
- if (dev->vblank[2].enabled)
- psb_enable_pipestat(dev_priv, 2, PIPE_VBLANK_INTERRUPT_ENABLE);
- else
- psb_disable_pipestat(dev_priv, 2, PIPE_VBLANK_INTERRUPT_ENABLE);
+ for (i = 0; i < dev->num_crtcs; ++i) {
+ if (dev->vblank[i].enabled)
+ psb_enable_pipestat(dev_priv, i, PIPE_VBLANK_INTERRUPT_ENABLE);
+ else
+ psb_disable_pipestat(dev_priv, i, PIPE_VBLANK_INTERRUPT_ENABLE);
+ }

if (dev_priv->ops->hotplug_enable)
dev_priv->ops->hotplug_enable(dev, true);
@@ -388,6 +381,7 @@ void psb_irq_uninstall(struct drm_device
{
struct drm_psb_private *dev_priv = dev->dev_private;
unsigned long irqflags;
+ unsigned int i;

spin_lock_irqsave(&dev_priv->irqmask_lock, irqflags);

@@ -396,14 +390,10 @@ void psb_irq_uninstall(struct drm_device

PSB_WVDC32(0xFFFFFFFF, PSB_HWSTAM);

- if (dev->vblank[0].enabled)
- psb_disable_pipestat(dev_priv, 0, PIPE_VBLANK_INTERRUPT_ENABLE);
-
- if (dev->vblank[1].enabled)
- psb_disable_pipestat(dev_priv, 1, PIPE_VBLANK_INTERRUPT_ENABLE);
-
- if (dev->vblank[2].enabled)
- psb_disable_pipestat(dev_priv, 2, PIPE_VBLANK_INTERRUPT_ENABLE);
+ for (i = 0; i < dev->num_crtcs; ++i) {
+ if (dev->vblank[i].enabled)
+ psb_disable_pipestat(dev_priv, i, PIPE_VBLANK_INTERRUPT_ENABLE);
+ }

dev_priv->vdc_irq_mask &= _PSB_IRQ_SGX_FLAG |
_PSB_IRQ_MSVDX_FLAG |


2020-11-17 22:10:55

by Shuah Khan

[permalink] [raw]
Subject: Re: [PATCH 4.9 00/78] 4.9.244-rc1 review

On 11/17/20 6:04 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.244 release.
> There are 78 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Nov 2020 12:20:51 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.244-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <[email protected]>

thanks,
-- Shuah

2020-11-18 11:18:28

by Naresh Kamboju

[permalink] [raw]
Subject: Re: [PATCH 4.9 00/78] 4.9.244-rc1 review

On Tue, 17 Nov 2020 at 18:41, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.9.244 release.
> There are 78 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Nov 2020 12:20:51 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.244-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <[email protected]>

NOTE:
qemu_x86_64-clang-10 boot failed with below error.
* We are not booting on real hardware.

PANIC: double fault, error_code: 0x0
Kernel panic - not syncing: Machine halted.
http://ix.io/2Ezr

Summary
------------------------------------------------------------------------

kernel: 4.9.244-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.9.y
git commit: d3e70b39d31a36dd7611410e535bd0762f3824f9
git describe: v4.9.243-79-gd3e70b39d31a
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.9.y/build/v4.9.243-79-gd3e70b39d31a

No regressions (compared to build v4.9.243)

No fixes (compared to build v4.9.243)


Ran 40883 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- juno-r2-compat
- juno-r2-kasan
- qemu-arm64-clang
- qemu-arm64-kasan
- qemu-x86_64-clang
- qemu-x86_64-kasan
- qemu_arm
- qemu_arm64
- qemu_arm64-compat
- qemu_i386
- qemu_x86_64
- qemu_x86_64-compat
- x15 - arm
- x86_64
- x86-kasan

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* perf
* v4l2-compliance
* ltp-cve-tests
* network-basic-tests
* ltp-open-posix-tests
* kvm-unit-tests

--
Linaro LKFT
https://lkft.linaro.org

2020-11-18 15:48:30

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 4.9 00/78] 4.9.244-rc1 review

On Tue, Nov 17, 2020 at 02:04:26PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.244 release.
> There are 78 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 19 Nov 2020 12:20:51 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 168 pass: 168 fail: 0
Qemu test results:
total: 382 pass: 382 fail: 0

Reviewed-by: Guenter Roeck <[email protected]>

Guenter