This is the start of the stable review cycle for the 4.9.316 release.
There are 25 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 25 May 2022 16:56:55 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.316-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.9.316-rc1
Yang Yingliang <[email protected]>
net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe()
Yang Yingliang <[email protected]>
ethernet: tulip: fix missing pci_disable_device() on error in tulip_init_one()
Felix Fietkau <[email protected]>
mac80211: fix rx reordering with non explicit / psmp ack policy
Gleb Chesnokov <[email protected]>
scsi: qla2xxx: Fix missed DMA unmap for aborted commands
Thomas Richter <[email protected]>
perf bench numa: Address compiler error on s390
Kevin Mitchell <[email protected]>
igb: skip phy status check where unavailable
Ard Biesheuvel <[email protected]>
ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2
Ard Biesheuvel <[email protected]>
ARM: 9196/1: spectre-bhb: enable for Cortex-A15
Jiasheng Jiang <[email protected]>
net: af_key: add check for pfkey_broadcast in function pfkey_process
Duoming Zhou <[email protected]>
NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc
Christophe JAILLET <[email protected]>
net/qla3xxx: Fix a test in ql_reset_work()
Zixuan Fu <[email protected]>
net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()
Zixuan Fu <[email protected]>
net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf()
Hangyu Hua <[email protected]>
drm/dp/mst: fix a possible memory leak in fetch_monitor_name()
Peter Zijlstra <[email protected]>
perf: Fix sys_perf_event_open() race against self
Takashi Iwai <[email protected]>
ALSA: wavefront: Proper check of get_user() error
Ulf Hansson <[email protected]>
mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch()
Ulf Hansson <[email protected]>
mmc: block: Use generic_cmd6_time when modifying INAND_CMD38_ARG_EXT_CSD
Ulf Hansson <[email protected]>
mmc: core: Specify timeouts for BKOPS and CACHE_FLUSH for eMMC
linyujun <[email protected]>
ARM: 9191/1: arm/stacktrace, kasan: Silence KASAN warnings in unwind_frame()
Jakob Koschel <[email protected]>
drbd: remove usage of list iterator variable after loop
Xiaoke Wang <[email protected]>
MIPS: lantiq: check the return value of kzalloc()
Jeff LaBundy <[email protected]>
Input: add bounds checking to input_set_capability()
David Gow <[email protected]>
um: Cleanup syscall_handler_t definition/cast, fix warning
Willy Tarreau <[email protected]>
floppy: use a statically allocated error counter
-------------
Diffstat:
Makefile | 4 +--
arch/arm/kernel/entry-armv.S | 2 +-
arch/arm/kernel/stacktrace.c | 10 +++---
arch/arm/mm/proc-v7-bugs.c | 1 +
arch/mips/lantiq/falcon/sysctrl.c | 2 ++
arch/mips/lantiq/xway/gptu.c | 2 ++
arch/mips/lantiq/xway/sysctrl.c | 46 +++++++++++++++---------
arch/x86/um/shared/sysdep/syscalls_64.h | 5 ++-
drivers/block/drbd/drbd_main.c | 7 ++--
drivers/block/floppy.c | 19 +++++-----
drivers/gpu/drm/drm_dp_mst_topology.c | 1 +
drivers/input/input.c | 19 ++++++++++
drivers/mmc/card/block.c | 6 ++--
drivers/mmc/core/core.c | 5 ++-
drivers/mmc/core/mmc_ops.c | 9 ++---
drivers/net/ethernet/dec/tulip/tulip_core.c | 5 ++-
drivers/net/ethernet/intel/igb/igb_main.c | 3 +-
drivers/net/ethernet/qlogic/qla3xxx.c | 3 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +--
drivers/net/vmxnet3/vmxnet3_drv.c | 6 ++++
drivers/scsi/qla2xxx/qla_target.c | 3 ++
kernel/events/core.c | 14 ++++++++
net/key/af_key.c | 6 ++--
net/mac80211/rx.c | 3 +-
net/nfc/nci/data.c | 2 +-
net/nfc/nci/hci.c | 4 +--
sound/isa/wavefront/wavefront_synth.c | 3 +-
tools/perf/bench/numa.c | 2 +-
28 files changed, 134 insertions(+), 62 deletions(-)
From: Jeff LaBundy <[email protected]>
[ Upstream commit 409353cbe9fe48f6bc196114c442b1cff05a39bc ]
Update input_set_capability() to prevent kernel panic in case the
event code exceeds the bitmap for the given event type.
Suggested-by: Tomasz Moń <[email protected]>
Signed-off-by: Jeff LaBundy <[email protected]>
Reviewed-by: Tomasz Moń <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/input/input.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/input/input.c b/drivers/input/input.c
index 5d94fc3fce0b..378717d1b3b4 100644
--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -50,6 +50,17 @@ static DEFINE_MUTEX(input_mutex);
static const struct input_value input_value_sync = { EV_SYN, SYN_REPORT, 1 };
+static const unsigned int input_max_code[EV_CNT] = {
+ [EV_KEY] = KEY_MAX,
+ [EV_REL] = REL_MAX,
+ [EV_ABS] = ABS_MAX,
+ [EV_MSC] = MSC_MAX,
+ [EV_SW] = SW_MAX,
+ [EV_LED] = LED_MAX,
+ [EV_SND] = SND_MAX,
+ [EV_FF] = FF_MAX,
+};
+
static inline int is_event_supported(unsigned int code,
unsigned long *bm, unsigned int max)
{
@@ -1913,6 +1924,14 @@ EXPORT_SYMBOL(input_free_device);
*/
void input_set_capability(struct input_dev *dev, unsigned int type, unsigned int code)
{
+ if (type < EV_CNT && input_max_code[type] &&
+ code > input_max_code[type]) {
+ pr_err("%s: invalid code %u for type %u\n", __func__, code,
+ type);
+ dump_stack();
+ return;
+ }
+
switch (type) {
case EV_KEY:
__set_bit(code, dev->keybit);
--
2.35.1
From: David Gow <[email protected]>
[ Upstream commit f4f03f299a56ce4d73c5431e0327b3b6cb55ebb9 ]
The syscall_handler_t type for x86_64 was defined as 'long (*)(void)',
but always cast to 'long (*)(long, long, long, long, long, long)' before
use. This now triggers a warning (see below).
Define syscall_handler_t as the latter instead, and remove the cast.
This simplifies the code, and fixes the warning.
Warning:
In file included from ../arch/um/include/asm/processor-generic.h:13
from ../arch/x86/um/asm/processor.h:41
from ../include/linux/rcupdate.h:30
from ../include/linux/rculist.h:11
from ../include/linux/pid.h:5
from ../include/linux/sched.h:14
from ../include/linux/ptrace.h:6
from ../arch/um/kernel/skas/syscall.c:7:
../arch/um/kernel/skas/syscall.c: In function ‘handle_syscall’:
../arch/x86/um/shared/sysdep/syscalls_64.h:18:11: warning: cast between incompatible function types from ‘long int (*)(void)’ to ‘long int (*)(long int, long int, long int, long int, long int, long int)’ [
-Wcast-function-type]
18 | (((long (*)(long, long, long, long, long, long)) \
| ^
../arch/x86/um/asm/ptrace.h:36:62: note: in definition of macro ‘PT_REGS_SET_SYSCALL_RETURN’
36 | #define PT_REGS_SET_SYSCALL_RETURN(r, res) (PT_REGS_AX(r) = (res))
| ^~~
../arch/um/kernel/skas/syscall.c:46:33: note: in expansion of macro ‘EXECUTE_SYSCALL’
46 | EXECUTE_SYSCALL(syscall, regs));
| ^~~~~~~~~~~~~~~
Signed-off-by: David Gow <[email protected]>
Signed-off-by: Richard Weinberger <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/x86/um/shared/sysdep/syscalls_64.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/x86/um/shared/sysdep/syscalls_64.h b/arch/x86/um/shared/sysdep/syscalls_64.h
index 8a7d5e1da98e..1e6875b4ffd8 100644
--- a/arch/x86/um/shared/sysdep/syscalls_64.h
+++ b/arch/x86/um/shared/sysdep/syscalls_64.h
@@ -10,13 +10,12 @@
#include <linux/msg.h>
#include <linux/shm.h>
-typedef long syscall_handler_t(void);
+typedef long syscall_handler_t(long, long, long, long, long, long);
extern syscall_handler_t *sys_call_table[];
#define EXECUTE_SYSCALL(syscall, regs) \
- (((long (*)(long, long, long, long, long, long)) \
- (*sys_call_table[syscall]))(UPT_SYSCALL_ARG1(®s->regs), \
+ (((*sys_call_table[syscall]))(UPT_SYSCALL_ARG1(®s->regs), \
UPT_SYSCALL_ARG2(®s->regs), \
UPT_SYSCALL_ARG3(®s->regs), \
UPT_SYSCALL_ARG4(®s->regs), \
--
2.35.1
From: linyujun <[email protected]>
[ Upstream commit 9be4c88bb7924f68f88cfd47d925c2d046f51a73 ]
The following KASAN warning is detected by QEMU.
==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_frame+0x508/0x870
Read of size 4 at addr c36bba90 by task cat/163
CPU: 1 PID: 163 Comm: cat Not tainted 5.10.0-rc1 #40
Hardware name: ARM-Versatile Express
[<c0113fac>] (unwind_backtrace) from [<c010e71c>] (show_stack+0x10/0x14)
[<c010e71c>] (show_stack) from [<c0b805b4>] (dump_stack+0x98/0xb0)
[<c0b805b4>] (dump_stack) from [<c0b7d658>] (print_address_description.constprop.0+0x58/0x4bc)
[<c0b7d658>] (print_address_description.constprop.0) from [<c031435c>] (kasan_report+0x154/0x170)
[<c031435c>] (kasan_report) from [<c0113c44>] (unwind_frame+0x508/0x870)
[<c0113c44>] (unwind_frame) from [<c010e298>] (__save_stack_trace+0x110/0x134)
[<c010e298>] (__save_stack_trace) from [<c01ce0d8>] (stack_trace_save+0x8c/0xb4)
[<c01ce0d8>] (stack_trace_save) from [<c0313520>] (kasan_set_track+0x38/0x60)
[<c0313520>] (kasan_set_track) from [<c0314cb8>] (kasan_set_free_info+0x20/0x2c)
[<c0314cb8>] (kasan_set_free_info) from [<c0313474>] (__kasan_slab_free+0xec/0x120)
[<c0313474>] (__kasan_slab_free) from [<c0311e20>] (kmem_cache_free+0x7c/0x334)
[<c0311e20>] (kmem_cache_free) from [<c01c35dc>] (rcu_core+0x390/0xccc)
[<c01c35dc>] (rcu_core) from [<c01013a8>] (__do_softirq+0x180/0x518)
[<c01013a8>] (__do_softirq) from [<c0135214>] (irq_exit+0x9c/0xe0)
[<c0135214>] (irq_exit) from [<c01a40e4>] (__handle_domain_irq+0xb0/0x110)
[<c01a40e4>] (__handle_domain_irq) from [<c0691248>] (gic_handle_irq+0xa0/0xb8)
[<c0691248>] (gic_handle_irq) from [<c0100b0c>] (__irq_svc+0x6c/0x94)
Exception stack(0xc36bb928 to 0xc36bb970)
b920: c36bb9c0 00000000 c0126919 c0101228 c36bb9c0 b76d7730
b940: c36b8000 c36bb9a0 c3335b00 c01ce0d8 00000003 c36bba3c c36bb940 c36bb978
b960: c010e298 c011373c 60000013 ffffffff
[<c0100b0c>] (__irq_svc) from [<c011373c>] (unwind_frame+0x0/0x870)
[<c011373c>] (unwind_frame) from [<00000000>] (0x0)
The buggy address belongs to the page:
page:(ptrval) refcount:0 mapcount:0 mapping:00000000 index:0x0 pfn:0x636bb
flags: 0x0()
raw: 00000000 00000000 ef867764 00000000 00000000 00000000 ffffffff 00000000
page dumped because: kasan: bad access detected
addr c36bba90 is located in stack of task cat/163 at offset 48 in frame:
stack_trace_save+0x0/0xb4
this frame has 1 object:
[32, 48) 'trace'
Memory state around the buggy address:
c36bb980: f1 f1 f1 f1 00 04 f2 f2 00 00 f3 f3 00 00 00 00
c36bba00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>c36bba80: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
c36bbb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
c36bbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
There is a same issue on x86 and has been resolved by the commit f7d27c35ddff
("x86/mm, kasan: Silence KASAN warnings in get_wchan()").
The solution could be applied to arm architecture too.
Signed-off-by: Lin Yujun <[email protected]>
Reported-by: He Ying <[email protected]>
Signed-off-by: Russell King (Oracle) <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm/kernel/stacktrace.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c
index c10c1de244eb..83d0aa217bb2 100644
--- a/arch/arm/kernel/stacktrace.c
+++ b/arch/arm/kernel/stacktrace.c
@@ -50,17 +50,17 @@ int notrace unwind_frame(struct stackframe *frame)
return -EINVAL;
frame->sp = frame->fp;
- frame->fp = *(unsigned long *)(fp);
- frame->pc = *(unsigned long *)(fp + 4);
+ frame->fp = READ_ONCE_NOCHECK(*(unsigned long *)(fp));
+ frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp + 4));
#else
/* check current frame pointer is within bounds */
if (fp < low + 12 || fp > high - 4)
return -EINVAL;
/* restore the registers from the stack frame */
- frame->fp = *(unsigned long *)(fp - 12);
- frame->sp = *(unsigned long *)(fp - 8);
- frame->pc = *(unsigned long *)(fp - 4);
+ frame->fp = READ_ONCE_NOCHECK(*(unsigned long *)(fp - 12));
+ frame->sp = READ_ONCE_NOCHECK(*(unsigned long *)(fp - 8));
+ frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp - 4));
#endif
return 0;
--
2.35.1
From: Christophe JAILLET <[email protected]>
[ Upstream commit 5361448e45fac6fb96738df748229432a62d78b6 ]
test_bit() tests if one bit is set or not.
Here the logic seems to check of bit QL_RESET_PER_SCSI (i.e. 4) OR bit
QL_RESET_START (i.e. 3) is set.
In fact, it checks if bit 7 (4 | 3 = 7) is set, that is to say
QL_ADAPTER_UP.
This looks harmless, because this bit is likely be set, and when the
ql_reset_work() delayed work is scheduled in ql3xxx_isr() (the only place
that schedule this work), QL_RESET_START or QL_RESET_PER_SCSI is set.
This has been spotted by smatch.
Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver")
Signed-off-by: Christophe JAILLET <[email protected]>
Link: https://lore.kernel.org/r/80e73e33f390001d9c0140ffa9baddf6466a41a2.1652637337.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/qlogic/qla3xxx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
index 147effc16316..e62e3a9d5249 100644
--- a/drivers/net/ethernet/qlogic/qla3xxx.c
+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
@@ -3625,7 +3625,8 @@ static void ql_reset_work(struct work_struct *work)
qdev->mem_map_registers;
unsigned long hw_flags;
- if (test_bit((QL_RESET_PER_SCSI | QL_RESET_START), &qdev->flags)) {
+ if (test_bit(QL_RESET_PER_SCSI, &qdev->flags) ||
+ test_bit(QL_RESET_START, &qdev->flags)) {
clear_bit(QL_LINK_MASTER, &qdev->flags);
/*
--
2.35.1
From: Duoming Zhou <[email protected]>
[ Upstream commit 23dd4581350d4ffa23d58976ec46408f8f4c1e16 ]
There are sleep in atomic context bugs when the request to secure
element of st-nci is timeout. The root cause is that nci_skb_alloc
with GFP_KERNEL parameter is called in st_nci_se_wt_timeout which is
a timer handler. The call paths that could trigger bugs are shown below:
(interrupt context 1)
st_nci_se_wt_timeout
nci_hci_send_event
nci_hci_send_data
nci_skb_alloc(..., GFP_KERNEL) //may sleep
(interrupt context 2)
st_nci_se_wt_timeout
nci_hci_send_event
nci_hci_send_data
nci_send_data
nci_queue_tx_data_frags
nci_skb_alloc(..., GFP_KERNEL) //may sleep
This patch changes allocation mode of nci_skb_alloc from GFP_KERNEL to
GFP_ATOMIC in order to prevent atomic context sleeping. The GFP_ATOMIC
flag makes memory allocation operation could be used in atomic context.
Fixes: ed06aeefdac3 ("nfc: st-nci: Rename st21nfcb to st-nci")
Signed-off-by: Duoming Zhou <[email protected]>
Reviewed-by: Krzysztof Kozlowski <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/nfc/nci/data.c | 2 +-
net/nfc/nci/hci.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
index d20383779710..b8a295dd15d8 100644
--- a/net/nfc/nci/data.c
+++ b/net/nfc/nci/data.c
@@ -130,7 +130,7 @@ static int nci_queue_tx_data_frags(struct nci_dev *ndev,
skb_frag = nci_skb_alloc(ndev,
(NCI_DATA_HDR_SIZE + frag_len),
- GFP_KERNEL);
+ GFP_ATOMIC);
if (skb_frag == NULL) {
rc = -ENOMEM;
goto free_exit;
diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
index 5fae3f064ad0..9c37618f36c6 100644
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -165,7 +165,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe,
i = 0;
skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len +
- NCI_DATA_HDR_SIZE, GFP_KERNEL);
+ NCI_DATA_HDR_SIZE, GFP_ATOMIC);
if (!skb)
return -ENOMEM;
@@ -198,7 +198,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe,
if (i < data_len) {
skb = nci_skb_alloc(ndev,
conn_info->max_pkt_payload_len +
- NCI_DATA_HDR_SIZE, GFP_KERNEL);
+ NCI_DATA_HDR_SIZE, GFP_ATOMIC);
if (!skb)
return -ENOMEM;
--
2.35.1
From: Xiaoke Wang <[email protected]>
[ Upstream commit 34123208bbcc8c884a0489f543a23fe9eebb5514 ]
kzalloc() is a memory allocation function which can return NULL when
some internal memory errors happen. So it is better to check the
return value of it to prevent potential wrong memory access or
memory leak.
Signed-off-by: Xiaoke Wang <[email protected]>
Signed-off-by: Thomas Bogendoerfer <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/mips/lantiq/falcon/sysctrl.c | 2 ++
arch/mips/lantiq/xway/gptu.c | 2 ++
arch/mips/lantiq/xway/sysctrl.c | 46 ++++++++++++++++++++-----------
3 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/arch/mips/lantiq/falcon/sysctrl.c b/arch/mips/lantiq/falcon/sysctrl.c
index 82bbd0e2e298..714d92659489 100644
--- a/arch/mips/lantiq/falcon/sysctrl.c
+++ b/arch/mips/lantiq/falcon/sysctrl.c
@@ -169,6 +169,8 @@ static inline void clkdev_add_sys(const char *dev, unsigned int module,
{
struct clk *clk = kzalloc(sizeof(struct clk), GFP_KERNEL);
+ if (!clk)
+ return;
clk->cl.dev_id = dev;
clk->cl.con_id = NULL;
clk->cl.clk = clk;
diff --git a/arch/mips/lantiq/xway/gptu.c b/arch/mips/lantiq/xway/gptu.c
index 0f1bbea1a816..955d0d5cfbdb 100644
--- a/arch/mips/lantiq/xway/gptu.c
+++ b/arch/mips/lantiq/xway/gptu.c
@@ -124,6 +124,8 @@ static inline void clkdev_add_gptu(struct device *dev, const char *con,
{
struct clk *clk = kzalloc(sizeof(struct clk), GFP_KERNEL);
+ if (!clk)
+ return;
clk->cl.dev_id = dev_name(dev);
clk->cl.con_id = con;
clk->cl.clk = clk;
diff --git a/arch/mips/lantiq/xway/sysctrl.c b/arch/mips/lantiq/xway/sysctrl.c
index 95bec460b651..dd7c36a193e3 100644
--- a/arch/mips/lantiq/xway/sysctrl.c
+++ b/arch/mips/lantiq/xway/sysctrl.c
@@ -331,6 +331,8 @@ static void clkdev_add_pmu(const char *dev, const char *con, bool deactivate,
{
struct clk *clk = kzalloc(sizeof(struct clk), GFP_KERNEL);
+ if (!clk)
+ return;
clk->cl.dev_id = dev;
clk->cl.con_id = con;
clk->cl.clk = clk;
@@ -354,6 +356,8 @@ static void clkdev_add_cgu(const char *dev, const char *con,
{
struct clk *clk = kzalloc(sizeof(struct clk), GFP_KERNEL);
+ if (!clk)
+ return;
clk->cl.dev_id = dev;
clk->cl.con_id = con;
clk->cl.clk = clk;
@@ -372,24 +376,28 @@ static void clkdev_add_pci(void)
struct clk *clk_ext = kzalloc(sizeof(struct clk), GFP_KERNEL);
/* main pci clock */
- clk->cl.dev_id = "17000000.pci";
- clk->cl.con_id = NULL;
- clk->cl.clk = clk;
- clk->rate = CLOCK_33M;
- clk->rates = valid_pci_rates;
- clk->enable = pci_enable;
- clk->disable = pmu_disable;
- clk->module = 0;
- clk->bits = PMU_PCI;
- clkdev_add(&clk->cl);
+ if (clk) {
+ clk->cl.dev_id = "17000000.pci";
+ clk->cl.con_id = NULL;
+ clk->cl.clk = clk;
+ clk->rate = CLOCK_33M;
+ clk->rates = valid_pci_rates;
+ clk->enable = pci_enable;
+ clk->disable = pmu_disable;
+ clk->module = 0;
+ clk->bits = PMU_PCI;
+ clkdev_add(&clk->cl);
+ }
/* use internal/external bus clock */
- clk_ext->cl.dev_id = "17000000.pci";
- clk_ext->cl.con_id = "external";
- clk_ext->cl.clk = clk_ext;
- clk_ext->enable = pci_ext_enable;
- clk_ext->disable = pci_ext_disable;
- clkdev_add(&clk_ext->cl);
+ if (clk_ext) {
+ clk_ext->cl.dev_id = "17000000.pci";
+ clk_ext->cl.con_id = "external";
+ clk_ext->cl.clk = clk_ext;
+ clk_ext->enable = pci_ext_enable;
+ clk_ext->disable = pci_ext_disable;
+ clkdev_add(&clk_ext->cl);
+ }
}
/* xway socs can generate clocks on gpio pins */
@@ -409,9 +417,15 @@ static void clkdev_add_clkout(void)
char *name;
name = kzalloc(sizeof("clkout0"), GFP_KERNEL);
+ if (!name)
+ continue;
sprintf(name, "clkout%d", i);
clk = kzalloc(sizeof(struct clk), GFP_KERNEL);
+ if (!clk) {
+ kfree(name);
+ continue;
+ }
clk->cl.dev_id = "1f103000.cgu";
clk->cl.con_id = name;
clk->cl.clk = clk;
--
2.35.1
From: Jiasheng Jiang <[email protected]>
[ Upstream commit 4dc2a5a8f6754492180741facf2a8787f2c415d7 ]
If skb_clone() returns null pointer, pfkey_broadcast() will
return error.
Therefore, it should be better to check the return value of
pfkey_broadcast() and return error if fails.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jiasheng Jiang <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/key/af_key.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index c9cc9f75b099..776f94ecbfe6 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2861,8 +2861,10 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb
void *ext_hdrs[SADB_EXT_MAX];
int err;
- pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
- BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
+ err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
+ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
+ if (err)
+ return err;
memset(ext_hdrs, 0, sizeof(ext_hdrs));
err = parse_exthdrs(skb, hdr, ext_hdrs);
--
2.35.1
From: Ard Biesheuvel <[email protected]>
[ Upstream commit 0dc14aa94ccd8ba35eb17a0f9b123d1566efd39e ]
The Spectre-BHB mitigations were inadvertently left disabled for
Cortex-A15, due to the fact that cpu_v7_bugs_init() is not called in
that case. So fix that.
Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround")
Signed-off-by: Ard Biesheuvel <[email protected]>
Signed-off-by: Russell King (Oracle) <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm/mm/proc-v7-bugs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c
index 1b6e770bc1cd..8b78694d56b8 100644
--- a/arch/arm/mm/proc-v7-bugs.c
+++ b/arch/arm/mm/proc-v7-bugs.c
@@ -297,6 +297,7 @@ void cpu_v7_ca15_ibe(void)
{
if (check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(0)))
cpu_v7_spectre_v2_init();
+ cpu_v7_spectre_bhb_init();
}
void cpu_v7_bugs_init(void)
--
2.35.1
From: Ard Biesheuvel <[email protected]>
[ Upstream commit 3cfb3019979666bdf33a1010147363cf05e0f17b ]
In Thumb2, 'b . + 4' produces a branch instruction that uses a narrow
encoding, and so it does not jump to the following instruction as
expected. So use W(b) instead.
Fixes: 6c7cb60bff7a ("ARM: fix Thumb2 regression with Spectre BHB")
Signed-off-by: Ard Biesheuvel <[email protected]>
Signed-off-by: Russell King (Oracle) <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm/kernel/entry-armv.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index 77ec669fd5ee..247229e69322 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -1074,7 +1074,7 @@ vector_bhb_loop8_\name:
@ bhb workaround
mov r0, #8
-3: b . + 4
+3: W(b) . + 4
subs r0, r0, #1
bne 3b
dsb
--
2.35.1
From: Gleb Chesnokov <[email protected]>
[ Upstream commit 26f9ce53817a8fd84b69a73473a7de852a24c897 ]
Aborting commands that have already been sent to the firmware can
cause BUG in qlt_free_cmd(): BUG_ON(cmd->sg_mapped)
For instance:
- Command passes rdx_to_xfer state, maps sgl, sends to the firmware
- Reset occurs, qla2xxx performs ISP error recovery, aborts the command
- Target stack calls qlt_abort_cmd() and then qlt_free_cmd()
- BUG_ON(cmd->sg_mapped) in qlt_free_cmd() occurs because sgl was not
unmapped
Thus, unmap sgl in qlt_abort_cmd() for commands with the aborted flag set.
Link: https://lore.kernel.org/r/AS8PR10MB4952D545F84B6B1DFD39EC1E9DEE9@AS8PR10MB4952.EURPRD10.PROD.OUTLOOK.COM
Reviewed-by: Himanshu Madhani <[email protected]>
Signed-off-by: Gleb Chesnokov <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/scsi/qla2xxx/qla_target.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
index 6ef7a094ee51..b4a21adb3e73 100644
--- a/drivers/scsi/qla2xxx/qla_target.c
+++ b/drivers/scsi/qla2xxx/qla_target.c
@@ -3286,6 +3286,9 @@ int qlt_abort_cmd(struct qla_tgt_cmd *cmd)
spin_lock_irqsave(&cmd->cmd_lock, flags);
if (cmd->aborted) {
+ if (cmd->sg_mapped)
+ qlt_unmap_sg(vha, cmd);
+
spin_unlock_irqrestore(&cmd->cmd_lock, flags);
/*
* It's normal to see 2 calls in this path:
--
2.35.1
From: Kevin Mitchell <[email protected]>
[ Upstream commit 942d2ad5d2e0df758a645ddfadffde2795322728 ]
igb_read_phy_reg() will silently return, leaving phy_data untouched, if
hw->ops.read_reg isn't set. Depending on the uninitialized value of
phy_data, this led to the phy status check either succeeding immediately
or looping continuously for 2 seconds before emitting a noisy err-level
timeout. This message went out to the console even though there was no
actual problem.
Instead, first check if there is read_reg function pointer. If not,
proceed without trying to check the phy status register.
Fixes: b72f3f72005d ("igb: When GbE link up, wait for Remote receiver status condition")
Signed-off-by: Kevin Mitchell <[email protected]>
Tested-by: Gurucharan <[email protected]> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/intel/igb/igb_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 6bede6774486..d825e527ec1a 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -4546,7 +4546,8 @@ static void igb_watchdog_task(struct work_struct *work)
break;
}
- if (adapter->link_speed != SPEED_1000)
+ if (adapter->link_speed != SPEED_1000 ||
+ !hw->phy.ops.read_reg)
goto no_wait;
/* wait for Remote receiver status OK */
--
2.35.1
From: Yang Yingliang <[email protected]>
[ Upstream commit 51ca86b4c9c7c75f5630fa0dbe5f8f0bd98e3c3e ]
Fix the missing pci_disable_device() before return
from tulip_init_one() in the error handling case.
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Yang Yingliang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/dec/tulip/tulip_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/dec/tulip/tulip_core.c b/drivers/net/ethernet/dec/tulip/tulip_core.c
index bbde90bc74fe..6224f9d22298 100644
--- a/drivers/net/ethernet/dec/tulip/tulip_core.c
+++ b/drivers/net/ethernet/dec/tulip/tulip_core.c
@@ -1412,8 +1412,10 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
/* alloc_etherdev ensures aligned and zeroed private structures */
dev = alloc_etherdev (sizeof (*tp));
- if (!dev)
+ if (!dev) {
+ pci_disable_device(pdev);
return -ENOMEM;
+ }
SET_NETDEV_DEV(dev, &pdev->dev);
if (pci_resource_len (pdev, 0) < tulip_tbl[chip_idx].io_size) {
@@ -1792,6 +1794,7 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
err_out_free_netdev:
free_netdev (dev);
+ pci_disable_device(pdev);
return -ENODEV;
}
--
2.35.1
From: Thomas Richter <[email protected]>
[ Upstream commit f8ac1c478424a9a14669b8cef7389b1e14e5229d ]
The compilation on s390 results in this error:
# make DEBUG=y bench/numa.o
...
bench/numa.c: In function ‘__bench_numa’:
bench/numa.c:1749:81: error: ‘%d’ directive output may be truncated
writing between 1 and 11 bytes into a region of size between
10 and 20 [-Werror=format-truncation=]
1749 | snprintf(tname, sizeof(tname), "process%d:thread%d", p, t);
^~
...
bench/numa.c:1749:64: note: directive argument in the range
[-2147483647, 2147483646]
...
#
The maximum length of the %d replacement is 11 characters because of the
negative sign. Therefore extend the array by two more characters.
Output after:
# make DEBUG=y bench/numa.o > /dev/null 2>&1; ll bench/numa.o
-rw-r--r-- 1 root root 418320 May 19 09:11 bench/numa.o
#
Fixes: 3aff8ba0a4c9c919 ("perf bench numa: Avoid possible truncation when using snprintf()")
Suggested-by: Namhyung Kim <[email protected]>
Signed-off-by: Thomas Richter <[email protected]>
Cc: Heiko Carstens <[email protected]>
Cc: Sumanth Korikkar <[email protected]>
Cc: Sven Schnelle <[email protected]>
Cc: Vasily Gorbik <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
tools/perf/bench/numa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
index 7b364f2926d4..901e9d6efcec 100644
--- a/tools/perf/bench/numa.c
+++ b/tools/perf/bench/numa.c
@@ -1626,7 +1626,7 @@ static int __bench_numa(const char *name)
"GB/sec,", "total-speed", "GB/sec total speed");
if (g->p.show_details >= 2) {
- char tname[14 + 2 * 10 + 1];
+ char tname[14 + 2 * 11 + 1];
struct thread_data *td;
for (p = 0; p < g->p.nr_proc; p++) {
for (t = 0; t < g->p.nr_threads; t++) {
--
2.35.1
From: Yang Yingliang <[email protected]>
[ Upstream commit 0807ce0b010418a191e0e4009803b2d74c3245d5 ]
Switch to using pcim_enable_device() to avoid missing pci_disable_device().
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Yang Yingliang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
index 49eaede34eea..9beb93479e28 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
@@ -183,7 +183,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev,
return -ENOMEM;
/* Enable pci device */
- ret = pci_enable_device(pdev);
+ ret = pcim_enable_device(pdev);
if (ret) {
dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
__func__);
@@ -241,8 +241,6 @@ static void stmmac_pci_remove(struct pci_dev *pdev)
pcim_iounmap_regions(pdev, BIT(i));
break;
}
-
- pci_disable_device(pdev);
}
static int stmmac_pci_suspend(struct device *dev)
--
2.35.1
From: Ulf Hansson <[email protected]>
commit 24ed3bd01d6a844fd5e8a75f48d0a3d10ed71bf9 upstream
The timeout values used while waiting for a CMD6 for BKOPS or a CACHE_FLUSH
to complete, are not defined by the eMMC spec. However, a timeout of 10
minutes as is currently being used, is just silly for both of these cases.
Instead, let's specify more reasonable timeouts, 120s for BKOPS and 30s for
CACHE_FLUSH.
Signed-off-by: Ulf Hansson <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Kamal Dasu <[email protected]>
[kamal: Drop mmc_run_bkops hunk, non-existent]
Signed-off-by: Florian Fainelli <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/mmc/core/core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/mmc/core/core.c
+++ b/drivers/mmc/core/core.c
@@ -61,6 +61,8 @@
/* The max erase timeout, used when host->max_busy_timeout isn't specified */
#define MMC_ERASE_TIMEOUT_MS (60 * 1000) /* 60 s */
+#define MMC_CACHE_FLUSH_TIMEOUT_MS (30 * 1000) /* 30s */
+
static const unsigned freqs[] = { 400000, 300000, 200000, 100000 };
/*
@@ -2936,7 +2938,8 @@ int mmc_flush_cache(struct mmc_card *car
(card->ext_csd.cache_size > 0) &&
(card->ext_csd.cache_ctrl & 1)) {
err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
- EXT_CSD_FLUSH_CACHE, 1, 0);
+ EXT_CSD_FLUSH_CACHE, 1,
+ MMC_CACHE_FLUSH_TIMEOUT_MS);
if (err)
pr_err("%s: cache flush error %d\n",
mmc_hostname(card->host), err);
From: Felix Fietkau <[email protected]>
[ Upstream commit 5e469ed9764d4722c59562da13120bd2dc6834c5 ]
When the QoS ack policy was set to non explicit / psmp ack, frames are treated
as not being part of a BA session, which causes extra latency on reordering.
Fix this by only bypassing reordering for packets with no-ack policy
Signed-off-by: Felix Fietkau <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/mac80211/rx.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 41af02a70742..02845bed07d7 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1179,8 +1179,7 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
goto dont_reorder;
/* not part of a BA session */
- if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
- ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
+ if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK)
goto dont_reorder;
/* new, potentially un-ordered, ampdu frame - process it */
--
2.35.1
From: Ulf Hansson <[email protected]>
commit ad91619aa9d78ab1c6d4a969c3db68bc331ae76c upstream
The INAND_CMD38_ARG_EXT_CSD is a vendor specific EXT_CSD register, which is
used to prepare an erase/trim operation. However, it doesn't make sense to
use a timeout of 10 minutes while updating the register, which becomes the
case when the timeout_ms argument for mmc_switch() is set to zero.
Instead, let's use the generic_cmd6_time, as that seems like a reasonable
timeout to use for these cases.
Signed-off-by: Ulf Hansson <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Kamal Dasu <[email protected]>
Signed-off-by: Florian Fainelli <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/mmc/card/block.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -1192,7 +1192,7 @@ retry:
arg == MMC_TRIM_ARG ?
INAND_CMD38_ARG_TRIM :
INAND_CMD38_ARG_ERASE,
- 0);
+ card->ext_csd.generic_cmd6_time);
if (err)
goto out;
}
@@ -1235,7 +1235,7 @@ retry:
arg == MMC_SECURE_TRIM1_ARG ?
INAND_CMD38_ARG_SECTRIM1 :
INAND_CMD38_ARG_SECERASE,
- 0);
+ card->ext_csd.generic_cmd6_time);
if (err)
goto out_retry;
}
@@ -1251,7 +1251,7 @@ retry:
err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
INAND_CMD38_ARG_EXT_CSD,
INAND_CMD38_ARG_SECTRIM2,
- 0);
+ card->ext_csd.generic_cmd6_time);
if (err)
goto out_retry;
}
From: Ulf Hansson <[email protected]>
commit 533a6cfe08f96a7b5c65e06d20916d552c11b256 upstream
All callers of __mmc_switch() should now be specifying a valid timeout for
the CMD6 command. However, just to be sure, let's print a warning and
default to use the generic_cmd6_time in case the provided timeout_ms
argument is zero.
In this context, let's also simplify some of the corresponding code and
clarify some related comments.
Signed-off-by: Ulf Hansson <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Kamal Dasu <[email protected]>
[kamal: Drop non-existent hunks in 4.9's __mmc_switch]
Signed-off-by: Florian Fainelli <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/mmc/core/mmc_ops.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/mmc/core/mmc_ops.c
+++ b/drivers/mmc/core/mmc_ops.c
@@ -22,8 +22,6 @@
#include "host.h"
#include "mmc_ops.h"
-#define MMC_OPS_TIMEOUT_MS (10 * 60 * 1000) /* 10 minute timeout */
-
static const u8 tuning_blk_pattern_4bit[] = {
0xff, 0x0f, 0xff, 0x00, 0xff, 0xcc, 0xc3, 0xcc,
0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
@@ -530,8 +528,11 @@ int __mmc_switch(struct mmc_card *card,
ignore_crc = false;
/* We have an unspecified cmd timeout, use the fallback value. */
- if (!timeout_ms)
- timeout_ms = MMC_OPS_TIMEOUT_MS;
+ if (!timeout_ms) {
+ pr_warn("%s: unspecified timeout for CMD6 - use generic\n",
+ mmc_hostname(host));
+ timeout_ms = card->ext_csd.generic_cmd6_time;
+ }
/* Must check status to be sure of no errors. */
timeout = jiffies + msecs_to_jiffies(timeout_ms) + 1;
From: Peter Zijlstra <[email protected]>
commit 3ac6487e584a1eb54071dbe1212e05b884136704 upstream.
Norbert reported that it's possible to race sys_perf_event_open() such
that the looser ends up in another context from the group leader,
triggering many WARNs.
The move_group case checks for races against itself, but the
!move_group case doesn't, seemingly relying on the previous
group_leader->ctx == ctx check. However, that check is racy due to not
holding any locks at that time.
Therefore, re-check the result after acquiring locks and bailing
if they no longer match.
Additionally, clarify the not_move_group case from the
move_group-vs-move_group race.
Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
Reported-by: Norbert Slusarek <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
kernel/events/core.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -9903,6 +9903,9 @@ SYSCALL_DEFINE5(perf_event_open,
* Do not allow to attach to a group in a different task
* or CPU context. If we're moving SW events, we'll fix
* this up later, so allow that.
+ *
+ * Racy, not holding group_leader->ctx->mutex, see comment with
+ * perf_event_ctx_lock().
*/
if (!move_group && group_leader->ctx != ctx)
goto err_context;
@@ -9952,11 +9955,22 @@ SYSCALL_DEFINE5(perf_event_open,
} else {
perf_event_ctx_unlock(group_leader, gctx);
move_group = 0;
+ goto not_move_group;
}
}
} else {
mutex_lock(&ctx->mutex);
+
+ /*
+ * Now that we hold ctx->lock, (re)validate group_leader->ctx == ctx,
+ * see the group_leader && !move_group test earlier.
+ */
+ if (group_leader && group_leader->ctx != ctx) {
+ err = -EINVAL;
+ goto err_locked;
+ }
}
+not_move_group:
if (ctx->task == TASK_TOMBSTONE) {
err = -ESRCH;
From: Hangyu Hua <[email protected]>
commit 6e03b13cc7d9427c2c77feed1549191015615202 upstream.
drm_dp_mst_get_edid call kmemdup to create mst_edid. So mst_edid need to be
freed after use.
Signed-off-by: Hangyu Hua <[email protected]>
Reviewed-by: Lyude Paul <[email protected]>
Signed-off-by: Lyude Paul <[email protected]>
Cc: [email protected]
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/gpu/drm/drm_dp_mst_topology.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -2830,6 +2830,7 @@ static void fetch_monitor_name(struct dr
mst_edid = drm_dp_mst_get_edid(port->connector, mgr, port);
drm_edid_get_monitor_name(mst_edid, name, namelen);
+ kfree(mst_edid);
}
/**
From: Takashi Iwai <[email protected]>
commit a34ae6c0660d3b96b0055f68ef74dc9478852245 upstream.
The antient ISA wavefront driver reads its sample patch data (uploaded
over an ioctl) via __get_user() with no good reason; likely just for
some performance optimizations in the past. Let's change this to the
standard get_user() and the error check for handling the fault case
properly.
Reported-by: Linus Torvalds <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
sound/isa/wavefront/wavefront_synth.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -1091,7 +1091,8 @@ wavefront_send_sample (snd_wavefront_t *
if (dataptr < data_end) {
- __get_user (sample_short, dataptr);
+ if (get_user(sample_short, dataptr))
+ return -EFAULT;
dataptr += skip;
if (data_is_unsigned) { /* GUS ? */
From: Zixuan Fu <[email protected]>
[ Upstream commit edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd ]
In vmxnet3_rq_create(), when dma_alloc_coherent() fails,
vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then
vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all()
-> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls
vmxnet3_force_close() -> dev_close() in error handling code. And the driver
calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all()
-> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(),
rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing
a NULL pointer dereference.
To fix this possible bug, an if statement is added to check whether
rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so.
The error log in our fault-injection testing is shown as follows:
[ 65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008
...
[ 65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3]
...
[ 65.227977] Call Trace:
...
[ 65.228262] vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3]
[ 65.228580] vmxnet3_close+0x2c4/0x3f0 [vmxnet3]
[ 65.228866] __dev_close_many+0x288/0x350
[ 65.229607] dev_close_many+0xa4/0x480
[ 65.231124] dev_close+0x138/0x230
[ 65.231933] vmxnet3_force_close+0x1f0/0x240 [vmxnet3]
[ 65.232248] vmxnet3_change_mtu+0x75d/0x920 [vmxnet3]
...
Fixes: d1a890fa37f27 ("net: VMware virtual Ethernet NIC driver: vmxnet3")
Reported-by: TOTE Robot <[email protected]>
Signed-off-by: Zixuan Fu <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/vmxnet3/vmxnet3_drv.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index b76404d0657e..cce959f281b7 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -1573,6 +1573,10 @@ vmxnet3_rq_cleanup(struct vmxnet3_rx_queue *rq,
u32 i, ring_idx;
struct Vmxnet3_RxDesc *rxd;
+ /* ring has already been cleaned up */
+ if (!rq->rx_ring[0].base)
+ return;
+
for (ring_idx = 0; ring_idx < 2; ring_idx++) {
for (i = 0; i < rq->rx_ring[ring_idx].size; i++) {
#ifdef __BIG_ENDIAN_BITFIELD
--
2.35.1
From: Jakob Koschel <[email protected]>
[ Upstream commit 901aeda62efa21f2eae937bccb71b49ae531be06 ]
In preparation to limit the scope of a list iterator to the list
traversal loop, use a dedicated pointer to iterate through the list [1].
Since that variable should not be used past the loop iteration, a
separate variable is used to 'remember the current location within the
loop'.
To either continue iterating from that position or skip the iteration
(if the previous iteration was complete) list_prepare_entry() is used.
Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ [1]
Signed-off-by: Jakob Koschel <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/block/drbd/drbd_main.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
index daa9cef96ec6..f4537a5eef02 100644
--- a/drivers/block/drbd/drbd_main.c
+++ b/drivers/block/drbd/drbd_main.c
@@ -193,7 +193,7 @@ void tl_release(struct drbd_connection *connection, unsigned int barrier_nr,
unsigned int set_size)
{
struct drbd_request *r;
- struct drbd_request *req = NULL;
+ struct drbd_request *req = NULL, *tmp = NULL;
int expect_epoch = 0;
int expect_size = 0;
@@ -247,8 +247,11 @@ void tl_release(struct drbd_connection *connection, unsigned int barrier_nr,
* to catch requests being barrier-acked "unexpectedly".
* It usually should find the same req again, or some READ preceding it. */
list_for_each_entry(req, &connection->transfer_log, tl_requests)
- if (req->epoch == expect_epoch)
+ if (req->epoch == expect_epoch) {
+ tmp = req;
break;
+ }
+ req = list_prepare_entry(tmp, &connection->transfer_log, tl_requests);
list_for_each_entry_safe_from(req, r, &connection->transfer_log, tl_requests) {
if (req->epoch != expect_epoch)
break;
--
2.35.1
From: Zixuan Fu <[email protected]>
[ Upstream commit 9e7fef9521e73ca8afd7da9e58c14654b02dfad8 ]
In vmxnet3_rq_alloc_rx_buf(), when dma_map_single() fails, rbi->skb is
freed immediately. Similarly, in another branch, when dma_map_page() fails,
rbi->page is also freed. In the two cases, vmxnet3_rq_alloc_rx_buf()
returns an error to its callers vmxnet3_rq_init() -> vmxnet3_rq_init_all()
-> vmxnet3_activate_dev(). Then vmxnet3_activate_dev() calls
vmxnet3_rq_cleanup_all() in error handling code, and rbi->skb or rbi->page
are freed again in vmxnet3_rq_cleanup_all(), causing use-after-free bugs.
To fix these possible bugs, rbi->skb and rbi->page should be cleared after
they are freed.
The error log in our fault-injection testing is shown as follows:
[ 14.319016] BUG: KASAN: use-after-free in consume_skb+0x2f/0x150
...
[ 14.321586] Call Trace:
...
[ 14.325357] consume_skb+0x2f/0x150
[ 14.325671] vmxnet3_rq_cleanup_all+0x33a/0x4e0 [vmxnet3]
[ 14.326150] vmxnet3_activate_dev+0xb9d/0x2ca0 [vmxnet3]
[ 14.326616] vmxnet3_open+0x387/0x470 [vmxnet3]
...
[ 14.361675] Allocated by task 351:
...
[ 14.362688] __netdev_alloc_skb+0x1b3/0x6f0
[ 14.362960] vmxnet3_rq_alloc_rx_buf+0x1b0/0x8d0 [vmxnet3]
[ 14.363317] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3]
[ 14.363661] vmxnet3_open+0x387/0x470 [vmxnet3]
...
[ 14.367309]
[ 14.367412] Freed by task 351:
...
[ 14.368932] __dev_kfree_skb_any+0xd2/0xe0
[ 14.369193] vmxnet3_rq_alloc_rx_buf+0x71e/0x8d0 [vmxnet3]
[ 14.369544] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3]
[ 14.369883] vmxnet3_open+0x387/0x470 [vmxnet3]
[ 14.370174] __dev_open+0x28a/0x420
[ 14.370399] __dev_change_flags+0x192/0x590
[ 14.370667] dev_change_flags+0x7a/0x180
[ 14.370919] do_setlink+0xb28/0x3570
[ 14.371150] rtnl_newlink+0x1160/0x1740
[ 14.371399] rtnetlink_rcv_msg+0x5bf/0xa50
[ 14.371661] netlink_rcv_skb+0x1cd/0x3e0
[ 14.371913] netlink_unicast+0x5dc/0x840
[ 14.372169] netlink_sendmsg+0x856/0xc40
[ 14.372420] ____sys_sendmsg+0x8a7/0x8d0
[ 14.372673] __sys_sendmsg+0x1c2/0x270
[ 14.372914] do_syscall_64+0x41/0x90
[ 14.373145] entry_SYSCALL_64_after_hwframe+0x44/0xae
...
Fixes: 5738a09d58d5a ("vmxnet3: fix checks for dma mapping errors")
Reported-by: TOTE Robot <[email protected]>
Signed-off-by: Zixuan Fu <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/vmxnet3/vmxnet3_drv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index 56a8031b56b3..b76404d0657e 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -595,6 +595,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx,
if (dma_mapping_error(&adapter->pdev->dev,
rbi->dma_addr)) {
dev_kfree_skb_any(rbi->skb);
+ rbi->skb = NULL;
rq->stats.rx_buf_alloc_failure++;
break;
}
@@ -619,6 +620,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx,
if (dma_mapping_error(&adapter->pdev->dev,
rbi->dma_addr)) {
put_page(rbi->page);
+ rbi->page = NULL;
rq->stats.rx_buf_alloc_failure++;
break;
}
--
2.35.1
On 5/23/22 10:03, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.316 release.
> There are 25 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 May 2022 16:56:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.316-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels:
Tested-by: Florian Fainelli <[email protected]>
--
Florian
On 5/23/22 11:03 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.316 release.
> There are 25 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 May 2022 16:56:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.316-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <[email protected]>
thanks,
-- Shuah
Hi Greg,
On 23/05/2022 18:03, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.316 release.
> There are 25 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 May 2022 16:56:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.316-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
> Pseudo-Shortlog of commits:
...
> Ard Biesheuvel <[email protected]>
> ARM: 9196/1: spectre-bhb: enable for Cortex-A15
I am seeing a boot regression on tegra124-jetson-tk1 and reverting the
above commit is fixing the problem. This also appears to impact
linux-4.14.y, 4.19.y and 5.4.y.
Test results for stable-v4.9:
8 builds: 8 pass, 0 fail
18 boots: 16 pass, 2 fail
18 tests: 18 pass, 0 fail
Linux version: 4.9.316-rc1-gbe4ec3e3faa1
Boards tested: tegra124-jetson-tk1, tegra20-ventana,
tegra210-p2371-2180, tegra30-cardhu-a04
Boot failures: tegra124-jetson-tk1
Thanks
Jon
--
nvpublic
On Tue, May 24, 2022 at 03:55:58PM +0100, Jon Hunter wrote:
>
> On 24/05/2022 13:09, Greg Kroah-Hartman wrote:
>
> ...
>
> > > I am seeing a boot regression on tegra124-jetson-tk1 and reverting the above
> > > commit is fixing the problem. This also appears to impact linux-4.14.y,
> > > 4.19.y and 5.4.y.
> > >
> > > Test results for stable-v4.9:
> > > 8 builds: 8 pass, 0 fail
> > > 18 boots: 16 pass, 2 fail
> > > 18 tests: 18 pass, 0 fail
> > >
> > > Linux version: 4.9.316-rc1-gbe4ec3e3faa1
> > > Boards tested: tegra124-jetson-tk1, tegra20-ventana,
> > > tegra210-p2371-2180, tegra30-cardhu-a04
> > >
> > > Boot failures: tegra124-jetson-tk1
> >
> > Odd. This is also in 5.10.y, right? No issues there? Are we missing
> > something?
>
>
> Actually, the more I look at this, the more I see various intermittent
> reports with this and it is also impacting the mainline.
>
> The problem is that the commit in question is causing a ton of messages to
> be printed a boot and this sometimes is causing the boot test to fail
> because the boot is taking too long. The console shows ...
>
> [ 1233.327547] CPU0: Spectre BHB: using loop workaround
> [ 1233.327795] CPU1: Spectre BHB: using loop workaround
> [ 1233.328270] CPU1: Spectre BHB: using loop workaround
> [ 1233.328700] CPU1: Spectre BHB: using loop workaround
> [ 1233.355477] CPU2: Spectre BHB: using loop workaround
> ** 7 printk messages dropped **
> [ 1233.366271] CPU0: Spectre BHB: using loop workaround
> [ 1233.366580] CPU0: Spectre BHB: using loop workaround
> [ 1233.366815] CPU1: Spectre BHB: using loop workaround
> [ 1233.405475] CPU1: Spectre BHB: using loop workaround
> [ 1233.405874] CPU0: Spectre BHB: using loop workaround
> [ 1233.406041] CPU1: Spectre BHB: using loop workaround
> ** 1 printk messages dropped **
>
> There is a similar report of this [0] and I believe that we need a similar
> fix for the above prints as well. I have reported this to Ard [1]. So I am
> not sure that these Spectre BHB patches are quite ready for stable.
These patches are quite small, and just enable it for this known-broken
cpu type.
If there is an issue enabling it for this cpu type, then we can work on
that upstream, but there shouldn't be a reason to prevent this from
being merged now, especially given that it is supposed to be fixing a
known issue.
thanks,
greg k-h
On 24/05/2022 17:30, Florian Fainelli wrote:
...
> Jonathan any chance this is Tegra specific? Our ARCH_BRCMSTB SoCs which
> use a Brahma-B15 which uses nearly the same ca15 processor functions
> defined in arch/arm/mm/proc-v7.S reports the following *before* changes:
>
> [ 0.001641] CPU: Testing write buffer coherency: ok
> [ 0.001685] CPU0: Spectre v2: using ICIALLU workaround
> [ 0.001703] ftrace: allocating 30541 entries in 120 pages
> [ 0.044600] CPU0: update cpu_capacity 1024
> [ 0.044633] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
> [ 0.044662] Setting up static identity map for 0x200000 - 0x200060
> [ 0.047410] brcmstb: biuctrl: MCP: Write pairing already disabled
> [ 0.048974] CPU1: update cpu_capacity 1024
> [ 0.048978] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
> [ 0.048981] CPU1: Spectre v2: using ICIALLU workaround
> [ 0.050234] CPU2: update cpu_capacity 1024
> [ 0.050238] CPU2: thread -1, cpu 2, socket 0, mpidr 80000002
> [ 0.050241] CPU2: Spectre v2: using ICIALLU workaround
> [ 0.051437] CPU3: update cpu_capacity 1024
> [ 0.051441] CPU3: thread -1, cpu 3, socket 0, mpidr 80000003
> [ 0.051444] CPU3: Spectre v2: using ICIALLU workaround
> [ 0.051532] Brought up 4 CPUs
>
> and this *after* merging 4.9.316-rc1:
>
> [ 0.001626] CPU: Testing write buffer coherency: ok
> [ 0.001670] CPU0: Spectre v2: using ICIALLU workaround
> [ 0.001689] CPU0: Spectre BHB: using loop workaround
> [ 0.001705] ftrace: allocating 30542 entries in 120 pages
> [ 0.043752] CPU0: update cpu_capacity 1024
> [ 0.043784] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
> [ 0.043813] Setting up static identity map for 0x200000 - 0x200060
> [ 0.046547] brcmstb: biuctrl: MCP: Write pairing already disabled
> [ 0.048121] CPU1: update cpu_capacity 1024
> [ 0.048124] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
> [ 0.048129] CPU1: Spectre v2: using ICIALLU workaround
> [ 0.048165] CPU1: Spectre BHB: using loop workaround
> [ 0.049398] CPU2: update cpu_capacity 1024
> [ 0.049402] CPU2: thread -1, cpu 2, socket 0, mpidr 80000002
> [ 0.049405] CPU2: Spectre v2: using ICIALLU workaround
> [ 0.049440] CPU2: Spectre BHB: using loop workaround
> [ 0.050613] CPU3: update cpu_capacity 1024
> [ 0.050617] CPU3: thread -1, cpu 3, socket 0, mpidr 80000003
> [ 0.050619] CPU3: Spectre v2: using ICIALLU workaround
> [ 0.050653] CPU3: Spectre BHB: using loop workaround
> [ 0.050722] Brought up 4 CPUs
> [ 0.050738] SMP: Total of 4 processors activated (216.00 BogoMIPS).
> [ 0.050753] CPU: All CPU(s) started in HYP mode.
Does your platform support CPU idle? I see this being triggered
during CPU idle transitions ...
[ 4.415167] CPU0: Spectre BHB: using loop workaround
[ 4.417621] [<c01109a0>] (unwind_backtrace) from [<c010b7ac>] (show_stack+0x10/0x14)
[ 4.430291] [<c010b7ac>] (show_stack) from [<c09c2b38>] (dump_stack+0xc0/0xd4)
[ 4.437512] [<c09c2b38>] (dump_stack) from [<c011a6c8>] (cpu_v7_spectre_bhb_init+0xd8/0x190)
[ 4.445943] [<c011a6c8>] (cpu_v7_spectre_bhb_init) from [<c010dee8>] (cpu_suspend+0xac/0xc8)
[ 4.454377] [<c010dee8>] (cpu_suspend) from [<c011e7e4>] (tegra114_idle_power_down+0x74/0x78)
[ 4.462898] [<c011e7e4>] (tegra114_idle_power_down) from [<c06d3b44>] (cpuidle_enter_state+0x130/0x524)
[ 4.472286] [<c06d3b44>] (cpuidle_enter_state) from [<c0164a30>] (do_idle+0x1b0/0x200)
[ 4.480199] [<c0164a30>] (do_idle) from [<c0164d28>] (cpu_startup_entry+0x18/0x1c)
[ 4.487762] [<c0164d28>] (cpu_startup_entry) from [<801018cc>] (0x801018cc)
Jon
--
nvpublic
On Mon, May 23, 2022 at 07:03:18PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.316 release.
> There are 25 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 May 2022 16:56:55 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 163 pass: 163 fail: 0
Qemu test results:
total: 397 pass: 397 fail: 0
Tested-by: Guenter Roeck <[email protected]>
Guenter
On 24/05/2022 13:09, Greg Kroah-Hartman wrote:
...
>> I am seeing a boot regression on tegra124-jetson-tk1 and reverting the above
>> commit is fixing the problem. This also appears to impact linux-4.14.y,
>> 4.19.y and 5.4.y.
>>
>> Test results for stable-v4.9:
>> 8 builds: 8 pass, 0 fail
>> 18 boots: 16 pass, 2 fail
>> 18 tests: 18 pass, 0 fail
>>
>> Linux version: 4.9.316-rc1-gbe4ec3e3faa1
>> Boards tested: tegra124-jetson-tk1, tegra20-ventana,
>> tegra210-p2371-2180, tegra30-cardhu-a04
>>
>> Boot failures: tegra124-jetson-tk1
>
> Odd. This is also in 5.10.y, right? No issues there? Are we missing
> something?
Actually, the more I look at this, the more I see various intermittent
reports with this and it is also impacting the mainline.
The problem is that the commit in question is causing a ton of messages
to be printed a boot and this sometimes is causing the boot test to fail
because the boot is taking too long. The console shows ...
[ 1233.327547] CPU0: Spectre BHB: using loop workaround
[ 1233.327795] CPU1: Spectre BHB: using loop workaround
[ 1233.328270] CPU1: Spectre BHB: using loop workaround
[ 1233.328700] CPU1: Spectre BHB: using loop workaround
[ 1233.355477] CPU2: Spectre BHB: using loop workaround
** 7 printk messages dropped **
[ 1233.366271] CPU0: Spectre BHB: using loop workaround
[ 1233.366580] CPU0: Spectre BHB: using loop workaround
[ 1233.366815] CPU1: Spectre BHB: using loop workaround
[ 1233.405475] CPU1: Spectre BHB: using loop workaround
[ 1233.405874] CPU0: Spectre BHB: using loop workaround
[ 1233.406041] CPU1: Spectre BHB: using loop workaround
** 1 printk messages dropped **
There is a similar report of this [0] and I believe that we need a
similar fix for the above prints as well. I have reported this to Ard
[1]. So I am not sure that these Spectre BHB patches are quite ready for
stable.
Cheers
Jon
[0]
https://lore.kernel.org/linux-arm-kernel/[email protected]/T/
[1]
https://lore.kernel.org/linux-arm-kernel/[email protected]/
--
nvpublic
On Tue, May 24, 2022 at 09:32:07AM +0100, Jon Hunter wrote:
> Hi Greg,
>
> On 23/05/2022 18:03, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.9.316 release.
> > There are 25 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed, 25 May 2022 16:56:55 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.316-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
> > -------------
> > Pseudo-Shortlog of commits:
>
> ...
>
> > Ard Biesheuvel <[email protected]>
> > ARM: 9196/1: spectre-bhb: enable for Cortex-A15
>
>
> I am seeing a boot regression on tegra124-jetson-tk1 and reverting the above
> commit is fixing the problem. This also appears to impact linux-4.14.y,
> 4.19.y and 5.4.y.
>
> Test results for stable-v4.9:
> 8 builds: 8 pass, 0 fail
> 18 boots: 16 pass, 2 fail
> 18 tests: 18 pass, 0 fail
>
> Linux version: 4.9.316-rc1-gbe4ec3e3faa1
> Boards tested: tegra124-jetson-tk1, tegra20-ventana,
> tegra210-p2371-2180, tegra30-cardhu-a04
>
> Boot failures: tegra124-jetson-tk1
Odd. This is also in 5.10.y, right? No issues there? Are we missing
something?
On Mon, 23 May 2022 at 22:33, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.9.316 release.
> There are 25 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 May 2022 16:56:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.316-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
## Build
* kernel: 4.9.316-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-4.9.y
* git commit: be4ec3e3faa1cfbe1ee62a6f6dc29c1b341a90f0
* git describe: v4.9.315-26-gbe4ec3e3faa1
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.9.y/build/v4.9.315-26-gbe4ec3e3faa1
## Test Regressions (compared to v4.9.315)
No test regressions found.
## Metric Regressions (compared to v4.9.315)
No metric regressions found.
## Test Fixes (compared to v4.9.315)
No test fixes found.
## Metric Fixes (compared to v4.9.315)
No metric fixes found.
## Test result summary
total: 72713, pass: 57877, fail: 683, skip: 11880, xfail: 2273
## Build Summary
* arm: 238 total, 238 passed, 0 failed
* arm64: 32 total, 32 passed, 0 failed
* i386: 18 total, 18 passed, 0 failed
* mips: 22 total, 22 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x86_64: 31 total, 31 passed, 0 failed
## Test suites summary
* fwts
* kselftest-android
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* log-parser-boot
* log-parser-test
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* ssuite
* v4l2-compliance
* vdso
--
Linaro LKFT
https://lkft.linaro.org
On 5/24/22 08:06, Greg Kroah-Hartman wrote:
> On Tue, May 24, 2022 at 03:55:58PM +0100, Jon Hunter wrote:
>>
>> On 24/05/2022 13:09, Greg Kroah-Hartman wrote:
>>
>> ...
>>
>>>> I am seeing a boot regression on tegra124-jetson-tk1 and reverting the above
>>>> commit is fixing the problem. This also appears to impact linux-4.14.y,
>>>> 4.19.y and 5.4.y.
>>>>
>>>> Test results for stable-v4.9:
>>>> 8 builds: 8 pass, 0 fail
>>>> 18 boots: 16 pass, 2 fail
>>>> 18 tests: 18 pass, 0 fail
>>>>
>>>> Linux version: 4.9.316-rc1-gbe4ec3e3faa1
>>>> Boards tested: tegra124-jetson-tk1, tegra20-ventana,
>>>> tegra210-p2371-2180, tegra30-cardhu-a04
>>>>
>>>> Boot failures: tegra124-jetson-tk1
>>>
>>> Odd. This is also in 5.10.y, right? No issues there? Are we missing
>>> something?
>>
>>
>> Actually, the more I look at this, the more I see various intermittent
>> reports with this and it is also impacting the mainline.
>>
>> The problem is that the commit in question is causing a ton of messages to
>> be printed a boot and this sometimes is causing the boot test to fail
>> because the boot is taking too long. The console shows ...
>>
>> [ 1233.327547] CPU0: Spectre BHB: using loop workaround
>> [ 1233.327795] CPU1: Spectre BHB: using loop workaround
>> [ 1233.328270] CPU1: Spectre BHB: using loop workaround
>> [ 1233.328700] CPU1: Spectre BHB: using loop workaround
>> [ 1233.355477] CPU2: Spectre BHB: using loop workaround
>> ** 7 printk messages dropped **
>> [ 1233.366271] CPU0: Spectre BHB: using loop workaround
>> [ 1233.366580] CPU0: Spectre BHB: using loop workaround
>> [ 1233.366815] CPU1: Spectre BHB: using loop workaround
>> [ 1233.405475] CPU1: Spectre BHB: using loop workaround
>> [ 1233.405874] CPU0: Spectre BHB: using loop workaround
>> [ 1233.406041] CPU1: Spectre BHB: using loop workaround
>> ** 1 printk messages dropped **
>>
>> There is a similar report of this [0] and I believe that we need a similar
>> fix for the above prints as well. I have reported this to Ard [1]. So I am
>> not sure that these Spectre BHB patches are quite ready for stable.
>
> These patches are quite small, and just enable it for this known-broken
> cpu type.
>
> If there is an issue enabling it for this cpu type, then we can work on
> that upstream, but there shouldn't be a reason to prevent this from
> being merged now, especially given that it is supposed to be fixing a
> known issue.
Jonathan any chance this is Tegra specific? Our ARCH_BRCMSTB SoCs which
use a Brahma-B15 which uses nearly the same ca15 processor functions
defined in arch/arm/mm/proc-v7.S reports the following *before* changes:
[ 0.001641] CPU: Testing write buffer coherency: ok
[ 0.001685] CPU0: Spectre v2: using ICIALLU workaround
[ 0.001703] ftrace: allocating 30541 entries in 120 pages
[ 0.044600] CPU0: update cpu_capacity 1024
[ 0.044633] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[ 0.044662] Setting up static identity map for 0x200000 - 0x200060
[ 0.047410] brcmstb: biuctrl: MCP: Write pairing already disabled
[ 0.048974] CPU1: update cpu_capacity 1024
[ 0.048978] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
[ 0.048981] CPU1: Spectre v2: using ICIALLU workaround
[ 0.050234] CPU2: update cpu_capacity 1024
[ 0.050238] CPU2: thread -1, cpu 2, socket 0, mpidr 80000002
[ 0.050241] CPU2: Spectre v2: using ICIALLU workaround
[ 0.051437] CPU3: update cpu_capacity 1024
[ 0.051441] CPU3: thread -1, cpu 3, socket 0, mpidr 80000003
[ 0.051444] CPU3: Spectre v2: using ICIALLU workaround
[ 0.051532] Brought up 4 CPUs
and this *after* merging 4.9.316-rc1:
[ 0.001626] CPU: Testing write buffer coherency: ok
[ 0.001670] CPU0: Spectre v2: using ICIALLU workaround
[ 0.001689] CPU0: Spectre BHB: using loop workaround
[ 0.001705] ftrace: allocating 30542 entries in 120 pages
[ 0.043752] CPU0: update cpu_capacity 1024
[ 0.043784] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[ 0.043813] Setting up static identity map for 0x200000 - 0x200060
[ 0.046547] brcmstb: biuctrl: MCP: Write pairing already disabled
[ 0.048121] CPU1: update cpu_capacity 1024
[ 0.048124] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
[ 0.048129] CPU1: Spectre v2: using ICIALLU workaround
[ 0.048165] CPU1: Spectre BHB: using loop workaround
[ 0.049398] CPU2: update cpu_capacity 1024
[ 0.049402] CPU2: thread -1, cpu 2, socket 0, mpidr 80000002
[ 0.049405] CPU2: Spectre v2: using ICIALLU workaround
[ 0.049440] CPU2: Spectre BHB: using loop workaround
[ 0.050613] CPU3: update cpu_capacity 1024
[ 0.050617] CPU3: thread -1, cpu 3, socket 0, mpidr 80000003
[ 0.050619] CPU3: Spectre v2: using ICIALLU workaround
[ 0.050653] CPU3: Spectre BHB: using loop workaround
[ 0.050722] Brought up 4 CPUs
[ 0.050738] SMP: Total of 4 processors activated (216.00 BogoMIPS).
[ 0.050753] CPU: All CPU(s) started in HYP mode.
--
Florian
Hi!
> This is the start of the stable review cycle for the 4.9.316 release.
> There are 25 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.9.y
Tested-by: Pavel Machek (CIP) <[email protected]>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
On 24/05/2022 16:06, Greg Kroah-Hartman wrote:
> On Tue, May 24, 2022 at 03:55:58PM +0100, Jon Hunter wrote:
>>
>> On 24/05/2022 13:09, Greg Kroah-Hartman wrote:
>>
>> ...
>>
>>>> I am seeing a boot regression on tegra124-jetson-tk1 and reverting the above
>>>> commit is fixing the problem. This also appears to impact linux-4.14.y,
>>>> 4.19.y and 5.4.y.
>>>>
>>>> Test results for stable-v4.9:
>>>> 8 builds: 8 pass, 0 fail
>>>> 18 boots: 16 pass, 2 fail
>>>> 18 tests: 18 pass, 0 fail
>>>>
>>>> Linux version: 4.9.316-rc1-gbe4ec3e3faa1
>>>> Boards tested: tegra124-jetson-tk1, tegra20-ventana,
>>>> tegra210-p2371-2180, tegra30-cardhu-a04
>>>>
>>>> Boot failures: tegra124-jetson-tk1
>>>
>>> Odd. This is also in 5.10.y, right? No issues there? Are we missing
>>> something?
>>
>>
>> Actually, the more I look at this, the more I see various intermittent
>> reports with this and it is also impacting the mainline.
>>
>> The problem is that the commit in question is causing a ton of messages to
>> be printed a boot and this sometimes is causing the boot test to fail
>> because the boot is taking too long. The console shows ...
>>
>> [ 1233.327547] CPU0: Spectre BHB: using loop workaround
>> [ 1233.327795] CPU1: Spectre BHB: using loop workaround
>> [ 1233.328270] CPU1: Spectre BHB: using loop workaround
>> [ 1233.328700] CPU1: Spectre BHB: using loop workaround
>> [ 1233.355477] CPU2: Spectre BHB: using loop workaround
>> ** 7 printk messages dropped **
>> [ 1233.366271] CPU0: Spectre BHB: using loop workaround
>> [ 1233.366580] CPU0: Spectre BHB: using loop workaround
>> [ 1233.366815] CPU1: Spectre BHB: using loop workaround
>> [ 1233.405475] CPU1: Spectre BHB: using loop workaround
>> [ 1233.405874] CPU0: Spectre BHB: using loop workaround
>> [ 1233.406041] CPU1: Spectre BHB: using loop workaround
>> ** 1 printk messages dropped **
>>
>> There is a similar report of this [0] and I believe that we need a similar
>> fix for the above prints as well. I have reported this to Ard [1]. So I am
>> not sure that these Spectre BHB patches are quite ready for stable.
>
> These patches are quite small, and just enable it for this known-broken
> cpu type.
>
> If there is an issue enabling it for this cpu type, then we can work on
> that upstream, but there shouldn't be a reason to prevent this from
> being merged now, especially given that it is supposed to be fixing a
> known issue.
Yes understand. I have been doing some more testing and with v4.9, this
is triggering a boot timeout 100% of the time. So with 20 boots, all 20
timeout. Note the timeout is 2 mins. With v4.14, I saw only 5 out of 20
timeouts and so it would seem that v4.9 is slower to boot in general. I
think that the more recent kernels show intermittent timeouts.
We have some verbose logging enabled on this platform, which until now
has not been a problem, but I will disable this and that should resolve
this for now.
Cheers
Jon
--
nvpublic
On 5/24/22 10:50, Jon Hunter wrote:
>
> On 24/05/2022 17:30, Florian Fainelli wrote:
>
> ...
>
>> Jonathan any chance this is Tegra specific? Our ARCH_BRCMSTB SoCs
>> which use a Brahma-B15 which uses nearly the same ca15 processor
>> functions defined in arch/arm/mm/proc-v7.S reports the following
>> *before* changes:
>>
>> [ 0.001641] CPU: Testing write buffer coherency: ok
>> [ 0.001685] CPU0: Spectre v2: using ICIALLU workaround
>> [ 0.001703] ftrace: allocating 30541 entries in 120 pages
>> [ 0.044600] CPU0: update cpu_capacity 1024
>> [ 0.044633] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
>> [ 0.044662] Setting up static identity map for 0x200000 - 0x200060
>> [ 0.047410] brcmstb: biuctrl: MCP: Write pairing already disabled
>> [ 0.048974] CPU1: update cpu_capacity 1024
>> [ 0.048978] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
>> [ 0.048981] CPU1: Spectre v2: using ICIALLU workaround
>> [ 0.050234] CPU2: update cpu_capacity 1024
>> [ 0.050238] CPU2: thread -1, cpu 2, socket 0, mpidr 80000002
>> [ 0.050241] CPU2: Spectre v2: using ICIALLU workaround
>> [ 0.051437] CPU3: update cpu_capacity 1024
>> [ 0.051441] CPU3: thread -1, cpu 3, socket 0, mpidr 80000003
>> [ 0.051444] CPU3: Spectre v2: using ICIALLU workaround
>> [ 0.051532] Brought up 4 CPUs
>>
>> and this *after* merging 4.9.316-rc1:
>>
>> [ 0.001626] CPU: Testing write buffer coherency: ok
>> [ 0.001670] CPU0: Spectre v2: using ICIALLU workaround
>> [ 0.001689] CPU0: Spectre BHB: using loop workaround
>> [ 0.001705] ftrace: allocating 30542 entries in 120 pages
>> [ 0.043752] CPU0: update cpu_capacity 1024
>> [ 0.043784] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
>> [ 0.043813] Setting up static identity map for 0x200000 - 0x200060
>> [ 0.046547] brcmstb: biuctrl: MCP: Write pairing already disabled
>> [ 0.048121] CPU1: update cpu_capacity 1024
>> [ 0.048124] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
>> [ 0.048129] CPU1: Spectre v2: using ICIALLU workaround
>> [ 0.048165] CPU1: Spectre BHB: using loop workaround
>> [ 0.049398] CPU2: update cpu_capacity 1024
>> [ 0.049402] CPU2: thread -1, cpu 2, socket 0, mpidr 80000002
>> [ 0.049405] CPU2: Spectre v2: using ICIALLU workaround
>> [ 0.049440] CPU2: Spectre BHB: using loop workaround
>> [ 0.050613] CPU3: update cpu_capacity 1024
>> [ 0.050617] CPU3: thread -1, cpu 3, socket 0, mpidr 80000003
>> [ 0.050619] CPU3: Spectre v2: using ICIALLU workaround
>> [ 0.050653] CPU3: Spectre BHB: using loop workaround
>> [ 0.050722] Brought up 4 CPUs
>> [ 0.050738] SMP: Total of 4 processors activated (216.00 BogoMIPS).
>> [ 0.050753] CPU: All CPU(s) started in HYP mode.
>
>
> Does your platform support CPU idle? I see this being triggered
> during CPU idle transitions ...
It does, but not with an idle state resulting in powering down secondary
cores. We do have CPU hotplug with power gating as well as system wide
suspend states that result in power gating secondaries and they appear
to be working fine.
I use the attached script to randomly cycle hot plug/unplug through each
4 cores and it has been running over 10k cycles.
>
> [ 4.415167] CPU0: Spectre BHB: using loop workaround
> [ 4.417621] [<c01109a0>] (unwind_backtrace) from [<c010b7ac>]
> (show_stack+0x10/0x14)
> [ 4.430291] [<c010b7ac>] (show_stack) from [<c09c2b38>]
> (dump_stack+0xc0/0xd4)
> [ 4.437512] [<c09c2b38>] (dump_stack) from [<c011a6c8>]
> (cpu_v7_spectre_bhb_init+0xd8/0x190)
> [ 4.445943] [<c011a6c8>] (cpu_v7_spectre_bhb_init) from [<c010dee8>]
> (cpu_suspend+0xac/0xc8)
> [ 4.454377] [<c010dee8>] (cpu_suspend) from [<c011e7e4>]
> (tegra114_idle_power_down+0x74/0x78)
> [ 4.462898] [<c011e7e4>] (tegra114_idle_power_down) from [<c06d3b44>]
> (cpuidle_enter_state+0x130/0x524)
> [ 4.472286] [<c06d3b44>] (cpuidle_enter_state) from [<c0164a30>]
> (do_idle+0x1b0/0x200)
> [ 4.480199] [<c0164a30>] (do_idle) from [<c0164d28>]
> (cpu_startup_entry+0x18/0x1c)
> [ 4.487762] [<c0164d28>] (cpu_startup_entry) from [<801018cc>]
> (0x801018cc)
>
> Jon
>
--
Florian