From: Greg Kroah-Hartman Date: Mon, 25 Apr 2022 10:27:28 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.9.312~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=60bb0daa682f329ca7dcc748576f8051fed296e6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: ata-pata_marvell-check-the-bmdma_addr-beforing-reading.patch dma-at_xdmac-fix-a-missing-check-on-list-iterator.patch edac-synopsys-read-the-error-count-from-the-correct-register.patch oom_kill.c-futex-delay-the-oom-reaper-to-allow-time-for-proper-futex-cleanup.patch --- diff --git a/queue-5.4/ata-pata_marvell-check-the-bmdma_addr-beforing-reading.patch b/queue-5.4/ata-pata_marvell-check-the-bmdma_addr-beforing-reading.patch new file mode 100644 index 00000000000..c79f199f64d --- /dev/null +++ b/queue-5.4/ata-pata_marvell-check-the-bmdma_addr-beforing-reading.patch @@ -0,0 +1,40 @@ +From aafa9f958342db36c17ac2a7f1b841032c96feb4 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Thu, 21 Apr 2022 09:39:20 +0800 +Subject: ata: pata_marvell: Check the 'bmdma_addr' beforing reading + +From: Zheyu Ma + +commit aafa9f958342db36c17ac2a7f1b841032c96feb4 upstream. + +Before detecting the cable type on the dma bar, the driver should check +whether the 'bmdma_addr' is zero, which means the adapter does not +support DMA, otherwise we will get the following error: + +[ 5.146634] Bad IO access at port 0x1 (return inb(port)) +[ 5.147206] WARNING: CPU: 2 PID: 303 at lib/iomap.c:44 ioread8+0x4a/0x60 +[ 5.150856] RIP: 0010:ioread8+0x4a/0x60 +[ 5.160238] Call Trace: +[ 5.160470] +[ 5.160674] marvell_cable_detect+0x6e/0xc0 [pata_marvell] +[ 5.161728] ata_eh_recover+0x3520/0x6cc0 +[ 5.168075] ata_do_eh+0x49/0x3c0 + +Signed-off-by: Zheyu Ma +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/pata_marvell.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/ata/pata_marvell.c ++++ b/drivers/ata/pata_marvell.c +@@ -83,6 +83,8 @@ static int marvell_cable_detect(struct a + switch(ap->port_no) + { + case 0: ++ if (!ap->ioaddr.bmdma_addr) ++ return ATA_CBL_PATA_UNK; + if (ioread8(ap->ioaddr.bmdma_addr + 1) & 1) + return ATA_CBL_PATA40; + return ATA_CBL_PATA80; diff --git a/queue-5.4/dma-at_xdmac-fix-a-missing-check-on-list-iterator.patch b/queue-5.4/dma-at_xdmac-fix-a-missing-check-on-list-iterator.patch new file mode 100644 index 00000000000..25b5d4de86a --- /dev/null +++ b/queue-5.4/dma-at_xdmac-fix-a-missing-check-on-list-iterator.patch @@ -0,0 +1,57 @@ +From 206680c4e46b62fd8909385e0874a36952595b85 Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Sun, 27 Mar 2022 14:11:54 +0800 +Subject: dma: at_xdmac: fix a missing check on list iterator + +From: Xiaomeng Tong + +commit 206680c4e46b62fd8909385e0874a36952595b85 upstream. + +The bug is here: + __func__, desc, &desc->tx_dma_desc.phys, ret, cookie, residue); + +The list iterator 'desc' will point to a bogus position containing +HEAD if the list is empty or no element is found. To avoid dev_dbg() +prints a invalid address, use a new variable 'iter' as the list +iterator, while use the origin variable 'desc' as a dedicated +pointer to point to the found element. + +Cc: stable@vger.kernel.org +Fixes: 82e2424635f4c ("dmaengine: xdmac: fix print warning on dma_addr_t variable") +Signed-off-by: Xiaomeng Tong +Link: https://lore.kernel.org/r/20220327061154.4867-1-xiam0nd.tong@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/at_xdmac.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1390,7 +1390,7 @@ at_xdmac_tx_status(struct dma_chan *chan + { + struct at_xdmac_chan *atchan = to_at_xdmac_chan(chan); + struct at_xdmac *atxdmac = to_at_xdmac(atchan->chan.device); +- struct at_xdmac_desc *desc, *_desc; ++ struct at_xdmac_desc *desc, *_desc, *iter; + struct list_head *descs_list; + enum dma_status ret; + int residue, retry; +@@ -1505,11 +1505,13 @@ at_xdmac_tx_status(struct dma_chan *chan + * microblock. + */ + descs_list = &desc->descs_list; +- list_for_each_entry_safe(desc, _desc, descs_list, desc_node) { +- dwidth = at_xdmac_get_dwidth(desc->lld.mbr_cfg); +- residue -= (desc->lld.mbr_ubc & 0xffffff) << dwidth; +- if ((desc->lld.mbr_nda & 0xfffffffc) == cur_nda) ++ list_for_each_entry_safe(iter, _desc, descs_list, desc_node) { ++ dwidth = at_xdmac_get_dwidth(iter->lld.mbr_cfg); ++ residue -= (iter->lld.mbr_ubc & 0xffffff) << dwidth; ++ if ((iter->lld.mbr_nda & 0xfffffffc) == cur_nda) { ++ desc = iter; + break; ++ } + } + residue += cur_ubc << dwidth; + diff --git a/queue-5.4/edac-synopsys-read-the-error-count-from-the-correct-register.patch b/queue-5.4/edac-synopsys-read-the-error-count-from-the-correct-register.patch new file mode 100644 index 00000000000..7d6c370eeaf --- /dev/null +++ b/queue-5.4/edac-synopsys-read-the-error-count-from-the-correct-register.patch @@ -0,0 +1,61 @@ +From e2932d1f6f055b2af2114c7e64a26dc1b5593d0c Mon Sep 17 00:00:00 2001 +From: Shubhrajyoti Datta +Date: Thu, 14 Apr 2022 15:58:13 +0530 +Subject: EDAC/synopsys: Read the error count from the correct register + +From: Shubhrajyoti Datta + +commit e2932d1f6f055b2af2114c7e64a26dc1b5593d0c upstream. + +Currently, the error count is read wrongly from the status register. Read +the count from the proper error count register (ERRCNT). + + [ bp: Massage. ] + +Fixes: b500b4a029d5 ("EDAC, synopsys: Add ECC support for ZynqMP DDR controller") +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: Borislav Petkov +Acked-by: Michal Simek +Cc: +Link: https://lore.kernel.org/r/20220414102813.4468-1-shubhrajyoti.datta@xilinx.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/synopsys_edac.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/edac/synopsys_edac.c ++++ b/drivers/edac/synopsys_edac.c +@@ -163,6 +163,11 @@ + #define ECC_STAT_CECNT_SHIFT 8 + #define ECC_STAT_BITNUM_MASK 0x7F + ++/* ECC error count register definitions */ ++#define ECC_ERRCNT_UECNT_MASK 0xFFFF0000 ++#define ECC_ERRCNT_UECNT_SHIFT 16 ++#define ECC_ERRCNT_CECNT_MASK 0xFFFF ++ + /* DDR QOS Interrupt register definitions */ + #define DDR_QOS_IRQ_STAT_OFST 0x20200 + #define DDR_QOSUE_MASK 0x4 +@@ -418,15 +423,16 @@ static int zynqmp_get_error_info(struct + base = priv->baseaddr; + p = &priv->stat; + ++ regval = readl(base + ECC_ERRCNT_OFST); ++ p->ce_cnt = regval & ECC_ERRCNT_CECNT_MASK; ++ p->ue_cnt = (regval & ECC_ERRCNT_UECNT_MASK) >> ECC_ERRCNT_UECNT_SHIFT; ++ if (!p->ce_cnt) ++ goto ue_err; ++ + regval = readl(base + ECC_STAT_OFST); + if (!regval) + return 1; + +- p->ce_cnt = (regval & ECC_STAT_CECNT_MASK) >> ECC_STAT_CECNT_SHIFT; +- p->ue_cnt = (regval & ECC_STAT_UECNT_MASK) >> ECC_STAT_UECNT_SHIFT; +- if (!p->ce_cnt) +- goto ue_err; +- + p->ceinfo.bitpos = (regval & ECC_STAT_BITNUM_MASK); + + regval = readl(base + ECC_CEADDR0_OFST); diff --git a/queue-5.4/oom_kill.c-futex-delay-the-oom-reaper-to-allow-time-for-proper-futex-cleanup.patch b/queue-5.4/oom_kill.c-futex-delay-the-oom-reaper-to-allow-time-for-proper-futex-cleanup.patch new file mode 100644 index 00000000000..71d79b723d1 --- /dev/null +++ b/queue-5.4/oom_kill.c-futex-delay-the-oom-reaper-to-allow-time-for-proper-futex-cleanup.patch @@ -0,0 +1,206 @@ +From e4a38402c36e42df28eb1a5394be87e6571fb48a Mon Sep 17 00:00:00 2001 +From: Nico Pache +Date: Thu, 21 Apr 2022 16:36:01 -0700 +Subject: oom_kill.c: futex: delay the OOM reaper to allow time for proper futex cleanup + +From: Nico Pache + +commit e4a38402c36e42df28eb1a5394be87e6571fb48a upstream. + +The pthread struct is allocated on PRIVATE|ANONYMOUS memory [1] which +can be targeted by the oom reaper. This mapping is used to store the +futex robust list head; the kernel does not keep a copy of the robust +list and instead references a userspace address to maintain the +robustness during a process death. + +A race can occur between exit_mm and the oom reaper that allows the oom +reaper to free the memory of the futex robust list before the exit path +has handled the futex death: + + CPU1 CPU2 + -------------------------------------------------------------------- + page_fault + do_exit "signal" + wake_oom_reaper + oom_reaper + oom_reap_task_mm (invalidates mm) + exit_mm + exit_mm_release + futex_exit_release + futex_cleanup + exit_robust_list + get_user (EFAULT- can't access memory) + +If the get_user EFAULT's, the kernel will be unable to recover the +waiters on the robust_list, leaving userspace mutexes hung indefinitely. + +Delay the OOM reaper, allowing more time for the exit path to perform +the futex cleanup. + +Reproducer: https://gitlab.com/jsavitz/oom_futex_reproducer + +Based on a patch by Michal Hocko. + +Link: https://elixir.bootlin.com/glibc/glibc-2.35/source/nptl/allocatestack.c#L370 [1] +Link: https://lkml.kernel.org/r/20220414144042.677008-1-npache@redhat.com +Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently") +Signed-off-by: Joel Savitz +Signed-off-by: Nico Pache +Co-developed-by: Joel Savitz +Suggested-by: Thomas Gleixner +Acked-by: Thomas Gleixner +Acked-by: Michal Hocko +Cc: Rafael Aquini +Cc: Waiman Long +Cc: Herton R. Krzesinski +Cc: Juri Lelli +Cc: Vincent Guittot +Cc: Dietmar Eggemann +Cc: Steven Rostedt +Cc: Ben Segall +Cc: Mel Gorman +Cc: Daniel Bristot de Oliveira +Cc: David Rientjes +Cc: Andrea Arcangeli +Cc: Davidlohr Bueso +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: Joel Savitz +Cc: Darren Hart +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 1 + mm/oom_kill.c | 54 +++++++++++++++++++++++++++++++++++++------------- + 2 files changed, 41 insertions(+), 14 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1247,6 +1247,7 @@ struct task_struct { + int pagefault_disabled; + #ifdef CONFIG_MMU + struct task_struct *oom_reaper_list; ++ struct timer_list oom_reaper_timer; + #endif + #ifdef CONFIG_VMAP_STACK + struct vm_struct *stack_vm_area; +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -631,7 +631,7 @@ done: + */ + set_bit(MMF_OOM_SKIP, &mm->flags); + +- /* Drop a reference taken by wake_oom_reaper */ ++ /* Drop a reference taken by queue_oom_reaper */ + put_task_struct(tsk); + } + +@@ -641,12 +641,12 @@ static int oom_reaper(void *unused) + struct task_struct *tsk = NULL; + + wait_event_freezable(oom_reaper_wait, oom_reaper_list != NULL); +- spin_lock(&oom_reaper_lock); ++ spin_lock_irq(&oom_reaper_lock); + if (oom_reaper_list != NULL) { + tsk = oom_reaper_list; + oom_reaper_list = tsk->oom_reaper_list; + } +- spin_unlock(&oom_reaper_lock); ++ spin_unlock_irq(&oom_reaper_lock); + + if (tsk) + oom_reap_task(tsk); +@@ -655,22 +655,48 @@ static int oom_reaper(void *unused) + return 0; + } + +-static void wake_oom_reaper(struct task_struct *tsk) ++static void wake_oom_reaper(struct timer_list *timer) + { +- /* mm is already queued? */ +- if (test_and_set_bit(MMF_OOM_REAP_QUEUED, &tsk->signal->oom_mm->flags)) ++ struct task_struct *tsk = container_of(timer, struct task_struct, ++ oom_reaper_timer); ++ struct mm_struct *mm = tsk->signal->oom_mm; ++ unsigned long flags; ++ ++ /* The victim managed to terminate on its own - see exit_mmap */ ++ if (test_bit(MMF_OOM_SKIP, &mm->flags)) { ++ put_task_struct(tsk); + return; ++ } + +- get_task_struct(tsk); +- +- spin_lock(&oom_reaper_lock); ++ spin_lock_irqsave(&oom_reaper_lock, flags); + tsk->oom_reaper_list = oom_reaper_list; + oom_reaper_list = tsk; +- spin_unlock(&oom_reaper_lock); ++ spin_unlock_irqrestore(&oom_reaper_lock, flags); + trace_wake_reaper(tsk->pid); + wake_up(&oom_reaper_wait); + } + ++/* ++ * Give the OOM victim time to exit naturally before invoking the oom_reaping. ++ * The timers timeout is arbitrary... the longer it is, the longer the worst ++ * case scenario for the OOM can take. If it is too small, the oom_reaper can ++ * get in the way and release resources needed by the process exit path. ++ * e.g. The futex robust list can sit in Anon|Private memory that gets reaped ++ * before the exit path is able to wake the futex waiters. ++ */ ++#define OOM_REAPER_DELAY (2*HZ) ++static void queue_oom_reaper(struct task_struct *tsk) ++{ ++ /* mm is already queued? */ ++ if (test_and_set_bit(MMF_OOM_REAP_QUEUED, &tsk->signal->oom_mm->flags)) ++ return; ++ ++ get_task_struct(tsk); ++ timer_setup(&tsk->oom_reaper_timer, wake_oom_reaper, 0); ++ tsk->oom_reaper_timer.expires = jiffies + OOM_REAPER_DELAY; ++ add_timer(&tsk->oom_reaper_timer); ++} ++ + static int __init oom_init(void) + { + oom_reaper_th = kthread_run(oom_reaper, NULL, "oom_reaper"); +@@ -678,7 +704,7 @@ static int __init oom_init(void) + } + subsys_initcall(oom_init) + #else +-static inline void wake_oom_reaper(struct task_struct *tsk) ++static inline void queue_oom_reaper(struct task_struct *tsk) + { + } + #endif /* CONFIG_MMU */ +@@ -927,7 +953,7 @@ static void __oom_kill_process(struct ta + rcu_read_unlock(); + + if (can_oom_reap) +- wake_oom_reaper(victim); ++ queue_oom_reaper(victim); + + mmdrop(mm); + put_task_struct(victim); +@@ -963,7 +989,7 @@ static void oom_kill_process(struct oom_ + task_lock(victim); + if (task_will_free_mem(victim)) { + mark_oom_victim(victim); +- wake_oom_reaper(victim); ++ queue_oom_reaper(victim); + task_unlock(victim); + put_task_struct(victim); + return; +@@ -1061,7 +1087,7 @@ bool out_of_memory(struct oom_control *o + */ + if (task_will_free_mem(current)) { + mark_oom_victim(current); +- wake_oom_reaper(current); ++ queue_oom_reaper(current); + return true; + } + diff --git a/queue-5.4/series b/queue-5.4/series index 6888b91eeed..487f34f6e98 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -33,3 +33,7 @@ drm-msm-mdp5-check-the-return-of-kzalloc.patch net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch scsi-qedi-fix-failed-disconnect-handling.patch stat-fix-inconsistency-between-struct-stat-and-struc.patch +edac-synopsys-read-the-error-count-from-the-correct-register.patch +oom_kill.c-futex-delay-the-oom-reaper-to-allow-time-for-proper-futex-cleanup.patch +ata-pata_marvell-check-the-bmdma_addr-beforing-reading.patch +dma-at_xdmac-fix-a-missing-check-on-list-iterator.patch