From: Sasha Levin
Date: Tue, 7 Jan 2020 18:07:24 +0000 (-0500)
Subject: fixes for 4.14
X-Git-Tag: v4.14.163~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=650c50078cb57a28748ae63a4a722e3907999fe6;p=thirdparty%2Fkernel%2Fstable-queue.git

fixes for 4.14

Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/arm64-dts-meson-odroid-c2-disable-usb_otg-bus-to-avo.patch b/queue-4.14/arm64-dts-meson-odroid-c2-disable-usb_otg-bus-to-avo.patch new file mode 100644 index 00000000000..0c45e878d27 --- /dev/null +++ b/queue-4.14/arm64-dts-meson-odroid-c2-disable-usb_otg-bus-to-avo.patch 
@@ -0,0 +1,147 @@ +From ab0458cd225e3990881989a66c0461a188a0df4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2019 05:49:35 +0000 +Subject: arm64: dts: meson: odroid-c2: Disable usb_otg bus to avoid power + failed warning + +From: Anand Moon + +[ Upstream commit 72c9b5f6f75fbc6c47e0a2d02bc3838a2a47c90a ] + +usb_otg bus needs to get initialize from the u-boot to be configured +to used as power source to SBC or usb otg port will get configured +as host device. Right now this support is missing in the u-boot and +phy driver so to avoid power failed warning, we would disable this +feature until proper fix is found. + +[ 2.716048] phy phy-c0000000.phy.0: USB ID detect failed! +[ 2.720186] phy phy-c0000000.phy.0: phy poweron failed --> -22 +[ 2.726001] ------------[ cut here ]------------ +[ 2.730583] WARNING: CPU: 0 PID: 12 at drivers/regulator/core.c:2039 _regulator_put+0x3c/0xe8 +[ 2.738983] Modules linked in: +[ 2.742005] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.9-1-ARCH #1 +[ 2.748643] Hardware name: Hardkernel ODROID-C2 (DT) +[ 2.753566] Workqueue: events deferred_probe_work_func +[ 2.758649] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 2.763394] pc : _regulator_put+0x3c/0xe8 +[ 2.767361] lr : _regulator_put+0x3c/0xe8 +[ 2.771326] sp : ffff000011aa3a50 +[ 2.774604] x29: ffff000011aa3a50 x28: ffff80007ed1b600 +[ 2.779865] x27: ffff80007f7036a8 x26: ffff80007f7036a8 +[ 2.785126] x25: 0000000000000000 x24: ffff000011a44458 +[ 2.790387] x23: ffff000011344218 x22: 0000000000000009 +[ 2.795649] x21: ffff000011aa3b68 x20: ffff80007ed1b500 +[ 2.800910] x19: ffff80007ed1b500 x18: 0000000000000010 +[ 2.806171] x17: 000000005be5943c x16: 00000000f1c73b29 +[ 2.811432] x15: ffffffffffffffff x14: ffff0000117396c8 +[ 2.816694] x13: ffff000091aa37a7 x12: ffff000011aa37af +[ 2.821955] x11: ffff000011763000 x10: ffff000011aa3730 +[ 2.827216] x9 : 00000000ffffffd0 x8 : ffff000010871760 +[ 2.832477] x7 : 00000000000000d0 x6 : ffff0000119d151b +[ 2.837739] x5 : 
000000000000000f x4 : 0000000000000000 +[ 2.843000] x3 : 0000000000000000 x2 : 38104b2678c20100 +[ 2.848261] x1 : 0000000000000000 x0 : 0000000000000024 +[ 2.853523] Call trace: +[ 2.855940] _regulator_put+0x3c/0xe8 +[ 2.859562] regulator_put+0x34/0x48 +[ 2.863098] regulator_bulk_free+0x40/0x58 +[ 2.867153] devm_regulator_bulk_release+0x24/0x30 +[ 2.871896] release_nodes+0x1f0/0x2e0 +[ 2.875604] devres_release_all+0x64/0xa4 +[ 2.879571] really_probe+0x1c8/0x3e0 +[ 2.883194] driver_probe_device+0xe4/0x138 +[ 2.887334] __device_attach_driver+0x90/0x110 +[ 2.891733] bus_for_each_drv+0x8c/0xd8 +[ 2.895527] __device_attach+0xdc/0x160 +[ 2.899322] device_initial_probe+0x24/0x30 +[ 2.903463] bus_probe_device+0x9c/0xa8 +[ 2.907258] deferred_probe_work_func+0xa0/0xf0 +[ 2.911745] process_one_work+0x1b4/0x408 +[ 2.915711] worker_thread+0x54/0x4b8 +[ 2.919334] kthread+0x12c/0x130 +[ 2.922526] ret_from_fork+0x10/0x1c +[ 2.926060] ---[ end trace 51a68f4c0035d6c0 ]--- +[ 2.930691] ------------[ cut here ]------------ +[ 2.935242] WARNING: CPU: 0 PID: 12 at drivers/regulator/core.c:2039 _regulator_put+0x3c/0xe8 +[ 2.943653] Modules linked in: +[ 2.946675] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G W 5.2.9-1-ARCH #1 +[ 2.954694] Hardware name: Hardkernel ODROID-C2 (DT) +[ 2.959613] Workqueue: events deferred_probe_work_func +[ 2.964700] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 2.969445] pc : _regulator_put+0x3c/0xe8 +[ 2.973412] lr : _regulator_put+0x3c/0xe8 +[ 2.977377] sp : ffff000011aa3a50 +[ 2.980655] x29: ffff000011aa3a50 x28: ffff80007ed1b600 +[ 2.985916] x27: ffff80007f7036a8 x26: ffff80007f7036a8 +[ 2.991177] x25: 0000000000000000 x24: ffff000011a44458 +[ 2.996439] x23: ffff000011344218 x22: 0000000000000009 +[ 3.001700] x21: ffff000011aa3b68 x20: ffff80007ed1bd00 +[ 3.006961] x19: ffff80007ed1bd00 x18: 0000000000000010 +[ 3.012222] x17: 000000005be5943c x16: 00000000f1c73b29 +[ 3.017484] x15: ffffffffffffffff x14: ffff0000117396c8 +[ 3.022745] x13: ffff000091aa37a7 x12: 
ffff000011aa37af +[ 3.028006] x11: ffff000011763000 x10: ffff000011aa3730 +[ 3.033267] x9 : 00000000ffffffd0 x8 : ffff000010871760 +[ 3.038528] x7 : 00000000000000fd x6 : ffff0000119d151b +[ 3.043790] x5 : 000000000000000f x4 : 0000000000000000 +[ 3.049051] x3 : 0000000000000000 x2 : 38104b2678c20100 +[ 3.054312] x1 : 0000000000000000 x0 : 0000000000000024 +[ 3.059574] Call trace: +[ 3.061991] _regulator_put+0x3c/0xe8 +[ 3.065613] regulator_put+0x34/0x48 +[ 3.069149] regulator_bulk_free+0x40/0x58 +[ 3.073203] devm_regulator_bulk_release+0x24/0x30 +[ 3.077947] release_nodes+0x1f0/0x2e0 +[ 3.081655] devres_release_all+0x64/0xa4 +[ 3.085622] really_probe+0x1c8/0x3e0 +[ 3.089245] driver_probe_device+0xe4/0x138 +[ 3.093385] __device_attach_driver+0x90/0x110 +[ 3.097784] bus_for_each_drv+0x8c/0xd8 +[ 3.101578] __device_attach+0xdc/0x160 +[ 3.105373] device_initial_probe+0x24/0x30 +[ 3.109514] bus_probe_device+0x9c/0xa8 +[ 3.113309] deferred_probe_work_func+0xa0/0xf0 +[ 3.117796] process_one_work+0x1b4/0x408 +[ 3.121762] worker_thread+0x54/0x4b8 +[ 3.125384] kthread+0x12c/0x130 +[ 3.128575] ret_from_fork+0x10/0x1c +[ 3.132110] ---[ end trace 51a68f4c0035d6c1 ]--- +[ 3.136753] dwc2: probe of c9000000.usb failed with error -22 + +Fixes: 5a0803bd5ae2 ("ARM64: dts: meson-gxbb-odroidc2: Enable USB Nodes") +Cc: Martin Blumenstingl +Cc: Jerome Brunet +Cc: Neil Armstrong +Acked-by: Martin Blumenstingl +Signed-off-by: Anand Moon +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts b/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts +index 4ea23df81f21..5da604e5cf28 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-gxbb-odroidc2.dts +@@ -295,7 +295,7 @@ + }; + + &usb0_phy { +- status = "okay"; ++ status = "disabled"; + phy-supply = 
<&usb_otg_pwr>; + }; + +@@ -305,7 +305,7 @@ + }; + + &usb0 { +- status = "okay"; ++ status = "disabled"; + }; + + &usb1 { +-- +2.20.1 + diff --git a/queue-4.14/ath9k_htc-discard-undersized-packets.patch b/queue-4.14/ath9k_htc-discard-undersized-packets.patch new file mode 100644 index 00000000000..eb5711f8e2f --- /dev/null +++ b/queue-4.14/ath9k_htc-discard-undersized-packets.patch 
@@ -0,0 +1,124 @@ +From 95dca0be5558a6d3c742d01f760667c0040f4d60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 11:51:46 +0900 +Subject: ath9k_htc: Discard undersized packets + +From: Masashi Honma + +[ Upstream commit cd486e627e67ee9ab66914d36d3127ef057cc010 ] + +Sometimes the hardware will push small packets that trigger a WARN_ON +in mac80211. Discard them early to avoid this issue. + +This patch ports 2 patches from ath9k to ath9k_htc. +commit 3c0efb745a172bfe96459e20cbd37b0c945d5f8d "ath9k: discard +undersized packets". +commit df5c4150501ee7e86383be88f6490d970adcf157 "ath9k: correctly +handle short radar pulses". + +[ 112.835889] ------------[ cut here ]------------ +[ 112.835971] WARNING: CPU: 5 PID: 0 at net/mac80211/rx.c:804 ieee80211_rx_napi+0xaac/0xb40 [mac80211] +[ 112.835973] Modules linked in: ath9k_htc ath9k_common ath9k_hw ath mac80211 cfg80211 libarc4 nouveau snd_hda_codec_hdmi intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec video snd_hda_core ttm snd_hwdep drm_kms_helper snd_pcm crct10dif_pclmul snd_seq_midi drm snd_seq_midi_event crc32_pclmul snd_rawmidi ghash_clmulni_intel snd_seq aesni_intel aes_x86_64 crypto_simd cryptd snd_seq_device glue_helper snd_timer sch_fq_codel i2c_algo_bit fb_sys_fops snd input_leds syscopyarea sysfillrect sysimgblt intel_cstate mei_me intel_rapl_perf soundcore mxm_wmi lpc_ich mei kvm_intel kvm mac_hid irqbypass parport_pc ppdev lp parport ip_tables x_tables autofs4 hid_generic usbhid hid raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear e1000e ahci libahci wmi +[ 112.836022] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 5.3.0-wt #1 +[ 112.836023] Hardware name: MouseComputer Co.,Ltd. 
X99-S01/X99-S01, BIOS 1.0C-W7 04/01/2015 +[ 112.836056] RIP: 0010:ieee80211_rx_napi+0xaac/0xb40 [mac80211] +[ 112.836059] Code: 00 00 66 41 89 86 b0 00 00 00 e9 c8 fa ff ff 4c 89 b5 40 ff ff ff 49 89 c6 e9 c9 fa ff ff 48 c7 c7 e0 a2 a5 c0 e8 47 41 b0 e9 <0f> 0b 48 89 df e8 5a 94 2d ea e9 02 f9 ff ff 41 39 c1 44 89 85 60 +[ 112.836060] RSP: 0018:ffffaa6180220da8 EFLAGS: 00010286 +[ 112.836062] RAX: 0000000000000024 RBX: ffff909a20eeda00 RCX: 0000000000000000 +[ 112.836064] RDX: 0000000000000000 RSI: ffff909a2f957448 RDI: ffff909a2f957448 +[ 112.836065] RBP: ffffaa6180220e78 R08: 00000000000006e9 R09: 0000000000000004 +[ 112.836066] R10: 000000000000000a R11: 0000000000000001 R12: 0000000000000000 +[ 112.836068] R13: ffff909a261a47a0 R14: 0000000000000000 R15: 0000000000000004 +[ 112.836070] FS: 0000000000000000(0000) GS:ffff909a2f940000(0000) knlGS:0000000000000000 +[ 112.836071] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 112.836073] CR2: 00007f4e3ffffa08 CR3: 00000001afc0a006 CR4: 00000000001606e0 +[ 112.836074] Call Trace: +[ 112.836076] +[ 112.836083] ? finish_td+0xb3/0xf0 +[ 112.836092] ? 
ath9k_rx_prepare.isra.11+0x22f/0x2a0 [ath9k_htc] +[ 112.836099] ath9k_rx_tasklet+0x10b/0x1d0 [ath9k_htc] +[ 112.836105] tasklet_action_common.isra.22+0x63/0x110 +[ 112.836108] tasklet_action+0x22/0x30 +[ 112.836115] __do_softirq+0xe4/0x2da +[ 112.836118] irq_exit+0xae/0xb0 +[ 112.836121] do_IRQ+0x86/0xe0 +[ 112.836125] common_interrupt+0xf/0xf +[ 112.836126] +[ 112.836130] RIP: 0010:cpuidle_enter_state+0xa9/0x440 +[ 112.836133] Code: 3d bc 20 38 55 e8 f7 1d 84 ff 49 89 c7 0f 1f 44 00 00 31 ff e8 28 29 84 ff 80 7d d3 00 0f 85 e6 01 00 00 fb 66 0f 1f 44 00 00 <45> 85 ed 0f 89 ff 01 00 00 41 c7 44 24 10 00 00 00 00 48 83 c4 18 +[ 112.836134] RSP: 0018:ffffaa61800e3e48 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde +[ 112.836136] RAX: ffff909a2f96b340 RBX: ffffffffabb58200 RCX: 000000000000001f +[ 112.836137] RDX: 0000001a458adc5d RSI: 0000000026c9b581 RDI: 0000000000000000 +[ 112.836139] RBP: ffffaa61800e3e88 R08: 0000000000000002 R09: 000000000002abc0 +[ 112.836140] R10: ffffaa61800e3e18 R11: 000000000000002d R12: ffffca617fb40b00 +[ 112.836141] R13: 0000000000000002 R14: ffffffffabb582d8 R15: 0000001a458adc5d +[ 112.836145] ? cpuidle_enter_state+0x98/0x440 +[ 112.836149] ? 
menu_select+0x370/0x600 +[ 112.836151] cpuidle_enter+0x2e/0x40 +[ 112.836154] call_cpuidle+0x23/0x40 +[ 112.836156] do_idle+0x204/0x280 +[ 112.836159] cpu_startup_entry+0x1d/0x20 +[ 112.836164] start_secondary+0x167/0x1c0 +[ 112.836169] secondary_startup_64+0xa4/0xb0 +[ 112.836173] ---[ end trace 9f4cd18479cc5ae5 ]--- + +Signed-off-by: Masashi Honma +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 23 +++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index d913b9e9bd8f..4748f557c753 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -973,6 +973,8 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, + struct ath_htc_rx_status *rxstatus; + struct ath_rx_status rx_stats; + bool decrypt_error = false; ++ __be16 rs_datalen; ++ bool is_phyerr; + + if (skb->len < HTC_RX_FRAME_HEADER_SIZE) { + ath_err(common, "Corrupted RX frame, dropping (len: %d)\n", +@@ -982,11 +984,24 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, + + rxstatus = (struct ath_htc_rx_status *)skb->data; + +- if (be16_to_cpu(rxstatus->rs_datalen) - +- (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0) { ++ rs_datalen = be16_to_cpu(rxstatus->rs_datalen); ++ if (unlikely(rs_datalen - ++ (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0)) { + ath_err(common, + "Corrupted RX data len, dropping (dlen: %d, skblen: %d)\n", +- be16_to_cpu(rxstatus->rs_datalen), skb->len); ++ rs_datalen, skb->len); ++ goto rx_next; ++ } ++ ++ is_phyerr = rxstatus->rs_status & ATH9K_RXERR_PHY; ++ /* ++ * Discard zero-length packets and packets smaller than an ACK ++ * which are not PHY_ERROR (short radar pulses have a length of 3) ++ */ ++ if (unlikely(!rs_datalen || (rs_datalen < 10 && !is_phyerr))) { ++ ath_warn(common, ++ "Short RX data len, dropping (dlen: %d)\n", ++ 
rs_datalen); + goto rx_next; + } + +@@ -1011,7 +1026,7 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, + * Process PHY errors and return so that the packet + * can be dropped. + */ +- if (rx_stats.rs_status & ATH9K_RXERR_PHY) { ++ if (unlikely(is_phyerr)) { + /* TODO: Not using DFS processing now. */ + if (ath_cmn_process_fft(&priv->spec_priv, hdr, + &rx_stats, rx_status->mactime)) { +-- +2.20.1 + diff --git a/queue-4.14/ath9k_htc-modify-byte-order-for-an-error-message.patch b/queue-4.14/ath9k_htc-modify-byte-order-for-an-error-message.patch new file mode 100644 index 00000000000..390d7e96341 --- /dev/null +++ b/queue-4.14/ath9k_htc-modify-byte-order-for-an-error-message.patch @@ -0,0 +1,34 @@ +From 64b7fc75076720cd79ecf70bc93484e9d677e837 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Sep 2019 11:51:45 +0900 +Subject: ath9k_htc: Modify byte order for an error message + +From: Masashi Honma + +[ Upstream commit e01fddc19d215f6ad397894ec2a851d99bf154e2 ] + +rs_datalen is be16 so we need to convert it before printing. + +Signed-off-by: Masashi Honma +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index b38a586ea59a..d913b9e9bd8f 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -986,7 +986,7 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, + (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0) { + ath_err(common, + "Corrupted RX data len, dropping (dlen: %d, skblen: %d)\n", +- rxstatus->rs_datalen, skb->len); ++ be16_to_cpu(rxstatus->rs_datalen), skb->len); + goto rx_next; + } + +-- +2.20.1 + 
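Review bot: `rs_datalen` is declared `__be16` in the first ath9k_rx_prepare() hunk of the discard-undersized-packets patch above, but it is only ever assigned `be16_to_cpu(rxstatus->rs_datalen)`, so it holds a CPU-order value and the big-endian annotation is wrong; sparse endianness checking would flag the assignment and the later integer comparisons. Declare it `u16`. In the same patch, the bare `10` in `rs_datalen < 10` is explained only by the comment as "smaller than an ACK"; a named constant would keep the threshold and its meaning together.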
diff --git a/queue-4.14/coresight-etb10-do-not-call-smp_processor_id-from-pr.patch b/queue-4.14/coresight-etb10-do-not-call-smp_processor_id-from-pr.patch new file mode 100644 index 00000000000..edeba19547b --- /dev/null +++ b/queue-4.14/coresight-etb10-do-not-call-smp_processor_id-from-pr.patch 
@@ -0,0 +1,49 @@ +From 4f7479df039493522f0f808e9f56d3d2085fa851 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2019 16:12:36 -0600 +Subject: coresight: etb10: Do not call smp_processor_id from preemptible + +From: Suzuki K Poulose + +[ Upstream commit 730766bae3280a25d40ea76a53dc6342e84e6513 ] + +During a perf session we try to allocate buffers on the "node" associated +with the CPU the event is bound to. If it is not bound to a CPU, we +use the current CPU node, using smp_processor_id(). However this is unsafe +in a pre-emptible context and could generate the splats as below : + + BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544 + +Use NUMA_NO_NODE hint instead of using the current node for events +not bound to CPUs. + +Fixes: 2997aa4063d97fdb39 ("coresight: etb10: implementing AUX API") +Cc: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Cc: stable # 4.6+ +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20190620221237.3536-5-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-etb10.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-etb10.c b/drivers/hwtracing/coresight/coresight-etb10.c +index d14a9cb7959a..7fcf70b2163d 100644 +--- a/drivers/hwtracing/coresight/coresight-etb10.c ++++ b/drivers/hwtracing/coresight/coresight-etb10.c +@@ -287,9 +287,7 @@ static void *etb_alloc_buffer(struct coresight_device *csdev, int cpu, + int node; + struct cs_buffers *buf; + +- if (cpu == -1) +- cpu = smp_processor_id(); +- node = cpu_to_node(cpu); ++ node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu); + + buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node); + if (!buf) +-- +2.20.1 + 
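Review bot: The added line in etb_alloc_buffer() reads `event->cpu`, but the hunk header shows this function taking `int cpu` as its second parameter, the removed lines operate on that `cpu` argument, and nothing visible in the hunk declares `event`. If the 4.14 prototype has no `event` parameter this will not build, and the backport should read `node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu);`. Please check the 4.14 signature before queuing.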
diff --git a/queue-4.14/coresight-tmc-etf-do-not-call-smp_processor_id-from-.patch b/queue-4.14/coresight-tmc-etf-do-not-call-smp_processor_id-from-.patch new file mode 100644 index 00000000000..cfd02aeabcd --- /dev/null +++ b/queue-4.14/coresight-tmc-etf-do-not-call-smp_processor_id-from-.patch 
@@ -0,0 +1,68 @@ +From a389808695944a7ed4615bb4fcf553ed9d618e2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jun 2019 16:12:35 -0600 +Subject: coresight: tmc-etf: Do not call smp_processor_id from preemptible + +From: Suzuki K Poulose + +[ Upstream commit 024c1fd9dbcc1d8a847f1311f999d35783921b7f ] + +During a perf session we try to allocate buffers on the "node" associated +with the CPU the event is bound to. If it is not bound to a CPU, we +use the current CPU node, using smp_processor_id(). However this is unsafe +in a pre-emptible context and could generate the splats as below : + + BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544 + caller is tmc_alloc_etf_buffer+0x5c/0x60 + CPU: 2 PID: 2544 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344 + Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019 + Call trace: + dump_backtrace+0x0/0x150 + show_stack+0x14/0x20 + dump_stack+0x9c/0xc4 + debug_smp_processor_id+0x10c/0x110 + tmc_alloc_etf_buffer+0x5c/0x60 + etm_setup_aux+0x1c4/0x230 + rb_alloc_aux+0x1b8/0x2b8 + perf_mmap+0x35c/0x478 + mmap_region+0x34c/0x4f0 + do_mmap+0x2d8/0x418 + vm_mmap_pgoff+0xd0/0xf8 + ksys_mmap_pgoff+0x88/0xf8 + __arm64_sys_mmap+0x28/0x38 + el0_svc_handler+0xd8/0x138 + el0_svc+0x8/0xc + +Use NUMA_NO_NODE hint instead of using the current node for events +not bound to CPUs. 
+ +Fixes: 2e499bbc1a929ac ("coresight: tmc: implementing TMC-ETF AUX space API") +Cc: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Cc: stable # 4.7+ +Signed-off-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20190620221237.3536-4-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-tmc-etf.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-tmc-etf.c b/drivers/hwtracing/coresight/coresight-tmc-etf.c +index 336194d059fe..329a201c0c19 100644 +--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c +@@ -308,9 +308,7 @@ static void *tmc_alloc_etf_buffer(struct coresight_device *csdev, int cpu, + int node; + struct cs_buffers *buf; + +- if (cpu == -1) +- cpu = smp_processor_id(); +- node = cpu_to_node(cpu); ++ node = (event->cpu == -1) ? NUMA_NO_NODE : cpu_to_node(event->cpu); + + /* Allocate memory structure for interaction with Perf */ + buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node); +-- +2.20.1 + diff --git a/queue-4.14/drm-mst-fix-mst-sideband-up-reply-failure-handling.patch b/queue-4.14/drm-mst-fix-mst-sideband-up-reply-failure-handling.patch new file mode 100644 index 00000000000..f95c5ae9ea6 --- /dev/null +++ b/queue-4.14/drm-mst-fix-mst-sideband-up-reply-failure-handling.patch 
@@ -0,0 +1,83 @@ +From c635f9f9f60864387ef2cf46e392fc14d3820391 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 May 2019 00:24:33 +0300 +Subject: drm/mst: Fix MST sideband up-reply failure handling + +From: Imre Deak + +[ Upstream commit d8fd3722207f154b53c80eee2cf4977c3fc25a92 ] + +Fix the breakage resulting in the stacktrace below, due to tx queue +being full when trying to send an up-reply. txmsg->seqno is -1 in this +case leading to a corruption of the mstb object by + + txmsg->dst->tx_slots[txmsg->seqno] = NULL; + +in process_single_up_tx_qlock(). + +[ +0,005162] [drm:process_single_tx_qlock [drm_kms_helper]] set_hdr_from_dst_qlock: failed to find slot +[ +0,000015] [drm:drm_dp_send_up_ack_reply.constprop.19 [drm_kms_helper]] failed to send msg in q -11 +[ +0,000939] BUG: kernel NULL pointer dereference, address: 00000000000005a0 +[ +0,006982] #PF: supervisor write access in kernel mode +[ +0,005223] #PF: error_code(0x0002) - not-present page +[ +0,005135] PGD 0 P4D 0 +[ +0,002581] Oops: 0002 [#1] PREEMPT SMP NOPTI +[ +0,004359] CPU: 1 PID: 1200 Comm: kworker/u16:3 Tainted: G U 5.2.0-rc1+ #410 +[ +0,008433] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP, BIOS ICLSFWR1.R00.3175.A00.1904261428 04/26/2019 +[ +0,013323] Workqueue: i915-dp i915_digport_work_func [i915] +[ +0,005676] RIP: 0010:queue_work_on+0x19/0x70 +[ +0,004372] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 41 56 49 89 f6 41 55 41 89 fd 41 54 55 53 48 89 d3 9c 5d fa e8 e7 81 0c 00 48 0f ba 2b 00 73 31 45 31 e4 f7 c5 00 02 00 00 74 13 e8 cf 7f +[ +0,018750] RSP: 0018:ffffc900007dfc50 EFLAGS: 00010006 +[ +0,005222] RAX: 0000000000000046 RBX: 00000000000005a0 RCX: 0000000000000001 +[ +0,007133] RDX: 000000000001b608 RSI: 0000000000000000 RDI: ffffffff82121972 +[ +0,007129] RBP: 0000000000000202 R08: 0000000000000000 R09: 0000000000000001 +[ +0,007129] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88847bfa5096 +[ +0,007131] R13: 
0000000000000010 R14: ffff88849c08f3f8 R15: 0000000000000000 +[ +0,007128] FS: 0000000000000000(0000) GS:ffff88849dc80000(0000) knlGS:0000000000000000 +[ +0,008083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ +0,005749] CR2: 00000000000005a0 CR3: 0000000005210006 CR4: 0000000000760ee0 +[ +0,007128] PKRU: 55555554 +[ +0,002722] Call Trace: +[ +0,002458] drm_dp_mst_handle_up_req+0x517/0x540 [drm_kms_helper] +[ +0,006197] ? drm_dp_mst_hpd_irq+0x5b/0x9c0 [drm_kms_helper] +[ +0,005764] drm_dp_mst_hpd_irq+0x5b/0x9c0 [drm_kms_helper] +[ +0,005623] ? intel_dp_hpd_pulse+0x205/0x370 [i915] +[ +0,005018] intel_dp_hpd_pulse+0x205/0x370 [i915] +[ +0,004836] i915_digport_work_func+0xbb/0x140 [i915] +[ +0,005108] process_one_work+0x245/0x610 +[ +0,004027] worker_thread+0x37/0x380 +[ +0,003684] ? process_one_work+0x610/0x610 +[ +0,004184] kthread+0x119/0x130 +[ +0,003240] ? kthread_park+0x80/0x80 +[ +0,003668] ret_from_fork+0x24/0x50 + +Cc: Lyude Paul +Cc: Dave Airlie +Signed-off-by: Imre Deak +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190523212433.9058-1-imre.deak@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index bb9a9852ec22..ef86721c06f3 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -1540,7 +1540,11 @@ static void process_single_up_tx_qlock(struct drm_dp_mst_topology_mgr *mgr, + if (ret != 1) + DRM_DEBUG_KMS("failed to send msg in q %d\n", ret); + +- txmsg->dst->tx_slots[txmsg->seqno] = NULL; ++ if (txmsg->seqno != -1) { ++ WARN_ON((unsigned int)txmsg->seqno > ++ ARRAY_SIZE(txmsg->dst->tx_slots)); ++ txmsg->dst->tx_slots[txmsg->seqno] = NULL; ++ } + } + + static void drm_dp_queue_down_tx(struct drm_dp_mst_topology_mgr *mgr, +-- +2.20.1 + 
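Review bot: The bounds check added in process_single_up_tx_qlock() is off by one and does not stop the write. `(unsigned int)txmsg->seqno > ARRAY_SIZE(txmsg->dst->tx_slots)` lets `seqno == ARRAY_SIZE(...)` through, which is already one past the last slot, so the comparison should be `>=`. WARN_ON() also only reports: when it fires, the `tx_slots[txmsg->seqno] = NULL` store on the next line still runs with the bad index. Fold the range check into the condition, for example `if (txmsg->seqno != -1 && !WARN_ON((unsigned int)txmsg->seqno >= ARRAY_SIZE(txmsg->dst->tx_slots)))`, so an out-of-range seqno is skipped rather than used.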
diff --git a/queue-4.14/net-add-annotations-on-hh-hh_len-lockless-accesses.patch b/queue-4.14/net-add-annotations-on-hh-hh_len-lockless-accesses.patch new file mode 100644 index 00000000000..5327dd86177 --- /dev/null +++ b/queue-4.14/net-add-annotations-on-hh-hh_len-lockless-accesses.patch 
@@ -0,0 +1,149 @@ +From 651b5e3dd4a475139a43dc299309663a40d8d6f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 18:29:11 -0800 +Subject: net: add annotations on hh->hh_len lockless accesses + +From: Eric Dumazet + +[ Upstream commit c305c6ae79e2ce20c22660ceda94f0d86d639a82 ] + +KCSAN reported a data-race [1] + +While we can use READ_ONCE() on the read sides, +we need to make sure hh->hh_len is written last. + +[1] + +BUG: KCSAN: data-race in eth_header_cache / neigh_resolve_output + +write to 0xffff8880b9dedcb8 of 4 bytes by task 29760 on cpu 0: + eth_header_cache+0xa9/0xd0 net/ethernet/eth.c:247 + neigh_hh_init net/core/neighbour.c:1463 [inline] + neigh_resolve_output net/core/neighbour.c:1480 [inline] + neigh_resolve_output+0x415/0x470 net/core/neighbour.c:1470 + neigh_output include/net/neighbour.h:511 [inline] + ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116 + __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] + __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 + ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 + dst_output include/net/dst.h:436 [inline] + NF_HOOK include/linux/netfilter.h:305 [inline] + ndisc_send_skb+0x459/0x5f0 net/ipv6/ndisc.c:505 + ndisc_send_ns+0x207/0x430 net/ipv6/ndisc.c:647 + rt6_probe_deferred+0x98/0xf0 net/ipv6/route.c:615 + process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 + worker_thread+0xa0/0x800 kernel/workqueue.c:2415 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +read to 0xffff8880b9dedcb8 of 4 bytes by task 29572 on cpu 1: + neigh_resolve_output net/core/neighbour.c:1479 [inline] + neigh_resolve_output+0x113/0x470 net/core/neighbour.c:1470 + neigh_output include/net/neighbour.h:511 [inline] + ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116 + __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] + 
__ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 + ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 + dst_output include/net/dst.h:436 [inline] + NF_HOOK include/linux/netfilter.h:305 [inline] + ndisc_send_skb+0x459/0x5f0 net/ipv6/ndisc.c:505 + ndisc_send_ns+0x207/0x430 net/ipv6/ndisc.c:647 + rt6_probe_deferred+0x98/0xf0 net/ipv6/route.c:615 + process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 + worker_thread+0xa0/0x800 kernel/workqueue.c:2415 + kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 29572 Comm: kworker/1:4 Not tainted 5.4.0-rc6+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events rt6_probe_deferred + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/firewire/net.c | 6 +++++- + include/net/neighbour.h | 2 +- + net/core/neighbour.c | 4 ++-- + net/ethernet/eth.c | 7 ++++++- + 4 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c +index 242359c2d1f1..215f4f71b943 100644 +--- a/drivers/firewire/net.c ++++ b/drivers/firewire/net.c +@@ -249,7 +249,11 @@ static int fwnet_header_cache(const struct neighbour *neigh, + h = (struct fwnet_header *)((u8 *)hh->hh_data + HH_DATA_OFF(sizeof(*h))); + h->h_proto = type; + memcpy(h->h_dest, neigh->ha, net->addr_len); +- hh->hh_len = FWNET_HLEN; ++ ++ /* Pairs with the READ_ONCE() in neigh_resolve_output(), ++ * neigh_hh_output() and neigh_update_hhs(). 
++ */ ++ smp_store_release(&hh->hh_len, FWNET_HLEN); + + return 0; + } +diff --git a/include/net/neighbour.h b/include/net/neighbour.h +index 1d6b98119a1d..e89273f9a0bc 100644 +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -458,7 +458,7 @@ static inline int neigh_hh_output(const struct hh_cache *hh, struct sk_buff *skb + + do { + seq = read_seqbegin(&hh->hh_lock); +- hh_len = hh->hh_len; ++ hh_len = READ_ONCE(hh->hh_len); + if (likely(hh_len <= HH_DATA_MOD)) { + hh_alen = HH_DATA_MOD; + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 2664ad58e5c0..16ac50b1b9a7 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1094,7 +1094,7 @@ static void neigh_update_hhs(struct neighbour *neigh) + + if (update) { + hh = &neigh->hh; +- if (hh->hh_len) { ++ if (READ_ONCE(hh->hh_len)) { + write_seqlock_bh(&hh->hh_lock); + update(hh, neigh->dev, neigh->ha); + write_sequnlock_bh(&hh->hh_lock); +@@ -1355,7 +1355,7 @@ int neigh_resolve_output(struct neighbour *neigh, struct sk_buff *skb) + struct net_device *dev = neigh->dev; + unsigned int seq; + +- if (dev->header_ops->cache && !neigh->hh.hh_len) ++ if (dev->header_ops->cache && !READ_ONCE(neigh->hh.hh_len)) + neigh_hh_init(neigh); + + do { +diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c +index eaeba9b99a73..7e0e5f2706ba 100644 +--- a/net/ethernet/eth.c ++++ b/net/ethernet/eth.c +@@ -239,7 +239,12 @@ int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh, __be16 + eth->h_proto = type; + memcpy(eth->h_source, dev->dev_addr, ETH_ALEN); + memcpy(eth->h_dest, neigh->ha, ETH_ALEN); +- hh->hh_len = ETH_HLEN; ++ ++ /* Pairs with READ_ONCE() in neigh_resolve_output(), ++ * neigh_hh_output() and neigh_update_hhs(). ++ */ ++ smp_store_release(&hh->hh_len, ETH_HLEN); ++ + return 0; + } + EXPORT_SYMBOL(eth_header_cache); +-- +2.20.1 + 
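Review bot: The comments added in fwnet_header_cache() and eth_header_cache() say the `smp_store_release(&hh->hh_len, ...)` pairs with READ_ONCE(), but READ_ONCE() alone is not an acquire, so the comment does not say what orders a reader's later accesses to the header data after it sees a non-zero length. In the neigh_hh_output() hunk the read sits inside the `read_seqbegin(&hh->hh_lock)` loop, and in neigh_update_hhs() the update runs under `write_seqlock_bh(&hh->hh_lock)`; if that seqlock is what the read side relies on, name it in the comment, otherwise use smp_load_acquire() where the cached header is consumed. The two comments also differ in wording ("Pairs with the READ_ONCE()" versus "Pairs with READ_ONCE()") and are worth making identical.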
diff --git a/queue-4.14/perf-x86-intel-bts-fix-the-use-of-page_private.patch b/queue-4.14/perf-x86-intel-bts-fix-the-use-of-page_private.patch new file mode 100644 index 00000000000..ef19b36088d --- /dev/null +++ b/queue-4.14/perf-x86-intel-bts-fix-the-use-of-page_private.patch 
@@ -0,0 +1,95 @@ +From 77a01f7b59e6a95e155456622d0157123f4e323f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 17:28:52 +0300 +Subject: perf/x86/intel/bts: Fix the use of page_private() + +From: Alexander Shishkin + +[ Upstream commit ff61541cc6c1962957758ba433c574b76f588d23 ] + +Commit + + 8062382c8dbe2 ("perf/x86/intel/bts: Add BTS PMU driver") + +brought in a warning with the BTS buffer initialization +that is easily tripped with (assuming KPTI is disabled): + +instantly throwing: + +> ------------[ cut here ]------------ +> WARNING: CPU: 2 PID: 326 at arch/x86/events/intel/bts.c:86 bts_buffer_setup_aux+0x117/0x3d0 +> Modules linked in: +> CPU: 2 PID: 326 Comm: perf Not tainted 5.4.0-rc8-00291-gceb9e77324fa #904 +> RIP: 0010:bts_buffer_setup_aux+0x117/0x3d0 +> Call Trace: +> rb_alloc_aux+0x339/0x550 +> perf_mmap+0x607/0xc70 +> mmap_region+0x76b/0xbd0 +... + +It appears to assume (for lost raisins) that PagePrivate() is set, +while later it actually tests for PagePrivate() before using +page_private(). + +Make it consistent and always check PagePrivate() before using +page_private(). 
+ +Fixes: 8062382c8dbe2 ("perf/x86/intel/bts: Add BTS PMU driver") +Signed-off-by: Alexander Shishkin +Signed-off-by: Peter Zijlstra (Intel) +Cc: Jiri Olsa +Cc: Vince Weaver +Cc: Ingo Molnar +Cc: Arnaldo Carvalho de Melo +Link: https://lkml.kernel.org/r/20191205142853.28894-2-alexander.shishkin@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/bts.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/arch/x86/events/intel/bts.c b/arch/x86/events/intel/bts.c +index 24ffa1e88cf9..4d3399405d06 100644 +--- a/arch/x86/events/intel/bts.c ++++ b/arch/x86/events/intel/bts.c +@@ -71,9 +71,17 @@ struct bts_buffer { + + static struct pmu bts_pmu; + ++static int buf_nr_pages(struct page *page) ++{ ++ if (!PagePrivate(page)) ++ return 1; ++ ++ return 1 << page_private(page); ++} ++ + static size_t buf_size(struct page *page) + { +- return 1 << (PAGE_SHIFT + page_private(page)); ++ return buf_nr_pages(page) * PAGE_SIZE; + } + + static void * +@@ -89,9 +97,7 @@ bts_buffer_setup_aux(int cpu, void **pages, int nr_pages, bool overwrite) + /* count all the high order buffers */ + for (pg = 0, nbuf = 0; pg < nr_pages;) { + page = virt_to_page(pages[pg]); +- if (WARN_ON_ONCE(!PagePrivate(page) && nr_pages > 1)) +- return NULL; +- pg += 1 << page_private(page); ++ pg += buf_nr_pages(page); + nbuf++; + } + +@@ -115,7 +121,7 @@ bts_buffer_setup_aux(int cpu, void **pages, int nr_pages, bool overwrite) + unsigned int __nr_pages; + + page = virt_to_page(pages[pg]); +- __nr_pages = PagePrivate(page) ? 1 << page_private(page) : 1; ++ __nr_pages = buf_nr_pages(page); + buf->buf[nbuf].page = page; + buf->buf[nbuf].offset = offset; + buf->buf[nbuf].displacement = (pad ? BTS_RECORD_SIZE - pad : 0); +-- +2.20.1 + diff --git a/queue-4.14/powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch b/queue-4.14/powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch new file mode 100644 index 00000000000..dd7ca22ab6e --- /dev/null 
+++ b/queue-4.14/powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch 
@@ -0,0 +1,116 @@ +From 76db170bae9c9893b8679ad454f0244a4739884d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jun 2019 16:56:57 +1000 +Subject: powerpc/pseries/hvconsole: Fix stack overread via udbg + +From: Daniel Axtens + +[ Upstream commit 934bda59f286d0221f1a3ebab7f5156a996cc37d ] + +While developing KASAN for 64-bit book3s, I hit the following stack +over-read. + +It occurs because the hypercall to put characters onto the terminal +takes 2 longs (128 bits/16 bytes) of characters at a time, and so +hvc_put_chars() would unconditionally copy 16 bytes from the argument +buffer, regardless of supplied length. However, udbg_hvc_putc() can +call hvc_put_chars() with a single-byte buffer, leading to the error. + + ================================================================== + BUG: KASAN: stack-out-of-bounds in hvc_put_chars+0xdc/0x110 + Read of size 8 at addr c0000000023e7a90 by task swapper/0 + + CPU: 0 PID: 0 Comm: swapper Not tainted 5.2.0-rc2-next-20190528-02824-g048a6ab4835b #113 + Call Trace: + dump_stack+0x104/0x154 (unreliable) + print_address_description+0xa0/0x30c + __kasan_report+0x20c/0x224 + kasan_report+0x18/0x30 + __asan_report_load8_noabort+0x24/0x40 + hvc_put_chars+0xdc/0x110 + hvterm_raw_put_chars+0x9c/0x110 + udbg_hvc_putc+0x154/0x200 + udbg_write+0xf0/0x240 + console_unlock+0x868/0xd30 + register_console+0x970/0xe90 + register_early_udbg_console+0xf8/0x114 + setup_arch+0x108/0x790 + start_kernel+0x104/0x784 + start_here_common+0x1c/0x534 + + Memory state around the buggy address: + c0000000023e7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + c0000000023e7a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 + >c0000000023e7a80: f1 f1 01 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 + ^ + c0000000023e7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + c0000000023e7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ================================================================== + +Document that a 16-byte buffer is 
requred, and provide it in udbg. + +Signed-off-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/hvconsole.c | 2 +- + drivers/tty/hvc/hvc_vio.c | 16 +++++++++++++++- + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hvconsole.c b/arch/powerpc/platforms/pseries/hvconsole.c +index 74da18de853a..73ec15cd2708 100644 +--- a/arch/powerpc/platforms/pseries/hvconsole.c ++++ b/arch/powerpc/platforms/pseries/hvconsole.c +@@ -62,7 +62,7 @@ EXPORT_SYMBOL(hvc_get_chars); + * @vtermno: The vtermno or unit_address of the adapter from which the data + * originated. + * @buf: The character buffer that contains the character data to send to +- * firmware. ++ * firmware. Must be at least 16 bytes, even if count is less than 16. + * @count: Send this number of characters. + */ + int hvc_put_chars(uint32_t vtermno, const char *buf, int count) +diff --git a/drivers/tty/hvc/hvc_vio.c b/drivers/tty/hvc/hvc_vio.c +index a1d272ac82bb..c33150fcd964 100644 +--- a/drivers/tty/hvc/hvc_vio.c ++++ b/drivers/tty/hvc/hvc_vio.c +@@ -120,6 +120,14 @@ static int hvterm_raw_get_chars(uint32_t vtermno, char *buf, int count) + return got; + } + ++/** ++ * hvterm_raw_put_chars: send characters to firmware for given vterm adapter ++ * @vtermno: The virtual terminal number. ++ * @buf: The characters to send. Because of the underlying hypercall in ++ * hvc_put_chars(), this buffer must be at least 16 bytes long, even if ++ * you are sending fewer chars. ++ * @count: number of chars to send. 
++ */ + static int hvterm_raw_put_chars(uint32_t vtermno, const char *buf, int count) + { + struct hvterm_priv *pv = hvterm_privs[vtermno]; +@@ -232,6 +240,7 @@ static const struct hv_ops hvterm_hvsi_ops = { + static void udbg_hvc_putc(char c) + { + int count = -1; ++ unsigned char bounce_buffer[16]; + + if (!hvterm_privs[0]) + return; +@@ -242,7 +251,12 @@ static void udbg_hvc_putc(char c) + do { + switch(hvterm_privs[0]->proto) { + case HV_PROTOCOL_RAW: +- count = hvterm_raw_put_chars(0, &c, 1); ++ /* ++ * hvterm_raw_put_chars requires at least a 16-byte ++ * buffer, so go via the bounce buffer ++ */ ++ bounce_buffer[0] = c; ++ count = hvterm_raw_put_chars(0, bounce_buffer, 1); + break; + case HV_PROTOCOL_HVSI: + count = hvterm_hvsi_put_chars(0, &c, 1); +-- +2.20.1 + diff --git a/queue-4.14/rxrpc-fix-possible-null-pointer-access-in-icmp-handl.patch b/queue-4.14/rxrpc-fix-possible-null-pointer-access-in-icmp-handl.patch new file mode 100644 index 00000000000..b280f886506 --- /dev/null +++ b/queue-4.14/rxrpc-fix-possible-null-pointer-access-in-icmp-handl.patch 
@@ -0,0 +1,68 @@ +From 1bcff3580326ea38a91d431e3535a53e11b53b06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Oct 2019 15:52:34 +0100 +Subject: rxrpc: Fix possible NULL pointer access in ICMP handling + +From: David Howells + +[ Upstream commit f0308fb0708078d6c1d8a4d533941a7a191af634 ] + +If an ICMP packet comes in on the UDP socket backing an AF_RXRPC socket as +the UDP socket is being shut down, rxrpc_error_report() may get called to +deal with it after sk_user_data on the UDP socket has been cleared, leading +to a NULL pointer access when this local endpoint record gets accessed. + +Fix this by just returning immediately if sk_user_data was NULL. + +The oops looks like the following: + +#PF: supervisor read access in kernel mode +#PF: error_code(0x0000) - not-present page +... +RIP: 0010:rxrpc_error_report+0x1bd/0x6a9 +... +Call Trace: + ? sock_queue_err_skb+0xbd/0xde + ? __udp4_lib_err+0x313/0x34d + __udp4_lib_err+0x313/0x34d + icmp_unreach+0x1ee/0x207 + icmp_rcv+0x25b/0x28f + ip_protocol_deliver_rcu+0x95/0x10e + ip_local_deliver+0xe9/0x148 + __netif_receive_skb_one_core+0x52/0x6e + process_backlog+0xdc/0x177 + net_rx_action+0xf9/0x270 + __do_softirq+0x1b6/0x39a + ? smpboot_register_percpu_thread+0xce/0xce + run_ksoftirqd+0x1d/0x42 + smpboot_thread_fn+0x19e/0x1b3 + kthread+0xf1/0xf6 + ? kthread_delayed_work_timer_fn+0x83/0x83 + ret_from_fork+0x24/0x30 + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Reported-by: syzbot+611164843bd48cc2190c@syzkaller.appspotmail.com +Signed-off-by: David Howells +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/peer_event.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c +index 7f749505e699..7d73e8ce6660 100644 +--- a/net/rxrpc/peer_event.c ++++ b/net/rxrpc/peer_event.c +@@ -150,6 +150,9 @@ void rxrpc_error_report(struct sock *sk) + struct rxrpc_peer *peer; + struct sk_buff *skb; + ++ if (unlikely(!local)) ++ return; ++ + _enter("%p{%d}", sk, local->debug_id); + + skb = sock_dequeue_err_skb(sk); +-- +2.20.1 + diff --git a/queue-4.14/s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch b/queue-4.14/s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch new file mode 100644 index 00000000000..64eabd6e164 --- /dev/null +++ b/queue-4.14/s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch 
@@ -0,0 +1,155 @@ +From 2467bcd817759b1b43a30eaa485c4cd43c6a86e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Nov 2019 14:55:38 +0100 +Subject: s390/smp: fix physical to logical CPU map for SMT + +From: Heiko Carstens + +[ Upstream commit 72a81ad9d6d62dcb79f7e8ad66ffd1c768b72026 ] + +If an SMT capable system is not IPL'ed from the first CPU the setup of +the physical to logical CPU mapping is broken: the IPL core gets CPU +number 0, but then the next core gets CPU number 1. Correct would be +that all SMT threads of CPU 0 get the subsequent logical CPU numbers. + +This is important since a lot of code (like e.g. the CPU topology +code) assumes that CPU maps are setup like this. If the mapping is +broken the system will not IPL due to broken topology masks: + +[ 1.716341] BUG: arch topology broken +[ 1.716342] the SMT domain not a subset of the MC domain +[ 1.716343] BUG: arch topology broken +[ 1.716344] the MC domain not a subset of the BOOK domain + +This scenario can usually not happen since LPARs are always IPL'ed +from CPU 0 and also re-IPL is intiated from CPU 0. However older +kernels did initiate re-IPL on an arbitrary CPU. If therefore a re-IPL +from an old kernel into a new kernel is initiated this may lead to +crash. + +Fix this by setting up the physical to logical CPU mapping correctly. 
+ +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/smp.c | 80 ++++++++++++++++++++++++++++-------------- + 1 file changed, 54 insertions(+), 26 deletions(-) + +diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c +index 27258db640d7..b649a6538350 100644 +--- a/arch/s390/kernel/smp.c ++++ b/arch/s390/kernel/smp.c +@@ -725,39 +725,67 @@ static void __ref smp_get_core_info(struct sclp_core_info *info, int early) + + static int smp_add_present_cpu(int cpu); + +-static int __smp_rescan_cpus(struct sclp_core_info *info, int sysfs_add) ++static int smp_add_core(struct sclp_core_entry *core, cpumask_t *avail, ++ bool configured, bool early) + { + struct pcpu *pcpu; +- cpumask_t avail; +- int cpu, nr, i, j; ++ int cpu, nr, i; + u16 address; + + nr = 0; +- cpumask_xor(&avail, cpu_possible_mask, cpu_present_mask); +- cpu = cpumask_first(&avail); +- for (i = 0; (i < info->combined) && (cpu < nr_cpu_ids); i++) { +- if (sclp.has_core_type && info->core[i].type != boot_core_type) ++ if (sclp.has_core_type && core->type != boot_core_type) ++ return nr; ++ cpu = cpumask_first(avail); ++ address = core->core_id << smp_cpu_mt_shift; ++ for (i = 0; (i <= smp_cpu_mtid) && (cpu < nr_cpu_ids); i++) { ++ if (pcpu_find_address(cpu_present_mask, address + i)) + continue; +- address = info->core[i].core_id << smp_cpu_mt_shift; +- for (j = 0; j <= smp_cpu_mtid; j++) { +- if (pcpu_find_address(cpu_present_mask, address + j)) +- continue; +- pcpu = pcpu_devices + cpu; +- pcpu->address = address + j; +- pcpu->state = +- (cpu >= info->configured*(smp_cpu_mtid + 1)) ? 
+- CPU_STATE_STANDBY : CPU_STATE_CONFIGURED; +- smp_cpu_set_polarization(cpu, POLARIZATION_UNKNOWN); +- set_cpu_present(cpu, true); +- if (sysfs_add && smp_add_present_cpu(cpu) != 0) +- set_cpu_present(cpu, false); +- else +- nr++; +- cpu = cpumask_next(cpu, &avail); +- if (cpu >= nr_cpu_ids) ++ pcpu = pcpu_devices + cpu; ++ pcpu->address = address + i; ++ if (configured) ++ pcpu->state = CPU_STATE_CONFIGURED; ++ else ++ pcpu->state = CPU_STATE_STANDBY; ++ smp_cpu_set_polarization(cpu, POLARIZATION_UNKNOWN); ++ set_cpu_present(cpu, true); ++ if (!early && smp_add_present_cpu(cpu) != 0) ++ set_cpu_present(cpu, false); ++ else ++ nr++; ++ cpumask_clear_cpu(cpu, avail); ++ cpu = cpumask_next(cpu, avail); ++ } ++ return nr; ++} ++ ++static int __smp_rescan_cpus(struct sclp_core_info *info, bool early) ++{ ++ struct sclp_core_entry *core; ++ cpumask_t avail; ++ bool configured; ++ u16 core_id; ++ int nr, i; ++ ++ nr = 0; ++ cpumask_xor(&avail, cpu_possible_mask, cpu_present_mask); ++ /* ++ * Add IPL core first (which got logical CPU number 0) to make sure ++ * that all SMT threads get subsequent logical CPU numbers. 
++ */ ++ if (early) { ++ core_id = pcpu_devices[0].address >> smp_cpu_mt_shift; ++ for (i = 0; i < info->configured; i++) { ++ core = &info->core[i]; ++ if (core->core_id == core_id) { ++ nr += smp_add_core(core, &avail, true, early); + break; ++ } + } + } ++ for (i = 0; i < info->combined; i++) { ++ configured = i < info->configured; ++ nr += smp_add_core(&info->core[i], &avail, configured, early); ++ } + return nr; + } + +@@ -803,7 +831,7 @@ void __init smp_detect_cpus(void) + + /* Add CPUs present at boot */ + get_online_cpus(); +- __smp_rescan_cpus(info, 0); ++ __smp_rescan_cpus(info, true); + put_online_cpus(); + memblock_free_early((unsigned long)info, sizeof(*info)); + } +@@ -1156,7 +1184,7 @@ int __ref smp_rescan_cpus(void) + smp_get_core_info(info, 0); + get_online_cpus(); + mutex_lock(&smp_cpu_state_mutex); +- nr = __smp_rescan_cpus(info, 1); ++ nr = __smp_rescan_cpus(info, false); + mutex_unlock(&smp_cpu_state_mutex); + put_online_cpus(); + kfree(info); +-- +2.20.1 + diff --git a/queue-4.14/scsi-qedf-do-not-retry-els-request-if-qedf_alloc_cmd.patch b/queue-4.14/scsi-qedf-do-not-retry-els-request-if-qedf_alloc_cmd.patch new file mode 100644 index 00000000000..c63477d1d7b --- /dev/null +++ b/queue-4.14/scsi-qedf-do-not-retry-els-request-if-qedf_alloc_cmd.patch 
@@ -0,0 +1,93 @@ +From e1abeac8d30522835a67464d002cb2b83ee4abc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Mar 2019 00:38:33 -0700 +Subject: scsi: qedf: Do not retry ELS request if qedf_alloc_cmd fails + +From: Chad Dupuis + +[ Upstream commit f1c43590365bac054d753d808dbbd207d09e088d ] + +If we cannot allocate an ELS middlepath request, simply fail instead of +trying to delay and then reallocate. This delay logic is causing soft +lockup messages: + +NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [kworker/2:1:7639] +Modules linked in: xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun devlink ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter dm_service_time vfat fat rpcrdma sunrpc ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm sb_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm +irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt iTCO_vendor_support qedr(OE) ib_core joydev ipmi_ssif pcspkr hpilo hpwdt sg ipmi_si ipmi_devintf ipmi_msghandler ioatdma shpchp lpc_ich wmi dca acpi_power_meter dm_multipath ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic qedf(OE) libfcoe mgag200 libfc i2c_algo_bit drm_kms_helper scsi_transport_fc qede(OE) syscopyarea sysfillrect sysimgblt fb_sys_fops ttm qed(OE) drm crct10dif_pclmul e1000e crct10dif_common crc32c_intel scsi_tgt hpsa i2c_core ptp scsi_transport_sas pps_core dm_mirror dm_region_hash dm_log dm_mod +CPU: 2 PID: 7639 
Comm: kworker/2:1 Kdump: loaded Tainted: G OEL ------------ 3.10.0-861.el7.x86_64 #1 +Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 07/21/2016 +Workqueue: qedf_2_dpc qedf_handle_rrq [qedf] +task: ffff959edd628fd0 ti: ffff959ed6f08000 task.ti: ffff959ed6f08000 +RIP: 0010:[] [] delay_tsc+0x3a/0x60 +RSP: 0018:ffff959ed6f0bd30 EFLAGS: 00000246 +RAX: 000000008ef5f791 RBX: 5f646d635f666465 RCX: 0000025b8ededa2f +RDX: 000000000000025b RSI: 0000000000000002 RDI: 0000000000217d1e +RBP: ffff959ed6f0bd30 R08: ffffffffc079aae8 R09: 0000000000000200 +R10: ffffffffc07952c6 R11: 0000000000000000 R12: 6c6c615f66646571 +R13: ffff959ed6f0bcc8 R14: ffff959ed6f0bd08 R15: ffff959e00000028 +FS: 0000000000000000(0000) GS:ffff959eff480000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f4117fa1eb0 CR3: 0000002039e66000 CR4: 00000000003607e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: +[] __const_udelay+0x2d/0x30 +[] qedf_initiate_els+0x13a/0x450 [qedf] +[] ? qedf_srr_compl+0x2a0/0x2a0 [qedf] +[] qedf_send_rrq+0x127/0x230 [qedf] +[] qedf_handle_rrq+0x15/0x20 [qedf] +[] process_one_work+0x17f/0x440 +[] worker_thread+0x126/0x3c0 +[] ? manage_workers.isra.24+0x2a0/0x2a0 +[] kthread+0xd1/0xe0 +[] ? insert_kthread_work+0x40/0x40 +[] ret_from_fork_nospec_begin+0x21/0x21 +[] ? insert_kthread_work+0x40/0x40 + +Signed-off-by: Chad Dupuis +Signed-off-by: Saurav Kashyap +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedf/qedf_els.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/scsi/qedf/qedf_els.c b/drivers/scsi/qedf/qedf_els.c +index 59c18ca4cda9..e5927a09f7bc 100644 +--- a/drivers/scsi/qedf/qedf_els.c ++++ b/drivers/scsi/qedf/qedf_els.c +@@ -23,8 +23,6 @@ static int qedf_initiate_els(struct qedf_rport *fcport, unsigned int op, + int rc = 0; + uint32_t did, sid; + uint16_t xid; +- uint32_t start_time = jiffies / HZ; +- uint32_t current_time; + struct fcoe_wqe *sqe; + unsigned long flags; + u16 sqe_idx; +@@ -50,18 +48,12 @@ static int qedf_initiate_els(struct qedf_rport *fcport, unsigned int op, + goto els_err; + } + +-retry_els: + els_req = qedf_alloc_cmd(fcport, QEDF_ELS); + if (!els_req) { +- current_time = jiffies / HZ; +- if ((current_time - start_time) > 10) { +- QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_ELS, +- "els: Failed els 0x%x\n", op); +- rc = -ENOMEM; +- goto els_err; +- } +- mdelay(20 * USEC_PER_MSEC); +- goto retry_els; ++ QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_ELS, ++ "Failed to alloc ELS request 0x%x\n", op); ++ rc = -ENOMEM; ++ goto els_err; + } + + QEDF_INFO(&(qedf->dbg_ctx), QEDF_LOG_ELS, "initiate_els els_req = " +-- +2.20.1 + diff --git a/queue-4.14/selftests-rtnetlink-add-addresses-with-fixed-life-ti.patch b/queue-4.14/selftests-rtnetlink-add-addresses-with-fixed-life-ti.patch new file mode 100644 index 00000000000..e6fc7c578cb --- /dev/null +++ b/queue-4.14/selftests-rtnetlink-add-addresses-with-fixed-life-ti.patch 
@@ -0,0 +1,65 @@ +From 72322c58473e4f32b12485a299af1ee1774e85c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2019 16:02:28 +0200 +Subject: selftests: rtnetlink: add addresses with fixed life time + +From: Florian Westphal + +[ Upstream commit 3cfa148826e3c666da1cc2a43fbe8689e2650636 ] + +This exercises kernel code path that deal with addresses that have +a limited lifetime. + +Without previous fix, this triggers following crash on net-next: + BUG: KASAN: null-ptr-deref in check_lifetime+0x403/0x670 + Read of size 8 at addr 0000000000000010 by task kworker [..] + +Signed-off-by: Florian Westphal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/rtnetlink.sh | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh +index 891130daac7c..8a5066d98e72 100755 +--- a/tools/testing/selftests/net/rtnetlink.sh ++++ b/tools/testing/selftests/net/rtnetlink.sh +@@ -195,6 +195,26 @@ kci_test_route_get() + echo "PASS: route get" + } + ++kci_test_addrlft() ++{ ++ for i in $(seq 10 100) ;do ++ lft=$(((RANDOM%3) + 1)) ++ ip addr add 10.23.11.$i/32 dev "$devdummy" preferred_lft $lft valid_lft $((lft+1)) ++ check_err $? ++ done ++ ++ sleep 5 ++ ++ ip addr show dev "$devdummy" | grep "10.23.11." ++ if [ $? -eq 0 ]; then ++ echo "FAIL: preferred_lft addresses remaining" ++ check_err 1 ++ return ++ fi ++ ++ echo "PASS: preferred_lft addresses have expired" ++} ++ + kci_test_addrlabel() + { + ret=0 +@@ -245,6 +265,7 @@ kci_test_rtnl() + + kci_test_polrouting + kci_test_route_get ++ kci_test_addrlft + kci_test_tc + kci_test_gre + kci_test_bridge +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 36054260554..f6a79179fd6 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -57,3 +57,17 @@ media-usb-fix-memory-leak-in-af9005_identify_state.patch dt-bindings-clock-renesas-rcar-usb2-clock-sel-fix-typo-in-example.patch tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch +scsi-qedf-do-not-retry-els-request-if-qedf_alloc_cmd.patch +drm-mst-fix-mst-sideband-up-reply-failure-handling.patch +powerpc-pseries-hvconsole-fix-stack-overread-via-udb.patch +selftests-rtnetlink-add-addresses-with-fixed-life-ti.patch +coresight-tmc-etf-do-not-call-smp_processor_id-from-.patch +coresight-etb10-do-not-call-smp_processor_id-from-pr.patch +rxrpc-fix-possible-null-pointer-access-in-icmp-handl.patch +ath9k_htc-modify-byte-order-for-an-error-message.patch +ath9k_htc-discard-undersized-packets.patch +arm64-dts-meson-odroid-c2-disable-usb_otg-bus-to-avo.patch +net-add-annotations-on-hh-hh_len-lockless-accesses.patch +s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch +xen-blkback-avoid-unmapping-unmapped-grant-pages.patch +perf-x86-intel-bts-fix-the-use-of-page_private.patch diff --git a/queue-4.14/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch b/queue-4.14/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch new file mode 100644 index 00000000000..7ec9563fbfc --- /dev/null +++ b/queue-4.14/xen-blkback-avoid-unmapping-unmapped-grant-pages.patch 
@@ -0,0 +1,72 @@ +From 427a56405b4be6bbcac4132c0fe7d7c32d4d8056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2019 16:36:05 +0100 +Subject: xen/blkback: Avoid unmapping unmapped grant pages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: SeongJae Park + +[ Upstream commit f9bd84a8a845d82f9b5a081a7ae68c98a11d2e84 ] + +For each I/O request, blkback first maps the foreign pages for the +request to its local pages. If an allocation of a local page for the +mapping fails, it should unmap every mapping already made for the +request. + +However, blkback's handling mechanism for the allocation failure does +not mark the remaining foreign pages as unmapped. Therefore, the unmap +function merely tries to unmap every valid grant page for the request, +including the pages not mapped due to the allocation failure. On a +system that fails the allocation frequently, this problem leads to +following kernel crash. + + [ 372.012538] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001 + [ 372.012546] IP: [] gnttab_unmap_refs.part.7+0x1c/0x40 + [ 372.012557] PGD 16f3e9067 PUD 16426e067 PMD 0 + [ 372.012562] Oops: 0002 [#1] SMP + [ 372.012566] Modules linked in: act_police sch_ingress cls_u32 + ... + [ 372.012746] Call Trace: + [ 372.012752] [] gnttab_unmap_refs+0x34/0x40 + [ 372.012759] [] xen_blkbk_unmap+0x83/0x150 [xen_blkback] + ... + [ 372.012802] [] dispatch_rw_block_io+0x970/0x980 [xen_blkback] + ... + Decompressing Linux... Parsing ELF... done. + Booting the kernel. + [ 0.000000] Initializing cgroup subsys cpuset + +This commit fixes this problem by marking the grant pages of the given +request that didn't mapped due to the allocation failure as invalid. 
+ +Fixes: c6cc142dac52 ("xen-blkback: use balloon pages for all mappings") + +Reviewed-by: David Woodhouse +Reviewed-by: Maximilian Heyne +Reviewed-by: Paul Durrant +Reviewed-by: Roger Pau Monné +Signed-off-by: SeongJae Park +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/xen-blkback/blkback.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c +index 987d665e82de..c1d1b94f71b5 100644 +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -929,6 +929,8 @@ next: + out_of_memory: + pr_alert("%s: out of memory\n", __func__); + put_free_pages(ring, pages_to_gnt, segs_to_map); ++ for (i = last_map; i < num; i++) ++ pages[i]->handle = BLKBACK_INVALID_HANDLE; + return -ENOMEM; + } + +-- +2.20.1 +
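Review bot: In arch/x86/events/intel/bts.c, the counting loop of bts_buffer_setup_aux() loses its `WARN_ON_ONCE(!PagePrivate(page) && nr_pages > 1)` bail-out, so a page without PagePrivate in a multi-page buffer is now silently counted as one page. buf_nr_pages() should carry a short comment stating that a missing PagePrivate means an order-0 page, since all three callers now rely on that assumption. The helper also returns `int` while its result feeds `unsigned int __nr_pages` and the `size_t` multiplication in buf_size(); an unsigned return type would match its users. Separately, the commit message reads "easily tripped with (assuming KPTI is disabled):" and goes straight to "instantly throwing:", so the reproducer command appears to be missing.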
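Review bot: In drivers/tty/hvc/hvc_vio.c, udbg_hvc_putc() declares `unsigned char bounce_buffer[16];` without initialising it and only writes `bounce_buffer[0]`, while the commit message states that hvc_put_chars() copies 16 bytes from the buffer regardless of count, so the other 15 bytes passed down are uninitialised stack contents. Zero-initialise the array at its declaration. The array is also `unsigned char` but is passed to a `const char *buf` parameter; declaring it `char` avoids the pointer-signedness mismatch. The HV_PROTOCOL_HVSI case still passes `&c` with a count of 1, so it is worth stating in the commit message why hvterm_hvsi_put_chars() does not reach the same 16-byte copy. The hvconsole.c hunk only documents the 16-byte requirement; nothing enforces it for other callers.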
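Review bot: In net/rxrpc/peer_event.c, the new `if (unlikely(!local)) return;` in rxrpc_error_report() covers sk_user_data having already been cleared, but nothing in the hunk shows what keeps `local` valid if the clearing happens after this check and before `local->debug_id` and the later uses. Please confirm how the load of `local` is ordered against socket shutdown, or say in the commit message why that window cannot occur. A one-line comment above the check naming the shutdown race would also help, since the reason for the test is not obvious from the function alone.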
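Review bot: In arch/s390/kernel/smp.c, __smp_rescan_cpus() adds the IPL core in the `if (early)` block and then visits it again in the following `for (i = 0; i < info->combined; i++)` loop; correctness relies on the `pcpu_find_address(cpu_present_mask, address + i)` test in smp_add_core() skipping every thread that is already present. That dependency deserves a comment at the second loop, because a later change to the skip test would assign the IPL core's threads twice. The search for the IPL core also only covers `i < info->configured` and falls through silently when no entry matches `core_id`; a warning there would make a broken mapping visible at the point it is created rather than later in the topology code.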
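Review bot: In drivers/scsi/qedf/qedf_els.c, the allocation failure in qedf_initiate_els() now returns -ENOMEM on the first failed qedf_alloc_cmd(), but it is still reported through QEDF_INFO under the QEDF_LOG_ELS category, the same call used for routine ELS tracing. Since the request is now dropped immediately instead of being retried for up to 10 seconds, an error-level message would be more appropriate, and the commit message should say how the callers seen in the trace (qedf_send_rrq() via qedf_handle_rrq()) react to the early failure. Minor style point: the new call uses `&qedf->dbg_ctx` while the unchanged line right after the hunk keeps `&(qedf->dbg_ctx)`.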
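Review bot: In tools/testing/selftests/net/rtnetlink.sh, kci_test_addrlft() sets `valid_lft $((lft+1))` with lft up to 3 and then does a fixed `sleep 5`, which leaves a one-second margin for the last addresses added before the test declares failure; polling `ip addr show` with a timeout would be less prone to spurious failures on a loaded machine. The pattern in `grep "10.23.11."` has unescaped dots and prints matches into the test output; `grep -q -F` would match literally and stay quiet. The failure path returns without removing any addresses that are still present on "$devdummy", and the messages speak of preferred_lft although what the test actually checks is that the addresses have been removed.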
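Review bot: In drivers/block/xen-blkback/blkback.c, the loop added under the out_of_memory label, `for (i = last_map; i < num; i++)`, is only correct if `last_map` is the index of the first page that was never mapped at every point that jumps to this label, and the hunk does not show where `last_map` is updated. Please add a comment stating that invariant, and that the entries are marked with BLKBACK_INVALID_HANDLE so the later unmap skips them, because the loop runs after `put_free_pages(ring, pages_to_gnt, segs_to_map)` and its purpose is not evident from the error path alone.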