From: Sasha Levin Date: Thu, 24 Sep 2020 23:38:16 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.19.148~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8accf647456323e127c9dca1c443e31aa4bab4b9;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/ibmvnic-add-missing-parenthesis-in-do_reset.patch b/queue-5.4/ibmvnic-add-missing-parenthesis-in-do_reset.patch new file mode 100644 index 00000000000..2e95968b823 --- /dev/null +++ b/queue-5.4/ibmvnic-add-missing-parenthesis-in-do_reset.patch @@ -0,0 +1,47 @@ +From 840f6a27c7a9f0ccef5b4f8f9a310f52ab29e963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 21:07:49 -0700 +Subject: ibmvnic: add missing parenthesis in do_reset() + +From: Jakub Kicinski + +[ Upstream commit 8ae4dff882eb879c17bf46574201bd37fc6bc8b5 ] + +Indentation and logic clearly show that this code is missing +parenthesis. + +Fixes: 9f1345737790 ("ibmvnic fix NULL tx_pools and rx_tools issue at do_reset") +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index de45b3709c14e..5329af2337a91 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1939,16 +1939,18 @@ static int do_reset(struct ibmvnic_adapter *adapter, + + } else { + rc = reset_tx_pools(adapter); +- if (rc) ++ if (rc) { + netdev_dbg(adapter->netdev, "reset tx pools failed (%d)\n", + rc); + goto out; ++ } + + rc = reset_rx_pools(adapter); +- if (rc) ++ if (rc) { + netdev_dbg(adapter->netdev, "reset rx pools failed (%d)\n", + rc); + goto out; ++ } + } + ibmvnic_disable_irqs(adapter); + } +-- +2.25.1 + diff --git a/queue-5.4/ibmvnic-fix-null-tx_pools-and-rx_tools-issue-at-do_r.patch b/queue-5.4/ibmvnic-fix-null-tx_pools-and-rx_tools-issue-at-do_r.patch new file mode 100644 index 00000000000..f7680f0659c --- /dev/null +++ b/queue-5.4/ibmvnic-fix-null-tx_pools-and-rx_tools-issue-at-do_r.patch @@ -0,0 +1,83 @@ +From dd0875946a01df00cb2c5d31f317ab68b6df26b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 13:26:41 -0400 +Subject: ibmvnic fix NULL tx_pools and rx_tools issue at do_reset + +From: Mingming Cao + +[ Upstream commit 9f13457377907fa253aef560e1a37e1ca4197f9b ] + +At the time of do_rest, ibmvnic tries to re-initalize the tx_pools +and rx_pools to avoid re-allocating the long term buffer. However +there is a window inside do_reset that the tx_pools and +rx_pools were freed before re-initialized making it possible to deference +null pointers. + +This patch fix this issue by always check the tx_pool +and rx_pool are not NULL after ibmvnic_login. If so, re-allocating +the pools. This will avoid getting into calling reset_tx/rx_pools with +NULL adapter tx_pools/rx_pools pointer. Also add null pointer check in +reset_tx_pools and reset_rx_pools to safe handle NULL pointer case. + +Signed-off-by: Mingming Cao +Signed-off-by: Dany Madden +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 2d20a48f0ba0a..de45b3709c14e 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -416,6 +416,9 @@ static int reset_rx_pools(struct ibmvnic_adapter *adapter) + int i, j, rc; + u64 *size_array; + ++ if (!adapter->rx_pool) ++ return -1; ++ + size_array = (u64 *)((u8 *)(adapter->login_rsp_buf) + + be32_to_cpu(adapter->login_rsp_buf->off_rxadd_buff_size)); + +@@ -586,6 +589,9 @@ static int reset_tx_pools(struct ibmvnic_adapter *adapter) + int tx_scrqs; + int i, rc; + ++ if (!adapter->tx_pool) ++ return -1; ++ + tx_scrqs = be32_to_cpu(adapter->login_rsp_buf->num_txsubm_subcrqs); + for (i = 0; i < tx_scrqs; i++) { + rc = reset_one_tx_pool(adapter, &adapter->tso_pool[i]); +@@ -1918,7 +1924,10 @@ static int do_reset(struct ibmvnic_adapter *adapter, + adapter->req_rx_add_entries_per_subcrq != + old_num_rx_slots || + adapter->req_tx_entries_per_subcrq != +- old_num_tx_slots) { ++ old_num_tx_slots || ++ !adapter->rx_pool || ++ !adapter->tso_pool || ++ !adapter->tx_pool) { + release_rx_pools(adapter); + release_tx_pools(adapter); + release_napi(adapter); +@@ -1931,10 +1940,14 @@ static int do_reset(struct ibmvnic_adapter *adapter, + } else { + rc = reset_tx_pools(adapter); + if (rc) ++ netdev_dbg(adapter->netdev, "reset tx pools failed (%d)\n", ++ rc); + goto out; + + rc = reset_rx_pools(adapter); + if (rc) ++ netdev_dbg(adapter->netdev, "reset rx pools failed (%d)\n", ++ rc); + goto out; + } + ibmvnic_disable_irqs(adapter); +-- +2.25.1 + diff --git a/queue-5.4/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch b/queue-5.4/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch new file mode 100644 index 00000000000..8fd1c2e41cf --- /dev/null +++ b/queue-5.4/kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch @@ -0,0 +1,70 @@ +From ce3643e9454ae2519e1d83db57bde3010a33ad12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 21:20:21 -0700 +Subject: kprobes: fix kill kprobe which has been marked as gone + +From: Muchun Song + +[ Upstream commit b0399092ccebd9feef68d4ceb8d6219a8c0caa05 ] + +If a kprobe is marked as gone, we should not kill it again. Otherwise, we +can disarm the kprobe more than once. In that case, the statistics of +kprobe_ftrace_enabled can unbalance which can lead to that kprobe do not +work. + +Fixes: e8386a0cb22f ("kprobes: support probing module __exit function") +Co-developed-by: Chengming Zhou +Signed-off-by: Muchun Song +Signed-off-by: Chengming Zhou +Signed-off-by: Andrew Morton +Acked-by: Masami Hiramatsu +Cc: "Naveen N . Rao" +Cc: Anil S Keshavamurthy +Cc: David S. Miller +Cc: Song Liu +Cc: Steven Rostedt +Cc: +Link: https://lkml.kernel.org/r/20200822030055.32383-1-songmuchun@bytedance.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/kprobes.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index bbff4bccb885d..5646f291eb705 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -2088,6 +2088,9 @@ static void kill_kprobe(struct kprobe *p) + { + struct kprobe *kp; + ++ if (WARN_ON_ONCE(kprobe_gone(p))) ++ return; ++ + p->flags |= KPROBE_FLAG_GONE; + if (kprobe_aggrprobe(p)) { + /* +@@ -2270,7 +2273,10 @@ static int kprobes_module_callback(struct notifier_block *nb, + mutex_lock(&kprobe_mutex); + for (i = 0; i < KPROBE_TABLE_SIZE; i++) { + head = &kprobe_table[i]; +- hlist_for_each_entry_rcu(p, head, hlist) ++ hlist_for_each_entry_rcu(p, head, hlist) { ++ if (kprobe_gone(p)) ++ continue; ++ + if (within_module_init((unsigned long)p->addr, mod) || + (checkcore && + within_module_core((unsigned long)p->addr, mod))) { +@@ -2287,6 +2293,7 @@ static int kprobes_module_callback(struct notifier_block *nb, + */ + kill_kprobe(p); + } ++ } + } + mutex_unlock(&kprobe_mutex); + return NOTIFY_DONE; +-- +2.25.1 + diff --git a/queue-5.4/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch b/queue-5.4/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch new file mode 100644 index 00000000000..7fe9f0216f9 --- /dev/null +++ b/queue-5.4/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch @@ -0,0 +1,110 @@ +From fa69719f1dab682641d6d682cd4df5404fce0c00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 21:20:24 -0700 +Subject: mm/thp: fix __split_huge_pmd_locked() for migration PMD + +From: Ralph Campbell + +[ Upstream commit ec0abae6dcdf7ef88607c869bf35a4b63ce1b370 ] + +A migrating transparent huge page has to already be unmapped. Otherwise, +the page could be modified while it is being copied to a new page and data +could be lost. The function __split_huge_pmd() checks for a PMD migration +entry before calling __split_huge_pmd_locked() leading one to think that +__split_huge_pmd_locked() can handle splitting a migrating PMD. + +However, the code always increments the page->_mapcount and adjusts the +memory control group accounting assuming the page is mapped. + +Also, if the PMD entry is a migration PMD entry, the call to +is_huge_zero_pmd(*pmd) is incorrect because it calls pmd_pfn(pmd) instead +of migration_entry_to_pfn(pmd_to_swp_entry(pmd)). Fix these problems by +checking for a PMD migration entry. + +Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") +Signed-off-by: Ralph Campbell +Signed-off-by: Andrew Morton +Reviewed-by: Yang Shi +Reviewed-by: Zi Yan +Cc: Jerome Glisse +Cc: John Hubbard +Cc: Alistair Popple +Cc: Christoph Hellwig +Cc: Jason Gunthorpe +Cc: Bharata B Rao +Cc: Ben Skeggs +Cc: Shuah Khan +Cc: [4.14+] +Link: https://lkml.kernel.org/r/20200903183140.19055-1-rcampbell@nvidia.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/huge_memory.c | 40 +++++++++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +diff --git a/mm/huge_memory.c b/mm/huge_memory.c +index da9040a6838f8..873de55d93fb2 100644 +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2174,7 +2174,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + put_page(page); + add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR); + return; +- } else if (is_huge_zero_pmd(*pmd)) { ++ } else if (pmd_trans_huge(*pmd) && is_huge_zero_pmd(*pmd)) { + /* + * FIXME: Do we want to invalidate secondary mmu by calling + * mmu_notifier_invalidate_range() see comments below inside +@@ -2262,27 +2262,33 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, + pte = pte_offset_map(&_pmd, addr); + BUG_ON(!pte_none(*pte)); + set_pte_at(mm, addr, pte, entry); +- atomic_inc(&page[i]._mapcount); +- pte_unmap(pte); +- } +- +- /* +- * Set PG_double_map before dropping compound_mapcount to avoid +- * false-negative page_mapped(). +- */ +- if (compound_mapcount(page) > 1 && !TestSetPageDoubleMap(page)) { +- for (i = 0; i < HPAGE_PMD_NR; i++) ++ if (!pmd_migration) + atomic_inc(&page[i]._mapcount); ++ pte_unmap(pte); + } + +- if (atomic_add_negative(-1, compound_mapcount_ptr(page))) { +- /* Last compound_mapcount is gone. */ +- __dec_node_page_state(page, NR_ANON_THPS); +- if (TestClearPageDoubleMap(page)) { +- /* No need in mapcount reference anymore */ ++ if (!pmd_migration) { ++ /* ++ * Set PG_double_map before dropping compound_mapcount to avoid ++ * false-negative page_mapped(). ++ */ ++ if (compound_mapcount(page) > 1 && ++ !TestSetPageDoubleMap(page)) { + for (i = 0; i < HPAGE_PMD_NR; i++) +- atomic_dec(&page[i]._mapcount); ++ atomic_inc(&page[i]._mapcount); ++ } ++ ++ lock_page_memcg(page); ++ if (atomic_add_negative(-1, compound_mapcount_ptr(page))) { ++ /* Last compound_mapcount is gone. */ ++ __dec_lruvec_page_state(page, NR_ANON_THPS); ++ if (TestClearPageDoubleMap(page)) { ++ /* No need in mapcount reference anymore */ ++ for (i = 0; i < HPAGE_PMD_NR; i++) ++ atomic_dec(&page[i]._mapcount); ++ } + } ++ unlock_page_memcg(page); + } + + smp_wmb(); /* make pte visible before pmd */ +-- +2.25.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 421138f841e..ccdd49e38aa 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1 +1,5 @@ af_key-pfkey_dump-needs-parameter-validation.patch +ibmvnic-fix-null-tx_pools-and-rx_tools-issue-at-do_r.patch +ibmvnic-add-missing-parenthesis-in-do_reset.patch +kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch +mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch