From: Greg Kroah-Hartman Date: Mon, 22 Jun 2020 18:20:51 +0000 (+0200) Subject: 5.7-stable patches X-Git-Tag: v5.7.6~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a777a89518e41de429901275f0c48a48620b3d0d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.7-stable patches added patches: drm-amdgpu-display-use-blanked-rather-than-plane-state-for-sync-groups.patch drm-amdgpu-replace-invalid-device-id-with-a-valid-device-id.patch drm-ast-don-t-check-new-mode-if-crtc-is-being-disabled.patch drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch drm-nouveau-kms-fix-regression-by-audio-component-transition.patch drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch io_uring-acquire-mm-for-task_work-for-sqpoll.patch io_uring-add-memory-barrier-to-synchronize-io_kiocb-s-result-and-iopoll_completed.patch io_uring-fix-io_kiocb.flags-modification-race-in-iopoll-mode.patch io_uring-reap-poll-completions-while-waiting-for-refs-to-drop-on-exit.patch selinux-fix-a-double-free-in-cond_read_node-cond_read_list.patch selinux-fix-double-free.patch selinux-fix-undefined-return-of-cond_evaluate_expr.patch --- diff --git a/queue-5.7/drm-amdgpu-display-use-blanked-rather-than-plane-state-for-sync-groups.patch b/queue-5.7/drm-amdgpu-display-use-blanked-rather-than-plane-state-for-sync-groups.patch new file mode 100644 index 00000000000..7be4c28cd81 --- /dev/null +++ b/queue-5.7/drm-amdgpu-display-use-blanked-rather-than-plane-state-for-sync-groups.patch @@ -0,0 +1,68 @@ +From b7f839d292948142eaab77cedd031aad0bfec872 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 2 Jun 2020 17:22:48 -0400 +Subject: drm/amdgpu/display: use blanked rather than plane state for sync groups + +From: Alex Deucher + +commit b7f839d292948142eaab77cedd031aad0bfec872 upstream. + +We may end up with no planes set yet, depending on the ordering, but we +should have the proper blanking state which is either handled by either +DPG or TG depending on the hardware generation. Check both to determine +the proper blanked state. + +Bug: https://gitlab.freedesktop.org/drm/amd/issues/781 +Fixes: 5fc0cbfad45648 ("drm/amd/display: determine if a pipe is synced by plane state") +Cc: nicholas.kazlauskas@amd.com +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1011,9 +1011,17 @@ static void program_timing_sync( + } + } + +- /* set first pipe with plane as master */ ++ /* set first unblanked pipe as master */ + for (j = 0; j < group_size; j++) { +- if (pipe_set[j]->plane_state) { ++ bool is_blanked; ++ ++ if (pipe_set[j]->stream_res.opp->funcs->dpg_is_blanked) ++ is_blanked = ++ pipe_set[j]->stream_res.opp->funcs->dpg_is_blanked(pipe_set[j]->stream_res.opp); ++ else ++ is_blanked = ++ pipe_set[j]->stream_res.tg->funcs->is_blanked(pipe_set[j]->stream_res.tg); ++ if (!is_blanked) { + if (j == 0) + break; + +@@ -1034,9 +1042,17 @@ static void program_timing_sync( + status->timing_sync_info.master = false; + + } +- /* remove any other pipes with plane as they have already been synced */ ++ /* remove any other unblanked pipes as they have already been synced */ + for (j = j + 1; j < group_size; j++) { +- if (pipe_set[j]->plane_state) { ++ bool is_blanked; ++ ++ if (pipe_set[j]->stream_res.opp->funcs->dpg_is_blanked) ++ is_blanked = ++ pipe_set[j]->stream_res.opp->funcs->dpg_is_blanked(pipe_set[j]->stream_res.opp); ++ else ++ is_blanked = ++ pipe_set[j]->stream_res.tg->funcs->is_blanked(pipe_set[j]->stream_res.tg); ++ if (!is_blanked) { + group_size--; + pipe_set[j] = pipe_set[group_size]; + j--; diff --git a/queue-5.7/drm-amdgpu-replace-invalid-device-id-with-a-valid-device-id.patch b/queue-5.7/drm-amdgpu-replace-invalid-device-id-with-a-valid-device-id.patch new file mode 100644 index 00000000000..ea5c05f1f8e --- /dev/null +++ b/queue-5.7/drm-amdgpu-replace-invalid-device-id-with-a-valid-device-id.patch @@ -0,0 +1,37 @@ +From 790243d3bf78f9830a3b2ffbca1ed0f528295d48 Mon Sep 17 00:00:00 2001 +From: Sandeep Raghuraman +Date: Thu, 11 Jun 2020 01:36:26 +0530 +Subject: drm/amdgpu: Replace invalid device ID with a valid device ID + +From: Sandeep Raghuraman + +commit 790243d3bf78f9830a3b2ffbca1ed0f528295d48 upstream. + +Initializes Powertune data for a specific Hawaii card by fixing what +looks like a typo in the code. The device ID 66B1 is not a supported +device ID for this driver, and is not mentioned elsewhere. 67B1 is a +valid device ID, and is a Hawaii Pro GPU. + +I have tested on my R9 390 which has device ID 67B1, and it works +fine without problems. + +Signed-off-by: Sandeep Raghuraman +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/ci_smumgr.c +@@ -239,7 +239,7 @@ static void ci_initialize_power_tune_def + + switch (dev_id) { + case 0x67BA: +- case 0x66B1: ++ case 0x67B1: + smu_data->power_tune_defaults = &defaults_hawaii_pro; + break; + case 0x67B8: diff --git a/queue-5.7/drm-ast-don-t-check-new-mode-if-crtc-is-being-disabled.patch b/queue-5.7/drm-ast-don-t-check-new-mode-if-crtc-is-being-disabled.patch new file mode 100644 index 00000000000..3c075cfe01a --- /dev/null +++ b/queue-5.7/drm-ast-don-t-check-new-mode-if-crtc-is-being-disabled.patch @@ -0,0 +1,49 @@ +From d6ddbd5c97d1b9156646ac5c42b8851edd664ee2 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Thu, 7 May 2020 11:06:40 +0200 +Subject: drm/ast: Don't check new mode if CRTC is being disabled + +From: Thomas Zimmermann + +commit d6ddbd5c97d1b9156646ac5c42b8851edd664ee2 upstream. + +Suspending failed because there's no mode if the CRTC is being +disabled. Early-out in this case. This fixes runtime PM for ast. + +v3: + * fixed commit message +v2: + * added Tested-by/Reported-by tags + * added Fixes tags and CC (Sam) + * improved comment + +Signed-off-by: Thomas Zimmermann +Reported-by: Cary Garrett +Tested-by: Cary Garrett +Reviewed-by: Daniel Vetter +Fixes: b48e1b6ffd28 ("drm/ast: Add CRTC helpers for atomic modesetting") +Cc: Thomas Zimmermann +Cc: Gerd Hoffmann +Cc: Dave Airlie +Cc: Daniel Vetter +Cc: Sam Ravnborg +Cc: # v5.6+ +Link: https://patchwork.freedesktop.org/patch/msgid/20200507090640.21561-1-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_mode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -802,6 +802,9 @@ static int ast_crtc_helper_atomic_check( + return -EINVAL; + } + ++ if (!state->enable) ++ return 0; /* no mode checks if CRTC is being disabled */ ++ + ast_state = to_ast_crtc_state(state); + + format = ast_state->format; diff --git a/queue-5.7/drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch b/queue-5.7/drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch new file mode 100644 index 00000000000..2a362db9507 --- /dev/null +++ b/queue-5.7/drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch @@ -0,0 +1,72 @@ +From a5cb5fa6c3a5c2cf492db667b8670ee7b044b79f Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Fri, 3 Apr 2020 14:08:32 -0400 +Subject: drm/dp_mst: Reformat drm_dp_check_act_status() a bit + +From: Lyude Paul + +commit a5cb5fa6c3a5c2cf492db667b8670ee7b044b79f upstream. + +Just add a bit more line wrapping, get rid of some extraneous +whitespace, remove an unneeded goto label, and move around some variable +declarations. No functional changes here. + +Signed-off-by: Lyude Paul +[this isn't a fix, but it's needed for the fix that comes after this] +Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)") +Cc: Sean Paul +Cc: # v3.17+ +Reviewed-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20200406221253.1307209-3-lyude@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -4457,33 +4457,31 @@ fail: + */ + int drm_dp_check_act_status(struct drm_dp_mst_topology_mgr *mgr) + { ++ int count = 0, ret; + u8 status; +- int ret; +- int count = 0; + + do { +- ret = drm_dp_dpcd_readb(mgr->aux, DP_PAYLOAD_TABLE_UPDATE_STATUS, &status); +- ++ ret = drm_dp_dpcd_readb(mgr->aux, ++ DP_PAYLOAD_TABLE_UPDATE_STATUS, ++ &status); + if (ret < 0) { +- DRM_DEBUG_KMS("failed to read payload table status %d\n", ret); +- goto fail; ++ DRM_DEBUG_KMS("failed to read payload table status %d\n", ++ ret); ++ return ret; + } + + if (status & DP_PAYLOAD_ACT_HANDLED) + break; + count++; + udelay(100); +- + } while (count < 30); + + if (!(status & DP_PAYLOAD_ACT_HANDLED)) { +- DRM_DEBUG_KMS("failed to get ACT bit %d after %d retries\n", status, count); +- ret = -EINVAL; +- goto fail; ++ DRM_DEBUG_KMS("failed to get ACT bit %d after %d retries\n", ++ status, count); ++ return -EINVAL; + } + return 0; +-fail: +- return ret; + } + EXPORT_SYMBOL(drm_dp_check_act_status); + diff --git a/queue-5.7/drm-nouveau-kms-fix-regression-by-audio-component-transition.patch b/queue-5.7/drm-nouveau-kms-fix-regression-by-audio-component-transition.patch new file mode 100644 index 00000000000..be83d167890 --- /dev/null +++ b/queue-5.7/drm-nouveau-kms-fix-regression-by-audio-component-transition.patch @@ -0,0 +1,83 @@ +From 61a41097e4bd4bf5d4abf3b3b58d5bf0856ce144 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 16 Apr 2020 09:54:28 +0200 +Subject: drm/nouveau/kms: Fix regression by audio component transition + +From: Takashi Iwai + +commit 61a41097e4bd4bf5d4abf3b3b58d5bf0856ce144 upstream. + +Since the commit 742db30c4ee6 ("drm/nouveau: Add HD-audio component +notifier support"), the nouveau driver notifies and pokes the HD-audio +HPD and ELD via audio component, but this seems broken. The culprit +is the naive assumption that crtc->index corresponds to the HDA pin. +Actually this rather corresponds to the MST dev_id (alias "pipe" in +the audio component framework) while the actual port number is given +from the output ior id number. + +This patch corrects the assignment of port and dev_id arguments in the +audio component ops to recover from the HDMI/DP audio regression. + +Fixes: 742db30c4ee6 ("drm/nouveau: Add HD-audio component notifier support") +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207223 +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/dispnv50/disp.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c ++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c +@@ -482,15 +482,16 @@ nv50_dac_create(struct drm_connector *co + * audio component binding for ELD notification + */ + static void +-nv50_audio_component_eld_notify(struct drm_audio_component *acomp, int port) ++nv50_audio_component_eld_notify(struct drm_audio_component *acomp, int port, ++ int dev_id) + { + if (acomp && acomp->audio_ops && acomp->audio_ops->pin_eld_notify) + acomp->audio_ops->pin_eld_notify(acomp->audio_ops->audio_ptr, +- port, -1); ++ port, dev_id); + } + + static int +-nv50_audio_component_get_eld(struct device *kdev, int port, int pipe, ++nv50_audio_component_get_eld(struct device *kdev, int port, int dev_id, + bool *enabled, unsigned char *buf, int max_bytes) + { + struct drm_device *drm_dev = dev_get_drvdata(kdev); +@@ -506,7 +507,8 @@ nv50_audio_component_get_eld(struct devi + nv_encoder = nouveau_encoder(encoder); + nv_connector = nouveau_encoder_connector_get(nv_encoder); + nv_crtc = nouveau_crtc(encoder->crtc); +- if (!nv_connector || !nv_crtc || nv_crtc->index != port) ++ if (!nv_connector || !nv_crtc || nv_encoder->or != port || ++ nv_crtc->index != dev_id) + continue; + *enabled = drm_detect_monitor_audio(nv_connector->edid); + if (*enabled) { +@@ -600,7 +602,8 @@ nv50_audio_disable(struct drm_encoder *e + + nvif_mthd(&disp->disp->object, 0, &args, sizeof(args)); + +- nv50_audio_component_eld_notify(drm->audio.component, nv_crtc->index); ++ nv50_audio_component_eld_notify(drm->audio.component, nv_encoder->or, ++ nv_crtc->index); + } + + static void +@@ -634,7 +637,8 @@ nv50_audio_enable(struct drm_encoder *en + nvif_mthd(&disp->disp->object, 0, &args, + sizeof(args.base) + drm_eld_size(args.data)); + +- nv50_audio_component_eld_notify(drm->audio.component, nv_crtc->index); ++ nv50_audio_component_eld_notify(drm->audio.component, nv_encoder->or, ++ nv_crtc->index); + } + + /****************************************************************************** diff --git a/queue-5.7/drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch b/queue-5.7/drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch new file mode 100644 index 00000000000..f9f80c2b047 --- /dev/null +++ b/queue-5.7/drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch @@ -0,0 +1,40 @@ +From 80e5f89da3ab949fbbf1cae01dfaea29f5483a75 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Tue, 31 Mar 2020 14:18:08 +0800 +Subject: drm/qxl: Use correct notify port address when creating cursor ring + +From: Huacai Chen + +commit 80e5f89da3ab949fbbf1cae01dfaea29f5483a75 upstream. + +The command ring and cursor ring use different notify port addresses +definition: QXL_IO_NOTIFY_CMD and QXL_IO_NOTIFY_CURSOR. However, in +qxl_device_init() we use QXL_IO_NOTIFY_CMD to create both command ring +and cursor ring. This doesn't cause any problems now, because QEMU's +behaviors on QXL_IO_NOTIFY_CMD and QXL_IO_NOTIFY_CURSOR are the same. +However, QEMU's behavior may be change in future, so let's fix it. + +P.S.: In the X.org QXL driver, the notify port address of cursor ring + is correct. + +Signed-off-by: Huacai Chen +Cc: +Link: http://patchwork.freedesktop.org/patch/msgid/1585635488-17507-1-git-send-email-chenhc@lemote.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/qxl/qxl_kms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/qxl/qxl_kms.c ++++ b/drivers/gpu/drm/qxl/qxl_kms.c +@@ -218,7 +218,7 @@ int qxl_device_init(struct qxl_device *q + &(qdev->ram_header->cursor_ring_hdr), + sizeof(struct qxl_command), + QXL_CURSOR_RING_SIZE, +- qdev->io_base + QXL_IO_NOTIFY_CMD, ++ qdev->io_base + QXL_IO_NOTIFY_CURSOR, + false, + &qdev->cursor_event); + diff --git a/queue-5.7/io_uring-acquire-mm-for-task_work-for-sqpoll.patch b/queue-5.7/io_uring-acquire-mm-for-task_work-for-sqpoll.patch new file mode 100644 index 00000000000..12cecd25af2 --- /dev/null +++ b/queue-5.7/io_uring-acquire-mm-for-task_work-for-sqpoll.patch @@ -0,0 +1,103 @@ +From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST +From: Jens Axboe +Date: Tue, 16 Jun 2020 18:42:49 -0600 +Subject: io_uring: acquire 'mm' for task_work for SQPOLL + +From: Jens Axboe + +[ Upstream commit 9d8426a09195e2dcf2aa249de2aaadd792d491c7 ] + +If we're unlucky with timing, we could be running task_work after +having dropped the memory context in the sq thread. Since dropping +the context requires a runnable task state, we cannot reliably drop +it as part of our check-for-work loop in io_sq_thread(). Instead, +abstract out the mm acquire for the sq thread into a helper, and call +it from the async task work handler. + +Cc: stable@vger.kernel.org # v5.7 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 44 +++++++++++++++++++++++++++++--------------- + 1 file changed, 29 insertions(+), 15 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4302,6 +4302,28 @@ static void io_async_queue_proc(struct f + __io_queue_proc(&pt->req->apoll->poll, pt, head); + } + ++static void io_sq_thread_drop_mm(struct io_ring_ctx *ctx) ++{ ++ struct mm_struct *mm = current->mm; ++ ++ if (mm) { ++ unuse_mm(mm); ++ mmput(mm); ++ } ++} ++ ++static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx, ++ struct io_kiocb *req) ++{ ++ if (io_op_defs[req->opcode].needs_mm && !current->mm) { ++ if (unlikely(!mmget_not_zero(ctx->sqo_mm))) ++ return -EFAULT; ++ use_mm(ctx->sqo_mm); ++ } ++ ++ return 0; ++} ++ + static void io_async_task_func(struct callback_head *cb) + { + struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work); +@@ -4333,12 +4355,17 @@ static void io_async_task_func(struct ca + if (canceled) { + kfree(apoll); + io_cqring_ev_posted(ctx); ++end_req: + req_set_fail_links(req); + io_double_put_req(req); + return; + } + + __set_current_state(TASK_RUNNING); ++ if (io_sq_thread_acquire_mm(ctx, req)) { ++ io_cqring_add_event(req, -EFAULT); ++ goto end_req; ++ } + mutex_lock(&ctx->uring_lock); + __io_queue_sqe(req, NULL); + mutex_unlock(&ctx->uring_lock); +@@ -5897,11 +5924,8 @@ static int io_init_req(struct io_ring_ct + if (unlikely(req->opcode >= IORING_OP_LAST)) + return -EINVAL; + +- if (io_op_defs[req->opcode].needs_mm && !current->mm) { +- if (unlikely(!mmget_not_zero(ctx->sqo_mm))) +- return -EFAULT; +- use_mm(ctx->sqo_mm); +- } ++ if (unlikely(io_sq_thread_acquire_mm(ctx, req))) ++ return -EFAULT; + + sqe_flags = READ_ONCE(sqe->flags); + /* enforce forwards compatibility on users */ +@@ -6011,16 +6035,6 @@ fail_req: + return submitted; + } + +-static inline void io_sq_thread_drop_mm(struct io_ring_ctx *ctx) +-{ +- struct mm_struct *mm = current->mm; +- +- if (mm) { +- unuse_mm(mm); +- mmput(mm); +- } +-} +- + static int io_sq_thread(void *data) + { + struct io_ring_ctx *ctx = data; diff --git a/queue-5.7/io_uring-add-memory-barrier-to-synchronize-io_kiocb-s-result-and-iopoll_completed.patch b/queue-5.7/io_uring-add-memory-barrier-to-synchronize-io_kiocb-s-result-and-iopoll_completed.patch new file mode 100644 index 00000000000..a858be0f8de --- /dev/null +++ b/queue-5.7/io_uring-add-memory-barrier-to-synchronize-io_kiocb-s-result-and-iopoll_completed.patch @@ -0,0 +1,140 @@ +From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST +From: Xiaoguang Wang +Date: Tue, 16 Jun 2020 02:06:38 +0800 +Subject: io_uring: add memory barrier to synchronize io_kiocb's result and iopoll_completed + +From: Xiaoguang Wang + +[ Upstream commit bbde017a32b32d2fa8d5fddca25fade20132abf8 ] + +In io_complete_rw_iopoll(), stores to io_kiocb's result and iopoll +completed are two independent store operations, to ensure that once +iopoll_completed is ture and then req->result must been perceived by +the cpu executing io_do_iopoll(), proper memory barrier should be used. + +And in io_do_iopoll(), we check whether req->result is EAGAIN, if it is, +we'll need to issue this io request using io-wq again. In order to just +issue a single smp_rmb() on the completion side, move the re-submit work +to io_iopoll_complete(). + +Cc: stable@vger.kernel.org +Signed-off-by: Xiaoguang Wang +[axboe: don't set ->iopoll_completed for -EAGAIN retry] +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 53 +++++++++++++++++++++++++++++------------------------ + 1 file changed, 29 insertions(+), 24 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1690,6 +1690,18 @@ static int io_put_kbuf(struct io_kiocb * + return cflags; + } + ++static void io_iopoll_queue(struct list_head *again) ++{ ++ struct io_kiocb *req; ++ ++ do { ++ req = list_first_entry(again, struct io_kiocb, list); ++ list_del(&req->list); ++ refcount_inc(&req->refs); ++ io_queue_async_work(req); ++ } while (!list_empty(again)); ++} ++ + /* + * Find and free completed poll iocbs + */ +@@ -1698,12 +1710,21 @@ static void io_iopoll_complete(struct io + { + struct req_batch rb; + struct io_kiocb *req; ++ LIST_HEAD(again); ++ ++ /* order with ->result store in io_complete_rw_iopoll() */ ++ smp_rmb(); + + rb.to_free = rb.need_iter = 0; + while (!list_empty(done)) { + int cflags = 0; + + req = list_first_entry(done, struct io_kiocb, list); ++ if (READ_ONCE(req->result) == -EAGAIN) { ++ req->iopoll_completed = 0; ++ list_move_tail(&req->list, &again); ++ continue; ++ } + list_del(&req->list); + + if (req->flags & REQ_F_BUFFER_SELECTED) +@@ -1721,18 +1742,9 @@ static void io_iopoll_complete(struct io + if (ctx->flags & IORING_SETUP_SQPOLL) + io_cqring_ev_posted(ctx); + io_free_req_many(ctx, &rb); +-} + +-static void io_iopoll_queue(struct list_head *again) +-{ +- struct io_kiocb *req; +- +- do { +- req = list_first_entry(again, struct io_kiocb, list); +- list_del(&req->list); +- refcount_inc(&req->refs); +- io_queue_async_work(req); +- } while (!list_empty(again)); ++ if (!list_empty(&again)) ++ io_iopoll_queue(&again); + } + + static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events, +@@ -1740,7 +1752,6 @@ static int io_do_iopoll(struct io_ring_c + { + struct io_kiocb *req, *tmp; + LIST_HEAD(done); +- LIST_HEAD(again); + bool spin; + int ret; + +@@ -1766,13 +1777,6 @@ static int io_do_iopoll(struct io_ring_c + if (!list_empty(&done)) + break; + +- if (req->result == -EAGAIN) { +- list_move_tail(&req->list, &again); +- continue; +- } +- if (!list_empty(&again)) +- break; +- + ret = kiocb->ki_filp->f_op->iopoll(kiocb, spin); + if (ret < 0) + break; +@@ -1785,9 +1789,6 @@ static int io_do_iopoll(struct io_ring_c + if (!list_empty(&done)) + io_iopoll_complete(ctx, nr_events, &done); + +- if (!list_empty(&again)) +- io_iopoll_queue(&again); +- + return ret; + } + +@@ -1938,9 +1939,13 @@ static void io_complete_rw_iopoll(struct + + if (res != -EAGAIN && res != req->result) + req_set_fail_links(req); +- req->result = res; +- if (res != -EAGAIN) ++ ++ WRITE_ONCE(req->result, res); ++ /* order with io_poll_complete() checking ->result */ ++ if (res != -EAGAIN) { ++ smp_wmb(); + WRITE_ONCE(req->iopoll_completed, 1); ++ } + } + + /* diff --git a/queue-5.7/io_uring-don-t-fail-links-for-eagain-error-in-iopoll-mode.patch b/queue-5.7/io_uring-don-t-fail-links-for-eagain-error-in-iopoll-mode.patch index 3b5cf6f732d..6267c5011ff 100644 --- a/queue-5.7/io_uring-don-t-fail-links-for-eagain-error-in-iopoll-mode.patch +++ b/queue-5.7/io_uring-don-t-fail-links-for-eagain-error-in-iopoll-mode.patch @@ -1,11 +1,11 @@ -From 2d7d67920e5c8e0854df23ca77da2dd5880ce5dd Mon Sep 17 00:00:00 2001 +From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST From: Xiaoguang Wang Date: Tue, 16 Jun 2020 02:06:37 +0800 Subject: io_uring: don't fail links for EAGAIN error in IOPOLL mode From: Xiaoguang Wang -commit 2d7d67920e5c8e0854df23ca77da2dd5880ce5dd upstream. +[ Upstream commit 2d7d67920e5c8e0854df23ca77da2dd5880ce5dd ] In IOPOLL mode, for EAGAIN error, we'll try to submit io request again using io-wq, so don't fail rest of links if this io request @@ -15,14 +15,13 @@ Cc: stable@vger.kernel.org Signed-off-by: Xiaoguang Wang Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman - --- fs/io_uring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/io_uring.c +++ b/fs/io_uring.c -@@ -1937,7 +1937,7 @@ static void io_complete_rw_iopoll(struct +@@ -1936,7 +1936,7 @@ static void io_complete_rw_iopoll(struct if (kiocb->ki_flags & IOCB_WRITE) kiocb_end_write(req); diff --git a/queue-5.7/io_uring-fix-io_kiocb.flags-modification-race-in-iopoll-mode.patch b/queue-5.7/io_uring-fix-io_kiocb.flags-modification-race-in-iopoll-mode.patch new file mode 100644 index 00000000000..d4e1beaa2fd --- /dev/null +++ b/queue-5.7/io_uring-fix-io_kiocb.flags-modification-race-in-iopoll-mode.patch @@ -0,0 +1,107 @@ +From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST +From: Xiaoguang Wang +Date: Thu, 11 Jun 2020 23:39:36 +0800 +Subject: io_uring: fix io_kiocb.flags modification race in IOPOLL mode + +From: Xiaoguang Wang + +[ Upstream commit 65a6543da386838f935d2f03f452c5c0acff2a68 ] + +While testing io_uring in arm, we found sometimes io_sq_thread() keeps +polling io requests even though there are not inflight io requests in +block layer. After some investigations, found a possible race about +io_kiocb.flags, see below race codes: + 1) in the end of io_write() or io_read() + req->flags &= ~REQ_F_NEED_CLEANUP; + kfree(iovec); + return ret; + + 2) in io_complete_rw_iopoll() + if (res != -EAGAIN) + req->flags |= REQ_F_IOPOLL_COMPLETED; + +In IOPOLL mode, io requests still maybe completed by interrupt, then +above codes are not safe, concurrent modifications to req->flags, which +is not protected by lock or is not atomic modifications. I also had +disassemble io_complete_rw_iopoll() in arm: + req->flags |= REQ_F_IOPOLL_COMPLETED; + 0xffff000008387b18 <+76>: ldr w0, [x19,#104] + 0xffff000008387b1c <+80>: orr w0, w0, #0x1000 + 0xffff000008387b20 <+84>: str w0, [x19,#104] + +Seems that the "req->flags |= REQ_F_IOPOLL_COMPLETED;" is load and +modification, two instructions, which obviously is not atomic. + +To fix this issue, add a new iopoll_completed in io_kiocb to indicate +whether io request is completed. + +Signed-off-by: Xiaoguang Wang +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -513,7 +513,6 @@ enum { + REQ_F_INFLIGHT_BIT, + REQ_F_CUR_POS_BIT, + REQ_F_NOWAIT_BIT, +- REQ_F_IOPOLL_COMPLETED_BIT, + REQ_F_LINK_TIMEOUT_BIT, + REQ_F_TIMEOUT_BIT, + REQ_F_ISREG_BIT, +@@ -556,8 +555,6 @@ enum { + REQ_F_CUR_POS = BIT(REQ_F_CUR_POS_BIT), + /* must not punt to workers */ + REQ_F_NOWAIT = BIT(REQ_F_NOWAIT_BIT), +- /* polled IO has completed */ +- REQ_F_IOPOLL_COMPLETED = BIT(REQ_F_IOPOLL_COMPLETED_BIT), + /* has linked timeout */ + REQ_F_LINK_TIMEOUT = BIT(REQ_F_LINK_TIMEOUT_BIT), + /* timeout request */ +@@ -618,6 +615,8 @@ struct io_kiocb { + int cflags; + bool needs_fixed_file; + u8 opcode; ++ /* polled IO has completed */ ++ u8 iopoll_completed; + + u16 buf_index; + +@@ -1760,7 +1759,7 @@ static int io_do_iopoll(struct io_ring_c + * If we find a request that requires polling, break out + * and complete those lists first, if we have entries there. + */ +- if (req->flags & REQ_F_IOPOLL_COMPLETED) { ++ if (READ_ONCE(req->iopoll_completed)) { + list_move_tail(&req->list, &done); + continue; + } +@@ -1941,7 +1940,7 @@ static void io_complete_rw_iopoll(struct + req_set_fail_links(req); + req->result = res; + if (res != -EAGAIN) +- req->flags |= REQ_F_IOPOLL_COMPLETED; ++ WRITE_ONCE(req->iopoll_completed, 1); + } + + /* +@@ -1974,7 +1973,7 @@ static void io_iopoll_req_issued(struct + * For fast devices, IO may have already completed. If it has, add + * it to the front so we find it first. + */ +- if (req->flags & REQ_F_IOPOLL_COMPLETED) ++ if (READ_ONCE(req->iopoll_completed)) + list_add(&req->list, &ctx->poll_list); + else + list_add_tail(&req->list, &ctx->poll_list); +@@ -2098,6 +2097,7 @@ static int io_prep_rw(struct io_kiocb *r + kiocb->ki_flags |= IOCB_HIPRI; + kiocb->ki_complete = io_complete_rw_iopoll; + req->result = 0; ++ req->iopoll_completed = 0; + } else { + if (kiocb->ki_flags & IOCB_HIPRI) + return -EINVAL; diff --git a/queue-5.7/io_uring-fix-possible-race-condition-against-req_f_need_cleanup.patch b/queue-5.7/io_uring-fix-possible-race-condition-against-req_f_need_cleanup.patch index df8ca34199a..73491d8cf69 100644 --- a/queue-5.7/io_uring-fix-possible-race-condition-against-req_f_need_cleanup.patch +++ b/queue-5.7/io_uring-fix-possible-race-condition-against-req_f_need_cleanup.patch @@ -1,11 +1,11 @@ -From 6f2cc1664db20676069cff27a461ccc97dbfd114 Mon Sep 17 00:00:00 2001 +From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST From: Xiaoguang Wang Date: Thu, 18 Jun 2020 15:01:56 +0800 Subject: io_uring: fix possible race condition against REQ_F_NEED_CLEANUP From: Xiaoguang Wang -commit 6f2cc1664db20676069cff27a461ccc97dbfd114 upstream. +[ Upstream commit 6f2cc1664db20676069cff27a461ccc97dbfd114 ] In io_read() or io_write(), when io request is submitted successfully, it'll go through the below sequence: @@ -29,14 +29,13 @@ Cc: stable@vger.kernel.org Signed-off-by: Xiaoguang Wang Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman - --- fs/io_uring.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/fs/io_uring.c +++ b/fs/io_uring.c -@@ -2609,8 +2609,8 @@ copy_iov: +@@ -2614,8 +2614,8 @@ copy_iov: } } out_free: @@ -47,7 +46,7 @@ Signed-off-by: Greg Kroah-Hartman return ret; } -@@ -2732,8 +2732,8 @@ copy_iov: +@@ -2737,8 +2737,8 @@ copy_iov: } } out_free: diff --git a/queue-5.7/io_uring-reap-poll-completions-while-waiting-for-refs-to-drop-on-exit.patch b/queue-5.7/io_uring-reap-poll-completions-while-waiting-for-refs-to-drop-on-exit.patch new file mode 100644 index 00000000000..93bc71cf146 --- /dev/null +++ b/queue-5.7/io_uring-reap-poll-completions-while-waiting-for-refs-to-drop-on-exit.patch @@ -0,0 +1,47 @@ +From foo@baz Mon 22 Jun 2020 08:18:17 PM CEST +From: Jens Axboe +Date: Wed, 17 Jun 2020 15:00:04 -0600 +Subject: io_uring: reap poll completions while waiting for refs to drop on exit + +From: Jens Axboe + +[ Upstream commit 56952e91acc93ed624fe9da840900defb75f1323 ] + +If we're doing polled IO and end up having requests being submitted +async, then completions can come in while we're waiting for refs to +drop. We need to reap these manually, as nobody else will be looking +for them. + +Break the wait into 1/20th of a second time waits, and check for done +poll completions if we time out. Otherwise we can have done poll +completions sitting in ctx->poll_list, which needs us to reap them but +we're just waiting for them. + +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -7404,7 +7404,17 @@ static void io_ring_exit_work(struct wor + if (ctx->rings) + io_cqring_overflow_flush(ctx, true); + +- wait_for_completion(&ctx->completions[0]); ++ /* ++ * If we're doing polled IO and end up having requests being ++ * submitted async (out-of-line), then completions can come in while ++ * we're waiting for refs to drop. We need to reap these manually, ++ * as nobody else will be looking for them. ++ */ ++ while (!wait_for_completion_timeout(&ctx->completions[0], HZ/20)) { ++ io_iopoll_reap_events(ctx); ++ if (ctx->rings) ++ io_cqring_overflow_flush(ctx, true); ++ } + io_ring_ctx_free(ctx); + } + diff --git a/queue-5.7/selinux-fix-a-double-free-in-cond_read_node-cond_read_list.patch b/queue-5.7/selinux-fix-a-double-free-in-cond_read_node-cond_read_list.patch new file mode 100644 index 00000000000..9f25e6a7597 --- /dev/null +++ b/queue-5.7/selinux-fix-a-double-free-in-cond_read_node-cond_read_list.patch @@ -0,0 +1,74 @@ +From aa449a7965a6172a89d48844c313708962216f1f Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Mon, 15 Jun 2020 13:45:48 -0700 +Subject: selinux: fix a double free in cond_read_node()/cond_read_list() + +From: Tom Rix + +commit aa449a7965a6172a89d48844c313708962216f1f upstream. + +Clang static analysis reports this double free error + +security/selinux/ss/conditional.c:139:2: warning: Attempt to free released memory [unix.Malloc] + kfree(node->expr.nodes); + ^~~~~~~~~~~~~~~~~~~~~~~ + +When cond_read_node fails, it calls cond_node_destroy which frees the +node but does not poison the entry in the node list. So when it +returns to its caller cond_read_list, cond_read_list deletes the +partial list. The latest entry in the list will be deleted twice. + +So instead of freeing the node in cond_read_node, let list freeing in +code_read_list handle the freeing the problem node along with all of the +earlier nodes. + +Because cond_read_node no longer does any error handling, the goto's +the error case are redundant. Instead just return the error code. + +Cc: stable@vger.kernel.org +Fixes: 60abd3181db2 ("selinux: convert cond_list to array") +Signed-off-by: Tom Rix +Reviewed-by: Ondrej Mosnacek +[PM: subject line tweaks] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/conditional.c | 18 +++++------------- + 1 file changed, 5 insertions(+), 13 deletions(-) + +--- a/security/selinux/ss/conditional.c ++++ b/security/selinux/ss/conditional.c +@@ -392,27 +392,19 @@ static int cond_read_node(struct policyd + + rc = next_entry(buf, fp, sizeof(u32) * 2); + if (rc) +- goto err; ++ return rc; + + expr->expr_type = le32_to_cpu(buf[0]); + expr->bool = le32_to_cpu(buf[1]); + +- if (!expr_node_isvalid(p, expr)) { +- rc = -EINVAL; +- goto err; +- } ++ if (!expr_node_isvalid(p, expr)) ++ return -EINVAL; + } + + rc = cond_read_av_list(p, fp, &node->true_list, NULL); + if (rc) +- goto err; +- rc = cond_read_av_list(p, fp, &node->false_list, &node->true_list); +- if (rc) +- goto err; +- return 0; +-err: +- cond_node_destroy(node); +- return rc; ++ return rc; ++ return cond_read_av_list(p, fp, &node->false_list, &node->true_list); + } + + int cond_read_list(struct policydb *p, void *fp) diff --git a/queue-5.7/selinux-fix-double-free.patch b/queue-5.7/selinux-fix-double-free.patch new file mode 100644 index 00000000000..65b9860906e --- /dev/null +++ b/queue-5.7/selinux-fix-double-free.patch @@ -0,0 +1,46 @@ +From 65de50969a77509452ae590e9449b70a22b923bb Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Wed, 10 Jun 2020 14:57:13 -0700 +Subject: selinux: fix double free + +From: Tom Rix + +commit 65de50969a77509452ae590e9449b70a22b923bb upstream. + +Clang's static analysis tool reports these double free memory errors. + +security/selinux/ss/services.c:2987:4: warning: Attempt to free released memory [unix.Malloc] + kfree(bnames[i]); + ^~~~~~~~~~~~~~~~ +security/selinux/ss/services.c:2990:2: warning: Attempt to free released memory [unix.Malloc] + kfree(bvalues); + ^~~~~~~~~~~~~~ + +So improve the security_get_bools error handling by freeing these variables +and setting their return pointers to NULL and the return len to 0 + +Cc: stable@vger.kernel.org +Signed-off-by: Tom Rix +Acked-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/services.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -2923,8 +2923,12 @@ err: + if (*names) { + for (i = 0; i < *len; i++) + kfree((*names)[i]); ++ kfree(*names); + } + kfree(*values); ++ *len = 0; ++ *names = NULL; ++ *values = NULL; + goto out; + } + diff --git a/queue-5.7/selinux-fix-undefined-return-of-cond_evaluate_expr.patch b/queue-5.7/selinux-fix-undefined-return-of-cond_evaluate_expr.patch new file mode 100644 index 00000000000..da33910b70c --- /dev/null +++ b/queue-5.7/selinux-fix-undefined-return-of-cond_evaluate_expr.patch @@ -0,0 +1,51 @@ +From 8231b0b9c322c894594fb42eb0eb9f93544a6acc Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Wed, 17 Jun 2020 05:40:28 -0700 +Subject: selinux: fix undefined return of cond_evaluate_expr + +From: Tom Rix + +commit 8231b0b9c322c894594fb42eb0eb9f93544a6acc upstream. + +clang static analysis reports an undefined return + +security/selinux/ss/conditional.c:79:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn] + return s[0]; + ^~~~~~~~~~~ + +static int cond_evaluate_expr( ... +{ + u32 i; + int s[COND_EXPR_MAXDEPTH]; + + for (i = 0; i < expr->len; i++) + ... + + return s[0]; + +When expr->len is 0, the loop which sets s[0] never runs. + +So return -1 if the loop never runs. + +Cc: stable@vger.kernel.org +Signed-off-by: Tom Rix +Acked-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/conditional.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/security/selinux/ss/conditional.c ++++ b/security/selinux/ss/conditional.c +@@ -27,6 +27,9 @@ static int cond_evaluate_expr(struct pol + int s[COND_EXPR_MAXDEPTH]; + int sp = -1; + ++ if (expr->len == 0) ++ return -1; ++ + for (i = 0; i < expr->len; i++) { + struct cond_expr_node *node = &expr->nodes[i]; + diff --git a/queue-5.7/series b/queue-5.7/series index 9b29a20287f..97a77f09510 100644 --- a/queue-5.7/series +++ b/queue-5.7/series @@ -414,11 +414,24 @@ arm64-hw_breakpoint-don-t-invoke-overflow-handler-on.patch libata-use-per-port-sync-for-detach.patch drm-encoder_slave-fix-refcouting-error-for-modules.patch pinctrl-qcom-ipq6018-add-missing-pins-in-qpic-pin-gr.patch -io_uring-don-t-fail-links-for-eagain-error-in-iopoll-mode.patch -io_uring-fix-possible-race-condition-against-req_f_need_cleanup.patch ext4-fix-partial-cluster-initialization-when-splitting-extent.patch ext4-avoid-utf8_strncasecmp-with-unstable-name.patch ext4-jbd2-ensure-panic-by-fix-a-race-between-jbd2-abort-and-ext4-error-handlers.patch arm64-dts-realtek-rtd129x-use-reserved-memory-for-rpc-regions.patch arm64-dts-realtek-rtd129x-carve-out-boot-rom-from-memory.patch sh-convert-iounmap-macros-to-inline-functions.patch +drm-nouveau-kms-fix-regression-by-audio-component-transition.patch +drm-dp_mst-reformat-drm_dp_check_act_status-a-bit.patch +drm-qxl-use-correct-notify-port-address-when-creating-cursor-ring.patch +drm-amdgpu-display-use-blanked-rather-than-plane-state-for-sync-groups.patch +drm-amdgpu-replace-invalid-device-id-with-a-valid-device-id.patch +selinux-fix-double-free.patch +selinux-fix-a-double-free-in-cond_read_node-cond_read_list.patch +selinux-fix-undefined-return-of-cond_evaluate_expr.patch +drm-ast-don-t-check-new-mode-if-crtc-is-being-disabled.patch +io_uring-fix-io_kiocb.flags-modification-race-in-iopoll-mode.patch +io_uring-don-t-fail-links-for-eagain-error-in-iopoll-mode.patch +io_uring-add-memory-barrier-to-synchronize-io_kiocb-s-result-and-iopoll_completed.patch +io_uring-acquire-mm-for-task_work-for-sqpoll.patch +io_uring-reap-poll-completions-while-waiting-for-refs-to-drop-on-exit.patch +io_uring-fix-possible-race-condition-against-req_f_need_cleanup.patch