From: Greg Kroah-Hartman Date: Thu, 6 Dec 2018 09:29:53 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.8~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5da74325d1ea867e49fe23e2150a9c32e96612f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: drm-ast-fix-incorrect-free-on-ioregs.patch drm-meson-enable-fast_io-in-meson_dw_hdmi_regmap_config.patch drm-meson-fix-oob-memory-accesses-in-meson_viu_set_osd_lut.patch drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch iser-set-sector-for-ambiguous-mr-status-errors.patch mips-fix-mips_get_syscall_arg-o32-check.patch mips-ralink-fix-mt7620-nd_sd-pinmux.patch uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch userfaultfd-shmem-add-i_size-checks.patch userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch userfaultfd-shmem-uffdio_copy-set-the-page-dirty-if-vm_write-is-not-set.patch userfaultfd-use-enoent-instead-of-efault-if-the-atomic-copy-user-fails.patch --- diff --git a/queue-4.14/drm-ast-fix-incorrect-free-on-ioregs.patch b/queue-4.14/drm-ast-fix-incorrect-free-on-ioregs.patch new file mode 100644 index 00000000000..b94713b69c2 --- /dev/null +++ b/queue-4.14/drm-ast-fix-incorrect-free-on-ioregs.patch 
@@ -0,0 +1,38 @@ +From dc25ab067645eabd037f1a23d49a666f9e0b8c68 Mon Sep 17 00:00:00 2001 +From: Sam Bobroff +Date: Mon, 5 Nov 2018 16:57:47 +1100 +Subject: drm/ast: Fix incorrect free on ioregs + +From: Sam Bobroff + +commit dc25ab067645eabd037f1a23d49a666f9e0b8c68 upstream. + +If the platform has no IO space, ioregs is placed next to the already +allocated regs. In this case, it should not be separately freed. + +This prevents a kernel warning from __vunmap "Trying to vfree() +nonexistent vm area" when unloading the driver. + +Fixes: 0dd68309b9c5 ("drm/ast: Try to use MMIO registers when PIO isn't supported") + +Signed-off-by: Sam Bobroff +Cc: +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -583,7 +583,8 @@ void ast_driver_unload(struct drm_device + drm_mode_config_cleanup(dev); + + ast_mm_fini(ast); +- pci_iounmap(dev->pdev, ast->ioregs); ++ if (ast->ioregs != ast->regs + AST_IO_MM_OFFSET) ++ pci_iounmap(dev->pdev, ast->ioregs); + pci_iounmap(dev->pdev, ast->regs); + kfree(ast); + } diff --git a/queue-4.14/drm-meson-enable-fast_io-in-meson_dw_hdmi_regmap_config.patch b/queue-4.14/drm-meson-enable-fast_io-in-meson_dw_hdmi_regmap_config.patch new file mode 100644 index 00000000000..adf354e9c56 --- /dev/null +++ b/queue-4.14/drm-meson-enable-fast_io-in-meson_dw_hdmi_regmap_config.patch 
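Review bot: The new `if (ast->ioregs != ast->regs + AST_IO_MM_OFFSET)` guard in ast_driver_unload() encodes how ioregs was set up at driver load, but nothing at the unmap site says so; the next reader will not know why an inequality against `regs + AST_IO_MM_OFFSET` decides whether pci_iounmap() is called. I would add `/* With no PIO space, ioregs aliases into regs; only unmap a separately mapped ioregs */` above the check. The load path that assigns ioregs is not in this hunk, so that description is taken from the commit message, and ast_driver_unload() begins before the hunk.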
@@ -0,0 +1,167 @@ +From 995b278e4723b26f8ebf0e7c119286d16c712747 Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Sat, 24 Nov 2018 14:12:38 -0500 +Subject: drm/meson: Enable fast_io in meson_dw_hdmi_regmap_config + +From: Lyude Paul + +commit 995b278e4723b26f8ebf0e7c119286d16c712747 upstream. + +Seeing as we use this registermap in the context of our IRQ handlers, we +need to be using spinlocks for reading/writing registers so that we can +still read them from IRQ handlers without having to grab any mutexes and +accidentally sleep. We don't currently do this, as pointed out by +lockdep: + +[ 18.403770] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908 +[ 18.406744] in_atomic(): 1, irqs_disabled(): 128, pid: 68, name: kworker/u17:0 +[ 18.413864] INFO: lockdep is turned off. +[ 18.417675] irq event stamp: 12 +[ 18.420778] hardirqs last enabled at (11): [] _raw_spin_unlock_irq+0x2c/0x60 +[ 18.429510] hardirqs last disabled at (12): [] __schedule+0xc4/0xa60 +[ 18.437345] softirqs last enabled at (0): [] copy_process.isra.4.part.5+0x4d8/0x1c50 +[ 18.446684] softirqs last disabled at (0): [<0000000000000000>] (null) +[ 18.453979] CPU: 0 PID: 68 Comm: kworker/u17:0 Tainted: G W O 4.20.0-rc3Lyude-Test+ #9 +[ 18.469839] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018 +[ 18.480037] Workqueue: hci0 hci_power_on [bluetooth] +[ 18.487138] Call trace: +[ 18.494192] dump_backtrace+0x0/0x1b8 +[ 18.501280] show_stack+0x14/0x20 +[ 18.508361] dump_stack+0xbc/0xf4 +[ 18.515427] ___might_sleep+0x140/0x1d8 +[ 18.522515] __might_sleep+0x50/0x88 +[ 18.529582] __mutex_lock+0x60/0x870 +[ 18.536621] mutex_lock_nested+0x1c/0x28 +[ 18.543660] regmap_lock_mutex+0x10/0x18 +[ 18.550696] regmap_read+0x38/0x70 +[ 18.557727] dw_hdmi_hardirq+0x58/0x138 [dw_hdmi] +[ 18.564804] __handle_irq_event_percpu+0xac/0x410 +[ 18.571891] handle_irq_event_percpu+0x34/0x88 +[ 18.578982] handle_irq_event+0x48/0x78 +[ 18.586051] 
handle_fasteoi_irq+0xac/0x160 +[ 18.593061] generic_handle_irq+0x24/0x38 +[ 18.599989] __handle_domain_irq+0x60/0xb8 +[ 18.606857] gic_handle_irq+0x50/0xa0 +[ 18.613659] el1_irq+0xb4/0x130 +[ 18.620394] debug_lockdep_rcu_enabled+0x2c/0x30 +[ 18.627111] schedule+0x38/0xa0 +[ 18.633781] schedule_timeout+0x3a8/0x510 +[ 18.640389] wait_for_common+0x15c/0x180 +[ 18.646905] wait_for_completion+0x14/0x20 +[ 18.653319] mmc_wait_for_req_done+0x28/0x168 +[ 18.659693] mmc_wait_for_req+0xa8/0xe8 +[ 18.665978] mmc_wait_for_cmd+0x64/0x98 +[ 18.672180] mmc_io_rw_direct_host+0x94/0x130 +[ 18.678385] mmc_io_rw_direct+0x10/0x18 +[ 18.684516] sdio_enable_func+0xe8/0x1d0 +[ 18.690627] btsdio_open+0x24/0xc0 [btsdio] +[ 18.696821] hci_dev_do_open+0x64/0x598 [bluetooth] +[ 18.703025] hci_power_on+0x50/0x270 [bluetooth] +[ 18.709163] process_one_work+0x2a0/0x6e0 +[ 18.715252] worker_thread+0x40/0x448 +[ 18.721310] kthread+0x12c/0x130 +[ 18.727326] ret_from_fork+0x10/0x1c +[ 18.735555] ------------[ cut here ]------------ +[ 18.741430] do not call blocking ops when !TASK_RUNNING; state=2 set at [<000000006265ec59>] wait_for_common+0x140/0x180 +[ 18.752417] WARNING: CPU: 0 PID: 68 at kernel/sched/core.c:6096 __might_sleep+0x7c/0x88 +[ 18.760553] Modules linked in: dm_mirror dm_region_hash dm_log dm_mod +btsdio bluetooth snd_soc_hdmi_codec dw_hdmi_i2s_audio ecdh_generic +brcmfmac brcmutil cfg80211 rfkill ir_nec_decoder meson_dw_hdmi(O) +dw_hdmi rc_geekbox meson_rng meson_ir ao_cec rng_core rc_core cec +leds_pwm efivars nfsd ip_tables x_tables crc32_generic f2fs uas +meson_gxbb_wdt pwm_meson efivarfs ipv6 +[ 18.799469] CPU: 0 PID: 68 Comm: kworker/u17:0 Tainted: G W O 4.20.0-rc3Lyude-Test+ #9 +[ 18.808858] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018 +[ 18.818045] Workqueue: hci0 hci_power_on [bluetooth] +[ 18.824088] pstate: 80000085 (Nzcv daIf -PAN -UAO) +[ 18.829891] pc : __might_sleep+0x7c/0x88 +[ 18.835722] lr : __might_sleep+0x7c/0x88 +[ 18.841256] 
sp : ffff000008003cb0 +[ 18.846751] x29: ffff000008003cb0 x28: 0000000000000000 +[ 18.852269] x27: ffff00000938e000 x26: ffff800010283000 +[ 18.857726] x25: ffff800010353280 x24: ffff00000868ef50 +[ 18.863166] x23: 0000000000000000 x22: 0000000000000000 +[ 18.868551] x21: 0000000000000000 x20: 000000000000038c +[ 18.873850] x19: ffff000008cd08c0 x18: 0000000000000010 +[ 18.879081] x17: ffff000008a68cb0 x16: 0000000000000000 +[ 18.884197] x15: 0000000000aaaaaa x14: 0e200e200e200e20 +[ 18.889239] x13: 0000000000000001 x12: 00000000ffffffff +[ 18.894261] x11: ffff000008adfa48 x10: 0000000000000001 +[ 18.899517] x9 : ffff0000092a0158 x8 : 0000000000000000 +[ 18.904674] x7 : ffff00000812136c x6 : 0000000000000000 +[ 18.909895] x5 : 0000000000000000 x4 : 0000000000000001 +[ 18.915080] x3 : 0000000000000007 x2 : 0000000000000007 +[ 18.920269] x1 : 99ab8e9ebb6c8500 x0 : 0000000000000000 +[ 18.925443] Call trace: +[ 18.929904] __might_sleep+0x7c/0x88 +[ 18.934311] __mutex_lock+0x60/0x870 +[ 18.938687] mutex_lock_nested+0x1c/0x28 +[ 18.943076] regmap_lock_mutex+0x10/0x18 +[ 18.947453] regmap_read+0x38/0x70 +[ 18.951842] dw_hdmi_hardirq+0x58/0x138 [dw_hdmi] +[ 18.956269] __handle_irq_event_percpu+0xac/0x410 +[ 18.960712] handle_irq_event_percpu+0x34/0x88 +[ 18.965176] handle_irq_event+0x48/0x78 +[ 18.969612] handle_fasteoi_irq+0xac/0x160 +[ 18.974058] generic_handle_irq+0x24/0x38 +[ 18.978501] __handle_domain_irq+0x60/0xb8 +[ 18.982938] gic_handle_irq+0x50/0xa0 +[ 18.987351] el1_irq+0xb4/0x130 +[ 18.991734] debug_lockdep_rcu_enabled+0x2c/0x30 +[ 18.996180] schedule+0x38/0xa0 +[ 19.000609] schedule_timeout+0x3a8/0x510 +[ 19.005064] wait_for_common+0x15c/0x180 +[ 19.009513] wait_for_completion+0x14/0x20 +[ 19.013951] mmc_wait_for_req_done+0x28/0x168 +[ 19.018402] mmc_wait_for_req+0xa8/0xe8 +[ 19.022809] mmc_wait_for_cmd+0x64/0x98 +[ 19.027177] mmc_io_rw_direct_host+0x94/0x130 +[ 19.031563] mmc_io_rw_direct+0x10/0x18 +[ 19.035922] sdio_enable_func+0xe8/0x1d0 +[ 19.040294] 
btsdio_open+0x24/0xc0 [btsdio] +[ 19.044742] hci_dev_do_open+0x64/0x598 [bluetooth] +[ 19.049228] hci_power_on+0x50/0x270 [bluetooth] +[ 19.053687] process_one_work+0x2a0/0x6e0 +[ 19.058143] worker_thread+0x40/0x448 +[ 19.062608] kthread+0x12c/0x130 +[ 19.067064] ret_from_fork+0x10/0x1c +[ 19.071513] irq event stamp: 12 +[ 19.075937] hardirqs last enabled at (11): [] _raw_spin_unlock_irq+0x2c/0x60 +[ 19.083560] hardirqs last disabled at (12): [] __schedule+0xc4/0xa60 +[ 19.091401] softirqs last enabled at (0): [] copy_process.isra.4.part.5+0x4d8/0x1c50 +[ 19.100801] softirqs last disabled at (0): [<0000000000000000>] (null) +[ 19.108135] ---[ end trace 38c4920787b88c75 ]--- + +So, fix this by enabling the fast_io option in our regmap config so that +regmap uses spinlocks for locking instead of mutexes. + +Signed-off-by: Lyude Paul +Fixes: 3f68be7d8e96 ("drm/meson: Add support for HDMI encoder and DW-HDMI bridge + PHY") +Cc: Daniel Vetter +Cc: Neil Armstrong +Cc: Carlo Caione +Cc: Kevin Hilman +Cc: dri-devel@lists.freedesktop.org +Cc: linux-amlogic@lists.infradead.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: # v4.12+ +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20181124191238.28276-1-lyude@redhat.com +Signed-off-by: Sean Paul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/meson/meson_dw_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/meson/meson_dw_hdmi.c ++++ b/drivers/gpu/drm/meson/meson_dw_hdmi.c +@@ -697,6 +697,7 @@ static const struct regmap_config meson_ + .reg_read = meson_dw_hdmi_reg_read, + .reg_write = meson_dw_hdmi_reg_write, + .max_register = 0x10000, ++ .fast_io = true, + }; + + static bool meson_hdmi_connector_is_available(struct device *dev) 
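Review bot: Setting `.fast_io = true` makes regmap take a spinlock around `.reg_read = meson_dw_hdmi_reg_read` and `.reg_write = meson_dw_hdmi_reg_write`, so those two callbacks must themselves be non-sleeping, and nothing in the config records that constraint. The lockdep trace shows the map being read from dw_hdmi_hardirq(), which is the reason for the change; I would state it next to the field, `/* fast_io: regmap_read() runs from dw_hdmi_hardirq(); reg_read/reg_write must not sleep */`. The two callback bodies are outside this hunk, so whether they are sleep-free today cannot be checked here.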
diff --git a/queue-4.14/drm-meson-fix-oob-memory-accesses-in-meson_viu_set_osd_lut.patch b/queue-4.14/drm-meson-fix-oob-memory-accesses-in-meson_viu_set_osd_lut.patch new file mode 100644 index 00000000000..6643d15e8af --- /dev/null +++ b/queue-4.14/drm-meson-fix-oob-memory-accesses-in-meson_viu_set_osd_lut.patch 
@@ -0,0 +1,138 @@ +From 97b2a3180a559a33852ac0cd77904166069484fd Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Sat, 24 Nov 2018 20:21:17 -0500 +Subject: drm/meson: Fix OOB memory accesses in meson_viu_set_osd_lut() + +From: Lyude Paul + +commit 97b2a3180a559a33852ac0cd77904166069484fd upstream. + +Currently on driver bringup with KASAN enabled, meson triggers an OOB +memory access as shown below: + +[ 117.904528] ================================================================== +[ 117.904560] BUG: KASAN: global-out-of-bounds in meson_viu_set_osd_lut+0x7a0/0x890 +[ 117.904588] Read of size 4 at addr ffff20000a63ce24 by task systemd-udevd/498 +[ 117.904601] +[ 118.083372] CPU: 4 PID: 498 Comm: systemd-udevd Not tainted 4.20.0-rc3Lyude-Test+ #20 +[ 118.091143] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018 +[ 118.099768] Call trace: +[ 118.102181] dump_backtrace+0x0/0x3e8 +[ 118.105796] show_stack+0x14/0x20 +[ 118.109083] dump_stack+0x130/0x1c4 +[ 118.112539] print_address_description+0x60/0x25c +[ 118.117214] kasan_report+0x1b4/0x368 +[ 118.120851] __asan_report_load4_noabort+0x18/0x20 +[ 118.125566] meson_viu_set_osd_lut+0x7a0/0x890 +[ 118.129953] meson_viu_init+0x10c/0x290 +[ 118.133741] meson_drv_bind_master+0x474/0x748 +[ 118.138141] meson_drv_bind+0x10/0x18 +[ 118.141760] try_to_bring_up_master+0x3d8/0x768 +[ 118.146249] component_add+0x214/0x570 +[ 118.149978] meson_dw_hdmi_probe+0x18/0x20 [meson_dw_hdmi] +[ 118.155404] platform_drv_probe+0x98/0x138 +[ 118.159455] really_probe+0x2a0/0xa70 +[ 118.163070] driver_probe_device+0x1b4/0x2d8 +[ 118.167299] __driver_attach+0x200/0x280 +[ 118.171189] bus_for_each_dev+0x10c/0x1a8 +[ 118.175144] driver_attach+0x38/0x50 +[ 118.178681] bus_add_driver+0x330/0x608 +[ 118.182471] driver_register+0x140/0x388 +[ 118.186361] __platform_driver_register+0xc8/0x108 +[ 118.191117] meson_dw_hdmi_platform_driver_init+0x1c/0x1000 [meson_dw_hdmi] +[ 118.198022] do_one_initcall+0x12c/0x3bc +[ 
118.201883] do_init_module+0x1fc/0x638 +[ 118.205673] load_module+0x4b4c/0x6808 +[ 118.209387] __se_sys_init_module+0x2e8/0x3c0 +[ 118.213699] __arm64_sys_init_module+0x68/0x98 +[ 118.218100] el0_svc_common+0x104/0x210 +[ 118.221893] el0_svc_handler+0x48/0xb8 +[ 118.225594] el0_svc+0x8/0xc +[ 118.228429] +[ 118.229887] The buggy address belongs to the variable: +[ 118.235007] eotf_33_linear_mapping+0x84/0xc0 +[ 118.239301] +[ 118.240752] Memory state around the buggy address: +[ 118.245522] ffff20000a63cd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 118.252695] ffff20000a63cd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 118.259850] >ffff20000a63ce00: 00 00 00 00 04 fa fa fa fa fa fa fa 00 00 00 00 +[ 118.267000] ^ +[ 118.271222] ffff20000a63ce80: 00 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 +[ 118.278393] ffff20000a63cf00: 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa +[ 118.285542] ================================================================== +[ 118.292699] Disabling lock debugging due to kernel taint + +It seems that when looping through the OSD EOTF LUT maps, we use the +same max iterator for OETF: 20. This is wrong though, since 20*2 is 40, +which means that we'll stop out of bounds on the EOTF maps. + +But, this whole thing is already confusing enough to read through as-is, +so let's just replace all of the hardcoded sizes with +OSD_(OETF/EOTF)_LUT_SIZE / 2. 
+ +Signed-off-by: Lyude Paul +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Cc: Neil Armstrong +Cc: Maxime Ripard +Cc: Carlo Caione +Cc: Kevin Hilman +Cc: dri-devel@lists.freedesktop.org +Cc: linux-amlogic@lists.infradead.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: # v4.10+ +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20181125012117.31915-1-lyude@redhat.com +Signed-off-by: Sean Paul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/meson/meson_viu.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/meson/meson_viu.c ++++ b/drivers/gpu/drm/meson/meson_viu.c +@@ -184,18 +184,18 @@ void meson_viu_set_osd_lut(struct meson_ + if (lut_sel == VIU_LUT_OSD_OETF) { + writel(0, priv->io_base + _REG(addr_port)); + +- for (i = 0; i < 20; i++) ++ for (i = 0; i < (OSD_OETF_LUT_SIZE / 2); i++) + writel(r_map[i * 2] | (r_map[i * 2 + 1] << 16), + priv->io_base + _REG(data_port)); + + writel(r_map[OSD_OETF_LUT_SIZE - 1] | (g_map[0] << 16), + priv->io_base + _REG(data_port)); + +- for (i = 0; i < 20; i++) ++ for (i = 0; i < (OSD_OETF_LUT_SIZE / 2); i++) + writel(g_map[i * 2 + 1] | (g_map[i * 2 + 2] << 16), + priv->io_base + _REG(data_port)); + +- for (i = 0; i < 20; i++) ++ for (i = 0; i < (OSD_OETF_LUT_SIZE / 2); i++) + writel(b_map[i * 2] | (b_map[i * 2 + 1] << 16), + priv->io_base + _REG(data_port)); + +@@ -211,18 +211,18 @@ void meson_viu_set_osd_lut(struct meson_ + } else if (lut_sel == VIU_LUT_OSD_EOTF) { + writel(0, priv->io_base + _REG(addr_port)); + +- for (i = 0; i < 20; i++) ++ for (i = 0; i < (OSD_EOTF_LUT_SIZE / 2); i++) + writel(r_map[i * 2] | (r_map[i * 2 + 1] << 16), + priv->io_base + _REG(data_port)); + + writel(r_map[OSD_EOTF_LUT_SIZE - 1] | (g_map[0] << 16), + priv->io_base + _REG(data_port)); + +- for (i = 0; i < 20; i++) ++ for (i = 0; i < (OSD_EOTF_LUT_SIZE / 2); i++) + writel(g_map[i * 2 + 1] | (g_map[i * 2 
+ 2] << 16), + priv->io_base + _REG(data_port)); + +- for (i = 0; i < 20; i++) ++ for (i = 0; i < (OSD_EOTF_LUT_SIZE / 2); i++) + writel(b_map[i * 2] | (b_map[i * 2 + 1] << 16), + priv->io_base + _REG(data_port)); + diff --git a/queue-4.14/drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch b/queue-4.14/drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch new file mode 100644 index 00000000000..aa7645fb7ee --- /dev/null +++ b/queue-4.14/drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch 
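Review bot: The rewritten loops in meson_viu_set_osd_lut() are correct only for odd LUT sizes: with `i < (OSD_OETF_LUT_SIZE / 2)` the green-channel loop's `g_map[i * 2 + 2]` ends at index `2 * (OSD_OETF_LUT_SIZE / 2)`, which is the last element when the size is odd but one past the end when it is even, and the same holds for the OSD_EOTF_LUT_SIZE loops in the second hunk. The KASAN report names `eotf_33_linear_mapping`, so the sizes are presumably odd today, but the constants are defined outside this hunk and the bound does not say so. I would pin the assumption where the loops live, `BUILD_BUG_ON(!(OSD_OETF_LUT_SIZE & 1));` and `BUILD_BUG_ON(!(OSD_EOTF_LUT_SIZE & 1));`, or note it in a comment on the size macros. meson_viu_set_osd_lut() starts before the first hunk and continues after the second.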
@@ -0,0 +1,107 @@ +From 23a336b34258aba3b50ea6863cca4e81b5ef6384 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 22 Nov 2018 02:33:29 -0300 +Subject: drm: set is_master to 0 upon drm_new_set_master() failure + +From: Sergio Correia + +commit 23a336b34258aba3b50ea6863cca4e81b5ef6384 upstream. + +When drm_new_set_master() fails, set is_master to 0, to prevent a +possible NULL pointer deref. + +Here is a problematic flow: we check is_master in drm_is_current_master(), +then proceed to call drm_lease_owner() passing master. If we do not restore +is_master status when drm_new_set_master() fails, we may have a situation +in which is_master will be 1 and master itself, NULL, leading to the deref +of a NULL pointer in drm_lease_owner(). + +This fixes the following OOPS, observed on an ArchLinux running a 4.19.2 +kernel: + +[ 97.804282] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080 +[ 97.807224] PGD 0 P4D 0 +[ 97.807224] Oops: 0000 [#1] PREEMPT SMP NOPTI +[ 97.807224] CPU: 0 PID: 1348 Comm: xfwm4 Tainted: P OE 4.19.2-arch1-1-ARCH #1 +[ 97.807224] Hardware name: To Be Filled By O.E.M. 
To Be Filled By O.E.M./AB350 Pro4, BIOS P5.10 10/16/2018 +[ 97.807224] RIP: 0010:drm_lease_owner+0xd/0x20 [drm] +[ 97.807224] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44 +[ 97.807224] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202 +[ 97.807224] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88 +[ 97.807224] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 97.807224] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000 +[ 97.807224] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888 +[ 97.807224] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8 +[ 97.807224] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000 +[ 97.807224] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 97.807224] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0 +[ 97.807224] Call Trace: +[ 97.807224] drm_is_current_master+0x1a/0x30 [drm] +[ 97.807224] drm_master_release+0x3e/0x130 [drm] +[ 97.807224] drm_file_free.part.0+0x2be/0x2d0 [drm] +[ 97.807224] drm_open+0x1ba/0x1e0 [drm] +[ 97.807224] drm_stub_open+0xaf/0xe0 [drm] +[ 97.807224] chrdev_open+0xa3/0x1b0 +[ 97.807224] ? cdev_put.part.0+0x20/0x20 +[ 97.807224] do_dentry_open+0x132/0x340 +[ 97.807224] path_openat+0x2d1/0x14e0 +[ 97.807224] ? mem_cgroup_commit_charge+0x7a/0x520 +[ 97.807224] do_filp_open+0x93/0x100 +[ 97.807224] ? __check_object_size+0x102/0x189 +[ 97.807224] ? 
_raw_spin_unlock+0x16/0x30 +[ 97.807224] do_sys_open+0x186/0x210 +[ 97.807224] do_syscall_64+0x5b/0x170 +[ 97.807224] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 97.807224] RIP: 0033:0x7f4147b07976 +[ 97.807224] Code: 89 54 24 08 e8 7b f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f2 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 30 44 89 c7 89 44 24 08 e8 a6 f4 ff ff 8b 44 +[ 97.807224] RSP: 002b:00007ffcced96ca0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 +[ 97.807224] RAX: ffffffffffffffda RBX: 00005619d5037f80 RCX: 00007f4147b07976 +[ 97.807224] RDX: 0000000000000002 RSI: 00005619d46b969c RDI: 00000000ffffff9c +[ 98.040039] RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000000 +[ 98.040039] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000024 +[ 98.040039] R13: 0000000000000012 R14: 00005619d5035950 R15: 0000000000000012 +[ 98.040039] Modules linked in: nct6775 hwmon_vid algif_skcipher af_alg nls_iso8859_1 nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common arc4 videodev media snd_usb_audio snd_hda_codec_hdmi snd_usbmidi_lib snd_rawmidi snd_seq_device mousedev input_leds iwlmvm mac80211 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec edac_mce_amd kvm_amd snd_hda_core kvm iwlwifi snd_hwdep r8169 wmi_bmof cfg80211 snd_pcm irqbypass snd_timer snd libphy soundcore pinctrl_amd rfkill pcspkr sp5100_tco evdev gpio_amdpt k10temp mac_hid i2c_piix4 wmi pcc_cpufreq acpi_cpufreq vboxnetflt(OE) vboxnetadp(OE) vboxpci(OE) vboxdrv(OE) msr sg crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 fscrypto uas usb_storage dm_crypt hid_generic usbhid hid +[ 98.040039] dm_mod raid1 md_mod sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc ahci libahci aesni_intel aes_x86_64 libata crypto_simd cryptd glue_helper ccp xhci_pci rng_core scsi_mod xhci_hcd nvidia_drm(POE) drm_kms_helper syscopyarea sysfillrect sysimgblt 
fb_sys_fops drm agpgart nvidia_uvm(POE) nvidia_modeset(POE) nvidia(POE) ipmi_devintf ipmi_msghandler +[ 98.040039] CR2: 0000000000000080 +[ 98.040039] ---[ end trace 3b65093b6fe62b2f ]--- +[ 98.040039] RIP: 0010:drm_lease_owner+0xd/0x20 [drm] +[ 98.040039] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44 +[ 98.040039] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202 +[ 98.040039] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88 +[ 98.040039] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 98.040039] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000 +[ 98.040039] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888 +[ 98.040039] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8 +[ 98.040039] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000 +[ 98.040039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 98.040039] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0 + +Signed-off-by: Sergio Correia +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20181122053329.2692-1-sergio@correia.cc +Signed-off-by: Sean Paul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_auth.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/drm_auth.c ++++ b/drivers/gpu/drm/drm_auth.c +@@ -133,6 +133,7 @@ static int drm_new_set_master(struct drm + + lockdep_assert_held_once(&dev->master_mutex); + ++ WARN_ON(fpriv->is_master); + old_master = fpriv->master; + fpriv->master = drm_master_create(dev); + if (!fpriv->master) { +@@ -161,6 +162,7 @@ out_err: + /* drop references and restore old master on failure */ + drm_master_put(&fpriv->master); + fpriv->master = old_master; ++ fpriv->is_master = 0; + + return ret; + } 
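Review bot: The `fpriv->is_master = 0;` added at `out_err:` resets the flag to a fixed value rather than to what it was on entry, and the only thing making that equivalent is the new `WARN_ON(fpriv->is_master);` at the top of drm_new_set_master(), which sits in the other hunk and is not referenced at the error path. I would tie the two together with a comment on the reset, `/* is_master was 0 on entry (WARN_ON above); a failed master must not leave it set */`, so that a later change to the precondition does not silently leave the restore wrong. The stretch of drm_new_set_master() between the two hunks, including wherever is_master is set to 1, is not visible here.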
diff --git a/queue-4.14/ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch b/queue-4.14/ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch new file mode 100644 index 00000000000..990b87954dc --- /dev/null +++ b/queue-4.14/ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch 
@@ -0,0 +1,86 @@ +From db7a691a1551a748cb92d9c89c6b190ea87e28d5 Mon Sep 17 00:00:00 2001 +From: Michael Guralnik +Date: Wed, 21 Nov 2018 15:03:54 +0200 +Subject: IB/mlx5: Avoid load failure due to unknown link width + +From: Michael Guralnik + +commit db7a691a1551a748cb92d9c89c6b190ea87e28d5 upstream. + +If the firmware reports a connection width that is not 1x, 4x, 8x or 12x +it causes the driver to fail during initialization. + +To prevent this failure every time a new width is introduced to the RDMA +stack, we will set a default 4x width for these widths which ar unknown to +the driver. + +This is needed to allow to run old kernels with new firmware. + +Cc: # 4.1 +Fixes: 1b5daf11b015 ("IB/mlx5: Avoid using the MAD_IFC command under ISSI > 0 mode") +Signed-off-by: Michael Guralnik +Reviewed-by: Majd Dibbiny +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/main.c | 29 +++++++++++------------------ + 1 file changed, 11 insertions(+), 18 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -869,31 +869,26 @@ enum mlx5_ib_width { + MLX5_IB_WIDTH_12X = 1 << 4 + }; + +-static int translate_active_width(struct ib_device *ibdev, u8 active_width, ++static void translate_active_width(struct ib_device *ibdev, u8 active_width, + u8 *ib_width) + { + struct mlx5_ib_dev *dev = to_mdev(ibdev); +- int err = 0; + +- if (active_width & MLX5_IB_WIDTH_1X) { ++ if (active_width & MLX5_IB_WIDTH_1X) + *ib_width = IB_WIDTH_1X; +- } else if (active_width & MLX5_IB_WIDTH_2X) { +- mlx5_ib_dbg(dev, "active_width %d is not supported by IB spec\n", +- (int)active_width); +- err = -EINVAL; +- } else if (active_width & MLX5_IB_WIDTH_4X) { ++ else if (active_width & MLX5_IB_WIDTH_4X) + *ib_width = IB_WIDTH_4X; +- } else if (active_width & MLX5_IB_WIDTH_8X) { ++ else if (active_width & MLX5_IB_WIDTH_8X) + *ib_width = IB_WIDTH_8X; +- } else if (active_width & 
MLX5_IB_WIDTH_12X) { ++ else if (active_width & MLX5_IB_WIDTH_12X) + *ib_width = IB_WIDTH_12X; +- } else { +- mlx5_ib_dbg(dev, "Invalid active_width %d\n", ++ else { ++ mlx5_ib_dbg(dev, "Invalid active_width %d, setting width to default value: 4x\n", + (int)active_width); +- err = -EINVAL; ++ *ib_width = IB_WIDTH_4X; + } + +- return err; ++ return; + } + + static int mlx5_mtu_to_ib_mtu(int mtu) +@@ -1001,10 +996,8 @@ static int mlx5_query_hca_port(struct ib + if (err) + goto out; + +- err = translate_active_width(ibdev, ib_link_width_oper, +- &props->active_width); +- if (err) +- goto out; ++ translate_active_width(ibdev, ib_link_width_oper, &props->active_width); ++ + err = mlx5_query_port_ib_proto_oper(mdev, &props->active_speed, port); + if (err) + goto out; diff --git a/queue-4.14/iser-set-sector-for-ambiguous-mr-status-errors.patch b/queue-4.14/iser-set-sector-for-ambiguous-mr-status-errors.patch new file mode 100644 index 00000000000..5f722d9802a --- /dev/null +++ b/queue-4.14/iser-set-sector-for-ambiguous-mr-status-errors.patch 
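Review bot: The new `else` branch in translate_active_width() now also absorbs MLX5_IB_WIDTH_2X, whose dedicated branch was removed, so a 2x link is reported upward as IB_WIDTH_4X while the only record of that is a `mlx5_ib_dbg()` message that is silent unless debug output is enabled. Reporting unknown values as 4x is the documented intent, but the branch deserves a comment, `/* Unknown (including 2x) widths are reported as 4x so init does not fail on newer firmware */`, and arguably a warning-level message rather than a debug one. The trailing `return;` at the end of the now-void function is dead and can be dropped. The caller hunk in mlx5_query_hca_port() is consistent with the void signature; that function starts and ends outside the hunk.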
@@ -0,0 +1,47 @@ +From 24c3456c8d5ee6fc1933ca40f7b4406130682668 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Wed, 14 Nov 2018 10:17:01 -0800 +Subject: iser: set sector for ambiguous mr status errors + +From: Sagi Grimberg + +commit 24c3456c8d5ee6fc1933ca40f7b4406130682668 upstream. + +If for some reason we failed to query the mr status, we need to make sure +to provide sufficient information for an ambiguous error (guard error on +sector 0). + +Fixes: 0a7a08ad6f5f ("IB/iser: Implement check_protection") +Cc: +Reported-by: Dan Carpenter +Signed-off-by: Sagi Grimberg +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/iser/iser_verbs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/ulp/iser/iser_verbs.c ++++ b/drivers/infiniband/ulp/iser/iser_verbs.c +@@ -1108,7 +1108,9 @@ u8 iser_check_task_pi_status(struct iscs + IB_MR_CHECK_SIG_STATUS, &mr_status); + if (ret) { + pr_err("ib_check_mr_status failed, ret %d\n", ret); +- goto err; ++ /* Not a lot we can do, return ambiguous guard error */ ++ *sector = 0; ++ return 0x1; + } + + if (mr_status.fail_status & IB_MR_CHECK_SIG_STATUS) { +@@ -1136,9 +1138,6 @@ u8 iser_check_task_pi_status(struct iscs + } + + return 0; +-err: +- /* Not alot we can do here, return ambiguous guard error */ +- return 0x1; + } + + void iser_err_comp(struct ib_wc *wc, const char *type) diff --git a/queue-4.14/mips-fix-mips_get_syscall_arg-o32-check.patch b/queue-4.14/mips-fix-mips_get_syscall_arg-o32-check.patch new file mode 100644 index 00000000000..07e4dc17d2a --- /dev/null +++ b/queue-4.14/mips-fix-mips_get_syscall_arg-o32-check.patch 
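Review bot: Removing the `err:` label in iser_check_task_pi_status() is only safe if no other `goto err` remains in the stretch of the function between the two hunks; that stretch is not shown, so a leftover would only surface as a build error and is worth confirming. The early return uses the bare literal `return 0x1;` for the guard-error status just as the removed tail did; a named constant, or at least `/* guard error */` beside it, would make the ambiguous-error contract readable at the call site. The function's signature and the rest of its body are outside the hunk.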
@@ -0,0 +1,42 @@ +From c50cbd85cd7027d32ac5945bb60217936b4f7eaf Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Wed, 21 Nov 2018 22:14:39 +0300 +Subject: mips: fix mips_get_syscall_arg o32 check + +From: Dmitry V. Levin + +commit c50cbd85cd7027d32ac5945bb60217936b4f7eaf upstream. + +When checking for TIF_32BIT_REGS flag, mips_get_syscall_arg() should +use the task specified as its argument instead of the current task. + +This potentially affects all syscall_get_arguments() users +who specify tasks different from the current. + +Fixes: c0ff3c53d4f99 ("MIPS: Enable HAVE_ARCH_TRACEHOOK.") +Signed-off-by: Dmitry V. Levin +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/21185/ +Cc: Elvira Khabirova +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # v3.13+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/syscall.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/syscall.h ++++ b/arch/mips/include/asm/syscall.h +@@ -51,7 +51,7 @@ static inline unsigned long mips_get_sys + #ifdef CONFIG_64BIT + case 4: case 5: case 6: case 7: + #ifdef CONFIG_MIPS32_O32 +- if (test_thread_flag(TIF_32BIT_REGS)) ++ if (test_tsk_thread_flag(task, TIF_32BIT_REGS)) + return get_user(*arg, (int *)usp + n); + else + #endif diff --git a/queue-4.14/mips-ralink-fix-mt7620-nd_sd-pinmux.patch b/queue-4.14/mips-ralink-fix-mt7620-nd_sd-pinmux.patch new file mode 100644 index 00000000000..54781427027 --- /dev/null +++ b/queue-4.14/mips-ralink-fix-mt7620-nd_sd-pinmux.patch 
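Review bot: The corrected `test_tsk_thread_flag(task, TIF_32BIT_REGS)` decides the argument width from `task`, but the `get_user(*arg, (int *)usp + n)` on the next line still reads through the calling context's address space, so for a `task` that is not current the result depends on the caller running in that task's mm, and the change does not say so. I would record the constraint on the function, e.g. `/* usp is read via get_user(): callers passing a task other than current must run in that task's address space */`, hedged as the callers are not visible from here. mips_get_syscall_arg() starts before the hunk and continues after it.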
@@ -0,0 +1,41 @@ +From 7d35baa4e9ec4b717bc0e58a39cdb6a1c50f5465 Mon Sep 17 00:00:00 2001 +From: Mathias Kresin +Date: Mon, 26 Nov 2018 11:25:40 +0100 +Subject: MIPS: ralink: Fix mt7620 nd_sd pinmux + +From: Mathias Kresin + +commit 7d35baa4e9ec4b717bc0e58a39cdb6a1c50f5465 upstream. + +In case the nd_sd group is set to the sd-card function, Pins 45 + 46 are +configured as GPIOs. If they are blocked by the sd function, they can't +be used as GPIOs. + +Reported-by: Kristian Evensen +Signed-off-by: Mathias Kresin +Signed-off-by: Paul Burton +Fixes: f576fb6a0700 ("MIPS: ralink: cleanup the soc specific pinmux data") +Patchwork: https://patchwork.linux-mips.org/patch/21220/ +Cc: John Crispin +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # v3.18+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/ralink/mt7620.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/ralink/mt7620.c ++++ b/arch/mips/ralink/mt7620.c +@@ -84,7 +84,7 @@ static struct rt2880_pmx_func pcie_rst_g + }; + static struct rt2880_pmx_func nd_sd_grp[] = { + FUNC("nand", MT7620_GPIO_MODE_NAND, 45, 15), +- FUNC("sd", MT7620_GPIO_MODE_SD, 45, 15) ++ FUNC("sd", MT7620_GPIO_MODE_SD, 47, 13) + }; + + static struct rt2880_pmx_group mt7620a_pinmux_data[] = { diff --git a/queue-4.14/series b/queue-4.14/series index 2bc124e7a7d..e8814347dc8 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
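Review bot: The sd entry now reads `FUNC("sd", MT7620_GPIO_MODE_SD, 47, 13)` while the nand entry in the same group keeps `45, 15`; both ranges end at pin 59, so the table is consistent, but the reason for the different start lives only in the commit message. I would leave it next to the data, `/* SD uses pins 47-59; 45/46 stay available as GPIOs */`, so that a later "alignment" edit does not put the two entries back in step. The FUNC() macro and the meaning of the two trailing numbers are outside the hunk, so the pin-range reading is inferred from the commit text.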
@@ -10,3 +10,16 @@ drm-gma500-fix-logic-error.patch scsi-bfa-convert-to-strlcpy-strlcat.patch staging-rts5208-fix-gcc-8-logic-error-warning.patch kdb-use-memmove-instead-of-overlapping-memcpy.patch +iser-set-sector-for-ambiguous-mr-status-errors.patch +uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch +mips-ralink-fix-mt7620-nd_sd-pinmux.patch +mips-fix-mips_get_syscall_arg-o32-check.patch +ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch +drm-ast-fix-incorrect-free-on-ioregs.patch +drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch +drm-meson-enable-fast_io-in-meson_dw_hdmi_regmap_config.patch +drm-meson-fix-oob-memory-accesses-in-meson_viu_set_osd_lut.patch +userfaultfd-use-enoent-instead-of-efault-if-the-atomic-copy-user-fails.patch +userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch +userfaultfd-shmem-add-i_size-checks.patch +userfaultfd-shmem-uffdio_copy-set-the-page-dirty-if-vm_write-is-not-set.patch diff --git a/queue-4.14/uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch b/queue-4.14/uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch new file mode 100644 index 00000000000..a84456b3790 --- /dev/null +++ b/queue-4.14/uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch 
@@ -0,0 +1,79 @@ +From 09d3f015d1e1b4fee7e9bbdcf54201d239393391 Mon Sep 17 00:00:00 2001 +From: Andrea Parri +Date: Thu, 22 Nov 2018 17:10:31 +0100 +Subject: uprobes: Fix handle_swbp() vs. unregister() + register() race once more + +From: Andrea Parri + +commit 09d3f015d1e1b4fee7e9bbdcf54201d239393391 upstream. + +Commit: + + 142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race") + +added the UPROBE_COPY_INSN flag, and corresponding smp_wmb() and smp_rmb() +memory barriers, to ensure that handle_swbp() uses fully-initialized +uprobes only. + +However, the smp_rmb() is mis-placed: this barrier should be placed +after handle_swbp() has tested for the flag, thus guaranteeing that +(program-order) subsequent loads from the uprobe can see the initial +stores performed by prepare_uprobe(). + +Move the smp_rmb() accordingly. Also amend the comments associated +to the two memory barriers to indicate their actual locations. + +Signed-off-by: Andrea Parri +Acked-by: Oleg Nesterov +Cc: Alexander Shishkin +Cc: Andrew Morton +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Paul E. 
McKenney +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: stable@kernel.org +Fixes: 142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race") +Link: http://lkml.kernel.org/r/20181122161031.15179-1-andrea.parri@amarulasolutions.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/uprobes.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -616,7 +616,7 @@ static int prepare_uprobe(struct uprobe + BUG_ON((uprobe->offset & ~PAGE_MASK) + + UPROBE_SWBP_INSN_SIZE > PAGE_SIZE); + +- smp_wmb(); /* pairs with rmb() in find_active_uprobe() */ ++ smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */ + set_bit(UPROBE_COPY_INSN, &uprobe->flags); + + out: +@@ -1910,10 +1910,18 @@ static void handle_swbp(struct pt_regs * + * After we hit the bp, _unregister + _register can install the + * new and not-yet-analyzed uprobe at the same address, restart. + */ +- smp_rmb(); /* pairs with wmb() in install_breakpoint() */ + if (unlikely(!test_bit(UPROBE_COPY_INSN, &uprobe->flags))) + goto out; + ++ /* ++ * Pairs with the smp_wmb() in prepare_uprobe(). ++ * ++ * Guarantees that if we see the UPROBE_COPY_INSN bit set, then ++ * we must also see the stores to &uprobe->arch performed by the ++ * prepare_uprobe() call. ++ */ ++ smp_rmb(); ++ + /* Tracing handlers use ->utask to communicate with fetch methods */ + if (!get_utask()) + goto out; diff --git a/queue-4.14/userfaultfd-shmem-add-i_size-checks.patch b/queue-4.14/userfaultfd-shmem-add-i_size-checks.patch new file mode 100644 index 00000000000..3bc5e4ec6ca --- /dev/null +++ b/queue-4.14/userfaultfd-shmem-add-i_size-checks.patch 
@@ -0,0 +1,149 @@ +From e2a50c1f64145a04959df2442305d57307e5395a Mon Sep 17 00:00:00 2001 +From: Andrea Arcangeli +Date: Fri, 30 Nov 2018 14:09:37 -0800 +Subject: userfaultfd: shmem: add i_size checks + +From: Andrea Arcangeli + +commit e2a50c1f64145a04959df2442305d57307e5395a upstream. + +With MAP_SHARED: recheck the i_size after taking the PT lock, to +serialize against truncate with the PT lock. Delete the page from the +pagecache if the i_size_read check fails. + +With MAP_PRIVATE: check the i_size after the PT lock before mapping +anonymous memory or zeropages into the MAP_PRIVATE shmem mapping. + +A mostly irrelevant cleanup: like we do the delete_from_page_cache() +pagecache removal after dropping the PT lock, the PT lock is a spinlock +so drop it before the sleepable page lock. + +Link: http://lkml.kernel.org/r/20181126173452.26955-5-aarcange@redhat.com +Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") +Signed-off-by: Andrea Arcangeli +Reviewed-by: Mike Rapoport +Reviewed-by: Hugh Dickins +Reported-by: Jann Horn +Cc: +Cc: "Dr. 
David Alan Gilbert" +Cc: Mike Kravetz +Cc: Peter Xu +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/shmem.c | 18 ++++++++++++++++-- + mm/userfaultfd.c | 26 ++++++++++++++++++++++++-- + 2 files changed, 40 insertions(+), 4 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2244,6 +2244,7 @@ static int shmem_mfill_atomic_pte(struct + struct page *page; + pte_t _dst_pte, *dst_pte; + int ret; ++ pgoff_t offset, max_off; + + ret = -ENOMEM; + if (!shmem_inode_acct_block(inode, 1)) +@@ -2281,6 +2282,12 @@ static int shmem_mfill_atomic_pte(struct + __SetPageSwapBacked(page); + __SetPageUptodate(page); + ++ ret = -EFAULT; ++ offset = linear_page_index(dst_vma, dst_addr); ++ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); ++ if (unlikely(offset >= max_off)) ++ goto out_release; ++ + ret = mem_cgroup_try_charge(page, dst_mm, gfp, &memcg, false); + if (ret) + goto out_release; +@@ -2299,8 +2306,14 @@ static int shmem_mfill_atomic_pte(struct + if (dst_vma->vm_flags & VM_WRITE) + _dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte)); + +- ret = -EEXIST; + dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); ++ ++ ret = -EFAULT; ++ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); ++ if (unlikely(offset >= max_off)) ++ goto out_release_uncharge_unlock; ++ ++ ret = -EEXIST; + if (!pte_none(*dst_pte)) + goto out_release_uncharge_unlock; + +@@ -2318,13 +2331,14 @@ static int shmem_mfill_atomic_pte(struct + + /* No need to invalidate - it was non-present before */ + update_mmu_cache(dst_vma, dst_addr, dst_pte); +- unlock_page(page); + pte_unmap_unlock(dst_pte, ptl); ++ unlock_page(page); + ret = 0; + out: + return ret; + out_release_uncharge_unlock: + pte_unmap_unlock(dst_pte, ptl); ++ delete_from_page_cache(page); + out_release_uncharge: + mem_cgroup_cancel_charge(page, memcg, false); + out_release: +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -34,6 +34,8 @@ static int 
mcopy_atomic_pte(struct mm_st + void *page_kaddr; + int ret; + struct page *page; ++ pgoff_t offset, max_off; ++ struct inode *inode; + + if (!*pagep) { + ret = -ENOMEM; +@@ -74,8 +76,17 @@ static int mcopy_atomic_pte(struct mm_st + if (dst_vma->vm_flags & VM_WRITE) + _dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte)); + +- ret = -EEXIST; + dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); ++ if (dst_vma->vm_file) { ++ /* the shmem MAP_PRIVATE case requires checking the i_size */ ++ inode = dst_vma->vm_file->f_inode; ++ offset = linear_page_index(dst_vma, dst_addr); ++ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); ++ ret = -EFAULT; ++ if (unlikely(offset >= max_off)) ++ goto out_release_uncharge_unlock; ++ } ++ ret = -EEXIST; + if (!pte_none(*dst_pte)) + goto out_release_uncharge_unlock; + +@@ -109,11 +120,22 @@ static int mfill_zeropage_pte(struct mm_ + pte_t _dst_pte, *dst_pte; + spinlock_t *ptl; + int ret; ++ pgoff_t offset, max_off; ++ struct inode *inode; + + _dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr), + dst_vma->vm_page_prot)); +- ret = -EEXIST; + dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); ++ if (dst_vma->vm_file) { ++ /* the shmem MAP_PRIVATE case requires checking the i_size */ ++ inode = dst_vma->vm_file->f_inode; ++ offset = linear_page_index(dst_vma, dst_addr); ++ max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); ++ ret = -EFAULT; ++ if (unlikely(offset >= max_off)) ++ goto out_unlock; ++ } ++ ret = -EEXIST; + if (!pte_none(*dst_pte)) + goto out_unlock; + set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte); diff --git a/queue-4.14/userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch b/queue-4.14/userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch new file mode 100644 index 00000000000..6bdd35d1be1 --- /dev/null +++ b/queue-4.14/userfaultfd-shmem-allocate-anonymous-memory-for-map_private-shmem.patch 
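Review bot: The i_size recheck added under pte_offset_map_lock() in mcopy_atomic_pte() is repeated verbatim in mfill_zeropage_pte() (the same nine lines, differing only in the goto target), so the two copies can drift apart; a small static helper returning whether the faulting offset is at or past the file size would keep the predicate in one place while each caller keeps its own error label. The shmem_mfill_atomic_pte() recheck in mm/shmem.c performs the same computation on its own inode and is fine to leave separate since it lives in another file. All three enclosing functions begin outside the hunks, and the `if (dst_vma->vm_file)` guard suggests the helper must also treat a vma with no backing file as never over-size.
```c
/*
 * True when dst_addr falls at or past the current i_size of the file
 * backing dst_vma (the MAP_PRIVATE shmem case); a vma with no file is
 * never over-size. Meant to be called with the PT lock held, as both
 * existing sites do.
 */
static bool mfill_file_over_size(struct vm_area_struct *dst_vma,
				 unsigned long dst_addr)
{
	struct inode *inode;
	pgoff_t offset, max_off;

	if (!dst_vma->vm_file)
		return false;

	inode = dst_vma->vm_file->f_inode;
	offset = linear_page_index(dst_vma, dst_addr);
	max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
	return offset >= max_off;
}

	/* … unchanged: pte setup in mcopy_atomic_pte() / mfill_zeropage_pte() … */
	dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
	ret = -EFAULT;
	if (unlikely(mfill_file_over_size(dst_vma, dst_addr)))
		goto out_release_uncharge_unlock;	/* out_unlock in mfill_zeropage_pte() */
	ret = -EEXIST;
```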
@@ -0,0 +1,85 @@ +From 5b51072e97d587186c2f5390c8c9c1fb7e179505 Mon Sep 17 00:00:00 2001 +From: Andrea Arcangeli +Date: Fri, 30 Nov 2018 14:09:28 -0800 +Subject: userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem + +From: Andrea Arcangeli + +commit 5b51072e97d587186c2f5390c8c9c1fb7e179505 upstream. + +Userfaultfd did not create private memory when UFFDIO_COPY was invoked +on a MAP_PRIVATE shmem mapping. Instead it wrote to the shmem file, +even when that had not been opened for writing. Though, fortunately, +that could only happen where there was a hole in the file. + +Fix the shmem-backed implementation of UFFDIO_COPY to create private +memory for MAP_PRIVATE mappings. The hugetlbfs-backed implementation +was already correct. + +This change is visible to userland, if userfaultfd has been used in +unintended ways: so it introduces a small risk of incompatibility, but +is necessary in order to respect file permissions. + +An app that uses UFFDIO_COPY for anything like postcopy live migration +won't notice the difference, and in fact it'll run faster because there +will be no copy-on-write and memory waste in the tmpfs pagecache +anymore. + +Userfaults on MAP_PRIVATE shmem keep triggering only on file holes like +before. + +The real zeropage can also be built on a MAP_PRIVATE shmem mapping +through UFFDIO_ZEROPAGE and that's safe because the zeropage pte is +never dirty, in turn even an mprotect upgrading the vma permission from +PROT_READ to PROT_READ|PROT_WRITE won't make the zeropage pte writable. + +Link: http://lkml.kernel.org/r/20181126173452.26955-3-aarcange@redhat.com +Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") +Signed-off-by: Andrea Arcangeli +Reported-by: Mike Rapoport +Reviewed-by: Hugh Dickins +Cc: +Cc: "Dr. 
David Alan Gilbert" +Cc: Jann Horn +Cc: Mike Kravetz +Cc: Peter Xu +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/userfaultfd.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -381,7 +381,17 @@ static __always_inline ssize_t mfill_ato + { + ssize_t err; + +- if (vma_is_anonymous(dst_vma)) { ++ /* ++ * The normal page fault path for a shmem will invoke the ++ * fault, fill the hole in the file and COW it right away. The ++ * result generates plain anonymous memory. So when we are ++ * asked to fill an hole in a MAP_PRIVATE shmem mapping, we'll ++ * generate anonymous memory directly without actually filling ++ * the hole. For the MAP_PRIVATE case the robustness check ++ * only happens in the pagetable (to verify it's still none) ++ * and not in the radix tree. ++ */ ++ if (!(dst_vma->vm_flags & VM_SHARED)) { + if (!zeropage) + err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma, + dst_addr, src_addr, page); +@@ -480,7 +490,8 @@ retry: + * dst_vma. + */ + err = -ENOMEM; +- if (vma_is_anonymous(dst_vma) && unlikely(anon_vma_prepare(dst_vma))) ++ if (!(dst_vma->vm_flags & VM_SHARED) && ++ unlikely(anon_vma_prepare(dst_vma))) + goto out_unlock; + + while (src_addr < src_start + len) { diff --git a/queue-4.14/userfaultfd-shmem-uffdio_copy-set-the-page-dirty-if-vm_write-is-not-set.patch b/queue-4.14/userfaultfd-shmem-uffdio_copy-set-the-page-dirty-if-vm_write-is-not-set.patch new file mode 100644 index 00000000000..5a6d58e40b0 --- /dev/null +++ b/queue-4.14/userfaultfd-shmem-uffdio_copy-set-the-page-dirty-if-vm_write-is-not-set.patch 
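Review bot: The anon_vma_prepare() guard in the second hunk (mm/userfaultfd.c around line 490) now also fires for MAP_PRIVATE shmem, but the comment ending in `* dst_vma.` just above it is left untouched and, as far as the visible context shows, still reads as describing only the anonymous case; a one-line addition such as `/* MAP_PRIVATE shmem is filled with anonymous memory too, so it needs an anon_vma as well */` would keep it in step with the new `!(dst_vma->vm_flags & VM_SHARED)` test. That predicate is now spelled out twice (in mfill_atomic_pte and in the retry path), and a single named test would stop the two from diverging the next time the condition changes. Both enclosing functions begin outside the hunks.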
@@ -0,0 +1,64 @@ +From dcf7fe9d89763a28e0f43975b422ff141fe79e43 Mon Sep 17 00:00:00 2001 +From: Andrea Arcangeli +Date: Fri, 30 Nov 2018 14:09:43 -0800 +Subject: userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set + +From: Andrea Arcangeli + +commit dcf7fe9d89763a28e0f43975b422ff141fe79e43 upstream. + +Set the page dirty if VM_WRITE is not set because in such case the pte +won't be marked dirty and the page would be reclaimed without writepage +(i.e. swapout in the shmem case). + +This was found by source review. Most apps (certainly including QEMU) +only use UFFDIO_COPY on PROT_READ|PROT_WRITE mappings or the app can't +modify the memory in the first place. This is for correctness and it +could help the non cooperative use case to avoid unexpected data loss. + +Link: http://lkml.kernel.org/r/20181126173452.26955-6-aarcange@redhat.com +Reviewed-by: Hugh Dickins +Cc: stable@vger.kernel.org +Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") +Reported-by: Hugh Dickins +Signed-off-by: Andrea Arcangeli +Cc: "Dr. David Alan Gilbert" +Cc: Jann Horn +Cc: Mike Kravetz +Cc: Mike Rapoport +Cc: Peter Xu +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/shmem.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2305,6 +2305,16 @@ static int shmem_mfill_atomic_pte(struct + _dst_pte = mk_pte(page, dst_vma->vm_page_prot); + if (dst_vma->vm_flags & VM_WRITE) + _dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte)); ++ else { ++ /* ++ * We don't set the pte dirty if the vma has no ++ * VM_WRITE permission, so mark the page dirty or it ++ * could be freed from under us. We could do it ++ * unconditionally before unlock_page(), but doing it ++ * only if VM_WRITE is not set is faster. 
++ */ ++ set_page_dirty(page); ++ } + + dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); + +@@ -2338,6 +2348,7 @@ out: + return ret; + out_release_uncharge_unlock: + pte_unmap_unlock(dst_pte, ptl); ++ ClearPageDirty(page); + delete_from_page_cache(page); + out_release_uncharge: + mem_cgroup_cancel_charge(page, memcg, false); diff --git a/queue-4.14/userfaultfd-use-enoent-instead-of-efault-if-the-atomic-copy-user-fails.patch b/queue-4.14/userfaultfd-use-enoent-instead-of-efault-if-the-atomic-copy-user-fails.patch new file mode 100644 index 00000000000..bbc23e3af36 --- /dev/null +++ b/queue-4.14/userfaultfd-use-enoent-instead-of-efault-if-the-atomic-copy-user-fails.patch 
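Review bot: The new `else {` block is paired with a brace-less `if (dst_vma->vm_flags & VM_WRITE)` branch; kernel coding style asks for braces on both branches once either needs them, so the if-branch should become `if (dst_vma->vm_flags & VM_WRITE) {` with a closing `}` before the `else`. The `ClearPageDirty(page)` added in the error path appears to exist only to undo the set_page_dirty() above before delete_from_page_cache(), since no pte has been installed on that path as far as the hunk shows; a comment such as `/* undo the set_page_dirty() done for the !VM_WRITE case before dropping the page */` would keep the two paired. shmem_mfill_atomic_pte() begins and ends outside the hunks.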
@@ -0,0 +1,107 @@ +From 9e368259ad988356c4c95150fafd1a06af095d98 Mon Sep 17 00:00:00 2001 +From: Andrea Arcangeli +Date: Fri, 30 Nov 2018 14:09:25 -0800 +Subject: userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails + +From: Andrea Arcangeli + +commit 9e368259ad988356c4c95150fafd1a06af095d98 upstream. + +Patch series "userfaultfd shmem updates". + +Jann found two bugs in the userfaultfd shmem MAP_SHARED backend: the +lack of the VM_MAYWRITE check and the lack of i_size checks. + +Then looking into the above we also fixed the MAP_PRIVATE case. + +Hugh by source review also found a data loss source if UFFDIO_COPY is +used on shmem MAP_SHARED PROT_READ mappings (the production usages +incidentally run with PROT_READ|PROT_WRITE, so the data loss couldn't +happen in those production usages like with QEMU). + +The whole patchset is marked for stable. + +We verified QEMU postcopy live migration with guest running on shmem +MAP_PRIVATE run as well as before after the fix of shmem MAP_PRIVATE. +Regardless if it's shmem or hugetlbfs or MAP_PRIVATE or MAP_SHARED, QEMU +unconditionally invokes a punch hole if the guest mapping is filebacked +and a MADV_DONTNEED too (needed to get rid of the MAP_PRIVATE COWs and +for the anon backend). + +This patch (of 5): + +We internally used EFAULT to communicate with the caller, switch to +ENOENT, so EFAULT can be used as a non internal retval. + +Link: http://lkml.kernel.org/r/20181126173452.26955-2-aarcange@redhat.com +Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") +Signed-off-by: Andrea Arcangeli +Reviewed-by: Mike Rapoport +Reviewed-by: Hugh Dickins +Cc: Mike Kravetz +Cc: Jann Horn +Cc: Peter Xu +Cc: "Dr. 
David Alan Gilbert" +Cc: +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 2 +- + mm/shmem.c | 2 +- + mm/userfaultfd.c | 6 +++--- + 3 files changed, 5 insertions(+), 5 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -4037,7 +4037,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_s + + /* fallback to copy_from_user outside mmap_sem */ + if (unlikely(ret)) { +- ret = -EFAULT; ++ ret = -ENOENT; + *pagep = page; + /* don't free the page */ + goto out; +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2266,7 +2266,7 @@ static int shmem_mfill_atomic_pte(struct + *pagep = page; + shmem_inode_unacct_blocks(inode, 1); + /* don't free the page */ +- return -EFAULT; ++ return -ENOENT; + } + } else { /* mfill_zeropage_atomic */ + clear_highpage(page); +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -49,7 +49,7 @@ static int mcopy_atomic_pte(struct mm_st + + /* fallback to copy_from_user outside mmap_sem */ + if (unlikely(ret)) { +- ret = -EFAULT; ++ ret = -ENOENT; + *pagep = page; + /* don't free the page */ + goto out; +@@ -275,7 +275,7 @@ retry: + + cond_resched(); + +- if (unlikely(err == -EFAULT)) { ++ if (unlikely(err == -ENOENT)) { + up_read(&dst_mm->mmap_sem); + BUG_ON(!page); + +@@ -521,7 +521,7 @@ retry: + src_addr, &page, zeropage); + cond_resched(); + +- if (unlikely(err == -EFAULT)) { ++ if (unlikely(err == -ENOENT)) { + void *page_kaddr; + + up_read(&dst_mm->mmap_sem);
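Review bot: -ENOENT now acts as an internal "retry the copy outside mmap_sem" signal at the three changed return sites, and the two retry loops match it with `err == -ENOENT` and then `BUG_ON(!page)`; any callee on those paths that some day returns -ENOENT for an unrelated reason would be mistaken for a retry request and trip that BUG_ON rather than surface as an error. Only the neighbouring "fallback to copy_from_user outside mmap_sem" comment hints at this, so a note at each return site such as `/* -ENOENT is an internal retry code and must never reach userspace */` would make the reserved value explicit. The enclosing functions (hugetlb_mcopy_atomic_pte, shmem_mfill_atomic_pte, mcopy_atomic_pte and the two retry loops) all begin and end outside the hunks.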