From 21a6286ec510be08c81b15eff371a0b2756cb2ea Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 9 Mar 2020 21:08:36 +0100 Subject: [PATCH] 4.19-stable patches added patches: dm-cache-fix-a-crash-due-to-incorrect-work-item-cancelling.patch dm-report-suspended-device-during-destroy.patch dm-writecache-verify-watermark-during-resume.patch dmaengine-tegra-apb-fix-use-after-free.patch dmaengine-tegra-apb-prevent-race-conditions-of-tasklet-vs-free-list.patch --- ...set-button-supported-for-thinkpad-x1.patch | 58 -------- ...-headset-of-asus-b9450fa-with-alc294.patch | 59 -------- ...ue-to-incorrect-work-item-cancelling.patch | 51 +++++++ ...port-suspended-device-during-destroy.patch | 139 ++++++++++++++++++ ...cache-verify-watermark-during-resume.patch | 57 +++++++ ...-check-to-include-rx-event-for-uart6.patch | 43 ------ ...aengine-tegra-apb-fix-use-after-free.patch | 62 ++++++++ ...e-conditions-of-tasklet-vs-free-list.patch | 37 +++++ queue-4.19/series | 8 +- 9 files changed, 351 insertions(+), 163 deletions(-) delete mode 100644 queue-4.19/alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch delete mode 100644 queue-4.19/alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch create mode 100644 queue-4.19/dm-cache-fix-a-crash-due-to-incorrect-work-item-cancelling.patch create mode 100644 queue-4.19/dm-report-suspended-device-during-destroy.patch create mode 100644 queue-4.19/dm-writecache-verify-watermark-during-resume.patch delete mode 100644 queue-4.19/dmaengine-imx-sdma-fix-the-event-id-check-to-include-rx-event-for-uart6.patch create mode 100644 queue-4.19/dmaengine-tegra-apb-fix-use-after-free.patch create mode 100644 queue-4.19/dmaengine-tegra-apb-prevent-race-conditions-of-tasklet-vs-free-list.patch 
diff --git a/queue-4.19/alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch b/queue-4.19/alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch
deleted file mode 100644
index 99c01e8ac6b..00000000000
--- a/queue-4.19/alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -From 76f7dec08fd64e9e3ad0810a1a8a60b0a846d348 Mon Sep 17 00:00:00 2001 -From: Kailang Yang -Date: Mon, 10 Feb 2020 16:30:26 +0800 -Subject: ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1 - -From: Kailang Yang - -commit 76f7dec08fd64e9e3ad0810a1a8a60b0a846d348 upstream. - -ThinkPad want to support Headset Button control. -This patch will enable it. - -Signed-off-by: Kailang Yang -Cc: -Link: https://lore.kernel.org/r/7f0b7128f40f41f6b5582ff610adc33d@realtek.com -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman - ---- - sound/pci/hda/patch_realtek.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5725,7 +5725,7 @@ enum { - ALC289_FIXUP_DUAL_SPK, - ALC294_FIXUP_SPK2_TO_DAC1, - ALC294_FIXUP_ASUS_DUAL_SPK, -- -+ ALC285_FIXUP_THINKPAD_HEADSET_JACK, - }; - - static const struct hda_fixup alc269_fixups[] = { -@@ -6813,7 +6813,12 @@ static const struct hda_fixup alc269_fix - .chained = true, - .chain_id = ALC294_FIXUP_SPK2_TO_DAC1 - }, -- -+ [ALC285_FIXUP_THINKPAD_HEADSET_JACK] = { -+ .type = HDA_FIXUP_FUNC, -+ .v.func = alc_fixup_headset_jack, -+ .chained = true, -+ .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1 -+ }, - }; - - static const struct snd_pci_quirk alc269_fixup_tbl[] = { -@@ -7049,8 +7054,8 @@ static const struct snd_pci_quirk alc269 - SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), - SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), - SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), -- SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Yoga 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1), -- SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1), -+ SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Yoga 7th", ALC285_FIXUP_THINKPAD_HEADSET_JACK), -+ SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_THINKPAD_HEADSET_JACK), 
- SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), - SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), - SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), diff --git a/queue-4.19/alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch b/queue-4.19/alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch deleted file mode 100644 index 8cdced7f97e..00000000000 --- a/queue-4.19/alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 8b33a134a9cc2a501f8fc731d91caef39237d495 Mon Sep 17 00:00:00 2001 -From: Jian-Hong Pan -Date: Tue, 25 Feb 2020 15:29:21 +0800 -Subject: ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294 - -From: Jian-Hong Pan - -commit 8b33a134a9cc2a501f8fc731d91caef39237d495 upstream. - -A headset on the laptop like ASUS B9450FA does not work, until quirk -ALC294_FIXUP_ASUS_HPE is applied. - -Signed-off-by: Jian-Hong Pan -Signed-off-by: Kailang Yang -Cc: -Link: https://lore.kernel.org/r/20200225072920.109199-1-jian-hong@endlessm.com -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman - ---- - sound/pci/hda/patch_realtek.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -5727,6 +5727,7 @@ enum { - ALC294_FIXUP_SPK2_TO_DAC1, - ALC294_FIXUP_ASUS_DUAL_SPK, - ALC285_FIXUP_THINKPAD_HEADSET_JACK, -+ ALC294_FIXUP_ASUS_HPE, - }; - - static const struct hda_fixup alc269_fixups[] = { -@@ -6820,6 +6821,17 @@ static const struct hda_fixup alc269_fix - .chained = true, - .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1 - }, -+ [ALC294_FIXUP_ASUS_HPE] = { -+ .type = HDA_FIXUP_VERBS, -+ .v.verbs = (const struct hda_verb[]) { -+ /* Set EAPD high */ -+ { 0x20, AC_VERB_SET_COEF_INDEX, 0x0f }, -+ { 0x20, AC_VERB_SET_PROC_COEF, 0x7774 }, -+ { } -+ }, -+ .chained = true, -+ .chain_id = ALC294_FIXUP_ASUS_HEADSET_MIC -+ }, - }; - - static const struct snd_pci_quirk alc269_fixup_tbl[] = { -@@ -6985,6 +6997,7 @@ static const struct snd_pci_quirk alc269 - SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), - SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK), - SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), -+ SND_PCI_QUIRK(0x1043, 0x19ce, "ASUS B9450FA", ALC294_FIXUP_ASUS_HPE), - SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW), - SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", 
ALC256_FIXUP_ASUS_MIC), - SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC), diff --git a/queue-4.19/dm-cache-fix-a-crash-due-to-incorrect-work-item-cancelling.patch b/queue-4.19/dm-cache-fix-a-crash-due-to-incorrect-work-item-cancelling.patch new file mode 100644 index 00000000000..5aa06c566f1 --- /dev/null +++ b/queue-4.19/dm-cache-fix-a-crash-due-to-incorrect-work-item-cancelling.patch 
@@ -0,0 +1,51 @@
+From 7cdf6a0aae1cccf5167f3f04ecddcf648b78e289 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Wed, 19 Feb 2020 10:25:45 -0500
+Subject: dm cache: fix a crash due to incorrect work item cancelling
+
+From: Mikulas Patocka
+
+commit 7cdf6a0aae1cccf5167f3f04ecddcf648b78e289 upstream.
+
+The crash can be reproduced by running the lvm2 testsuite test
+lvconvert-thin-external-cache.sh for several minutes, e.g.:
+ while :; do make check T=shell/lvconvert-thin-external-cache.sh; done
+
+The crash happens in this call chain:
+do_waker -> policy_tick -> smq_tick -> end_hotspot_period -> clear_bitset
+-> memset -> __memset -- which accesses an invalid pointer in the vmalloc
+area.
+
+The work entry on the workqueue is executed even after the bitmap was
+freed. The problem is that cancel_delayed_work doesn't wait for the
+running work item to finish, so the work item can continue running and
+re-submitting itself even after cache_postsuspend. In order to make sure
+that the work item won't be running, we must use cancel_delayed_work_sync.
+
+Also, change flush_workqueue to drain_workqueue, so that if some work item
+submits itself or another work item, we are properly waiting for both of
+them.
+
+Fixes: c6b4fcbad044 ("dm: add cache target")
+Cc: stable@vger.kernel.org # v3.9
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-cache-target.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-cache-target.c
++++ b/drivers/md/dm-cache-target.c
+@@ -2859,8 +2859,8 @@ static void cache_postsuspend(struct dm_
+ prevent_background_work(cache);
+ BUG_ON(atomic_read(&cache->nr_io_migrations));
+
+- cancel_delayed_work(&cache->waker);
+- flush_workqueue(cache->wq);
++ cancel_delayed_work_sync(&cache->waker);
++ drain_workqueue(cache->wq);
+ WARN_ON(cache->tracker.in_flight);
+
+ /*
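Review bot: The two replaced calls in cache_postsuspend() carry no comment recording why the synchronous variants are required, so a later cleanup could revert them to cancel_delayed_work()/flush_workqueue() and reopen the crash described in the commit message. I would add above them `/* waker re-submits itself: wait for a running instance and for re-queued work before the bitmap it touches is freed */`. drain_workqueue() only returns once nothing re-queues, so it appears to rely on prevent_background_work(), two lines up, having stopped new submissions; that is inferred from the visible order and is worth stating in the same comment. The body of cache_postsuspend() continues past the end of the hunk.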
diff --git a/queue-4.19/dm-report-suspended-device-during-destroy.patch b/queue-4.19/dm-report-suspended-device-during-destroy.patch
new file mode 100644
index 00000000000..0c08d17f9fb
--- /dev/null
+++ b/queue-4.19/dm-report-suspended-device-during-destroy.patch
@@ -0,0 +1,139 @@ +From adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 24 Feb 2020 10:20:28 +0100 +Subject: dm: report suspended device during destroy + +From: Mikulas Patocka + +commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 upstream. + +The function dm_suspended returns true if the target is suspended. +However, when the target is being suspended during unload, it returns +false. + +An example where this is a problem: the test "!dm_suspended(wc->ti)" in +writecache_writeback is not sufficient, because dm_suspended returns +zero while writecache_suspend is in progress. As is, without an +enhanced dm_suspended, simply switching from flush_workqueue to +drain_workqueue still emits warnings: +workqueue writecache-writeback: drain_workqueue() isn't complete after 10 tries +workqueue writecache-writeback: drain_workqueue() isn't complete after 100 tries +workqueue writecache-writeback: drain_workqueue() isn't complete after 200 tries +workqueue writecache-writeback: drain_workqueue() isn't complete after 300 tries +workqueue writecache-writeback: drain_workqueue() isn't complete after 400 tries + +writecache_suspend calls flush_workqueue(wc->writeback_wq) - this function +flushes the current work. However, the workqueue may re-queue itself and +flush_workqueue doesn't wait for re-queued works to finish. Because of +this - the function writecache_writeback continues execution after the +device was suspended and then concurrently with writecache_dtr, causing +a crash in writecache_writeback. + +We must use drain_workqueue - that waits until the work and all re-queued +works finish. + +As a prereq for switching to drain_workqueue, this commit fixes +dm_suspended to return true after the presuspend hook and before the +postsuspend hook - just like during a normal suspend. It allows +simplifying the dm-integrity and dm-writecache targets so that they +don't have to maintain suspended flags on their own. 
+ +With this change use of drain_workqueue() can be used effectively. This +change was tested with the lvm2 testsuite and cryptsetup testsuite and +the are no regressions. + +Fixes: 48debafe4f2f ("dm: add writecache target") +Cc: stable@vger.kernel.org # 4.18+ +Reported-by: Corey Marthaler +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-integrity.c | 12 +++++------- + drivers/md/dm-writecache.c | 2 +- + drivers/md/dm.c | 1 + + 3 files changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -186,12 +186,13 @@ struct dm_integrity_c { + __u8 sectors_per_block; + + unsigned char mode; +- int suspending; + + int failed; + + struct crypto_shash *internal_hash; + ++ struct dm_target *ti; ++ + /* these variables are locked with endio_wait.lock */ + struct rb_root in_progress; + struct list_head wait_list; +@@ -2080,7 +2081,7 @@ static void integrity_writer(struct work + unsigned prev_free_sectors; + + /* the following test is not needed, but it tests the replay code */ +- if (READ_ONCE(ic->suspending) && !ic->meta_dev) ++ if (unlikely(dm_suspended(ic->ti)) && !ic->meta_dev) + return; + + spin_lock_irq(&ic->endio_wait.lock); +@@ -2139,7 +2140,7 @@ static void integrity_recalc(struct work + + next_chunk: + +- if (unlikely(READ_ONCE(ic->suspending))) ++ if (unlikely(dm_suspended(ic->ti))) + goto unlock_ret; + + range.logical_sector = le64_to_cpu(ic->sb->recalc_sector); +@@ -2411,8 +2412,6 @@ static void dm_integrity_postsuspend(str + + del_timer_sync(&ic->autocommit_timer); + +- WRITE_ONCE(ic->suspending, 1); +- + if (ic->recalc_wq) + drain_workqueue(ic->recalc_wq); + +@@ -2426,8 +2425,6 @@ static void dm_integrity_postsuspend(str + dm_integrity_flush_buffers(ic); + } + +- WRITE_ONCE(ic->suspending, 0); +- + BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress)); + + ic->journal_uptodate = true; +@@ -3116,6 +3113,7 @@ static int dm_integrity_ctr(struct dm_ta + } + 
ti->private = ic; + ti->per_io_data_size = sizeof(struct dm_integrity_io); ++ ic->ti = ti; + + ic->in_progress = RB_ROOT; + INIT_LIST_HEAD(&ic->wait_list); +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -844,7 +844,7 @@ static void writecache_suspend(struct dm + } + wc_unlock(wc); + +- flush_workqueue(wc->writeback_wq); ++ drain_workqueue(wc->writeback_wq); + + wc_lock(wc); + if (flush_on_suspend) +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2353,6 +2353,7 @@ static void __dm_destroy(struct mapped_d + map = dm_get_live_table(md, &srcu_idx); + if (!dm_suspended_md(md)) { + dm_table_presuspend_targets(map); ++ set_bit(DMF_SUSPENDED, &md->flags); + dm_table_postsuspend_targets(map); + } + /* dm_put_live_table must be before msleep, otherwise deadlock is possible */ diff --git a/queue-4.19/dm-writecache-verify-watermark-during-resume.patch b/queue-4.19/dm-writecache-verify-watermark-during-resume.patch new file mode 100644 index 00000000000..726781c4658 --- /dev/null +++ b/queue-4.19/dm-writecache-verify-watermark-during-resume.patch 
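Review bot: The `set_bit(DMF_SUSPENDED, &md->flags)` added to __dm_destroy() is what lets the new `drain_workqueue(wc->writeback_wq)` in writecache_suspend() terminate, yet nothing at either site records that coupling. Per the commit message, without it the writeback work keeps re-queuing and drain_workqueue() logs "isn't complete after N tries", so a backport that takes one hunk without the other regresses. I would add `/* make dm_suspended() true for the postsuspend hooks, as in a normal suspend; targets rely on it to stop re-queuing work */` above the set_bit. Separately, integrity_writer() and integrity_recalc() now dereference `ic->ti`, which is assigned only in the dm_integrity_ctr() hunk; whether either work item can be queued before that assignment is not visible here and should be confirmed. The functions touched all continue outside their hunks.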
@@ -0,0 +1,57 @@
+From 41c526c5af46d4c4dab7f72c99000b7fac0b9702 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Mon, 24 Feb 2020 10:20:30 +0100
+Subject: dm writecache: verify watermark during resume
+
+From: Mikulas Patocka
+
+commit 41c526c5af46d4c4dab7f72c99000b7fac0b9702 upstream.
+
+Verify the watermark upon resume - so that if the target is reloaded
+with lower watermark, it will start the cleanup process immediately.
+
+Fixes: 48debafe4f2f ("dm: add writecache target")
+Cc: stable@vger.kernel.org # 4.18+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-writecache.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -631,6 +631,12 @@ static void writecache_add_to_freelist(s
+ wc->freelist_size++;
+ }
+
++static inline void writecache_verify_watermark(struct dm_writecache *wc)
++{
++ if (unlikely(wc->freelist_size + wc->writeback_size <= wc->freelist_high_watermark))
++ queue_work(wc->writeback_wq, &wc->writeback_work);
++}
++
+ static struct wc_entry *writecache_pop_from_freelist(struct dm_writecache *wc)
+ {
+ struct wc_entry *e;
+@@ -652,8 +658,8 @@ static struct wc_entry *writecache_pop_f
+ list_del(&e->lru);
+ }
+ wc->freelist_size--;
+- if (unlikely(wc->freelist_size + wc->writeback_size <= wc->freelist_high_watermark))
+- queue_work(wc->writeback_wq, &wc->writeback_work);
++
++ writecache_verify_watermark(wc);
+
+ return e;
+ }
+@@ -967,6 +973,8 @@ erase_this:
+ writecache_commit_flushed(wc, false);
+ }
+
++ writecache_verify_watermark(wc);
++
+ wc_unlock(wc);
+ }
+
diff --git a/queue-4.19/dmaengine-imx-sdma-fix-the-event-id-check-to-include-rx-event-for-uart6.patch b/queue-4.19/dmaengine-imx-sdma-fix-the-event-id-check-to-include-rx-event-for-uart6.patch
deleted file mode 100644
index fcf2d7a786a..00000000000
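Review bot: The new helper writecache_verify_watermark() reads `wc->freelist_size` and `wc->writeback_size` without stating its locking contract. The call added in the last hunk sits directly before `wc_unlock(wc)`, so the helper appears to require the wc lock, but nothing documents or enforces that for future callers. I would add above it `/* caller must hold the wc lock; queues writeback when free plus in-writeback entries are at or below the high watermark */`. Both call sites are in functions that start outside their hunks.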
--- a/queue-4.19/dmaengine-imx-sdma-fix-the-event-id-check-to-include-rx-event-for-uart6.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 25962e1a7f1d522f1b57ead2f266fab570042a70 Mon Sep 17 00:00:00 2001
-From: Frieder Schrempf
-Date: Tue, 25 Feb 2020 08:23:20 +0000
-Subject: dmaengine: imx-sdma: Fix the event id check to include RX event for UART6
-
-From: Frieder Schrempf
-
-commit 25962e1a7f1d522f1b57ead2f266fab570042a70 upstream.
-
-On i.MX6UL/ULL and i.MX6SX the DMA event id for the RX channel of
-UART6 is '0'. To fix the broken DMA support for UART6, we change
-the check for event_id0 to include '0' as a valid id.
-
-Fixes: 1ec1e82f2510 ("dmaengine: Add Freescale i.MX SDMA support")
-Signed-off-by: Frieder Schrempf
-Reviewed-by: Fabio Estevam
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20200225082139.7646-1-frieder.schrempf@kontron.de
-Signed-off-by: Vinod Koul
-Signed-off-by: Greg Kroah-Hartman
-
-diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
-index 332ca5034504..4d4477df4ede 100644
---- a/drivers/dma/imx-sdma.c
-+++ b/drivers/dma/imx-sdma.c
-@@ -1331,7 +1331,7 @@ static void sdma_free_chan_resources(struct dma_chan *chan)
-
- sdma_channel_synchronize(chan);
-
-- if (sdmac->event_id0)
-+ if (sdmac->event_id0 >= 0)
- sdma_event_disable(sdmac, sdmac->event_id0);
- if (sdmac->event_id1)
- sdma_event_disable(sdmac, sdmac->event_id1);
-@@ -1632,7 +1632,7 @@ static int sdma_config(struct dma_chan *chan,
- memcpy(&sdmac->slave_config, dmaengine_cfg, sizeof(*dmaengine_cfg));
-
- /* Set ENBLn earlier to make sure dma request triggered after that */
-- if (sdmac->event_id0) {
-+ if (sdmac->event_id0 >= 0) {
- if (sdmac->event_id0 >= sdmac->sdma->drvdata->num_events)
- return -EINVAL;
- sdma_event_enable(sdmac, sdmac->event_id0);
diff --git a/queue-4.19/dmaengine-tegra-apb-fix-use-after-free.patch b/queue-4.19/dmaengine-tegra-apb-fix-use-after-free.patch
new file mode 100644
index 00000000000..253584b2283
--- /dev/null
+++ b/queue-4.19/dmaengine-tegra-apb-fix-use-after-free.patch 
@@ -0,0 +1,62 @@
+From 94788af4ed039476ff3527b0e6a12c1dc42cb022 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Sun, 9 Feb 2020 19:33:38 +0300
+Subject: dmaengine: tegra-apb: Fix use-after-free
+
+From: Dmitry Osipenko
+
+commit 94788af4ed039476ff3527b0e6a12c1dc42cb022 upstream.
+
+I was doing some experiments with I2C and noticed that Tegra APB DMA
+driver crashes sometime after I2C DMA transfer termination. The crash
+happens because tegra_dma_terminate_all() bails out immediately if pending
+list is empty, and thus, it doesn't release the half-completed descriptors
+which are getting re-used before ISR tasklet kicks-in.
+
+ tegra-i2c 7000c400.i2c: DMA transfer timeout
+ elants_i2c 0-0010: elants_i2c_irq: failed to read data: -110
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 142 at lib/list_debug.c:45 __list_del_entry_valid+0x45/0xac
+ list_del corruption, ddbaac44->next is LIST_POISON1 (00000100)
+ Modules linked in:
+ CPU: 0 PID: 142 Comm: kworker/0:2 Not tainted 5.5.0-rc2-next-20191220-00175-gc3605715758d-dirty #538
+ Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
+ Workqueue: events_freezable_power_ thermal_zone_device_check
+ [] (unwind_backtrace) from [] (show_stack+0x11/0x14)
+ [] (show_stack) from [] (dump_stack+0x85/0x94)
+ [] (dump_stack) from [] (__warn+0xc1/0xc4)
+ [] (__warn) from [] (warn_slowpath_fmt+0x61/0x78)
+ [] (warn_slowpath_fmt) from [] (__list_del_entry_valid+0x45/0xac)
+ [] (__list_del_entry_valid) from [] (tegra_dma_tasklet+0x5b/0x154)
+ [] (tegra_dma_tasklet) from [] (tasklet_action_common.constprop.0+0x41/0x7c)
+ [] (tasklet_action_common.constprop.0) from [] (__do_softirq+0xd3/0x2a8)
+ [] (__do_softirq) from [] (irq_exit+0x7b/0x98)
+ [] (irq_exit) from [] (__handle_domain_irq+0x45/0x80)
+ [] (__handle_domain_irq) from [] (gic_handle_irq+0x45/0x7c)
+ [] (gic_handle_irq) from [] (__irq_svc+0x65/0x94)
+ Exception stack(0xde2ebb90 to 0xde2ebbd8)
+
+Signed-off-by: Dmitry Osipenko
+Acked-by: Jon Hunter
+Cc:
+Link: https://lore.kernel.org/r/20200209163356.6439-2-digetx@gmail.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/dma/tegra20-apb-dma.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/dma/tegra20-apb-dma.c
++++ b/drivers/dma/tegra20-apb-dma.c
+@@ -756,10 +756,6 @@ static int tegra_dma_terminate_all(struc
+ bool was_busy;
+
+ spin_lock_irqsave(&tdc->lock, flags);
+- if (list_empty(&tdc->pending_sg_req)) {
+- spin_unlock_irqrestore(&tdc->lock, flags);
+- return 0;
+- }
+
+ if (!tdc->busy)
+ goto skip_dma_stop;
diff --git a/queue-4.19/dmaengine-tegra-apb-prevent-race-conditions-of-tasklet-vs-free-list.patch b/queue-4.19/dmaengine-tegra-apb-prevent-race-conditions-of-tasklet-vs-free-list.patch
new file mode 100644
index 00000000000..e72a401be9b
--- /dev/null
+++ b/queue-4.19/dmaengine-tegra-apb-prevent-race-conditions-of-tasklet-vs-free-list.patch
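Review bot: With the `list_empty(&tdc->pending_sg_req)` early return removed, everything from `skip_dma_stop` onward in tegra_dma_terminate_all() now runs with an empty pending list, and that code lies outside the hunk, so its behaviour in the empty case cannot be confirmed from here. The commit message gives the reason as releasing half-completed descriptors; a comment after the lock, `/* no early exit on an empty pending list: half-completed descriptors must still be released */`, would keep the check from being re-added as an optimisation. The nested patch also carries no `Fixes:` tag, so how far back the use-after-free reaches is not recorded on this page.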
@@ -0,0 +1,37 @@
+From c33ee1301c393a241d6424e36eff1071811b1064 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Sun, 9 Feb 2020 19:33:39 +0300
+Subject: dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
+
+From: Dmitry Osipenko
+
+commit c33ee1301c393a241d6424e36eff1071811b1064 upstream.
+
+The interrupt handler puts a half-completed DMA descriptor on a free list
+and then schedules tasklet to process bottom half of the descriptor that
+executes client's callback, this creates possibility to pick up the busy
+descriptor from the free list. Thus, let's disallow descriptor's re-use
+until it is fully processed.
+
+Signed-off-by: Dmitry Osipenko
+Acked-by: Jon Hunter
+Cc:
+Link: https://lore.kernel.org/r/20200209163356.6439-3-digetx@gmail.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/dma/tegra20-apb-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/tegra20-apb-dma.c
++++ b/drivers/dma/tegra20-apb-dma.c
+@@ -288,7 +288,7 @@ static struct tegra_dma_desc *tegra_dma_
+
+ /* Do not allocate if desc are waiting for ack */
+ list_for_each_entry(dma_desc, &tdc->free_dma_desc, node) {
+- if (async_tx_test_ack(&dma_desc->txd)) {
++ if (async_tx_test_ack(&dma_desc->txd) && !dma_desc->cb_count) {
+ list_del(&dma_desc->node);
+ spin_unlock_irqrestore(&tdc->lock, flags);
+ dma_desc->txd.flags = 0;
diff --git a/queue-4.19/series b/queue-4.19/series
index b33b3d560c5..f6e9f2eae16 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
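Review bot: The comment above the loop still reads `/* Do not allocate if desc are waiting for ack */`, but the condition now also skips descriptors whose `cb_count` is non-zero. I would update it to `/* Do not allocate if desc are waiting for ack or still have callbacks pending */` so the reuse guard is not later mistaken for redundant and dropped. The `cb_count` read sits before the visible `spin_unlock_irqrestore(&tdc->lock, flags)`, so it appears to be covered by tdc->lock; the tasklet side that modifies the counter is not shown and should be checked to do so under the same lock. The function (its name is truncated to `tegra_dma_` in the hunk header) starts and ends outside the hunk.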
@@ -30,9 +30,7 @@ ice-don-t-tell-the-os-that-link-is-going-down.patch x86-xen-distribute-switch-variables-for-initializati.patch net-thunderx-workaround-bgx-tx-underflow-issue.patch alsa-hda-realtek-add-headset-mic-supported.patch -alsa-hda-realtek-add-headset-button-supported-for-thinkpad-x1.patch alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-master.patch -alsa-hda-realtek-enable-the-headset-of-asus-b9450fa-with-alc294.patch cifs-don-t-leak-eagain-for-stat-during-reconnect.patch usb-storage-add-quirk-for-samsung-fit-flash.patch usb-quirks-add-no_lpm-quirk-for-logitech-screen-share.patch @@ -52,4 +50,8 @@ vt-selection-push-console-lock-down.patch vt-selection-push-sel_lock-up.patch media-v4l2-mem2mem.c-fix-broken-links.patch x86-pkeys-manually-set-x86_feature_ospke-to-preserve-existing-changes.patch -dmaengine-imx-sdma-fix-the-event-id-check-to-include-rx-event-for-uart6.patch +dmaengine-tegra-apb-fix-use-after-free.patch +dmaengine-tegra-apb-prevent-race-conditions-of-tasklet-vs-free-list.patch +dm-cache-fix-a-crash-due-to-incorrect-work-item-cancelling.patch +dm-report-suspended-device-during-destroy.patch +dm-writecache-verify-watermark-during-resume.patch -- 2.47.3