From 368a6c4e9a4114c723967ac9737f71dadbf7b37d Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 26 Feb 2023 10:46:06 -0500
Subject: [PATCH] Fixes for 4.19
Signed-off-by: Sasha Levin
---
...potential-deadlock-during-nfit-teard.patch | 75 +++++++++++++++++++
...-add-power-domains-property-to-dp-no.patch | 36 +++++++++
...-number-of-clones-and-allocated-memo.patch | 44 +++++++++++
.../ib-hfi1-assign-npages-earlier.patch | 64 ++++++++++++++++
queue-4.19/series | 4 +
5 files changed, 223 insertions(+)
create mode 100644 queue-4.19/acpi-nfit-fix-a-potential-deadlock-during-nfit-teard.patch
create mode 100644 queue-4.19/arm-dts-rockchip-add-power-domains-property-to-dp-no.patch
create mode 100644 queue-4.19/btrfs-send-limit-number-of-clones-and-allocated-memo.patch
create mode 100644 queue-4.19/ib-hfi1-assign-npages-earlier.patch
create mode 100644 queue-4.19/series
diff --git a/queue-4.19/acpi-nfit-fix-a-potential-deadlock-during-nfit-teard.patch b/queue-4.19/acpi-nfit-fix-a-potential-deadlock-during-nfit-teard.patch
new file mode 100644
index 00000000000..c5f187c89b6
--- /dev/null
+++ b/queue-4.19/acpi-nfit-fix-a-potential-deadlock-during-nfit-teard.patch
@@ -0,0 +1,75 @@
+From 2a44048280114e00f48b67637e90f005b2fe79e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 25 Jan 2023 11:34:18 -0700
+Subject: ACPI: NFIT: fix a potential deadlock during NFIT teardown
+
+From: Vishal Verma
+
+[ Upstream commit fb6df4366f86dd252bfa3049edffa52d17e7b895 ]
+
+Lockdep reports that acpi_nfit_shutdown() may deadlock against an
+opportune acpi_nfit_scrub(). acpi_nfit_scrub () is run from inside a
+'work' and therefore has already acquired workqueue-internal locks. It
+also acquiires acpi_desc->init_mutex. acpi_nfit_shutdown() first
+acquires init_mutex, and was subsequently attempting to cancel any
+pending workqueue items. This reversed locking order causes a potential
+deadlock:
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 6.2.0-rc3 #116 Tainted: G O N
+ ------------------------------------------------------
+ libndctl/1958 is trying to acquire lock:
+ ffff888129b461c0 ((work_completion)(&(&acpi_desc->dwork)->work)){+.+.}-{0:0}, at: __flush_work+0x43/0x450
+
+ but task is already holding lock:
+ ffff888129b460e8 (&acpi_desc->init_mutex){+.+.}-{3:3}, at: acpi_nfit_shutdown+0x87/0xd0 [nfit]
+
+ which lock already depends on the new lock.
+
+ ...
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&acpi_desc->init_mutex);
+ lock((work_completion)(&(&acpi_desc->dwork)->work));
+ lock(&acpi_desc->init_mutex);
+ lock((work_completion)(&(&acpi_desc->dwork)->work));
+
+ *** DEADLOCK ***
+
+Since the workqueue manipulation is protected by its own internal locking,
+the cancellation of pending work doesn't need to be done under
+acpi_desc->init_mutex. Move cancel_delayed_work_sync() outside the
+init_mutex to fix the deadlock. Any work that starts after
+acpi_nfit_shutdown() drops the lock will see ARS_CANCEL, and the
+cancel_delayed_work_sync() will safely flush it out.
+
+Reported-by: Dan Williams
+Signed-off-by: Vishal Verma
+Link: https://lore.kernel.org/r/20230112-acpi_nfit_lockdep-v1-1-660be4dd10be@intel.com
+Signed-off-by: Dan Williams
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/nfit/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
+index 58a756ca14d85..c2863eec0f241 100644
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -3442,8 +3442,8 @@ void acpi_nfit_shutdown(void *data)
+
+ mutex_lock(&acpi_desc->init_mutex);
+ set_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
+- cancel_delayed_work_sync(&acpi_desc->dwork);
+ mutex_unlock(&acpi_desc->init_mutex);
++ cancel_delayed_work_sync(&acpi_desc->dwork);
+
+ /*
+ * Bounce the nvdimm bus lock to make sure any in-flight
+--
+2.39.0
+
diff --git a/queue-4.19/arm-dts-rockchip-add-power-domains-property-to-dp-no.patch b/queue-4.19/arm-dts-rockchip-add-power-domains-property-to-dp-no.patch
new file mode 100644
index 00000000000..07960949209
--- /dev/null
+++ b/queue-4.19/arm-dts-rockchip-add-power-domains-property-to-dp-no.patch
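Review bot: The relocated `cancel_delayed_work_sync(&acpi_desc->dwork)` in acpi_nfit_shutdown() (drivers/acpi/nfit/core.c) has no comment saying why it must follow `mutex_unlock()`, so a later cleanup could move it back under init_mutex and reintroduce the lock inversion described in the commit message. A one-line comment above the call would record the ordering rule, for example `/* Cancel outside init_mutex: the scrub work takes init_mutex, so a sync cancel under it can deadlock. */`. The fix also depends on every path that queues dwork checking ARS_CANCEL under init_mutex; those paths are outside this hunk and should be confirmed against the 4.19 tree. The function body continues beyond the hunk.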
@@ -0,0 +1,36 @@
+From e500483687c19a26ea583815944139410b250e45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Dec 2022 21:17:32 +0100
+Subject: ARM: dts: rockchip: add power-domains property to dp node on rk3288
+
+From: Johan Jonker
+
+[ Upstream commit 80422339a75088322b4d3884bd12fa0fe5d11050 ]
+
+The clocks in the Rockchip rk3288 DisplayPort node are
+included in the power-domain@RK3288_PD_VIO logic, but the
+power-domains property in the dp node is missing, so fix it.
+
+Signed-off-by: Johan Jonker
+Link: https://lore.kernel.org/r/dab85bfb-9f55-86a1-5cd5-7388c43e0ec5@gmail.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/rk3288.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
+index e442bf7427ae1..402b5e0fd616c 100644
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -1172,6 +1172,7 @@ edp: dp@ff970000 {
+ clock-names = "dp", "pclk";
+ phys = <&edp_phy>;
+ phy-names = "dp";
++ power-domains = <&power RK3288_PD_VIO>;
+ resets = <&cru SRST_EDP>;
+ reset-names = "dp";
+ rockchip,grf = <&grf>;
+--
+2.39.0
+
diff --git a/queue-4.19/btrfs-send-limit-number-of-clones-and-allocated-memo.patch b/queue-4.19/btrfs-send-limit-number-of-clones-and-allocated-memo.patch
new file mode 100644
index 00000000000..0a2478b05ad
--- /dev/null
+++ b/queue-4.19/btrfs-send-limit-number-of-clones-and-allocated-memo.patch
@@ -0,0 +1,44 @@
+From 91b51e5f59c9a956b1f36d07481ca381f19cdf0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 24 Jan 2023 20:32:10 +0100
+Subject: btrfs: send: limit number of clones and allocated memory size
+
+From: David Sterba
+
+[ Upstream commit 33e17b3f5ab74af12aca58c515bc8424ff69a343 ]
+
+The arg->clone_sources_count is u64 and can trigger a warning when a
+huge value is passed from user space and a huge array is allocated.
+Limit the allocated memory to 8MiB (can be increased if needed), which
+in turn limits the number of clone sources to 8M / sizeof(struct
+clone_root) = 8M / 40 = 209715. Real world number of clones is from
+tens to hundreds, so this is future proof.
+
+Reported-by: syzbot+4376a9a073770c173269@syzkaller.appspotmail.com
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/send.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 80d248e88761d..1f535cd990d3c 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6826,10 +6826,10 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg)
+ /*
+ * Check that we don't overflow at later allocations, we request
+ * clone_sources_count + 1 items, and compare to unsigned long inside
+- * access_ok.
++ * access_ok. Also set an upper limit for allocation size so this can't
++ * easily exhaust memory. Max number of clone sources is about 200K.
+ */
+- if (arg->clone_sources_count >
+- ULONG_MAX / sizeof(struct clone_root) - 1) {
++ if (arg->clone_sources_count > SZ_8M / sizeof(struct clone_root)) {
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.39.0
+
diff --git a/queue-4.19/ib-hfi1-assign-npages-earlier.patch b/queue-4.19/ib-hfi1-assign-npages-earlier.patch
new file mode 100644
index 00000000000..8f0b18bdf04
--- /dev/null
+++ b/queue-4.19/ib-hfi1-assign-npages-earlier.patch
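Review bot: The new bound in btrfs_ioctl_send() (fs/btrfs/send.c) tests `clone_sources_count` itself against `SZ_8M / sizeof(struct clone_root)`, while the comment directly above says the later allocation requests `clone_sources_count + 1` items, so the largest accepted count allocates one element more than 8MiB. The overflow that the old ULONG_MAX test guarded against is still excluded, but because the count comes from the user-space ioctl argument the cap is worth stating exactly: either compare with `>=` or reword the comment to say the limit is approximate. The commit message's figure of 209715 assumes a 40-byte struct clone_root; the struct is not visible here and its size may differ in the 4.19 tree. The function continues outside the hunk.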
@@ -0,0 +1,64 @@
+From 61518542d974a999dc321b0c78b6b5a1f374e50a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Jan 2023 14:04:08 -0500
+Subject: IB/hfi1: Assign npages earlier
+
+From: Dean Luick
+
+[ Upstream commit f9c47b2caa7ffc903ec950b454b59c209afe3182 ]
+
+Improve code clarity and enable earlier use of
+tidbuf->npages by moving its assignment to
+structure creation time.
+
+Signed-off-by: Dean Luick
+Signed-off-by: Dennis Dalessandro
+Link: https://lore.kernel.org/r/167329104884.1472990.4639750192433251493.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index dab823aac95e1..2619a7a9f27cf 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -215,16 +215,11 @@ static void unpin_rcv_pages(struct hfi1_filedata *fd,
+ static int pin_rcv_pages(struct hfi1_filedata *fd, struct tid_user_buf *tidbuf)
+ {
+ int pinned;
+- unsigned int npages;
++ unsigned int npages = tidbuf->npages;
+ unsigned long vaddr = tidbuf->vaddr;
+ struct page **pages = NULL;
+ struct hfi1_devdata *dd = fd->uctxt->dd;
+
+- /* Get the number of pages the user buffer spans */
+- npages = num_user_pages(vaddr, tidbuf->length);
+- if (!npages)
+- return -EINVAL;
+-
+ if (npages > fd->uctxt->expected_count) {
+ dd_dev_err(dd, "Expected buffer too big\n");
+ return -EINVAL;
+@@ -258,7 +253,6 @@ static int pin_rcv_pages(struct hfi1_filedata *fd, struct tid_user_buf *tidbuf)
+ return pinned;
+ }
+ tidbuf->pages = pages;
+- tidbuf->npages = npages;
+ fd->tid_n_pinned += pinned;
+ return pinned;
+ }
+@@ -334,6 +328,7 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+
+ tidbuf->vaddr = tinfo->vaddr;
+ tidbuf->length = tinfo->length;
++ tidbuf->npages = num_user_pages(tidbuf->vaddr, tidbuf->length);
+ tidbuf->psets = kcalloc(uctxt->expected_count, sizeof(*tidbuf->psets),
+ GFP_KERNEL);
+ if (!tidbuf->psets) {
+--
+2.39.0
+
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..bb534f99284
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1,4 @@
+arm-dts-rockchip-add-power-domains-property-to-dp-no.patch
+acpi-nfit-fix-a-potential-deadlock-during-nfit-teard.patch
+btrfs-send-limit-number-of-clones-and-allocated-memo.patch
+ib-hfi1-assign-npages-earlier.patch
--
2.47.3
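Review bot: The first hunk of the hfi1 patch removes the `if (!npages) return -EINVAL;` rejection from pin_rcv_pages(), and the assignment added in hfi1_user_exp_rcv_setup() does not replace it, so within the visible lines a buffer for which num_user_pages() returns 0 is no longer refused. Unless setup already rejects a zero `tinfo->length` before this point (not visible in the hunk), pin_rcv_pages() proceeds with `npages == 0`. The vaddr and length appear to describe a caller-supplied user buffer, so keeping the guard is cheap: retain `if (!npages) return -EINVAL;` ahead of the `expected_count` comparison in pin_rcv_pages(), which avoids adding a new early return in setup after tidbuf has been allocated. Both functions continue outside the hunks shown.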