From d9446a9179309e975bbdce03b0fb7171bcbeecd7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 18 Aug 2019 14:12:36 +0200
Subject: [PATCH] 5.2-stable patches
added patches:
blk-mq-move-cancel-of-requeue_work-to-the-front-of-blk_exit_queue.patch
io_uring-fix-manual-setup-of-iov_iter-for-fixed-buffers.patch
revert-i2c-imx-improve-the-error-handling-in-i2c_imx_dma_request.patch
riscv-correct-the-initialized-flow-of-fp-register.patch
riscv-make-__fstate_clean-work-correctly.patch
---
..._work-to-the-front-of-blk_exit_queue.patch | 55 +++++++
...-setup-of-iov_iter-for-fixed-buffers.patch | 46 ++++++
...rror-handling-in-i2c_imx_dma_request.patch | 145 ++++++++++++++++++
...-the-initialized-flow-of-fp-register.patch | 91 +++++++++++
...v-make-__fstate_clean-work-correctly.patch | 36 +++++
queue-5.2/series | 5 +
6 files changed, 378 insertions(+)
create mode 100644 queue-5.2/blk-mq-move-cancel-of-requeue_work-to-the-front-of-blk_exit_queue.patch
create mode 100644 queue-5.2/io_uring-fix-manual-setup-of-iov_iter-for-fixed-buffers.patch
create mode 100644 queue-5.2/revert-i2c-imx-improve-the-error-handling-in-i2c_imx_dma_request.patch
create mode 100644 queue-5.2/riscv-correct-the-initialized-flow-of-fp-register.patch
create mode 100644 queue-5.2/riscv-make-__fstate_clean-work-correctly.patch
diff --git a/queue-5.2/blk-mq-move-cancel-of-requeue_work-to-the-front-of-blk_exit_queue.patch b/queue-5.2/blk-mq-move-cancel-of-requeue_work-to-the-front-of-blk_exit_queue.patch
new file mode 100644
index 00000000000..821772561f5
--- /dev/null
+++ b/queue-5.2/blk-mq-move-cancel-of-requeue_work-to-the-front-of-blk_exit_queue.patch
@@ -0,0 +1,55 @@
+From e26cc08265dda37d2acc8394604f220ef412299d Mon Sep 17 00:00:00 2001
+From: zhengbin
+Date: Mon, 12 Aug 2019 20:36:55 +0800
+Subject: blk-mq: move cancel of requeue_work to the front of blk_exit_queue
+
+From: zhengbin
+
+commit e26cc08265dda37d2acc8394604f220ef412299d upstream.
+
+blk_exit_queue will free elevator_data, while blk_mq_requeue_work
+will access it. Move cancel of requeue_work to the front of
+blk_exit_queue to avoid use-after-free.
+
+blk_exit_queue blk_mq_requeue_work
+ __elevator_exit blk_mq_run_hw_queues
+ blk_mq_exit_sched blk_mq_run_hw_queue
+ dd_exit_queue blk_mq_hctx_has_pending
+ kfree(elevator_data) blk_mq_sched_has_work
+ dd_has_work
+
+Fixes: fbc2a15e3433 ("blk-mq: move cancel of requeue_work into blk_mq_release")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ming Lei
+Signed-off-by: zhengbin
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/blk-mq.c | 2 --
+ block/blk-sysfs.c | 3 +++
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2674,8 +2674,6 @@ void blk_mq_release(struct request_queue
+ struct blk_mq_hw_ctx *hctx, *next;
+ int i;
+
+- cancel_delayed_work_sync(&q->requeue_work);
+-
+ queue_for_each_hw_ctx(q, hctx, i)
+ WARN_ON_ONCE(hctx && list_empty(&hctx->hctx_list));
+
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -892,6 +892,9 @@ static void __blk_release_queue(struct w
+
+ blk_free_queue_stats(q->stats);
+
++ if (queue_is_mq(q))
++ cancel_delayed_work_sync(&q->requeue_work);
++
+ blk_exit_queue(q);
+
+ blk_queue_free_zone_bitmaps(q);
diff --git a/queue-5.2/io_uring-fix-manual-setup-of-iov_iter-for-fixed-buffers.patch b/queue-5.2/io_uring-fix-manual-setup-of-iov_iter-for-fixed-buffers.patch
new file mode 100644
index 00000000000..65cf43938e4
--- /dev/null
+++ b/queue-5.2/io_uring-fix-manual-setup-of-iov_iter-for-fixed-buffers.patch
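Review bot: The new `cancel_delayed_work_sync(&q->requeue_work)` call in `__blk_release_queue()` carries no comment saying why it must sit before `blk_exit_queue(q)`, and the Fixes: tag shows this same call was already moved once to a place where, per the commit message, the requeue work could still touch elevator data after it was freed. I would add a comment above the `if (queue_is_mq(q))` line, for example `/* must precede blk_exit_queue(): requeue work reaches elevator data that blk_exit_queue() frees */`, so the ordering survives the next refactor. Both functions continue outside the hunks, so whether any other path reaches `blk_exit_queue()` without this cancel cannot be judged from here.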
@@ -0,0 +1,46 @@
+From 99c79f6692ccdc42e04deea8a36e22bb48168a62 Mon Sep 17 00:00:00 2001
+From: Aleix Roca Nonell
+Date: Thu, 15 Aug 2019 14:03:22 +0200
+Subject: io_uring: fix manual setup of iov_iter for fixed buffers
+
+From: Aleix Roca Nonell
+
+commit 99c79f6692ccdc42e04deea8a36e22bb48168a62 upstream.
+
+Commit bd11b3a391e3 ("io_uring: don't use iov_iter_advance() for fixed
+buffers") introduced an optimization to avoid using the slow
+iov_iter_advance by manually populating the iov_iter iterator in some
+cases.
+
+However, the computation of the iterator count field was erroneous: The
+first bvec was always accounted for an extent of page size even if the
+bvec length was smaller.
+
+In consequence, some I/O operations on fixed buffers were unable to
+operate on the full extent of the buffer, consistently skipping some
+bytes at the end of it.
+
+Fixes: bd11b3a391e3 ("io_uring: don't use iov_iter_advance() for fixed buffers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Aleix Roca Nonell
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/io_uring.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1032,10 +1032,8 @@ static int io_import_fixed(struct io_rin
+
+ iter->bvec = bvec + seg_skip;
+ iter->nr_segs -= seg_skip;
+- iter->count -= (seg_skip << PAGE_SHIFT);
++ iter->count -= bvec->bv_len + offset;
+ iter->iov_offset = offset & ~PAGE_MASK;
+- if (iter->iov_offset)
+- iter->count -= iter->iov_offset;
+ }
+ }
+
diff --git a/queue-5.2/revert-i2c-imx-improve-the-error-handling-in-i2c_imx_dma_request.patch b/queue-5.2/revert-i2c-imx-improve-the-error-handling-in-i2c_imx_dma_request.patch
new file mode 100644
index 00000000000..3b73d377b28
--- /dev/null
+++ b/queue-5.2/revert-i2c-imx-improve-the-error-handling-in-i2c_imx_dma_request.patch
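Review bot: The added `iter->count -= bvec->bv_len + offset;` is only correct if `bvec` still names the first segment and `offset` has already had that segment's length taken off, and neither is visible in the hunk; the line directly above has just moved `iter->bvec` past it, which makes the expression easy to misread. A short comment such as `/* bvec is still the first segment; offset was reduced by its bv_len above, so this subtracts the original offset */` would pin that down, assuming that is what the code above the hunk does. `iter->count` looks unsigned, so the subtraction would wrap if the offset ever exceeded the mapped length; presumably a range check earlier in `io_import_fixed()` rules that out, but it is worth confirming because a wrapped count would let later I/O run past the registered buffer. The function starts before and ends after the hunk.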
@@ -0,0 +1,145 @@
+From e8c220fac415d9f4a994b0c2871b835feac1eb4e Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Thu, 8 Aug 2019 18:01:36 -0300
+Subject: Revert "i2c: imx: improve the error handling in i2c_imx_dma_request()"
+
+From: Fabio Estevam
+
+commit e8c220fac415d9f4a994b0c2871b835feac1eb4e upstream.
+
+Since commit e1ab9a468e3b ("i2c: imx: improve the error handling in
+i2c_imx_dma_request()") when booting with the DMA driver as module (such
+as CONFIG_FSL_EDMA=m) the following endless clk warnings are seen:
+
+[ 153.077831] ------------[ cut here ]------------
+[ 153.082528] WARNING: CPU: 0 PID: 15 at drivers/clk/clk.c:924 clk_core_disable_lock+0x18/0x24
+[ 153.093077] i2c0 already disabled
+[ 153.096416] Modules linked in:
+[ 153.099521] CPU: 0 PID: 15 Comm: kworker/0:1 Tainted: G W 5.2.0+ #321
+[ 153.107290] Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree)
+[ 153.113772] Workqueue: events deferred_probe_work_func
+[ 153.118979] [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
+[ 153.126778] [] (show_stack) from [] (dump_stack+0x9c/0xd4)
+[ 153.134051] [] (dump_stack) from [] (__warn+0xf8/0x124)
+[ 153.141056] [] (__warn) from [] (warn_slowpath_fmt+0x38/0x48)
+[ 153.148580] [] (warn_slowpath_fmt) from [] (clk_core_disable_lock+0x18/0x24)
+[ 153.157413] [] (clk_core_disable_lock) from [] (i2c_imx_probe+0x554/0x6ec)
+[ 153.166076] [] (i2c_imx_probe) from [] (platform_drv_probe+0x48/0x98)
+[ 153.174297] [] (platform_drv_probe) from [] (really_probe+0x1d8/0x2c0)
+[ 153.182605] [] (really_probe) from [] (driver_probe_device+0x5c/0x174)
+[ 153.190909] [] (driver_probe_device) from [] (bus_for_each_drv+0x44/0x8c)
+[ 153.199480] [] (bus_for_each_drv) from [] (__device_attach+0xa0/0x108)
+[ 153.207782] [] (__device_attach) from [] (bus_probe_device+0x88/0x90)
+[ 153.215999] [] (bus_probe_device) from [] (deferred_probe_work_func+0x60/0x90)
+[ 153.225003] [] (deferred_probe_work_func) from [] (process_one_work+0x204/0x634)
+[ 153.234178] []
(process_one_work) from [] (worker_thread+0x20/0x484)
+[ 153.242315] [] (worker_thread) from [] (kthread+0x118/0x150)
+[ 153.249758] [] (kthread) from [] (ret_from_fork+0x14/0x20)
+[ 153.257006] Exception stack(0xdde43fb0 to 0xdde43ff8)
+[ 153.262095] 3fa0: 00000000 00000000 00000000 00000000
+[ 153.270306] 3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 153.278520] 3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[ 153.285159] irq event stamp: 3323022
+[ 153.288787] hardirqs last enabled at (3323021): [] _raw_spin_unlock_irq+0x24/0x2c
+[ 153.297261] hardirqs last disabled at (3323022): [] clk_enable_lock+0x10/0x124
+[ 153.305392] softirqs last enabled at (3322092): [] __do_softirq+0x344/0x540
+[ 153.313352] softirqs last disabled at (3322081): [] irq_exit+0x10c/0x128
+[ 153.320946] ---[ end trace a506731ccd9bd703 ]---
+
+This endless clk warnings behaviour is well explained by Andrey Smirnov:
+
+"Allocating DMA after registering I2C adapter can lead to infinite
+probing loop, for example, consider the following scenario:
+
+ 1. i2c_imx_probe() is called and successfully registers an I2C
+ adapter via i2c_add_numbered_adapter()
+
+ 2. As a part of i2c_add_numbered_adapter() new I2C slave devices
+ are added from DT which results in a call to
+ driver_deferred_probe_trigger()
+
+ 3. i2c_imx_probe() continues and calls i2c_imx_dma_request() which
+ due to lack of proper DMA driver returns -EPROBE_DEFER
+
+ 4. i2c_imx_probe() fails, removes I2C adapter and returns
+ -EPROBE_DEFER, which places it into deferred probe list
+
+ 5. Deferred probe work triggered in #2 above kicks in and calls
+ i2c_imx_probe() again thus bringing us to step #1"
+
+So revert commit e1ab9a468e3b ("i2c: imx: improve the error handling in
+i2c_imx_dma_request()") and restore the old behaviour, in order to
+avoid regressions on existing setups.
+
+Cc:
+Reported-by: Andrey Smirnov
+Reported-by: Russell King
+Fixes: e1ab9a468e3b ("i2c: imx: improve the error handling in i2c_imx_dma_request()")
+Signed-off-by: Fabio Estevam
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-imx.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -273,8 +273,8 @@ static inline unsigned char imx_i2c_read
+ }
+
+ /* Functions for DMA support */
+-static int i2c_imx_dma_request(struct imx_i2c_struct *i2c_imx,
+- dma_addr_t phy_addr)
++static void i2c_imx_dma_request(struct imx_i2c_struct *i2c_imx,
++ dma_addr_t phy_addr)
+ {
+ struct imx_i2c_dma *dma;
+ struct dma_slave_config dma_sconfig;
+@@ -283,7 +283,7 @@ static int i2c_imx_dma_request(struct im
+
+ dma = devm_kzalloc(dev, sizeof(*dma), GFP_KERNEL);
+ if (!dma)
+- return -ENOMEM;
++ return;
+
+ dma->chan_tx = dma_request_chan(dev, "tx");
+ if (IS_ERR(dma->chan_tx)) {
+@@ -328,7 +328,7 @@ static int i2c_imx_dma_request(struct im
+ dev_info(dev, "using %s (tx) and %s (rx) for DMA transfers\n",
+ dma_chan_name(dma->chan_tx), dma_chan_name(dma->chan_rx));
+
+- return 0;
++ return;
+
+ fail_rx:
+ dma_release_channel(dma->chan_rx);
+@@ -336,8 +336,6 @@ fail_tx:
+ dma_release_channel(dma->chan_tx);
+ fail_al:
+ devm_kfree(dev, dma);
+- /* return successfully if there is no dma support */
+- return ret == -ENODEV ?
0 : ret;
+ }
+
+ static void i2c_imx_dma_callback(void *arg)
+@@ -1165,17 +1163,13 @@ static int i2c_imx_probe(struct platform
+ dev_dbg(&i2c_imx->adapter.dev, "device resources: %pR\n", res);
+ dev_dbg(&i2c_imx->adapter.dev, "adapter name: \"%s\"\n",
+ i2c_imx->adapter.name);
++ dev_info(&i2c_imx->adapter.dev, "IMX I2C adapter registered\n");
+
+ /* Init DMA config if supported */
+- ret = i2c_imx_dma_request(i2c_imx, phy_addr);
+- if (ret < 0)
+- goto del_adapter;
++ i2c_imx_dma_request(i2c_imx, phy_addr);
+
+- dev_info(&i2c_imx->adapter.dev, "IMX I2C adapter registered\n");
+ return 0; /* Return OK */
+
+-del_adapter:
+- i2c_del_adapter(&i2c_imx->adapter);
+ clk_notifier_unregister:
+ clk_notifier_unregister(i2c_imx->clk, &i2c_imx->clk_change_nb);
+ rpm_disable:
diff --git a/queue-5.2/riscv-correct-the-initialized-flow-of-fp-register.patch b/queue-5.2/riscv-correct-the-initialized-flow-of-fp-register.patch
new file mode 100644
index 00000000000..3fad016413a
--- /dev/null
+++ b/queue-5.2/riscv-correct-the-initialized-flow-of-fp-register.patch
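Review bot: After this revert every failure inside `i2c_imx_dma_request()` is invisible to `i2c_imx_probe()`: the `if (!dma) return;` path and the `fail_al` exit now end the same way as success, and probe returns 0 regardless. That matches the stated goal of avoiding the deferred-probe loop, but the call-site comment `/* Init DMA config if supported */` no longer tells a reader that DMA setup is best-effort; I would extend it to something like `/* Init DMA config if supported; failure is not fatal and must not unwind the registered adapter */`. It also looks as if a `-EPROBE_DEFER` from the channel request is now dropped for good, so a DMA driver that loads later as a module would never be picked up; if that is intended it deserves a line above `i2c_imx_dma_request()`. Both functions extend beyond the hunks shown.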
@@ -0,0 +1,91 @@
+From 8ac71d7e46b94a4fc8ffc6f1c88004cdf24459e8 Mon Sep 17 00:00:00 2001
+From: Vincent Chen
+Date: Wed, 14 Aug 2019 16:23:52 +0800
+Subject: riscv: Correct the initialized flow of FP register
+
+From: Vincent Chen
+
+commit 8ac71d7e46b94a4fc8ffc6f1c88004cdf24459e8 upstream.
+
+ The following two reasons cause FP registers are sometimes not
+initialized before starting the user program.
+1. Currently, the FP context is initialized in flush_thread() function
+ and we expect these initial values to be restored to FP register when
+ doing FP context switch. However, the FP context switch only occurs in
+ switch_to function. Hence, if this process does not be scheduled out
+ and scheduled in before entering the user space, the FP registers
+ have no chance to initialize.
+2. In flush_thread(), the state of reg->sstatus.FS inherits from the
+ parent. Hence, the state of reg->sstatus.FS may be dirty. If this
+ process is scheduled out during flush_thread() and initializing the
+ FP register, the fstate_save() in switch_to will corrupt the FP context
+ which has been initialized until flush_thread().
+
+ To solve the 1st case, the initialization of the FP register will be
+completed in start_thread(). It makes sure all FP registers are initialized
+before starting the user program. For the 2nd case, the state of
+reg->sstatus.FS in start_thread will be set to SR_FS_OFF to prevent this
+process from corrupting FP context in doing context save. The FP state is
+set to SR_FS_INITIAL in start_trhead().
+
+Signed-off-by: Vincent Chen
+Reviewed-by: Anup Patel
+Reviewed-by: Christoph Hellwig
+Fixes: 7db91e57a0acd ("RISC-V: Task implementation")
+Cc: stable@vger.kernel.org
+[paul.walmsley@sifive.com: fixed brace alignment issue reported by
+ checkpatch]
+Signed-off-by: Paul Walmsley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/riscv/include/asm/switch_to.h | 6 ++++++
+ arch/riscv/kernel/process.c | 11 +++++++++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/switch_to.h
++++ b/arch/riscv/include/asm/switch_to.h
+@@ -19,6 +19,12 @@ static inline void __fstate_clean(struct
+ regs->sstatus |= (regs->sstatus & ~(SR_FS)) | SR_FS_CLEAN;
+ }
+
++static inline void fstate_off(struct task_struct *task,
++ struct pt_regs *regs)
++{
++ regs->sstatus = (regs->sstatus & ~SR_FS) | SR_FS_OFF;
++}
++
+ static inline void fstate_save(struct task_struct *task,
+ struct pt_regs *regs)
+ {
+--- a/arch/riscv/kernel/process.c
++++ b/arch/riscv/kernel/process.c
+@@ -64,8 +64,14 @@ void start_thread(struct pt_regs *regs,
+ unsigned long sp)
+ {
+ regs->sstatus = SR_SPIE;
+- if (has_fpu)
++ if (has_fpu) {
+ regs->sstatus |= SR_FS_INITIAL;
++ /*
++ * Restore the initial value to the FP register
++ * before starting the user program.
++ */
++ fstate_restore(current, regs);
++ }
+ regs->sepc = pc;
+ regs->sp = sp;
+ set_fs(USER_DS);
+@@ -75,10 +81,11 @@ void flush_thread(void)
+ {
+ #ifdef CONFIG_FPU
+ /*
+- * Reset FPU context
++ * Reset FPU state and context
+ * frm: round to nearest, ties to even (IEEE default)
+ * fflags: accrued exceptions cleared
+ */
++ fstate_off(current, task_pt_regs(current));
+ memset(¤t->thread.fstate, 0, sizeof(current->thread.fstate));
+ #endif
+ }
diff --git a/queue-5.2/riscv-make-__fstate_clean-work-correctly.patch b/queue-5.2/riscv-make-__fstate_clean-work-correctly.patch
new file mode 100644
index 00000000000..8bf0398fbb3
--- /dev/null
+++ b/queue-5.2/riscv-make-__fstate_clean-work-correctly.patch
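Review bot: In `flush_thread()` the new `fstate_off(current, task_pt_regs(current));` has to run before the `memset()` of `current->thread.fstate` for the fix to hold, since per the commit message a context switch with FS still dirty would save live registers over the freshly cleared context, yet the updated comment (`Reset FPU state and context`) does not say the order matters. I would add a line to that comment such as `* FS is switched off first so a context switch cannot save stale registers over the cleared fstate`. Separately, `fstate_off()` takes a `task` argument it never uses; either drop it or note in a one-line comment that it is kept for symmetry with `fstate_save()`. FP registers that are not initialised at program start presumably still hold values left by the previous image, so the ordering is worth stating in the code rather than only in the changelog.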
@@ -0,0 +1,36 @@
+From 69703eb9a8ae28a46cd5bce7d69ceeef6273a104 Mon Sep 17 00:00:00 2001
+From: Vincent Chen
+Date: Wed, 14 Aug 2019 16:23:53 +0800
+Subject: riscv: Make __fstate_clean() work correctly.
+
+From: Vincent Chen
+
+commit 69703eb9a8ae28a46cd5bce7d69ceeef6273a104 upstream.
+
+Make the __fstate_clean() function correctly set the
+state of sstatus.FS in pt_regs to SR_FS_CLEAN.
+
+Fixes: 7db91e57a0acd ("RISC-V: Task implementation")
+Cc: linux-stable
+Signed-off-by: Vincent Chen
+Reviewed-by: Anup Patel
+Reviewed-by: Christoph Hellwig
+[paul.walmsley@sifive.com: expanded "Fixes" commit ID]
+Signed-off-by: Paul Walmsley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/riscv/include/asm/switch_to.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/include/asm/switch_to.h
++++ b/arch/riscv/include/asm/switch_to.h
+@@ -16,7 +16,7 @@ extern void __fstate_restore(struct task
+
+ static inline void __fstate_clean(struct pt_regs *regs)
+ {
+- regs->sstatus |= (regs->sstatus & ~(SR_FS)) | SR_FS_CLEAN;
++ regs->sstatus = (regs->sstatus & ~SR_FS) | SR_FS_CLEAN;
+ }
+
+ static inline void fstate_off(struct task_struct *task,
diff --git a/queue-5.2/series b/queue-5.2/series
index 9b5143f12f4..b5ddfd30126 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -29,3 +29,8 @@ input-iforce-add-sanity-checks.patch
 net-usb-pegasus-fix-improper-read-if-get_registers-fail.patch
 bpf-fix-access-to-skb_shared_info-gso_segs.patch
 netfilter-ebtables-also-count-base-chain-policies.patch
+riscv-correct-the-initialized-flow-of-fp-register.patch
+riscv-make-__fstate_clean-work-correctly.patch
+revert-i2c-imx-improve-the-error-handling-in-i2c_imx_dma_request.patch
+blk-mq-move-cancel-of-requeue_work-to-the-front-of-blk_exit_queue.patch
+io_uring-fix-manual-setup-of-iov_iter-for-fixed-buffers.patch
--
2.47.3