From 5bbae6d792fe52982345f477f5c61c27d9b0fdda Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 16 Jan 2023 16:21:40 +0100
Subject: [PATCH] 5.4-stable patches
added patches:
ocfs2-fix-freeing-uninitialized-resource-on-ocfs2_dlm_shutdown.patch
pseries-eeh-fix-the-kdump-kernel-crash-during-eeh_pseries_init.patch
tipc-call-tipc_lxc_xmit-without-holding-node_read_lock.patch
---
 ...lized-resource-on-ocfs2_dlm_shutdown.patch | 69 +++++++++
 ...kernel-crash-during-eeh_pseries_init.patch | 73 +++++++++
 queue-5.4/series | 3 +
 ..._xmit-without-holding-node_read_lock.patch | 140 ++++++++++++++++++
 4 files changed, 285 insertions(+)
 create mode 100644 queue-5.4/ocfs2-fix-freeing-uninitialized-resource-on-ocfs2_dlm_shutdown.patch
 create mode 100644 queue-5.4/pseries-eeh-fix-the-kdump-kernel-crash-during-eeh_pseries_init.patch
 create mode 100644 queue-5.4/tipc-call-tipc_lxc_xmit-without-holding-node_read_lock.patch
diff --git a/queue-5.4/ocfs2-fix-freeing-uninitialized-resource-on-ocfs2_dlm_shutdown.patch b/queue-5.4/ocfs2-fix-freeing-uninitialized-resource-on-ocfs2_dlm_shutdown.patch
new file mode 100644
index 00000000000..e71dafe21d0
--- /dev/null
+++ b/queue-5.4/ocfs2-fix-freeing-uninitialized-resource-on-ocfs2_dlm_shutdown.patch
@@ -0,0 +1,69 @@
+From 550842cc60987b269e31b222283ade3e1b6c7fc8 Mon Sep 17 00:00:00 2001
+From: Heming Zhao
+Date: Mon, 15 Aug 2022 16:57:54 +0800
+Subject: ocfs2: fix freeing uninitialized resource on ocfs2_dlm_shutdown
+
+From: Heming Zhao
+
+commit 550842cc60987b269e31b222283ade3e1b6c7fc8 upstream.
+
+After commit 0737e01de9c4 ("ocfs2: ocfs2_mount_volume does cleanup job
+before return error"), any procedure after ocfs2_dlm_init() fails will
+trigger crash when calling ocfs2_dlm_shutdown().
+
+ie: On local mount mode, no dlm resource is initialized. If
+ocfs2_mount_volume() fails in ocfs2_find_slot(), error handling will call
+ocfs2_dlm_shutdown(), then does dlm resource cleanup job, which will
+trigger kernel crash.
+
+This solution should bypass uninitialized resources in
+ocfs2_dlm_shutdown().
+
+Link: https://lkml.kernel.org/r/20220815085754.20417-1-heming.zhao@suse.com
+Fixes: 0737e01de9c4 ("ocfs2: ocfs2_mount_volume does cleanup job before return error")
+Signed-off-by: Heming Zhao
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Gang He
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/dlmglue.c | 8 +++++---
+ fs/ocfs2/super.c | 3 +--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/ocfs2/dlmglue.c
++++ b/fs/ocfs2/dlmglue.c
+@@ -3396,10 +3396,12 @@ void ocfs2_dlm_shutdown(struct ocfs2_sup
+ ocfs2_lock_res_free(&osb->osb_nfs_sync_lockres);
+ ocfs2_lock_res_free(&osb->osb_orphan_scan.os_lockres);
+ 
+- ocfs2_cluster_disconnect(osb->cconn, hangup_pending);
+- osb->cconn = NULL;
++ if (osb->cconn) {
++ ocfs2_cluster_disconnect(osb->cconn, hangup_pending);
++ osb->cconn = NULL;
+ 
+- ocfs2_dlm_shutdown_debug(osb);
++ ocfs2_dlm_shutdown_debug(osb);
++ }
+ }
+ 
+ static int ocfs2_drop_lock(struct ocfs2_super *osb,
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -1922,8 +1922,7 @@ static void ocfs2_dismount_volume(struct
+ !ocfs2_is_hard_readonly(osb))
+ hangup_needed = 1;
+ 
+- if (osb->cconn)
+- ocfs2_dlm_shutdown(osb, hangup_needed);
++ ocfs2_dlm_shutdown(osb, hangup_needed);
+ 
+ ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
+ debugfs_remove_recursive(osb->osb_debug_root);
diff --git a/queue-5.4/pseries-eeh-fix-the-kdump-kernel-crash-during-eeh_pseries_init.patch b/queue-5.4/pseries-eeh-fix-the-kdump-kernel-crash-during-eeh_pseries_init.patch
new file mode 100644
index 00000000000..1eeb5b9296c
--- /dev/null
+++ b/queue-5.4/pseries-eeh-fix-the-kdump-kernel-crash-during-eeh_pseries_init.patch
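Review bot: The new `if (osb->cconn)` guard in ocfs2_dlm_shutdown() protects only ocfs2_cluster_disconnect() and ocfs2_dlm_shutdown_debug(), while the ocfs2_lock_res_free() calls above it (and whatever precedes them, since ocfs2_dlm_shutdown() begins before the hunk) still run on the local-mount/failed-init path that ocfs2_dismount_volume() now reaches unconditionally after its own `if (osb->cconn)` was dropped; the fix therefore presumably relies on ocfs2_lock_res_free() tolerating a lockres that was never initialized, which is worth confirming and stating. A comment at the guard would make the invariant explicit: `/* cconn stays NULL when ocfs2_dlm_init() never completed (e.g. local mount); nothing to disconnect */`. ocfs2_dlm_shutdown_debug() also now runs only when cconn is set, so if the debugfs entries it removes can exist without a connection, that path would leave them behind — verify against ocfs2_dlm_init().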
@@ -0,0 +1,73 @@
+From eb8257a12192f43ffd41bd90932c39dade958042 Mon Sep 17 00:00:00 2001
+From: Mahesh Salgaonkar
+Date: Mon, 20 Sep 2021 22:03:26 +0530
+Subject: pseries/eeh: Fix the kdump kernel crash during eeh_pseries_init
+
+From: Mahesh Salgaonkar
+
+commit eb8257a12192f43ffd41bd90932c39dade958042 upstream.
+
+On pseries LPAR when an empty slot is assigned to partition OR in single
+LPAR mode, kdump kernel crashes during issuing PHB reset.
+
+In the kdump scenario, we traverse all PHBs and issue reset using the
+pe_config_addr of the first child device present under each PHB. However
+the code assumes that none of the PHB slots can be empty and uses
+list_first_entry() to get the first child device under the PHB. Since
+list_first_entry() expects the list to be non-empty, it returns an
+invalid pci_dn entry and ends up accessing NULL phb pointer under
+pci_dn->phb causing kdump kernel crash.
+
+This patch fixes the below kdump kernel crash by skipping empty slots:
+
+ audit: initializing netlink subsys (disabled)
+ thermal_sys: Registered thermal governor 'fair_share'
+ thermal_sys: Registered thermal governor 'step_wise'
+ cpuidle: using governor menu
+ pstore: Registered nvram as persistent store backend
+ Issue PHB reset ...
+ audit: type=2000 audit(1631267818.000:1): state=initialized audit_enabled=0 res=1
+ BUG: Kernel NULL pointer dereference on read at 0x00000268
+ Faulting instruction address: 0xc000000008101fb0
+ Oops: Kernel access of bad area, sig: 7 [#1]
+ LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in:
+ CPU: 7 PID: 1 Comm: swapper/7 Not tainted 5.14.0 #1
+ NIP: c000000008101fb0 LR: c000000009284ccc CTR: c000000008029d70
+ REGS: c00000001161b840 TRAP: 0300 Not tainted (5.14.0)
+ MSR: 8000000002009033 CR: 28000224 XER: 20040002
+ CFAR: c000000008101f0c DAR: 0000000000000268 DSISR: 00080000 IRQMASK: 0
+ ...
+ NIP pseries_eeh_get_pe_config_addr+0x100/0x1b0
+ LR __machine_initcall_pseries_eeh_pseries_init+0x2cc/0x350
+ Call Trace:
+ 0xc00000001161bb80 (unreliable)
+ __machine_initcall_pseries_eeh_pseries_init+0x2cc/0x350
+ do_one_initcall+0x60/0x2d0
+ kernel_init_freeable+0x350/0x3f8
+ kernel_init+0x3c/0x17c
+ ret_from_kernel_thread+0x5c/0x64
+
+Fixes: 5a090f7c363fd ("powerpc/pseries: PCIE PHB reset")
+Signed-off-by: Mahesh Salgaonkar
+[mpe: Tweak wording and trim oops]
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/163215558252.413351.8600189949820258982.stgit@jupiter
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/pseries/eeh_pseries.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
+@@ -879,6 +879,10 @@ static int __init eeh_pseries_init(void)
+ if (is_kdump_kernel() || reset_devices) {
+ pr_info("Issue PHB reset ...\n");
+ list_for_each_entry(phb, &hose_list, list_node) {
++ // Skip if the slot is empty
++ if (list_empty(&PCI_DN(phb->dn)->child_list))
++ continue;
++
+ pdn = list_first_entry(&PCI_DN(phb->dn)->child_list, struct pci_dn, list);
+ addr = (pdn->busno << 16) | (pdn->devfn << 8);
+ config_addr = pseries_eeh_get_config_addr(phb, addr);
diff --git a/queue-5.4/series b/queue-5.4/series
index 7f445decc5f..d076b46154a 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -654,3 +654,6 @@ revert-usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch
 tipc-fix-use-after-free-in-tipc_disc_rcv.patch
 tty-serial-tegra-handle-rx-transfer-in-pio-mode-if-dma-wasn-t-started.patch
 tipc-add-a-missing-case-of-tipc_direct_msg-type.patch
+pseries-eeh-fix-the-kdump-kernel-crash-during-eeh_pseries_init.patch
+ocfs2-fix-freeing-uninitialized-resource-on-ocfs2_dlm_shutdown.patch
+tipc-call-tipc_lxc_xmit-without-holding-node_read_lock.patch
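Review bot: The new `list_empty()` check in eeh_pseries_init() closes the empty-slot case but still dereferences `PCI_DN(phb->dn)` unchecked, so a PHB whose pci_dn lookup yields NULL would fault on the new line rather than on list_first_entry(); I cannot tell from the hunk whether that can occur on the kdump path, but if it can the guard should become `if (!PCI_DN(phb->dn) || list_empty(&PCI_DN(phb->dn)->child_list))`. The `//` comment should also say why rather than what, in the block style the rest of this file uses: `/* An empty slot has no child pci_dn; list_first_entry() would return garbage */`. Hoisting `PCI_DN(phb->dn)` into a local would avoid evaluating it twice, though at initcall time that is cosmetic. eeh_pseries_init() begins and ends outside the hunk.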
diff --git a/queue-5.4/tipc-call-tipc_lxc_xmit-without-holding-node_read_lock.patch b/queue-5.4/tipc-call-tipc_lxc_xmit-without-holding-node_read_lock.patch
new file mode 100644
index 00000000000..4133ba0749f
--- /dev/null
+++ b/queue-5.4/tipc-call-tipc_lxc_xmit-without-holding-node_read_lock.patch
@@ -0,0 +1,140 @@
+From 88956177db179e4eba7cd590971961857d1565b8 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Sat, 3 Dec 2022 18:37:21 -0500
+Subject: tipc: call tipc_lxc_xmit without holding node_read_lock
+
+From: Xin Long
+
+commit 88956177db179e4eba7cd590971961857d1565b8 upstream.
+
+When sending packets between nodes in netns, it calls tipc_lxc_xmit() for
+peer node to receive the packets where tipc_sk_mcast_rcv()/tipc_sk_rcv()
+might be called, and it's pretty much like in tipc_rcv().
+
+Currently the local 'node rw lock' is held during calling tipc_lxc_xmit()
+to protect the peer_net not being freed by another thread. However, when
+receiving these packets, tipc_node_add_conn() might be called where the
+peer 'node rw lock' is acquired. Then a dead lock warning is triggered by
+lockdep detector, although it is not a real dead lock:
+
+ WARNING: possible recursive locking detected
+ --------------------------------------------
+ conn_server/1086 is trying to acquire lock:
+ ffff8880065cb020 (&n->lock#2){++--}-{2:2}, \
+ at: tipc_node_add_conn.cold.76+0xaa/0x211 [tipc]
+
+ but task is already holding lock:
+ ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \
+ at: tipc_node_xmit+0x285/0xb30 [tipc]
+
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&n->lock#2);
+ lock(&n->lock#2);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+ 4 locks held by conn_server/1086:
+ #0: ffff8880036d1e40 (sk_lock-AF_TIPC){+.+.}-{0:0}, \
+ at: tipc_accept+0x9c0/0x10b0 [tipc]
+ #1: ffff8880036d5f80 (sk_lock-AF_TIPC/1){+.+.}-{0:0}, \
+ at: tipc_accept+0x363/0x10b0 [tipc]
+ #2: ffff8880065cd020 (&n->lock#2){++--}-{2:2}, \
+ at: tipc_node_xmit+0x285/0xb30 [tipc]
+ #3: ffff888012e13370 (slock-AF_TIPC){+...}-{2:2}, \
+ at: tipc_sk_rcv+0x2da/0x1b40 [tipc]
+
+ Call Trace:
+
+ dump_stack_lvl+0x44/0x5b
+ __lock_acquire.cold.77+0x1f2/0x3d7
+ lock_acquire+0x1d2/0x610
+ _raw_write_lock_bh+0x38/0x80
+ tipc_node_add_conn.cold.76+0xaa/0x211 [tipc]
+ tipc_sk_finish_conn+0x21e/0x640 [tipc]
+ tipc_sk_filter_rcv+0x147b/0x3030 [tipc]
+ tipc_sk_rcv+0xbb4/0x1b40 [tipc]
+ tipc_lxc_xmit+0x225/0x26b [tipc]
+ tipc_node_xmit.cold.82+0x4a/0x102 [tipc]
+ __tipc_sendstream+0x879/0xff0 [tipc]
+ tipc_accept+0x966/0x10b0 [tipc]
+ do_accept+0x37d/0x590
+
+This patch avoids this warning by not holding the 'node rw lock' before
+calling tipc_lxc_xmit(). As to protect the 'peer_net', rcu_read_lock()
+should be enough, as in cleanup_net() when freeing the netns, it calls
+synchronize_rcu() before the free is continued.
+
+Also since tipc_lxc_xmit() is like the RX path in tipc_rcv(), it makes
+sense to call it under rcu_read_lock(). Note that the right lock order
+must be:
+
+ rcu_read_lock();
+ tipc_node_read_lock(n);
+ tipc_node_read_unlock(n);
+ tipc_lxc_xmit();
+ rcu_read_unlock();
+
+instead of:
+
+ tipc_node_read_lock(n);
+ rcu_read_lock();
+ tipc_node_read_unlock(n);
+ tipc_lxc_xmit();
+ rcu_read_unlock();
+
+and we have to call tipc_node_read_lock/unlock() twice in
+tipc_node_xmit().
+
+Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
+Reported-by: Shuang Li
+Signed-off-by: Xin Long
+Link: https://lore.kernel.org/r/5bdd1f8fee9db695cfff4528a48c9b9d0523fb00.1670110641.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/node.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -1546,6 +1546,7 @@ int tipc_node_xmit(struct net *net, stru
+ struct tipc_node *n;
+ struct sk_buff_head xmitq;
+ bool node_up = false;
++ struct net *peer_net;
+ int bearer_id;
+ int rc;
+ 
+@@ -1562,18 +1563,23 @@ int tipc_node_xmit(struct net *net, stru
+ return -EHOSTUNREACH;
+ }
+ 
++ rcu_read_lock();
+ tipc_node_read_lock(n);
+ node_up = node_is_up(n);
+- if (node_up && n->peer_net && check_net(n->peer_net)) {
++ peer_net = n->peer_net;
++ tipc_node_read_unlock(n);
++ if (node_up && peer_net && check_net(peer_net)) {
+ /* xmit inner linux container */
+- tipc_lxc_xmit(n->peer_net, list);
++ tipc_lxc_xmit(peer_net, list);
+ if (likely(skb_queue_empty(list))) {
+- tipc_node_read_unlock(n);
++ rcu_read_unlock();
+ tipc_node_put(n);
+ return 0;
+ }
+ }
++ rcu_read_unlock();
+ 
++ tipc_node_read_lock(n);
+ bearer_id = n->active_links[selector & 1];
+ if (unlikely(bearer_id == INVALID_BEARER_ID)) {
+ tipc_node_read_unlock(n);
--
2.47.3
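Review bot: The lock juggling in tipc_node_xmit() — node read lock taken, `peer_net` and `node_up` snapshotted, lock dropped, tipc_lxc_xmit() called under RCU only, lock re-taken — carries no comment, so the next reader will see a read-unlock/read-lock pair around an unlocked use of `peer_net` and be tempted to "fix" it back into the lockdep-warning shape. A comment at the new `tipc_node_read_unlock(n);` should preserve the reasoning from the description: `/* tipc_lxc_xmit() may take the peer node's lock; drop ours and rely on rcu_read_lock() to keep peer_net alive (cleanup_net() calls synchronize_rcu() before freeing) */`. It is also worth stating that `node_up` and `peer_net` are snapshots that may go stale during the unlocked window and that the bearer path below re-reads `n->active_links` under the re-taken lock, which the hunk shows but does not explain. tipc_node_xmit() begins before the first hunk and continues past the second.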