From: Greg Kroah-Hartman Date: Tue, 14 Apr 2020 12:26:30 +0000 (+0200) Subject: 5.6-stable patches X-Git-Tag: v4.19.116~78 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43ca3d7ea361a6d294d7df73359c2c7b14d16a0e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.6-stable patches added patches: cpu-hotplug-ignore-pm_wakeup_pending-for-disable_nonboot_cpus.patch genirq-debugfs-add-missing-sanity-checks-to-interrupt-injection.patch io_uring-ensure-openat-sets-o_largefile-if-needed.patch io_uring-fix-ctx-refcounting-in-io_submit_sqes.patch io_uring-remove-bogus-rlimit_nofile-check-in-file-registration.patch irqchip-versatile-fpga-apply-clear-mask-earlier.patch mips-octeon-irq-fix-potential-null-pointer-dereference.patch mips-tlbex-fix-lddir-usage-in-setup_pw-for-loongson-3.patch pm-domains-allow-no-domain-idle-states-dt-property-in-genpd-when-parsing.patch pm-sleep-wakeup-skip-wakeup_source_sysfs_remove-if-device-is-not-there.patch pstore-pstore_ftrace_seq_next-should-increase-position-index.patch rcu-make-rcu_barrier-account-for-offline-no-cbs-cpus.patch --- diff --git a/queue-5.6/cpu-hotplug-ignore-pm_wakeup_pending-for-disable_nonboot_cpus.patch b/queue-5.6/cpu-hotplug-ignore-pm_wakeup_pending-for-disable_nonboot_cpus.patch new file mode 100644 index 00000000000..6b4c05880f4 --- /dev/null +++ b/queue-5.6/cpu-hotplug-ignore-pm_wakeup_pending-for-disable_nonboot_cpus.patch @@ -0,0 +1,77 @@ +From e98eac6ff1b45e4e73f2e6031b37c256ccb5d36b Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 27 Mar 2020 12:06:44 +0100 +Subject: cpu/hotplug: Ignore pm_wakeup_pending() for disable_nonboot_cpus() + +From: Thomas Gleixner + +commit e98eac6ff1b45e4e73f2e6031b37c256ccb5d36b upstream. + +A recent change to freeze_secondary_cpus() which added an early abort if a +wakeup is pending missed the fact that the function is also invoked for +shutdown, reboot and kexec via disable_nonboot_cpus(). + +In case of disable_nonboot_cpus() the wakeup event needs to be ignored as +the purpose is to terminate the currently running kernel. + +Add a 'suspend' argument which is only set when the freeze is in context of +a suspend operation. If not set then an eventually pending wakeup event is +ignored. + +Fixes: a66d955e910a ("cpu/hotplug: Abort disabling secondary CPUs if wakeup is pending") +Reported-by: Boqun Feng +Signed-off-by: Thomas Gleixner +Cc: Pavankumar Kondeti +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/874kuaxdiz.fsf@nanos.tec.linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/cpu.h | 12 +++++++++--- + kernel/cpu.c | 4 ++-- + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -138,12 +138,18 @@ static inline void get_online_cpus(void) + static inline void put_online_cpus(void) { cpus_read_unlock(); } + + #ifdef CONFIG_PM_SLEEP_SMP +-extern int freeze_secondary_cpus(int primary); ++int __freeze_secondary_cpus(int primary, bool suspend); ++static inline int freeze_secondary_cpus(int primary) ++{ ++ return __freeze_secondary_cpus(primary, true); ++} ++ + static inline int disable_nonboot_cpus(void) + { +- return freeze_secondary_cpus(0); ++ return __freeze_secondary_cpus(0, false); + } +-extern void enable_nonboot_cpus(void); ++ ++void enable_nonboot_cpus(void); + + static inline int suspend_disable_secondary_cpus(void) + { +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -1212,7 +1212,7 @@ EXPORT_SYMBOL_GPL(cpu_up); + #ifdef CONFIG_PM_SLEEP_SMP + static cpumask_var_t frozen_cpus; + +-int freeze_secondary_cpus(int primary) ++int __freeze_secondary_cpus(int primary, bool suspend) + { + int cpu, error = 0; + +@@ -1237,7 +1237,7 @@ int freeze_secondary_cpus(int primary) + if (cpu == primary) + continue; + +- if (pm_wakeup_pending()) { ++ if (suspend && pm_wakeup_pending()) { + pr_info("Wakeup pending. Abort CPU freeze\n"); + error = -EBUSY; + break; diff --git a/queue-5.6/genirq-debugfs-add-missing-sanity-checks-to-interrupt-injection.patch b/queue-5.6/genirq-debugfs-add-missing-sanity-checks-to-interrupt-injection.patch new file mode 100644 index 00000000000..c3c22bfaab4 --- /dev/null +++ b/queue-5.6/genirq-debugfs-add-missing-sanity-checks-to-interrupt-injection.patch @@ -0,0 +1,43 @@ +From a740a423c36932695b01a3e920f697bc55b05fec Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 6 Mar 2020 14:03:42 +0100 +Subject: genirq/debugfs: Add missing sanity checks to interrupt injection + +From: Thomas Gleixner + +commit a740a423c36932695b01a3e920f697bc55b05fec upstream. + +Interrupts cannot be injected when the interrupt is not activated and when +a replay is already in progress. + +Fixes: 536e2e34bd00 ("genirq/debugfs: Triggering of interrupts from userspace") +Signed-off-by: Thomas Gleixner +Acked-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20200306130623.500019114@linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/debugfs.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/kernel/irq/debugfs.c ++++ b/kernel/irq/debugfs.c +@@ -206,8 +206,15 @@ static ssize_t irq_debug_write(struct fi + chip_bus_lock(desc); + raw_spin_lock_irqsave(&desc->lock, flags); + +- if (irq_settings_is_level(desc) || desc->istate & IRQS_NMI) { +- /* Can't do level nor NMIs, sorry */ ++ /* ++ * Don't allow injection when the interrupt is: ++ * - Level or NMI type ++ * - not activated ++ * - replaying already ++ */ ++ if (irq_settings_is_level(desc) || ++ !irqd_is_activated(&desc->irq_data) || ++ (desc->istate & (IRQS_NMI | IRQS_REPLAY))) { + err = -EINVAL; + } else { + desc->istate |= IRQS_PENDING; diff --git a/queue-5.6/io_uring-ensure-openat-sets-o_largefile-if-needed.patch b/queue-5.6/io_uring-ensure-openat-sets-o_largefile-if-needed.patch new file mode 100644 index 00000000000..7ee5ea1a190 --- /dev/null +++ b/queue-5.6/io_uring-ensure-openat-sets-o_largefile-if-needed.patch @@ -0,0 +1,28 @@ +From 08a1d26eb894a9dcf79f674558a284ad1ffef517 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 8 Apr 2020 09:20:54 -0600 +Subject: io_uring: ensure openat sets O_LARGEFILE if needed + +From: Jens Axboe + +commit 08a1d26eb894a9dcf79f674558a284ad1ffef517 upstream. + +OPENAT2 correctly sets O_LARGEFILE if it has to, but that escaped the +OPENAT opcode. Dmitry reports that his test case that compares openat() +and IORING_OP_OPENAT sees failures on large files: + +--- + fs/io_uring.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2571,6 +2571,8 @@ static int io_openat_prep(struct io_kioc + req->open.how.mode = READ_ONCE(sqe->len); + fname = u64_to_user_ptr(READ_ONCE(sqe->addr)); + req->open.how.flags = READ_ONCE(sqe->open_flags); ++ if (force_o_largefile()) ++ req->open.how.flags |= O_LARGEFILE; + + req->open.filename = getname(fname); + if (IS_ERR(req->open.filename)) { diff --git a/queue-5.6/io_uring-fix-ctx-refcounting-in-io_submit_sqes.patch b/queue-5.6/io_uring-fix-ctx-refcounting-in-io_submit_sqes.patch new file mode 100644 index 00000000000..f56140a4402 --- /dev/null +++ b/queue-5.6/io_uring-fix-ctx-refcounting-in-io_submit_sqes.patch @@ -0,0 +1,38 @@ +From 48bdd849e967f1c573d2b2bc24308e24a83f39c2 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Mon, 6 Apr 2020 00:08:52 +0300 +Subject: io_uring: fix ctx refcounting in io_submit_sqes() + +From: Pavel Begunkov + +commit 48bdd849e967f1c573d2b2bc24308e24a83f39c2 upstream. + +If io_get_req() fails, it drops a ref. Then, awhile keeping @submitted +unmodified, io_submit_sqes() breaks the loop and puts @nr - @submitted +refs. For each submitted req a ref is dropped in io_put_req() and +friends. So, for @nr taken refs there will be +(@nr - @submitted + @submitted + 1) dropped. + +Remove ctx refcounting from io_get_req(), that at the same time makes +it clearer. + +Fixes: 2b85edfc0c90 ("io_uring: batch getting pcpu references") +Cc: stable@vger.kernel.org # v5.6 +Signed-off-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1242,7 +1242,6 @@ fallback: + req = io_get_fallback_req(ctx); + if (req) + goto got_it; +- percpu_ref_put(&ctx->refs); + return NULL; + } + diff --git a/queue-5.6/io_uring-remove-bogus-rlimit_nofile-check-in-file-registration.patch b/queue-5.6/io_uring-remove-bogus-rlimit_nofile-check-in-file-registration.patch new file mode 100644 index 00000000000..990f9645a16 --- /dev/null +++ b/queue-5.6/io_uring-remove-bogus-rlimit_nofile-check-in-file-registration.patch @@ -0,0 +1,38 @@ +From c336e992cb1cb1db9ee608dfb30342ae781057ab Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Fri, 3 Apr 2020 13:54:26 -0600 +Subject: io_uring: remove bogus RLIMIT_NOFILE check in file registration + +From: Jens Axboe + +commit c336e992cb1cb1db9ee608dfb30342ae781057ab upstream. + +We already checked this limit when the file was opened, and we keep it +open in the file table. Hence when we added unit_inflight to the count +we want to register, we're doubly accounting these files. This results +in -EMFILE for file registration, if we're at half the limit. + +Cc: stable@vger.kernel.org # v5.1+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -5426,13 +5426,6 @@ static int __io_sqe_files_scm(struct io_ + struct sk_buff *skb; + int i, nr_files; + +- if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { +- unsigned long inflight = ctx->user->unix_inflight + nr; +- +- if (inflight > task_rlimit(current, RLIMIT_NOFILE)) +- return -EMFILE; +- } +- + fpl = kzalloc(sizeof(*fpl), GFP_KERNEL); + if (!fpl) + return -ENOMEM; diff --git a/queue-5.6/irqchip-versatile-fpga-apply-clear-mask-earlier.patch b/queue-5.6/irqchip-versatile-fpga-apply-clear-mask-earlier.patch new file mode 100644 index 00000000000..1e2a7dc9d2f --- /dev/null +++ b/queue-5.6/irqchip-versatile-fpga-apply-clear-mask-earlier.patch @@ -0,0 +1,52 @@ +From 6a214a28132f19ace3d835a6d8f6422ec80ad200 Mon Sep 17 00:00:00 2001 +From: Sungbo Eo +Date: Sat, 21 Mar 2020 22:38:42 +0900 +Subject: irqchip/versatile-fpga: Apply clear-mask earlier + +From: Sungbo Eo + +commit 6a214a28132f19ace3d835a6d8f6422ec80ad200 upstream. + +Clear its own IRQs before the parent IRQ get enabled, so that the +remaining IRQs do not accidentally interrupt the parent IRQ controller. + +This patch also fixes a reboot bug on OX820 SoC, where the remaining +rps-timer IRQ raises a GIC interrupt that is left pending. After that, +the rps-timer IRQ is cleared during driver initialization, and there's +no IRQ left in rps-irq when local_irq_enable() is called, which evokes +an error message "unexpected IRQ trap". + +Fixes: bdd272cbb97a ("irqchip: versatile FPGA: support cascaded interrupts from DT") +Signed-off-by: Sungbo Eo +Signed-off-by: Marc Zyngier +Reviewed-by: Linus Walleij +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200321133842.2408823-1-mans0n@gorani.run +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-versatile-fpga.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/irqchip/irq-versatile-fpga.c ++++ b/drivers/irqchip/irq-versatile-fpga.c +@@ -212,6 +212,9 @@ int __init fpga_irq_of_init(struct devic + if (of_property_read_u32(node, "valid-mask", &valid_mask)) + valid_mask = 0; + ++ writel(clear_mask, base + IRQ_ENABLE_CLEAR); ++ writel(clear_mask, base + FIQ_ENABLE_CLEAR); ++ + /* Some chips are cascaded from a parent IRQ */ + parent_irq = irq_of_parse_and_map(node, 0); + if (!parent_irq) { +@@ -221,9 +224,6 @@ int __init fpga_irq_of_init(struct devic + + fpga_irq_init(base, node->name, 0, parent_irq, valid_mask, node); + +- writel(clear_mask, base + IRQ_ENABLE_CLEAR); +- writel(clear_mask, base + FIQ_ENABLE_CLEAR); +- + /* + * On Versatile AB/PB, some secondary interrupts have a direct + * pass-thru to the primary controller for IRQs 20 and 22-31 which need diff --git a/queue-5.6/mips-octeon-irq-fix-potential-null-pointer-dereference.patch b/queue-5.6/mips-octeon-irq-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..acf1b431ad9 --- /dev/null +++ b/queue-5.6/mips-octeon-irq-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,38 @@ +From 792a402c2840054533ef56279c212ef6da87d811 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 22 Jan 2019 14:18:42 -0600 +Subject: MIPS: OCTEON: irq: Fix potential NULL pointer dereference + +From: Gustavo A. R. Silva + +commit 792a402c2840054533ef56279c212ef6da87d811 upstream. + +There is a potential NULL pointer dereference in case kzalloc() +fails and returns NULL. + +Fix this by adding a NULL check on *cd* + +This bug was detected with the help of Coccinelle. + +Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/cavium-octeon/octeon-irq.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -2199,6 +2199,9 @@ static int octeon_irq_cib_map(struct irq + } + + cd = kzalloc(sizeof(*cd), GFP_KERNEL); ++ if (!cd) ++ return -ENOMEM; ++ + cd->host_data = host_data; + cd->bit = hw; + diff --git a/queue-5.6/mips-tlbex-fix-lddir-usage-in-setup_pw-for-loongson-3.patch b/queue-5.6/mips-tlbex-fix-lddir-usage-in-setup_pw-for-loongson-3.patch new file mode 100644 index 00000000000..10b24d63f24 --- /dev/null +++ b/queue-5.6/mips-tlbex-fix-lddir-usage-in-setup_pw-for-loongson-3.patch @@ -0,0 +1,55 @@ +From d191aaffe3687d1e73e644c185f5f0550ec242b5 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Wed, 25 Mar 2020 11:44:54 +0800 +Subject: MIPS/tlbex: Fix LDDIR usage in setup_pw() for Loongson-3 + +From: Huacai Chen + +commit d191aaffe3687d1e73e644c185f5f0550ec242b5 upstream. + +LDDIR/LDPTE is Loongson-3's acceleration for Page Table Walking. If BD +(Base Directory, the 4th page directory) is not enabled, then GDOffset +is biased by BadVAddr[63:62]. So, if GDOffset (aka. BadVAddr[47:36] for +Loongson-3) is big enough, "0b11(BadVAddr[63:62])|BadVAddr[47:36]|...." +can far beyond pg_swapper_dir. This means the pg_swapper_dir may NOT be +accessed by LDDIR correctly, so fix it by set PWDirExt in CP0_PWCtl. + +Cc: +Signed-off-by: Pei Huang +Signed-off-by: Huacai Chen +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/tlbex.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -1480,6 +1480,7 @@ static void build_r4000_tlb_refill_handl + + static void setup_pw(void) + { ++ unsigned int pwctl; + unsigned long pgd_i, pgd_w; + #ifndef __PAGETABLE_PMD_FOLDED + unsigned long pmd_i, pmd_w; +@@ -1506,6 +1507,7 @@ static void setup_pw(void) + + pte_i = ilog2(_PAGE_GLOBAL); + pte_w = 0; ++ pwctl = 1 << 30; /* Set PWDirExt */ + + #ifndef __PAGETABLE_PMD_FOLDED + write_c0_pwfield(pgd_i << 24 | pmd_i << 12 | pt_i << 6 | pte_i); +@@ -1516,8 +1518,9 @@ static void setup_pw(void) + #endif + + #ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT +- write_c0_pwctl(1 << 6 | psn); ++ pwctl |= (1 << 6 | psn); + #endif ++ write_c0_pwctl(pwctl); + write_c0_kpgd((long)swapper_pg_dir); + kscratch_used_mask |= (1 << 7); /* KScratch6 is used for KPGD */ + } diff --git a/queue-5.6/pm-domains-allow-no-domain-idle-states-dt-property-in-genpd-when-parsing.patch b/queue-5.6/pm-domains-allow-no-domain-idle-states-dt-property-in-genpd-when-parsing.patch new file mode 100644 index 00000000000..b99a71f9cfd --- /dev/null +++ b/queue-5.6/pm-domains-allow-no-domain-idle-states-dt-property-in-genpd-when-parsing.patch @@ -0,0 +1,41 @@ +From 56cb26891ea4180121265dc6b596015772c4a4b8 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Tue, 10 Mar 2020 11:40:23 +0100 +Subject: PM / Domains: Allow no domain-idle-states DT property in genpd when parsing + +From: Ulf Hansson + +commit 56cb26891ea4180121265dc6b596015772c4a4b8 upstream. + +Commit 2c361684803e ("PM / Domains: Don't treat zero found compatible idle +states as an error"), moved of_genpd_parse_idle_states() towards allowing +none compatible idle state to be found for the device node, rather than +returning an error code. + +However, it didn't consider that the "domain-idle-states" DT property may +be missing as it's optional, which makes of_count_phandle_with_args() to +return -ENOENT. Let's fix this to make the behaviour consistent. + +Fixes: 2c361684803e ("PM / Domains: Don't treat zero found compatible idle states as an error") +Reported-by: Benjamin Gaignard +Cc: 4.20+ # 4.20+ +Reviewed-by: Sudeep Holla +Signed-off-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/domain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -2653,7 +2653,7 @@ static int genpd_iterate_idle_states(str + + ret = of_count_phandle_with_args(dn, "domain-idle-states", NULL); + if (ret <= 0) +- return ret; ++ return ret == -ENOENT ? 0 : ret; + + /* Loop over the phandles until all the requested entry is found */ + of_for_each_phandle(&it, ret, dn, "domain-idle-states", NULL, 0) { diff --git a/queue-5.6/pm-sleep-wakeup-skip-wakeup_source_sysfs_remove-if-device-is-not-there.patch b/queue-5.6/pm-sleep-wakeup-skip-wakeup_source_sysfs_remove-if-device-is-not-there.patch new file mode 100644 index 00000000000..87992f0a85e --- /dev/null +++ b/queue-5.6/pm-sleep-wakeup-skip-wakeup_source_sysfs_remove-if-device-is-not-there.patch @@ -0,0 +1,37 @@ +From 87de6594dc45dbf6819f3e0ef92f9331c5a9444c Mon Sep 17 00:00:00 2001 +From: Neeraj Upadhyay +Date: Mon, 23 Mar 2020 10:38:51 +0530 +Subject: PM: sleep: wakeup: Skip wakeup_source_sysfs_remove() if device is not there + +From: Neeraj Upadhyay + +commit 87de6594dc45dbf6819f3e0ef92f9331c5a9444c upstream. + +Skip wakeup_source_sysfs_remove() to fix a NULL pinter dereference via +ws->dev, if the wakeup source is unregistered before registering the +wakeup class from device_add(). + +Fixes: 2ca3d1ecb8c4 ("PM / wakeup: Register wakeup class kobj after device is added") +Signed-off-by: Neeraj Upadhyay +Cc: 5.4+ # 5.4+ +[ rjw: Subject & changelog, white space ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/wakeup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/base/power/wakeup.c ++++ b/drivers/base/power/wakeup.c +@@ -241,7 +241,9 @@ void wakeup_source_unregister(struct wak + { + if (ws) { + wakeup_source_remove(ws); +- wakeup_source_sysfs_remove(ws); ++ if (ws->dev) ++ wakeup_source_sysfs_remove(ws); ++ + wakeup_source_destroy(ws); + } + } diff --git a/queue-5.6/pstore-pstore_ftrace_seq_next-should-increase-position-index.patch b/queue-5.6/pstore-pstore_ftrace_seq_next-should-increase-position-index.patch new file mode 100644 index 00000000000..28ccf30a1da --- /dev/null +++ b/queue-5.6/pstore-pstore_ftrace_seq_next-should-increase-position-index.patch @@ -0,0 +1,81 @@ +From 6c871b7314dde9ab64f20de8f5aa3d01be4518e8 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 25 Feb 2020 11:11:20 +0300 +Subject: pstore: pstore_ftrace_seq_next should increase position index + +From: Vasily Averin + +commit 6c871b7314dde9ab64f20de8f5aa3d01be4518e8 upstream. + +In Aug 2018 NeilBrown noticed +commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") +"Some ->next functions do not increment *pos when they return NULL... +Note that such ->next functions are buggy and should be fixed. +A simple demonstration is + + dd if=/proc/swaps bs=1000 skip=1 + +Choose any block size larger than the size of /proc/swaps. This will +always show the whole last line of /proc/swaps" + +/proc/swaps output was fixed recently, however there are lot of other +affected files, and one of them is related to pstore subsystem. + +If .next function does not change position index, following .show function +will repeat output related to current position index. + +There are at least 2 related problems: +- read after lseek beyond end of file, described above by NeilBrown + "dd if= bs=1000 skip=1" will generate whole last list +- read after lseek on in middle of last line will output expected rest of + last line but then repeat whole last line once again. + +If .show() function generates multy-line output (like +pstore_ftrace_seq_show() does ?) following bash script cycles endlessly + + $ q=;while read -r r;do echo "$((++q)) $r";done < AFFECTED_FILE + +Unfortunately I'm not familiar enough to pstore subsystem and was unable +to find affected pstore-related file on my test node. + +If .next function does not change position index, following .show function +will repeat output related to current position index. + +Cc: stable@vger.kernel.org +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code ...") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=206283 +Signed-off-by: Vasily Averin +Link: https://lore.kernel.org/r/4e49830d-4c88-0171-ee24-1ee540028dad@virtuozzo.com +[kees: with robustness tweak from Joel Fernandes ] +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + fs/pstore/inode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/pstore/inode.c ++++ b/fs/pstore/inode.c +@@ -87,11 +87,11 @@ static void *pstore_ftrace_seq_next(stru + struct pstore_private *ps = s->private; + struct pstore_ftrace_seq_data *data = v; + ++ (*pos)++; + data->off += REC_SIZE; + if (data->off + REC_SIZE > ps->total_size) + return NULL; + +- (*pos)++; + return data; + } + +@@ -101,6 +101,9 @@ static int pstore_ftrace_seq_show(struct + struct pstore_ftrace_seq_data *data = v; + struct pstore_ftrace_record *rec; + ++ if (!data) ++ return 0; ++ + rec = (struct pstore_ftrace_record *)(ps->record->buf + data->off); + + seq_printf(s, "CPU:%d ts:%llu %08lx %08lx %ps <- %pS\n", diff --git a/queue-5.6/rcu-make-rcu_barrier-account-for-offline-no-cbs-cpus.patch b/queue-5.6/rcu-make-rcu_barrier-account-for-offline-no-cbs-cpus.patch new file mode 100644 index 00000000000..5954b391c68 --- /dev/null +++ b/queue-5.6/rcu-make-rcu_barrier-account-for-offline-no-cbs-cpus.patch @@ -0,0 +1,122 @@ +From 127e29815b4b2206c0a97ac1d83f92ffc0e25c34 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Tue, 11 Feb 2020 06:17:33 -0800 +Subject: rcu: Make rcu_barrier() account for offline no-CBs CPUs + +From: Paul E. McKenney + +commit 127e29815b4b2206c0a97ac1d83f92ffc0e25c34 upstream. + +Currently, rcu_barrier() ignores offline CPUs, However, it is possible +for an offline no-CBs CPU to have callbacks queued, and rcu_barrier() +must wait for those callbacks. This commit therefore makes rcu_barrier() +directly invoke the rcu_barrier_func() with interrupts disabled for such +CPUs. This requires passing the CPU number into this function so that +it can entrain the rcu_barrier() callback onto the correct CPU's callback +list, given that the code must instead execute on the current CPU. + +While in the area, this commit fixes a bug where the first CPU's callback +might have been invoked before rcu_segcblist_entrain() returned, which +would also result in an early wakeup. + +Fixes: 5d6742b37727 ("rcu/nocb: Use rcu_segcblist for no-CBs CPUs") +Signed-off-by: Paul E. McKenney +[ paulmck: Apply optimization feedback from Boqun Feng. ] +Cc: # 5.5.x +Signed-off-by: Greg Kroah-Hartman + +--- + include/trace/events/rcu.h | 1 + + kernel/rcu/tree.c | 36 ++++++++++++++++++++++++------------ + 2 files changed, 25 insertions(+), 12 deletions(-) + +--- a/include/trace/events/rcu.h ++++ b/include/trace/events/rcu.h +@@ -712,6 +712,7 @@ TRACE_EVENT_RCU(rcu_torture_read, + * "Begin": rcu_barrier() started. + * "EarlyExit": rcu_barrier() piggybacked, thus early exit. + * "Inc1": rcu_barrier() piggyback check counter incremented. ++ * "OfflineNoCBQ": rcu_barrier() found offline no-CBs CPU with callbacks. + * "OnlineQ": rcu_barrier() found online CPU with callbacks. + * "OnlineNQ": rcu_barrier() found online CPU, no callbacks. + * "IRQ": An rcu_barrier_callback() callback posted on remote CPU. +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -3090,9 +3090,10 @@ static void rcu_barrier_callback(struct + /* + * Called with preemption disabled, and from cross-cpu IRQ context. + */ +-static void rcu_barrier_func(void *unused) ++static void rcu_barrier_func(void *cpu_in) + { +- struct rcu_data *rdp = raw_cpu_ptr(&rcu_data); ++ uintptr_t cpu = (uintptr_t)cpu_in; ++ struct rcu_data *rdp = per_cpu_ptr(&rcu_data, cpu); + + rcu_barrier_trace(TPS("IRQ"), -1, rcu_state.barrier_sequence); + rdp->barrier_head.func = rcu_barrier_callback; +@@ -3119,7 +3120,7 @@ static void rcu_barrier_func(void *unuse + */ + void rcu_barrier(void) + { +- int cpu; ++ uintptr_t cpu; + struct rcu_data *rdp; + unsigned long s = rcu_seq_snap(&rcu_state.barrier_sequence); + +@@ -3142,13 +3143,14 @@ void rcu_barrier(void) + rcu_barrier_trace(TPS("Inc1"), -1, rcu_state.barrier_sequence); + + /* +- * Initialize the count to one rather than to zero in order to +- * avoid a too-soon return to zero in case of a short grace period +- * (or preemption of this task). Exclude CPU-hotplug operations +- * to ensure that no offline CPU has callbacks queued. ++ * Initialize the count to two rather than to zero in order ++ * to avoid a too-soon return to zero in case of an immediate ++ * invocation of the just-enqueued callback (or preemption of ++ * this task). Exclude CPU-hotplug operations to ensure that no ++ * offline non-offloaded CPU has callbacks queued. + */ + init_completion(&rcu_state.barrier_completion); +- atomic_set(&rcu_state.barrier_cpu_count, 1); ++ atomic_set(&rcu_state.barrier_cpu_count, 2); + get_online_cpus(); + + /* +@@ -3158,13 +3160,23 @@ void rcu_barrier(void) + */ + for_each_possible_cpu(cpu) { + rdp = per_cpu_ptr(&rcu_data, cpu); +- if (!cpu_online(cpu) && ++ if (cpu_is_offline(cpu) && + !rcu_segcblist_is_offloaded(&rdp->cblist)) + continue; +- if (rcu_segcblist_n_cbs(&rdp->cblist)) { ++ if (rcu_segcblist_n_cbs(&rdp->cblist) && cpu_online(cpu)) { + rcu_barrier_trace(TPS("OnlineQ"), cpu, + rcu_state.barrier_sequence); +- smp_call_function_single(cpu, rcu_barrier_func, NULL, 1); ++ smp_call_function_single(cpu, rcu_barrier_func, (void *)cpu, 1); ++ } else if (rcu_segcblist_n_cbs(&rdp->cblist) && ++ cpu_is_offline(cpu)) { ++ rcu_barrier_trace(TPS("OfflineNoCBQ"), cpu, ++ rcu_state.barrier_sequence); ++ local_irq_disable(); ++ rcu_barrier_func((void *)cpu); ++ local_irq_enable(); ++ } else if (cpu_is_offline(cpu)) { ++ rcu_barrier_trace(TPS("OfflineNoCBNoQ"), cpu, ++ rcu_state.barrier_sequence); + } else { + rcu_barrier_trace(TPS("OnlineNQ"), cpu, + rcu_state.barrier_sequence); +@@ -3176,7 +3188,7 @@ void rcu_barrier(void) + * Now that we have an rcu_barrier_callback() callback on each + * CPU, and thus each counted, remove the initial count. + */ +- if (atomic_dec_and_test(&rcu_state.barrier_cpu_count)) ++ if (atomic_sub_and_test(2, &rcu_state.barrier_cpu_count)) + complete(&rcu_state.barrier_completion); + + /* Wait for all rcu_barrier_callback() callbacks to be invoked. */ diff --git a/queue-5.6/series b/queue-5.6/series index 3413ab1852b..6c974d7c300 100644 --- a/queue-5.6/series +++ b/queue-5.6/series @@ -108,3 +108,15 @@ tpm-tpm1_bios_measurements_next-should-increase-position-index.patch tpm-tpm2_bios_measurements_next-should-increase-position-index.patch keys-reaching-the-keys-quotas-correctly.patch mmc-mmci_sdmmc-fix-clear-busyd0end-irq-flag.patch +rcu-make-rcu_barrier-account-for-offline-no-cbs-cpus.patch +cpu-hotplug-ignore-pm_wakeup_pending-for-disable_nonboot_cpus.patch +genirq-debugfs-add-missing-sanity-checks-to-interrupt-injection.patch +irqchip-versatile-fpga-apply-clear-mask-earlier.patch +io_uring-ensure-openat-sets-o_largefile-if-needed.patch +io_uring-remove-bogus-rlimit_nofile-check-in-file-registration.patch +io_uring-fix-ctx-refcounting-in-io_submit_sqes.patch +pstore-pstore_ftrace_seq_next-should-increase-position-index.patch +mips-tlbex-fix-lddir-usage-in-setup_pw-for-loongson-3.patch +mips-octeon-irq-fix-potential-null-pointer-dereference.patch +pm-domains-allow-no-domain-idle-states-dt-property-in-genpd-when-parsing.patch +pm-sleep-wakeup-skip-wakeup_source_sysfs_remove-if-device-is-not-there.patch