From: Greg Kroah-Hartman Date: Mon, 26 Jul 2021 08:21:02 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.277~68 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6762b075207cf86e1df5a67a66e1a21a2581c84b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-sb-fix-potential-abba-deadlock-in-csp-driver.patch s390-ftrace-fix-ftrace_update_ftrace_func-implementation.patch xhci-fix-lost-usb-2-remote-wake.patch --- diff --git a/queue-4.9/alsa-sb-fix-potential-abba-deadlock-in-csp-driver.patch b/queue-4.9/alsa-sb-fix-potential-abba-deadlock-in-csp-driver.patch new file mode 100644 index 00000000000..15c3be269a5 --- /dev/null +++ b/queue-4.9/alsa-sb-fix-potential-abba-deadlock-in-csp-driver.patch @@ -0,0 +1,75 @@ +From 1c2b9519159b470ef24b2638f4794e86e2952ab7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 16 Jul 2021 15:27:23 +0200 +Subject: ALSA: sb: Fix potential ABBA deadlock in CSP driver + +From: Takashi Iwai + +commit 1c2b9519159b470ef24b2638f4794e86e2952ab7 upstream. + +SB16 CSP driver may hit potentially a typical ABBA deadlock in two +code paths: + + In snd_sb_csp_stop(): + spin_lock_irqsave(&p->chip->mixer_lock, flags); + spin_lock(&p->chip->reg_lock); + + In snd_sb_csp_load(): + spin_lock_irqsave(&p->chip->reg_lock, flags); + spin_lock(&p->chip->mixer_lock); + +Also the similar pattern is seen in snd_sb_csp_start(). + +Although the practical impact is very small (those states aren't +triggered in the same running state and this happens only on a real +hardware, decades old ISA sound boards -- which must be very difficult +to find nowadays), it's a real scenario and has to be fixed. + +This patch addresses those deadlocks by splitting the locks in +snd_sb_csp_start() and snd_sb_csp_stop() for avoiding the nested +locks. + +Reported-by: Jia-Ju Bai +Cc: +Link: https://lore.kernel.org/r/7b0fcdaf-cd4f-4728-2eae-48c151a92e10@gmail.com +Link: https://lore.kernel.org/r/20210716132723.13216-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/sb/sb16_csp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/isa/sb/sb16_csp.c ++++ b/sound/isa/sb/sb16_csp.c +@@ -828,6 +828,7 @@ static int snd_sb_csp_start(struct snd_s + mixR = snd_sbmixer_read(p->chip, SB_DSP4_PCM_DEV + 1); + snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL & 0x7); + snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR & 0x7); ++ spin_unlock_irqrestore(&p->chip->mixer_lock, flags); + + spin_lock(&p->chip->reg_lock); + set_mode_register(p->chip, 0xc0); /* c0 = STOP */ +@@ -867,6 +868,7 @@ static int snd_sb_csp_start(struct snd_s + spin_unlock(&p->chip->reg_lock); + + /* restore PCM volume */ ++ spin_lock_irqsave(&p->chip->mixer_lock, flags); + snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL); + snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR); + spin_unlock_irqrestore(&p->chip->mixer_lock, flags); +@@ -892,6 +894,7 @@ static int snd_sb_csp_stop(struct snd_sb + mixR = snd_sbmixer_read(p->chip, SB_DSP4_PCM_DEV + 1); + snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL & 0x7); + snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR & 0x7); ++ spin_unlock_irqrestore(&p->chip->mixer_lock, flags); + + spin_lock(&p->chip->reg_lock); + if (p->running & SNDRV_SB_CSP_ST_QSOUND) { +@@ -906,6 +909,7 @@ static int snd_sb_csp_stop(struct snd_sb + spin_unlock(&p->chip->reg_lock); + + /* restore PCM volume */ ++ spin_lock_irqsave(&p->chip->mixer_lock, flags); + snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV, mixL); + snd_sbmixer_write(p->chip, SB_DSP4_PCM_DEV + 1, mixR); + spin_unlock_irqrestore(&p->chip->mixer_lock, flags); diff --git a/queue-4.9/s390-ftrace-fix-ftrace_update_ftrace_func-implementation.patch b/queue-4.9/s390-ftrace-fix-ftrace_update_ftrace_func-implementation.patch new file mode 100644 index 00000000000..ea3581f2ff4 --- /dev/null +++ b/queue-4.9/s390-ftrace-fix-ftrace_update_ftrace_func-implementation.patch @@ -0,0 +1,129 @@ +From f8c2602733c953ed7a16e060640b8e96f9d94b9b Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Fri, 25 Jun 2021 23:50:07 +0200 +Subject: s390/ftrace: fix ftrace_update_ftrace_func implementation + +From: Vasily Gorbik + +commit f8c2602733c953ed7a16e060640b8e96f9d94b9b upstream. + +s390 enforces DYNAMIC_FTRACE if FUNCTION_TRACER is selected. +At the same time implementation of ftrace_caller is not compliant with +HAVE_DYNAMIC_FTRACE since it doesn't provide implementation of +ftrace_update_ftrace_func() and calls ftrace_trace_function() directly. + +The subtle difference is that during ftrace code patching ftrace +replaces function tracer via ftrace_update_ftrace_func() and activates +it back afterwards. Unexpected direct calls to ftrace_trace_function() +during ftrace code patching leads to nullptr-dereferences when tracing +is activated for one of functions which are used during code patching. +Those function currently are: +copy_from_kernel_nofault() +copy_from_kernel_nofault_allowed() +preempt_count_sub() [with debug_defconfig] +preempt_count_add() [with debug_defconfig] + +Corresponding KASAN report: + BUG: KASAN: nullptr-dereference in function_trace_call+0x316/0x3b0 + Read of size 4 at addr 0000000000001e08 by task migration/0/15 + + CPU: 0 PID: 15 Comm: migration/0 Tainted: G B 5.13.0-41423-g08316af3644d + Hardware name: IBM 3906 M04 704 (LPAR) + Stopper: multi_cpu_stop+0x0/0x3e0 <- stop_machine_cpuslocked+0x1e4/0x218 + Call Trace: + [<0000000001f77caa>] show_stack+0x16a/0x1d0 + [<0000000001f8de42>] dump_stack+0x15a/0x1b0 + [<0000000001f81d56>] print_address_description.constprop.0+0x66/0x2e0 + [<000000000082b0ca>] kasan_report+0x152/0x1c0 + [<00000000004cfd8e>] function_trace_call+0x316/0x3b0 + [<0000000001fb7082>] ftrace_caller+0x7a/0x7e + [<00000000006bb3e6>] copy_from_kernel_nofault_allowed+0x6/0x10 + [<00000000006bb42e>] copy_from_kernel_nofault+0x3e/0xd0 + [<000000000014605c>] ftrace_make_call+0xb4/0x1f8 + [<000000000047a1b4>] ftrace_replace_code+0x134/0x1d8 + [<000000000047a6e0>] ftrace_modify_all_code+0x120/0x1d0 + [<000000000047a7ec>] __ftrace_modify_code+0x5c/0x78 + [<000000000042395c>] multi_cpu_stop+0x224/0x3e0 + [<0000000000423212>] cpu_stopper_thread+0x33a/0x5a0 + [<0000000000243ff2>] smpboot_thread_fn+0x302/0x708 + [<00000000002329ea>] kthread+0x342/0x408 + [<00000000001066b2>] __ret_from_fork+0x92/0xf0 + [<0000000001fb57fa>] ret_from_fork+0xa/0x30 + + The buggy address belongs to the page: + page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1 + flags: 0x1ffff00000001000(reserved|node=0|zone=0|lastcpupid=0x1ffff) + raw: 1ffff00000001000 0000040000000048 0000040000000048 0000000000000000 + raw: 0000000000000000 0000000000000000 ffffffff00000001 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + 0000000000001d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 + 0000000000001d80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 + >0000000000001e00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 + ^ + 0000000000001e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 + 0000000000001f00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 + ================================================================== + +To fix that introduce ftrace_func callback to be called from +ftrace_caller and update it in ftrace_update_ftrace_func(). + +Fixes: 4cc9bed034d1 ("[S390] cleanup ftrace backend functions") +Cc: stable@vger.kernel.org +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/ftrace.h | 1 + + arch/s390/kernel/ftrace.c | 2 ++ + arch/s390/kernel/mcount.S | 4 ++-- + 3 files changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/s390/include/asm/ftrace.h ++++ b/arch/s390/include/asm/ftrace.h +@@ -19,6 +19,7 @@ void ftrace_caller(void); + + extern char ftrace_graph_caller_end; + extern unsigned long ftrace_plt; ++extern void *ftrace_func; + + struct dyn_arch_ftrace { }; + +--- a/arch/s390/kernel/ftrace.c ++++ b/arch/s390/kernel/ftrace.c +@@ -55,6 +55,7 @@ + * > brasl %r0,ftrace_caller # offset 0 + */ + ++void *ftrace_func __read_mostly = ftrace_stub; + unsigned long ftrace_plt; + + static inline void ftrace_generate_orig_insn(struct ftrace_insn *insn) +@@ -164,6 +165,7 @@ int ftrace_make_call(struct dyn_ftrace * + + int ftrace_update_ftrace_func(ftrace_func_t func) + { ++ ftrace_func = func; + return 0; + } + +--- a/arch/s390/kernel/mcount.S ++++ b/arch/s390/kernel/mcount.S +@@ -59,13 +59,13 @@ ENTRY(ftrace_caller) + #ifdef CONFIG_HAVE_MARCH_Z196_FEATURES + aghik %r2,%r0,-MCOUNT_INSN_SIZE + lgrl %r4,function_trace_op +- lgrl %r1,ftrace_trace_function ++ lgrl %r1,ftrace_func + #else + lgr %r2,%r0 + aghi %r2,-MCOUNT_INSN_SIZE + larl %r4,function_trace_op + lg %r4,0(%r4) +- larl %r1,ftrace_trace_function ++ larl %r1,ftrace_func + lg %r1,0(%r1) + #endif + lgr %r3,%r14 diff --git a/queue-4.9/series b/queue-4.9/series index d8a2729a339..d4cf565e69d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -41,3 +41,6 @@ scsi-target-fix-protect-handling-in-write-same-32.patch revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch proc-avoid-mixing-integer-types-in-mem_rw.patch revert-mips-add-pmd-table-accounting-into-mips-pmd_alloc_one.patch +s390-ftrace-fix-ftrace_update_ftrace_func-implementation.patch +alsa-sb-fix-potential-abba-deadlock-in-csp-driver.patch +xhci-fix-lost-usb-2-remote-wake.patch diff --git a/queue-4.9/xhci-fix-lost-usb-2-remote-wake.patch b/queue-4.9/xhci-fix-lost-usb-2-remote-wake.patch new file mode 100644 index 00000000000..b53cef18aa0 --- /dev/null +++ b/queue-4.9/xhci-fix-lost-usb-2-remote-wake.patch @@ -0,0 +1,69 @@ +From 72f68bf5c756f5ce1139b31daae2684501383ad5 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 15 Jul 2021 18:06:51 +0300 +Subject: xhci: Fix lost USB 2 remote wake + +From: Mathias Nyman + +commit 72f68bf5c756f5ce1139b31daae2684501383ad5 upstream. + +There's a small window where a USB 2 remote wake may be left unhandled +due to a race between hub thread and xhci port event interrupt handler. + +When the resume event is detected in the xhci interrupt handler it kicks +the hub timer, which should move the port from resume to U0 once resume +has been signalled for long enough. + +To keep the hub "thread" running we set a bus_state->resuming_ports flag. +This flag makes sure hub timer function kicks itself. + +checking this flag was not properly protected by the spinlock. Flag was +copied to a local variable before lock was taken. The local variable was +then checked later with spinlock held. + +If interrupt is handled right after copying the flag to the local variable +we end up stopping the hub thread before it can handle the USB 2 resume. + +CPU0 CPU1 +(hub thread) (xhci event handler) + +xhci_hub_status_data() +status = bus_state->resuming_ports; + + handle_port_status() + spin_lock() + bus_state->resuming_ports = 1 + set_flag(HCD_FLAG_POLL_RH) + spin_unlock() +spin_lock() +if (!status) + clear_flag(HCD_FLAG_POLL_RH) +spin_unlock() + +Fix this by taking the lock a bit earlier so that it covers +the resuming_ports flag copy in the hub thread + +Cc: +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210715150651.1996099-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-hub.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -1292,11 +1292,12 @@ int xhci_hub_status_data(struct usb_hcd + * Inform the usbcore about resume-in-progress by returning + * a non-zero value even if there are no status changes. + */ ++ spin_lock_irqsave(&xhci->lock, flags); ++ + status = bus_state->resuming_ports; + + mask = PORT_CSC | PORT_PEC | PORT_OCC | PORT_PLC | PORT_WRC | PORT_CEC; + +- spin_lock_irqsave(&xhci->lock, flags); + /* For each port, did anything change? If so, set that bit in buf. */ + for (i = 0; i < max_ports; i++) { + temp = readl(port_array[i]);