From 13100aed48e75f7ce1b9ad5832e54c5342c3e45f Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 29 May 2020 11:05:02 -0400
Subject: [PATCH] Fixes for 4.9

Signed-off-by: Sasha Levin
---
 ...ace-between-read_waiter-and-read_cop.patch | 126 ++++++++++++++++++
 ...-fix-null-pointer-check-in-cifs_read.patch | 36 +++++
 ...quota_unhold-if-quotas-are-not-locke.patch | 46 +++++++
 ...eged-user-check-to-gfs2_quota_lock_c.patch | 57 ++++++++
 ...a-mask-gpio-irqs-during-irq-shutdown.patch | 39 ++++++
 ...p-encx24j600-add-missed-kthread_stop.patch | 53 ++++++++
 queue-4.9/series | 7 +
 ...y-fix-redundant-initialization-warni.patch | 63 +++++++++
 8 files changed, 427 insertions(+)
 create mode 100644 queue-4.9/cachefiles-fix-race-between-read_waiter-and-read_cop.patch
 create mode 100644 queue-4.9/cifs-fix-null-pointer-check-in-cifs_read.patch
 create mode 100644 queue-4.9/gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch
 create mode 100644 queue-4.9/gfs2-move-privileged-user-check-to-gfs2_quota_lock_c.patch
 create mode 100644 queue-4.9/gpio-tegra-mask-gpio-irqs-during-irq-shutdown.patch
 create mode 100644 queue-4.9/net-microchip-encx24j600-add-missed-kthread_stop.patch
 create mode 100644 queue-4.9/usb-gadget-legacy-fix-redundant-initialization-warni.patch
diff --git a/queue-4.9/cachefiles-fix-race-between-read_waiter-and-read_cop.patch b/queue-4.9/cachefiles-fix-race-between-read_waiter-and-read_cop.patch
new file mode 100644
index 00000000000..120cf65cb24
--- /dev/null
+++ b/queue-4.9/cachefiles-fix-race-between-read_waiter-and-read_cop.patch
@@ -0,0 +1,126 @@
+From 6934e49fed782748e5c2aa77d9ef648b0faa75e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 May 2020 08:50:22 -0400
+Subject: cachefiles: Fix race between read_waiter and read_copier involving
+ op->to_do
+
+From: Lei Xue
+
+[ Upstream commit 7bb0c5338436dae953622470d52689265867f032 ]
+
+There is a potential race in fscache operation enqueuing for reading and
+copying multiple pages from cachefiles to netfs. The problem can be seen
+easily on a heavy loaded system (for example many processes reading files
+continually on an NFS share covered by fscache triggered this problem within
+a few minutes).
+
+The race is due to cachefiles_read_waiter() adding the op to the monitor
+to_do list and then then drop the object->work_lock spinlock before
+completing fscache_enqueue_operation(). Once the lock is dropped,
+cachefiles_read_copier() grabs the op, completes processing it, and
+makes it through fscache_retrieval_complete() which sets the op->state to
+the final state of FSCACHE_OP_ST_COMPLETE(4). When cachefiles_read_waiter()
+finally gets through the remainder of fscache_enqueue_operation()
+it sees the invalid state, and hits the ASSERTCMP and the following
+oops is seen:
+[ 2259.612361] FS-Cache:
+[ 2259.614785] FS-Cache: Assertion failed
+[ 2259.618639] FS-Cache: 4 == 5 is false
+[ 2259.622456] ------------[ cut here ]------------
+[ 2259.627190] kernel BUG at fs/fscache/operation.c:70!
+...
+[ 2259.791675] RIP: 0010:[] [] fscache_enqueue_operation+0xff/0x170 [fscache]
+[ 2259.802059] RSP: 0000:ffffa0263d543be0 EFLAGS: 00010046
+[ 2259.807521] RAX: 0000000000000019 RBX: ffffa01a4d390480 RCX: 0000000000000006
+[ 2259.814847] RDX: 0000000000000000 RSI: 0000000000000046 RDI: ffffa0263d553890
+[ 2259.822176] RBP: ffffa0263d543be8 R08: 0000000000000000 R09: ffffa0263c2d8708
+[ 2259.829502] R10: 0000000000001e7f R11: 0000000000000000 R12: ffffa01a4d390480
+[ 2259.844483] R13: ffff9fa9546c5920 R14: ffffa0263d543c80 R15: ffffa0293ff9bf10
+[ 2259.859554] FS: 00007f4b6efbd700(0000) GS:ffffa0263d540000(0000) knlGS:0000000000000000
+[ 2259.875571] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2259.889117] CR2: 00007f49e1624ff0 CR3: 0000012b38b38000 CR4: 00000000007607e0
+[ 2259.904015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 2259.918764] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 2259.933449] PKRU: 55555554
+[ 2259.943654] Call Trace:
+[ 2259.953592]
+[ 2259.955577] [] cachefiles_read_waiter+0x92/0xf0 [cachefiles]
+[ 2259.978039] [] __wake_up_common+0x82/0x120
+[ 2259.991392] [] __wake_up_common_lock+0x83/0xc0
+[ 2260.004930] [] ? task_rq_unlock+0x20/0x20
+[ 2260.017863] [] __wake_up+0x13/0x20
+[ 2260.030230] [] __wake_up_bit+0x50/0x70
+[ 2260.042535] [] unlock_page+0x2b/0x30
+[ 2260.054495] [] page_endio+0x29/0x90
+[ 2260.066184] [] mpage_end_io+0x51/0x80
+
+CPU1
+cachefiles_read_waiter()
+ 20 static int cachefiles_read_waiter(wait_queue_entry_t *wait, unsigned mode,
+ 21 int sync, void *_key)
+ 22 {
+...
+ 61 spin_lock(&object->work_lock);
+ 62 list_add_tail(&monitor->op_link, &op->to_do);
+ 63 spin_unlock(&object->work_lock);
+
+ 64
+ 65 fscache_enqueue_retrieval(op);
+182 static inline void fscache_enqueue_retrieval(struct fscache_retrieval *op)
+183 {
+184 fscache_enqueue_operation(&op->op);
+185 }
+ 58 void fscache_enqueue_operation(struct fscache_operation *op)
+ 59 {
+ 60 struct fscache_cookie *cookie = op->object->cookie;
+ 61
+ 62 _enter("{OBJ%x OP%x,%u}",
+ 63 op->object->debug_id, op->debug_id, atomic_read(&op->usage));
+ 64
+ 65 ASSERT(list_empty(&op->pend_link));
+ 66 ASSERT(op->processor != NULL);
+ 67 ASSERT(fscache_object_is_available(op->object));
+ 68 ASSERTCMP(atomic_read(&op->usage), >, 0);
+
+
+CPU2
+cachefiles_read_copier()
+168 while (!list_empty(&op->to_do)) {
+...
+202 fscache_end_io(op, monitor->netfs_page, error);
+203 put_page(monitor->netfs_page);
+204 fscache_retrieval_complete(op, 1);
+
+CPU1
+ 58 void fscache_enqueue_operation(struct fscache_operation *op)
+ 59 {
+...
+ 69 ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS,
+ 70 op->state, ==, FSCACHE_OP_ST_CANCELLED);
+
+Signed-off-by: Lei Xue
+Signed-off-by: Dave Wysochanski
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+---
+ fs/cachefiles/rdwr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
+index 799b59d96fe2..7dba96d5fef1 100644
+--- a/fs/cachefiles/rdwr.c
++++ b/fs/cachefiles/rdwr.c
+@@ -64,9 +64,9 @@ static int cachefiles_read_waiter(wait_queue_t *wait, unsigned mode,
+ object = container_of(op->op.object, struct cachefiles_object, fscache);
+ spin_lock(&object->work_lock);
+ list_add_tail(&monitor->op_link, &op->to_do);
++ fscache_enqueue_retrieval(op);
+ spin_unlock(&object->work_lock);
+
+- fscache_enqueue_retrieval(op);
+ fscache_put_retrieval(op);
+ return 0;
+ }
+--
+2.25.1
+
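Review bot: The moved `fscache_enqueue_retrieval(op);` in cachefiles_read_waiter has no comment saying why it must sit inside the work_lock critical section, so the next person tidying the lock scope could move it back out and silently reopen the race. The reason is only in the description: once the lock is dropped, cachefiles_read_copier can take the op off to_do and run it through fscache_retrieval_complete before fscache_enqueue_operation checks its state. Suggest `/* Enqueue under work_lock: once it is dropped, read_copier may complete the op before enqueue_operation sees its state. */` on that line. cachefiles_read_waiter's body begins outside the hunk.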
diff --git a/queue-4.9/cifs-fix-null-pointer-check-in-cifs_read.patch b/queue-4.9/cifs-fix-null-pointer-check-in-cifs_read.patch
new file mode 100644
index 00000000000..b3030e67fd7
--- /dev/null
+++ b/queue-4.9/cifs-fix-null-pointer-check-in-cifs_read.patch
@@ -0,0 +1,36 @@
+From 7b75e67abcafeaf9ec30706da3f00be7972aaa98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 May 2020 10:27:16 -0500
+Subject: cifs: Fix null pointer check in cifs_read
+
+From: Steve French
+
+[ Upstream commit 9bd21d4b1a767c3abebec203342f3820dcb84662 ]
+
+Coverity scan noted a redundant null check
+
+Coverity-id: 728517
+Reported-by: Coverity
+Signed-off-by: Steve French
+Reviewed-by: Shyam Prasad N
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 09d83275c20b..b2919166855f 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -3293,7 +3293,7 @@ cifs_read(struct file *file, char *read_data, size_t read_size, loff_t *offset)
+ * than it negotiated since it will refuse the read
+ * then.
+ */
+- if ((tcon->ses) && !(tcon->ses->capabilities &
++ if (!(tcon->ses->capabilities &
+ tcon->ses->server->vals->cap_large_files)) {
+ current_read_size = min_t(uint,
+ current_read_size, CIFSMaxBufSize);
+--
+2.25.1
+
diff --git a/queue-4.9/gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch b/queue-4.9/gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch
new file mode 100644
index 00000000000..af8611f7acc
--- /dev/null
+++ b/queue-4.9/gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch
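Review bot: Dropping `(tcon->ses) &&` from the condition in cifs_read is only safe because tcon->ses is presumably dereferenced unconditionally earlier in the function, which is what Coverity's "redundant" finding implies but the hunk does not show; the start of cifs_read is outside the hunk. Since this is a backport onto a different baseline, it is worth confirming that the 4.9 copy of cifs_read has that earlier dereference before the check at line 3293 rather than relying on the upstream layout.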
@@ -0,0 +1,46 @@
+From 7407c72f786d0111927ca58d08a516cf30453483 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 May 2020 11:55:03 -0500
+Subject: gfs2: don't call quota_unhold if quotas are not locked
+
+From: Bob Peterson
+
+[ Upstream commit c9cb9e381985bbbe8acd2695bbe6bd24bf06b81c ]
+
+Before this patch, function gfs2_quota_unlock checked if quotas are
+turned off, and if so, it branched to label out, which called
+gfs2_quota_unhold. With the new system of gfs2_qa_get and put, we
+no longer want to call gfs2_quota_unhold or we won't balance our
+gets and puts.
+
+Signed-off-by: Bob Peterson
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/quota.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
+index fb9b1d702351..fb2e0ad945bf 100644
+--- a/fs/gfs2/quota.c
++++ b/fs/gfs2/quota.c
+@@ -1112,7 +1112,7 @@ void gfs2_quota_unlock(struct gfs2_inode *ip)
+ int found;
+
+ if (!test_and_clear_bit(GIF_QD_LOCKED, &ip->i_flags))
+- goto out;
++ return;
+
+ for (x = 0; x < ip->i_qadata->qa_qd_num; x++) {
+ struct gfs2_quota_data *qd;
+@@ -1149,7 +1149,6 @@ void gfs2_quota_unlock(struct gfs2_inode *ip)
+ qd_unlock(qda[x]);
+ }
+
+-out:
+ gfs2_quota_unhold(ip);
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.9/gfs2-move-privileged-user-check-to-gfs2_quota_lock_c.patch b/queue-4.9/gfs2-move-privileged-user-check-to-gfs2_quota_lock_c.patch
new file mode 100644
index 00000000000..e39549d7dad
--- /dev/null
+++ b/queue-4.9/gfs2-move-privileged-user-check-to-gfs2_quota_lock_c.patch
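Review bot: The justification given for the early `return;` in gfs2_quota_unlock is the gfs2_qa_get/put pairing, but nothing in this 4.9 hunk references gfs2_qa_get or gfs2_qa_put, so the backport needs its own argument: after this change a caller that reaches gfs2_quota_unlock without GIF_QD_LOCKED set no longer gets the gfs2_quota_unhold call, which is correct only if every such path in the 4.9 tree already balances its gfs2_quota_hold elsewhere. That holds if gfs2_quota_lock only takes the hold on the paths that also set GIF_QD_LOCKED, which cannot be verified from the hunk. Once confirmed, a one-liner would keep the next reader from re-adding the unhold: `return; /* never locked, so nothing is held */`. gfs2_quota_unlock's body continues between and around the two hunks.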
@@ -0,0 +1,57 @@
+From 9db7555e2816a8da68684a78bd5aa8ef1f249bca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 May 2020 11:53:21 -0500
+Subject: gfs2: move privileged user check to gfs2_quota_lock_check
+
+From: Bob Peterson
+
+[ Upstream commit 4ed0c30811cb4d30ef89850b787a53a84d5d2bcb ]
+
+Before this patch, function gfs2_quota_lock checked if it was called
+from a privileged user, and if so, it bypassed the quota check:
+superuser can operate outside the quotas.
+That's the wrong place for the check because the lock/unlock functions
+are separate from the lock_check function, and you can do lock and
+unlock without actually checking the quotas.
+
+This patch moves the check to gfs2_quota_lock_check.
+
+Signed-off-by: Bob Peterson
+Signed-off-by: Andreas Gruenbacher
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/quota.c | 3 +--
+ fs/gfs2/quota.h | 3 ++-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
+index c2ca9566b764..fb9b1d702351 100644
+--- a/fs/gfs2/quota.c
++++ b/fs/gfs2/quota.c
+@@ -1039,8 +1039,7 @@ int gfs2_quota_lock(struct gfs2_inode *ip, kuid_t uid, kgid_t gid)
+ u32 x;
+ int error = 0;
+
+- if (capable(CAP_SYS_RESOURCE) ||
+- sdp->sd_args.ar_quota != GFS2_QUOTA_ON)
++ if (sdp->sd_args.ar_quota != GFS2_QUOTA_ON)
+ return 0;
+
+ error = gfs2_quota_hold(ip, uid, gid);
+diff --git a/fs/gfs2/quota.h b/fs/gfs2/quota.h
+index 836f29480be6..e3a6e2404d11 100644
+--- a/fs/gfs2/quota.h
++++ b/fs/gfs2/quota.h
+@@ -47,7 +47,8 @@ static inline int gfs2_quota_lock_check(struct gfs2_inode *ip,
+ int ret;
+
+ ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */
+- if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF)
++ if (capable(CAP_SYS_RESOURCE) ||
++ sdp->sd_args.ar_quota == GFS2_QUOTA_OFF)
+ return 0;
+ ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE);
+ if (ret)
+--
+2.25.1
+
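Review bot: In the quota.h hunk the new condition evaluates `capable(CAP_SYS_RESOURCE)` before the mount-option test, so the capability check, which goes through the security hook and is auditable, runs on every gfs2_quota_lock_check call even on mounts with quotas off, where the cheap `ar_quota == GFS2_QUOTA_OFF` test alone would short-circuit. Swapping the operands keeps the result identical and avoids that: `if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF ||` / `    capable(CAP_SYS_RESOURCE))`. The same order was used in the old gfs2_quota_lock code the quota.c hunk removes, so this is a carried-over cost rather than a regression. gfs2_quota_lock_check starts and ends outside the hunk.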
diff --git a/queue-4.9/gpio-tegra-mask-gpio-irqs-during-irq-shutdown.patch b/queue-4.9/gpio-tegra-mask-gpio-irqs-during-irq-shutdown.patch
new file mode 100644
index 00000000000..0d9f8d21481
--- /dev/null
+++ b/queue-4.9/gpio-tegra-mask-gpio-irqs-during-irq-shutdown.patch
@@ -0,0 +1,39 @@
+From 58682eebed06b18fc5ce9ca0b932c33d5c80b38c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Apr 2020 17:26:05 -0600
+Subject: gpio: tegra: mask GPIO IRQs during IRQ shutdown
+
+From: Stephen Warren
+
+[ Upstream commit 0cf253eed5d2bdf7bb3152457b38f39b012955f7 ]
+
+The driver currently leaves GPIO IRQs unmasked even when the GPIO IRQ
+client has released the GPIO IRQ. This allows the HW to raise IRQs, and
+SW to process them, after shutdown. Fix this by masking the IRQ when it's
+shut down. This is usually taken care of by the irqchip core, but since
+this driver has a custom irq_shutdown implementation, it must do this
+explicitly itself.
+
+Signed-off-by: Stephen Warren
+Link: https://lore.kernel.org/r/20200427232605.11608-1-swarren@wwwdotorg.org
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/gpio/gpio-tegra.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpio/gpio-tegra.c b/drivers/gpio/gpio-tegra.c
+index 05d3241ad20b..9d763557a105 100644
+--- a/drivers/gpio/gpio-tegra.c
++++ b/drivers/gpio/gpio-tegra.c
+@@ -341,6 +341,7 @@ static void tegra_gpio_irq_shutdown(struct irq_data *d)
+ struct tegra_gpio_info *tgi = bank->tgi;
+ int gpio = d->hwirq;
+
++ tegra_gpio_irq_mask(d);
+ gpiochip_unlock_as_irq(&tgi->gc, gpio);
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.9/net-microchip-encx24j600-add-missed-kthread_stop.patch b/queue-4.9/net-microchip-encx24j600-add-missed-kthread_stop.patch
new file mode 100644
index 00000000000..ff7d678cfed
--- /dev/null
+++ b/queue-4.9/net-microchip-encx24j600-add-missed-kthread_stop.patch
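Review bot: `tegra_gpio_irq_mask(d);` in tegra_gpio_irq_shutdown looks redundant to anyone who expects the irqchip core to mask on shutdown, and the only explanation is in the commit description, so it is at risk of being removed as a cleanup later. Suggest a comment on that line: `/* The core only masks on shutdown when no custom irq_shutdown is set, so do it here or the line can keep raising IRQs after the client releases it. */`. The start of tegra_gpio_irq_shutdown is outside the hunk.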
@@ -0,0 +1,53 @@
+From 849e32ca9e54e221e4f1b3f1c99dd58d745080bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 May 2020 23:13:20 +0800
+Subject: net: microchip: encx24j600: add missed kthread_stop
+
+From: Chuhong Yuan
+
+[ Upstream commit ff8ce319e9c25e920d994cc35236f0bb32dfc8f3 ]
+
+This driver calls kthread_run() in probe, but forgets to call
+kthread_stop() in probe failure and remove.
+Add the missed kthread_stop() to fix it.
+
+Signed-off-by: Chuhong Yuan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/microchip/encx24j600.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/microchip/encx24j600.c b/drivers/net/ethernet/microchip/encx24j600.c
+index b14f0305aa31..ad661d1979c7 100644
+--- a/drivers/net/ethernet/microchip/encx24j600.c
++++ b/drivers/net/ethernet/microchip/encx24j600.c
+@@ -1058,7 +1058,7 @@ static int encx24j600_spi_probe(struct spi_device *spi)
+ if (unlikely(ret)) {
+ netif_err(priv, probe, ndev, "Error %d initializing card encx24j600 card\n",
+ ret);
+- goto out_free;
++ goto out_stop;
+ }
+
+ eidled = encx24j600_read_reg(priv, EIDLED);
+@@ -1076,6 +1076,8 @@ static int encx24j600_spi_probe(struct spi_device *spi)
+
+ out_unregister:
+ unregister_netdev(priv->ndev);
++out_stop:
++ kthread_stop(priv->kworker_task);
+ out_free:
+ free_netdev(ndev);
+
+@@ -1088,6 +1090,7 @@ static int encx24j600_spi_remove(struct spi_device *spi)
+ struct encx24j600_priv *priv = dev_get_drvdata(&spi->dev);
+
+ unregister_netdev(priv->ndev);
++ kthread_stop(priv->kworker_task);
+
+ free_netdev(priv->ndev);
+
+--
+2.25.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 14de1d44f65..9663407fc36 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
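Review bot: The new `kthread_stop(priv->kworker_task);` in encx24j600_spi_remove stops the worker task, but kthread_worker_fn checks kthread_should_stop() before dequeuing the next item, so any work still queued on the worker at that point is dropped rather than run; if anything can still be queued after unregister_netdev (cannot tell from the hunk), flush the kthread_worker before stopping its task. In encx24j600_spi_probe the new `out_stop` label only covers the one failure site converted in the first hunk; any other `goto out_free` between kthread_run() and that check, which would be outside the hunk, would still leak the thread and is worth checking in the 4.9 source. Both functions extend outside the hunks.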
@@ -10,3 +10,10 @@ net-sun-fix-missing-release-regions-in-cas_init_one.patch
 net-mlx4_core-fix-a-memory-leak-bug.patch
 uapi-fix-linux-if_pppol2tp.h-userspace-compilation-errors.patch
 ib-cma-fix-reference-count-leak-when-no-ipv4-addresses-are-set.patch
+gpio-tegra-mask-gpio-irqs-during-irq-shutdown.patch
+net-microchip-encx24j600-add-missed-kthread_stop.patch
+gfs2-move-privileged-user-check-to-gfs2_quota_lock_c.patch
+gfs2-don-t-call-quota_unhold-if-quotas-are-not-locke.patch
+cachefiles-fix-race-between-read_waiter-and-read_cop.patch
+usb-gadget-legacy-fix-redundant-initialization-warni.patch
+cifs-fix-null-pointer-check-in-cifs_read.patch
diff --git a/queue-4.9/usb-gadget-legacy-fix-redundant-initialization-warni.patch b/queue-4.9/usb-gadget-legacy-fix-redundant-initialization-warni.patch
new file mode 100644
index 00000000000..3ac1d366a0d
--- /dev/null
+++ b/queue-4.9/usb-gadget-legacy-fix-redundant-initialization-warni.patch
@@ -0,0 +1,63 @@
+From 5ae5fc5d970320e73766e208f8ac465f22182622 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Apr 2020 22:16:51 +0900
+Subject: usb: gadget: legacy: fix redundant initialization warnings
+
+From: Masahiro Yamada
+
+[ Upstream commit d13cce757954fa663c69845611957396843ed87a ]
+
+Fix the following cppcheck warnings:
+
+drivers/usb/gadget/legacy/inode.c:1364:8: style: Redundant initialization for 'value'. The initialized value is overwritten$
+ value = -EOPNOTSUPP;
+ ^
+drivers/usb/gadget/legacy/inode.c:1331:15: note: value is initialized
+ int value = -EOPNOTSUPP;
+ ^
+drivers/usb/gadget/legacy/inode.c:1364:8: note: value is overwritten
+ value = -EOPNOTSUPP;
+ ^
+drivers/usb/gadget/legacy/inode.c:1817:8: style: Redundant initialization for 'value'. The initialized value is overwritten$
+ value = -EINVAL;
+ ^
+drivers/usb/gadget/legacy/inode.c:1787:18: note: value is initialized
+ ssize_t value = len, length = len;
+ ^
+drivers/usb/gadget/legacy/inode.c:1817:8: note: value is overwritten
+ value = -EINVAL;
+ ^
+Acked-by: Alan Stern
+Reported-by: kbuild test robot
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Felipe Balbi
+
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/legacy/inode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index b8534d3f8bb0..cb02e9ecd8e7 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1364,7 +1364,6 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+
+ req->buf = dev->rbuf;
+ req->context = NULL;
+- value = -EOPNOTSUPP;
+ switch (ctrl->bRequest) {
+
+ case USB_REQ_GET_DESCRIPTOR:
+@@ -1788,7 +1787,7 @@ static ssize_t
+ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
+ {
+ struct dev_data *dev = fd->private_data;
+- ssize_t value = len, length = len;
++ ssize_t value, length = len;
+ unsigned total;
+ u32
tag;
+ char *kbuf;
+--
+2.25.1
+
--
2.47.3
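Review bot: In the dev_config hunk `ssize_t value, length = len;` puts an uninitialised and an initialised declarator on the same line, which is easy to misread as both being set; `ssize_t value;` and `ssize_t length = len;` on separate lines are clearer and cost nothing. Leaving `value` without an initialiser is correct only if every path from the declaration to its first read assigns it; the cppcheck report implies the assignment at 1817 is unconditional, but that stretch of dev_config is outside the hunk, as is the rest of gadgetfs_setup that now relies solely on the initialiser at 1331.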