From 2595e493085af795ac273608c8f218b696eb81f8 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 1 Mar 2021 13:58:43 +0100 Subject: [PATCH] 4.9-stable patches added patches: floppy-reintroduce-o_ndelay-fix.patch libnvdimm-dimm-avoid-race-between-probe-and-available_slots_show.patch mm-hugetlb-fix-a-race-between-freeing-and-dissolving-the-page.patch mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch --- .../floppy-reintroduce-o_ndelay-fix.patch | 81 ++++++++++ ...tween-probe-and-available_slots_show.patch | 98 +++++++++++++ ...ween-freeing-and-dissolving-the-page.patch | 138 ++++++++++++++++++ ...-sfc-put-child-node-np-on-error-path.patch | 36 +++++ queue-4.9/series | 5 + ...r-pipe-running-flag-in-usbhs_pkt_pop.patch | 37 +++++ 6 files changed, 395 insertions(+) create mode 100644 queue-4.9/floppy-reintroduce-o_ndelay-fix.patch create mode 100644 queue-4.9/libnvdimm-dimm-avoid-race-between-probe-and-available_slots_show.patch create mode 100644 queue-4.9/mm-hugetlb-fix-a-race-between-freeing-and-dissolving-the-page.patch create mode 100644 queue-4.9/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch create mode 100644 queue-4.9/usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch diff --git a/queue-4.9/floppy-reintroduce-o_ndelay-fix.patch b/queue-4.9/floppy-reintroduce-o_ndelay-fix.patch new file mode 100644 index 00000000000..c09342d632c --- /dev/null +++ b/queue-4.9/floppy-reintroduce-o_ndelay-fix.patch @@ -0,0 +1,81 @@ +From 8a0c014cd20516ade9654fc13b51345ec58e7be8 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Fri, 22 Jan 2021 12:13:20 +0100 +Subject: floppy: reintroduce O_NDELAY fix + +From: Jiri Kosina + +commit 8a0c014cd20516ade9654fc13b51345ec58e7be8 upstream. + +This issue was originally fixed in 09954bad4 ("floppy: refactor open() +flags handling"). + +The fix as a side-effect, however, introduce issue for open(O_ACCMODE) +that is being used for ioctl-only open. I wrote a fix for that, but +instead of it being merged, full revert of 09954bad4 was performed, +re-introducing the O_NDELAY / O_NONBLOCK issue, and it strikes again. + +This is a forward-port of the original fix to current codebase; the +original submission had the changelog below: + +==== +Commit 09954bad4 ("floppy: refactor open() flags handling"), as a +side-effect, causes open(/dev/fdX, O_ACCMODE) to fail. It turns out that +this is being used setfdprm userspace for ioctl-only open(). + +Reintroduce back the original behavior wrt !(FMODE_READ|FMODE_WRITE) +modes, while still keeping the original O_NDELAY bug fixed. + +Link: https://lore.kernel.org/r/nycvar.YFH.7.76.2101221209060.5622@cbobk.fhfr.pm +Cc: stable@vger.kernel.org +Reported-by: Wim Osterholt +Tested-by: Wim Osterholt +Reported-and-tested-by: Kurt Garloff +Fixes: 09954bad4 ("floppy: refactor open() flags handling") +Fixes: f2791e7ead ("Revert "floppy: refactor open() flags handling"") +Signed-off-by: Jiri Kosina +Signed-off-by: Denis Efremov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/floppy.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -4067,21 +4067,22 @@ static int floppy_open(struct block_devi + if (UFDCS->rawcmd == 1) + UFDCS->rawcmd = 2; + +- if (!(mode & FMODE_NDELAY)) { +- if (mode & (FMODE_READ|FMODE_WRITE)) { +- UDRS->last_checked = 0; +- clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags); +- check_disk_change(bdev); +- if (test_bit(FD_DISK_CHANGED_BIT, &UDRS->flags)) +- goto out; +- if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags)) +- goto out; +- } +- res = -EROFS; +- if ((mode & FMODE_WRITE) && +- !test_bit(FD_DISK_WRITABLE_BIT, &UDRS->flags)) ++ if (mode & (FMODE_READ|FMODE_WRITE)) { ++ UDRS->last_checked = 0; ++ clear_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags); ++ check_disk_change(bdev); ++ if (test_bit(FD_DISK_CHANGED_BIT, &UDRS->flags)) ++ goto out; ++ if (test_bit(FD_OPEN_SHOULD_FAIL_BIT, &UDRS->flags)) + goto out; + } ++ ++ res = -EROFS; ++ ++ if ((mode & FMODE_WRITE) && ++ !test_bit(FD_DISK_WRITABLE_BIT, &UDRS->flags)) ++ goto out; ++ + mutex_unlock(&open_lock); + mutex_unlock(&floppy_mutex); + return 0; diff --git a/queue-4.9/libnvdimm-dimm-avoid-race-between-probe-and-available_slots_show.patch b/queue-4.9/libnvdimm-dimm-avoid-race-between-probe-and-available_slots_show.patch new file mode 100644 index 00000000000..e9ee031c7d1 --- /dev/null +++ b/queue-4.9/libnvdimm-dimm-avoid-race-between-probe-and-available_slots_show.patch @@ -0,0 +1,98 @@ +From foo@baz Mon Mar 1 01:45:40 PM CET 2021 +From: Dan Williams +Date: Mon, 1 Feb 2021 16:20:40 -0800 +Subject: libnvdimm/dimm: Avoid race between probe and available_slots_show() + +From: Dan Williams + +commit 7018c897c2f243d4b5f1b94bc6b4831a7eab80fb upstream + +Richard reports that the following test: + +(while true; do + cat /sys/bus/nd/devices/nmem*/available_slots 2>&1 > /dev/null + done) & + +while true; do + for i in $(seq 0 4); do + echo nmem$i > /sys/bus/nd/drivers/nvdimm/bind + done + for i in $(seq 0 4); do + echo nmem$i > /sys/bus/nd/drivers/nvdimm/unbind + done + done + +...fails with a crash signature like: + + divide error: 0000 [#1] SMP KASAN PTI + RIP: 0010:nd_label_nfree+0x134/0x1a0 [libnvdimm] + [..] + Call Trace: + available_slots_show+0x4e/0x120 [libnvdimm] + dev_attr_show+0x42/0x80 + ? memset+0x20/0x40 + sysfs_kf_seq_show+0x218/0x410 + +The root cause is that available_slots_show() consults driver-data, but +fails to synchronize against device-unbind setting up a TOCTOU race to +access uninitialized memory. + +Validate driver-data under the device-lock. + +Fixes: 4d88a97aa9e8 ("libnvdimm, nvdimm: dimm driver and base libnvdimm device-driver infrastructure") +Cc: +Cc: Vishal Verma +Cc: Dave Jiang +Cc: Ira Weiny +Cc: Coly Li +Reported-by: Richard Palethorpe +Acked-by: Richard Palethorpe +Signed-off-by: Dan Williams +[sudip: use device_lock()] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvdimm/dimm_devs.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/nvdimm/dimm_devs.c ++++ b/drivers/nvdimm/dimm_devs.c +@@ -317,16 +317,16 @@ static ssize_t state_show(struct device + } + static DEVICE_ATTR_RO(state); + +-static ssize_t available_slots_show(struct device *dev, +- struct device_attribute *attr, char *buf) ++static ssize_t __available_slots_show(struct nvdimm_drvdata *ndd, char *buf) + { +- struct nvdimm_drvdata *ndd = dev_get_drvdata(dev); ++ struct device *dev; + ssize_t rc; + u32 nfree; + + if (!ndd) + return -ENXIO; + ++ dev = ndd->dev; + nvdimm_bus_lock(dev); + nfree = nd_label_nfree(ndd); + if (nfree - 1 > nfree) { +@@ -338,6 +338,18 @@ static ssize_t available_slots_show(stru + nvdimm_bus_unlock(dev); + return rc; + } ++ ++static ssize_t available_slots_show(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ ssize_t rc; ++ ++ device_lock(dev); ++ rc = __available_slots_show(dev_get_drvdata(dev), buf); ++ device_unlock(dev); ++ ++ return rc; ++} + static DEVICE_ATTR_RO(available_slots); + + static struct attribute *nvdimm_attributes[] = { diff --git a/queue-4.9/mm-hugetlb-fix-a-race-between-freeing-and-dissolving-the-page.patch b/queue-4.9/mm-hugetlb-fix-a-race-between-freeing-and-dissolving-the-page.patch new file mode 100644 index 00000000000..41b691052fa --- /dev/null +++ b/queue-4.9/mm-hugetlb-fix-a-race-between-freeing-and-dissolving-the-page.patch @@ -0,0 +1,138 @@ +From foo@baz Mon Mar 1 01:41:53 PM CET 2021 +From: Muchun Song +Date: Thu, 4 Feb 2021 18:32:06 -0800 +Subject: mm: hugetlb: fix a race between freeing and dissolving the page + +From: Muchun Song + +commit 7ffddd499ba6122b1a07828f023d1d67629aa017 upstream + +There is a race condition between __free_huge_page() +and dissolve_free_huge_page(). + + CPU0: CPU1: + + // page_count(page) == 1 + put_page(page) + __free_huge_page(page) + dissolve_free_huge_page(page) + spin_lock(&hugetlb_lock) + // PageHuge(page) && !page_count(page) + update_and_free_page(page) + // page is freed to the buddy + spin_unlock(&hugetlb_lock) + spin_lock(&hugetlb_lock) + clear_page_huge_active(page) + enqueue_huge_page(page) + // It is wrong, the page is already freed + spin_unlock(&hugetlb_lock) + +The race window is between put_page() and dissolve_free_huge_page(). + +We should make sure that the page is already on the free list when it is +dissolved. + +As a result __free_huge_page would corrupt page(s) already in the buddy +allocator. + +Link: https://lkml.kernel.org/r/20210115124942.46403-4-songmuchun@bytedance.com +Fixes: c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to handle hugepage") +Signed-off-by: Muchun Song +Reviewed-by: Mike Kravetz +Reviewed-by: Oscar Salvador +Acked-by: Michal Hocko +Cc: David Hildenbrand +Cc: Yang Shi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[sudip: adjust context] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -66,6 +66,21 @@ DEFINE_SPINLOCK(hugetlb_lock); + static int num_fault_mutexes; + struct mutex *hugetlb_fault_mutex_table ____cacheline_aligned_in_smp; + ++static inline bool PageHugeFreed(struct page *head) ++{ ++ return page_private(head + 4) == -1UL; ++} ++ ++static inline void SetPageHugeFreed(struct page *head) ++{ ++ set_page_private(head + 4, -1UL); ++} ++ ++static inline void ClearPageHugeFreed(struct page *head) ++{ ++ set_page_private(head + 4, 0); ++} ++ + /* Forward declaration */ + static int hugetlb_acct_memory(struct hstate *h, long delta); + +@@ -863,6 +878,7 @@ static void enqueue_huge_page(struct hst + list_move(&page->lru, &h->hugepage_freelists[nid]); + h->free_huge_pages++; + h->free_huge_pages_node[nid]++; ++ SetPageHugeFreed(page); + } + + static struct page *dequeue_huge_page_node(struct hstate *h, int nid) +@@ -880,6 +896,7 @@ static struct page *dequeue_huge_page_no + return NULL; + list_move(&page->lru, &h->hugepage_activelist); + set_page_refcounted(page); ++ ClearPageHugeFreed(page); + h->free_huge_pages--; + h->free_huge_pages_node[nid]--; + return page; +@@ -1292,6 +1309,7 @@ static void prep_new_huge_page(struct hs + set_hugetlb_cgroup(page, NULL); + h->nr_huge_pages++; + h->nr_huge_pages_node[nid]++; ++ ClearPageHugeFreed(page); + spin_unlock(&hugetlb_lock); + put_page(page); /* free it into the hugepage allocator */ + } +@@ -1455,6 +1473,7 @@ static int dissolve_free_huge_page(struc + { + int rc = 0; + ++retry: + spin_lock(&hugetlb_lock); + if (PageHuge(page) && !page_count(page)) { + struct page *head = compound_head(page); +@@ -1464,6 +1483,26 @@ static int dissolve_free_huge_page(struc + rc = -EBUSY; + goto out; + } ++ ++ /* ++ * We should make sure that the page is already on the free list ++ * when it is dissolved. ++ */ ++ if (unlikely(!PageHugeFreed(head))) { ++ spin_unlock(&hugetlb_lock); ++ cond_resched(); ++ ++ /* ++ * Theoretically, we should return -EBUSY when we ++ * encounter this race. In fact, we have a chance ++ * to successfully dissolve the page if we do a ++ * retry. Because the race window is quite small. ++ * If we seize this opportunity, it is an optimization ++ * for increasing the success rate of dissolving page. ++ */ ++ goto retry; ++ } ++ + list_del(&head->lru); + h->free_huge_pages--; + h->free_huge_pages_node[nid]--; diff --git a/queue-4.9/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch b/queue-4.9/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch new file mode 100644 index 00000000000..5bcf372f577 --- /dev/null +++ b/queue-4.9/mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch @@ -0,0 +1,36 @@ +From fe6653460ee7a7dbe0cd5fd322992af862ce5ab0 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 21 Jan 2021 01:18:47 -0800 +Subject: mtd: spi-nor: hisi-sfc: Put child node np on error path + +From: Pan Bian + +commit fe6653460ee7a7dbe0cd5fd322992af862ce5ab0 upstream. + +Put the child node np when it fails to get or register device. + +Fixes: e523f11141bd ("mtd: spi-nor: add hisilicon spi-nor flash controller driver") +Cc: stable@vger.kernel.org +Signed-off-by: Pan Bian +[ta: Add Fixes tag and Cc stable] +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20210121091847.85362-1-bianpan2016@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/hisi-sfc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/hisi-sfc.c ++++ b/drivers/mtd/spi-nor/hisi-sfc.c +@@ -393,8 +393,10 @@ static int hisi_spi_nor_register_all(str + + for_each_available_child_of_node(dev->of_node, np) { + ret = hisi_spi_nor_register(np, host); +- if (ret) ++ if (ret) { ++ of_node_put(np); + goto fail; ++ } + + if (host->num_chip == HIFMC_MAX_CHIP_NUM) { + dev_warn(dev, "Flash device number exceeds the maximum chipselect number\n"); diff --git a/queue-4.9/series b/queue-4.9/series index 910d0d0652e..6c8526f2fda 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -106,3 +106,8 @@ seccomp-add-missing-return-in-non-void-function.patch drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch x86-reboot-force-all-cpus-to-exit-vmx-root-if-vmx-is-supported.patch +floppy-reintroduce-o_ndelay-fix.patch +mtd-spi-nor-hisi-sfc-put-child-node-np-on-error-path.patch +mm-hugetlb-fix-a-race-between-freeing-and-dissolving-the-page.patch +usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch +libnvdimm-dimm-avoid-race-between-probe-and-available_slots_show.patch diff --git a/queue-4.9/usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch b/queue-4.9/usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch new file mode 100644 index 00000000000..b6b15a2bc21 --- /dev/null +++ b/queue-4.9/usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Mar 1 01:44:48 PM CET 2021 +From: Yoshihiro Shimoda +Date: Mon, 1 Feb 2021 21:47:20 +0900 +Subject: usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop() + +From: Yoshihiro Shimoda + +commit 9917f0e3cdba7b9f1a23f70e3f70b1a106be54a8 upstream + +Should clear the pipe running flag in usbhs_pkt_pop(). Otherwise, +we cannot use this pipe after dequeue was called while the pipe was +running. + +Fixes: 8355b2b3082d ("usb: renesas_usbhs: fix the behavior of some usbhs_pkt_handle") +Reported-by: Tho Vu +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1612183640-8898-1-git-send-email-yoshihiro.shimoda.uh@renesas.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +[sudip: adjust context] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/renesas_usbhs/fifo.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -140,6 +140,8 @@ struct usbhs_pkt *usbhs_pkt_pop(struct u + usbhsf_dma_unmap(pkt); + } + ++ usbhs_pipe_running(pipe, 0); ++ + __usbhsf_pkt_del(pkt); + } + -- 2.47.3