October 2020 - Linux-stable-mirror

FAILED: patch "[PATCH] vhost: Don't call access_ok() when using IOTLB" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 0210a8db2aeca393fb3067e234967877e3146266 Mon Sep 17 00:00:00 2001 From: Greg Kurz <groug(a)kaod.org> Date: Sat, 3 Oct 2020 12:01:52 +0200 Subject: [PATCH] vhost: Don't call access_ok() when using IOTLB When the IOTLB device is enabled, the vring addresses we get from userspace are GIOVAs. It is thus wrong to pass them down to access_ok() which only takes HVAs. Access validation is done at prefetch time with IOTLB. Teach vq_access_ok() about that by moving the (vq->iotlb) check from vhost_vq_access_ok() to vq_access_ok(). This prevents vhost_vring_set_addr() to fail when verifying the accesses. No behavior change for vhost_vq_access_ok(). BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1883084 Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API") Cc: jasowang(a)redhat.com CC: stable(a)vger.kernel.org # 4.14+ Signed-off-by: Greg Kurz <groug(a)kaod.org> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://lore.kernel.org/r/160171931213.284610.2052489816407219136.stgit@bah… Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index b45519ca66a7..c3b49975dc28 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -1290,6 +1290,11 @@ static bool vq_access_ok(struct vhost_virtqueue *vq, unsigned int num, vring_used_t __user *used) { + /* If an IOTLB device is present, the vring addresses are + * GIOVAs. Access validation occurs at prefetch time. */ + if (vq->iotlb) + return true; + return access_ok(desc, vhost_get_desc_size(vq, num)) && access_ok(avail, vhost_get_avail_size(vq, num)) && access_ok(used, vhost_get_used_size(vq, num)); @@ -1383,10 +1388,6 @@ bool vhost_vq_access_ok(struct vhost_virtqueue *vq) if (!vq_log_access_ok(vq, vq->log_base)) return false; - /* Access validation occurs at prefetch time with IOTLB */ - if (vq->iotlb) - return true; - return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used); } EXPORT_SYMBOL_GPL(vhost_vq_access_ok);

4 years, 3 months

1
0
0 0

[PATCH for 4.4, 4.9, 4.19, 4.14 and 5.4] driver core: Fix probe_count imbalance in really_probe()

by Nobuhiro Iwamatsu

From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> commit b292b50b0efcc7095d8bf15505fba6909bb35dce upstream. syzbot is reporting hung task in wait_for_device_probe() [1]. At least, we always need to decrement probe_count if we incremented probe_count in really_probe(). However, since I can't find "Resources present before probing" message in the console log, both "this message simply flowed off" and "syzbot is not hitting this path" will be possible. Therefore, while we are at it, let's also prepare for concurrent wait_for_device_probe() calls by replacing wake_up() with wake_up_all(). [1] https://syzkaller.appspot.com/bug?id=25c833f1983c9c1d512f4ff860dd0d7f5a2e2c… Reported-by: syzbot <syzbot+805f5f6ae37411f15b64(a)syzkaller.appspotmail.com> Fixes: 7c35e699c88bd607 ("driver core: Print device when resources present in really_probe()") Cc: Geert Uytterhoeven <geert+renesas(a)glider.be> Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Cc: stable <stable(a)kernel.org> Link: https://lore.kernel.org/r/20200713021254.3444-1-penguin-kernel@I-love.SAKUR… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [iwamatsu: Drop patch for deferred_probe_timeout_work_func()] Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu(a)toshiba.co.jp> --- drivers/base/dd.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/base/dd.c b/drivers/base/dd.c index 0047bbdd43c0f0..b3c569412f4e2e 100644 --- a/drivers/base/dd.c +++ b/drivers/base/dd.c @@ -472,7 +472,8 @@ static int really_probe(struct device *dev, struct device_driver *drv) drv->bus->name, __func__, drv->name, dev_name(dev)); if (!list_empty(&dev->devres_head)) { dev_crit(dev, "Resources present before probing\n"); - return -EBUSY; + ret = -EBUSY; + goto done; } re_probe: @@ -579,7 +580,7 @@ static int really_probe(struct device *dev, struct device_driver *drv) ret = 0; done: atomic_dec(&probe_count); - wake_up(&probe_waitqueue); + wake_up_all(&probe_waitqueue); return ret; } -- 2.28.0

4 years, 3 months

1
0
0 0

[PATCH v2] vringh: fix __vringh_iov() when riov and wiov are different

by Stefano Garzarella

If riov and wiov are both defined and they point to different objects, only riov is initialized. If the wiov is not initialized by the caller, the function fails returning -EINVAL and printing "Readable desc 0x... after writable" error message. This issue happens when descriptors have both readable and writable buffers (eg. virtio-blk devices has virtio_blk_outhdr in the readable buffer and status as last byte of writable buffer) and we call __vringh_iov() to get both type of buffers in two different iovecs. Let's replace the 'else if' clause with 'if' to initialize both riov and wiov if they are not NULL. As checkpatch pointed out, we also avoid crashing the kernel when riov and wiov are both NULL, replacing BUG() with WARN_ON() and returning -EINVAL. Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.") Cc: stable(a)vger.kernel.org Signed-off-by: Stefano Garzarella <sgarzare(a)redhat.com> --- drivers/vhost/vringh.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c index e059a9a47cdf..8bd8b403f087 100644 --- a/drivers/vhost/vringh.c +++ b/drivers/vhost/vringh.c @@ -284,13 +284,14 @@ __vringh_iov(struct vringh *vrh, u16 i, desc_max = vrh->vring.num; up_next = -1; + /* You must want something! */ + if (WARN_ON(!riov && !wiov)) + return -EINVAL; + if (riov) riov->i = riov->used = 0; - else if (wiov) + if (wiov) wiov->i = wiov->used = 0; - else - /* You must want something! */ - BUG(); for (;;) { void *addr; -- 2.26.2

4 years, 3 months

2
2
0 0

[PATCH for 4.19] mtd: rawnand: sunxi: Fix the probe error path

by Nobuhiro Iwamatsu

From: Miquel Raynal <miquel.raynal(a)bootlin.com> commit 3d84515ffd8fb657e10fa5b1215e9f095fa7efca upstream. nand_release() is supposed be called after MTD device registration. Here, only nand_scan() happened, so use nand_cleanup() instead. Fixes: 1fef62c1423b ("mtd: nand: add sunxi NAND flash controller support") Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/linux-mtd/20200519130035.1883-54-miquel.raynal@boot… Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu(a)toshiba.co.jp> --- drivers/mtd/nand/raw/sunxi_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/sunxi_nand.c b/drivers/mtd/nand/raw/sunxi_nand.c index 5b8502fd50cbc6..88075e420f907c 100644 --- a/drivers/mtd/nand/raw/sunxi_nand.c +++ b/drivers/mtd/nand/raw/sunxi_nand.c @@ -1947,7 +1947,7 @@ static int sunxi_nand_chip_init(struct device *dev, struct sunxi_nfc *nfc, ret = mtd_device_register(mtd, NULL, 0); if (ret) { dev_err(dev, "failed to register mtd device: %d\n", ret); - nand_release(nand); + nand_cleanup(nand); return ret; } -- 2.28.0

4 years, 3 months

1
0
0 0

[PATCH for 4.9, 4.14] mtd: rawnand: sunxi: Fix the probe error path

by Nobuhiro Iwamatsu

From: Miquel Raynal <miquel.raynal(a)bootlin.com> commit 3d84515ffd8fb657e10fa5b1215e9f095fa7efca upstream. nand_release() is supposed be called after MTD device registration. Here, only nand_scan() happened, so use nand_cleanup() instead. Fixes: 1fef62c1423b ("mtd: nand: add sunxi NAND flash controller support") Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/linux-mtd/20200519130035.1883-54-miquel.raynal@boot… [iwamatsu: adjust filename] Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu(a)toshiba.co.jp> --- drivers/mtd/nand/sunxi_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/sunxi_nand.c b/drivers/mtd/nand/sunxi_nand.c index ddf3e24cc2898d..2cf19372efb90a 100644 --- a/drivers/mtd/nand/sunxi_nand.c +++ b/drivers/mtd/nand/sunxi_nand.c @@ -2108,7 +2108,7 @@ static int sunxi_nand_chip_init(struct device *dev, struct sunxi_nfc *nfc, ret = mtd_device_register(mtd, NULL, 0); if (ret) { dev_err(dev, "failed to register mtd device: %d\n", ret); - nand_release(nand); + nand_cleanup(nand); return ret; } -- 2.28.0

4 years, 3 months

1
0
0 0

[PATCH for 4.19 and 5.4] i2c: i801: Exclude device from suspend direct complete optimization

by Nobuhiro Iwamatsu

From: Jean Delvare <jdelvare(a)suse.de> commit 845b89127bc5458d0152a4d63f165c62a22fcb70 upstream. By default, PCI drivers with runtime PM enabled will skip the calls to suspend and resume on system PM. For this driver, we don't want that, as we need to perform additional steps for system PM to work properly on all systems. So instruct the PM core to not skip these calls. Fixes: a9c8088c7988 ("i2c: i801: Don't restore config registers on runtime PM") Reported-by: Volker Rümelin <volker.ruemelin(a)googlemail.com> Signed-off-by: Jean Delvare <jdelvare(a)suse.de> Cc: stable(a)vger.kernel.org Signed-off-by: Wolfram Sang <wsa(a)kernel.org> [iwamatsu: Use DPM_FLAG_NEVER_SKIP instead of DPM_FLAG_NO_DIRECT_COMPLETE] Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu(a)toshiba.co.jp> --- drivers/i2c/busses/i2c-i801.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c index 9a80c3c7e8af27..c40eef4e7a9858 100644 --- a/drivers/i2c/busses/i2c-i801.c +++ b/drivers/i2c/busses/i2c-i801.c @@ -1891,6 +1891,7 @@ static int i801_probe(struct pci_dev *dev, const struct pci_device_id *id) pci_set_drvdata(dev, priv); + dev_pm_set_driver_flags(&dev->dev, DPM_FLAG_NEVER_SKIP); pm_runtime_set_autosuspend_delay(&dev->dev, 1000); pm_runtime_use_autosuspend(&dev->dev); pm_runtime_put_autosuspend(&dev->dev); -- 2.28.0

4 years, 3 months

1
0
0 0

[GIT PULL] vhost,vdpa: last minute fixes

by Michael S. Tsirkin

The following changes since commit a127c5bbb6a8eee851cbdec254424c480b8edd75: vhost-vdpa: fix backend feature ioctls (2020-09-24 05:54:36 -0400) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus for you to fetch changes up to aff90770e54cdb40228f2ab339339e95d0aa0c9a: vdpa/mlx5: Fix dependency on MLX5_CORE (2020-10-08 16:02:00 -0400) ---------------------------------------------------------------- vhost,vdpa: last minute fixes Some last minute fixes. The last two of them haven't been in next but they do seem kind of obvious, very small and safe, fix bugs reported in the field, and they are both in a new mlx5 vdpa driver, so it's not like we can introduce regressions. Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> ---------------------------------------------------------------- Eli Cohen (1): vdpa/mlx5: Fix dependency on MLX5_CORE Greg Kurz (3): vhost: Don't call access_ok() when using IOTLB vhost: Use vhost_get_used_size() in vhost_vring_set_addr() vhost: Don't call log_access_ok() when using IOTLB Mike Christie (1): vhost vdpa: fix vhost_vdpa_open error handling Si-Wei Liu (3): vhost-vdpa: fix vhost_vdpa_map() on error condition vhost-vdpa: fix page pinning leakage in error path vdpa/mlx5: should keep avail_index despite device status drivers/vdpa/Kconfig | 7 +-- drivers/vdpa/mlx5/net/mlx5_vnet.c | 20 ++++-- drivers/vhost/vdpa.c | 127 +++++++++++++++++++++++--------------- drivers/vhost/vhost.c | 33 +++++++--- 4 files changed, 117 insertions(+), 70 deletions(-)

4 years, 3 months

2
1
0 0

[PATCH] vringh: fix __vringh_iov() when riov and wiov are different

by Stefano Garzarella

If riov and wiov are both defined and they point to different objects, only riov is initialized. If the wiov is not initialized by the caller, the function fails returning -EINVAL and printing "Readable desc 0x... after writable" error message. Let's replace the 'else if' clause with 'if' to initialize both riov and wiov if they are not NULL. As checkpatch pointed out, we also avoid crashing the kernel when riov and wiov are both NULL, replacing BUG() with WARN_ON() and returning -EINVAL. Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.") Cc: stable(a)vger.kernel.org Signed-off-by: Stefano Garzarella <sgarzare(a)redhat.com> --- drivers/vhost/vringh.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c index e059a9a47cdf..8bd8b403f087 100644 --- a/drivers/vhost/vringh.c +++ b/drivers/vhost/vringh.c @@ -284,13 +284,14 @@ __vringh_iov(struct vringh *vrh, u16 i, desc_max = vrh->vring.num; up_next = -1; + /* You must want something! */ + if (WARN_ON(!riov && !wiov)) + return -EINVAL; + if (riov) riov->i = riov->used = 0; - else if (wiov) + if (wiov) wiov->i = wiov->used = 0; - else - /* You must want something! */ - BUG(); for (;;) { void *addr; -- 2.26.2

4 years, 3 months

2
4
0 0

[PATCH] random: use correct memory barriers for crng_node_pool

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> When a CPU selects which CRNG to use, it accesses crng_node_pool without a memory barrier. That's wrong, because crng_node_pool can be set by another CPU concurrently. Without a memory barrier, the crng_state that is used might not appear to be fully initialized. There's an explicit mb() on the write side, but it's redundant with cmpxchg() (or cmpxchg_release()) and does nothing to fix the read side. Implement this correctly by using a cmpxchg_release() + smp_load_acquire() pair. Fixes: 1e7f583af67b ("random: make /dev/urandom scalable for silly userspace programs") Cc: <stable(a)vger.kernel.org> # v4.8+ Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- drivers/char/random.c | 42 ++++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 09b1551d4092f..9f1e7a4a0fbbb 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -843,8 +843,8 @@ static void do_numa_crng_init(struct work_struct *work) crng_initialize_secondary(crng); pool[i] = crng; } - mb(); - if (cmpxchg(&crng_node_pool, NULL, pool)) { + /* pairs with smp_load_acquire() in select_crng() */ + if (cmpxchg_release(&crng_node_pool, NULL, pool) != NULL) { for_each_node(i) kfree(pool[i]); kfree(pool); @@ -857,8 +857,26 @@ static void numa_crng_init(void) { schedule_work(&numa_crng_init_work); } + +static inline struct crng_state *select_crng(void) +{ + struct crng_state **pool; + int nid = numa_node_id(); + + /* pairs with cmpxchg_release() in do_numa_crng_init() */ + pool = smp_load_acquire(&crng_node_pool); + if (pool && pool[nid]) + return pool[nid]; + + return &primary_crng; +} #else static void numa_crng_init(void) {} + +static inline struct crng_state *select_crng(void) +{ + return &primary_crng; +} #endif /* @@ -1005,15 +1023,7 @@ static void _extract_crng(struct crng_state *crng, static void extract_crng(__u8 out[CHACHA_BLOCK_SIZE]) { - struct crng_state *crng = NULL; - -#ifdef CONFIG_NUMA - if (crng_node_pool) - crng = crng_node_pool[numa_node_id()]; - if (crng == NULL) -#endif - crng = &primary_crng; - _extract_crng(crng, out); + _extract_crng(select_crng(), out); } /* @@ -1042,15 +1052,7 @@ static void _crng_backtrack_protect(struct crng_state *crng, static void crng_backtrack_protect(__u8 tmp[CHACHA_BLOCK_SIZE], int used) { - struct crng_state *crng = NULL; - -#ifdef CONFIG_NUMA - if (crng_node_pool) - crng = crng_node_pool[numa_node_id()]; - if (crng == NULL) -#endif - crng = &primary_crng; - _crng_backtrack_protect(crng, tmp, used); + _crng_backtrack_protect(select_crng(), tmp, used); } static ssize_t extract_crng_user(void __user *buf, size_t nbytes) -- 2.28.0

4 years, 3 months

3
20
0 0

[PATCH v2] pinctrl: cherryview: Ensure _REG(ACPI_ADR_SPACE_GPIO, 1) gets called

by Hans de Goede

On Cherry Trail devices there are 2 possible ACPI OpRegions for accessing GPIOs. The standard GeneralPurposeIo OpRegion and the Cherry Trail specific UserDefined 0x9X OpRegions. Having 2 different types of OpRegions leads to potential issues with checks for OpRegion availability, or in other words checks if _REG has been called for the OpRegion which the ACPI code wants to use. The ACPICA core does not call _REG on an ACPI node which does not define an OpRegion matching the type being registered; and the reference design DSDT, from which most Cherry Trail DSDTs are derived, does not define GeneralPurposeIo, nor UserDefined(0x93) OpRegions for the GPO2 (UID 3) device, because no pins were assigned ACPI controlled functions in the reference design. Together this leads to the perfect storm, at least on the Cherry Trail based Medion Akayo E1239T. This design does use a GPO2 pin from its ACPI code and has added the Cherry Trail specific UserDefined(0x93) opregion to its GPO2 ACPI node to access this pin. But it uses a has _REG been called availability check for the standard GeneralPurposeIo OpRegion. This clearly is a bug in the DSDT, but this does work under Windows. This issue leads to the intel_vbtn driver reporting the device always being in tablet-mode at boot, even if it is in laptop mode. Which in turn causes userspace to ignore touchpad events. So iow this issues causes the touchpad to not work at boot. Since the bug in the DSDT stems from the confusion of having 2 different OpRegion types for accessing GPIOs on Cherry Trail devices, I believe that this is best fixed inside the Cherryview pinctrl driver. This commit adds a workaround to the Cherryview pinctrl driver so that the DSDT's expectations of _REG always getting called for the GeneralPurposeIo OpRegion are met. Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- Changes in v2: - Drop unnecessary if (acpi_has_method(adev->handle, "_REG")) check - Fix Cherryview spelling in the commit message --- drivers/pinctrl/intel/pinctrl-cherryview.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c index 4c74fdde576d..4817aec114d6 100644 --- a/drivers/pinctrl/intel/pinctrl-cherryview.c +++ b/drivers/pinctrl/intel/pinctrl-cherryview.c @@ -1693,6 +1693,8 @@ static acpi_status chv_pinctrl_mmio_access_handler(u32 function, static int chv_pinctrl_probe(struct platform_device *pdev) { + struct acpi_object_list input; + union acpi_object params[2]; struct chv_pinctrl *pctrl; struct acpi_device *adev; acpi_status status; @@ -1755,6 +1757,22 @@ static int chv_pinctrl_probe(struct platform_device *pdev) if (ACPI_FAILURE(status)) dev_err(&pdev->dev, "failed to install ACPI addr space handler\n"); + /* + * Some DSDT-s use the chv_pinctrl_mmio_access_handler while checking + * for the regular GeneralPurposeIo OpRegion availability, mixed with + * the DSDT not defining a GeneralPurposeIo OpRegion at all. In this + * case the ACPICA code will not call _REG to signal availability of + * the GeneralPurposeIo OpRegion. Manually call _REG here so that + * the DSDT-s GeneralPurposeIo availability checks will succeed. + */ + params[0].type = ACPI_TYPE_INTEGER; + params[0].integer.value = ACPI_ADR_SPACE_GPIO; + params[1].type = ACPI_TYPE_INTEGER; + params[1].integer.value = 1; + input.count = 2; + input.pointer = params; + acpi_evaluate_object(adev->handle, "_REG", &input, NULL); + platform_set_drvdata(pdev, pctrl); return 0; -- 2.26.0

4 years, 3 months

4
11
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2020