1. 20 Oct, 2020 7 commits
    • xen/scsiback: use lateeoi irq binding · 86991b6e
      Juergen Gross authored
      In order to reduce the chance for the system becoming unresponsive due
      to event storms triggered by a misbehaving scsifront use the lateeoi
      irq binding for scsiback and unmask the event channel only just before
      leaving the event handling function.
      
      In case of a ring protocol error don't issue an EOI in order to avoid
      the possibility to use that for producing an event storm. This at once
      will result in no further call of scsiback_irq_fn(), so the ring_error
      struct member can be dropped and scsiback_do_cmd_fn() can signal the
      protocol error via a negative return value.
      
      This is part of XSA-332.
      
      Cc: stable@vger.kernel.org
      Reported-by: Julien Grall <julien@xen.org>
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Reviewed-by: Jan Beulich <jbeulich@suse.com>
      Reviewed-by: Wei Liu <wl@xen.org>
    • xen/netback: use lateeoi irq binding · 23025393
      Juergen Gross authored
      In order to reduce the chance for the system becoming unresponsive due
      to event storms triggered by a misbehaving netfront use the lateeoi
      irq binding for netback and unmask the event channel only just before
      going to sleep waiting for new events.
      
      Make sure not to issue an EOI when none is pending by introducing an
      eoi_pending element to struct xenvif_queue.
      
      When no request has been consumed set the spurious flag when sending
      the EOI for an interrupt.
      
      This is part of XSA-332.
      
      Cc: stable@vger.kernel.org
      Reported-by: Julien Grall <julien@xen.org>
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Reviewed-by: Jan Beulich <jbeulich@suse.com>
      Reviewed-by: Wei Liu <wl@xen.org>
    • xen/blkback: use lateeoi irq binding · 01263a1f
      Juergen Gross authored
      In order to reduce the chance for the system becoming unresponsive due
      to event storms triggered by a misbehaving blkfront use the lateeoi
      irq binding for blkback and unmask the event channel only after
      processing all pending requests.
      
      As the thread processing requests is used to do purging work in regular
      intervals an EOI may be sent only after having received an event. If
      there was no pending I/O request flag the EOI as spurious.
      
      This is part of XSA-332.
      
      Cc: stable@vger.kernel.org
      Reported-by: Julien Grall <julien@xen.org>
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Reviewed-by: Jan Beulich <jbeulich@suse.com>
      Reviewed-by: Wei Liu <wl@xen.org>
    • xen/events: add a new "late EOI" evtchn framework · 54c9de89
      Juergen Gross authored
      In order to avoid tight event channel related IRQ loops add a new
      framework of "late EOI" handling: the IRQ the event channel is bound
      to will be masked until the event has been handled and the related
      driver is capable to handle another event. The driver is responsible
      for unmasking the event channel via the new function xen_irq_lateeoi().
      
      This is similar to binding an event channel to a threaded IRQ, but
      without having to structure the driver accordingly.
      
      In order to support a future special handling in case a rogue guest
      is sending lots of unsolicited events, add a flag to xen_irq_lateeoi()
      which can be set by the caller to indicate the event was a spurious
      one.
      
      This is part of XSA-332.
      
      Cc: stable@vger.kernel.org
      Reported-by: Julien Grall <julien@xen.org>
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Reviewed-by: Jan Beulich <jbeulich@suse.com>
      Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
      Reviewed-by: Wei Liu <wl@xen.org>
    • xen/events: fix race in evtchn_fifo_unmask() · f0133719
      Juergen Gross authored
      Unmasking a fifo event channel can result in unmasking it twice, once
      directly in the kernel and once via a hypercall in case the event was
      pending.
      
      Fix that by doing the local unmask only if the event is not pending.
      
      This is part of XSA-332.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Reviewed-by: Jan Beulich <jbeulich@suse.com>
    • xen/events: add a proper barrier to 2-level uevent unmasking · 4d3fe31b
      Juergen Gross authored
      A follow-up patch will require certain write to happen before an event
      channel is unmasked.
      
      While the memory barrier is not strictly necessary for all the callers,
      the main one will need it. In order to avoid an extra memory barrier
      when using fifo event channels, mandate evtchn_unmask() to provide
      write ordering.
      
      The 2-level event handling unmask operation is missing an appropriate
      barrier, so add it. Fifo event channels are fine in this regard due to
      using sync_cmpxchg().
      
      This is part of XSA-332.
      
      Cc: stable@vger.kernel.org
      Suggested-by: Julien Grall <julien@xen.org>
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Reviewed-by: Julien Grall <jgrall@amazon.com>
      Reviewed-by: Wei Liu <wl@xen.org>
    • xen/events: avoid removing an event channel while handling it · 073d0552
      Juergen Gross authored
      Today it can happen that an event channel is being removed from the
      system while the event handling loop is active. This can lead to a
      race resulting in crashes or WARN() splats when trying to access the
      irq_info structure related to the event channel.
      
      Fix this problem by using a rwlock taken as reader in the event
      handling loop and as writer when deallocating the irq_info structure.
      
      As the observed problem was a NULL dereference in evtchn_from_irq()
      make this function more robust against races by testing the irq_info
      pointer to be not NULL before dereferencing it.
      
      And finally make all accesses to evtchn_to_irq[row][col] atomic ones
      in order to avoid seeing partial updates of an array element in irq
      handling. Note that irq handling can be entered only for event channels
      which have been valid before, so any not populated row isn't a problem
      in this regard, as rows are only ever added and never removed.
      
      This is XSA-331.
      
      Cc: stable@vger.kernel.org
      Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
      Reported-by: Jinoh Kang <luke1337@theori.io>
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
      Reviewed-by: Wei Liu <wl@xen.org>
  2. 04 Oct, 2020 7 commits
  3. 03 Oct, 2020 10 commits
  4. 02 Oct, 2020 16 commits
    • Merge tag 'pinctrl-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · d3d45f82
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Some pin control fixes here. All of them are driver fixes, the Intel
        Cherryview being the most interesting one.
      
         - Fix a mux problem for I2C in the MVEBU driver.
      
         - Fix a really hairy inversion problem in the Intel Cherryview
           driver.
      
         - Fix the register for the sdc2_clk in the Qualcomm SM8250 driver.
      
         - Check the virtual GPIO boot failure in the Mediatek driver"
      
      * tag 'pinctrl-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: mediatek: check mtk_is_virt_gpio input parameter
        pinctrl: qcom: sm8250: correct sdc2_clk
        pinctrl: cherryview: Preserve CHV_PADCTRL1_INVRXTX_TXDATA flag on GPIOs
        pinctrl: mvebu: Fix i2c sda definition for 98DX3236
    • Merge tag 'pci-v5.9-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 4d9c3a68
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - Fix rockchip regression in rockchip_pcie_valid_device() (Lorenzo
         Pieralisi)
      
       - Add Pali Rohár as aardvark PCI maintainer (Pali Rohár)
      
      * tag 'pci-v5.9-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        MAINTAINERS: Add Pali Rohár as aardvark PCI maintainer
        PCI: rockchip: Fix bus checks in rockchip_pcie_valid_device()
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · cb6f55af
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Two patches in driver frameworks. The iscsi one corrects a bug induced
        by a BPF change to network locking and the other is a regression we
        introduced"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername()
        scsi: target: Fix lun lookup for TARGET_SCF_LOOKUP_LUN_FROM_TAG case
    • Merge tag 'io_uring-5.9-2020-10-02' of git://git.kernel.dk/linux-block · 702bfc89
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - fix for async buffered reads if read-ahead is fully disabled (Hao)
      
       - double poll match fix
      
       - ->show_fdinfo() potential ABBA deadlock complaint fix
      
      * tag 'io_uring-5.9-2020-10-02' of git://git.kernel.dk/linux-block:
        io_uring: fix async buffered reads when readahead is disabled
        io_uring: fix potential ABBA deadlock in ->show_fdinfo()
        io_uring: always delete double poll wait entry on match
    • Merge tag 'block-5.9-2020-10-02' of git://git.kernel.dk/linux-block · f016a540
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Single fix for a ->commit_rqs failure case"
      
      * tag 'block-5.9-2020-10-02' of git://git.kernel.dk/linux-block:
        blk-mq: call commit_rqs while list empty but error happen
    • Merge branch 'work.epoll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · d4fce2e2
      Linus Torvalds authored
      Pull epoll fixes from Al Viro:
       "Several race fixes in epoll"
      
      * 'work.epoll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        ep_create_wakeup_source(): dentry name can change under you...
        epoll: EPOLL_CTL_ADD: close the race in decision to take fast path
        epoll: replace ->visited/visited_list with generation count
        epoll: do not insert into poll queues until all sanity checks are done
    • Merge tag 'riscv-for-linus-5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · db23baa2
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
       "Two fixes for this week:
      
         - The addition of a symbol export for clint_time_val, which has been
           inlined into some timex functions and can be used by drivers.
      
         - A fix to avoid calling get_cycles() before the timers have been
           probed.
      
        These both only affect !MMU systems"
      
      * tag 'riscv-for-linus-5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        RISC-V: Check clint_time_val before use
        clocksource: clint: Export clint_time_val for modules
    • Merge tag 'for-5.9-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 4e3b9ce2
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "Two more fixes.
      
        One is for a lockdep warning/lockup (also caught by syzbot), that one
        has been seen in practice. Regarding the other syzbot reports
        mentioned last time, they don't seem to be urgent and reliably
        reproducible so they'll be fixed later.
      
        The second fix is for a potential corruption when device replace
        finishes and the in-memory state of trim is not copied to the new
        device"
      
      * tag 'for-5.9-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix filesystem corruption after a device replace
        btrfs: move btrfs_rm_dev_replace_free_srcdev outside of all locks
        btrfs: move btrfs_scratch_superblocks into btrfs_dev_replace_finishing
    • Merge tag 'pm-5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · c5130911
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix one more issue related to the recent RCU-lockdep changes, a
        typo in documentation and add a missing return statement to
        intel_pstate.
      
        Specifics:
      
         - Fix up RCU usage for cpuidle on the ARM imx6q platform (Ulf
           Hansson)
      
         - Fix typo in the PM documentation (Yoann Congal)
      
         - Add return statement that is missing after recent changes in the
           intel_pstate driver (Zhang Rui)"
      
      * tag 'pm-5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ARM: imx6q: Fixup RCU usage for cpuidle
        Documentation: PM: Fix a reStructuredText syntax error
        cpufreq: intel_pstate: Fix missing return statement
    • Merge tag 'staging-5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · cc8ad8fa
      Linus Torvalds authored
      Pull IIO fixes from Greg KH:
       "Here are two small IIO driver fixes for 5.9-rc8 that resolve some
        reported issues:
      
         - driver name fixed in one driver
      
         - device name typo fixed
      
        Both have been in linux-next for a while with no reported problems"
      
      * tag 'staging-5.9-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        iio: adc: qcom-spmi-adc5: fix driver name
        iio: adc: ad7124: Fix typo in device name
    • Merge tag 'gpio-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 0bf0dfda
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "Some late GPIO fixes for the v5.9 series:
      
         - Fix compiler warnings on the OMAP when PM is disabled
      
         - Clear the interrupt when setting edge sensitivity on the Spreadtrum
           driver.
      
         - Fix up spurious interrupts on the TC35894.
      
         - Support threaded interrupts on the Siox controller.
      
         - Fix resource leaks on the mockup driver.
      
         - Fix line event handling in syscall compatible mode for the
           character device.
      
         - Fix an uninitialized variable in the PCA953A driver.
      
         - Fix access to all GPIO IRQs on the Aspeed AST2600.
      
         - Fix line direction on the AMD FCH driver.
      
         - Use the bitmap API instead of compiler intrinsics for bit
           manipulation in the PCA953x driver"
      
      * tag 'gpio-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: pca953x: Correctly initialize registers 6 and 7 for PCA957x
        gpio: pca953x: Use bitmap API over implicit GCC extension
        gpio: amd-fch: correct logic of GPIO_LINE_DIRECTION
        gpio: aspeed: fix ast2600 bank properties
        gpio/aspeed-sgpio: don't enable all interrupts by default
        gpio/aspeed-sgpio: enable access to all 80 input & output sgpios
        gpio: pca953x: Fix uninitialized pending variable
        gpiolib: Fix line event handling in syscall compatible mode
        gpio: mockup: fix resource leak in error path
        gpio: siox: explicitly support only threaded irqs
        gpio: tc35894: fix up tc35894 interrupt configuration
        gpio: sprd: Clear interrupt when setting the type as edge
        gpio: omap: Fix warnings if PM is disabled
    • Merge tag 'mmc-v5.9-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 2270b890
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
      
       - Fix deadlock when removing MEMSTICK host
      
       - Workaround broken CMDQ on Intel GLK based IRBIS models
      
      * tag 'mmc-v5.9-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS models
        memstick: Skip allocating card when removing host
    • random32: Restore __latent_entropy attribute on net_rand_state · 09a6b0bc
      Thibaut Sautereau authored
      Commit f227e3ec ("random32: update the net random state on interrupt
      and activity") broke compilation and was temporarily fixed by Linus in
      83bdc727 ("random32: remove net_rand_state from the latent entropy
      gcc plugin") by entirely moving net_rand_state out of the things handled
      by the latent_entropy GCC plugin.
      
      From what I understand when reading the plugin code, using the
      __latent_entropy attribute on a declaration was the wrong part and
      simply keeping the __latent_entropy attribute on the variable definition
      was the correct fix.
      
      Fixes: 83bdc727 ("random32: remove net_rand_state from the latent entropy gcc plugin")
      Acked-by: Willy Tarreau <w@1wt.eu>
      Cc: Emese Revfy <re.emese@gmail.com>
      Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'pm-cpufreq' · 7bbe8f2a
      Rafael J. Wysocki authored
      * pm-cpufreq:
        cpufreq: intel_pstate: Fix missing return statement
    • mm: memcg/slab: fix slab statistics in !SMP configuration · be458311
      Roman Gushchin authored
      Since commit ea426c2a ("mm: memcg: prepare for byte-sized vmstat
      items") the write side of slab counters accepts a value in bytes and
      converts it to pages.  It happens in __mod_node_page_state().
      
      However a non-SMP version of __mod_node_page_state() doesn't perform
      this conversion.  It leads to incorrect (unrealistically high) slab
      counters values.  Fix this by adding a similar conversion to the non-SMP
      version of __mod_node_page_state().

      Signed-off-by: Roman Gushchin <guro@fb.com>
      Reported-and-tested-by: Bastian Bittorf <bb@npl.de>
      Fixes: ea426c2a ("mm: memcg: prepare for byte-sized vmstat items")
      Acked-by: Vlastimil Babka <vbabka@suse.cz>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • pipe: remove pipe_wait() and fix wakeup race with splice · 472e5b05
      Linus Torvalds authored
      The pipe splice code still used the old model of waiting for pipe IO by
      using a non-specific "pipe_wait()" that waited for any pipe event to
      happen, which depended on all pipe IO being entirely serialized by the
      pipe lock.  So by checking the state you were waiting for, and then
      adding yourself to the wait queue before dropping the lock, you were
      guaranteed to see all the wakeups.
      
      Strictly speaking, the actual wakeups were not done under the lock, but
      the pipe_wait() model still worked, because since the waiter held the
      lock when checking whether it should sleep, it would always see the
      current state, and the wakeup was always done after updating the state.
      
      However, commit 0ddad21d ("pipe: use exclusive waits when reading or
      writing") split the single wait-queue into two, and in the process also
      made the "wait for event" code wait for _two_ wait queues, and that then
      showed a race with the wakers that were not serialized by the pipe lock.
      
      It's only splice that used that "pipe_wait()" model, so the problem
      wasn't obvious, but Josef Bacik reports:
      
       "I hit a hang with fstest btrfs/187, which does a btrfs send into
        /dev/null. This works by creating a pipe, the write side is given to
        the kernel to write into, and the read side is handed to a thread that
        splices into a file, in this case /dev/null.
      
        The box that was hung had the write side stuck here [pipe_write] and
        the read side stuck here [splice_from_pipe_next -> pipe_wait].
      
        [ more details about pipe_wait() scenario ]
      
        The problem is we're doing the prepare_to_wait, which sets our state
        each time, however we can be woken up either with reads or writes. In
        the case above we race with the WRITER waking us up, and re-set our
        state to INTERRUPTIBLE, and thus never break out of schedule"
      
      Josef had a patch that avoided the issue in pipe_wait() by just making
      it set the state only once, but the deeper problem is that pipe_wait()
      depends on a level of synchronization by the pipe mutex that it really
      shouldn't.  And the whole "wait for any pipe state change" model really
      isn't very good to begin with.
      
      So rather than trying to work around things in pipe_wait(), remove that
      legacy model of "wait for arbitrary pipe event" entirely, and actually
      create functions that wait for the pipe actually being readable or
      writable, and can do so without depending on the pipe lock serializing
      everything.
      
      Fixes: 0ddad21d ("pipe: use exclusive waits when reading or writing")
      Link: https://lore.kernel.org/linux-fsdevel/bfa88b5ad6f069b2b679316b9e495a970130416c.1601567868.git.josef@toxicpanda.com/
      Reported-by: Josef Bacik <josef@toxicpanda.com>
      Reviewed-and-tested-by: Josef Bacik <josef@toxicpanda.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>