Linux-stable-mirror

linux-stable-mirror@lists.linaro.org

3 participants
123729 discussions

FAILED: patch "[PATCH] xprtrdma: Fix trace point use-after-free race" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From bdb2ce82818577ba6e57b7d68b698b8d17329281 Mon Sep 17 00:00:00 2001 From: Chuck Lever <chuck.lever(a)oracle.com> Date: Sun, 19 Apr 2020 20:03:05 -0400 Subject: [PATCH] xprtrdma: Fix trace point use-after-free race It's not safe to use resources pointed to by the @send_wr of ib_post_send() _after_ that function returns. Those resources are typically freed by the Send completion handler, which can run before ib_post_send() returns. Thus the trace points currently around ib_post_send() in the client's RPC/RDMA transport are a hazard, even when they are disabled. Rearrange them so that they touch the Work Request only _before_ ib_post_send() is invoked. Fixes: ab03eff58eb5 ("xprtrdma: Add trace points in RPC Call transmit paths") Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Anna Schumaker <Anna.Schumaker(a)Netapp.com> diff --git a/include/trace/events/rpcrdma.h b/include/trace/events/rpcrdma.h index 051f26fedc4d..72f043876019 100644 --- a/include/trace/events/rpcrdma.h +++ b/include/trace/events/rpcrdma.h @@ -692,11 +692,10 @@ TRACE_EVENT(xprtrdma_prepsend_failed, TRACE_EVENT(xprtrdma_post_send, TP_PROTO( - const struct rpcrdma_req *req, - int status + const struct rpcrdma_req *req ), - TP_ARGS(req, status), + TP_ARGS(req), TP_STRUCT__entry( __field(const void *, req) @@ -705,7 +704,6 @@ TRACE_EVENT(xprtrdma_post_send, __field(unsigned int, client_id) __field(int, num_sge) __field(int, signaled) - __field(int, status) ), TP_fast_assign( @@ -718,15 +716,13 @@ TRACE_EVENT(xprtrdma_post_send, __entry->sc = req->rl_sendctx; __entry->num_sge = req->rl_wr.num_sge; __entry->signaled = req->rl_wr.send_flags & IB_SEND_SIGNALED; - __entry->status = status; ), - TP_printk("task:%u@%u req=%p sc=%p (%d SGE%s) %sstatus=%d", + TP_printk("task:%u@%u req=%p sc=%p (%d SGE%s) %s", __entry->task_id, __entry->client_id, __entry->req, __entry->sc, __entry->num_sge, (__entry->num_sge == 1 ? "" : "s"), - (__entry->signaled ? "signaled " : ""), - __entry->status + (__entry->signaled ? "signaled" : "") ) ); diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c index 29ae982d69cf..05c4d3a9cda2 100644 --- a/net/sunrpc/xprtrdma/verbs.c +++ b/net/sunrpc/xprtrdma/verbs.c @@ -1356,8 +1356,8 @@ int rpcrdma_post_sends(struct rpcrdma_xprt *r_xprt, struct rpcrdma_req *req) --ep->re_send_count; } + trace_xprtrdma_post_send(req); rc = frwr_send(r_xprt, req); - trace_xprtrdma_post_send(req, rc); if (rc) return -ENOTCONN; return 0;

5 years, 8 months

FAILED: patch "[PATCH] i2c: aspeed: Avoid i2c interrupt status clear race condition." failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c926c87b8e36dcc0ea5c2a0a0227ed4f32d0516a Mon Sep 17 00:00:00 2001 From: ryan_chen <ryan_chen(a)aspeedtech.com> Date: Wed, 29 Apr 2020 11:37:37 +0800 Subject: [PATCH] i2c: aspeed: Avoid i2c interrupt status clear race condition. In AST2600 there have a slow peripheral bus between CPU and i2c controller. Therefore GIC i2c interrupt status clear have delay timing, when CPU issue write clear i2c controller interrupt status. To avoid this issue, the driver need have read after write clear at i2c ISR. Fixes: f327c686d3ba ("i2c: aspeed: added driver for Aspeed I2C") Signed-off-by: ryan_chen <ryan_chen(a)aspeedtech.com> Acked-by: Benjamin Herrenschmidt <benh(a)kernel.crashing.org> [wsa: added Fixes tag] Signed-off-by: Wolfram Sang <wsa(a)the-dreams.de> diff --git a/drivers/i2c/busses/i2c-aspeed.c b/drivers/i2c/busses/i2c-aspeed.c index 07c1993274c5..f51702d86a90 100644 --- a/drivers/i2c/busses/i2c-aspeed.c +++ b/drivers/i2c/busses/i2c-aspeed.c @@ -603,6 +603,7 @@ static irqreturn_t aspeed_i2c_bus_irq(int irq, void *dev_id) /* Ack all interrupts except for Rx done */ writel(irq_received & ~ASPEED_I2CD_INTR_RX_DONE, bus->base + ASPEED_I2C_INTR_STS_REG); + readl(bus->base + ASPEED_I2C_INTR_STS_REG); irq_remaining = irq_received; #if IS_ENABLED(CONFIG_I2C_SLAVE) @@ -645,9 +646,11 @@ static irqreturn_t aspeed_i2c_bus_irq(int irq, void *dev_id) irq_received, irq_handled); /* Ack Rx done */ - if (irq_received & ASPEED_I2CD_INTR_RX_DONE) + if (irq_received & ASPEED_I2CD_INTR_RX_DONE) { writel(ASPEED_I2CD_INTR_RX_DONE, bus->base + ASPEED_I2C_INTR_STS_REG); + readl(bus->base + ASPEED_I2C_INTR_STS_REG); + } spin_unlock(&bus->lock); return irq_remaining ? IRQ_NONE : IRQ_HANDLED; }

5 years, 8 months

FAILED: patch "[PATCH] i2c: aspeed: Avoid i2c interrupt status clear race condition." failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c926c87b8e36dcc0ea5c2a0a0227ed4f32d0516a Mon Sep 17 00:00:00 2001 From: ryan_chen <ryan_chen(a)aspeedtech.com> Date: Wed, 29 Apr 2020 11:37:37 +0800 Subject: [PATCH] i2c: aspeed: Avoid i2c interrupt status clear race condition. In AST2600 there have a slow peripheral bus between CPU and i2c controller. Therefore GIC i2c interrupt status clear have delay timing, when CPU issue write clear i2c controller interrupt status. To avoid this issue, the driver need have read after write clear at i2c ISR. Fixes: f327c686d3ba ("i2c: aspeed: added driver for Aspeed I2C") Signed-off-by: ryan_chen <ryan_chen(a)aspeedtech.com> Acked-by: Benjamin Herrenschmidt <benh(a)kernel.crashing.org> [wsa: added Fixes tag] Signed-off-by: Wolfram Sang <wsa(a)the-dreams.de> diff --git a/drivers/i2c/busses/i2c-aspeed.c b/drivers/i2c/busses/i2c-aspeed.c index 07c1993274c5..f51702d86a90 100644 --- a/drivers/i2c/busses/i2c-aspeed.c +++ b/drivers/i2c/busses/i2c-aspeed.c @@ -603,6 +603,7 @@ static irqreturn_t aspeed_i2c_bus_irq(int irq, void *dev_id) /* Ack all interrupts except for Rx done */ writel(irq_received & ~ASPEED_I2CD_INTR_RX_DONE, bus->base + ASPEED_I2C_INTR_STS_REG); + readl(bus->base + ASPEED_I2C_INTR_STS_REG); irq_remaining = irq_received; #if IS_ENABLED(CONFIG_I2C_SLAVE) @@ -645,9 +646,11 @@ static irqreturn_t aspeed_i2c_bus_irq(int irq, void *dev_id) irq_received, irq_handled); /* Ack Rx done */ - if (irq_received & ASPEED_I2CD_INTR_RX_DONE) + if (irq_received & ASPEED_I2CD_INTR_RX_DONE) { writel(ASPEED_I2CD_INTR_RX_DONE, bus->base + ASPEED_I2C_INTR_STS_REG); + readl(bus->base + ASPEED_I2C_INTR_STS_REG); + } spin_unlock(&bus->lock); return irq_remaining ? IRQ_NONE : IRQ_HANDLED; }

5 years, 8 months

[PATCH 4.4] drm/qxl: qxl_release leak in qxl_draw_dirty_fb()

by Vasily Averin

>From 85e9b88af1e6164f19ec71381efd5e2bcfc17620 Mon Sep 17 00:00:00 2001 From: Vasily Averin <vvs(a)virtuozzo.com> Date: Mon, 27 Apr 2020 08:32:46 +0300 Subject: [PATCH] drm/qxl: qxl_release leak in qxl_draw_dirty_fb() ret should be changed to release allocated struct qxl_release Cc: stable(a)vger.kernel.org Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations") Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> Link: http://patchwork.freedesktop.org/patch/msgid/22cfd55f-07c8-95d0-a2f7-191b71… Signed-off-by: Gerd Hoffmann <kraxel(a)redhat.com> backported to v4.4-stable Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> --- drivers/gpu/drm/qxl/qxl_draw.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/qxl/qxl_draw.c b/drivers/gpu/drm/qxl/qxl_draw.c index 6e6c76080d6a..c8ccb3765597 100644 --- a/drivers/gpu/drm/qxl/qxl_draw.c +++ b/drivers/gpu/drm/qxl/qxl_draw.c @@ -352,9 +352,10 @@ void qxl_draw_dirty_fb(struct qxl_device *qdev, goto out_release_backoff; rects = drawable_set_clipping(qdev, drawable, num_clips, clips_bo); - if (!rects) + if (!rects) { + ret = -EINVAL; goto out_release_backoff; - + } drawable = (struct qxl_drawable *)qxl_release_map(qdev, release); drawable->clip.type = SPICE_CLIP_TYPE_RECTS; -- 2.17.1

5 years, 8 months

[PATCH 4.4] drm/qxl: qxl_release use after free

by Vasily Averin

>From 933db73351d359f74b14f4af095808260aff11f9 Mon Sep 17 00:00:00 2001 From: Vasily Averin <vvs(a)virtuozzo.com> Date: Wed, 29 Apr 2020 12:01:24 +0300 Subject: [PATCH] drm/qxl: qxl_release use after free qxl_release should not be accesses after qxl_push_*_ring_release() calls: userspace driver can process submitted command quickly, move qxl_release into release_ring, generate interrupt and trigger garbage collector. It can lead to crashes in qxl driver or trigger memory corruption in some kmalloc-192 slab object Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() + qxl_push_{cursor,command}_ring_release() calls to close that race window. cc: stable(a)vger.kernel.org Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d3241… Signed-off-by: Gerd Hoffmann <kraxel(a)redhat.com> backported to v4.4-stable Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> --- drivers/gpu/drm/qxl/qxl_cmd.c | 5 ++--- drivers/gpu/drm/qxl/qxl_display.c | 6 +++--- drivers/gpu/drm/qxl/qxl_draw.c | 8 ++++---- drivers/gpu/drm/qxl/qxl_ioctl.c | 5 +---- 4 files changed, 10 insertions(+), 14 deletions(-) diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c index fdc1833b1af8..45e08a685102 100644 --- a/drivers/gpu/drm/qxl/qxl_cmd.c +++ b/drivers/gpu/drm/qxl/qxl_cmd.c @@ -528,8 +528,8 @@ int qxl_hw_surface_alloc(struct qxl_device *qdev, /* no need to add a release to the fence for this surface bo, since it is only released when we ask to destroy the surface and it would never signal otherwise */ - qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); surf->hw_surf_alloc = true; spin_lock(&qdev->surf_id_idr_lock); @@ -571,9 +571,8 @@ int qxl_hw_surface_dealloc(struct qxl_device *qdev, cmd->surface_id = id; qxl_release_unmap(qdev, release, &cmd->release_info); - qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); - qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); return 0; } diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c index 5edebf495c07..0d6cc396cc16 100644 --- a/drivers/gpu/drm/qxl/qxl_display.c +++ b/drivers/gpu/drm/qxl/qxl_display.c @@ -292,8 +292,8 @@ qxl_hide_cursor(struct qxl_device *qdev) cmd->type = QXL_CURSOR_HIDE; qxl_release_unmap(qdev, release, &cmd->release_info); - qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); qxl_release_fence_buffer_objects(release); + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); return 0; } @@ -390,8 +390,8 @@ static int qxl_crtc_cursor_set2(struct drm_crtc *crtc, cmd->u.set.visible = 1; qxl_release_unmap(qdev, release, &cmd->release_info); - qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); qxl_release_fence_buffer_objects(release); + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); /* finish with the userspace bo */ ret = qxl_bo_reserve(user_bo, false); @@ -450,8 +450,8 @@ static int qxl_crtc_cursor_move(struct drm_crtc *crtc, cmd->u.position.y = qcrtc->cur_y + qcrtc->hot_spot_y; qxl_release_unmap(qdev, release, &cmd->release_info); - qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); qxl_release_fence_buffer_objects(release); + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); return 0; } diff --git a/drivers/gpu/drm/qxl/qxl_draw.c b/drivers/gpu/drm/qxl/qxl_draw.c index c8ccb3765597..47da124b7ebf 100644 --- a/drivers/gpu/drm/qxl/qxl_draw.c +++ b/drivers/gpu/drm/qxl/qxl_draw.c @@ -245,8 +245,8 @@ void qxl_draw_opaque_fb(const struct qxl_fb_image *qxl_fb_image, qxl_bo_physical_address(qdev, dimage->bo, 0); qxl_release_unmap(qdev, release, &drawable->release_info); - qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); out_free_palette: if (palette_bo) @@ -386,8 +386,8 @@ void qxl_draw_dirty_fb(struct qxl_device *qdev, } qxl_bo_kunmap(clips_bo); - qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); out_release_backoff: if (ret) @@ -437,8 +437,8 @@ void qxl_draw_copyarea(struct qxl_device *qdev, drawable->u.copy_bits.src_pos.y = sy; qxl_release_unmap(qdev, release, &drawable->release_info); - qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); out_free_release: if (ret) @@ -481,8 +481,8 @@ void qxl_draw_fill(struct qxl_draw_fill *qxl_draw_fill_rec) qxl_release_unmap(qdev, release, &drawable->release_info); - qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); out_free_release: if (ret) diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c index 7c2e78201ead..4d852449a7d1 100644 --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c @@ -257,11 +257,8 @@ static int qxl_process_single_command(struct qxl_device *qdev, apply_surf_reloc(qdev, &reloc_info[i]); } + qxl_release_fence_buffer_objects(release); ret = qxl_push_command_ring_release(qdev, release, cmd->type, true); - if (ret) - qxl_release_backoff_reserve_list(release); - else - qxl_release_fence_buffer_objects(release); out_free_bos: out_free_release: -- 2.17.1

5 years, 8 months

[PATCH 4.9] drm/qxl: qxl_release use after free

by Vasily Averin

>From 933db73351d359f74b14f4af095808260aff11f9 Mon Sep 17 00:00:00 2001 From: Vasily Averin <vvs(a)virtuozzo.com> Date: Wed, 29 Apr 2020 12:01:24 +0300 Subject: [PATCH] drm/qxl: qxl_release use after free qxl_release should not be accesses after qxl_push_*_ring_release() calls: userspace driver can process submitted command quickly, move qxl_release into release_ring, generate interrupt and trigger garbage collector. It can lead to crashes in qxl driver or trigger memory corruption in some kmalloc-192 slab object Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() + qxl_push_{cursor,command}_ring_release() calls to close that race window. cc: stable(a)vger.kernel.org Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d3241… Signed-off-by: Gerd Hoffmann <kraxel(a)redhat.com> backported to v4.9-stable Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> --- drivers/gpu/drm/qxl/qxl_cmd.c | 5 ++--- drivers/gpu/drm/qxl/qxl_display.c | 8 ++++---- drivers/gpu/drm/qxl/qxl_draw.c | 8 ++++---- drivers/gpu/drm/qxl/qxl_ioctl.c | 5 +---- 4 files changed, 11 insertions(+), 15 deletions(-) diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c index 04270f5d110c..91774756ae99 100644 --- a/drivers/gpu/drm/qxl/qxl_cmd.c +++ b/drivers/gpu/drm/qxl/qxl_cmd.c @@ -528,8 +528,8 @@ int qxl_hw_surface_alloc(struct qxl_device *qdev, /* no need to add a release to the fence for this surface bo, since it is only released when we ask to destroy the surface and it would never signal otherwise */ - qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); surf->hw_surf_alloc = true; spin_lock(&qdev->surf_id_idr_lock); @@ -571,9 +571,8 @@ int qxl_hw_surface_dealloc(struct qxl_device *qdev, cmd->surface_id = id; qxl_release_unmap(qdev, release, &cmd->release_info); - qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); - qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); return 0; } diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c index a61c0d460ec2..f8a1f84c8838 100644 --- a/drivers/gpu/drm/qxl/qxl_display.c +++ b/drivers/gpu/drm/qxl/qxl_display.c @@ -292,8 +292,8 @@ qxl_hide_cursor(struct qxl_device *qdev) cmd->type = QXL_CURSOR_HIDE; qxl_release_unmap(qdev, release, &cmd->release_info); - qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); qxl_release_fence_buffer_objects(release); + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); return 0; } @@ -333,8 +333,8 @@ static int qxl_crtc_apply_cursor(struct drm_crtc *crtc) cmd->u.set.visible = 1; qxl_release_unmap(qdev, release, &cmd->release_info); - qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); qxl_release_fence_buffer_objects(release); + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); return ret; @@ -436,8 +436,8 @@ static int qxl_crtc_cursor_set2(struct drm_crtc *crtc, cmd->u.set.visible = 1; qxl_release_unmap(qdev, release, &cmd->release_info); - qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); qxl_release_fence_buffer_objects(release); + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); /* finish with the userspace bo */ ret = qxl_bo_reserve(user_bo, false); @@ -497,8 +497,8 @@ static int qxl_crtc_cursor_move(struct drm_crtc *crtc, cmd->u.position.y = qcrtc->cur_y + qcrtc->hot_spot_y; qxl_release_unmap(qdev, release, &cmd->release_info); - qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); qxl_release_fence_buffer_objects(release); + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); return 0; } diff --git a/drivers/gpu/drm/qxl/qxl_draw.c b/drivers/gpu/drm/qxl/qxl_draw.c index 9b728edf1b49..f32b663e5bbc 100644 --- a/drivers/gpu/drm/qxl/qxl_draw.c +++ b/drivers/gpu/drm/qxl/qxl_draw.c @@ -241,8 +241,8 @@ void qxl_draw_opaque_fb(const struct qxl_fb_image *qxl_fb_image, qxl_bo_physical_address(qdev, dimage->bo, 0); qxl_release_unmap(qdev, release, &drawable->release_info); - qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); out_free_palette: if (palette_bo) @@ -381,8 +381,8 @@ void qxl_draw_dirty_fb(struct qxl_device *qdev, } qxl_bo_kunmap(clips_bo); - qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); out_release_backoff: if (ret) @@ -432,8 +432,8 @@ void qxl_draw_copyarea(struct qxl_device *qdev, drawable->u.copy_bits.src_pos.y = sy; qxl_release_unmap(qdev, release, &drawable->release_info); - qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); out_free_release: if (ret) @@ -476,8 +476,8 @@ void qxl_draw_fill(struct qxl_draw_fill *qxl_draw_fill_rec) qxl_release_unmap(qdev, release, &drawable->release_info); - qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); qxl_release_fence_buffer_objects(release); + qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); out_free_release: if (ret) diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c index 5a4c8c492683..db0afb0613c9 100644 --- a/drivers/gpu/drm/qxl/qxl_ioctl.c +++ b/drivers/gpu/drm/qxl/qxl_ioctl.c @@ -256,11 +256,8 @@ static int qxl_process_single_command(struct qxl_device *qdev, apply_surf_reloc(qdev, &reloc_info[i]); } + qxl_release_fence_buffer_objects(release); ret = qxl_push_command_ring_release(qdev, release, cmd->type, true); - if (ret) - qxl_release_backoff_reserve_list(release); - else - qxl_release_fence_buffer_objects(release); out_free_bos: out_free_release: -- 2.17.1

5 years, 8 months

Re: stable-rc/linux-5.4.y bisection: baseline.dmesg.alert on meson-g12a-x96-max

by Guillaume Tucker

Please see the bisection report below about a kernel Oops. Reports aren't automatically sent to the public while we're trialing new bisection features on kernelci.org but this one looks valid. The log shows a kernel NULL pointer dereference: https://storage.kernelci.org/stable-rc/linux-5.4.y/v5.4.36-52-g35bbc55d9e29… The call stack is not the same as in the commit message found by the bisection, so maybe it only fixed part of the problem: <1>[ 16.007376] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 <1>[ 16.016300] Mem abort info: <1>[ 16.019269] ESR = 0x96000006 <1>[ 16.022571] EC = 0x25: DABT (current EL), IL = 32 bits <1>[ 16.028075] SET = 0, FnV = 0 <1>[ 16.031356] EA = 0, S1PTW = 0 <1>[ 16.034705] Data abort info: <1>[ 16.037837] ISV = 0, ISS = 0x00000006 <1>[ 16.041876] CM = 0, WnR = 0 <1>[ 16.045128] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000be0f0000 <1>[ 16.051702] [0000000000000010] pgd=00000000be117003, pud=00000000be118003, pmd=0000000000000000 <0>[ 16.051709] Internal error: Oops: 96000006 [#1] PREEMPT SMP <4>[ 16.133466] CPU: 2 PID: 33 Comm: kworker/2:1 Tainted: G W 5.4.37-rc1 #1 <4>[ 16.141566] Hardware name: Shenzhen Amediatech Technology Co., Ltd X96 Max (DT) <4>[ 16.149087] Workqueue: events deferred_probe_work_func <4>[ 16.154419] pstate: 20000005 (nzCv daif -PAN -UAO) <4>[ 16.159428] pc : snd_soc_dapm_new_dai+0x3c/0x1b0 <4>[ 16.164252] lr : snd_soc_dapm_connect_dai_link_widgets+0x114/0x268 <4>[ 16.256970] Call trace: <4>[ 16.259647] snd_soc_dapm_new_dai+0x3c/0x1b0 <4>[ 16.264129] snd_soc_dapm_connect_dai_link_widgets+0x114/0x268 <4>[ 16.270167] snd_soc_instantiate_card+0x858/0xb88 <4>[ 16.275083] snd_soc_register_card+0xf8/0x120 <4>[ 16.279656] devm_snd_soc_register_card+0x40/0x90 <4>[ 16.284575] axg_card_probe+0x9dc/0xaf0 [snd_soc_meson_axg_sound_card] <4>[ 16.291299] platform_drv_probe+0x50/0xa0 <4>[ 16.295524] really_probe+0xd4/0x328 <4>[ 16.299319] driver_probe_device+0x54/0xe8 ... Guillaume On 01/05/2020 10:32, kernelci.org bot wrote: > * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * > * This automated bisection report was sent to you on the basis * > * that you may be involved with the breaking commit it has * > * found. No manual investigation has been done to verify it, * > * and the root cause of the problem may be somewhere else. * > * * > * If you do send a fix, please include this trailer: * > * Reported-by: "kernelci.org bot" <bot(a)kernelci.org> * > * * > * Hope this helps! * > * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * > > stable-rc/linux-5.4.y bisection: baseline.dmesg.alert on meson-g12a-x96-max > > Summary: > Start: 35bbc55d9e296 Linux 5.4.37-rc1 > Plain log: https://storage.kernelci.org/stable-rc/linux-5.4.y/v5.4.36-52-g35bbc55d9e29… > HTML log: https://storage.kernelci.org/stable-rc/linux-5.4.y/v5.4.36-52-g35bbc55d9e29… > Result: 09f4294793bd3 ASoC: meson: axg-card: fix codec-to-codec link setup > > Checks: > revert: PASS > verify: PASS > > Parameters: > Tree: stable-rc > URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git > Branch: linux-5.4.y > Target: meson-g12a-x96-max > CPU arch: arm64 > Lab: lab-baylibre > Compiler: gcc-8 > Config: defconfig > Test case: baseline.dmesg.alert > > Breaking commit found: > > ------------------------------------------------------------------------------- > commit 09f4294793bd3e70d68fdab5b392dff18bff62ca > Author: Jerome Brunet <jbrunet(a)baylibre.com> > Date: Mon Apr 20 13:45:10 2020 +0200 > > ASoC: meson: axg-card: fix codec-to-codec link setup > > commit 1164284270779e1865cc2046a2a01b58a1e858a9 upstream. > > Since the addition of commit 9b5db059366a ("ASoC: soc-pcm: dpcm: Only allow > playback/capture if supported"), meson-axg cards which have codec-to-codec > links fail to init and Oops: > > Unable to handle kernel NULL pointer dereference at virtual address 0000000000000128 > Internal error: Oops: 96000044 [#1] PREEMPT SMP > CPU: 3 PID: 1582 Comm: arecord Not tainted 5.7.0-rc1 > pc : invalidate_paths_ep+0x30/0xe0 > lr : snd_soc_dapm_dai_get_connected_widgets+0x170/0x1a8 > Call trace: > invalidate_paths_ep+0x30/0xe0 > snd_soc_dapm_dai_get_connected_widgets+0x170/0x1a8 > dpcm_path_get+0x38/0xd0 > dpcm_fe_dai_open+0x70/0x920 > snd_pcm_open_substream+0x564/0x840 > snd_pcm_open+0xfc/0x228 > snd_pcm_capture_open+0x4c/0x78 > snd_open+0xac/0x1a8 > ... > > While initiliazing the links, ASoC treats the codec-to-codec links of this > card type as a DPCM backend. This error eventually leads to the Oops. > > Most of the card driver code is shared between DPCM backends and > codec-to-codec links. The property "no_pcm" marking DCPM BE was left set on > codec-to-codec links, leading to this problem. This commit fixes that. > > Fixes: 0a8f1117a680 ("ASoC: meson: axg-card: add basic codec-to-codec link support") > Signed-off-by: Jerome Brunet <jbrunet(a)baylibre.com> > Link: https://lore.kernel.org/r/20200420114511.450560-2-jbrunet@baylibre.com > Signed-off-by: Mark Brown <broonie(a)kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > > diff --git a/sound/soc/meson/axg-card.c b/sound/soc/meson/axg-card.c > index 1f698adde506c..2b04ac3d8fd3b 100644 > --- a/sound/soc/meson/axg-card.c > +++ b/sound/soc/meson/axg-card.c > @@ -586,8 +586,10 @@ static int axg_card_add_link(struct snd_soc_card *card, struct device_node *np, > > if (axg_card_cpu_is_tdm_iface(dai_link->cpus->of_node)) > ret = axg_card_parse_tdm(card, np, index); > - else if (axg_card_cpu_is_codec(dai_link->cpus->of_node)) > + else if (axg_card_cpu_is_codec(dai_link->cpus->of_node)) { > dai_link->params = &codec_params; > + dai_link->no_pcm = 0; /* link is not a DPCM BE */ > + } > > return ret; > } > ------------------------------------------------------------------------------- > > > Git bisection log: > > ------------------------------------------------------------------------------- > git bisect start > # good: [aa73bcc376865c23e61dcebd467697b527901be8] Linux 5.4.36 > git bisect good aa73bcc376865c23e61dcebd467697b527901be8 > # bad: [35bbc55d9e296d37cf01555d415338b84a70d4c5] Linux 5.4.37-rc1 > git bisect bad 35bbc55d9e296d37cf01555d415338b84a70d4c5 > # bad: [924f1d37852ff357658c205dd114c70862865fc9] svcrdma: Fix trace point use-after-free race > git bisect bad 924f1d37852ff357658c205dd114c70862865fc9 > # good: [b848f65436665b5fe675fd3f645c1a458e49f60a] counter: 104-quad-8: Add lock guards - generic interface > git bisect good b848f65436665b5fe675fd3f645c1a458e49f60a > # bad: [04b53ed855129c1703d00d8494e4c61309714a99] drivers: soc: xilinx: fix firmware driver Kconfig dependency > git bisect bad 04b53ed855129c1703d00d8494e4c61309714a99 > # good: [ae886eae0318c71a6125347d6810a1578a83d262] ASoC: tas571x: disable regulators on failed probe > git bisect good ae886eae0318c71a6125347d6810a1578a83d262 > # bad: [2c0990070379284dda0b51304ce19c2b96e083a2] ASoC: wm8960: Fix wrong clock after suspend & resume > git bisect bad 2c0990070379284dda0b51304ce19c2b96e083a2 > # bad: [09f4294793bd3e70d68fdab5b392dff18bff62ca] ASoC: meson: axg-card: fix codec-to-codec link setup > git bisect bad 09f4294793bd3e70d68fdab5b392dff18bff62ca > # first bad commit: [09f4294793bd3e70d68fdab5b392dff18bff62ca] ASoC: meson: axg-card: fix codec-to-codec link setup > ------------------------------------------------------------------------------- >

5 years, 8 months

FAILED: patch "[PATCH] RDMA/core: Fix race between destroy and release FD object" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From f0abc761bbb9418876cc4d1ebc473e4ea6352e42 Mon Sep 17 00:00:00 2001 From: Leon Romanovsky <leon(a)kernel.org> Date: Thu, 23 Apr 2020 09:01:22 +0300 Subject: [PATCH] RDMA/core: Fix race between destroy and release FD object The call to ->lookup_put() was too early and it caused an unlock of the read/write protection of the uobject after the FD was put. This allows a race: CPU1 CPU2 rdma_lookup_put_uobject() lookup_put_fd_uobject() fput() fput() uverbs_uobject_fd_release() WARN_ON(uverbs_try_lock_object(uobj, UVERBS_LOOKUP_WRITE)); atomic_dec(usecnt) Fix the code by changing the order, first unlock and call to ->lookup_put() after that. Fixes: 3832125624b7 ("IB/core: Add support for idr types") Link: https://lore.kernel.org/r/20200423060122.6182-1-leon@kernel.org Suggested-by: Jason Gunthorpe <jgg(a)mellanox.com> Signed-off-by: Leon Romanovsky <leonro(a)mellanox.com> Signed-off-by: Jason Gunthorpe <jgg(a)mellanox.com> diff --git a/drivers/infiniband/core/rdma_core.c b/drivers/infiniband/core/rdma_core.c index 2947f4f83561..177333d8bcda 100644 --- a/drivers/infiniband/core/rdma_core.c +++ b/drivers/infiniband/core/rdma_core.c @@ -678,7 +678,6 @@ void rdma_lookup_put_uobject(struct ib_uobject *uobj, enum rdma_lookup_mode mode) { assert_uverbs_usecnt(uobj, mode); - uobj->uapi_object->type_class->lookup_put(uobj, mode); /* * In order to unlock an object, either decrease its usecnt for * read access or zero it in case of exclusive access. See @@ -695,6 +694,7 @@ void rdma_lookup_put_uobject(struct ib_uobject *uobj, break; } + uobj->uapi_object->type_class->lookup_put(uobj, mode); /* Pairs with the kref obtained by type->lookup_get */ uverbs_uobject_put(uobj); }

5 years, 8 months

Linux 5.6.10

by Greg KH

I'm announcing the release of the 5.6.10 kernel. All users of the 5.6 kernel series must upgrade. The updated 5.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- sound/soc/meson/axg-card.c | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) Greg Kroah-Hartman (2): Revert "ASoC: meson: axg-card: fix codec-to-codec link setup" Linux 5.6.10

5 years, 8 months

Linux 5.4.38

by Greg KH

I'm announcing the release of the 5.4.38 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- sound/soc/meson/axg-card.c | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) Greg Kroah-Hartman (2): Revert "ASoC: meson: axg-card: fix codec-to-codec link setup" Linux 5.4.38

5 years, 8 months

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror