[PATCH AUTOSEL 4.9 01/12] drm/r128: Fix undefined behavior due to shift overflowing the constant
From: Borislav Petkov bp@suse.de
[ Upstream commit 6556551f8848f98eff356c8aacae42c8dd65b2df ]
Fix:
drivers/gpu/drm/r128/r128_cce.c: In function ‘r128_do_init_cce’: drivers/gpu/drm/r128/r128_cce.c:417:2: error: case label does not reduce to an integer constant case R128_PM4_64BM_64VCBM_64INDBM: ^~~~ drivers/gpu/drm/r128/r128_cce.c:418:2: error: case label does not reduce to an integer constant case R128_PM4_64PIO_64VCPIO_64INDPIO: ^~~~
See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory details as to why it triggers with older gccs only.
Reviewed-by: Randy Dunlap rdunlap@infradead.org Signed-off-by: Borislav Petkov bp@suse.de Cc: David Airlie airlied@linux.ie Cc: Daniel Vetter daniel@ffwll.ch Cc: Alex Deucher alexander.deucher@amd.com Cc: dri-devel@lists.freedesktop.org Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch Link: https://patchwork.freedesktop.org/patch/msgid/20220405151517.29753-5-bp@alie... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/r128/r128_drv.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/r128/r128_drv.h b/drivers/gpu/drm/r128/r128_drv.h index 09143b840482..6553a855a176 100644 --- a/drivers/gpu/drm/r128/r128_drv.h +++ b/drivers/gpu/drm/r128/r128_drv.h @@ -289,8 +289,8 @@ extern long r128_compat_ioctl(struct file *filp, unsigned int cmd, # define R128_PM4_64PIO_128INDBM (5 << 28) # define R128_PM4_64BM_128INDBM (6 << 28) # define R128_PM4_64PIO_64VCBM_64INDBM (7 << 28) -# define R128_PM4_64BM_64VCBM_64INDBM (8 << 28) -# define R128_PM4_64PIO_64VCPIO_64INDPIO (15 << 28) +# define R128_PM4_64BM_64VCBM_64INDBM (8U << 28) +# define R128_PM4_64PIO_64VCPIO_64INDPIO (15U << 28) # define R128_PM4_BUFFER_CNTL_NOUPDATE (1 << 27)
#define R128_PM4_BUFFER_WM_CNTL 0x0708
From: Xiaohui Zhang xiaohuizhang@ruc.edu.cn
[ Upstream commit 0381ac3ca2e727d4dfb7264d9416a8ba6bb6c18b ]
Similar to the handling of amdgpu_sa_bo_next_hole in commit 6a15f3ff19a8 ("drm/amdgpu: Initialize fences array entries in amdgpu_sa_bo_next_hole"), we thought a patch might be needed here as well.
The entries were only initialized once in radeon_sa_bo_new. If a fence wasn't signalled yet in the first radeon_sa_bo_next_hole call, but then got signalled before a later radeon_sa_bo_next_hole call, it could destroy the fence but leave its pointer in the array, resulting in use-after-free in radeon_sa_bo_new.
Signed-off-by: Xiaohui Zhang xiaohuizhang@ruc.edu.cn Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/radeon/radeon_sa.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c index 197b157b73d0..0cb6eeb77b5f 100644 --- a/drivers/gpu/drm/radeon/radeon_sa.c +++ b/drivers/gpu/drm/radeon/radeon_sa.c @@ -267,6 +267,8 @@ static bool radeon_sa_bo_next_hole(struct radeon_sa_manager *sa_manager, for (i = 0; i < RADEON_NUM_RINGS; ++i) { struct radeon_sa_bo *sa_bo;
+ fences[i] = NULL; + if (list_empty(&sa_manager->flist[i])) { continue; } @@ -332,10 +334,8 @@ int radeon_sa_bo_new(struct radeon_device *rdev,
spin_lock(&sa_manager->wq.lock); do { - for (i = 0; i < RADEON_NUM_RINGS; ++i) { - fences[i] = NULL; + for (i = 0; i < RADEON_NUM_RINGS; ++i) tries[i] = 0; - }
do { radeon_sa_bo_try_free(sa_manager);
From: Oliver Neukum oneukum@suse.com
[ Upstream commit ca9dc8d06ab64543a6a31adac5003349c5671218 ]
If we want to avoid memory corruption on incoherent architectures, buffers for DMA must not reside - on the stack - embedded within other structures
Allocate them separately.
v2: fix uninitialized return value
Signed-off-by: Oliver Neukum oneukum@suse.com Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/media/usb/airspy/airspy.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c index 8251942bcd12..1c549ad60195 100644 --- a/drivers/media/usb/airspy/airspy.c +++ b/drivers/media/usb/airspy/airspy.c @@ -134,7 +134,7 @@ struct airspy {
/* USB control message buffer */ #define BUF_SIZE 128 - u8 buf[BUF_SIZE]; + u8 *buf;
/* Current configuration */ unsigned int f_adc; @@ -872,6 +872,7 @@ static void airspy_video_release(struct v4l2_device *v)
v4l2_ctrl_handler_free(&s->hdl); v4l2_device_unregister(&s->v4l2_dev); + kfree(s->buf); kfree(s); }
@@ -979,7 +980,10 @@ static int airspy_probe(struct usb_interface *intf, { struct airspy *s; int ret; - u8 u8tmp, buf[BUF_SIZE]; + u8 u8tmp, *buf; + + buf = NULL; + ret = -ENOMEM;
s = kzalloc(sizeof(struct airspy), GFP_KERNEL); if (s == NULL) { @@ -987,6 +991,13 @@ static int airspy_probe(struct usb_interface *intf, return -ENOMEM; }
+ s->buf = kzalloc(BUF_SIZE, GFP_KERNEL); + if (!s->buf) + goto err_free_mem; + buf = kzalloc(BUF_SIZE, GFP_KERNEL); + if (!buf) + goto err_free_mem; + mutex_init(&s->v4l2_lock); mutex_init(&s->vb_queue_lock); spin_lock_init(&s->queued_bufs_lock); @@ -1082,6 +1093,8 @@ static int airspy_probe(struct usb_interface *intf, v4l2_ctrl_handler_free(&s->hdl); v4l2_device_unregister(&s->v4l2_dev); err_free_mem: + kfree(buf); + kfree(s->buf); kfree(s); return ret; }
From: Dongliang Mu mudongliangabcd@gmail.com
[ Upstream commit 945a9a8e448b65bec055d37eba58f711b39f66f0 ]
The error handling code in pvr2_hdw_create forgets to unregister the v4l2 device. When pvr2_hdw_create returns back to pvr2_context_create, it calls pvr2_context_destroy to destroy context, but mp->hdw is NULL, which leads to that pvr2_hdw_destroy directly returns.
Fix this by adding v4l2_device_unregister to decrease the refcount of usb interface.
Reported-by: syzbot+77b432d57c4791183ed4@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu mudongliangabcd@gmail.com Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c index b868a77a048c..a02da1d55fd0 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c @@ -2656,6 +2656,7 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf, del_timer_sync(&hdw->encoder_run_timer); del_timer_sync(&hdw->encoder_wait_timer); flush_work(&hdw->workpoll); + v4l2_device_unregister(&hdw->v4l2_dev); usb_free_urb(hdw->ctl_read_urb); usb_free_urb(hdw->ctl_write_urb); kfree(hdw->ctl_read_buffer);
From: Amit Cohen amcohen@nvidia.com
[ Upstream commit 89df3c6261f271c550f120b5ccf4d9c5132e870c ]
Currently, the length of 'config_profile.flood_mode' is defined as 2 bits, while the correct length is 3 bits.
As preparation for unified bridge model, which will use the whole field length, fix it and increase the field to the correct size.
Signed-off-by: Amit Cohen amcohen@nvidia.com Signed-off-by: Ido Schimmel idosch@nvidia.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/mellanox/mlxsw/cmd.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/cmd.h b/drivers/net/ethernet/mellanox/mlxsw/cmd.h index 28271bedd957..f126050389ee 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/cmd.h +++ b/drivers/net/ethernet/mellanox/mlxsw/cmd.h @@ -722,7 +722,7 @@ MLXSW_ITEM32(cmd_mbox, config_profile, max_vid_flood_tables, 0x30, 8, 4); * max_fid_offset_flood_tables indicates the number of FID-offset tables. * max_fid_flood_tables indicates the number of per-FID tables. */ -MLXSW_ITEM32(cmd_mbox, config_profile, flood_mode, 0x30, 0, 2); +MLXSW_ITEM32(cmd_mbox, config_profile, flood_mode, 0x30, 0, 3);
/* cmd_mbox_config_profile_max_fid_offset_flood_tables * Maximum number of FID-offset flooding tables.
Hi!
From: Amit Cohen amcohen@nvidia.com
[ Upstream commit 89df3c6261f271c550f120b5ccf4d9c5132e870c ]
Currently, the length of 'config_profile.flood_mode' is defined as 2 bits, while the correct length is 3 bits.
As preparation for unified bridge model, which will use the whole field length, fix it and increase the field to the correct size.
I don't think we need here as follow-up patches are not queued for at least 4.9 and 4.19...
Best regards, Pavel
From: Al Viro viro@zeniv.linux.org.uk
[ Upstream commit 7392ed1734c319150b5ddec3f192a6405728e8d0 ]
All callers can and should handle iov_iter_get_pages() returning fewer pages than requested. All in-kernel ones do. And it makes the arithmetical overflow analysis much simpler...
Reviewed-by: Jeff Layton jlayton@kernel.org Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Sasha Levin sashal@kernel.org --- lib/iov_iter.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/lib/iov_iter.c b/lib/iov_iter.c index e01bb1c51d87..c4b9896422ae 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -951,6 +951,8 @@ ssize_t iov_iter_get_pages(struct iov_iter *i,
if (!maxsize) return 0; + if (maxsize > MAX_RW_COUNT) + maxsize = MAX_RW_COUNT;
if (unlikely(i->type & ITER_PIPE)) return pipe_get_pages(i, pages, maxsize, maxpages, start); @@ -1031,6 +1033,8 @@ ssize_t iov_iter_get_pages_alloc(struct iov_iter *i,
if (!maxsize) return 0; + if (maxsize > MAX_RW_COUNT) + maxsize = MAX_RW_COUNT;
if (unlikely(i->type & ITER_PIPE)) return pipe_get_pages_alloc(i, pages, maxsize, start);
From: Herbert Xu herbert@gondor.apana.org.au
[ Upstream commit cc8166bfc829043020b5cc3b7cdba02a17d03b6d ]
The compiler complains that p8_ghash_alg isn't declared which is because the header file aesp8-ppc.h isn't included in ghash.c. This patch fixes the warning.
Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Acked-by: Breno Leitao leitao@debian.org Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/crypto/vmx/ghash.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/crypto/vmx/ghash.c b/drivers/crypto/vmx/ghash.c index 1bfe867c0b7b..84a293d45cc5 100644 --- a/drivers/crypto/vmx/ghash.c +++ b/drivers/crypto/vmx/ghash.c @@ -22,6 +22,7 @@ #include <crypto/scatterwalk.h> #include <crypto/internal/hash.h> #include <crypto/b128ops.h> +#include "aesp8-ppc.h"
#define IN_INTERRUPT in_interrupt()
From: Biju Das biju.das.jz@bp.renesas.com
[ Upstream commit 2d99bfbf3386962692dcccd73931cb0db07a1a43 ]
As per Chapter 6.5.16 of the RZ/N1 Peripheral Manual, The SJA1000 CAN controller does not support Clock Divider Register compared to the reference Philips SJA1000 device.
This patch adds a device quirk to handle this difference.
Link: https://lore.kernel.org/all/20220710115248.190280-4-biju.das.jz@bp.renesas.c... Signed-off-by: Biju Das biju.das.jz@bp.renesas.com Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/can/sja1000/sja1000.c | 8 +++++--- drivers/net/can/sja1000/sja1000.h | 3 ++- 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c index 9f107798f904..ae0ca0ab371f 100644 --- a/drivers/net/can/sja1000/sja1000.c +++ b/drivers/net/can/sja1000/sja1000.c @@ -184,8 +184,9 @@ static void chipset_init(struct net_device *dev) { struct sja1000_priv *priv = netdev_priv(dev);
- /* set clock divider and output control register */ - priv->write_reg(priv, SJA1000_CDR, priv->cdr | CDR_PELICAN); + if (!(priv->flags & SJA1000_QUIRK_NO_CDR_REG)) + /* set clock divider and output control register */ + priv->write_reg(priv, SJA1000_CDR, priv->cdr | CDR_PELICAN);
/* set acceptance filter (accept all) */ priv->write_reg(priv, SJA1000_ACCC0, 0x00); @@ -210,7 +211,8 @@ static void sja1000_start(struct net_device *dev) set_reset_mode(dev);
/* Initialize chip if uninitialized at this stage */ - if (!(priv->read_reg(priv, SJA1000_CDR) & CDR_PELICAN)) + if (!(priv->flags & SJA1000_QUIRK_NO_CDR_REG || + priv->read_reg(priv, SJA1000_CDR) & CDR_PELICAN)) chipset_init(dev);
/* Clear error counters and error code capture */ diff --git a/drivers/net/can/sja1000/sja1000.h b/drivers/net/can/sja1000/sja1000.h index 9d46398f8154..7f736f1df547 100644 --- a/drivers/net/can/sja1000/sja1000.h +++ b/drivers/net/can/sja1000/sja1000.h @@ -145,7 +145,8 @@ /* * Flags for sja1000priv.flags */ -#define SJA1000_CUSTOM_IRQ_HANDLER 0x1 +#define SJA1000_CUSTOM_IRQ_HANDLER BIT(0) +#define SJA1000_QUIRK_NO_CDR_REG BIT(1)
/* * SJA1000 private data structure
Hi!
As per Chapter 6.5.16 of the RZ/N1 Peripheral Manual, The SJA1000 CAN controller does not support Clock Divider Register compared to the reference Philips SJA1000 device.
This patch adds a device quirk to handle this difference.
I don't think this is suitable for stable (at least 5.10.X and older) as we don't have user of the quirk queued up.
Best regards, Pavel
From: Łukasz Spintzyk lukasz.spintzyk@synaptics.com
[ Upstream commit 5588d628027092e66195097bdf6835ddf64418b3 ]
DisplayLink ethernet devices require NTB buffers larger then 32kb in order to run with highest performance.
This patch is changing upper limit of the rx and tx buffers. Those buffers are initialized with CDC_NCM_NTB_DEF_SIZE_RX and CDC_NCM_NTB_DEF_SIZE_TX which is 16kb so by default no device is affected by increased limit.
Rx and tx buffer is increased under two conditions: - Device need to advertise that it supports higher buffer size in dwNtbMaxInMaxSize and dwNtbMaxOutMaxSize. - cdc_ncm/rx_max and cdc_ncm/tx_max driver parameters must be adjusted with udev rule or ethtool.
Summary of testing and performance results: Tests were performed on following devices: - DisplayLink DL-3xxx family device - DisplayLink DL-6xxx family device - ASUS USB-C2500 2.5G USB3 ethernet adapter - Plugable USB3 1G USB3 ethernet adapter - EDIMAX EU-4307 USB-C ethernet adapter - Dell DBQBCBC064 USB-C ethernet adapter
Performance measurements were done with: - iperf3 between two linux boxes - http://openspeedtest.com/ instance running on local test machine
Insights from tests results: - All except one from third party usb adapters were not affected by increased buffer size to their advertised dwNtbOutMaxSize and dwNtbInMaxSize. Devices were generally reaching 912-940Mbps both download and upload.
Only EDIMAX adapter experienced decreased download size from 929Mbps to 827Mbps with iper3, with openspeedtest decrease was from 968Mbps to 886Mbps.
- DisplayLink DL-3xxx family devices experienced performance increase with iperf3 download from 300Mbps to 870Mbps and upload from 782Mbps to 844Mbps. With openspeedtest download increased from 556Mbps to 873Mbps and upload from 727Mbps to 973Mbps
- DiplayLink DL-6xxx family devices are not affected by increased buffer size.
Signed-off-by: Łukasz Spintzyk lukasz.spintzyk@synaptics.com Acked-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Link: https://lore.kernel.org/r/20220720060518.541-2-lukasz.spintzyk@synaptics.com Signed-off-by: Paolo Abeni pabeni@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- include/linux/usb/cdc_ncm.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/usb/cdc_ncm.h b/include/linux/usb/cdc_ncm.h index b0fad110817b..4c4e33e5cbb1 100644 --- a/include/linux/usb/cdc_ncm.h +++ b/include/linux/usb/cdc_ncm.h @@ -49,8 +49,8 @@ #define USB_CDC_NCM_NDP16_LENGTH_MIN 0x10
/* Maximum NTB length */ -#define CDC_NCM_NTB_MAX_SIZE_TX 32768 /* bytes */ -#define CDC_NCM_NTB_MAX_SIZE_RX 32768 /* bytes */ +#define CDC_NCM_NTB_MAX_SIZE_TX 65536 /* bytes */ +#define CDC_NCM_NTB_MAX_SIZE_RX 65536 /* bytes */
/* Initial NTB length */ #define CDC_NCM_NTB_DEF_SIZE_TX 16384 /* bytes */
From: Zheyu Ma zheyuma97@gmail.com
[ Upstream commit 13876f2a087ad352bf640a7a0a4a4229ea6e9e4f ]
When the driver fails at ieee80211_alloc_hw() at the probe time, the driver will free the 'hw' which is not allocated, causing a bug.
The following log can reveal it:
[ 15.981294] BUG: KASAN: user-memory-access in mutex_is_locked+0xe/0x40 [ 15.981558] Read of size 8 at addr 0000000000001ab0 by task modprobe/373 [ 15.982583] Call Trace: [ 15.984282] ieee80211_free_hw+0x22/0x390 [ 15.984446] rtl8xxxu_probe+0x3a1/0xab30 [rtl8xxxu]
Fix the bug by changing the order of the error handling.
Signed-off-by: Zheyu Ma zheyuma97@gmail.com Signed-off-by: Kalle Valo kvalo@kernel.org Link: https://lore.kernel.org/r/20220716130444.2950690-1-zheyuma97@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- .../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c index e73613b9f2f5..ba9ac025d440 100644 --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c @@ -6023,7 +6023,7 @@ static int rtl8xxxu_probe(struct usb_interface *interface, if (!hw) { ret = -ENOMEM; priv = NULL; - goto exit; + goto err_put_dev; }
priv = hw->priv; @@ -6042,24 +6042,24 @@ static int rtl8xxxu_probe(struct usb_interface *interface,
ret = rtl8xxxu_parse_usb(priv, interface); if (ret) - goto exit; + goto err_set_intfdata;
ret = rtl8xxxu_identify_chip(priv); if (ret) { dev_err(&udev->dev, "Fatal - failed to identify chip\n"); - goto exit; + goto err_set_intfdata; }
ret = rtl8xxxu_read_efuse(priv); if (ret) { dev_err(&udev->dev, "Fatal - failed to read EFuse\n"); - goto exit; + goto err_set_intfdata; }
ret = priv->fops->parse_efuse(priv); if (ret) { dev_err(&udev->dev, "Fatal - failed to parse EFuse\n"); - goto exit; + goto err_set_intfdata; }
rtl8xxxu_print_chipinfo(priv); @@ -6067,12 +6067,12 @@ static int rtl8xxxu_probe(struct usb_interface *interface, ret = priv->fops->load_firmware(priv); if (ret) { dev_err(&udev->dev, "Fatal - failed to load firmware\n"); - goto exit; + goto err_set_intfdata; }
ret = rtl8xxxu_init_device(hw); if (ret) - goto exit; + goto err_set_intfdata;
hw->wiphy->max_scan_ssids = 1; hw->wiphy->max_scan_ie_len = IEEE80211_MAX_DATA_LEN; @@ -6120,12 +6120,12 @@ static int rtl8xxxu_probe(struct usb_interface *interface, if (ret) { dev_err(&udev->dev, "%s: Failed to register: %i\n", __func__, ret); - goto exit; + goto err_set_intfdata; }
return 0;
-exit: +err_set_intfdata: usb_set_intfdata(interface, NULL);
if (priv) { @@ -6133,9 +6133,10 @@ static int rtl8xxxu_probe(struct usb_interface *interface, mutex_destroy(&priv->usb_buf_mutex); mutex_destroy(&priv->h2c_mutex); } - usb_put_dev(udev);
ieee80211_free_hw(hw); +err_put_dev: + usb_put_dev(udev);
return ret; }
From: Al Viro viro@zeniv.linux.org.uk
[ Upstream commit 40a3cb0d2314a41975aa385a74643878454f6eac ]
All callers of d_alloc_parallel() must make sure that resulting in-lookup dentry (if any) will encounter __d_lookup_done() before the final dput(). d_add_ci() might end up creating in-lookup dentries; they are fed to d_splice_alias(), which will normally make sure they meet __d_lookup_done(). However, it is possible to end up with d_splice_alias() failing with ERR_PTR(-ELOOP) without having done so. It takes a corrupted ntfs or case-insensitive xfs image, but neither should end up with memory corruption...
Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Sasha Levin sashal@kernel.org --- fs/dcache.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/fs/dcache.c b/fs/dcache.c index 05bad55352bb..e42c715fc9e9 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2089,6 +2089,7 @@ struct dentry *d_add_ci(struct dentry *dentry, struct inode *inode, } res = d_splice_alias(inode, found); if (res) { + d_lookup_done(found); dput(found); return res; }
From: Sebastian Andrzej Siewior bigeasy@linutronix.de
[ Upstream commit cf634d540a29018e8d69ab1befb7e08182bc6594 ]
i_dir_seq is a sequence counter with a lock which is represented by the lowest bit. The writer atomically updates the counter which ensures that it can be modified by only one writer at a time. This requires preemption to be disabled across the write side critical section.
On !PREEMPT_RT kernels this is implicit by the caller acquiring dentry::lock. On PREEMPT_RT kernels spin_lock() does not disable preemption which means that a preempting writer or reader would live lock. It's therefore required to disable preemption explicitly.
An alternative solution would be to replace i_dir_seq with a seqlock_t for PREEMPT_RT, but that comes with its own set of problems due to arbitrary lock nesting. A pure sequence count with an associated spinlock is not possible because the locks held by the caller are not necessarily related.
As the critical section is small, disabling preemption is a sensible solution.
Reported-by: Oleg.Karfich@wago.com Signed-off-by: Sebastian Andrzej Siewior bigeasy@linutronix.de Signed-off-by: Thomas Gleixner tglx@linutronix.de Signed-off-by: Sebastian Andrzej Siewior bigeasy@linutronix.de Link: https://lkml.kernel.org/r/20220613140712.77932-2-bigeasy@linutronix.de Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Sasha Levin sashal@kernel.org --- fs/dcache.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/dcache.c b/fs/dcache.c index e42c715fc9e9..feb592bb7cbe 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2425,7 +2425,15 @@ EXPORT_SYMBOL(d_rehash);
static inline unsigned start_dir_add(struct inode *dir) { - + /* + * The caller holds a spinlock (dentry::d_lock). On !PREEMPT_RT + * kernels spin_lock() implicitly disables preemption, but not on + * PREEMPT_RT. So for RT it has to be done explicitly to protect + * the sequence count write side critical section against a reader + * or another writer preempting, which would result in a live lock. + */ + if (IS_ENABLED(CONFIG_PREEMPT_RT)) + preempt_disable(); for (;;) { unsigned n = dir->i_dir_seq; if (!(n & 1) && cmpxchg(&dir->i_dir_seq, n, n + 1) == n) @@ -2437,6 +2445,8 @@ static inline unsigned start_dir_add(struct inode *dir) static inline void end_dir_add(struct inode *dir, unsigned n) { smp_store_release(&dir->i_dir_seq, n + 2); + if (IS_ENABLED(CONFIG_PREEMPT_RT)) + preempt_enable(); }
static void d_wait_lookup(struct dentry *dentry)
linux-stable-mirror@lists.linaro.org
-
Pavel Machek -
Sasha Levin