1. 20 10月, 2020 1 次提交
    • J
      xen/events: avoid removing an event channel while handling it · 073d0552
      Juergen Gross 提交于
      Today it can happen that an event channel is being removed from the
      system while the event handling loop is active. This can lead to a
      race resulting in crashes or WARN() splats when trying to access the
      irq_info structure related to the event channel.
      
      Fix this problem by using a rwlock taken as reader in the event
      handling loop and as writer when deallocating the irq_info structure.
      
      As the observed problem was a NULL dereference in evtchn_from_irq()
      make this function more robust against races by testing the irq_info
      pointer to be not NULL before dereferencing it.
      
      And finally make all accesses to evtchn_to_irq[row][col] atomic ones
      in order to avoid seeing partial updates of an array element in irq
      handling. Note that irq handling can be entered only for event channels
      which have been valid before, so any not populated row isn't a problem
      in this regard, as rows are only ever added and never removed.
      
      This is XSA-331.
      
      Cc: stable@vger.kernel.org
      Reported-by: NMarek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
      Reported-by: NJinoh Kang <luke1337@theori.io>
      Signed-off-by: NJuergen Gross <jgross@suse.com>
      Reviewed-by: NStefano Stabellini <sstabellini@kernel.org>
      Reviewed-by: NWei Liu <wl@xen.org>
      073d0552
  2. 05 10月, 2020 7 次提交
  3. 04 10月, 2020 8 次提交
  4. 03 10月, 2020 17 次提交
  5. 02 10月, 2020 5 次提交
    • L
      pipe: remove pipe_wait() and fix wakeup race with splice · 472e5b05
      Linus Torvalds 提交于
      The pipe splice code still used the old model of waiting for pipe IO by
      using a non-specific "pipe_wait()" that waited for any pipe event to
      happen, which depended on all pipe IO being entirely serialized by the
      pipe lock.  So by checking the state you were waiting for, and then
      adding yourself to the wait queue before dropping the lock, you were
      guaranteed to see all the wakeups.
      
      Strictly speaking, the actual wakeups were not done under the lock, but
      the pipe_wait() model still worked, because since the waiter held the
      lock when checking whether it should sleep, it would always see the
      current state, and the wakeup was always done after updating the state.
      
      However, commit 0ddad21d ("pipe: use exclusive waits when reading or
      writing") split the single wait-queue into two, and in the process also
      made the "wait for event" code wait for _two_ wait queues, and that then
      showed a race with the wakers that were not serialized by the pipe lock.
      
      It's only splice that used that "pipe_wait()" model, so the problem
      wasn't obvious, but Josef Bacik reports:
      
       "I hit a hang with fstest btrfs/187, which does a btrfs send into
        /dev/null. This works by creating a pipe, the write side is given to
        the kernel to write into, and the read side is handed to a thread that
        splices into a file, in this case /dev/null.
      
        The box that was hung had the write side stuck here [pipe_write] and
        the read side stuck here [splice_from_pipe_next -> pipe_wait].
      
        [ more details about pipe_wait() scenario ]
      
        The problem is we're doing the prepare_to_wait, which sets our state
        each time, however we can be woken up either with reads or writes. In
        the case above we race with the WRITER waking us up, and re-set our
        state to INTERRUPTIBLE, and thus never break out of schedule"
      
      Josef had a patch that avoided the issue in pipe_wait() by just making
      it set the state only once, but the deeper problem is that pipe_wait()
      depends on a level of synchonization by the pipe mutex that it really
      shouldn't.  And the whole "wait for any pipe state change" model really
      isn't very good to begin with.
      
      So rather than trying to work around things in pipe_wait(), remove that
      legacy model of "wait for arbitrary pipe event" entirely, and actually
      create functions that wait for the pipe actually being readable or
      writable, and can do so without depending on the pipe lock serializing
      everything.
      
      Fixes: 0ddad21d ("pipe: use exclusive waits when reading or writing")
      Link: https://lore.kernel.org/linux-fsdevel/bfa88b5ad6f069b2b679316b9e495a970130416c.1601567868.git.josef@toxicpanda.com/Reported-by: NJosef Bacik <josef@toxicpanda.com>
      Reviewed-and-tested-by: NJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      472e5b05
    • L
      Merge tag 'iommu-fixes-v5.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 44b6e23b
      Linus Torvalds 提交于
      Pull iommu fixes from Joerg Roedel:
      
       - Fix a device reference counting bug in the Exynos IOMMU driver.
      
       - Lockdep fix for the Intel VT-d driver.
      
       - Fix a bug in the AMD IOMMU driver which caused corruption of the IVRS
         ACPI table and caused IOMMU driver initialization failures in kdump
         kernels.
      
      * tag 'iommu-fixes-v5.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/vt-d: Fix lockdep splat in iommu_flush_dev_iotlb()
        iommu/amd: Fix the overwritten field in IVMD header
        iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate()
      44b6e23b
    • L
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · eed2ef44
      Linus Torvalds 提交于
      Pull arm64 fix from Catalin Marinas:
       "A previous commit to prevent AML memory opregions from accessing the
        kernel memory turned out to be too restrictive. Relax the permission
        check to permit the ACPI core to map kernel memory used for table
        overrides"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: permit ACPI core to map kernel memory used for table overrides
      eed2ef44
    • L
      Merge tag 'drm-fixes-2020-10-01-1' of git://anongit.freedesktop.org/drm/drm · fcadab74
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "AMD and vmwgfx fixes.
      
        Just dequeuing these a bit early as the AMD ones are bit larger than
        I'd prefer, but Alex missed last week so it's a double set of fixes.
        The larger ones are just register header fixes for the new chips that
        were just introduced in rc1 along with some new PCI IDs for new hw.
        Otherwise it is usual fixes.
      
        The vmwgfx fix was due to some testing I was doing and found we
        weren't booting properly, vmware had the fix internally so hurried it
      
        vmwgfx:
         - fix a regression due to TTM refactor
      
        amdgpu:
         - Fix potential double free in userptr handling
         - Sienna Cichlid and Navy Flounder udpates
         - Add Sienna Cichlid PCI IDs
         - Drop experimental flag for navi12
         - Raven fixes
         - Renoir fixes
         - HDCP fix
         - DCN3 fix for clang and older versions of gcc
         - Fix a runtime pm refcount issue"
      
      * tag 'drm-fixes-2020-10-01-1' of git://anongit.freedesktop.org/drm/drm:
        drm/amdgpu: disable gfxoff temporarily for navy_flounder
        drm/amd/pm: setup APU dpm clock table in SMU HW initialization
        drm/vmwgfx: Fix error handling in get_node
        drm/amd/display: remove duplicate call to rn_vbios_smu_get_smu_version()
        drm/amdgpu/swsmu/smu12: fix force clock handling for mclk
        drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
        drm/amdgpu/display: fix CFLAGS setup for DCN30
        drm/amd/display: fix return value check for hdcp_work
        drm/amdgpu: remove gpu_info fw support for sienna_cichlid etc.
        drm/amd/pm: Removed fixed clock in auto mode DPM
        drm/amdgpu: remove experimental flag from navi12
        drm/amdgpu: add device ID for sienna_cichlid (v2)
        drm/amdgpu: use the AV1 defines for VCN 3.0
        drm/amdgpu: add VCN 3.0 AV1 registers
        drm/amdgpu: add the GC 10.3 VRS registers
        drm/amdgpu: prevent double kfree ttm->sg
      fcadab74
    • L
      Merge tag 'trace-v5.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · aa5ff935
      Linus Torvalds 提交于
      Pull tracing fixes from Steven Rostedt:
       "Two tracing fixes:
      
         - Fix temp buffer accounting that caused a WARNING for
           ftrace_dump_on_opps()
      
         - Move the recursion check in one of the function callback helpers to
           the beginning of the function, as if the rcu_is_watching() gets
           traced, it will cause a recursive loop that will crash the kernel"
      
      * tag 'trace-v5.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace: Move RCU is watching check after recursion check
        tracing: Fix trace_find_next_entry() accounting of temp buffer size
      aa5ff935
  6. 01 10月, 2020 2 次提交