openEuler kernel 21.03 innovation release patches
Alexander Kuznetsov (1): cgroup1: don't allow '\n' in renaming
Andy Shevchenko (1): usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe()
Anna Schumaker (1): NFS: Fix use-after-free in nfs4_init_client()
Desmond Cheong Zhi Xi (1): drm: Fix use-after-free read in drm_getunique()
Eric Farman (2):
  vfio-ccw: Reset FSM state to IDLE inside FSM
  vfio-ccw: Serialize FSM IDLE state with I/O completion
Jeremy Szu (1): ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8
Jerome Brunet (1): ASoC: meson: gx-card: fix sound-dai dt schema
Johannes Berg (1): netlink: disable IRQs for netlink_lock_table()
Li Jun (1): usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port
Linus Walleij (1): drm/mcde: Fix off by 10^3 in calculation
Maciej Żenczykowski (1): usb: f_ncm: only first packet of aggregate needs to start timer
Saravana Kannan (1): spi: Fix spi device unregister flow
Tiezhu Yang (1): MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER
Trond Myklebust (1): NFSv4: Fix second deadlock in nfs4_evict_inode()
Vincent Guittot (1): sched/fair: Keep load_avg and load_sum synced
Wesley Cheng (1): usb: dwc3: gadget: Disable gadget IRQ during pullup disable
Wolfram Sang (1): mmc: renesas_sdhi: abort tuning when timeout detected
Zhen Lei (1): tools/bootconfig: Fix error return code in apply_xbc()
Zou Wei (1): ASoC: sti-sas: add missing MODULE_DEVICE_TABLE
 .../bindings/sound/amlogic,gx-sound-card.yaml | 4 ++--
 arch/mips/lib/mips-atomic.c | 12 ++++++------
 drivers/gpu/drm/drm_ioctl.c | 9 +++++----
 drivers/gpu/drm/mcde/mcde_dsi.c | 2 +-
 drivers/mmc/host/renesas_sdhi_core.c | 7 ++++++-
 drivers/s390/cio/vfio_ccw_drv.c | 12 ++++++++++--
 drivers/s390/cio/vfio_ccw_fsm.c | 1 +
 drivers/s390/cio/vfio_ccw_ops.c | 2 --
 drivers/spi/spi.c | 18 ++++++++++++------
 drivers/usb/dwc3/gadget.c | 11 +++++------
 drivers/usb/gadget/function/f_ncm.c | 8 ++++----
 drivers/usb/typec/mux/intel_pmc_mux.c | 4 +++-
 drivers/usb/typec/tcpm/tcpm.c | 3 +++
 fs/nfs/nfs4client.c | 2 +-
 fs/nfs/nfs4proc.c | 9 +++++++--
 kernel/cgroup/cgroup-v1.c | 4 ++++
 kernel/sched/fair.c | 11 +++++------
 net/netlink/af_netlink.c | 6 ++++--
 sound/pci/hda/patch_realtek.c | 1 +
 sound/soc/codecs/sti-sas.c | 1 +
 tools/bootconfig/main.c | 1 +
 21 files changed, 82 insertions(+), 46 deletions(-)
From: Tiezhu Yang yangtiezhu@loongson.cn
stable inclusion from stable-v5.10.44 commit 7519ece673e300b0362572edbde7e030552705ec bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=417 CVE: NA
-------------------------------------------------
[ Upstream commit 78cf0eb926cb1abeff2106bae67752e032fe5f3e ]
When updating to the latest mainline kernel with the following three configs, the kernel hangs during startup:
(1) CONFIG_FUNCTION_GRAPH_TRACER=y
(2) CONFIG_PREEMPT_TRACER=y
(3) CONFIG_FTRACE_STARTUP_TEST=y
When updating to the latest mainline kernel with the above two configs (1) and (2), the kernel starts normally, but it still hangs when executing the following command:
    echo "function_graph" > /sys/kernel/debug/tracing/current_tracer
Without CONFIG_PREEMPT_TRACER=y, the above two kinds of kernel hang disappear, so at first glance it seems that CONFIG_PREEMPT_TRACER has some influence on the function_graph tracer.
I used ejtag to find out that the epc address is related to preempt_enable() in the file arch/mips/lib/mips-atomic.c. Because function tracing can trace the preempt_{enable,disable} calls, replace them with preempt_{enable,disable}_notrace to prevent function tracing from going into an infinite loop; this fixes the kernel hang issue.
By the way, it seems that this commit is a complement and improvement of commit f93a1a00f2bd ("MIPS: Fix crash that occurs when function tracing is enabled").
Signed-off-by: Tiezhu Yang yangtiezhu@loongson.cn Cc: Steven Rostedt rostedt@goodmis.org Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: You Jia jiayou@zju.edu.cn --- arch/mips/lib/mips-atomic.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/mips/lib/mips-atomic.c b/arch/mips/lib/mips-atomic.c index de03838b343b..a9b72eacfc0b 100644 --- a/arch/mips/lib/mips-atomic.c +++ b/arch/mips/lib/mips-atomic.c @@ -37,7 +37,7 @@ */ notrace void arch_local_irq_disable(void) { - preempt_disable(); + preempt_disable_notrace();
__asm__ __volatile__( " .set push \n" @@ -53,7 +53,7 @@ notrace void arch_local_irq_disable(void) : /* no inputs */ : "memory");
- preempt_enable(); + preempt_enable_notrace(); } EXPORT_SYMBOL(arch_local_irq_disable);
@@ -61,7 +61,7 @@ notrace unsigned long arch_local_irq_save(void) { unsigned long flags;
- preempt_disable(); + preempt_disable_notrace();
__asm__ __volatile__( " .set push \n" @@ -78,7 +78,7 @@ notrace unsigned long arch_local_irq_save(void) : /* no inputs */ : "memory");
- preempt_enable(); + preempt_enable_notrace();
return flags; } @@ -88,7 +88,7 @@ notrace void arch_local_irq_restore(unsigned long flags) { unsigned long __tmp1;
- preempt_disable(); + preempt_disable_notrace();
__asm__ __volatile__( " .set push \n" @@ -106,7 +106,7 @@ notrace void arch_local_irq_restore(unsigned long flags) : "0" (flags) : "memory");
- preempt_enable(); + preempt_enable_notrace(); } EXPORT_SYMBOL(arch_local_irq_restore);
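Review bot: The three functions are already marked notrace, so it is not obvious from the code why the inner calls in arch_local_irq_disable(), arch_local_irq_save() and arch_local_irq_restore() also had to become preempt_disable_notrace()/preempt_enable_notrace(). Add a one-line comment at the first call saying that the traced variants re-enter the function tracer, so a later cleanup does not switch them back. The commit message calls this a complement to f93a1a00f2bd but the trailers carry no Fixes: tag; consider adding one so the dependency is recorded.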
From: Eric Farman farman@linux.ibm.com
stable inclusion from stable-v5.10.44 commit cad3dc73c0645d00adfe96cebc8d950897cc1227 bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=453 CVE: NA
-------------------------------------------------
[ Upstream commit 6c02ac4c9211edabe17bda437ac97e578756f31b ]
When an I/O request is made, the fsm_io_request() routine moves the FSM state from IDLE to CP_PROCESSING, and then fsm_io_helper() moves it to CP_PENDING if the START SUBCHANNEL received a cc0. Yet, the error case to go from CP_PROCESSING back to IDLE is done after the FSM call returns.
Let's move this up into the FSM proper, to provide some better symmetry when unwinding in this case.
Signed-off-by: Eric Farman farman@linux.ibm.com Reviewed-by: Cornelia Huck cohuck@redhat.com Acked-by: Matthew Rosato mjrosato@linux.ibm.com Message-Id: 20210511195631.3995081-3-farman@linux.ibm.com Signed-off-by: Cornelia Huck cohuck@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: YuanHuiQ 3552253686@qq.com --- drivers/s390/cio/vfio_ccw_fsm.c | 1 + drivers/s390/cio/vfio_ccw_ops.c | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/s390/cio/vfio_ccw_fsm.c b/drivers/s390/cio/vfio_ccw_fsm.c index 23e61aa638e4..e435a9cd92da 100644 --- a/drivers/s390/cio/vfio_ccw_fsm.c +++ b/drivers/s390/cio/vfio_ccw_fsm.c @@ -318,6 +318,7 @@ static void fsm_io_request(struct vfio_ccw_private *private, }
err_out: + private->state = VFIO_CCW_STATE_IDLE; trace_vfio_ccw_fsm_io_request(scsw->cmd.fctl, schid, io_region->ret_code, errstr); } diff --git a/drivers/s390/cio/vfio_ccw_ops.c b/drivers/s390/cio/vfio_ccw_ops.c index 1ad5f7018ec2..2280f51dd679 100644 --- a/drivers/s390/cio/vfio_ccw_ops.c +++ b/drivers/s390/cio/vfio_ccw_ops.c @@ -276,8 +276,6 @@ static ssize_t vfio_ccw_mdev_write_io_region(struct vfio_ccw_private *private, }
vfio_ccw_fsm_event(private, VFIO_CCW_EVENT_IO_REQ); - if (region->ret_code != 0) - private->state = VFIO_CCW_STATE_IDLE; ret = (region->ret_code != 0) ? region->ret_code : count;
out_unlock:
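Review bot: In vfio_ccw_mdev_write_io_region() the removed check reset the state to IDLE for any non-zero region->ret_code after the IO_REQ event, while the new assignment in fsm_io_request() only runs when that function reaches err_out. If VFIO_CCW_EVENT_IO_REQ can be dispatched to a handler other than fsm_io_request(), a failing request no longer returns the device to IDLE on that path, and the commit message should say whether that narrowing is intended. It is also worth confirming that every goto err_out in fsm_io_request() leaves io_region->ret_code non-zero, since the reset at the label is unconditional.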
From: Linus Walleij linus.walleij@linaro.org
stable inclusion from stable-v5.10.44 commit 5a61f69da3b8d735b01dddee72fee4671510d907 bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=402 CVE: NA
-------------------------------------------------
commit c8a570443943304cac2e4186dbce6989b6c2b8b5 upstream.
The calculation of how many bytes we stuff into the DSI pipeline for video mode panels is off by three orders of magnitude because we did not account for the fact that the DRM mode clock is in kilohertz rather than hertz.
This used to be: drm_mode_vrefresh(mode) * mode->htotal * mode->vtotal which would become for example for s6e63m0: 60 x 514 x 831 = 25628040 Hz, but mode->clock is 25628 as it is in kHz.
This affects only the Samsung GT-I8190 "Golden" phone right now since it is the only MCDE device with a video mode display.
Curiously some specimens work with this code and wild settings in the EOL and empty packets at the end of the display, but I have noticed an eerie flicker until now. Others were not so lucky and got black screens.
Cc: Ville Syrjälä ville.syrjala@linux.intel.com Reported-by: Stephan Gerhold stephan@gerhold.net Fixes: 920dd1b1425b ("drm/mcde: Use mode->clock instead of reverse calculating it from the vrefresh") Signed-off-by: Linus Walleij linus.walleij@linaro.org Tested-by: Stephan Gerhold stephan@gerhold.net Reviewed-by: Stephan Gerhold stephan@gerhold.net Link: https://patchwork.freedesktop.org/patch/msgid/20210608213318.3897858-1-linus... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Jiaoyu 895515570@qq.com --- drivers/gpu/drm/mcde/mcde_dsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/mcde/mcde_dsi.c b/drivers/gpu/drm/mcde/mcde_dsi.c index b3fd3501c412..5275b2723293 100644 --- a/drivers/gpu/drm/mcde/mcde_dsi.c +++ b/drivers/gpu/drm/mcde/mcde_dsi.c @@ -577,7 +577,7 @@ static void mcde_dsi_setup_video_mode(struct mcde_dsi *d, * porches and sync. */ /* (ps/s) / (pixels/s) = ps/pixels */ - pclk = DIV_ROUND_UP_ULL(1000000000000, mode->clock); + pclk = DIV_ROUND_UP_ULL(1000000000000, (mode->clock * 1000)); dev_dbg(d->dev, "picoseconds between two pixels: %llu\n", pclk);
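Review bot: In mcde_dsi_setup_video_mode(), `mode->clock * 1000` is evaluated in the type of mode->clock before it reaches DIV_ROUND_UP_ULL(), so the multiplication is not guaranteed to be done in 64 bits. The multiplication can be avoided entirely by dividing 1000000000 by mode->clock, which gives the same rounded-up result and drops the extra parentheses. A short comment that mode->clock is in kHz would also keep the unit mistake described in the commit message from coming back.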
From: Anna Schumaker Anna.Schumaker@Netapp.com
stable inclusion from stable-v5.10.44 commit c3b6cf64dfe4ef96e7341508d50d6998da7062c7 bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=449 CVE: NA
-------------------------------------------------
commit 476bdb04c501fc64bf3b8464ffddefc8dbe01577 upstream.
KASAN reports a use-after-free when attempting to mount two different exports through two different NICs that belong to the same server.
Olga was able to hit this with kernels starting somewhere between 5.7 and 5.10, but I traced the patch that introduced the clear_bit() call to 4.13. So something must have changed in the refcounting of the clp pointer to make this call to nfs_put_client() the very last one.
Fixes: 8dcbec6d20 ("NFSv41: Handle EXCHID4_FLAG_CONFIRMED_R during NFSv4.1 migration") Cc: stable@vger.kernel.org # 4.13+ Signed-off-by: Anna Schumaker Anna.Schumaker@Netapp.com Signed-off-by: Trond Myklebust trond.myklebust@hammerspace.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: KK 323291357@qq.com --- fs/nfs/nfs4client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c index be7915c861ce..7491323a5820 100644 --- a/fs/nfs/nfs4client.c +++ b/fs/nfs/nfs4client.c @@ -435,8 +435,8 @@ struct nfs_client *nfs4_init_client(struct nfs_client *clp, */ nfs_mark_client_ready(clp, -EPERM); } - nfs_put_client(clp); clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags); + nfs_put_client(clp); return old;
error:
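Review bot: The fix in nfs4_init_client() depends entirely on clear_bit(NFS_CS_TSM_POSSIBLE, &clp->cl_flags) staying ahead of nfs_put_client(clp), and nothing at the call site says so. A one-line comment above nfs_put_client(clp) stating that it may drop the last reference, and that clp must not be touched afterwards, would keep a later reorder from reintroducing the use-after-free.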
From: Desmond Cheong Zhi Xi desmondcheongzx@gmail.com
stable inclusion from stable-v5.10.44 commit 491d52e0078860b33b6c14f0a7ac74ca1b603bd6 bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=390 CVE: NA
-------------------------------------------------
commit b436acd1cf7fac0ba987abd22955d98025c80c2b upstream.
There is a time-of-check-to-time-of-use error in drm_getunique() due to retrieving file_priv->master prior to locking the device's master mutex.
An example can be seen in the crash report of the use-after-free error found by Syzbot: https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f80...
In the report, the master pointer was used after being freed. This is because another process had acquired the device's master mutex in drm_setmaster_ioctl(), then overwrote fpriv->master in drm_new_set_master(). The old value of fpriv->master was subsequently freed before the mutex was unlocked.
To fix this, we lock the device's master mutex before retrieving the pointer from fpriv->master. This patch passes the Syzbot reproducer test.
Reported-by: syzbot+c3a706cec1ea99e1c693@syzkaller.appspotmail.com Signed-off-by: Desmond Cheong Zhi Xi desmondcheongzx@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch Link: https://patchwork.freedesktop.org/patch/msgid/20210608110436.239583-1-desmon... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Cwj 161434832@qq.com --- drivers/gpu/drm/drm_ioctl.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index 789ee65ac1f5..ae647be4a49f 100644 --- a/drivers/gpu/drm/drm_ioctl.c +++ b/drivers/gpu/drm/drm_ioctl.c @@ -118,17 +118,18 @@ int drm_getunique(struct drm_device *dev, void *data, struct drm_file *file_priv) { struct drm_unique *u = data; - struct drm_master *master = file_priv->master; + struct drm_master *master;
- mutex_lock(&master->dev->master_mutex); + mutex_lock(&dev->master_mutex); + master = file_priv->master; if (u->unique_len >= master->unique_len) { if (copy_to_user(u->unique, master->unique, master->unique_len)) { - mutex_unlock(&master->dev->master_mutex); + mutex_unlock(&dev->master_mutex); return -EFAULT; } } u->unique_len = master->unique_len; - mutex_unlock(&master->dev->master_mutex); + mutex_unlock(&dev->master_mutex);
return 0; }
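Review bot: The locking rule this fix establishes in drm_getunique(), that file_priv->master may only be read with dev->master_mutex held, is not written down anywhere in the hunk. A comment at `master = file_priv->master;`, or a lockdep_assert_held() in a small helper that returns the pointer, would make the rule enforceable. Other readers that load file_priv->master before taking the mutex have the same time-of-check-to-time-of-use window the commit message describes and should be audited in the same series.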
From: Zou Wei zou_wei@huawei.com
stable inclusion from stable-v5.10.44 commit 369f3caa4d74380efdbf614a01de067171fa19a1 bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=381 CVE: NA
-------------------------------------------------
[ Upstream commit e072b2671606c77538d6a4dd5dda80b508cb4816 ]
This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module.
Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Zou Wei zou_wei@huawei.com Link: https://lore.kernel.org/r/1620789145-14936-1-git-send-email-zou_wei@huawei.c... Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: yihanjing 1271728396@qq.com --- sound/soc/codecs/sti-sas.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/sound/soc/codecs/sti-sas.c b/sound/soc/codecs/sti-sas.c index ec9933b054ad..423daac9d5a9 100644 --- a/sound/soc/codecs/sti-sas.c +++ b/sound/soc/codecs/sti-sas.c @@ -411,6 +411,7 @@ static const struct of_device_id sti_sas_dev_match[] = { }, {}, }; +MODULE_DEVICE_TABLE(of, sti_sas_dev_match);
static int sti_sas_driver_probe(struct platform_device *pdev) {
From: Vincent Guittot vincent.guittot@linaro.org
stable inclusion from stable-v5.10.44 commit 4c37b062edae8ad3e1f279ecc084f254bc8161ae bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=394 CVE: NA
-------------------------------------------------
commit 7c7ad626d9a0ff0a36c1e2a3cfbbc6a13828d5eb upstream.
When removing a cfs_rq from the list we only check the _sum value, so we must ensure that _avg and _sum stay synced so load_sum can't be null whereas load_avg is not after propagating load in the cgroup hierarchy.
Use load_avg to compute load_sum similarly to what is done for util_sum and runnable_sum.
Fixes: 0e2d2aaaae52 ("sched/fair: Rewrite PELT migration propagation") Reported-by: Odin Ugedal odin@uged.al Signed-off-by: Vincent Guittot vincent.guittot@linaro.org Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Reviewed-by: Odin Ugedal odin@uged.al Link: https://lkml.kernel.org/r/20210527122916.27683-2-vincent.guittot@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: xx_xiaohang~ 1623836996@qq.com --- kernel/sched/fair.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 1ad0e52487f6..f07a581ded95 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -3501,10 +3501,9 @@ update_tg_cfs_runnable(struct cfs_rq *cfs_rq, struct sched_entity *se, struct cf static inline void update_tg_cfs_load(struct cfs_rq *cfs_rq, struct sched_entity *se, struct cfs_rq *gcfs_rq) { - long delta_avg, running_sum, runnable_sum = gcfs_rq->prop_runnable_sum; + long delta, running_sum, runnable_sum = gcfs_rq->prop_runnable_sum; unsigned long load_avg; u64 load_sum = 0; - s64 delta_sum; u32 divider;
if (!runnable_sum) @@ -3551,13 +3550,13 @@ update_tg_cfs_load(struct cfs_rq *cfs_rq, struct sched_entity *se, struct cfs_rq load_sum = (s64)se_weight(se) * runnable_sum; load_avg = div_s64(load_sum, divider);
- delta_sum = load_sum - (s64)se_weight(se) * se->avg.load_sum; - delta_avg = load_avg - se->avg.load_avg; + delta = load_avg - se->avg.load_avg;
se->avg.load_sum = runnable_sum; se->avg.load_avg = load_avg; - add_positive(&cfs_rq->avg.load_avg, delta_avg); - add_positive(&cfs_rq->avg.load_sum, delta_sum); + + add_positive(&cfs_rq->avg.load_avg, delta); + cfs_rq->avg.load_sum = cfs_rq->avg.load_avg * divider; }
static inline void add_tg_cfs_propagate(struct cfs_rq *cfs_rq, long runnable_sum)
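Review bot: In update_tg_cfs_load() the new line `cfs_rq->avg.load_sum = cfs_rq->avg.load_avg * divider;` multiplies before the store. If cfs_rq->avg.load_avg is an unsigned long like the local load_avg, the product with the u32 divider is computed in unsigned long and can wrap on 32-bit builds before it is widened; confirm the value range or cast one operand to u64 first.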
From: Maciej Żenczykowski maze@google.com
stable inclusion from stable-v5.10.44 commit 0ff5f83ae147e63c297e0a5515c9c271b7448f6f bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=359 CVE: NA
-------------------------------------------------
commit 1958ff5ad2d4908b44a72bcf564dfe67c981e7fe upstream.
The reasoning for this change is that if we already had a packet pending, then we also already had a pending timer, and as such there is no need to reschedule it.
This also prevents packets getting delayed 60 ms worst case under a tiny packet every 290us transmit load, by keeping the timeout always relative to the first queued up packet. (300us delay * 16KB max aggregation / 80 byte packet =~ 60 ms)
As such the first packet is now at most delayed by 300us.
Under low transmit load, this will simply result in us sending a shorter aggregate, as originally intended.
This patch has the benefit of greatly reducing (by ~10 factor with 1500 byte frames aggregated into 16 kiB) the number of (potentially pretty costly) updates to the hrtimer.
Cc: Brooke Basile brookebasile@gmail.com Cc: Bryan O'Donoghue bryan.odonoghue@linaro.org Cc: Felipe Balbi balbi@kernel.org Cc: Lorenzo Colitti lorenzo@google.com Signed-off-by: Maciej Żenczykowski maze@google.com Link: https://lore.kernel.org/r/20210608085438.813960-1-zenczykowski@gmail.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: YinXiaoHan yinxiaohan123321@163.com --- drivers/usb/gadget/function/f_ncm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c index 019bea8e09cc..5a3dcedb75d1 100644 --- a/drivers/usb/gadget/function/f_ncm.c +++ b/drivers/usb/gadget/function/f_ncm.c @@ -1101,11 +1101,11 @@ static struct sk_buff *ncm_wrap_ntb(struct gether *port, ncm->ndp_dgram_count = 1;
/* Note: we skip opts->next_ndp_index */ - }
- /* Delay the timer. */ - hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS, - HRTIMER_MODE_REL_SOFT); + /* Start the timer. */ + hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS, + HRTIMER_MODE_REL_SOFT); + }
/* Add the datagram position entries */ ntb_ndp = skb_put_zero(ncm->skb_tx_ndp, dgram_idx_len);
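Review bot: Moving hrtimer_start() inside the first-packet block of ncm_wrap_ntb() makes correctness depend on the invariant stated in the commit message, that a pending packet always has a pending timer. The new comment `/* Start the timer. */` does not record that. Say there that the timer is armed only for the first datagram of an aggregate and stays relative to it, and check that every path which cancels or consumes task_timer also flushes the pending aggregate, otherwise queued data would wait with nothing left to send it.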
From: Wolfram Sang wsa+renesas@sang-engineering.com
stable inclusion from stable-v5.10.44 commit 67aca230caf346ddf608ee69469777cd52929493 bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=408 CVE: NA
-------------------------------------------------
commit 2c9017d0b5d3fbf17e69577a42d9e610ca122810 upstream.
We have to bring the eMMC from sending-data state back to transfer state once we detected a CRC error (timeout) during tuning. So, send a stop command via mmc_abort_tuning().
Fixes: 4f11997773b6 ("mmc: tmio: Add tuning support") Reported-by Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Signed-off-by: Wolfram Sang wsa+renesas@sang-engineering.com Reviewed-by: Niklas Söderlund niklas.soderlund+renesas@ragnatech.se Reviewed-by: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Tested-by: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Link: https://lore.kernel.org/r/20210602073435.5955-1-wsa+renesas@sang-engineering... Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: WangQiQin wangqiqin111@163.com --- drivers/mmc/host/renesas_sdhi_core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/renesas_sdhi_core.c b/drivers/mmc/host/renesas_sdhi_core.c index acb9c81a4e45..666c824715e1 100644 --- a/drivers/mmc/host/renesas_sdhi_core.c +++ b/drivers/mmc/host/renesas_sdhi_core.c @@ -660,14 +660,19 @@ static int renesas_sdhi_execute_tuning(struct mmc_host *mmc, u32 opcode)
/* Issue CMD19 twice for each tap */ for (i = 0; i < 2 * priv->tap_num; i++) { + int cmd_error; + /* Set sampling clock position */ sd_scc_write32(host, priv, SH_MOBILE_SDHI_SCC_TAPSET, i % priv->tap_num);
- if (mmc_send_tuning(mmc, opcode, NULL) == 0) + if (mmc_send_tuning(mmc, opcode, &cmd_error) == 0) set_bit(i, priv->taps);
if (sd_scc_read32(host, priv, SH_MOBILE_SDHI_SCC_SMPCMP) == 0) set_bit(i, priv->smpcmp); + + if (cmd_error) + mmc_abort_tuning(mmc, opcode); }
ret = renesas_sdhi_select_tuning(host);
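Review bot: In renesas_sdhi_execute_tuning(), `int cmd_error;` is declared without an initialiser and then read by `if (cmd_error)`. If mmc_send_tuning() returns on a path that does not store through its third argument, this reads an indeterminate value and may call mmc_abort_tuning() spuriously; declare it as `int cmd_error = 0;`.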
From: Alexander Kuznetsov wwfq@yandex-team.ru
stable inclusion from stable-v5.10.44 commit 74d3b20b1b206a76f2cbccc5e09106adf6b5775c bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=415 CVE: NA
-------------------------------------------------
commit b7e24eb1caa5f8da20d405d262dba67943aedc42 upstream.
cgroup_mkdir() has a restriction on newline usage in names:
    $ mkdir $'/sys/fs/cgroup/cpu/test\ntest2'
    mkdir: cannot create directory '/sys/fs/cgroup/cpu/test\ntest2': Invalid argument

But in cgroup1_rename() such a check is missing. This allows us to make /proc/<pid>/cgroup unparsable:
    $ mkdir /sys/fs/cgroup/cpu/test
    $ mv /sys/fs/cgroup/cpu/test $'/sys/fs/cgroup/cpu/test\ntest2'
    $ echo $$ > $'/sys/fs/cgroup/cpu/test\ntest2'
    $ cat /proc/self/cgroup
    11:pids:/
    10:freezer:/
    9:hugetlb:/
    8:cpuset:/
    7:blkio:/user.slice
    6:memory:/user.slice
    5:net_cls,net_prio:/
    4:perf_event:/
    3:devices:/user.slice
    2:cpu,cpuacct:/test
    test2
    1:name=systemd:/
    0::/
Signed-off-by: Alexander Kuznetsov wwfq@yandex-team.ru Reported-by: Andrey Krasichkov buglloc@yandex-team.ru Acked-by: Dmitry Yakunin zeil@yandex-team.ru Cc: stable@vger.kernel.org Signed-off-by: Tejun Heo tj@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: yinzixiang yinzixiang1231@163.com --- kernel/cgroup/cgroup-v1.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c index ffa14a4131ba..c7bd9d634e8e 100644 --- a/kernel/cgroup/cgroup-v1.c +++ b/kernel/cgroup/cgroup-v1.c @@ -824,6 +824,10 @@ static int cgroup1_rename(struct kernfs_node *kn, struct kernfs_node *new_parent struct cgroup *cgrp = kn->priv; int ret;
+ /* do not accept '\n' to prevent making /proc/<pid>/cgroup unparsable */ + if (strchr(new_name_str, '\n')) + return -EINVAL; + if (kernfs_type(kn) != KERNFS_DIR) return -ENOTDIR; if (kn->parent != new_parent)
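A userspace consumer of /proc/<pid>/cgroup can detect the condition shown in the commit message above instead of crashing on it or silently misreading it. The following Python is an added example, not part of the patch or of any kernel tool; the function names are hypothetical, and the sample text is the output quoted in the commit message.

```python
import re

# One record per line: hierarchy-ID:controller-list:cgroup-path (cgroups(7)).
RECORD = re.compile(r"(\d+):([^:]*):(/.*)")

# /proc/self/cgroup content quoted in the commit message (kernel without the fix).
SAMPLE_UNFIXED = (
    "11:pids:/\n10:freezer:/\n9:hugetlb:/\n8:cpuset:/\n"
    "7:blkio:/user.slice\n6:memory:/user.slice\n5:net_cls,net_prio:/\n"
    "4:perf_event:/\n3:devices:/user.slice\n"
    "2:cpu,cpuacct:/test\ntest2\n"
    "1:name=systemd:/\n0::/\n"
)


def parse_naive(text):
    """Line-oriented parser that trusts the format; shown for contrast."""
    table = {}
    for line in text.splitlines():
        hid, controllers, path = line.split(":", 2)  # ValueError on "test2"
        table[int(hid)] = (controllers, path)
    return table


def parse_strict(text):
    """Parse without trusting the input.

    Returns (records, problems, tainted):
      records  - {hierarchy_id: (controller_list, path)} for well-formed lines
      problems - [(line_number, reason, raw_line)]
      tainted  - hierarchy IDs whose record was followed by a malformed line,
                 meaning the path may be only the first part of a name that
                 contains a newline
    """
    records, problems, tainted = {}, [], set()
    # Split on "\n" only: str.splitlines() also breaks on "\r", "\x0b" and
    # others, which the kernel does not use as record separators.
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    prev_hid = None
    for lineno, line in enumerate(lines, 1):
        m = RECORD.fullmatch(line)
        if m is None:
            problems.append((lineno, "malformed record", line))
            if prev_hid is not None:
                tainted.add(prev_hid)
            continue
        hid = int(m.group(1))
        if hid in records:
            problems.append((lineno, "duplicate hierarchy ID", line))
            continue
        controllers = m.group(2).split(",") if m.group(2) else []
        records[hid] = (controllers, m.group(3))
        prev_hid = hid
    return records, problems, tainted


def trusted_path(text, controller):
    """Path for `controller`, or None if the file cannot be trusted for it."""
    records, _problems, tainted = parse_strict(text)
    for hid, (controllers, path) in records.items():
        if controller in controllers:
            return None if hid in tainted else path
    return None


if __name__ == "__main__":
    records, problems, tainted = parse_strict(SAMPLE_UNFIXED)
    for lineno, reason, raw in problems:
        print(f"line {lineno}: {reason}: {raw!r}")
    print("hierarchies with possibly truncated paths:", sorted(tainted))
    print("cpu path:", trusted_path(SAMPLE_UNFIXED, "cpu"))
    print("memory path:", trusted_path(SAMPLE_UNFIXED, "memory"))
```

The strict parser refuses to return a path for the cpu hierarchy on the unfixed sample, while unaffected hierarchies such as memory are still reported.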
From: Eric Farman farman@linux.ibm.com
stable inclusion from stable-v5.10.44 commit 01905f3232fdc0737de5c38e9d817f87a06a1a6d bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=349 CVE: NA
-------------------------------------------------
[ Upstream commit 2af7a834a435460d546f0cf0a8b8e4d259f1d910 ]
Today, the stacked call to vfio_ccw_sch_io_todo() does three things:
1) Update a solicited IRB with CP information, and release the CP if the interrupt was the end of a START operation.
2) Copy the IRB data into the io_region, under the protection of the io_mutex
3) Reset the vfio-ccw FSM state to IDLE to acknowledge that vfio-ccw can accept more work.
The trouble is that step 3 is (A) invoked for both solicited and unsolicited interrupts, and (B) sitting after the mutex for step 2. This second piece becomes a problem if it processes an interrupt for a CLEAR SUBCHANNEL while another thread initiates a START, thus allowing the CP and FSM states to get out of sync. That is:
    CPU 1                           CPU 2
    fsm_do_clear()
    fsm_irq()
                                    fsm_io_request()
    vfio_ccw_sch_io_todo()
                                    fsm_io_helper()
Since the FSM state and CP should be kept in sync, let's make a note when the CP is released, and rely on that as an indication that the FSM should also be reset at the end of this routine and open up the device for more work.
Signed-off-by: Eric Farman farman@linux.ibm.com Acked-by: Matthew Rosato mjrosato@linux.ibm.com Reviewed-by: Cornelia Huck cohuck@redhat.com Message-Id: 20210511195631.3995081-4-farman@linux.ibm.com Signed-off-by: Cornelia Huck cohuck@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: yilianxueer yilianxueerl@163.com --- drivers/s390/cio/vfio_ccw_drv.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c index 8c625b530035..9b61e9b131ad 100644 --- a/drivers/s390/cio/vfio_ccw_drv.c +++ b/drivers/s390/cio/vfio_ccw_drv.c @@ -86,6 +86,7 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work) struct vfio_ccw_private *private; struct irb *irb; bool is_final; + bool cp_is_finished = false;
private = container_of(work, struct vfio_ccw_private, io_work); irb = &private->irb; @@ -94,14 +95,21 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work) (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT)); if (scsw_is_solicited(&irb->scsw)) { cp_update_scsw(&private->cp, &irb->scsw); - if (is_final && private->state == VFIO_CCW_STATE_CP_PENDING) + if (is_final && private->state == VFIO_CCW_STATE_CP_PENDING) { cp_free(&private->cp); + cp_is_finished = true; + } } mutex_lock(&private->io_mutex); memcpy(private->io_region->irb_area, irb, sizeof(*irb)); mutex_unlock(&private->io_mutex);
- if (private->mdev && is_final) + /* + * Reset to IDLE only if processing of a channel program + * has finished. Do not overwrite a possible processing + * state if the final interrupt was for HSCH or CSCH. + */ + if (private->mdev && cp_is_finished) private->state = VFIO_CCW_STATE_IDLE;
if (private->io_trigger)
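Review bot: In vfio_ccw_sch_io_todo(), both the test `private->state == VFIO_CCW_STATE_CP_PENDING` and the later store `private->state = VFIO_CCW_STATE_IDLE` still sit outside the io_mutex section, which only covers the memcpy() into irb_area. cp_is_finished narrows when the reset happens, but the read and the write of private->state remain unsynchronised with the second CPU in the commit message's diagram. Either document what serialises them or move the reset under the lock.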
From: Johannes Berg johannes.berg@intel.com
stable inclusion from stable-v5.10.44 commit 1d6d43d4805da9b3fa0f5841e8b1083c89868f35 bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=369 CVE: NA
-------------------------------------------------
[ Upstream commit 1d482e666b8e74c7555dbdfbfb77205eeed3ff2d ]
Syzbot reports that in mac80211 we have a potential deadlock between our "local->stop_queue_reasons_lock" (spinlock) and netlink's nl_table_lock (rwlock). This is because there's at least one situation in which we might try to send a netlink message with this spinlock held while it is also possible to take the spinlock from a hardirq context, resulting in the following deadlock scenario reported by lockdep:
       CPU0                    CPU1
       ----                    ----
  lock(nl_table_lock);
                               local_irq_disable();
                               lock(&local->queue_stop_reason_lock);
                               lock(nl_table_lock);
  <Interrupt>
    lock(&local->queue_stop_reason_lock);
This seems valid, we can take the queue_stop_reason_lock in any kind of context ("CPU0"), and call ieee80211_report_ack_skb() with the spinlock held and IRQs disabled ("CPU1") in some code path (ieee80211_do_stop() via ieee80211_free_txskb()).
Short of disallowing netlink use in scenarios like these (which would be rather complex in mac80211's case due to the deep callchain), it seems the only fix for this is to disable IRQs while nl_table_lock is held to avoid hitting this scenario, this disallows the "CPU0" portion of the reported deadlock.
Note that the writer side (netlink_table_grab()) already disables IRQs for this lock.
Unfortunately though, this seems like a huge hammer, and maybe the whole netlink table locking should be reworked.
Reported-by: syzbot+69ff9dff50dcfe14ddd4@syzkaller.appspotmail.com Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yuan yi Qi yuanyi_qh@163.com --- net/netlink/af_netlink.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index daca50d6bb12..e527f5686e2b 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -453,11 +453,13 @@ void netlink_table_ungrab(void) static inline void netlink_lock_table(void) { + unsigned long flags; + /* read_lock() synchronizes us to netlink_table_grab */
- read_lock(&nl_table_lock); + read_lock_irqsave(&nl_table_lock, flags); atomic_inc(&nl_table_users); - read_unlock(&nl_table_lock); + read_unlock_irqrestore(&nl_table_lock, flags); }
static inline void
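Review bot: In netlink_lock_table() the retained comment `/* read_lock() synchronizes us to netlink_table_grab */` no longer explains the code, because the point of the change is that interrupts are disabled while nl_table_lock is read-held. Extend the comment to say why the irqsave variant is required (a lock that is also taken in hardirq context can be held while this one is acquired), so the call is not simplified back to read_lock() later. Any other read_lock(&nl_table_lock) user outside this helper needs the same treatment for the lockdep scenario to be closed.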
From: Jerome Brunet jbrunet@baylibre.com
stable inclusion from stable-v5.10.44 commit 62d891861f83ac12e1b00b304211faf3d1e24857 bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=407 CVE: NA
-------------------------------------------------
commit d031d99b02eaf7363c33f5b27b38086cc8104082 upstream.
There is a fair amount of warnings when running 'make dtbs_check' with amlogic,gx-sound-card.yaml.
Ex:
    arch/arm64/boot/dts/amlogic/meson-gxm-q200.dt.yaml: sound: dai-link-0:sound-dai:0:1: missing phandle tag in 0
    arch/arm64/boot/dts/amlogic/meson-gxm-q200.dt.yaml: sound: dai-link-0:sound-dai:0:2: missing phandle tag in 0
    arch/arm64/boot/dts/amlogic/meson-gxm-q200.dt.yaml: sound: dai-link-0:sound-dai:0: [66, 0, 0] is too long
The reason is that the sound-dai phandle provided has cells, and in such case the schema should use 'phandle-array' instead of 'phandle'.
Fixes: fd00366b8e41 ("ASoC: meson: gx: add sound card dt-binding documentation") Signed-off-by: Jerome Brunet jbrunet@baylibre.com Link: https://lore.kernel.org/r/20210524093448.357140-1-jbrunet@baylibre.com Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: yxh yxh_yuanqi@163.com --- .../devicetree/bindings/sound/amlogic,gx-sound-card.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml b/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml index db61f0731a20..2e35aeaa8781 100644 --- a/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml +++ b/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml @@ -57,7 +57,7 @@ patternProperties: rate
sound-dai: - $ref: /schemas/types.yaml#/definitions/phandle + $ref: /schemas/types.yaml#/definitions/phandle-array description: phandle of the CPU DAI
patternProperties: @@ -71,7 +71,7 @@ patternProperties:
properties: sound-dai: - $ref: /schemas/types.yaml#/definitions/phandle + $ref: /schemas/types.yaml#/definitions/phandle-array description: phandle of the codec DAI
required:
From: Zhen Lei thunder.leizhen@huawei.com
stable inclusion from stable-v5.10.44 commit c9cb5837e92ee3052e0e46e3cd1eb1f7a903411d bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=451 CVE: NA
-------------------------------------------------
commit e8ba0b2b64126381643bb50df3556b139a60545a upstream.
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function.
Link: https://lkml.kernel.org/r/20210508034216.2277-1-thunder.leizhen@huawei.com
Fixes: a995e6bc0524 ("tools/bootconfig: Fix to check the write failure correctly") Reported-by: Hulk Robot hulkci@huawei.com Acked-by: Masami Hiramatsu mhiramat@kernel.org Signed-off-by: Zhen Lei thunder.leizhen@huawei.com Signed-off-by: Steven Rostedt (VMware) rostedt@goodmis.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Xiao zju_xhy@163.com --- tools/bootconfig/main.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c index 7362bef1a368..6cd6080cac04 100644 --- a/tools/bootconfig/main.c +++ b/tools/bootconfig/main.c @@ -399,6 +399,7 @@ static int apply_xbc(const char *path, const char *xbc_path) } /* TODO: Ensure the @path is initramfs/initrd image */ if (fstat(fd, &stat) < 0) { + ret = -errno; pr_err("Failed to get the size of %s\n", path); goto out; }
From: Jeremy Szu jeremy.szu@canonical.com
stable inclusion
from stable-v5.10.44
commit d62d55f3941b99a88384ce764f70bc5865d42c06
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=458
CVE: NA
-------------------------------------------------
commit dfb06401b4cdfc71e2fc3e19b877ab845cc9f7f7 upstream.
The HP EliteBook 840 Aero G8 uses the ALC285 codec, which uses 0x04 to control the mute LED and 0x01 to control the micmute LED. On the other hand, there is no output from the right channel of the speaker. Therefore, add a quirk to make it work.
Signed-off-by: Jeremy Szu jeremy.szu@canonical.com
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210605082539.41797-3-jeremy.szu@canonical.com
Signed-off-by: Takashi Iwai tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: feifei zju_feifei@163.com
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index cc13a68197f3..f0317ba97cba 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -8314,6 +8314,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x87f7, "HP Spectre x360 14", ALC245_FIXUP_HP_X360_AMP), SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
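Review bot: the commit message names two symptoms (mute/micmute LED control on 0x04/0x01 and no output from the right speaker channel), but the new 0x103c:0x884b row uses ALC285_FIXUP_HP_GPIO_LED, the same LED fixup as the 850 G8 and 840 G8 rows around it. State in the message how this fixup restores the right channel, or whether a separate change is expected for it. The row itself is placed in subsystem-ID order between 0x8846 and 0x884c, which matches the table.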
From: Saravana Kannan saravanak@google.com
stable inclusion
from stable-v5.10.44
commit 01905f3232fdc0737de5c38e9d817f87a06a1a6d
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=347
CVE: NA
-------------------------------------------------
[ Upstream commit c7299fea67696db5bd09d924d1f1080d894f92ef ]
When an SPI device is unregistered, the spi->controller->cleanup() is called in the device's release callback. That's wrong for a couple of reasons:
1. spi_dev_put() can be called before spi_add_device() is called. And it's spi_add_device() that calls spi_setup(). This will cause clean() to get called without the spi device ever being set up.
2. There's no guarantee that the controller's driver would be present by the time the spi device's release function gets called.
3. It also causes "sleeping in atomic context" stack dump[1] when device link deletion code does a put_device() on the spi device.
Fix these issues by simply moving the cleanup from the device release callback to the actual spi_unregister_device() function.
[1] - https://lore.kernel.org/lkml/CAHp75Vc=FCGcUyS0v6fnxme2YJ+qD+Y-hQDQLa2JhWNON9...
Signed-off-by: Saravana Kannan saravanak@google.com
Link: https://lore.kernel.org/r/20210426235638.1285530-1-saravanak@google.com
Signed-off-by: Mark Brown broonie@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Yu Hua Xiao xiaoyuhua2332@163.com
---
drivers/spi/spi.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 5e11a29a91a0..b1d452f5a02a 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -47,10 +47,6 @@ static void spidev_release(struct device *dev) { struct spi_device *spi = to_spi_device(dev);
- /* spi controllers may cleanup for released devices */ - if (spi->controller->cleanup) - spi->controller->cleanup(spi); - spi_controller_put(spi->controller); kfree(spi->driver_override); kfree(spi); @@ -550,6 +546,12 @@ static int spi_dev_check(struct device *dev, void *data) return 0; }
+static void spi_cleanup(struct spi_device *spi) +{ + if (spi->controller->cleanup) + spi->controller->cleanup(spi); +} + /** * spi_add_device - Add spi_device allocated with spi_alloc_device * @spi: spi_device to register @@ -614,11 +616,13 @@ int spi_add_device(struct spi_device *spi)
/* Device may be bound to an active driver when this returns */ status = device_add(&spi->dev); - if (status < 0) + if (status < 0) { dev_err(dev, "can't add %s, status %d\n", dev_name(&spi->dev), status); - else + spi_cleanup(spi); + } else { dev_dbg(dev, "registered child %s\n", dev_name(&spi->dev)); + }
done: mutex_unlock(&spi_add_lock); @@ -705,6 +709,8 @@ void spi_unregister_device(struct spi_device *spi) if (!spi) return;
+ spi_cleanup(spi); + if (spi->dev.of_node) { of_node_clear_flag(spi->dev.of_node, OF_POPULATED); of_node_put(spi->dev.of_node);
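Review bot: in spi_unregister_device() the new spi_cleanup(spi) call sits directly after the NULL check, ahead of everything else the function does, so controller->cleanup() runs while the device is still registered and a driver bound to it may still be active. Move the call to after the device has been removed from the bus, or document why cleaning up first is safe. The new spi_cleanup() helper would also benefit from a one-line comment on when it may be called, since it is now reached from both the device_add() failure path and unregister.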
From: Li Jun jun.li@nxp.com
stable inclusion
from stable-v5.10.44
commit 18eaf0de50eadeeb395b83310b259b21ad8ed0a6
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=365
CVE: NA
-------------------------------------------------
commit 3a13ff7ef4349d70d1d18378d661117dd5af8efe upstream.
A pending hrtimer may expire after the kthread_worker of the tcpm port is destroyed; see the kernel dump below, taken when doing a module unload. Fix it by cancelling the 2 hrtimers.
[ 111.517018] Unable to handle kernel paging request at virtual address ffff8000118cb880
[ 111.518786] blk_update_request: I/O error, dev sda, sector 60061185 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
[ 111.526594] Mem abort info:
[ 111.526597] ESR = 0x96000047
[ 111.526600] EC = 0x25: DABT (current EL), IL = 32 bits
[ 111.526604] SET = 0, FnV = 0
[ 111.526607] EA = 0, S1PTW = 0
[ 111.526610] Data abort info:
[ 111.526612] ISV = 0, ISS = 0x00000047
[ 111.526615] CM = 0, WnR = 1
[ 111.526619] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041d75000
[ 111.526623] [ffff8000118cb880] pgd=10000001bffff003, p4d=10000001bffff003, pud=10000001bfffe003, pmd=10000001bfffa003, pte=0000000000000000
[ 111.526642] Internal error: Oops: 96000047 [#1] PREEMPT SMP
[ 111.526647] Modules linked in: dwc3_imx8mp dwc3 phy_fsl_imx8mq_usb [last unloaded: tcpci]
[ 111.526663] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc4-00927-gebbe9dbd802c-dirty #36
[ 111.526670] Hardware name: NXP i.MX8MPlus EVK board (DT)
[ 111.526674] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO BTYPE=--)
[ 111.526681] pc : queued_spin_lock_slowpath+0x1a0/0x390
[ 111.526695] lr : _raw_spin_lock_irqsave+0x88/0xb4
[ 111.526703] sp : ffff800010003e20
[ 111.526706] x29: ffff800010003e20 x28: ffff00017f380180
[ 111.537156] buffer_io_error: 6 callbacks suppressed
[ 111.537162] Buffer I/O error on dev sda1, logical block 60040704, async page read
[ 111.539932] x27: ffff00017f3801c0
[ 111.539938] x26: ffff800010ba2490 x25: 0000000000000000 x24: 0000000000000001
[ 111.543025] blk_update_request: I/O error, dev sda, sector 60061186 op 0x0:(READ) flags 0x0 phys_seg 7 prio class 0
[ 111.548304]
[ 111.548306] x23: 00000000000000c0 x22: ffff0000c2a9f184 x21: ffff00017f380180
[ 111.551374] Buffer I/O error on dev sda1, logical block 60040705, async page read
[ 111.554499]
[ 111.554503] x20: ffff0000c5f14210 x19: 00000000000000c0 x18: 0000000000000000
[ 111.557391] Buffer I/O error on dev sda1, logical block 60040706, async page read
[ 111.561218]
[ 111.561222] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 111.564205] Buffer I/O error on dev sda1, logical block 60040707, async page read
[ 111.570887] x14: 00000000000000f5 x13: 0000000000000001 x12: 0000000000000040
[ 111.570902] x11: ffff0000c05ac6d8
[ 111.583420] Buffer I/O error on dev sda1, logical block 60040708, async page read
[ 111.588978] x10: 0000000000000000 x9 : 0000000000040000
[ 111.588988] x8 : 0000000000000000
[ 111.597173] Buffer I/O error on dev sda1, logical block 60040709, async page read
[ 111.605766] x7 : ffff00017f384880 x6 : ffff8000118cb880
[ 111.605777] x5 : ffff00017f384880
[ 111.611094] Buffer I/O error on dev sda1, logical block 60040710, async page read
[ 111.617086] x4 : 0000000000000000 x3 : ffff0000c2a9f184
[ 111.617096] x2 : ffff8000118cb880
[ 111.622242] Buffer I/O error on dev sda1, logical block 60040711, async page read
[ 111.626927] x1 : ffff8000118cb880 x0 : ffff00017f384888
[ 111.626938] Call trace:
[ 111.626942] queued_spin_lock_slowpath+0x1a0/0x390
[ 111.795809] kthread_queue_work+0x30/0xc0
[ 111.799828] state_machine_timer_handler+0x20/0x30
[ 111.804624] __hrtimer_run_queues+0x140/0x1e0
[ 111.808990] hrtimer_interrupt+0xec/0x2c0
[ 111.813004] arch_timer_handler_phys+0x38/0x50
[ 111.817456] handle_percpu_devid_irq+0x88/0x150
[ 111.821991] __handle_domain_irq+0x80/0xe0
[ 111.826093] gic_handle_irq+0xc0/0x140
[ 111.829848] el1_irq+0xbc/0x154
[ 111.832991] arch_cpu_idle+0x1c/0x2c
[ 111.836572] default_idle_call+0x24/0x6c
[ 111.840497] do_idle+0x238/0x2ac
[ 111.843729] cpu_startup_entry+0x2c/0x70
[ 111.847657] rest_init+0xdc/0xec
[ 111.850890] arch_call_rest_init+0x14/0x20
[ 111.854988] start_kernel+0x508/0x540
[ 111.858659] Code: 910020e0 8b0200c2 f861d884 aa0203e1 (f8246827)
[ 111.864760] ---[ end trace 308b9a4a3dcb73ac ]---
[ 111.869381] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[ 111.876258] SMP: stopping secondary CPUs
[ 111.880185] Kernel Offset: disabled
[ 111.883673] CPU features: 0x00001001,20000846
[ 111.888031] Memory Limit: none
[ 111.891090] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
Fixes: 3ed8e1c2ac99 ("usb: typec: tcpm: Migrate workqueue to RT priority for processing events")
Cc: stable stable@vger.kernel.org
Reviewed-by: Guenter Roeck linux@roeck-us.net
Signed-off-by: Li Jun jun.li@nxp.com
Link: https://lore.kernel.org/r/1622627829-11070-1-git-send-email-jun.li@nxp.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: ouyangxuexu ouyangxuexu@163.com
---
drivers/usb/typec/tcpm/tcpm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c index bdbd346dc59f..4395220a97dc 100644 --- a/drivers/usb/typec/tcpm/tcpm.c +++ b/drivers/usb/typec/tcpm/tcpm.c @@ -5187,6 +5187,9 @@ void tcpm_unregister_port(struct tcpm_port *port) { int i;
+ hrtimer_cancel(&port->vdm_state_machine_timer); + hrtimer_cancel(&port->state_machine_timer); + tcpm_reset_port(port); for (i = 0; i < ARRAY_SIZE(port->port_altmode); i++) typec_unregister_altmode(port->port_altmode[i]);
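Review bot: the two hrtimer_cancel() calls run before tcpm_reset_port(port) and the altmode unregistration, and nothing in this hunk prevents either timer from being started again after that point. If the reset path or work still queued on the port can re-arm vdm_state_machine_timer or state_machine_timer, the expiry-after-teardown shown in the commit message's trace (state_machine_timer_handler calling kthread_queue_work) can recur. Either cancel after the last place that can arm the timers, or add a flag that is checked before arming.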
From: Wesley Cheng wcheng@codeaurora.org
stable inclusion
from stable-v5.10.44
commit 9e0677c2e39052ac20efae4474bb20614d9a88c9
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=431
CVE: NA
-------------------------------------------------
commit 8212937305f84ef73ea81036dafb80c557583d4b upstream.
Current sequence utilizes dwc3_gadget_disable_irq() alongside synchronize_irq() to ensure that no further DWC3 events are generated. However, the dwc3_gadget_disable_irq() API only disables device specific events. Endpoint events can still be generated. Briefly disable the interrupt line, so that the cleanup code can run to prevent device and endpoint events. (i.e. __dwc3_gadget_stop() and dwc3_stop_active_transfers() respectively)
Without doing so, it can lead to both the interrupt handler and the pullup disable routine writing to the GEVNTCOUNT register, which will cause an incorrect count to be read from future interrupts.
Fixes: ae7e86108b12 ("usb: dwc3: Stop active transfers before halting the controller")
Signed-off-by: Wesley Cheng wcheng@codeaurora.org
Link: https://lore.kernel.org/r/1621571037-1424-1-git-send-email-wcheng@codeaurora...
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Hu Tao huijiao_love@163.com
---
drivers/usb/dwc3/gadget.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index ead877e7c87f..ab704bfdc2eb 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -2143,13 +2143,10 @@ static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on) }
/* - * Synchronize any pending event handling before executing the controller - * halt routine. + * Synchronize and disable any further event handling while controller + * is being enabled/disabled. */ - if (!is_on) { - dwc3_gadget_disable_irq(dwc); - synchronize_irq(dwc->irq_gadget); - } + disable_irq(dwc->irq_gadget);
spin_lock_irqsave(&dwc->lock, flags);
@@ -2187,6 +2184,8 @@ static int dwc3_gadget_pullup(struct usb_gadget *g, int is_on)
ret = dwc3_gadget_run_stop(dwc, is_on, false); spin_unlock_irqrestore(&dwc->lock, flags); + enable_irq(dwc->irq_gadget); + pm_runtime_put(dwc->dev);
return ret;
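Review bot: disable_irq(dwc->irq_gadget) is now unconditional, while the matching enable_irq() is added only on the final path after dwc3_gadget_run_stop(). Any return between the two hunks that does not pass through that line would leave the gadget interrupt disabled, so check every exit in that range or route them through a common label that re-enables it. The subject says "during pullup disable", but with the `if (!is_on)` guard removed the IRQ is also masked when enabling; the new comment says so and the subject should match.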
From: Andy Shevchenko andy.shevchenko@gmail.com
stable inclusion
from stable-v5.10.44
commit 6900ef1b1095e2ffa6538895017a5408e4706e34
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=410
CVE: NA
-------------------------------------------------
commit 1a85b350a7741776a406005b943e3dec02c424ed upstream.
device_get_next_child_node() bumps the reference count of the returned variable. We have to balance it whenever we return to the caller.
Fixes: 6701adfa9693 ("usb: typec: driver for Intel PMC mux control")
Cc: Heikki Krogerus heikki.krogerus@linux.intel.com
Reviewed-by: Heikki Krogerus heikki.krogerus@linux.intel.com
Signed-off-by: Andy Shevchenko andy.shevchenko@gmail.com
Cc: stable stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210607205007.71458-1-andy.shevchenko@gmail.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Yuan Yao yaoyuan_1999_1@163.com
---
drivers/usb/typec/mux/intel_pmc_mux.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/typec/mux/intel_pmc_mux.c b/drivers/usb/typec/mux/intel_pmc_mux.c index 17896bd87fc3..f6eaa7e30d54 100644 --- a/drivers/usb/typec/mux/intel_pmc_mux.c +++ b/drivers/usb/typec/mux/intel_pmc_mux.c @@ -623,8 +623,10 @@ static int pmc_usb_probe(struct platform_device *pdev) break;
ret = pmc_usb_register_port(pmc, i, fwnode); - if (ret) + if (ret) { + fwnode_handle_put(fwnode); goto err_remove_ports; + } }
platform_set_drvdata(pdev, pmc);
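Review bot: the fwnode_handle_put(fwnode) added on the pmc_usb_register_port() failure path carries no comment, and it is not obvious from the loop why a put is needed here but not on normal iteration. A short comment saying that the iterator releases the previous child on the next device_get_next_child_node() call, so only an early exit from the loop has to drop the reference by hand, would keep a later edit from removing it or adding a second put.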
From: Trond Myklebust trond.myklebust@hammerspace.com
stable inclusion
from stable-v5.10.44
commit d973bd0d6e7f9b4ea976cc619e8d6e0d235b9056
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=462
CVE: NA
-------------------------------------------------
commit c3aba897c6e67fa464ec02b1f17911577d619713 upstream.
If the inode is being evicted but has to return a layout first, then that too can cause a deadlock in the corner case where the server reboots.
Signed-off-by: Trond Myklebust trond.myklebust@hammerspace.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Hang haihangyiyuan@163.com
---
fs/nfs/nfs4proc.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index c92d6ff0fcea..eedcbe6832fb 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -9619,15 +9619,20 @@ int nfs4_proc_layoutreturn(struct nfs4_layoutreturn *lrp, bool sync) &task_setup_data.rpc_client, &msg);
dprintk("--> %s\n", __func__); + lrp->inode = nfs_igrab_and_active(lrp->args.inode); if (!sync) { - lrp->inode = nfs_igrab_and_active(lrp->args.inode); if (!lrp->inode) { nfs4_layoutreturn_release(lrp); return -EAGAIN; } task_setup_data.flags |= RPC_TASK_ASYNC; } - nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1, 0); + if (!lrp->inode) + nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1, + 1); + else + nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1, + 0); task = rpc_run_task(&task_setup_data); if (IS_ERR(task)) return PTR_ERR(task);
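Review bot: the last argument of nfs4_init_sequence() now depends on whether lrp->inode is NULL, but the two calls differ only in that final 1 or 0 and nothing says what the value selects. Add a comment explaining why a synchronous layoutreturn without an active inode reference needs the other setting, and consider a single call with `lrp->inode ? 0 : 1` as the last argument instead of duplicating the argument list. Since nfs_igrab_and_active() is now called on the sync path as well, the release path has to drop that reference for sync callers too; that is not visible in this hunk and should be confirmed.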
Reviewed-by: Cheng Jian cj.chengjian@huawei.com
On 2021/10/21 18:25, Wang ShaoBo wrote:
openEuler kernel 21.03 innovation release patches
Alexander Kuznetsov (1): cgroup1: don't allow '\n' in renaming
Andy Shevchenko (1): usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe()
Anna Schumaker (1): NFS: Fix use-after-free in nfs4_init_client()
Desmond Cheong Zhi Xi (1): drm: Fix use-after-free read in drm_getunique()
Eric Farman (2): vfio-ccw: Reset FSM state to IDLE inside FSM vfio-ccw: Serialize FSM IDLE state with I/O completion
Jeremy Szu (1): ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8
Jerome Brunet (1): ASoC: meson: gx-card: fix sound-dai dt schema
Johannes Berg (1): netlink: disable IRQs for netlink_lock_table()
Li Jun (1): usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port
Linus Walleij (1): drm/mcde: Fix off by 10^3 in calculation
Maciej Żenczykowski (1): usb: f_ncm: only first packet of aggregate needs to start timer
Saravana Kannan (1): spi: Fix spi device unregister flow
Tiezhu Yang (1): MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER
Trond Myklebust (1): NFSv4: Fix second deadlock in nfs4_evict_inode()
Vincent Guittot (1): sched/fair: Keep load_avg and load_sum synced
Wesley Cheng (1): usb: dwc3: gadget: Disable gadget IRQ during pullup disable
Wolfram Sang (1): mmc: renesas_sdhi: abort tuning when timeout detected
Zhen Lei (1): tools/bootconfig: Fix error return code in apply_xbc()
Zou Wei (1): ASoC: sti-sas: add missing MODULE_DEVICE_TABLE
.../bindings/sound/amlogic,gx-sound-card.yaml | 4 ++--
arch/mips/lib/mips-atomic.c | 12 ++++++------
drivers/gpu/drm/drm_ioctl.c | 9 +++++----
drivers/gpu/drm/mcde/mcde_dsi.c | 2 +-
drivers/mmc/host/renesas_sdhi_core.c | 7 ++++++-
drivers/s390/cio/vfio_ccw_drv.c | 12 ++++++++++--
drivers/s390/cio/vfio_ccw_fsm.c | 1 +
drivers/s390/cio/vfio_ccw_ops.c | 2 --
drivers/spi/spi.c | 18 ++++++++++++------
drivers/usb/dwc3/gadget.c | 11 +++++------
drivers/usb/gadget/function/f_ncm.c | 8 ++++----
drivers/usb/typec/mux/intel_pmc_mux.c | 4 +++-
drivers/usb/typec/tcpm/tcpm.c | 3 +++
fs/nfs/nfs4client.c | 2 +-
fs/nfs/nfs4proc.c | 9 +++++++--
kernel/cgroup/cgroup-v1.c | 4 ++++
kernel/sched/fair.c | 11 +++++------
net/netlink/af_netlink.c | 6 ++++--
sound/pci/hda/patch_realtek.c | 1 +
sound/soc/codecs/sti-sas.c | 1 +
tools/bootconfig/main.c | 1 +
21 files changed, 82 insertions(+), 46 deletions(-)