1. 20 Nov, 2020 1 commit
    • spi: Take the SPI IO-mutex in the spi_setup() method · 4fae3a58
      Serge Semin authored
      I've discovered that due to the recent commit 49d7d695 ("spi: dw:
      Explicitly de-assert CS on SPI transfer completion") a concurrent usage of
      the spidev devices with different chip-selects causes the "SPI transfer
      timed out" error. The root cause of the problem has turned out to be a race
      condition between the SPI-transfer execution procedure and the spi_setup()
      method being called at the same time, in particular calling
      spi_set_cs(false) while there is an SPI-transfer being executed. In my
      case, due to the commit cited above, all CSs get switched off by
      calling spi_setup() for /dev/spidev0.1 while there is a concurrent
      SPI-transfer execution performed on /dev/spidev0.0. Of course a situation
      of spi_setup() being called while there is an SPI-transfer being
      executed for two different SPI peripheral devices of the same controller
      may happen not only for the spidev driver, but for instance for MMC SPI +
      some other device, or spi_setup() being called from an SPI-peripheral
      probe method while some other device has already been probed and is being
      used by a corresponding driver...
      
      Of course I could have provided a fix affecting the DW APB SSI driver
      only, for instance, by creating a mutual exclusive access to the set_cs
      callback and setting/clearing only the bit responsible for the
      corresponding chip-select. But after a short research I've discovered that
      the problem most likely affects a lot of the other drivers:
      - drivers/spi/spi-sun4i.c - RMW the chip-select register;
      - drivers/spi/spi-rockchip.c - RMW the chip-select register;
      - drivers/spi/spi-qup.c - RMW a generic force-CS flag in a CSR.
      - drivers/spi/spi-sifive.c - set a generic CS-mode flag in a CSR.
      - drivers/spi/spi-bcm63xx-hsspi.c - uses an internal mutex to serialize
        the bus config changes, but still isn't protected from the race
        condition described above;
      - drivers/spi/spi-geni-qcom.c - RMW a chip-select internal flag and set the
        CS state in HW;
      - drivers/spi/spi-orion.c - RMW a chip-select register;
      - drivers/spi/spi-cadence.c - RMW a chip-select register;
      - drivers/spi/spi-armada-3700.c - RMW a chip-select register;
      - drivers/spi/spi-lantiq-ssc.c - overwrites the chip-select register;
      - drivers/spi/spi-sun6i.c - RMW a chip-select register;
      - drivers/spi/spi-synquacer.c - RMW a chip-select register;
      - drivers/spi/spi-altera.c - directly sets the chip-select state;
      - drivers/spi/spi-omap2-mcspi.c - RMW an internally cached CS state and
        writes it to HW;
      - drivers/spi/spi-mt65xx.c - RMW some CSR;
      - drivers/spi/spi-jcore.c - directly sets the chip-selects state;
      - drivers/spi/spi-mt7621.c - RMW a chip-select register;
      
      I could have missed some drivers, but the scale of the problem is obvious.
      As you can see most of the drivers perform an unprotected
      read-modify-write chip-select register modification in the set_cs callback.
      Seeing that the spi_setup() function calls spi_set_cs() and can be
      executed concurrently with the SPI-transfer exec procedure, which also calls
      spi_set_cs() in the SPI core spi_transfer_one_message() method, the race
      condition of the register modification turns out to be obvious.
      
      To sum up, the problem denoted above affects each driver for a controller
      having more than one chip-select lane and which:
      1) performs the RMW to some CS-related register with no serialization;
      2) directly disables any CS on spi_set_cs(dev, false).
      * the latter is the case of the DW APB SSI driver.
      
      The controllers which are equipped with a single CS theoretically can also
      experience the problem, but in practice will not since normally
      spi_setup() isn't called concurrently with the SPI-transfers executed on
      the same SPI peripheral device.
      
      In order to generically fix the denoted bug I'd suggest serializing
      access to the controller IO by taking the IO mutex in the spi_setup()
      callback. The mutex is held while there is SPI communication going on
      on the SPI-bus of the corresponding SPI-controller. So calling the
      spi_setup() method and disabling/updating the CS state within it would be
      safe while there are no SPI-transfers being executed. Also note I
      suppose it would be safer to protect the spi_controller->setup() callback
      invocation too, seeing some of the SPI-controller drivers update a HW
      state in there.
      
      Fixes: 49d7d695 ("spi: dw: Explicitly de-assert CS on SPI transfer completion")
      Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
      Link: https://lore.kernel.org/r/20201117094517.5654-1-Sergey.Semin@baikalelectronics.ru
      Signed-off-by: Mark Brown <broonie@kernel.org>
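      The interleaving the commit above describes, as an added user-space model that is not kernel code and not part of the patch: one controller, peripherals on CS0 and CS1, a set_cs() that clears every chip-select on "disable" (the DW APB SSI behaviour cited), and a cooperative scheduler so the exact race is reproduced. The register layout, the `io_mutex_held` flag standing in for spi_controller->io_mutex and all function names are constructed for the illustration.

```c
/* Constructed model of the spi_setup() vs. spi_transfer_one_message() race.
 * Not kernel code: register layout, names and scheduling are all made up
 * so that the interleaving from the commit message can be replayed exactly. */
#include <stdbool.h>
#include <stdint.h>

struct ctlr {
    uint32_t cs_reg;     /* constructed layout: bit N set => CS N asserted */
    bool io_mutex_held;  /* stands in for spi_controller->io_mutex */
};

typedef bool (*setup_fn)(struct ctlr *, int cs);

/* set_cs() as the commit describes it for DW APB SSI: enabling ORs in one
 * bit, disabling de-asserts *all* chip-selects at once. */
static void dw_set_cs(struct ctlr *c, int cs, bool enable)
{
    if (enable)
        c->cs_reg |= 1u << cs;
    else
        c->cs_reg = 0;
}

/* spi_setup() before the fix: touches the CS hardware without any lock,
 * so it always completes immediately, even in the middle of a transfer. */
bool setup_unlocked(struct ctlr *c, int cs)
{
    dw_set_cs(c, cs, false);
    return true;
}

/* spi_setup() after the fix: takes the IO mutex first. In this cooperative
 * model "would sleep in mutex_lock()" is reported as false and the caller
 * retries once the transfer path has released the mutex. */
bool setup_locked(struct ctlr *c, int cs)
{
    if (c->io_mutex_held)
        return false;
    c->io_mutex_held = true;
    dw_set_cs(c, cs, false);
    c->io_mutex_held = false;
    return true;
}

/* One transfer on CS0 during which another process calls spi_setup() for
 * CS1 (the /dev/spidev0.0 vs /dev/spidev0.1 case). Returns true if the
 * transfer completes, false for the "SPI transfer timed out" outcome. */
bool run_transfer_with_concurrent_setup(setup_fn setup)
{
    struct ctlr c = { .cs_reg = 0, .io_mutex_held = false };
    bool deferred, cs_still_asserted;

    c.io_mutex_held = true;             /* transfer path holds io_mutex */
    dw_set_cs(&c, 0, true);             /* assert CS0 and start clocking */
    deferred = !setup(&c, 1);           /* concurrent spi_setup(spidev0.1) */
    cs_still_asserted = c.cs_reg & 1u;  /* peripheral answers only with CS0 on */
    dw_set_cs(&c, 0, false);            /* transfer complete: de-assert */
    c.io_mutex_held = false;
    if (deferred)
        setup(&c, 1);                   /* the blocked spi_setup() proceeds now */
    return cs_still_asserted;
}
```

Running `run_transfer_with_concurrent_setup(setup_unlocked)` reproduces the timeout, while the `setup_locked` variant keeps CS0 asserted until the transfer is done.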
  5. 12 Nov, 2020 6 commits
    • Merge series "Use-after-free be gone" from Lukas Wunner <lukas@wunner.de>: · c371dcf5
      Mark Brown authored
      Here's my proposal to fix the use-after-free bugs reported by
      Sascha Hauer and Florian Fainelli:
      
      I scrutinized all SPI drivers in the v5.10 tree:
      
      * There are 9 drivers with a use-after-free in the ->remove() hook
        caused by accessing driver private data after spi_unregister_controller().
      
      * There are 8 drivers which leak the spi_controller in the ->probe()
        error path because of a missing spi_controller_put().
      
      I'm introducing devm_spi_alloc_master/slave() which automatically
      calls spi_controller_put() on ->remove().  This fixes both classes
      of bugs while at the same time reducing code amount and complexity
      in the ->probe() hook.
      
      I propose that spi_controller_unregister() should no longer release
      a reference on the spi_controller.  Instead, drivers need to either
      do it themselves or use one of the devm functions introduced herein.
      The vast majority of drivers can be converted to the devm functions.
      See the commit message of patch [1/4] for the rationale and details.
      
      Enclosed are patches for 3 Broadcom drivers.
      Patches for the other drivers are on this branch:
      https://github.com/l1k/linux/commits/spi_fixes
      
      @Florian Fainelli:  Could you verify that there are no KASAN splats or
      leaks with these patches?  Unfortunately I do not have any SPI-capable
      hardware at my disposal right now, so can only compile-test.  You may
      want to augment spi_controller_release() with a printk() to log when
      the spi_controller is freed.
      
      @Mark Brown:  Patches [2/4] to [4/4] reference the SHA-1 of patch [1/4]
      in their stable tags.  Because the hash is unknown to me until you apply
      the patch, I've used "123456789abc" as a placeholder.  You'll have to
      replace the hash if/when applying.  Alternatively, only apply patch [1/4]
      and I'll repost the other patches with the hash fixed up.
      
      Thanks!
      
      Lukas Wunner (4):
        spi: Introduce device-managed SPI controller allocation
        spi: bcm2835: Fix use-after-free on unbind
        spi: bcm2835aux: Fix use-after-free on unbind
        spi: bcm-qspi: Fix use-after-free on unbind
      
       drivers/spi/spi-bcm-qspi.c   | 34 ++++++++-------------
       drivers/spi/spi-bcm2835.c    | 24 +++++----------
       drivers/spi/spi-bcm2835aux.c | 21 +++++--------
       drivers/spi/spi.c            | 58 +++++++++++++++++++++++++++++++++++-
       include/linux/spi/spi.h      | 19 ++++++++++++
       5 files changed, 103 insertions(+), 53 deletions(-)
      
      --
      2.28.0
    • spi: lpspi: Fix use-after-free on unbind · 4def49da
      Lukas Wunner authored
      Normally the last reference on an spi_controller is released by
      spi_unregister_controller().  In the case of the i.MX lpspi driver,
      the spi_controller is registered with devm_spi_register_controller(),
      so spi_unregister_controller() is invoked automatically after the driver
      has unbound.
      
      However the driver already releases the last reference in
      fsl_lpspi_remove() through a gratuitous call to spi_master_put(),
      causing a use-after-free when spi_unregister_controller() is
      subsequently invoked by the devres framework.
      
      Fix by dropping the superfluous spi_master_put().
      
      Fixes: 944c01a8 ("spi: lpspi: enable runtime pm for lpspi")
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Cc: <stable@vger.kernel.org> # v5.2+
      Cc: Han Xu <han.xu@nxp.com>
      Link: https://lore.kernel.org/r/ab3c0b18bd820501a12c85e440006e09ec0e275f.1604874488.git.lukas@wunner.de
      Signed-off-by: Mark Brown <broonie@kernel.org>
    • spi: bcm-qspi: Fix use-after-free on unbind · 63c5395b
      Lukas Wunner authored
      bcm_qspi_remove() calls spi_unregister_master() even though
      bcm_qspi_probe() calls devm_spi_register_master().  The spi_master is
      therefore unregistered and freed twice on unbind.
      
      Moreover, since commit 0392727c ("spi: bcm-qspi: Handle clock probe
      deferral"), bcm_qspi_probe() leaks the spi_master allocation if the call
      to devm_clk_get_optional() fails.
      
      Fix by switching over to the new devm_spi_alloc_master() helper which
      keeps the private data accessible until the driver has unbound and also
      avoids the spi_master leak on probe.
      
      While at it, fix an ordering issue in bcm_qspi_remove() wherein
      spi_unregister_master() is called after uninitializing the hardware,
      disabling the clock and freeing an IRQ data structure.  The correct
      order is to call spi_unregister_master() *before* those teardown steps
      because bus accesses may still be ongoing until that function returns.
      
      Fixes: fa236a7e ("spi: bcm-qspi: Add Broadcom MSPI driver")
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Cc: <stable@vger.kernel.org> # v4.9+: 123456789abc: spi: Introduce device-managed SPI controller allocation
      Cc: <stable@vger.kernel.org> # v4.9+
      Cc: Kamal Dasu <kdasu.kdev@gmail.com>
      Acked-by: Florian Fainelli <f.fainelli@gmail.com>
      Tested-by: Florian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/5e31a9a59fd1c0d0b795b2fe219f25e5ee855f9d.1605121038.git.lukas@wunner.de
      Signed-off-by: Mark Brown <broonie@kernel.org>
    • spi: bcm2835aux: Fix use-after-free on unbind · e13ee6cc
      Lukas Wunner authored
      bcm2835aux_spi_remove() accesses the driver's private data after calling
      spi_unregister_master() even though that function releases the last
      reference on the spi_master and thereby frees the private data.
      
      Fix by switching over to the new devm_spi_alloc_master() helper which
      keeps the private data accessible until the driver has unbound.
      
      Fixes: b9dd3f6d ("spi: bcm2835aux: Fix controller unregister order")
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Cc: <stable@vger.kernel.org> # v4.4+: 123456789abc: spi: Introduce device-managed SPI controller allocation
      Cc: <stable@vger.kernel.org> # v4.4+: b9dd3f6d: spi: bcm2835aux: Fix controller unregister order
      Cc: <stable@vger.kernel.org> # v4.4+
      Link: https://lore.kernel.org/r/b290b06357d0c0bdee9cecc539b840a90630f101.1605121038.git.lukas@wunner.de
      Signed-off-by: Mark Brown <broonie@kernel.org>
    • spi: bcm2835: Fix use-after-free on unbind · e1483ac0
      Lukas Wunner authored
      bcm2835_spi_remove() accesses the driver's private data after calling
      spi_unregister_controller() even though that function releases the last
      reference on the spi_controller and thereby frees the private data.
      
      Fix by switching over to the new devm_spi_alloc_master() helper which
      keeps the private data accessible until the driver has unbound.
      
      Fixes: f8043872 ("spi: add driver for BCM2835")
      Reported-by: Sascha Hauer <s.hauer@pengutronix.de>
      Reported-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Cc: <stable@vger.kernel.org> # v3.10+: 123456789abc: spi: Introduce device-managed SPI controller allocation
      Cc: <stable@vger.kernel.org> # v3.10+
      Cc: Vladimir Oltean <olteanv@gmail.com>
      Tested-by: Florian Fainelli <f.fainelli@gmail.com>
      Acked-by: Florian Fainelli <f.fainelli@gmail.com>
      Link: https://lore.kernel.org/r/ad66e0a0ad96feb848814842ecf5b6a4539ef35c.1605121038.git.lukas@wunner.de
      Signed-off-by: Mark Brown <broonie@kernel.org>
    • spi: Introduce device-managed SPI controller allocation · 5e844cc3
      Lukas Wunner authored
      SPI driver probing currently comprises two steps, whereas removal
      comprises only one step:
      
          spi_alloc_master()
          spi_register_controller()
      
          spi_unregister_controller()
      
      That's because spi_unregister_controller() calls device_unregister()
      instead of device_del(), thereby releasing the reference on the
      spi_controller which was obtained by spi_alloc_master().
      
      An SPI driver's private data is contained in the same memory allocation
      as the spi_controller struct.  Thus, once spi_unregister_controller()
      has been called, the private data is inaccessible.  But some drivers
      need to access it after spi_unregister_controller() to perform further
      teardown steps.
      
      Introduce devm_spi_alloc_master() and devm_spi_alloc_slave(), which
      release a reference on the spi_controller struct only after the driver
      has unbound, thereby keeping the memory allocation accessible.  Change
      spi_unregister_controller() to not release a reference if the
      spi_controller was allocated by one of these new devm functions.
      
      The present commit is small enough to be backportable to stable.
      It allows fixing drivers which use the private data in their ->remove()
      hook after it's been freed.  It also allows fixing drivers which neglect
      to release a reference on the spi_controller in the probe error path.
      
      Long-term, most SPI drivers shall be moved over to the devm functions
      introduced herein.  The few that can't shall be changed in a treewide
      commit to explicitly release the last reference on the controller.
      That commit shall amend spi_unregister_controller() to no longer release
      a reference, thereby completing the migration.
      
      As a result, the behaviour will be less surprising and more consistent
      with subsystems such as IIO, which also includes the private data in the
      allocation of the generic iio_dev struct, but calls device_del() in
      iio_device_unregister().
      Signed-off-by: Lukas Wunner <lukas@wunner.de>
      Link: https://lore.kernel.org/r/272bae2ef08abd21388c98e23729886663d19192.1605121038.git.lukas@wunner.de
      Signed-off-by: Mark Brown <broonie@kernel.org>
  12. 24 Oct, 2020 6 commits
    • Merge tag 'block-5.10-2020-10-24' of git://git.kernel.dk/linux-block · d7691390
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request from Christoph
           - rdma error handling fixes (Chao Leng)
           - fc error handling and reconnect fixes (James Smart)
           - fix the qid displace when tracing ioctl command (Keith Busch)
           - don't use BLK_MQ_REQ_NOWAIT for passthru (Chaitanya Kulkarni)
           - fix MTDT for passthru (Logan Gunthorpe)
           - blacklist Write Same on more devices (Kai-Heng Feng)
           - fix an uninitialized work struct (zhenwei pi)
      
       - lightnvm out-of-bounds fix (Colin)
      
       - SG allocation leak fix (Doug)
      
       - rnbd fixes (Gioh, Guoqing, Jack)
      
       - zone error translation fixes (Keith)
      
       - kerneldoc markup fix (Mauro)
      
       - zram lockdep fix (Peter)
      
       - Kill unused io_context members (Yufen)
      
       - NUMA memory allocation cleanup (Xianting)
      
       - NBD config wakeup fix (Xiubo)
      
      * tag 'block-5.10-2020-10-24' of git://git.kernel.dk/linux-block: (27 commits)
        block: blk-mq: fix a kernel-doc markup
        nvme-fc: shorten reconnect delay if possible for FC
        nvme-fc: wait for queues to freeze before calling update_hr_hw_queues
        nvme-fc: fix error loop in create_hw_io_queues
        nvme-fc: fix io timeout to abort I/O
        null_blk: use zone status for max active/open
        nvmet: don't use BLK_MQ_REQ_NOWAIT for passthru
        nvmet: cleanup nvmet_passthru_map_sg()
        nvmet: limit passthru MTDS by BIO_MAX_PAGES
        nvmet: fix uninitialized work for zero kato
        nvme-pci: disable Write Zeroes on Sandisk Skyhawk
        nvme: use queuedata for nvme_req_qid
        nvme-rdma: fix crash due to incorrect cqe
        nvme-rdma: fix crash when connect rejected
        block: remove unused members for io_context
        blk-mq: remove the calling of local_memory_node()
        zram: Fix __zram_bvec_{read,write}() locking order
        skd_main: remove unused including <linux/version.h>
        sgl_alloc_order: fix memory leak
        lightnvm: fix out-of-bounds write to array devices->info[]
        ...
    • Merge tag 'io_uring-5.10-2020-10-24' of git://git.kernel.dk/linux-block · af004187
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - fsize was missed in previous unification of work flags
      
       - Few fixes cleaning up the flags unification creds cases (Pavel)
      
       - Fix NUMA affinities for completely unplugged/replugged node for io-wq
      
       - Two fallout fixes from the set_fs changes. One local to io_uring, one
         for the splice entry point that io_uring uses.
      
       - Linked timeout fixes (Pavel)
      
       - Removal of ->flush() ->files work-around that we don't need anymore
         with referenced files (Pavel)
      
       - Various cleanups (Pavel)
      
      * tag 'io_uring-5.10-2020-10-24' of git://git.kernel.dk/linux-block:
        splice: change exported internal do_splice() helper to take kernel offset
        io_uring: make loop_rw_iter() use original user supplied pointers
        io_uring: remove req cancel in ->flush()
        io-wq: re-set NUMA node affinities if CPUs come online
        io_uring: don't reuse linked_timeout
        io_uring: unify fsize with def->work_flags
        io_uring: fix racy REQ_F_LINK_TIMEOUT clearing
        io_uring: do poll's hash_node init in common code
        io_uring: inline io_poll_task_handler()
        io_uring: remove extra ->file check in poll prep
        io_uring: make cached_cq_overflow non atomic_t
        io_uring: inline io_fail_links()
        io_uring: kill ref get/drop in personality init
        io_uring: flags-based creds init in queue
    • Merge tag 'libata-5.10-2020-10-24' of git://git.kernel.dk/linux-block · cb6b2897
      Linus Torvalds authored
      Pull libata fixes from Jens Axboe:
       "Two minor libata fixes:
      
         - Fix a DMA boundary mask regression for sata_rcar (Geert)
      
         - kerneldoc markup fix (Mauro)"
      
      * tag 'libata-5.10-2020-10-24' of git://git.kernel.dk/linux-block:
        ata: fix some kernel-doc markups
        ata: sata_rcar: Fix DMA boundary mask
    • Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 0eac1102
      Linus Torvalds authored
      Pull misc vfs updates from Al Viro:
       "Assorted stuff all over the place (the largest group here is
        Christoph's stat cleanups)"
      
      * 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fs: remove KSTAT_QUERY_FLAGS
        fs: remove vfs_stat_set_lookup_flags
        fs: move vfs_fstatat out of line
        fs: implement vfs_stat and vfs_lstat in terms of vfs_fstatat
        fs: remove vfs_statx_fd
        fs: omfs: use kmemdup() rather than kmalloc+memcpy
        [PATCH] reduce boilerplate in fsid handling
        fs: Remove duplicated flag O_NDELAY occurring twice in VALID_OPEN_FLAGS
        selftests: mount: add nosymfollow tests
        Add a "nosymfollow" mount option.
    • Merge tag 'dma-mapping-5.10-1' of git://git.infradead.org/users/hch/dma-mapping · 1b307ac8
      Linus Torvalds authored
      Pull dma-mapping fixes from Christoph Hellwig:
      
       - document the new dma_{alloc,free}_pages() API
      
       - two fixups for the dma-mapping.h split
      
      * tag 'dma-mapping-5.10-1' of git://git.infradead.org/users/hch/dma-mapping:
        dma-mapping: document dma_{alloc,free}_pages
        dma-mapping: move more functions to dma-map-ops.h
        ARM/sa1111: add a missing include of dma-map-ops.h
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 9bf8d8bc
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "Two fixes for this merge window, and an unrelated bugfix for a host
        hang"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: ioapic: break infinite recursion on lazy EOI
        KVM: vmx: rename pi_init to avoid conflict with paride
        KVM: x86/mmu: Avoid modulo operator on 64-bit value to fix i386 build