1. 11 Feb, 2019 1 commit
    • John Stultz's avatar
      usb: f_fs: Avoid crash due to out-of-scope stack ptr access · 54f64d5c
      John Stultz authored
      Since the 5.0 merge window opened, I've been seeing frequent
      crashes on suspend and reboot with the trace:
      
      [   36.911170] Unable to handle kernel paging request at virtual address ffffff801153d660
      [   36.912769] Unable to handle kernel paging request at virtual address ffffff800004b564
      ...
      [   36.950666] Call trace:
      [   36.950670]  queued_spin_lock_slowpath+0x1cc/0x2c8
      [   36.950681]  _raw_spin_lock_irqsave+0x64/0x78
      [   36.950692]  complete+0x28/0x70
      [   36.950703]  ffs_epfile_io_complete+0x3c/0x50
      [   36.950713]  usb_gadget_giveback_request+0x34/0x108
      [   36.950721]  dwc3_gadget_giveback+0x50/0x68
      [   36.950723]  dwc3_thread_interrupt+0x358/0x1488
      [   36.950731]  irq_thread_fn+0x30/0x88
      [   36.950734]  irq_thread+0x114/0x1b0
      [   36.950739]  kthread+0x104/0x130
      [   36.950747]  ret_from_fork+0x10/0x1c
      
      I isolated this down to in ffs_epfile_io():
      https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/usb/gadget/function/f_fs.c#n1065
      
      Where the completion done is setup on the stack:
        DECLARE_COMPLETION_ONSTACK(done);
      
      Then later we setup a request and queue it, and wait for it:
        if (unlikely(wait_for_completion_interruptible(&done))) {
          /*
          * To avoid race condition with ffs_epfile_io_complete,
          * dequeue the request first then check
          * status. usb_ep_dequeue API should guarantee no race
          * condition with req->complete callback.
          */
          usb_ep_dequeue(ep->ep, req);
          interrupted = ep->status < 0;
        }
      
      The problem is, that we end up being interrupted, dequeue the
      request, and exit.
      
      But then the irq triggers and we try calling complete() on the
      context pointer which points to now random stack space, which
      results in the panic.
      
      Alan Stern pointed out there is a bug here, in that the snippet
      above "assumes that usb_ep_dequeue() waits until the request has
      been completed." And that:
      
          wait_for_completion(&done);
      
      Is needed right after the usb_ep_dequeue().
      
      Thus this patch implements that change. With it I no longer see
      the crashes on suspend or reboot.
      
      This issue seems to have been uncovered by behavioral changes in
      the dwc3 driver in commit fec9095b ("usb: dwc3: gadget:
      remove wait_end_transfer").
      
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Cc: Felipe Balbi <balbi@kernel.org>
      Cc: Zeng Tao <prime.zeng@hisilicon.com>
      Cc: Jack Pham <jackp@codeaurora.org>
      Cc: Thinh Nguyen <thinh.nguyen@synopsys.com>
      Cc: Chen Yu <chenyu56@huawei.com>
      Cc: Jerry Zhang <zhangjerry@google.com>
      Cc: Lars-Peter Clausen <lars@metafoo.de>
      Cc: Vincent Pelletier <plr.vincent@gmail.com>
      Cc: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Linux USB List <linux-usb@vger.kernel.org>
      Suggested-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      54f64d5c
  2. 07 Feb, 2019 7 commits
  3. 06 Feb, 2019 2 commits
  4. 05 Feb, 2019 1 commit
  5. 04 Feb, 2019 4 commits
  6. 01 Feb, 2019 1 commit
  7. 28 Jan, 2019 17 commits
  8. 27 Jan, 2019 7 commits
    • Linus Torvalds's avatar
      Linux 5.0-rc4 · f17b5f06
      Linus Torvalds authored
      f17b5f06
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8a5f0605
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A set of fixes for x86:
      
         - Fix the swapped outb() parameters in the KASLR code
      
         - Fix the PKEY handling at fork which missed to preserve the pkey
           state for the child. Comes with a test case to validate that.
      
         - Fix the entry stack handling for XEN PV to respect that XEN PV
           systems enter the function already on the current thread stack and
           not on the trampoline.
      
         - Fix kexec load failure caused by using a stale value when the
           kexec_buf structure is reused for subsequent allocations.
      
         - Fix a bogus sizeof() in the memory encryption code
      
         - Enforce PCI dependency for the Intel Low Power Subsystem
      
         - Enforce PCI_LOCKLESS_CONFIG when PCI is enabled"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/Kconfig: Select PCI_LOCKLESS_CONFIG if PCI is enabled
        x86/entry/64/compat: Fix stack switching for XEN PV
        x86/kexec: Fix a kexec_file_load() failure
        x86/mm/mem_encrypt: Fix erroneous sizeof()
        x86/selftests/pkeys: Fork() to check for state being preserved
        x86/pkeys: Properly copy pkey state at fork()
        x86/kaslr: Fix incorrect i8254 outb() parameters
        x86/intel/lpss: Make PCI dependency explicit
      8a5f0605
    • Linus Torvalds's avatar
      Merge branch 'x86-timers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 351e1aa6
      Linus Torvalds authored
      Pull x86 timer fixes from Thomas Gleixner:
       "Two commits which were missed to be sent during the merge window.
      
         - The TSC calibration fix turns out to be more urgent as recent
           Skylake-X systems seem to have massive trouble with calibration
           disturbance. This should go back into stable for that reason and it
           the risk of breakage is rather low.
      
         - Drop an unused define"
      
      * 'x86-timers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/hpet: Remove unused FSEC_PER_NSEC define
        x86/tsc: Make calibration refinement more robust
      351e1aa6
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f907bb4c
      Linus Torvalds authored
      Pull timer fix from Thomas Glexiner:
       "A single regression fix to address the unintended breakage of posix
        cpu timers.
      
        This is caused by a new sanity check in the common code, which fails
        for posix cpu timers under certain conditions because the posix cpu
        timer code never updates the variable which is checked"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        posix-cpu-timers: Unbreak timer rearming
      f907bb4c
    • Linus Torvalds's avatar
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 98810518
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "A small series of fixes which all address possible missed wakeups:
      
         - Document and fix the wakeup ordering of wake_q
      
         - Add the missing barrier in rcuwait_wake_up(), which was documented
           in the comment but missing in the code
      
         - Fix the possible missed wakeups in the rwsem and futex code"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/rwsem: Fix (possible) missed wakeup
        futex: Fix (possible) missed wakeup
        sched/wake_q: Fix wakeup ordering for wake_q
        sched/wake_q: Document wake_q_add()
        sched/wait: Fix rcuwait_wake_up() ordering
      98810518
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0d484375
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "A small set of fixes for the interrupt subsystem:
      
         - Fix a double increment in the irq descriptor allocator which
           resulted in a sanity check only being done for every second
           affinity mask
      
         - Add a missing device tree translation in the stm32-exti driver.
           Without that the interrupt association is completely wrong.
      
         - Initialize the mutex in the GIC-V3 MBI driver
      
         - Fix the alignment for aliasing devices in the GIC-V3-ITS driver so
           multi MSI allocations work correctly
      
         - Ensure that the initial affinity of a interrupt is not empty at
           startup time.
      
         - Drop bogus include in the madera irq chip driver
      
         - Fix KernelDoc regression"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size
        genirq/irqdesc: Fix double increment in alloc_descs()
        genirq: Fix the kerneldoc comment for struct irq_affinity_desc
        irqchip/madera: Drop GPIO includes
        irqchip/gic-v3-mbi: Fix uninitialized mbi_lock
        irqchip/stm32-exti: Add domain translate function
        genirq: Make sure the initial affinity is not empty
      0d484375
    • Linus Torvalds's avatar
      Merge tag 'edac_fix_for_5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp · 98354243
      Linus Torvalds authored
      Pull EDAC fix from Borislav Petkov:
       "Fix persistent register offsets of altera_edac, from Thor Thayer"
      
      * tag 'edac_fix_for_5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
        EDAC, altera: Fix S10 persistent register offset
      98354243