<feed xmlns='http://www.w3.org/2005/Atom'>
<title>android_kernel_zuk_msm8996.git/kernel/locking, branch master</title>
<subtitle></subtitle>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/'/>
<entry>
<title>Merge remote-tracking branch 'common/android-4.4-p' into lineage-18.1-caf-msm8998</title>
<updated>2021-09-16T15:09:37+00:00</updated>
<author>
<name>Michael Bestas</name>
<email>mkbestas@lineageos.org</email>
</author>
<published>2021-09-16T15:09:37+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=1ed76589b97cb8ebafe7d2c78eceea3a22247347'/>
<id>1ed76589b97cb8ebafe7d2c78eceea3a22247347</id>
<content type='text'>
# By Thomas Gleixner (11) and others
# Via Greg Kroah-Hartman
* google/common/android-4.4-p:
  Linux 4.4.283
  Revert "floppy: reintroduce O_NDELAY fix"
  fbmem: add margin check to fb_check_caps()
  vt_kdsetmode: extend console locking
  vringh: Use wiov-&gt;used to check for read/write desc order
  virtio: Improve vq-&gt;broken access to avoid any compiler optimization
  net: marvell: fix MVNETA_TX_IN_PRGRS bit number
  e1000e: Fix the max snoop/no-snoop latency for 10M
  USB: serial: option: add new VID/PID to support Fibocom FG150
  Revert "USB: serial: ch341: fix character loss at high transfer rates"
  can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters
  Linux 4.4.282
  mmc: dw_mmc: Fix occasional hang after tuning on eMMC
  ASoC: intel: atom: Fix breakage for PCM buffer address setup
  ipack: tpci200: fix many double free issues in tpci200_pci_probe
  ALSA: hda - fix the 'Capture Switch' value change notifications
  mmc: dw_mmc: Fix hang on data CRC error
  mmc: dw_mmc: call the dw_mci_prep_stop_abort() by default
  mmc: dw_mmc: Wait for data transfer after response errors.
  net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32
  net: 6pack: fix slab-out-of-bounds in decode_data
  dccp: add do-while-0 stubs for dccp_pr_debug macros
  Bluetooth: hidp: use correct wait queue when removing ctrl_wait
  scsi: core: Avoid printing an error if target_alloc() returns -ENXIO
  scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry()
  dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available
  ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218
  dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe()
  KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
  vmlinux.lds.h: Handle clang's module.{c,d}tor sections
  PCI/MSI: Enforce MSI[X] entry updates to be visible
  PCI/MSI: Enforce that MSI-X table entry is masked for update
  PCI/MSI: Mask all unused MSI-X entries
  PCI/MSI: Protect msi_desc::masked for multi-MSI
  PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown()
  PCI/MSI: Correct misleading comments
  PCI/MSI: Do not set invalid bits in MSI mask
  PCI/MSI: Enable and mask MSI-X early
  x86/tools: Fix objdump version check again
  xen/events: Fix race in set_evtchn_to_irq
  net: Fix memory leak in ieee802154_raw_deliver
  i2c: dev: zero out array used for i2c reads from userspace
  ASoC: intel: atom: Fix reference to PCM buffer address
  ANDROID: xt_quota2: set usersize in xt_match registration object
  ANDROID: xt_quota2: clear quota2_log message before sending
  ANDROID: xt_quota2: remove trailing junk which might have a digit in it
  UPSTREAM: netfilter: x_tables: fix pointer leaks to userspace
  Linux 4.4.281
  ovl: prevent private clone if bind mount is not allowed
  net: xilinx_emaclite: Do not print real IOMEM pointer
  USB:ehci:fix Kunpeng920 ehci hardware problem
  pipe: increase minimum default pipe size to 2 pages
  net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset
  alpha: Send stop IPI to send to online CPUs
  reiserfs: check directory items on read from disk
  reiserfs: add check for root_inode in reiserfs_fill_super
  pcmcia: i82092: fix a null pointer dereference bug
  MIPS: Malta: Do not byte-swap accesses to the CBUS UART
  serial: 8250: Mask out floating 16/32-bit bus bits
  media: rtl28xxu: fix zero-length control request
  scripts/tracing: fix the bug that can't parse raw_trace_func
  USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2
  USB: serial: ch341: fix character loss at high transfer rates
  USB: serial: option: add Telit FD980 composition 0x1056
  Bluetooth: defer cleanup of resources in hci_unregister_dev()
  net: vxge: fix use-after-free in vxge_device_unregister
  net: pegasus: fix uninit-value in get_interrupt_interval
  bnx2x: fix an error code in bnx2x_nic_load()
  mips: Fix non-POSIX regexp
  net: natsemi: Fix missing pci_disable_device() in probe and remove
  media: videobuf2-core: dequeue if start_streaming fails
  scsi: sr: Return correct event when media event code is 3
  ALSA: seq: Fix racy deletion of subscriber
  Linux 4.4.280
  rcu: Update documentation of rcu_read_unlock()
  futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock()
  futex: Avoid freeing an active timer
  futex: Handle transient "ownerless" rtmutex state correctly
  rtmutex: Make wait_lock irq safe
  futex: Futex_unlock_pi() determinism
  futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()
  futex: Pull rt_mutex_futex_unlock() out from under hb-&gt;lock
  futex,rt_mutex: Introduce rt_mutex_init_waiter()
  futex: Cleanup refcounting
  futex: Rename free_pi_state() to put_pi_state()
  Linux 4.4.279
  can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
  Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled"
  net: Fix zero-copy head len calculation.
  r8152: Fix potential PM refcount imbalance
  regulator: rt5033: Fix n_voltages settings for BUCK and LDO
  btrfs: mark compressed range uptodate only if all bio succeed

 Conflicts:
	net/bluetooth/hci_core.c
	net/netfilter/xt_quota2.c

Change-Id: I66e2384c8cc40448a7bff34bb935c74e6103e924
</content>
</entry>
<entry>
<title>Merge 4.4.280 into android-4.4-p</title>
<updated>2021-08-10T17:32:45+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@google.com</email>
</author>
<published>2021-08-10T17:32:45+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=c5c38d81d47414adc49be96b02987da14f755a6a'/>
<id>c5c38d81d47414adc49be96b02987da14f755a6a</id>
<content type='text'>
Changes in 4.4.280
	futex: Rename free_pi_state() to put_pi_state()
	futex: Cleanup refcounting
	futex,rt_mutex: Introduce rt_mutex_init_waiter()
	futex: Pull rt_mutex_futex_unlock() out from under hb-&gt;lock
	futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()
	futex: Futex_unlock_pi() determinism
	rtmutex: Make wait_lock irq safe
	futex: Handle transient "ownerless" rtmutex state correctly
	futex: Avoid freeing an active timer
	futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock()
	rcu: Update documentation of rcu_read_unlock()
	Linux 4.4.280

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@google.com&gt;
Change-Id: Ib8bf7ba366087b2442c4de8a078f0a252b076c51
</content>
</entry>
<entry>
<title>futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock()</title>
<updated>2021-08-10T15:39:42+00:00</updated>
<author>
<name>Peter Zijlstra</name>
<email>peterz@infradead.org</email>
</author>
<published>2021-08-02T13:46:23+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=66edc0dded9863962505c42c0f726db97204ed4e'/>
<id>66edc0dded9863962505c42c0f726db97204ed4e</id>
<content type='text'>
[ Upstream commit 04dc1b2fff4e96cb4142227fbdc63c8871ad4ed9 ]

Markus reported that the glibc/nptl/tst-robustpi8 test was failing after
commit:

  cfafcd117da0 ("futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()")

The following trace shows the problem:

 ld-linux-x86-64-2161  [019] ....   410.760971: SyS_futex: 00007ffbeb76b028: 80000875  op=FUTEX_LOCK_PI
 ld-linux-x86-64-2161  [019] ...1   410.760972: lock_pi_update_atomic: 00007ffbeb76b028: curval=80000875 uval=80000875 newval=80000875 ret=0
 ld-linux-x86-64-2165  [011] ....   410.760978: SyS_futex: 00007ffbeb76b028: 80000875  op=FUTEX_UNLOCK_PI
 ld-linux-x86-64-2165  [011] d..1   410.760979: do_futex: 00007ffbeb76b028: curval=80000875 uval=80000875 newval=80000871 ret=0
 ld-linux-x86-64-2165  [011] ....   410.760980: SyS_futex: 00007ffbeb76b028: 80000871 ret=0000
 ld-linux-x86-64-2161  [019] ....   410.760980: SyS_futex: 00007ffbeb76b028: 80000871 ret=ETIMEDOUT

Task 2165 does an UNLOCK_PI, assigning the lock to the waiter task 2161
which then returns with -ETIMEDOUT. That wrecks the lock state, because now
the owner isn't aware it acquired the lock and removes the pending robust
list entry.

If 2161 is killed, the robust list will not clear out this futex and the
subsequent acquire on this futex will then (correctly) result in -ESRCH
which is unexpected by glibc, triggers an internal assertion and dies.

Task 2161			Task 2165

rt_mutex_wait_proxy_lock()
   timeout();
   /* T2161 is still queued in the waiter list */
   return -ETIMEDOUT;

				futex_unlock_pi()
				spin_lock(hb-&gt;lock);
				rtmutex_unlock()
				  remove_rtmutex_waiter(T2161);
				   mark_lock_available();
				/* Make the next waiter owner of the user space side */
				futex_uval = 2161;
				spin_unlock(hb-&gt;lock);
spin_lock(hb-&gt;lock);
rt_mutex_cleanup_proxy_lock()
  if (rtmutex_owner() != current)
     ...
     return FAIL;
....
return -ETIMEDOUT;

This means that rt_mutex_cleanup_proxy_lock() needs to call
try_to_take_rt_mutex() so it can take over the rtmutex correctly which was
assigned by the waker. If the rtmutex is owned by some other task then this
call is harmless and just confirms that the waiter is not able to acquire
it.

While there, fix what looks like a merge error which resulted in
rt_mutex_cleanup_proxy_lock() having two calls to
fixup_rt_mutex_waiters() and rt_mutex_wait_proxy_lock() not having any.
Both should have one, since both potentially touch the waiter list.

Fixes: 38d589f2fd08 ("futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()")
Reported-by: Markus Trippelsdorf &lt;markus@trippelsdorf.de&gt;
Bug-Spotted-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Peter Zijlstra (Intel) &lt;peterz@infradead.org&gt;
Cc: Florian Weimer &lt;fweimer@redhat.com&gt;
Cc: Darren Hart &lt;dvhart@infradead.org&gt;
Cc: Sebastian Andrzej Siewior &lt;bigeasy@linutronix.de&gt;
Cc: Markus Trippelsdorf &lt;markus@trippelsdorf.de&gt;
Link: http://lkml.kernel.org/r/20170519154850.mlomgdsd26drq5j6@hirez.programming.kicks-ass.net
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Zhen Lei &lt;thunder.leizhen@huawei.com&gt;
Acked-by: Joe Korty &lt;joe.korty@concurrent-rt.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>rtmutex: Make wait_lock irq safe</title>
<updated>2021-08-10T15:39:42+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2021-08-02T13:46:20+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=6ef8ca1e4f08745b1e56b289bf418474becc937b'/>
<id>6ef8ca1e4f08745b1e56b289bf418474becc937b</id>
<content type='text'>
[ Upstream commit b4abf91047cf054f203dcfac97e1038388826937 ]

Sasha reported a lockdep splat about a potential deadlock between RCU boosting
rtmutex and the posix timer it_lock.

CPU0					CPU1

rtmutex_lock(&amp;rcu-&gt;rt_mutex)
  spin_lock(&amp;rcu-&gt;rt_mutex.wait_lock)
					local_irq_disable()
					spin_lock(&amp;timer-&gt;it_lock)
					spin_lock(&amp;rcu-&gt;mutex.wait_lock)
--&gt; Interrupt
    spin_lock(&amp;timer-&gt;it_lock)

This is caused by the following code sequence on CPU1

     rcu_read_lock()
     x = lookup();
     if (x)
     	spin_lock_irqsave(&amp;x-&gt;it_lock);
     rcu_read_unlock();
     return x;

We could fix that in the posix timer code by keeping rcu read locked across
the spinlocked and irq disabled section, but the above sequence is common and
there is no reason not to support it.

Taking rt_mutex.wait_lock irq safe prevents the deadlock.

Reported-by: Sasha Levin &lt;sasha.levin@oracle.com&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Cc: Peter Zijlstra &lt;peterz@infradead.org&gt;
Cc: Paul McKenney &lt;paulmck@linux.vnet.ibm.com&gt;
Signed-off-by: Zhen Lei &lt;thunder.leizhen@huawei.com&gt;
Acked-by: Joe Korty &lt;joe.korty@concurrent-rt.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()</title>
<updated>2021-08-10T15:39:42+00:00</updated>
<author>
<name>Peter Zijlstra</name>
<email>peterz@infradead.org</email>
</author>
<published>2021-08-02T13:46:18+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=b5dac38eb0ff3cbef23afd36d6822291a2a757a5'/>
<id>b5dac38eb0ff3cbef23afd36d6822291a2a757a5</id>
<content type='text'>
[ Upstream commit cfafcd117da0216520568c195cb2f6cd1980c4bb ]

By changing futex_lock_pi() to use rt_mutex_*_proxy_lock() all wait_list
modifications are done under both hb-&gt;lock and wait_lock.

This closes the obvious interleave pattern between futex_lock_pi() and
futex_unlock_pi(), but not entirely so. See below:

Before:

futex_lock_pi()			futex_unlock_pi()
  unlock hb-&gt;lock

				  lock hb-&gt;lock
				  unlock hb-&gt;lock

				  lock rt_mutex-&gt;wait_lock
				  unlock rt_mutex-&gt;wait_lock
				    -EAGAIN

  lock rt_mutex-&gt;wait_lock
  list_add
  unlock rt_mutex-&gt;wait_lock

  schedule()

  lock rt_mutex-&gt;wait_lock
  list_del
  unlock rt_mutex-&gt;wait_lock

				  &lt;idem&gt;
				    -EAGAIN

  lock hb-&gt;lock

After:

futex_lock_pi()			futex_unlock_pi()

  lock hb-&gt;lock
  lock rt_mutex-&gt;wait_lock
  list_add
  unlock rt_mutex-&gt;wait_lock
  unlock hb-&gt;lock

  schedule()
				  lock hb-&gt;lock
				  unlock hb-&gt;lock
  lock hb-&gt;lock
  lock rt_mutex-&gt;wait_lock
  list_del
  unlock rt_mutex-&gt;wait_lock

				  lock rt_mutex-&gt;wait_lock
				  unlock rt_mutex-&gt;wait_lock
				    -EAGAIN

  unlock hb-&gt;lock

It does however solve the earlier starvation/live-lock scenario which got
introduced with the -EAGAIN since unlike the before scenario; where the
-EAGAIN happens while futex_unlock_pi() doesn't hold any locks; in the
after scenario it happens while futex_unlock_pi() actually holds a lock,
and then it is serialized on that lock.

Signed-off-by: Peter Zijlstra (Intel) &lt;peterz@infradead.org&gt;
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170322104152.062785528@infradead.org
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Zhen Lei &lt;thunder.leizhen@huawei.com&gt;
Acked-by: Joe Korty &lt;joe.korty@concurrent-rt.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>futex,rt_mutex: Introduce rt_mutex_init_waiter()</title>
<updated>2021-08-10T15:39:42+00:00</updated>
<author>
<name>Peter Zijlstra</name>
<email>peterz@infradead.org</email>
</author>
<published>2021-08-02T13:46:16+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=50801cdc86003c4e20b9ae668cf2659d0218cfcc'/>
<id>50801cdc86003c4e20b9ae668cf2659d0218cfcc</id>
<content type='text'>
[ Upstream commit 50809358dd7199aa7ce232f6877dd09ec30ef374 ]

Since there's already two copies of this code, introduce a helper now
before adding a third one.

Signed-off-by: Peter Zijlstra (Intel) &lt;peterz@infradead.org&gt;
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170322104151.950039479@infradead.org
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Zhen Lei &lt;thunder.leizhen@huawei.com&gt;
Acked-by: Joe Korty &lt;joe.korty@concurrent-rt.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Merge branch 'android-4.4-p' of https://android.googlesource.com/kernel/common into lineage-18.1-caf-msm8998</title>
<updated>2021-02-28T01:22:47+00:00</updated>
<author>
<name>Michael Bestas</name>
<email>mkbestas@lineageos.org</email>
</author>
<published>2021-02-28T01:22:47+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=3d9b6f5ee02e712b6cd1d50db3c2e68064fc2eca'/>
<id>3d9b6f5ee02e712b6cd1d50db3c2e68064fc2eca</id>
<content type='text'>
This brings LA.UM.9.2.r1-02500-SDMxx0.0 up to date with
https://android.googlesource.com/kernel/common/ android-4.4-p at commit:
4fd124d1546d8 Merge 4.4.258 into android-4.4-p

Change-Id: Idbae7489bc1d831a378dd60993f46139e5e28c4c
</content>
</entry>
<entry>
<title>Merge 4.4.257 into android-4.4-p</title>
<updated>2021-02-10T09:32:46+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@google.com</email>
</author>
<published>2021-02-10T09:32:46+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=831b1199b5e3105a15c3a12c7bd03ea45320ed01'/>
<id>831b1199b5e3105a15c3a12c7bd03ea45320ed01</id>
<content type='text'>
Changes in 4.4.257
	net_sched: reject silly cell_log in qdisc_get_rtab()
	futex,rt_mutex: Provide futex specific rt_mutex API
	futex: Remove rt_mutex_deadlock_account_*()
	futex: Rework inconsistent rt_mutex/futex_q state
	futex: Avoid violating the 10th rule of futex
	futex: Replace pointless printk in fixup_owner()
	futex: Provide and use pi_state_update_owner()
	rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
	futex: Use pi_state_update_owner() in put_pi_state()
	futex: Simplify fixup_pi_state_owner()
	futex: Handle faults correctly for PI futexes
	usb: udc: core: Use lock when write to soft_connect
	scsi: libfc: Avoid invoking response handler twice if ep is already completed
	scsi: ibmvfc: Set default timeout to avoid crash during migration
	stable: clamp SUBLEVEL in 4.4 and 4.9
	USB: serial: cp210x: add pid/vid for WSDA-200-USB
	USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000
	USB: serial: option: Adding support for Cinterion MV31
	Input: i8042 - unbreak Pegatron C15B
	net: lapb: Copy the skb before sending a packet
	ELF/MIPS build fix
	elfcore: fix building with clang
	USB: gadget: legacy: fix an error code in eth_bind()
	USB: usblp: don't call usb_set_interface if there's a single alt
	usb: dwc2: Fix endpoint direction check in ep_from_windex
	mac80211: fix station rate table updates on assoc
	kretprobe: Avoid re-registration of the same kretprobe earlier
	cifs: report error instead of invalid when revalidating a dentry fails
	mmc: core: Limit retries when analyse of SDIO tuples fails
	ARM: footbridge: fix dc21285 PCI configuration accessors
	mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page
	mm: hugetlb: fix a race between isolating and freeing page
	mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active
	x86/build: Disable CET instrumentation in the kernel
	x86/apic: Add extra serialization for non-serializing MSRs
	Input: xpad - sync supported devices with fork on GitHub
	ACPI: thermal: Do not call acpi_thermal_check() directly
	ALSA: hda/realtek - Fix typo of pincfg for Dell quirk
	Linux 4.4.257

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@google.com&gt;
Change-Id: I3bd45d2e19a068d1d25e2d57f9d171a0b57061ad
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Changes in 4.4.257
	net_sched: reject silly cell_log in qdisc_get_rtab()
	futex,rt_mutex: Provide futex specific rt_mutex API
	futex: Remove rt_mutex_deadlock_account_*()
	futex: Rework inconsistent rt_mutex/futex_q state
	futex: Avoid violating the 10th rule of futex
	futex: Replace pointless printk in fixup_owner()
	futex: Provide and use pi_state_update_owner()
	rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
	futex: Use pi_state_update_owner() in put_pi_state()
	futex: Simplify fixup_pi_state_owner()
	futex: Handle faults correctly for PI futexes
	usb: udc: core: Use lock when write to soft_connect
	scsi: libfc: Avoid invoking response handler twice if ep is already completed
	scsi: ibmvfc: Set default timeout to avoid crash during migration
	stable: clamp SUBLEVEL in 4.4 and 4.9
	USB: serial: cp210x: add pid/vid for WSDA-200-USB
	USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000
	USB: serial: option: Adding support for Cinterion MV31
	Input: i8042 - unbreak Pegatron C15B
	net: lapb: Copy the skb before sending a packet
	ELF/MIPS build fix
	elfcore: fix building with clang
	USB: gadget: legacy: fix an error code in eth_bind()
	USB: usblp: don't call usb_set_interface if there's a single alt
	usb: dwc2: Fix endpoint direction check in ep_from_windex
	mac80211: fix station rate table updates on assoc
	kretprobe: Avoid re-registration of the same kretprobe earlier
	cifs: report error instead of invalid when revalidating a dentry fails
	mmc: core: Limit retries when analyse of SDIO tuples fails
	ARM: footbridge: fix dc21285 PCI configuration accessors
	mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page
	mm: hugetlb: fix a race between isolating and freeing page
	mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active
	x86/build: Disable CET instrumentation in the kernel
	x86/apic: Add extra serialization for non-serializing MSRs
	Input: xpad - sync supported devices with fork on GitHub
	ACPI: thermal: Do not call acpi_thermal_check() directly
	ALSA: hda/realtek - Fix typo of pincfg for Dell quirk
	Linux 4.4.257

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@google.com&gt;
Change-Id: I3bd45d2e19a068d1d25e2d57f9d171a0b57061ad
</pre>
</div>
</content>
</entry>
<entry>
<title>rtmutex: Remove unused argument from rt_mutex_proxy_unlock()</title>
<updated>2021-02-10T08:07:25+00:00</updated>
<author>
<name>Lee Jones</name>
<email>lee.jones@linaro.org</email>
</author>
<published>2021-02-04T17:29:00+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=42255927e832f9c1ed8db4e84530bc6a54aa2fee'/>
<id>42255927e832f9c1ed8db4e84530bc6a54aa2fee</id>
<content type='text'>
From: Thomas Gleixner &lt;tglx@linutronix.de&gt;

[ Upstream commit 2156ac1934166d6deb6cd0f6ffc4c1076ec63697 ]

Nothing uses the argument. Remove it as preparation to use
pi_state_update_owner().

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Acked-by: Peter Zijlstra (Intel) &lt;peterz@infradead.org&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Lee Jones &lt;lee.jones@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
From: Thomas Gleixner &lt;tglx@linutronix.de&gt;

[ Upstream commit 2156ac1934166d6deb6cd0f6ffc4c1076ec63697 ]

Nothing uses the argument. Remove it as preparation to use
pi_state_update_owner().

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Acked-by: Peter Zijlstra (Intel) &lt;peterz@infradead.org&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Lee Jones &lt;lee.jones@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>futex: Avoid violating the 10th rule of futex</title>
<updated>2021-02-10T08:07:25+00:00</updated>
<author>
<name>Lee Jones</name>
<email>lee.jones@linaro.org</email>
</author>
<published>2021-02-04T17:28:57+00:00</published>
<link rel='alternate' type='text/html' href='http://git.compromyse.xyz/android/android_kernel_zuk_msm8996.git/commit/?id=ad4740ceccfbf326b7f82ebac43d860a64240c1c'/>
<id>ad4740ceccfbf326b7f82ebac43d860a64240c1c</id>
<content type='text'>
From: Peter Zijlstra &lt;peterz@infradead.org&gt;

commit c1e2f0eaf015fb7076d51a339011f2383e6dd389 upstream.

Julia reported futex state corruption in the following scenario:

   waiter                                  waker                                            stealer (prio &gt; waiter)

   futex(WAIT_REQUEUE_PI, uaddr, uaddr2,
         timeout=[N ms])
      futex_wait_requeue_pi()
         futex_wait_queue_me()
            freezable_schedule()
            &lt;scheduled out&gt;
                                           futex(LOCK_PI, uaddr2)
                                           futex(CMP_REQUEUE_PI, uaddr,
                                                 uaddr2, 1, 0)
                                              /* requeues waiter to uaddr2 */
                                           futex(UNLOCK_PI, uaddr2)
                                                 wake_futex_pi()
                                                    cmp_futex_value_locked(uaddr2, waiter)
                                                    wake_up_q()
           &lt;woken by waker&gt;
           &lt;hrtimer_wakeup() fires,
            clears sleeper-&gt;task&gt;
                                                                                           futex(LOCK_PI, uaddr2)
                                                                                              __rt_mutex_start_proxy_lock()
                                                                                                 try_to_take_rt_mutex() /* steals lock */
                                                                                                    rt_mutex_set_owner(lock, stealer)
                                                                                              &lt;preempted&gt;
         &lt;scheduled in&gt;
         rt_mutex_wait_proxy_lock()
            __rt_mutex_slowlock()
               try_to_take_rt_mutex() /* fails, lock held by stealer */
               if (timeout &amp;&amp; !timeout-&gt;task)
                  return -ETIMEDOUT;
            fixup_owner()
               /* lock wasn't acquired, so,
                  fixup_pi_state_owner skipped */

   return -ETIMEDOUT;

   /* At this point, we've returned -ETIMEDOUT to userspace, but the
    * futex word shows waiter to be the owner, and the pi_mutex has
    * stealer as the owner */

   futex_lock(LOCK_PI, uaddr2)
     -&gt; bails with EDEADLK, futex word says we're owner.

And suggested that what commit:

  73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state")

removes from fixup_owner() looks to be just what is needed. And indeed
it is -- I completely missed that requeue_pi could also result in this
case. So we need to restore that, except that subsequent patches, like
commit:

  16ffa12d7425 ("futex: Pull rt_mutex_futex_unlock() out from under hb-&gt;lock")

changed all the locking rules. Even without that, the sequence:

-               if (rt_mutex_futex_trylock(&amp;q-&gt;pi_state-&gt;pi_mutex)) {
-                       locked = 1;
-                       goto out;
-               }

-               raw_spin_lock_irq(&amp;q-&gt;pi_state-&gt;pi_mutex.wait_lock);
-               owner = rt_mutex_owner(&amp;q-&gt;pi_state-&gt;pi_mutex);
-               if (!owner)
-                       owner = rt_mutex_next_owner(&amp;q-&gt;pi_state-&gt;pi_mutex);
-               raw_spin_unlock_irq(&amp;q-&gt;pi_state-&gt;pi_mutex.wait_lock);
-               ret = fixup_pi_state_owner(uaddr, q, owner);

already suggests there were races; otherwise we'd never have to look
at next_owner.

So instead of doing 3 consecutive wait_lock sections with who knows
what races, we do it all in a single section. Additionally, the usage
of pi_state-&gt;owner in fixup_owner() was only safe because only the
rt_mutex owner would modify it, which this additional case wrecks.

Luckily the values can only change away and not to the value we're
testing; this means we can do a speculative test and double check once
we have the wait_lock.

Fixes: 73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state")
Reported-by: Julia Cartwright &lt;julia@ni.com&gt;
Reported-by: Gratian Crisan &lt;gratian.crisan@ni.com&gt;
Signed-off-by: Peter Zijlstra (Intel) &lt;peterz@infradead.org&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Tested-by: Julia Cartwright &lt;julia@ni.com&gt;
Tested-by: Gratian Crisan &lt;gratian.crisan@ni.com&gt;
Cc: Darren Hart &lt;dvhart@infradead.org&gt;
Link: https://lkml.kernel.org/r/20171208124939.7livp7no2ov65rrc@hirez.programming.kicks-ass.net
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[Lee: Back-ported to solve a dependency]
Signed-off-by: Lee Jones &lt;lee.jones@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
From: Peter Zijlstra &lt;peterz@infradead.org&gt;

commit c1e2f0eaf015fb7076d51a339011f2383e6dd389 upstream.

Julia reported futex state corruption in the following scenario:

   waiter                                  waker                                            stealer (prio &gt; waiter)

   futex(WAIT_REQUEUE_PI, uaddr, uaddr2,
         timeout=[N ms])
      futex_wait_requeue_pi()
         futex_wait_queue_me()
            freezable_schedule()
            &lt;scheduled out&gt;
                                           futex(LOCK_PI, uaddr2)
                                           futex(CMP_REQUEUE_PI, uaddr,
                                                 uaddr2, 1, 0)
                                              /* requeues waiter to uaddr2 */
                                           futex(UNLOCK_PI, uaddr2)
                                                 wake_futex_pi()
                                                    cmp_futex_value_locked(uaddr2, waiter)
                                                    wake_up_q()
           &lt;woken by waker&gt;
           &lt;hrtimer_wakeup() fires,
            clears sleeper-&gt;task&gt;
                                                                                           futex(LOCK_PI, uaddr2)
                                                                                              __rt_mutex_start_proxy_lock()
                                                                                                 try_to_take_rt_mutex() /* steals lock */
                                                                                                    rt_mutex_set_owner(lock, stealer)
                                                                                              &lt;preempted&gt;
         &lt;scheduled in&gt;
         rt_mutex_wait_proxy_lock()
            __rt_mutex_slowlock()
               try_to_take_rt_mutex() /* fails, lock held by stealer */
               if (timeout &amp;&amp; !timeout-&gt;task)
                  return -ETIMEDOUT;
            fixup_owner()
               /* lock wasn't acquired, so,
                  fixup_pi_state_owner skipped */

   return -ETIMEDOUT;

   /* At this point, we've returned -ETIMEDOUT to userspace, but the
    * futex word shows waiter to be the owner, and the pi_mutex has
    * stealer as the owner */

   futex_lock(LOCK_PI, uaddr2)
     -&gt; bails with EDEADLK, futex word says we're owner.

And suggested that what commit:

  73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state")

removes from fixup_owner() looks to be just what is needed. And indeed
it is -- I completely missed that requeue_pi could also result in this
case. So we need to restore that, except that subsequent patches, like
commit:

  16ffa12d7425 ("futex: Pull rt_mutex_futex_unlock() out from under hb-&gt;lock")

changed all the locking rules. Even without that, the sequence:

-               if (rt_mutex_futex_trylock(&amp;q-&gt;pi_state-&gt;pi_mutex)) {
-                       locked = 1;
-                       goto out;
-               }

-               raw_spin_lock_irq(&amp;q-&gt;pi_state-&gt;pi_mutex.wait_lock);
-               owner = rt_mutex_owner(&amp;q-&gt;pi_state-&gt;pi_mutex);
-               if (!owner)
-                       owner = rt_mutex_next_owner(&amp;q-&gt;pi_state-&gt;pi_mutex);
-               raw_spin_unlock_irq(&amp;q-&gt;pi_state-&gt;pi_mutex.wait_lock);
-               ret = fixup_pi_state_owner(uaddr, q, owner);

already suggests there were races; otherwise we'd never have to look
at next_owner.

So instead of doing 3 consecutive wait_lock sections with who knows
what races, we do it all in a single section. Additionally, the usage
of pi_state-&gt;owner in fixup_owner() was only safe because only the
rt_mutex owner would modify it, which this additional case wrecks.

Luckily the values can only change away and not to the value we're
testing; this means we can do a speculative test and double check once
we have the wait_lock.

Fixes: 73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state")
Reported-by: Julia Cartwright &lt;julia@ni.com&gt;
Reported-by: Gratian Crisan &lt;gratian.crisan@ni.com&gt;
Signed-off-by: Peter Zijlstra (Intel) &lt;peterz@infradead.org&gt;
Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Tested-by: Julia Cartwright &lt;julia@ni.com&gt;
Tested-by: Gratian Crisan &lt;gratian.crisan@ni.com&gt;
Cc: Darren Hart &lt;dvhart@infradead.org&gt;
Link: https://lkml.kernel.org/r/20171208124939.7livp7no2ov65rrc@hirez.programming.kicks-ass.net
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[Lee: Back-ported to solve a dependency]
Signed-off-by: Lee Jones &lt;lee.jones@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
