Eric Lee / smarc-fsl-linux-kernel

01 Jul, 2020

2 commits

  • f7f181582   ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function ... Browse Code »

    [ Upstream commit f650ef61e040bcb175dd8762164b00a5d627f20e ]

    BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x10bd/0x10f0
    drivers/ata/libata-scsi.c:4045
    Read of size 1 at addr ffff88803b8cd003 by task syz-executor.6/12621

    CPU: 1 PID: 12621 Comm: syz-executor.6 Not tainted 4.19.95 #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    1.10.2-1ubuntu1 04/01/2014
    Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0xac/0xee lib/dump_stack.c:118
    print_address_description+0x60/0x223 mm/kasan/report.c:253
    kasan_report_error mm/kasan/report.c:351 [inline]
    kasan_report mm/kasan/report.c:409 [inline]
    kasan_report.cold+0xae/0x2d8 mm/kasan/report.c:393
    ata_scsi_mode_select_xlat+0x10bd/0x10f0 drivers/ata/libata-scsi.c:4045
    ata_scsi_translate+0x2da/0x680 drivers/ata/libata-scsi.c:2035
    __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4360 [inline]
    ata_scsi_queuecmd+0x2e4/0x790 drivers/ata/libata-scsi.c:4409
    scsi_dispatch_cmd+0x2ee/0x6c0 drivers/scsi/scsi_lib.c:1867
    scsi_queue_rq+0xfd7/0x1990 drivers/scsi/scsi_lib.c:2170
    blk_mq_dispatch_rq_list+0x1e1/0x19a0 block/blk-mq.c:1186
    blk_mq_do_dispatch_sched+0x147/0x3d0 block/blk-mq-sched.c:108
    blk_mq_sched_dispatch_requests+0x427/0x680 block/blk-mq-sched.c:204
    __blk_mq_run_hw_queue+0xbc/0x200 block/blk-mq.c:1308
    __blk_mq_delay_run_hw_queue+0x3c0/0x460 block/blk-mq.c:1376
    blk_mq_run_hw_queue+0x152/0x310 block/blk-mq.c:1413
    blk_mq_sched_insert_request+0x337/0x6c0 block/blk-mq-sched.c:397
    blk_execute_rq_nowait+0x124/0x320 block/blk-exec.c:64
    blk_execute_rq+0xc5/0x112 block/blk-exec.c:101
    sg_scsi_ioctl+0x3b0/0x6a0 block/scsi_ioctl.c:507
    sg_ioctl+0xd37/0x23f0 drivers/scsi/sg.c:1106
    vfs_ioctl fs/ioctl.c:46 [inline]
    file_ioctl fs/ioctl.c:501 [inline]
    do_vfs_ioctl+0xae6/0x1030 fs/ioctl.c:688
    ksys_ioctl+0x76/0xa0 fs/ioctl.c:705
    __do_sys_ioctl fs/ioctl.c:712 [inline]
    __se_sys_ioctl fs/ioctl.c:710 [inline]
    __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
    do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
    entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x45c479
    Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89
    f7 48
    89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff
    ff 0f
    83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007fb0e9602c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    RAX: ffffffffffffffda RBX: 00007fb0e96036d4 RCX: 000000000045c479
    RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003
    RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
    R13: 000000000000046d R14: 00000000004c6e1a R15: 000000000076bfcc

    Allocated by task 12577:
    set_track mm/kasan/kasan.c:460 [inline]
    kasan_kmalloc mm/kasan/kasan.c:553 [inline]
    kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
    __kmalloc+0xf3/0x1e0 mm/slub.c:3749
    kmalloc include/linux/slab.h:520 [inline]
    load_elf_phdrs+0x118/0x1b0 fs/binfmt_elf.c:441
    load_elf_binary+0x2de/0x4610 fs/binfmt_elf.c:737
    search_binary_handler fs/exec.c:1654 [inline]
    search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
    exec_binprm fs/exec.c:1696 [inline]
    __do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
    do_execveat_common fs/exec.c:1866 [inline]
    do_execve fs/exec.c:1883 [inline]
    __do_sys_execve fs/exec.c:1964 [inline]
    __se_sys_execve fs/exec.c:1959 [inline]
    __x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
    do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Freed by task 12577:
    set_track mm/kasan/kasan.c:460 [inline]
    __kasan_slab_free+0x129/0x170 mm/kasan/kasan.c:521
    slab_free_hook mm/slub.c:1370 [inline]
    slab_free_freelist_hook mm/slub.c:1397 [inline]
    slab_free mm/slub.c:2952 [inline]
    kfree+0x8b/0x1a0 mm/slub.c:3904
    load_elf_binary+0x1be7/0x4610 fs/binfmt_elf.c:1118
    search_binary_handler fs/exec.c:1654 [inline]
    search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
    exec_binprm fs/exec.c:1696 [inline]
    __do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
    do_execveat_common fs/exec.c:1866 [inline]
    do_execve fs/exec.c:1883 [inline]
    __do_sys_execve fs/exec.c:1964 [inline]
    __se_sys_execve fs/exec.c:1959 [inline]
    __x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
    do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

    The buggy address belongs to the object at ffff88803b8ccf00
    which belongs to the cache kmalloc-512 of size 512
    The buggy address is located 259 bytes inside of
    512-byte region [ffff88803b8ccf00, ffff88803b8cd100)
    The buggy address belongs to the page:
    page:ffffea0000ee3300 count:1 mapcount:0 mapping:ffff88806cc03080
    index:0xffff88803b8cc780 compound_mapcount: 0
    flags: 0x100000000008100(slab|head)
    raw: 0100000000008100 ffffea0001104080 0000000200000002 ffff88806cc03080
    raw: ffff88803b8cc780 00000000800c000b 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
    ffff88803b8ccf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ffff88803b8ccf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff88803b8cd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ^
    ffff88803b8cd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ffff88803b8cd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

    You can refer to "https://www.lkml.org/lkml/2019/1/17/474" reproduce
    this error.

    The exception code is "bd_len = p[3];", "p" value is ffff88803b8cd000
    which belongs to the cache kmalloc-512 of size 512. The "page_address(sg_page(scsi_sglist(scmd)))"
    maybe from sg_scsi_ioctl function "buffer" which allocated by kzalloc, so "buffer"
    may not page aligned.
    This also looks completely buggy on highmem systems and really needs to use a
    kmap_atomic. --Christoph Hellwig
    To address above bugs, Paolo Bonzini advise to simpler to just make a char array
    of size CACHE_MPAGE_LEN+8+8+4-2(or just 64 to make it easy), use sg_copy_to_buffer
    to copy from the sglist into the buffer, and workthere.

    Signed-off-by: Ye Bin
    Signed-off-by: Jens Axboe
    Signed-off-by: Sasha Levin

    Ye Bin
     
  • 4dfc238a2   sata_rcar: handle pm_runtime_get_sync failure cases ... Browse Code »

    [ Upstream commit eea1238867205b9e48a67c1a63219529a73c46fd ]

    Calling pm_runtime_get_sync increments the counter even in case of
    failure, causing incorrect ref count. Call pm_runtime_put if
    pm_runtime_get_sync fails.

    Signed-off-by: Navid Emamdoost
    Signed-off-by: Jens Axboe
    Signed-off-by: Sasha Levin

    Navid Emamdoost
     

24 Jun, 2020

1 commit

  • ef4f3b65d   libata: Use per port sync for detach ... Browse Code »

    [ Upstream commit b5292111de9bb70cba3489075970889765302136 ]

    Commit 130f4caf145c ("libata: Ensure ata_port probe has completed before
    detach") may cause system freeze during suspend.

    Using async_synchronize_full() in PM callbacks is wrong, since async
    callbacks that are already scheduled may wait for not-yet-scheduled
    callbacks, causes a circular dependency.

    Instead of using big hammer like async_synchronize_full(), use async
    cookie to make sure port probe are synced, without affecting other
    scheduled PM callbacks.

    Fixes: 130f4caf145c ("libata: Ensure ata_port probe has completed before detach")
    Suggested-by: John Garry
    Signed-off-by: Kai-Heng Feng
    Tested-by: John Garry
    BugLink: https://bugs.launchpad.net/bugs/1867983
    Signed-off-by: Jens Axboe
    Signed-off-by: Sasha Levin

    Kai-Heng Feng
     

17 Apr, 2020

2 commits

  • d0b9bd480   libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set ... Browse Code »

    commit 8305f72f952cff21ce8109dc1ea4b321c8efc5af upstream.

    During system resume from suspend, this can be observed on ASM1062 PMP
    controller:

    ata10.01: SATA link down (SStatus 0 SControl 330)
    ata10.02: hard resetting link
    ata10.02: SATA link down (SStatus 0 SControl 330)
    ata10.00: configured for UDMA/133
    Kernel panic - not syncing: stack-protector: Kernel
    in: sata_pmp_eh_recover+0xa2b/0xa40

    CPU: 2 PID: 230 Comm: scsi_eh_9 Tainted: P OE
    #49-Ubuntu
    Hardware name: System manufacturer System Product
    1001 12/10/2017
    Call Trace:
    dump_stack+0x63/0x8b
    panic+0xe4/0x244
    ? sata_pmp_eh_recover+0xa2b/0xa40
    __stack_chk_fail+0x19/0x20
    sata_pmp_eh_recover+0xa2b/0xa40
    ? ahci_do_softreset+0x260/0x260 [libahci]
    ? ahci_do_hardreset+0x140/0x140 [libahci]
    ? ata_phys_link_offline+0x60/0x60
    ? ahci_stop_engine+0xc0/0xc0 [libahci]
    sata_pmp_error_handler+0x22/0x30
    ahci_error_handler+0x45/0x80 [libahci]
    ata_scsi_port_error_handler+0x29b/0x770
    ? ata_scsi_cmd_error_handler+0x101/0x140
    ata_scsi_error+0x95/0xd0
    ? scsi_try_target_reset+0x90/0x90
    scsi_error_handler+0xd0/0x5b0
    kthread+0x121/0x140
    ? scsi_eh_get_sense+0x200/0x200
    ? kthread_create_worker_on_cpu+0x70/0x70
    ret_from_fork+0x22/0x40
    Kernel Offset: 0xcc00000 from 0xffffffff81000000
    (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

    Since sata_pmp_eh_recover_pmp() doens't set rc when ATA_DFLAG_DETACH is
    set, sata_pmp_eh_recover() continues to run. During retry it triggers
    the stack protector.

    Set correct rc in sata_pmp_eh_recover_pmp() to let sata_pmp_eh_recover()
    jump to pmp_fail directly.

    BugLink: https://bugs.launchpad.net/bugs/1821434
    Cc: stable@vger.kernel.org
    Signed-off-by: Kai-Heng Feng
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

    Kai-Heng Feng
     
  • 347f09109   libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() ... Browse Code »

    [ Upstream commit 1d72f7aec3595249dbb83291ccac041a2d676c57 ]

    If the call to scsi_add_host_with_dma() in ata_scsi_add_hosts() fails,
    then we may get use-after-free KASAN warns:

    ==================================================================
    BUG: KASAN: use-after-free in kobject_put+0x24/0x180
    Read of size 1 at addr ffff0026b8c80364 by task swapper/0/1
    CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 5.6.0-rc3-00004-g5a71b206ea82-dirty #1765
    Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDD, BIOS 2280-V2 CS V3.B160.01 02/24/2020
    Call trace:
    dump_backtrace+0x0/0x298
    show_stack+0x14/0x20
    dump_stack+0x118/0x190
    print_address_description.isra.9+0x6c/0x3b8
    __kasan_report+0x134/0x23c
    kasan_report+0xc/0x18
    __asan_load1+0x5c/0x68
    kobject_put+0x24/0x180
    put_device+0x10/0x20
    scsi_host_put+0x10/0x18
    ata_devres_release+0x74/0xb0
    release_nodes+0x2d0/0x470
    devres_release_all+0x50/0x78
    really_probe+0x2d4/0x560
    driver_probe_device+0x7c/0x148
    device_driver_attach+0x94/0xa0
    __driver_attach+0xa8/0x110
    bus_for_each_dev+0xe8/0x158
    driver_attach+0x30/0x40
    bus_add_driver+0x220/0x2e0
    driver_register+0xbc/0x1d0
    __pci_register_driver+0xbc/0xd0
    ahci_pci_driver_init+0x20/0x28
    do_one_initcall+0xf0/0x608
    kernel_init_freeable+0x31c/0x384
    kernel_init+0x10/0x118
    ret_from_fork+0x10/0x18

    Allocated by task 5:
    save_stack+0x28/0xc8
    __kasan_kmalloc.isra.8+0xbc/0xd8
    kasan_kmalloc+0xc/0x18
    __kmalloc+0x1a8/0x280
    scsi_host_alloc+0x44/0x678
    ata_scsi_add_hosts+0x74/0x268
    ata_host_register+0x228/0x488
    ahci_host_activate+0x1c4/0x2a8
    ahci_init_one+0xd18/0x1298
    local_pci_probe+0x74/0xf0
    work_for_cpu_fn+0x2c/0x48
    process_one_work+0x488/0xc08
    worker_thread+0x330/0x5d0
    kthread+0x1c8/0x1d0
    ret_from_fork+0x10/0x18

    Freed by task 5:
    save_stack+0x28/0xc8
    __kasan_slab_free+0x118/0x180
    kasan_slab_free+0x10/0x18
    slab_free_freelist_hook+0xa4/0x1a0
    kfree+0xd4/0x3a0
    scsi_host_dev_release+0x100/0x148
    device_release+0x7c/0xe0
    kobject_put+0xb0/0x180
    put_device+0x10/0x20
    scsi_host_put+0x10/0x18
    ata_scsi_add_hosts+0x210/0x268
    ata_host_register+0x228/0x488
    ahci_host_activate+0x1c4/0x2a8
    ahci_init_one+0xd18/0x1298
    local_pci_probe+0x74/0xf0
    work_for_cpu_fn+0x2c/0x48
    process_one_work+0x488/0xc08
    worker_thread+0x330/0x5d0
    kthread+0x1c8/0x1d0
    ret_from_fork+0x10/0x18

    There is also refcount issue, as well:
    WARNING: CPU: 1 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0xf8/0x170

    The issue is that we make an erroneous extra call to scsi_host_put()
    for that host:

    So in ahci_init_one()->ata_host_alloc_pinfo()->ata_host_alloc(), we setup
    a device release method - ata_devres_release() - which intends to release
    the SCSI hosts:

    static void ata_devres_release(struct device *gendev, void *res)
    {
    ...
    for (i = 0; i < host->n_ports; i++) {
    struct ata_port *ap = host->ports[i];

    if (!ap)
    continue;

    if (ap->scsi_host)
    scsi_host_put(ap->scsi_host);

    }
    ...
    }

    However in the ata_scsi_add_hosts() error path, we also call
    scsi_host_put() for the SCSI hosts.

    Fix by removing the the scsi_host_put() calls in ata_scsi_add_hosts() and
    leave this to ata_devres_release().

    Fixes: f31871951b38 ("libata: separate out ata_host_alloc() and ata_host_register()")
    Signed-off-by: John Garry
    Signed-off-by: Jens Axboe
    Signed-off-by: Sasha Levin

    John Garry
     

01 Apr, 2020

1 commit

29 Feb, 2020

1 commit

  • 9724b3f28   ata: ahci: Add shutdown to freeze hardware resources of ahci ... Browse Code »

    commit 10a663a1b15134a5a714aa515e11425a44d4fdf7 upstream.

    device_shutdown() called from reboot or power_shutdown expect
    all devices to be shutdown. Same is true for even ahci pci driver.
    As no ahci shutdown function is implemented, the ata subsystem
    always remains alive with DMA & interrupt support. File system
    related calls should not be honored after device_shutdown().

    So defining ahci pci driver shutdown to freeze hardware (mask
    interrupt, stop DMA engine and free DMA resources).

    Signed-off-by: Prabhakar Kushwaha
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

    Prabhakar Kushwaha
     

09 Jan, 2020

5 commits

  • c9738c3a4   libata: Fix retrieving of active qcs ... Browse Code »

    commit 8385d756e114f2df8568e508902d5f9850817ffb upstream.

    ata_qc_complete_multiple() is called with a mask of the still active
    tags.

    mv_sata doesn't have this information directly and instead calculates
    the still active tags from the started tags (ap->qc_active) and the
    finished tags as (ap->qc_active ^ done_mask)

    Since 28361c40368 the hw_tag and tag are no longer the same and the
    equation is no longer valid. In ata_exec_internal_sg() ap->qc_active is
    initialized as 1ULL << ATA_TAG_INTERNAL, but in hardware tag 0 is
    started and this will be in done_mask on completion. ap->qc_active ^
    done_mask becomes 0x100000000 ^ 0x1 = 0x100000001 and thus tag 0 used as
    the internal tag will never be reported as completed.

    This is fixed by introducing ata_qc_get_active() which returns the
    active hardware tags and calling it where appropriate.

    This is tested on mv_sata, but sata_fsl and sata_nv suffer from the same
    problem. There is another case in sata_nv that most likely needs fixing
    as well, but this looks a little different, so I wasn't confident enough
    to change that.

    Fixes: 28361c403683 ("libata: add extra internal command")
    Cc: stable@vger.kernel.org
    Tested-by: Pali Rohár
    Signed-off-by: Sascha Hauer
    Signed-off-by: Greg Kroah-Hartman

    Add missing export of ata_qc_get_active(), as per Pali.

    Signed-off-by: Jens Axboe

    Sascha Hauer
     
  • fc6e6f322   ata: ahci_brcm: BCM7425 AHCI requires AHCI_HFLAG_DELAY_ENGINE ... Browse Code »

    commit 1a3d78cb6e20779a19388315bd8efefbd8d4a656 upstream.

    Set AHCI_HFLAG_DELAY_ENGINE for the BCM7425 AHCI controller thus making
    it conforming to the 'strict' AHCI implementation which this controller
    is based on.

    This solves long link establishment with specific hard drives (e.g.:
    Seagate ST1000VM002-9ZL1 SC12) that would otherwise have to complete the
    error recovery handling before finally establishing a succesful SATA
    link at the desired speed.

    We re-order the hpriv->flags assignment to also remove the NONCQ quirk
    since we can set the flag directly.

    Fixes: 9586114cf1e9 ("ata: ahci_brcmstb: add support MIPS-based platforms")
    Fixes: 423be77daabe ("ata: ahci_brcmstb: add quirk for broken ncq")
    Cc: stable@vger.kernel.org
    Reviewed-by: Hans de Goede
    Signed-off-by: Florian Fainelli
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

    Florian Fainelli
     
  • a3b6848e8   ata: ahci_brcm: Add missing clock management during recovery ... Browse Code »

    commit bf0e5013bc2dcac205417e1252205dca39dfc005 upstream.

    The downstream implementation of ahci_brcm.c did contain clock
    management recovery, but until recently, did that outside of the
    libahci_platform helpers and this was unintentionally stripped out while
    forward porting the patch upstream.

    Add the missing clock management during recovery and sleep for 10
    milliseconds per the design team recommendations to ensure the SATA PHY
    controller and AFE have been fully quiesced.

    Fixes: eb73390ae241 ("ata: ahci_brcm: Recover from failures to identify devices")
    Cc: stable@vger.kernel.org
    Reviewed-by: Hans de Goede
    Signed-off-by: Florian Fainelli
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

    Florian Fainelli
     
  • d9295852f   ata: ahci_brcm: Fix AHCI resources management ... Browse Code »

    commit c0cdf2ac4b5bf3e5ef2451ea29fb4104278cdabc upstream.

    The AHCI resources management within ahci_brcm.c is a little
    convoluted, largely because it historically had a dedicated clock that
    was managed within this file in the downstream tree. Once brough
    upstream though, the clock was left to be managed by libahci_platform.c
    which is entirely appropriate.

    This patch series ensures that the AHCI resources are fetched and
    enabled before any register access is done, thus avoiding bus errors on
    platforms which clock gate the controller by default.

    As a result we need to re-arrange the suspend() and resume() functions
    in order to avoid accessing registers after the clocks have been turned
    off respectively before the clocks have been turned on. Finally, we can
    refactor brcm_ahci_get_portmask() in order to fetch the number of ports
    from hpriv->mmio which is now accessible without jumping through hoops
    like we used to do.

    The commit pointed in the Fixes tag is both old and new enough not to
    require major headaches for backporting of this patch.

    Fixes: eba68f829794 ("ata: ahci_brcmstb: rename to support across Broadcom SoC's")
    Cc: stable@vger.kernel.org
    Reviewed-by: Hans de Goede
    Signed-off-by: Florian Fainelli
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

    Florian Fainelli
     
  • 1ce0f1e6f   ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys() ... Browse Code »

    commit 84b032dbfdf1c139cd2b864e43959510646975f8 upstream.

    This reverts commit 6bb86fefa086faba7b60bb452300b76a47cde1a5
    ("libahci_platform: Staticize ahci_platform_able_phys()") we are
    going to need ahci_platform_{enable,disable}_phys() in a subsequent
    commit for ahci_brcm.c in order to properly control the PHY
    initialization order.

    Also make sure the function prototypes are declared in
    include/linux/ahci_platform.h as a result.

    Cc: stable@vger.kernel.org
    Reviewed-by: Hans de Goede
    Signed-off-by: Florian Fainelli
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

    Florian Fainelli
     

31 Dec, 2019

1 commit

  • f545fda25   libata: Ensure ata_port probe has completed before detach ... Browse Code »

    [ Upstream commit 130f4caf145c3562108b245a576db30b916199d2 ]

    With CONFIG_DEBUG_TEST_DRIVER_REMOVE set, we may find the following WARN:

    [ 23.452574] ------------[ cut here ]------------
    [ 23.457190] WARNING: CPU: 59 PID: 1 at drivers/ata/libata-core.c:6676 ata_host_detach+0x15c/0x168
    [ 23.466047] Modules linked in:
    [ 23.469092] CPU: 59 PID: 1 Comm: swapper/0 Not tainted 5.4.0-rc1-00010-g5b83fd27752b-dirty #296
    [ 23.477776] Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
    [ 23.486286] pstate: a0c00009 (NzCv daif +PAN +UAO)
    [ 23.491065] pc : ata_host_detach+0x15c/0x168
    [ 23.495322] lr : ata_host_detach+0x88/0x168
    [ 23.499491] sp : ffff800011cabb50
    [ 23.502792] x29: ffff800011cabb50 x28: 0000000000000007
    [ 23.508091] x27: ffff80001137f068 x26: ffff8000112c0c28
    [ 23.513390] x25: 0000000000003848 x24: ffff0023ea185300
    [ 23.518689] x23: 0000000000000001 x22: 00000000000014c0
    [ 23.523987] x21: 0000000000013740 x20: ffff0023bdc20000
    [ 23.529286] x19: 0000000000000000 x18: 0000000000000004
    [ 23.534584] x17: 0000000000000001 x16: 00000000000000f0
    [ 23.539883] x15: ffff0023eac13790 x14: ffff0023eb76c408
    [ 23.545181] x13: 0000000000000000 x12: ffff0023eac13790
    [ 23.550480] x11: ffff0023eb76c228 x10: 0000000000000000
    [ 23.555779] x9 : ffff0023eac13798 x8 : 0000000040000000
    [ 23.561077] x7 : 0000000000000002 x6 : 0000000000000001
    [ 23.566376] x5 : 0000000000000002 x4 : 0000000000000000
    [ 23.571674] x3 : ffff0023bf08a0bc x2 : 0000000000000000
    [ 23.576972] x1 : 3099674201f72700 x0 : 0000000000400284
    [ 23.582272] Call trace:
    [ 23.584706] ata_host_detach+0x15c/0x168
    [ 23.588616] ata_pci_remove_one+0x10/0x18
    [ 23.592615] ahci_remove_one+0x20/0x40
    [ 23.596356] pci_device_remove+0x3c/0xe0
    [ 23.600267] really_probe+0xdc/0x3e0
    [ 23.603830] driver_probe_device+0x58/0x100
    [ 23.608000] device_driver_attach+0x6c/0x90
    [ 23.612169] __driver_attach+0x84/0xc8
    [ 23.615908] bus_for_each_dev+0x74/0xc8
    [ 23.619730] driver_attach+0x20/0x28
    [ 23.623292] bus_add_driver+0x148/0x1f0
    [ 23.627115] driver_register+0x60/0x110
    [ 23.630938] __pci_register_driver+0x40/0x48
    [ 23.635199] ahci_pci_driver_init+0x20/0x28
    [ 23.639372] do_one_initcall+0x5c/0x1b0
    [ 23.643199] kernel_init_freeable+0x1a4/0x24c
    [ 23.647546] kernel_init+0x10/0x108
    [ 23.651023] ret_from_fork+0x10/0x18
    [ 23.654590] ---[ end trace 634a14b675b71c13 ]---

    With KASAN also enabled, we may also get many use-after-free reports.

    The issue is that when CONFIG_DEBUG_TEST_DRIVER_REMOVE is set, we may
    attempt to detach the ata_port before it has been probed.

    This is because the ata_ports are async probed, meaning that there is no
    guarantee that the ata_port has probed prior to detach. When the ata_port
    does probe in this scenario, we get all sorts of issues as the detach may
    have already happened.

    Fix by ensuring synchronisation with async_synchronize_full(). We could
    alternatively use the cookie returned from the ata_port probe
    async_schedule() call, but that means managing the cookie, so more
    complicated.

    Signed-off-by: John Garry
    Signed-off-by: Jens Axboe
    Signed-off-by: Sasha Levin

    John Garry
     

26 Oct, 2019

1 commit

  • 962399bb7   ata: libahci_platform: Fix regulator_get_optional() misuse ... Browse Code »

    This driver is using regulator_get_optional() to handle all the supplies
    that it handles, and only ever enables and disables all supplies en masse
    without ever doing any other configuration of the device to handle missing
    power. These are clear signs that the API is being misused - it should only
    be used for supplies that may be physically absent from the system and in
    these cases the hardware usually needs different configuration if the
    supply is missing. Instead use normal regualtor_get(), if the supply is
    not described in DT then the framework will substitute a dummy regulator in
    so no special handling is needed by the consumer driver.

    In the case of the PHY regulator the handling in the driver is a hack to
    deal with integrated PHYs; the supplies are only optional in the sense
    that that there's some confusion in the code about where they're bound to.
    From a code point of view they function exactly as normal supplies so can
    be treated as such. It'd probably be better to model this by instantiating
    a PHY object for integrated PHYs.

    Reviewed-by: Hans de Goede
    Signed-off-by: Mark Brown
    Signed-off-by: Jens Axboe

    Mark Brown
     

16 Oct, 2019

1 commit

  • 09d6ac8dc   libata/ahci: Fix PCS quirk application ... Browse Code »

    Commit c312ef176399 "libata/ahci: Drop PCS quirk for Denverton and
    beyond" got the polarity wrong on the check for which board-ids should
    have the quirk applied. The board type board_ahci_pcs7 is defined at the
    end of the list such that "pcs7" boards can be special cased in the
    future if they need the quirk. All prior Intel board ids "<
    board_ahci_pcs7" should proceed with applying the quirk.

    Reported-by: Andreas Friedrich
    Reported-by: Stephen Douthit
    Fixes: c312ef176399 ("libata/ahci: Drop PCS quirk for Denverton and beyond")
    Cc:
    Signed-off-by: Dan Williams
    Signed-off-by: Jens Axboe

    Dan Williams
     

06 Oct, 2019

1 commit

20 Sep, 2019

1 commit

  • d7f76f36a   ata: libahci_platform: Add of_node_put() before loop exit ... Browse Code »

    Each iteration of for_each_child_of_node puts the previous node, but
    in the case of a goto from the middle of the loop, there is no put,
    thus causing a memory leak. Add an of_node_put before three such goto
    statements.
    Issue found with Coccinelle.

    Reviewed-by: Hans de Goede
    Signed-off-by: Nishka Dasgupta
    Signed-off-by: Jens Axboe

    Nishka Dasgupta
     

18 Sep, 2019

1 commit

  • 5260c2b86   Merge tag 'for-5.4/libata-2019-09-15' of git://git.kernel.dk/linux-block ... Browse Code »

    Pull libata updates from Jens Axboe:

    - Kill unused export (Andy)

    - Use dma_set_mask_and_coherent() throughout (Christoph)

    - Drop PCS quirk on Denverton, which has different register layout
    (Dan)

    - Support non-boot time detection for pata_buddha (Max)

    * tag 'for-5.4/libata-2019-09-15' of git://git.kernel.dk/linux-block:
    libata/ahci: Drop PCS quirk for Denverton and beyond
    ahci: Do not export local variable ahci_em_messages
    libata: switch remaining drivers to use dma_set_mask_and_coherent
    sata_sil24: use dma_set_mask_and_coherent
    sata_qstor: use dma_set_mask_and_coherent
    sata_nv: use dma_set_mask_and_coherent
    sata_mv: use dma_set_mask_and_coherent
    pdc_adma: use dma_set_mask_and_coherent
    ahci: use dma_set_mask_and_coherent
    acard_ahci: use dma_set_mask_and_coherent
    ata/pata_buddha: Probe via modalias instead of initcall

    Linus Torvalds
     

31 Aug, 2019

2 commits

  • c312ef176   libata/ahci: Drop PCS quirk for Denverton and beyond ... Browse Code »

    The Linux ahci driver has historically implemented a configuration fixup
    for platforms / platform-firmware that fails to enable the ports prior
    to OS hand-off at boot. The fixup was originally implemented way back
    before ahci moved from drivers/scsi/ to drivers/ata/, and was updated in
    2007 via commit 49f290903935 "ahci: update PCS programming". The quirk
    sets a port-enable bitmap in the PCS register at offset 0x92.

    This quirk could be applied generically up until the arrival of the
    Denverton (DNV) platform. The DNV AHCI controller architecture supports
    more than 6 ports and along with that the PCS register location and
    format were updated to allow for more possible ports in the bitmap. DNV
    AHCI expands the register to 32-bits and moves it to offset 0x94.

    As it stands there are no known problem reports with existing Linux
    trying to set bits at offset 0x92 which indicates that the quirk is not
    applicable. Likely it is not applicable on a wider range of platforms,
    but it is difficult to discern which platforms if any still depend on
    the quirk.

    Rather than try to fix the PCS quirk to consider the DNV register layout
    instead require explicit opt-in. The assumption is that the OS driver
    need not touch this register, and platforms can be added with a new
    boad_ahci_pcs7 board-id when / if problematic platforms are found in the
    future. The logic in ahci_intel_pcs_quirk() looks for all Intel AHCI
    instances with "legacy" board-ids and otherwise skips the quirk if the
    board was matched by class-code.

    Reported-by: Stephen Douthit
    Cc: Christoph Hellwig
    Reviewed-by: Stephen Douthit
    Signed-off-by: Dan Williams
    Signed-off-by: Jens Axboe

    Dan Williams
     
  • 60fc35f32   ahci: Do not export local variable ahci_em_messages ... Browse Code »

    The commit ed08d40cdec4
    ("ahci: Changing two module params with static and __read_mostly")
    moved ahci_em_messages to be static while missing the fact of exporting it.

    WARNING: "ahci_em_messages" [vmlinux] is a static EXPORT_SYMBOL_GPL

    Drop export for the local variable ahci_em_messages.

    Fixes: ed08d40cdec4 ("ahci: Changing two module params with static and __read_mostly")
    Cc: Chuansheng Liu
    Signed-off-by: Andy Shevchenko
    Signed-off-by: Jens Axboe

    Andy Shevchenko
     

27 Aug, 2019

8 commits

23 Aug, 2019

1 commit

  • 12ce6b0d2   ata/pata_buddha: Probe via modalias instead of initcall ... Browse Code »

    Up until now, the pata_buddha driver would only check for cards on
    initcall time. Now, the kernel will call its probe function as soon
    as a compatible card is detected.

    v7: Removed suppress_bind_attrs that slipped in

    v6: Only do the drvdata workaround for X-Surf (remove breaks otherwise)
    Style

    v5: Remove module_exit(): There's no good way to handle the X-Surf hack.
    Also include a workaround to save X-Surf's drvdata in case zorro8390
    is active.

    v4: Clean up pata_buddha_probe() by using ent->driver_data.
    Support X-Surf via late_initcall()

    v3: Clean up devm_*, implement device removal.

    v2: Rename 'zdev' to 'z' to make the patch easy to analyse with
    git diff --ignore-space-change

    Signed-off-by: Max Staudt
    Signed-off-by: Jens Axboe

    Max Staudt
     

08 Aug, 2019

2 commits

  • 752ead444   libata: add SG safety checks in SFF pio transfers ... Browse Code »

    Abort processing of a command if we run out of mapped data in the
    SG list. This should never happen, but a previous bug caused it to
    be possible. Play it safe and attempt to abort nicely if we don't
    have more SG segments left.

    Reviewed-by: Kees Cook
    Signed-off-by: Jens Axboe

    Jens Axboe
     
  • 2d7271501   libata: have ata_scsi_rw_xlat() fail invalid passthrough requests ... Browse Code »

    For passthrough requests, libata-scsi takes what the user passes in
    as gospel. This can be problematic if the user fills in the CDB
    incorrectly. One example of that is in request sizes. For read/write
    commands, the CDB contains fields describing the transfer length of
    the request. These should match with the SG_IO header fields, but
    libata-scsi currently does no validation of that.

    Check that the number of blocks in the CDB for passthrough requests
    matches what was mapped into the request. If the CDB asks for more
    data then the validated SG_IO header fields, error it.

    Reported-by: Krishna Ram Prakash R
    Reviewed-by: Kees Cook
    Signed-off-by: Jens Axboe

    Jens Axboe
     

06 Aug, 2019

1 commit

  • db341a049   ata: rb532_cf: Fix unused variable warning in rb532_pata_driver_probe ... Browse Code »

    Fix the following warning (Building: rb532_defconfig mips):

    drivers/ata/pata_rb532_cf.c: In function ‘rb532_pata_driver_remove’:
    drivers/ata/pata_rb532_cf.c:161:24: warning: unused variable ‘info’ [-Wunused-variable]
    struct rb532_cf_info *info = ah->private_data;
    ^~~~

    Fixes: cd56f35e52d9 ("ata: rb532_cf: Convert to use GPIO descriptors")
    Signed-off-by: Gustavo A. R. Silva
    Signed-off-by: Jens Axboe

    Gustavo A. R. Silva
     

31 Jul, 2019

1 commit

30 Jul, 2019

1 commit

  • 71d6c505b   libata: zpodd: Fix small read overflow in zpodd_get_mech_type() ... Browse Code »

    Jeffrin reported a KASAN issue:

    BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
    Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
    ...
    The buggy address belongs to the variable:
    cdb.48319+0x0/0x40

    Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
    eject_tray()"), this fixes a cdb[] buffer length, this time in
    zpodd_get_mech_type():

    We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
    ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

    Reported-by: Jeffrin Jose T
    Fixes: afe759511808c ("libata: identify and init ZPODD devices")
    Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/
    Tested-by: Jeffrin Jose T
    Reviewed-by: Nick Desaulniers
    Signed-off-by: Kees Cook
    Signed-off-by: Jens Axboe

    Kees Cook
     

16 Jul, 2019

1 commit

10 Jul, 2019

1 commit

  • cdc5ffc41   Merge tag 'for-5.3/libata-20190708' of git://git.kernel.dk/linux-block ... Browse Code »

    Pull libata updates from Jens Axboe:
    "These are the changes that are reviewed, tested, and queued up for
    this merge window. This contains:

    - Removal of redundant memset after dmam_alloc_coherent (Fuqian)

    - Expand blacklist check for ST1000LM024, making it independent of
    firmware version (Hans)

    - Request sense fix (Tejun)

    - ahci_sunxi FIFO fix (Uenal)"

    * tag 'for-5.3/libata-20190708' of git://git.kernel.dk/linux-block:
    drivers: ata: ahci_sunxi: Increased SATA/AHCI DMA TX/RX FIFOs
    libata: Drop firmware version check from the ST1000LM024 quirk
    ata: sata_sil24: Remove call to memset after dmam_alloc_coherent
    ata:sata_qstor: Remove call to memset after dmam_alloc_coherent
    ata: sata_nv: Remove call to memset after dmam_alloc_coherent
    ata: pdc_adma: Remove call to memset after dmam_alloc_coherent
    ata: libahci: Remove call to memset after dmam_alloc_coherent
    ata: acard-ahci: Remove call to memset after dmam_alloc_coherent
    libata: don't request sense data on !ZAC ATA devices

    Linus Torvalds
     

06 Jul, 2019

1 commit

  • 120357ea1   drivers: ata: ahci_sunxi: Increased SATA/AHCI DMA TX/RX FIFOs ... Browse Code »

    Increasing the SATA/AHCI DMA TX/RX FIFOs (P0DMACR.TXTS and .RXTS, ie.
    TX_TRANSACTION_SIZE and RX_TRANSACTION_SIZE) from default 0x0 each
    to 0x3 each, gives a write performance boost of 120 MiB/s to 132 MiB/s
    from lame 36 MiB/s to 45 MiB/s previously.
    Read performance is above 200 MiB/s.
    [tested on SSD using dd bs=4K/8K/12K/16K/20K/24K/32K: peak-perf at 12K]

    Tested on the SBCs Banana Pi R1 (aka Lamobo R1) and Banana Pi M1 which
    are based on the Allwinner A20 32bit-SoC (ARMv7-a / arm-linux-gnueabihf).
    These devices are RaspberryPi-like small devices.

    This problem of slow SATA write-speed with these small devices lasts
    for about 7 years now (beginning with the A10 SoC). Many commentators
    throughout the years wrongly assumed the slow write speed was a
    hardware limitation. This patch finally solves the problem, which
    in fact was just a hard-to-find software problem due to lack of
    SATA/AHCI documentation by the SoC-maker Allwinner Technology.

    Lists of the affected sunxi and other boards and SoCs with SATA using
    the ahci_sunxi driver:
    $ grep -i -e "^&ahci" arch/arm/boot/dts/sun*dts
    and http://linux-sunxi.org/SATA#Devices_with_SATA_ports
    See also http://linux-sunxi.org/Category:Devices_with_SATA_port

    Tested-by: Chen-Yu Tsai
    Acked-by: Maxime Ripard
    Reviewed-by: Hans de Goede
    Signed-off-by: Uenal Mutlu
    Signed-off-by: Jens Axboe

    Uenal Mutlu
     

03 Jul, 2019

1 commit

29 Jun, 2019

2 commits