Changes in 4.19.299
vfs: fix readahead(2) on block devices
genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
i40e: fix potential memory leaks in i40e_remove()
tcp_metrics: add missing barriers on delete
tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
tcp_metrics: do not create an entry from tcp_init_metrics()
wifi: rtlwifi: fix EDCA limit set by BT coexistence
can: dev: move driver related infrastructure into separate subdir
can: dev: can_restart(): don't crash kernel if carrier is OK
can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on()
thermal: core: prevent potential string overflow
chtls: fix tp->rcv_tstamp initialization
ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
ipv6: avoid atomic fragment on GSO packets
macsec: Fix traffic counters/statistics
macsec: use DEV_STATS_INC()
net: add DEV_STATS_READ() helper
ipvlan: properly track tx_errors
regmap: debugfs: Fix a erroneous check after snprintf()
clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
clk: npcm7xx: Fix incorrect kfree
clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
platform/x86: wmi: Fix probe failure when failing to register WMI devices
platform/x86: wmi: remove unnecessary initializations
platform/x86: wmi: Fix opening of char device
hwmon: (coretemp) Fix potentially truncated sysfs attribute name
drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
drm/radeon: possible buffer overflow
drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
firmware: ti_sci: Mark driver as non removable
clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped
hwrng: geode - fix accessing registers
sched/rt: Provide migrate_disable/enable() inlines
nd_btt: Make BTT lanes preemptible
HID: cp2112: Use irqchip template
hid: cp2112: Fix duplicate workqueue initialization
ARM: 9321/1: memset: cast the constant byte to unsigned char
ext4: move 'ix' sanity check to corrent position
RDMA/hfi1: Workaround truncation compilation error
sh: bios: Revive earlyprintk support
ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
ASoC: ams-delta.c: use component after check
mfd: dln2: Fix double put in dln2_probe
leds: pwm: simplify if condition
leds: pwm: convert to atomic PWM API
leds: pwm: Don't disable the PWM when the LED should be off
ledtrig-cpu: Limit to 8 CPUs
leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency
dmaengine: ti: edma: handle irq_of_parse_and_map() errors
misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
tools: iio: privatize globals and functions in iio_generic_buffer.c file
tools: iio: iio_generic_buffer: Fix some integer type and calculation
tools: iio: iio_generic_buffer ensure alignment
USB: usbip: fix stub_dev hub disconnect
dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
pcmcia: cs: fix possible hung task and memory leak pccardd()
pcmcia: ds: fix refcount leak in pcmcia_device_add()
pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
media: bttv: fix use after free error due to btv->timeout timer
media: s3c-camif: Avoid inappropriate kfree()
media: dvb-usb-v2: af9035: fix missing unlock
pwm: sti: Avoid conditional gotos
pwm: sti: Reduce number of allocations and drop usage of chip_data
pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
llc: verify mac len before reading mac header
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
dccp: Call security_inet_conn_request() after setting IPv4 addresses.
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
r8169: improve rtl_set_rx_mode
net: r8169: Disable multicast filter for RTL8168H and RTL8107E
net/smc: postpone release of clcsock
net/smc: wait for pending work before clcsock release_sock
net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
tg3: power down device only on SYSTEM_POWER_OFF
r8169: respect userspace disabling IFF_MULTICAST
netfilter: xt_recent: fix (increase) ipv6 literal buffer length
fbdev: imsttfb: Fix error path of imsttfb_probe()
fbdev: imsttfb: fix a resource leak in probe
fbdev: fsl-diu-fb: mark wr_reg_wa() static
Revert "mmc: core: Capture correct oemid-bits for eMMC cards"
btrfs: use u64 for buffer sizes in the tree search ioctls
Linux 4.19.299
Change-Id: I130ef8f6fcd9ce2815d8b2493f96082376730758
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 6841cab8c4504835e4011689cbdb3351dec693fd ]
This race condition was discovered while updating the at91_can driver
to use can_bus_off(). The following scenario describes how the
converted at91_can driver would behave.
When a CAN device goes into BUS-OFF state, the driver usually
stops/resets the CAN device and calls can_bus_off().
This function sets the netif carrier to off, and (if configured by
user space) schedules a delayed work that calls can_restart() to
restart the CAN device.
The can_restart() function first checks if the carrier is off and
triggers an error message if the carrier is OK.
Then it calls the driver's do_set_mode() function to restart the
device, then it sets the netif carrier to on. There is a race window
between these two calls.
The at91 CAN controller (observed on the sama5d3, a single core 32 bit
ARM CPU) has a hardware limitation. If the device goes into bus-off
while sending a CAN frame, there is no way to abort the sending of
this frame. After the controller is enabled again, another attempt is
made to send it.
If the bus is still faulty, the device immediately goes back to the
bus-off state. The driver calls can_bus_off(), the netif carrier is
switched off and another can_restart is scheduled. This occurs within
the race window before the original can_restart() handler marks the
netif carrier as OK. This would cause the 2nd can_restart() to be
called with an OK netif carrier, resulting in an error message.
The flow of the 1st can_restart() looks like this:
can_restart()
// bail out if netif_carrier is OK
netif_carrier_ok(dev)
priv->do_set_mode(dev, CAN_MODE_START)
// enable CAN controller
// sama5d3 restarts sending old message
// CAN devices goes into BUS_OFF, triggers IRQ
// IRQ handler start
at91_irq()
at91_irq_err_line()
can_bus_off()
netif_carrier_off()
schedule_delayed_work()
// IRQ handler end
netif_carrier_on()
The 2nd can_restart() will be called with an OK netif carrier and the
error message will be printed.
To close the race window, first set the netif carrier to on, then
restart the controller. In case the restart fails with an error code,
roll back the netif carrier to off.
Fixes: 39549eef35 ("can: CAN Network device driver and Netlink interface")
Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-2-91b5c1fd922c@pengutronix.de
Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit fe5c9940dfd8ba0c73672dddb30acd1b7a11d4c7 ]
During testing, I triggered a can_restart() with the netif carrier
being OK [1]. The BUG_ON, which checks if the carrier is OK, results
in a fatal kernel crash. This is neither helpful for debugging nor for
a production system.
[1] The root cause is a race condition in can_restart() which will be
fixed in the next patch.
Do not crash the kernel, issue an error message instead, and continue
restarting the CAN device anyway.
Fixes: 39549eef35 ("can: CAN Network device driver and Netlink interface")
Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-1-91b5c1fd922c@pengutronix.de
Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 3e77f70e734584e0ad1038e459ed3fd2400f873a ]
This patch moves the CAN driver related infrastructure into a separate subdir.
It will be split into more files in the coming patches.
Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Link: https://lore.kernel.org/r/20210111141930.693847-3-mkl@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Stable-dep-of: fe5c9940dfd8 ("can: dev: can_restart(): don't crash kernel if carrier is OK")
Signed-off-by: Sasha Levin <sashal@kernel.org>
