* [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review
@ 2015-12-17  0:38 Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 01/78] tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c Kamal Mostafa
                   ` (77 more replies)
  0 siblings, 78 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Kamal Mostafa

This is the start of the review cycle for the Linux 3.13.11-ckt32 stable kernel.

This version contains 78 new patches, summarized below.  The new patches are
posted as replies to this message and also available in this git branch:

http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.13.y-review

git://kernel.ubuntu.com/ubuntu/linux.git  linux-3.13.y-review

The review period for version 3.13.11-ckt32 will be open for the next three days.
To report a problem, please reply to the relevant follow-up patch message.

For more information about the Linux 3.13.y-ckt extended stable kernel version,
see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable .

 -Kamal

--
 Makefile                                  |  20 +++-
 arch/Kconfig                              |  67 +++++++++++
 arch/arc/kernel/unwind.c                  |  37 +-----
 arch/arm/Kconfig                          |  13 +--
 arch/arm/Makefile                         |   4 -
 arch/arm/boot/compressed/misc.c           |  14 +++
 arch/arm/boot/dts/kirkwood-ts219.dtsi     |   2 +-
 arch/arm64/include/asm/kvm_emulate.h      |   8 +-
 arch/arm64/kernel/setup.c                 |   4 +
 arch/arm64/kvm/inject_fault.c             |   2 +-
 arch/mips/Kconfig                         |  14 +--
 arch/mips/Makefile                        |   4 -
 arch/mips/kvm/kvm_locore.S                |  16 ++-
 arch/mips/kvm/kvm_mips.c                  |   5 +-
 arch/mips/kvm/kvm_mips_emul.c             |   2 +-
 arch/parisc/include/uapi/asm/mman.h       |  10 --
 arch/powerpc/include/asm/reg.h            |   1 +
 arch/powerpc/kernel/signal_32.c           |  14 ++-
 arch/powerpc/kernel/signal_64.c           |   4 +
 arch/sh/Kconfig                           |  15 +--
 arch/sh/Makefile                          |   4 -
 arch/x86/Kconfig                          |  17 +--
 arch/x86/Makefile                         |   8 +-
 arch/x86/kernel/cpu/common.c              |   3 +-
 arch/x86/kernel/signal.c                  |  17 +--
 arch/x86/kernel/xsave.c                   |  11 +-
 block/blk-core.c                          |  21 ++--
 block/partitions/mac.c                    |  10 +-
 drivers/gpu/drm/radeon/rv730_dpm.c        |   2 +-
 drivers/gpu/drm/radeon/rv770_dpm.c        |   4 +-
 drivers/iio/adc/ad7793.c                  |   2 +-
 drivers/iio/dac/ad5064.c                  |  91 ++++++++++-----
 drivers/isdn/hisax/config.c               |   2 +-
 drivers/isdn/hisax/hfc_pci.c              |   2 +-
 drivers/isdn/hisax/hfc_sx.c               |   2 +-
 drivers/isdn/hisax/q931.c                 |   6 +-
 drivers/md/dm-mpath.c                     |   2 +-
 drivers/md/dm.c                           |   2 +-
 drivers/mmc/card/block.c                  |  11 +-
 drivers/net/can/sja1000/sja1000.c         |   3 +
 drivers/net/ethernet/marvell/mvneta.c     |   6 +-
 drivers/net/ethernet/mellanox/mlx4/main.c |   8 +-
 drivers/net/phy/broadcom.c                |   2 +-
 drivers/net/wan/x25_asy.c                 |   6 +-
 drivers/remoteproc/remoteproc_debugfs.c   |   2 +-
 drivers/scsi/hosts.c                      |  11 ++
 drivers/staging/iio/adc/lpc32xx_adc.c     |   4 +-
 drivers/target/iscsi/iscsi_target.c       |  13 ++-
 drivers/target/iscsi/iscsi_target_nego.c  |   1 +
 drivers/target/target_core_sbc.c          |  17 ++-
 drivers/target/target_core_transport.c    |  14 ++-
 drivers/tty/n_tty.c                       |   6 +-
 drivers/usb/chipidea/debug.c              |   2 +
 drivers/usb/class/usblp.c                 |   2 +-
 drivers/usb/dwc3/gadget.c                 |  23 +++-
 drivers/usb/host/xhci-hub.c               |  15 ++-
 drivers/usb/host/xhci.c                   |  10 ++
 drivers/usb/musb/musb_core.c              |  10 +-
 drivers/usb/serial/option.c               |  11 ++
 drivers/usb/serial/ti_usb_3410_5052.c     |   2 +
 drivers/usb/serial/ti_usb_3410_5052.h     |   4 +
 drivers/xen/gntdev.c                      |   2 +-
 fs/btrfs/file.c                           |  11 +-
 fs/cachefiles/rdwr.c                      |   2 +-
 fs/fat/dir.c                              |  16 ++-
 fs/nfs/inode.c                            |   6 +-
 fs/nfs/nfs4client.c                       |   2 +-
 fs/splice.c                               |   8 ++
 fs/sysv/inode.c                           |  10 +-
 include/linux/blkdev.h                    |   1 -
 include/linux/signal.h                    |   1 -
 include/net/af_unix.h                     |   1 +
 include/target/target_core_base.h         |   2 +-
 kernel/sched/core.c                       |   7 +-
 kernel/signal.c                           |   2 +-
 kernel/trace/ring_buffer.c                |  12 +-
 net/core/neighbour.c                      |   4 +-
 net/ipv4/tcp_ipv4.c                       |   3 +-
 net/ipv6/ip6mr.c                          |  15 +--
 net/mac80211/mesh_pathtbl.c               |   8 +-
 net/packet/af_packet.c                    |  60 +++++-----
 net/rds/connection.c                      |   6 -
 net/rds/send.c                            |   4 +-
 net/sctp/auth.c                           |   4 +-
 net/unix/af_unix.c                        | 183 ++++++++++++++++++++++++++----
 sound/pci/hda/patch_realtek.c             |  14 +++
 sound/pci/hda/patch_sigmatel.c            |  45 +++++---
 sound/soc/codecs/wm8962.c                 |   4 +-
 sound/usb/midi.c                          |  46 ++++++++
 sound/usb/quirks-table.h                  |  11 ++
 sound/usb/quirks.c                        |   1 +
 sound/usb/usbaudio.h                      |   1 +
 92 files changed, 754 insertions(+), 383 deletions(-)

Aaro Koskinen (1):
      broadcom: fix PHY_ID_BCM5481 entry in the id table

Al Viro (1):
      fix sysvfs symlinks

Aleksander Morgado (1):
      USB: serial: option: add support for Novatel MiFi USB620L

Alex Deucher (2):
      drm/radeon: make rv770_set_sw_state failures non-fatal
      drm/radeon: make some dpm errors debug only

Alexander Drozdov (1):
      packet: tpacket_snd(): fix signed/unsigned comparison

Andrew Cooper (1):
      x86/cpu: Fix SMAP check in PVOPS environments

Arnd Bergmann (1):
      remoteproc: avoid stack overflow in debugfs file

Bart Van Assche (1):
      Fix a memory leak in scsi_host_dev_release()

Ben McCauley (1):
      usb: dwc3: gadget: let us set lower max_speed

Benjamin Coddington (1):
      nfs4: start callback_ident at idr 1

Bjørn Mork (1):
      USB: option: add XS Stick W100-2 from 4G Systems

Boris Ostrovsky (1):
      xen/gntdev: Grant maps should not be subject to NUMA balancing

Christoph Biedl (1):
      isdn: Partially revert debug format string usage clean up

Clemens Ladisch (3):
      ALSA: usb-audio: add packet size quirk for the Medeli DD305
      ALSA: usb-audio: prevent CH345 multiport output SysEx corruption
      ALSA: usb-audio: work around CH345 input SysEx corruption

Daniel Borkmann (3):
      packet: allow to transmit +4 byte in TX_RING slot for VLAN case
      packet: only allow extra vlan len on ethernet devices
      packet: fix tpacket_snd max frame len

Dave Hansen (1):
      x86/fpu: Fix 32-bit signal frame handling

David Sterba (1):
      btrfs: fix signed overflows in btrfs_sync_file

David Woodhouse (1):
      USB: ti_usb_3410_5052: Add Honeywell HGI80 ID

Dmitry V. Levin (1):
      x86/signal: Fix restart_syscall number for x32 tasks

Eric Dumazet (1):
      tcp: md5: fix lockdep annotation

Geert Uytterhoeven (1):
      FS-Cache: Add missing initialization of ret in cachefiles_write_page()

Hannes Reinecke (1):
      block: Always check queue limits for cloned requests

Helge Deller (1):
      parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h

Helmut Klein (1):
      ARM: dts: Kirkwood: Fix QNAP TS219 power-off

Hui Wang (1):
      ALSA: hda - Fix headphone noise after Dell XPS 13 resume back from S3

James Hogan (3):
      MIPS: KVM: Fix ASID restoration logic
      MIPS: KVM: Fix CACHE immediate offset sign extension
      MIPS: KVM: Uninit VCPU in vcpu_create error path

Jan Engelhardt (1):
      target: fix COMPARE_AND_WRITE non zero SGL offset data corruption

Jan Kara (2):
      vfs: Make sendfile(2) killable even better
      vfs: Avoid softlockups with sendfile(2)

Jeff Layton (1):
      nfs: if we have no valid attrs, then don't declare the attribute cache valid

Jiri Slaby (1):
      usblp: do not set TASK_INTERRUPTIBLE before lock

Johannes Berg (1):
      mac80211: mesh: fix call_rcu() usage

Junichi Nomura (1):
      dm: fix ioctl retry termination with signal

Kees Cook (3):
      stackprotector: Unify the HAVE_CC_STACKPROTECTOR logic between architectures
      stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG
      mac: validate mac_partition is within sector

Konstantin Khlebnikov (1):
      net/neighbour: fix crash at dumping device-agnostic proxy entries

Kosuke Tatsukawa (1):
      tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c

Lars-Peter Clausen (2):
      iio: ad5064: Fix ad5629/ad5669 shift
      iio:ad7793: Fix ad7785 product ID

Li Jun (1):
      usb: chipidea: debug: disable usb irq while role switch

Luca Porzio (1):
      mmc: remove bondage between REQ_META and reliable write

Marc Zyngier (1):
      arm64: KVM: Fix AArch32 to AArch64 register mapping

Marcin Wojtas (3):
      net: mvneta: add configuration for MBUS windows access protection
      net: mvneta: fix bit assignment in MVNETA_RXQ_CONFIG_REG
      net: mvneta: fix bit assignment for RX packet irq enable

Mathias Nyman (1):
      xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices

Michael Hennerich (1):
      iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success

Michael Neuling (1):
      powerpc/tm: Block signal return setting invalid MSR state

Mirza Krak (1):
      can: sja1000: clear interrupts on start

Nicholas Bellinger (2):
      iscsi-target: Fix rx_login_comp hang after login failure
      target: Fix race for SCF_COMPARE_AND_WRITE_POST checking

Nikolay Aleksandrov (1):
      net: ip6mr: fix static mfc/dev leaks on table destruction

Noa Osherovich (1):
      net/mlx4_core: Avoid returning success in case of an error flow

OGAWA Hirofumi (1):
      fat: fix fake_offset handling on error path

Peter Hurley (1):
      wan/x25: Fix use-after-free in x25_asy_open_tty()

Quentin Casasnovas (1):
      RDS: fix race condition when sending a message on unbound socket

Rainer Weikusat (1):
      unix: avoid use-after-free in ep_remove_wait_queue

Rajmohan Mani (1):
      xhci: Workaround to get Intel xHCI reset working more reliably

Richard Weinberger (1):
      kernel/signal.c: unexport sigsuspend()

Sachin Pandhare (1):
      ASoC: wm8962: correct addresses for HPF_C_0/1

Sasha Levin (1):
      sched/core: Remove false-positive warning from wake_up_process()

Steven Rostedt (Red Hat) (1):
      ring-buffer: Update read stamp with first real commit on page

Takashi Iwai (2):
      ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14
      ALSA: hda - Apply HP headphone fixups more generically

Uwe Kleine-König (1):
      usb: musb: core: fix order of arguments to ulpi write callback

Vineet Gupta (1):
      ARC: dw2 unwind: Remove falllback linear search thru FDE entries

Vladimir Zapolskiy (1):
      iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock

Xunlei Pang (1):
      sched/core: Clear the root_domain cpumasks in init_rootdomain()

Yang Shi (1):
      arm64: restore bogomips information in /proc/cpuinfo

lucien (1):
      sctp: translate host order to network order when setting a hmacid


* [PATCH 3.13.y-ckt 01/78] tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38   ` Kamal Mostafa
                   ` (76 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Kosuke Tatsukawa, Greg Kroah-Hartman, Joseph Salisbury, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>

commit e81107d4c6bd098878af9796b24edc8d4a9524fd upstream.

My colleague ran into a program stall on an x86_64 server, where
n_tty_read() was waiting for data even if there was data in the buffer
in the pty.  Kernel stack for the stuck process looks like below.
 #0 [ffff88303d107b58] __schedule at ffffffff815c4b20
 #1 [ffff88303d107bd0] schedule at ffffffff815c513e
 #2 [ffff88303d107bf0] schedule_timeout at ffffffff815c7818
 #3 [ffff88303d107ca0] wait_woken at ffffffff81096bd2
 #4 [ffff88303d107ce0] n_tty_read at ffffffff8136fa23
 #5 [ffff88303d107dd0] tty_read at ffffffff81368013
 #6 [ffff88303d107e20] __vfs_read at ffffffff811a3704
 #7 [ffff88303d107ec0] vfs_read at ffffffff811a3a57
 #8 [ffff88303d107f00] sys_read at ffffffff811a4306
 #9 [ffff88303d107f50] entry_SYSCALL_64_fastpath at ffffffff815c86d7

There seem to be two problems causing this issue.

First, in drivers/tty/n_tty.c, __receive_buf() stores the data and
updates ldata->commit_head using smp_store_release() and then checks
the wait queue using waitqueue_active().  However, since there is no
memory barrier, __receive_buf() could return without calling
wake_up_interactive_poll(), and at the same time, n_tty_read() could
start to wait in wait_woken() as in the following chart.

        __receive_buf()                         n_tty_read()
------------------------------------------------------------------------
if (waitqueue_active(&tty->read_wait))
/* Memory operations issued after the
   RELEASE may be completed before the
   RELEASE operation has completed */
                                        add_wait_queue(&tty->read_wait, &wait);
                                        ...
                                        if (!input_available_p(tty, 0)) {
smp_store_release(&ldata->commit_head,
                  ldata->read_head);
                                        ...
                                        timeout = wait_woken(&wait,
                                          TASK_INTERRUPTIBLE, timeout);
------------------------------------------------------------------------

The second problem is that n_tty_read() also lacks a memory barrier
call and could also cause __receive_buf() to return without calling
wake_up_interactive_poll(), and n_tty_read() to wait in wait_woken()
as in the chart below.

        __receive_buf()                         n_tty_read()
------------------------------------------------------------------------
                                        spin_lock_irqsave(&q->lock, flags);
                                        /* from add_wait_queue() */
                                        ...
                                        if (!input_available_p(tty, 0)) {
                                        /* Memory operations issued after the
                                           RELEASE may be completed before the
                                           RELEASE operation has completed */
smp_store_release(&ldata->commit_head,
                  ldata->read_head);
if (waitqueue_active(&tty->read_wait))
                                        __add_wait_queue(q, wait);
                                        spin_unlock_irqrestore(&q->lock,flags);
                                        /* from add_wait_queue() */
                                        ...
                                        timeout = wait_woken(&wait,
                                          TASK_INTERRUPTIBLE, timeout);
------------------------------------------------------------------------

There are also other places in drivers/tty/n_tty.c which have similar
calls to waitqueue_active(), so instead of adding many memory barrier
calls, this patch simply removes the call to waitqueue_active(),
leaving just wake_up*() behind.

This fixes both problems because, even though the memory access before
or after the spinlocks in both wake_up*() and add_wait_queue() can
sneak into the critical section, it cannot go past it and the critical
section assures that they will be serialized (please see "INTER-CPU
ACQUIRING BARRIER EFFECTS" in Documentation/memory-barriers.txt for a
better explanation).  Moreover, the resulting code is much simpler.

Latency measurement using a ping-pong test over a pty doesn't show any
visible performance drop.

Signed-off-by: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[jsalisbury: Backported to 3.13.y:
 - Use wake_up_interruptible(), not wake_up_interruptible_poll()
 - There are only two spurious uses of waitqueue_active() to remove]
BugLink: http://bugs.launchpad.net/bugs/1512815
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/tty/n_tty.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 0b2e1ff..d40c9e3 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1383,8 +1383,7 @@ handle_newline:
 			put_tty_queue(c, ldata);
 			ldata->canon_head = ldata->read_head;
 			kill_fasync(&tty->fasync, SIGIO, POLL_IN);
-			if (waitqueue_active(&tty->read_wait))
-				wake_up_interruptible(&tty->read_wait);
+			wake_up_interruptible(&tty->read_wait);
 			return 0;
 		}
 	}
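Review bot: The changelog's race charts are built around smp_store_release(&ldata->commit_head, ...), but the publish step visible in this hunk is the plain store `ldata->canon_head = ldata->read_head;`. With the waitqueue_active() guard gone, the ordering between that store and the reader's wait-queue registration rests on the wait-queue spinlock taken inside wake_up_interruptible(), as the changelog argues for wake_up*(). Please say so in the [jsalisbury: ...] backport note, so the 3.13.y reasoning does not depend on a store this hunk does not contain.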
@@ -1669,8 +1668,7 @@ static void __receive_buf(struct tty_struct *tty, const unsigned char *cp,
 	if ((!ldata->icanon && (read_cnt(ldata) >= ldata->minimum_to_wake)) ||
 		L_EXTPROC(tty)) {
 		kill_fasync(&tty->fasync, SIGIO, POLL_IN);
-		if (waitqueue_active(&tty->read_wait))
-			wake_up_interruptible(&tty->read_wait);
+		wake_up_interruptible(&tty->read_wait);
 	}
 }
 
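Review bot: The backport note's claim that there are "only two spurious uses of waitqueue_active() to remove" cannot be checked from this diff, which shows only the handle_newline and __receive_buf() sites, while the upstream changelog refers to "other places in drivers/tty/n_tty.c" with similar calls. Please name in the backport note the upstream call sites that do not exist in 3.13.y, so a reviewer can confirm that no `if (waitqueue_active(...))` guard in front of a wake_up call is left in the file.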
-- 
1.9.1



* [PATCH 3.13.y-ckt 02/78] stackprotector: Unify the HAVE_CC_STACKPROTECTOR logic between architectures
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 01/78] tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c Kamal Mostafa
@ 2015-12-17  0:38   ` Kamal Mostafa
  2015-12-17  0:38   ` Kamal Mostafa
                     ` (75 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Kees Cook, Arjan van de Ven, Michal Marek, Russell King,
	Ralf Baechle, Paul Mundt, James Hogan, Stephen Rothwell,
	Shawn Guo, Linus Torvalds, Andrew Morton, Peter Zijlstra,
	Thomas Gleixner, linux-arm-kernel, linux-mips, linux-arch,
	Ingo Molnar, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 19952a92037e752f9d3bbbad552d596f9a56e146 upstream.

Instead of duplicating the CC_STACKPROTECTOR Kconfig and
Makefile logic in each architecture, switch to using
HAVE_CC_STACKPROTECTOR and keep everything in one place. This
retains the x86-specific bug verification scripts.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Shawn Guo <shawn.guo@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-mips@linux-mips.org
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/1387481759-14535-2-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ kamal: 3.13-stable prereq for
  8779657 stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Makefile           | 14 +++++++++++---
 arch/Kconfig       | 22 ++++++++++++++++++++++
 arch/arm/Kconfig   | 13 +------------
 arch/arm/Makefile  |  4 ----
 arch/mips/Kconfig  | 14 +-------------
 arch/mips/Makefile |  4 ----
 arch/sh/Kconfig    | 15 +--------------
 arch/sh/Makefile   |  4 ----
 arch/x86/Kconfig   | 17 +----------------
 arch/x86/Makefile  |  8 +++-----
 10 files changed, 40 insertions(+), 75 deletions(-)

diff --git a/Makefile b/Makefile
index 7606094..58a799e 100644
--- a/Makefile
+++ b/Makefile
@@ -597,10 +597,18 @@ ifneq ($(CONFIG_FRAME_WARN),0)
 KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
 endif
 
-# Force gcc to behave correct even for buggy distributions
-ifndef CONFIG_CC_STACKPROTECTOR
-KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
+# Handle stack protector mode.
+ifdef CONFIG_CC_STACKPROTECTOR
+  stackp-flag := -fstack-protector
+  ifeq ($(call cc-option, $(stackp-flag)),)
+    $(warning Cannot use CONFIG_CC_STACKPROTECTOR: \
+	      -fstack-protector not supported by compiler))
+  endif
+else
+  # Force off for distro compilers that enable stack protector by default.
+  stackp-flag := $(call cc-option, -fno-stack-protector)
 endif
+KBUILD_CFLAGS += $(stackp-flag)
 
 # This warning generated too much noise in a regular build.
 # Use make W=1 to enable this warning (see scripts/Makefile.build)
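Review bot: The `$(warning ...)` call in the `ifeq ($(call cc-option, $(stackp-flag)),)` branch ends with `))`, one closing parenthesis more than it opens, so a stray `)` is left behind the function call; drop the extra one. In the same branch stackp-flag stays set to -fstack-protector and is still appended by `KBUILD_CFLAGS += $(stackp-flag)`, so the build continues with a flag the compiler has just been found not to accept. If a hard build failure is the intent, state it in the comment or use $(error ...) instead of $(warning ...).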
diff --git a/arch/Kconfig b/arch/Kconfig
index f1cf895..24e026d 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -336,6 +336,28 @@ config SECCOMP_FILTER
 
 	  See Documentation/prctl/seccomp_filter.txt for details.
 
+config HAVE_CC_STACKPROTECTOR
+	bool
+	help
+	  An arch should select this symbol if:
+	  - its compiler supports the -fstack-protector option
+	  - it has implemented a stack canary (e.g. __stack_chk_guard)
+
+config CC_STACKPROTECTOR
+	bool "Enable -fstack-protector buffer overflow detection"
+	depends on HAVE_CC_STACKPROTECTOR
+	help
+	  This option turns on the -fstack-protector GCC feature. This
+	  feature puts, at the beginning of functions, a canary value on
+	  the stack just before the return address, and validates
+	  the value just before actually returning.  Stack based buffer
+	  overflows (that need to overwrite this return address) now also
+	  overwrite the canary, which gets detected and the attack is then
+	  neutralized via a kernel panic.
+
+	  This feature requires gcc version 4.2 or above, or a distribution
+	  gcc with the feature backported.
+
 config HAVE_CONTEXT_TRACKING
 	bool
 	help
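Review bot: The unified CC_STACKPROTECTOR prompt drops the "(EXPERIMENTAL)" suffix that the arm, mips and sh entries removed elsewhere in this patch carried, and the changelog does not mention that change in status; note it there. In the HAVE_CC_STACKPROTECTOR help, the two conditions under "An arch should select this symbol if:" do not say whether both are required; wording such as "if both of the following hold" would make the contract for architecture maintainers unambiguous.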
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index b3d400d..5102fd5 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -31,6 +31,7 @@ config ARM
 	select HAVE_BPF_JIT
 	select HAVE_CONTEXT_TRACKING
 	select HAVE_C_RECORDMCOUNT
+	select HAVE_CC_STACKPROTECTOR
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DMA_API_DEBUG
 	select HAVE_DMA_ATTRS
@@ -1859,18 +1860,6 @@ config SECCOMP
 	  and the task is only allowed to execute a few safe syscalls
 	  defined by each seccomp mode.
 
-config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
-	help
-	  This option turns on the -fstack-protector GCC feature. This
-	  feature puts, at the beginning of functions, a canary value on
-	  the stack just before the return address, and validates
-	  the value just before actually returning.  Stack based buffer
-	  overflows (that need to overwrite this return address) now also
-	  overwrite the canary, which gets detected and the attack is then
-	  neutralized via a kernel panic.
-	  This feature requires gcc version 4.2 or above.
-
 config SWIOTLB
 	def_bool y
 
diff --git a/arch/arm/Makefile b/arch/arm/Makefile
index 749e88f..bc050dc 100644
--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@@ -40,10 +40,6 @@ ifeq ($(CONFIG_FRAME_POINTER),y)
 KBUILD_CFLAGS	+=-fno-omit-frame-pointer -mapcs -mno-sched-prolog
 endif
 
-ifeq ($(CONFIG_CC_STACKPROTECTOR),y)
-KBUILD_CFLAGS	+=-fstack-protector
-endif
-
 ifeq ($(CONFIG_CPU_BIG_ENDIAN),y)
 KBUILD_CPPFLAGS	+= -mbig-endian
 AS		+= -EB
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index 650de39..c93d92b 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -47,6 +47,7 @@ config MIPS
 	select MODULES_USE_ELF_RELA if MODULES && 64BIT
 	select CLONE_BACKWARDS
 	select HAVE_DEBUG_STACKOVERFLOW
+	select HAVE_CC_STACKPROTECTOR
 
 menu "Machine selection"
 
@@ -2322,19 +2323,6 @@ config SECCOMP
 
 	  If unsure, say Y. Only embedded should say N here.
 
-config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
-	help
-	  This option turns on the -fstack-protector GCC feature. This
-	  feature puts, at the beginning of functions, a canary value on
-	  the stack just before the return address, and validates
-	  the value just before actually returning.  Stack based buffer
-	  overflows (that need to overwrite this return address) now also
-	  overwrite the canary, which gets detected and the attack is then
-	  neutralized via a kernel panic.
-
-	  This feature requires gcc version 4.2 or above.
-
 config USE_OF
 	bool
 	select OF
diff --git a/arch/mips/Makefile b/arch/mips/Makefile
index de300b9..efe50787 100644
--- a/arch/mips/Makefile
+++ b/arch/mips/Makefile
@@ -232,10 +232,6 @@ bootvars-y	= VMLINUX_LOAD_ADDRESS=$(load-y) \
 
 LDFLAGS			+= -m $(ld-emul)
 
-ifdef CONFIG_CC_STACKPROTECTOR
-  KBUILD_CFLAGS += -fstack-protector
-endif
-
 ifdef CONFIG_MIPS
 CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
 	egrep -vw '__GNUC_(|MINOR_|PATCHLEVEL_)_' | \
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 9b0979f..ce29831 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -66,6 +66,7 @@ config SUPERH32
 	select PERF_EVENTS
 	select ARCH_HIBERNATION_POSSIBLE if MMU
 	select SPARSE_IRQ
+	select HAVE_CC_STACKPROTECTOR
 
 config SUPERH64
 	def_bool ARCH = "sh64"
@@ -695,20 +696,6 @@ config SECCOMP
 
 	  If unsure, say N.
 
-config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
-	depends on SUPERH32
-	help
-	  This option turns on the -fstack-protector GCC feature. This
-	  feature puts, at the beginning of functions, a canary value on
-	  the stack just before the return address, and validates
-	  the value just before actually returning.  Stack based buffer
-	  overflows (that need to overwrite this return address) now also
-	  overwrite the canary, which gets detected and the attack is then
-	  neutralized via a kernel panic.
-
-	  This feature requires gcc version 4.2 or above.
-
 config SMP
 	bool "Symmetric multi-processing support"
 	depends on SYS_SUPPORTS_SMP
diff --git a/arch/sh/Makefile b/arch/sh/Makefile
index aed701c..d4d16e4 100644
--- a/arch/sh/Makefile
+++ b/arch/sh/Makefile
@@ -199,10 +199,6 @@ ifeq ($(CONFIG_DWARF_UNWINDER),y)
   KBUILD_CFLAGS += -fasynchronous-unwind-tables
 endif
 
-ifeq ($(CONFIG_CC_STACKPROTECTOR),y)
-  KBUILD_CFLAGS += -fstack-protector
-endif
-
 libs-$(CONFIG_SUPERH32)		:= arch/sh/lib/	$(libs-y)
 libs-$(CONFIG_SUPERH64)		:= arch/sh/lib64/ $(libs-y)
 
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 223080d..250706e 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -126,6 +126,7 @@ config X86
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
 	select ARCH_SUPPORTS_ATOMIC_RMW
+	select HAVE_CC_STACKPROTECTOR
 
 config INSTRUCTION_DECODER
 	def_bool y
@@ -1640,22 +1641,6 @@ config SECCOMP
 
 	  If unsure, say Y. Only embedded should say N here.
 
-config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection"
-	---help---
-	  This option turns on the -fstack-protector GCC feature. This
-	  feature puts, at the beginning of functions, a canary value on
-	  the stack just before the return address, and validates
-	  the value just before actually returning.  Stack based buffer
-	  overflows (that need to overwrite this return address) now also
-	  overwrite the canary, which gets detected and the attack is then
-	  neutralized via a kernel panic.
-
-	  This feature requires gcc version 4.2 or above, or a distribution
-	  gcc with the feature backported. Older versions are automatically
-	  detected and for those versions, this configuration option is
-	  ignored. (and a warning is printed during bootup)
-
 source kernel/Kconfig.hz
 
 config KEXEC
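Review bot: The removed x86 help text told users that older compilers "are automatically detected and for those versions, this configuration option is ignored", and the consolidated help in arch/Kconfig keeps only the gcc 4.2 sentence. Since the arch/x86/Makefile change in this patch no longer leaves the flag out when the check script fails, describe the new behaviour in the arch/Kconfig help rather than dropping the paragraph without comment.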
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 57d0215..13b22e0 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -89,13 +89,11 @@ else
         KBUILD_CFLAGS += -maccumulate-outgoing-args
 endif
 
+# Make sure compiler does not have buggy stack-protector support.
 ifdef CONFIG_CC_STACKPROTECTOR
 	cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
-        ifeq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
-                stackp-y := -fstack-protector
-                KBUILD_CFLAGS += $(stackp-y)
-        else
-                $(warning stack protector enabled but no compiler support)
+        ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
+                $(warning stack-protector enabled but compiler support broken)
         endif
 endif
 
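Review bot: In the `ifneq` branch a failing gcc-x86_$(BITS)-has-stack-protector.sh check now only emits `$(warning stack-protector enabled but compiler support broken)`, whereas the removed lines added -fstack-protector to KBUILD_CFLAGS only when the script printed y. Combined with the top-level Makefile hunk, which appends $(stackp-flag) whenever CONFIG_CC_STACKPROTECTOR is set, a compiler the script reports as broken still builds the kernel with the option enabled in the config. Consider $(error ...) here, or clearing stackp-flag, so a kernel whose canary support is known to be broken is not built with only a warning in the log.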
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 02/78] stackprotector: Unify the HAVE_CC_STACKPROTECTOR logic between architectures
@ 2015-12-17  0:38   ` Kamal Mostafa
  0 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Michal Marek, Stephen Rothwell, James Hogan, Russell King,
	Kees Cook, linux-mips, Peter Zijlstra, Linus Torvalds,
	Kamal Mostafa, Ralf Baechle, Ingo Molnar, Paul Mundt, linux-arch,
	Andrew Morton, Shawn Guo, Arjan van de Ven, Thomas Gleixner,
	linux-arm-kernel

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 19952a92037e752f9d3bbbad552d596f9a56e146 upstream.

Instead of duplicating the CC_STACKPROTECTOR Kconfig and
Makefile logic in each architecture, switch to using
HAVE_CC_STACKPROTECTOR and keep everything in one place. This
retains the x86-specific bug verification scripts.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Shawn Guo <shawn.guo@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-mips@linux-mips.org
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/1387481759-14535-2-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ kamal: 3.13-stable prereq for
  8779657 stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Makefile           | 14 +++++++++++---
 arch/Kconfig       | 22 ++++++++++++++++++++++
 arch/arm/Kconfig   | 13 +------------
 arch/arm/Makefile  |  4 ----
 arch/mips/Kconfig  | 14 +-------------
 arch/mips/Makefile |  4 ----
 arch/sh/Kconfig    | 15 +--------------
 arch/sh/Makefile   |  4 ----
 arch/x86/Kconfig   | 17 +----------------
 arch/x86/Makefile  |  8 +++-----
 10 files changed, 40 insertions(+), 75 deletions(-)

diff --git a/Makefile b/Makefile
index 7606094..58a799e 100644
--- a/Makefile
+++ b/Makefile
@@ -597,10 +597,18 @@ ifneq ($(CONFIG_FRAME_WARN),0)
 KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
 endif
 
-# Force gcc to behave correct even for buggy distributions
-ifndef CONFIG_CC_STACKPROTECTOR
-KBUILD_CFLAGS += $(call cc-option, -fno-stack-protector)
+# Handle stack protector mode.
+ifdef CONFIG_CC_STACKPROTECTOR
+  stackp-flag := -fstack-protector
+  ifeq ($(call cc-option, $(stackp-flag)),)
+    $(warning Cannot use CONFIG_CC_STACKPROTECTOR: \
+	      -fstack-protector not supported by compiler))
+  endif
+else
+  # Force off for distro compilers that enable stack protector by default.
+  stackp-flag := $(call cc-option, -fno-stack-protector)
 endif
+KBUILD_CFLAGS += $(stackp-flag)
 
 # This warning generated too much noise in a regular build.
 # Use make W=1 to enable this warning (see scripts/Makefile.build)
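
Review bot: The $(warning ...) call in the "ifdef CONFIG_CC_STACKPROTECTOR" branch ends in "compiler))", one closing parenthesis more than it opens, so the extra ")" falls outside the function call; drop it. In the same branch, when cc-option rejects the flag the code only warns: stackp-flag still holds -fstack-protector and is appended to KBUILD_CFLAGS, whereas the else branch passes its flag through cc-option. Either clear stackp-flag after the warning or state in the comment that handing the unsupported flag to the compiler is intended.
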
diff --git a/arch/Kconfig b/arch/Kconfig
index f1cf895..24e026d 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -336,6 +336,28 @@ config SECCOMP_FILTER
 
 	  See Documentation/prctl/seccomp_filter.txt for details.
 
+config HAVE_CC_STACKPROTECTOR
+	bool
+	help
+	  An arch should select this symbol if:
+	  - its compiler supports the -fstack-protector option
+	  - it has implemented a stack canary (e.g. __stack_chk_guard)
+
+config CC_STACKPROTECTOR
+	bool "Enable -fstack-protector buffer overflow detection"
+	depends on HAVE_CC_STACKPROTECTOR
+	help
+	  This option turns on the -fstack-protector GCC feature. This
+	  feature puts, at the beginning of functions, a canary value on
+	  the stack just before the return address, and validates
+	  the value just before actually returning.  Stack based buffer
+	  overflows (that need to overwrite this return address) now also
+	  overwrite the canary, which gets detected and the attack is then
+	  neutralized via a kernel panic.
+
+	  This feature requires gcc version 4.2 or above, or a distribution
+	  gcc with the feature backported.
+
 config HAVE_CONTEXT_TRACKING
 	bool
 	help
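
Review bot: The unified CC_STACKPROTECTOR help text does not say what happens when the option is enabled with a compiler that lacks -fstack-protector. The x86 help removed by this patch stated that older compilers are detected and the option is then ignored; with the new top-level Makefile logic the outcome is a build-time warning instead, so the help text should carry a sentence to that effect rather than silently dropping the old one.
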
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index b3d400d..5102fd5 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -31,6 +31,7 @@ config ARM
 	select HAVE_BPF_JIT
 	select HAVE_CONTEXT_TRACKING
 	select HAVE_C_RECORDMCOUNT
+	select HAVE_CC_STACKPROTECTOR
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DMA_API_DEBUG
 	select HAVE_DMA_ATTRS
@@ -1859,18 +1860,6 @@ config SECCOMP
 	  and the task is only allowed to execute a few safe syscalls
 	  defined by each seccomp mode.
 
-config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
-	help
-	  This option turns on the -fstack-protector GCC feature. This
-	  feature puts, at the beginning of functions, a canary value on
-	  the stack just before the return address, and validates
-	  the value just before actually returning.  Stack based buffer
-	  overflows (that need to overwrite this return address) now also
-	  overwrite the canary, which gets detected and the attack is then
-	  neutralized via a kernel panic.
-	  This feature requires gcc version 4.2 or above.
-
 config SWIOTLB
 	def_bool y
 
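
Review bot: The ARM prompt removed here carried an "(EXPERIMENTAL)" tag that the unified prompt in arch/Kconfig does not have, and the same is true of the MIPS and SH entries removed further down. The changelog presents the patch as a consolidation only, so it should mention that the tag is dropped for these three architectures.
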
diff --git a/arch/arm/Makefile b/arch/arm/Makefile
index 749e88f..bc050dc 100644
--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@@ -40,10 +40,6 @@ ifeq ($(CONFIG_FRAME_POINTER),y)
 KBUILD_CFLAGS	+=-fno-omit-frame-pointer -mapcs -mno-sched-prolog
 endif
 
-ifeq ($(CONFIG_CC_STACKPROTECTOR),y)
-KBUILD_CFLAGS	+=-fstack-protector
-endif
-
 ifeq ($(CONFIG_CPU_BIG_ENDIAN),y)
 KBUILD_CPPFLAGS	+= -mbig-endian
 AS		+= -EB
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index 650de39..c93d92b 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -47,6 +47,7 @@ config MIPS
 	select MODULES_USE_ELF_RELA if MODULES && 64BIT
 	select CLONE_BACKWARDS
 	select HAVE_DEBUG_STACKOVERFLOW
+	select HAVE_CC_STACKPROTECTOR
 
 menu "Machine selection"
 
@@ -2322,19 +2323,6 @@ config SECCOMP
 
 	  If unsure, say Y. Only embedded should say N here.
 
-config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
-	help
-	  This option turns on the -fstack-protector GCC feature. This
-	  feature puts, at the beginning of functions, a canary value on
-	  the stack just before the return address, and validates
-	  the value just before actually returning.  Stack based buffer
-	  overflows (that need to overwrite this return address) now also
-	  overwrite the canary, which gets detected and the attack is then
-	  neutralized via a kernel panic.
-
-	  This feature requires gcc version 4.2 or above.
-
 config USE_OF
 	bool
 	select OF
diff --git a/arch/mips/Makefile b/arch/mips/Makefile
index de300b9..efe50787 100644
--- a/arch/mips/Makefile
+++ b/arch/mips/Makefile
@@ -232,10 +232,6 @@ bootvars-y	= VMLINUX_LOAD_ADDRESS=$(load-y) \
 
 LDFLAGS			+= -m $(ld-emul)
 
-ifdef CONFIG_CC_STACKPROTECTOR
-  KBUILD_CFLAGS += -fstack-protector
-endif
-
 ifdef CONFIG_MIPS
 CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
 	egrep -vw '__GNUC_(|MINOR_|PATCHLEVEL_)_' | \
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 9b0979f..ce29831 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -66,6 +66,7 @@ config SUPERH32
 	select PERF_EVENTS
 	select ARCH_HIBERNATION_POSSIBLE if MMU
 	select SPARSE_IRQ
+	select HAVE_CC_STACKPROTECTOR
 
 config SUPERH64
 	def_bool ARCH = "sh64"
@@ -695,20 +696,6 @@ config SECCOMP
 
 	  If unsure, say N.
 
-config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
-	depends on SUPERH32
-	help
-	  This option turns on the -fstack-protector GCC feature. This
-	  feature puts, at the beginning of functions, a canary value on
-	  the stack just before the return address, and validates
-	  the value just before actually returning.  Stack based buffer
-	  overflows (that need to overwrite this return address) now also
-	  overwrite the canary, which gets detected and the attack is then
-	  neutralized via a kernel panic.
-
-	  This feature requires gcc version 4.2 or above.
-
 config SMP
 	bool "Symmetric multi-processing support"
 	depends on SYS_SUPPORTS_SMP
diff --git a/arch/sh/Makefile b/arch/sh/Makefile
index aed701c..d4d16e4 100644
--- a/arch/sh/Makefile
+++ b/arch/sh/Makefile
@@ -199,10 +199,6 @@ ifeq ($(CONFIG_DWARF_UNWINDER),y)
   KBUILD_CFLAGS += -fasynchronous-unwind-tables
 endif
 
-ifeq ($(CONFIG_CC_STACKPROTECTOR),y)
-  KBUILD_CFLAGS += -fstack-protector
-endif
-
 libs-$(CONFIG_SUPERH32)		:= arch/sh/lib/	$(libs-y)
 libs-$(CONFIG_SUPERH64)		:= arch/sh/lib64/ $(libs-y)
 
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 223080d..250706e 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -126,6 +126,7 @@ config X86
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
 	select ARCH_SUPPORTS_ATOMIC_RMW
+	select HAVE_CC_STACKPROTECTOR
 
 config INSTRUCTION_DECODER
 	def_bool y
@@ -1640,22 +1641,6 @@ config SECCOMP
 
 	  If unsure, say Y. Only embedded should say N here.
 
-config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection"
-	---help---
-	  This option turns on the -fstack-protector GCC feature. This
-	  feature puts, at the beginning of functions, a canary value on
-	  the stack just before the return address, and validates
-	  the value just before actually returning.  Stack based buffer
-	  overflows (that need to overwrite this return address) now also
-	  overwrite the canary, which gets detected and the attack is then
-	  neutralized via a kernel panic.
-
-	  This feature requires gcc version 4.2 or above, or a distribution
-	  gcc with the feature backported. Older versions are automatically
-	  detected and for those versions, this configuration option is
-	  ignored. (and a warning is printed during bootup)
-
 source kernel/Kconfig.hz
 
 config KEXEC
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 57d0215..13b22e0 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -89,13 +89,11 @@ else
         KBUILD_CFLAGS += -maccumulate-outgoing-args
 endif
 
+# Make sure compiler does not have buggy stack-protector support.
 ifdef CONFIG_CC_STACKPROTECTOR
 	cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
-        ifeq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
-                stackp-y := -fstack-protector
-                KBUILD_CFLAGS += $(stackp-y)
-        else
-                $(warning stack protector enabled but no compiler support)
+        ifneq ($(shell $(CONFIG_SHELL) $(cc_has_sp) $(CC) $(KBUILD_CPPFLAGS) $(biarch)),y)
+                $(warning stack-protector enabled but compiler support broken)
         endif
 endif
 
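
Review bot: With the stackp-y assignment removed from this block, a failed gcc-x86_$(BITS)-has-stack-protector.sh check no longer keeps -fstack-protector out of KBUILD_CFLAGS. The top-level Makefile now adds the flag whenever CONFIG_CC_STACKPROTECTOR is set, and this check only prints "compiler support broken"; before the change, a compiler that failed the check built without the flag. If building with a compiler the script considers broken is not intended, make this $(error ...) or have the check reset the flag; otherwise the changelog should state the behaviour change.
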
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 03/78] stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 01/78] tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c Kamal Mostafa
@ 2015-12-17  0:38   ` Kamal Mostafa
  2015-12-17  0:38   ` Kamal Mostafa
                     ` (75 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Kees Cook, Arjan van de Ven, Michal Marek, Russell King,
	Ralf Baechle, Paul Mundt, James Hogan, Stephen Rothwell,
	Shawn Guo, Linus Torvalds, Andrew Morton, Peter Zijlstra,
	linux-arm-kernel, linux-mips, linux-arch, Ingo Molnar,
	Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 8779657d29c0ebcc0c94ede4df2f497baf1b563f upstream.

This changes the stack protector config option into a choice of
"None", "Regular", and "Strong":

   CONFIG_CC_STACKPROTECTOR_NONE
   CONFIG_CC_STACKPROTECTOR_REGULAR
   CONFIG_CC_STACKPROTECTOR_STRONG

"Regular" means the old CONFIG_CC_STACKPROTECTOR=y option.

"Strong" is a new mode introduced by this patch. With "Strong" the
kernel is built with -fstack-protector-strong (available in
gcc 4.9 and later). This option increases the coverage of the stack
protector without the heavy performance hit of -fstack-protector-all.

For reference, the stack protector options available in gcc are:

-fstack-protector-all:
  Adds the stack-canary saving prefix and stack-canary checking
  suffix to _all_ function entry and exit. Results in substantial
  use of stack space for saving the canary for deep stack users
  (e.g. historically xfs), and measurable (though shockingly still
  low) performance hit due to all the saving/checking. Really not
  suitable for sane systems, and was entirely removed as an option
  from the kernel many years ago.

-fstack-protector:
  Adds the canary save/check to functions that define an 8
  (--param=ssp-buffer-size=N, N=8 by default) or more byte local
  char array. Traditionally, stack overflows happened with
  string-based manipulations, so this was a way to find those
  functions. Very few total functions actually get the canary; no
  measurable performance or size overhead.

-fstack-protector-strong
  Adds the canary for a wider set of functions, since it's not
  just those with strings that have ultimately been vulnerable to
  stack-busting. With this superset, more functions end up with a
  canary, but it still remains small compared to all functions
  with only a small change in performance. Based on the original
  design document, a function gets the canary when it contains any
  of:

    - local variable's address used as part of the right hand side
      of an assignment or function argument
    - local variable is an array (or union containing an array),
      regardless of array type or length
    - uses register local variables

  https://docs.google.com/a/google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU

Find below a comparison of "size" and "objdump" output when built with
gcc-4.9 in three configurations:

  - defconfig
	11430641 kernel text size
	36110 function bodies

  - defconfig + CONFIG_CC_STACKPROTECTOR_REGULAR
	11468490 kernel text size (+0.33%)
	1015 of 36110 functions are stack-protected (2.81%)

  - defconfig + CONFIG_CC_STACKPROTECTOR_STRONG via this patch
	11692790 kernel text size (+2.24%)
	7401 of 36110 functions are stack-protected (20.5%)

With -strong, ARM's compressed boot code now triggers stack
protection, so a static guard was added. Since this is only used
during decompression and was never used before, the exposure
here is very small. Once it switches to the full kernel, the
stack guard is back to normal.

Chrome OS has been using -fstack-protector-strong for its kernel
builds for the last 8 months with no problems.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Shawn Guo <shawn.guo@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-mips@linux-mips.org
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/1387481759-14535-3-git-send-email-keescook@chromium.org
[ Improved the changelog and descriptions some more. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ kamal: 3.13-stable: need these arch/arm/boot/compressed/misc.c __stack_chk
  canary functions, even for just the old CONFIG_CC_STACKPROTECTOR ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Makefile                        |  8 ++++++-
 arch/Kconfig                    | 51 ++++++++++++++++++++++++++++++++++++++---
 arch/arm/boot/compressed/misc.c | 14 +++++++++++
 3 files changed, 69 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 58a799e..b43786f 100644
--- a/Makefile
+++ b/Makefile
@@ -598,12 +598,18 @@ KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
 endif
 
 # Handle stack protector mode.
-ifdef CONFIG_CC_STACKPROTECTOR
+ifdef CONFIG_CC_STACKPROTECTOR_REGULAR
   stackp-flag := -fstack-protector
   ifeq ($(call cc-option, $(stackp-flag)),)
     $(warning Cannot use CONFIG_CC_STACKPROTECTOR: \
 	      -fstack-protector not supported by compiler))
   endif
+else ifdef CONFIG_CC_STACKPROTECTOR_STRONG
+  stackp-flag := -fstack-protector-strong
+  ifeq ($(call cc-option, $(stackp-flag)),)
+    $(warning Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: \
+	      -fstack-protector-strong not supported by compiler)
+  endif
 else
   # Force off for distro compilers that enable stack protector by default.
   stackp-flag := $(call cc-option, -fno-stack-protector)
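
Review bot: The warning in the CONFIG_CC_STACKPROTECTOR_REGULAR branch still reads "Cannot use CONFIG_CC_STACKPROTECTOR:" and still ends in "compiler))", while the new Strong branch names its own symbol and closes with a single ")". Rename the symbol in the Regular message to CONFIG_CC_STACKPROTECTOR_REGULAR and drop the extra parenthesis so the two branches match. The Strong branch also keeps -fstack-protector-strong in stackp-flag after warning that the compiler does not support it, so the build goes on to pass a flag it has just reported as unusable.
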
diff --git a/arch/Kconfig b/arch/Kconfig
index 24e026d..80bbb8c 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -344,10 +344,17 @@ config HAVE_CC_STACKPROTECTOR
 	  - it has implemented a stack canary (e.g. __stack_chk_guard)
 
 config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection"
+	def_bool n
+	help
+	  Set when a stack-protector mode is enabled, so that the build
+	  can enable kernel-side support for the GCC feature.
+
+choice
+	prompt "Stack Protector buffer overflow detection"
 	depends on HAVE_CC_STACKPROTECTOR
+	default CC_STACKPROTECTOR_NONE
 	help
-	  This option turns on the -fstack-protector GCC feature. This
+	  This option turns on the "stack-protector" GCC feature. This
 	  feature puts, at the beginning of functions, a canary value on
 	  the stack just before the return address, and validates
 	  the value just before actually returning.  Stack based buffer
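
Review bot: The choice sets "default CC_STACKPROTECTOR_NONE", and CC_STACKPROTECTOR becomes a promptless "def_bool n" that only the Regular and Strong entries select, so nothing in this hunk carries an existing CONFIG_CC_STACKPROTECTOR=y over to "Regular". A configuration that is brought forward by accepting the defaults ends up with None and loses the canary checks it had. For a stable backport this needs at least a line in the changelog telling users to pick Regular or Strong explicitly.
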
@@ -355,8 +362,46 @@ config CC_STACKPROTECTOR
 	  overwrite the canary, which gets detected and the attack is then
 	  neutralized via a kernel panic.
 
+config CC_STACKPROTECTOR_NONE
+	bool "None"
+	help
+	  Disable "stack-protector" GCC feature.
+
+config CC_STACKPROTECTOR_REGULAR
+	bool "Regular"
+	select CC_STACKPROTECTOR
+	help
+	  Functions will have the stack-protector canary logic added if they
+	  have an 8-byte or larger character array on the stack.
+
 	  This feature requires gcc version 4.2 or above, or a distribution
-	  gcc with the feature backported.
+	  gcc with the feature backported ("-fstack-protector").
+
+	  On an x86 "defconfig" build, this feature adds canary checks to
+	  about 3% of all kernel functions, which increases kernel code size
+	  by about 0.3%.
+
+config CC_STACKPROTECTOR_STRONG
+	bool "Strong"
+	select CC_STACKPROTECTOR
+	help
+	  Functions will have the stack-protector canary logic added in any
+	  of the following conditions:
+
+	  - local variable's address used as part of the right hand side of an
+	    assignment or function argument
+	  - local variable is an array (or union containing an array),
+	    regardless of array type or length
+	  - uses register local variables
+
+	  This feature requires gcc version 4.9 or above, or a distribution
+	  gcc with the feature backported ("-fstack-protector-strong").
+
+	  On an x86 "defconfig" build, this feature adds canary checks to
+	  about 20% of all kernel functions, which increases the kernel code
+	  size by about 2%.
+
+endchoice
 
 config HAVE_CONTEXT_TRACKING
 	bool
diff --git a/arch/arm/boot/compressed/misc.c b/arch/arm/boot/compressed/misc.c
index 31bd43b..d4f891f 100644
--- a/arch/arm/boot/compressed/misc.c
+++ b/arch/arm/boot/compressed/misc.c
@@ -127,6 +127,18 @@ asmlinkage void __div0(void)
 	error("Attempting division by 0!");
 }
 
+unsigned long __stack_chk_guard;
+
+void __stack_chk_guard_setup(void)
+{
+	__stack_chk_guard = 0x000a0dff;
+}
+
+void __stack_chk_fail(void)
+{
+	error("stack-protector: Kernel stack is corrupted\n");
+}
+
 extern int do_decompress(u8 *input, int len, u8 *output, void (*error)(char *x));
 
 
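
Review bot: "__stack_chk_guard = 0x000a0dff;" installs a fixed, publicly known canary with no comment in the code. The changelog explains that this covers only the decompressor, but that rationale is invisible to someone reading misc.c; add a comment above __stack_chk_guard_setup() saying the value is static, why that is acceptable here, and that the full kernel installs its own guard. __stack_chk_guard_setup() is called only from this file in the patch and could be static.
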
@@ -137,6 +149,8 @@ decompress_kernel(unsigned long output_start, unsigned long free_mem_ptr_p,
 {
 	int ret;
 
+	__stack_chk_guard_setup();
+
 	output_data		= (unsigned char *)output_start;
 	free_mem_ptr		= free_mem_ptr_p;
 	free_mem_end_ptr	= free_mem_ptr_end_p;
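
Review bot: __stack_chk_guard_setup() is called inside decompress_kernel(), after that function's own prologue has run. If the compiler ever instruments decompress_kernel() itself, the prologue saves whatever value the guard held before setup and the epilogue compares it against 0x000a0dff, reporting corruption that did not happen. Add a comment here that this function must stay free of a canary, or move the setup into a caller.
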
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread
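
The "objdump" comparison in the changelog above can be repeated on any build by counting the functions that reference __stack_chk_fail. The script below is an added example, not part of the patch or of the author's tooling; the disassembly fragments are constructed and the function names in them are hypothetical.

```python
"""Count stack-protected functions in `objdump -d` output."""
import re
import sys

# Symbol header in objdump -d output, e.g. "0000000000401010 <parse_header>:"
FUNC_RE = re.compile(r"^[0-9a-fA-F]+ <([^>]+)>:\s*$")
# An instruction whose target resolves to the canary failure handler.
FAIL_RE = re.compile(r"<__stack_chk_fail(?:@plt)?>")
HANDLER = "__stack_chk_fail"


def stack_protector_coverage(disassembly):
    """Return (names of protected functions, total functions seen)."""
    protected, total = [], 0
    current = None
    for line in disassembly.splitlines():
        header = FUNC_RE.match(line)
        if header:
            name = header.group(1)
            # The handler itself and PLT stubs are not instrumented code.
            if name == HANDLER or name.endswith("@plt"):
                current = None
            else:
                current = name
                total += 1
            continue
        if current and FAIL_RE.search(line):
            # Record each function once, however many exits it has.
            if not protected or protected[-1] != current:
                protected.append(current)
    return protected, total


def coverage_report(disassembly):
    """Format the result the way the changelog reports it."""
    protected, total = stack_protector_coverage(disassembly)
    pct = 100.0 * len(protected) / total if total else 0.0
    return (f"{len(protected)} of {total} functions are "
            f"stack-protected ({pct:.1f}%)")


# Constructed disassembly fragments (x86-64 flavoured, abbreviated).
# add_one: no locals on the stack, never instrumented.
ADD_ONE = """\
0000000000401000 <add_one>:
  401000:  8d 47 01              lea    0x1(%rdi),%eax
  401003:  c3                    ret
"""
# parse_header: has a char buffer, so plain -fstack-protector covers it.
PARSE_HEADER = """\
0000000000401010 <parse_header>:
  401010:  48 83 ec 58           sub    $0x58,%rsp
  401014:  64 48 8b 04 25 28 00  mov    %fs:0x28,%rax
  40103a:  75 05                 jne    401041 <parse_header+0x31>
  401040:  c3                    ret
  401041:  e8 3a 00 00 00        call   401080 <__stack_chk_fail>
"""
# sum_words: has an int array, covered only by -fstack-protector-strong.
SUM_WORDS_PLAIN = """\
0000000000401050 <sum_words>:
  401050:  48 83 ec 28           sub    $0x28,%rsp
  401070:  c3                    ret
"""
SUM_WORDS_GUARDED = """\
0000000000401050 <sum_words>:
  401050:  48 83 ec 28           sub    $0x28,%rsp
  401054:  64 48 8b 04 25 28 00  mov    %fs:0x28,%rax
  40106a:  75 05                 jne    401071 <sum_words+0x21>
  401070:  c3                    ret
  401071:  e8 0a 00 00 00        call   401080 <__stack_chk_fail>
"""
FAIL_HANDLER = """\
0000000000401080 <__stack_chk_fail>:
  401080:  f4                    hlt
"""

SAMPLE_REGULAR = "\n".join([ADD_ONE, PARSE_HEADER, SUM_WORDS_PLAIN, FAIL_HANDLER])
SAMPLE_STRONG = "\n".join([ADD_ONE, PARSE_HEADER, SUM_WORDS_GUARDED, FAIL_HANDLER])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: objdump -d vmlinux > vmlinux.dis, then pass the file name.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(coverage_report(fh.read()))
    else:
        print("regular:", coverage_report(SAMPLE_REGULAR))
        print("strong: ", coverage_report(SAMPLE_STRONG))
```

A count of zero on a build configured with Regular or Strong means the compiler flag did not take effect, which is the case the Makefile warnings in these patches report.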

* [PATCH 3.13.y-ckt 03/78] stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG
@ 2015-12-17  0:38   ` Kamal Mostafa
  0 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Michal Marek, Stephen Rothwell, James Hogan, Russell King,
	Kees Cook, linux-mips, Peter Zijlstra, Linus Torvalds,
	Kamal Mostafa, Ralf Baechle, Paul Mundt, linux-arch,
	Andrew Morton, Shawn Guo, Arjan van de Ven, Ingo Molnar,
	linux-arm-kernel

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 8779657d29c0ebcc0c94ede4df2f497baf1b563f upstream.

This changes the stack protector config option into a choice of
"None", "Regular", and "Strong":

   CONFIG_CC_STACKPROTECTOR_NONE
   CONFIG_CC_STACKPROTECTOR_REGULAR
   CONFIG_CC_STACKPROTECTOR_STRONG

"Regular" means the old CONFIG_CC_STACKPROTECTOR=y option.

"Strong" is a new mode introduced by this patch. With "Strong" the
kernel is built with -fstack-protector-strong (available in
gcc 4.9 and later). This option increases the coverage of the stack
protector without the heavy performance hit of -fstack-protector-all.

For reference, the stack protector options available in gcc are:

-fstack-protector-all:
  Adds the stack-canary saving prefix and stack-canary checking
  suffix to _all_ function entry and exit. Results in substantial
  use of stack space for saving the canary for deep stack users
  (e.g. historically xfs), and measurable (though shockingly still
  low) performance hit due to all the saving/checking. Really not
  suitable for sane systems, and was entirely removed as an option
  from the kernel many years ago.

-fstack-protector:
  Adds the canary save/check to functions that define an 8
  (--param=ssp-buffer-size=N, N=8 by default) or more byte local
  char array. Traditionally, stack overflows happened with
  string-based manipulations, so this was a way to find those
  functions. Very few total functions actually get the canary; no
  measurable performance or size overhead.

-fstack-protector-strong
  Adds the canary for a wider set of functions, since it's not
  just those with strings that have ultimately been vulnerable to
  stack-busting. With this superset, more functions end up with a
  canary, but it still remains small compared to all functions
  with only a small change in performance. Based on the original
  design document, a function gets the canary when it contains any
  of:

    - local variable's address used as part of the right hand side
      of an assignment or function argument
    - local variable is an array (or union containing an array),
      regardless of array type or length
    - uses register local variables

  https://docs.google.com/a/google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU

Find below a comparison of "size" and "objdump" output when built with
gcc-4.9 in three configurations:

  - defconfig
	11430641 kernel text size
	36110 function bodies

  - defconfig + CONFIG_CC_STACKPROTECTOR_REGULAR
	11468490 kernel text size (+0.33%)
	1015 of 36110 functions are stack-protected (2.81%)

  - defconfig + CONFIG_CC_STACKPROTECTOR_STRONG via this patch
	11692790 kernel text size (+2.24%)
	7401 of 36110 functions are stack-protected (20.5%)

With -strong, ARM's compressed boot code now triggers stack
protection, so a static guard was added. Since this is only used
during decompression and was never used before, the exposure
here is very small. Once it switches to the full kernel, the
stack guard is back to normal.

Chrome OS has been using -fstack-protector-strong for its kernel
builds for the last 8 months with no problems.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Shawn Guo <shawn.guo@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-mips@linux-mips.org
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/1387481759-14535-3-git-send-email-keescook@chromium.org
[ Improved the changelog and descriptions some more. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ kamal: 3.13-stable: need these arch/arm/boot/compressed/misc.c __stack_chk
  canary functions, even for just the old CONFIG_CC_STACKPROTECTOR ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 Makefile                        |  8 ++++++-
 arch/Kconfig                    | 51 ++++++++++++++++++++++++++++++++++++++---
 arch/arm/boot/compressed/misc.c | 14 +++++++++++
 3 files changed, 69 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 58a799e..b43786f 100644
--- a/Makefile
+++ b/Makefile
@@ -598,12 +598,18 @@ KBUILD_CFLAGS += $(call cc-option,-Wframe-larger-than=${CONFIG_FRAME_WARN})
 endif
 
 # Handle stack protector mode.
-ifdef CONFIG_CC_STACKPROTECTOR
+ifdef CONFIG_CC_STACKPROTECTOR_REGULAR
   stackp-flag := -fstack-protector
   ifeq ($(call cc-option, $(stackp-flag)),)
     $(warning Cannot use CONFIG_CC_STACKPROTECTOR: \
 	      -fstack-protector not supported by compiler))
   endif
+else ifdef CONFIG_CC_STACKPROTECTOR_STRONG
+  stackp-flag := -fstack-protector-strong
+  ifeq ($(call cc-option, $(stackp-flag)),)
+    $(warning Cannot use CONFIG_CC_STACKPROTECTOR_STRONG: \
+	      -fstack-protector-strong not supported by compiler)
+  endif
 else
   # Force off for distro compilers that enable stack protector by default.
   stackp-flag := $(call cc-option, -fno-stack-protector)
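
Review bot: In the REGULAR branch the warning text still reads "Cannot use
CONFIG_CC_STACKPROTECTOR" and ends in a doubled "))", while the new STRONG
branch names its own option and closes with a single ")". The ifdef on that
branch is renamed to CONFIG_CC_STACKPROTECTOR_REGULAR here anyway, so the
message and the extra parenthesis could be brought in line in the same change.
Both branches also only emit $(warning ...) and leave stackp-flag set to the
flag the compiler has just rejected. As far as this hunk shows, nothing falls
back to -fstack-protector or to the -fno-stack-protector path, so the changelog
should say what the build is expected to do on a gcc older than 4.9.
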
diff --git a/arch/Kconfig b/arch/Kconfig
index 24e026d..80bbb8c 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -344,10 +344,17 @@ config HAVE_CC_STACKPROTECTOR
 	  - it has implemented a stack canary (e.g. __stack_chk_guard)
 
 config CC_STACKPROTECTOR
-	bool "Enable -fstack-protector buffer overflow detection"
+	def_bool n
+	help
+	  Set when a stack-protector mode is enabled, so that the build
+	  can enable kernel-side support for the GCC feature.
+
+choice
+	prompt "Stack Protector buffer overflow detection"
 	depends on HAVE_CC_STACKPROTECTOR
+	default CC_STACKPROTECTOR_NONE
 	help
-	  This option turns on the -fstack-protector GCC feature. This
+	  This option turns on the "stack-protector" GCC feature. This
 	  feature puts, at the beginning of functions, a canary value on
 	  the stack just before the return address, and validates
 	  the value just before actually returning.  Stack based buffer
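
Review bot: The new choice has "default CC_STACKPROTECTOR_NONE" and
CC_STACKPROTECTOR loses its prompt, so a .config that carries only
CONFIG_CC_STACKPROTECTOR=y from the previous 3.13.y release has no member of
the choice set and falls back to "None" unless the new prompt is answered
otherwise when the config is regenerated. For a stable update that means the
canary can disappear without anyone deciding to drop it. The backport notes
should spell out that existing configs need CONFIG_CC_STACKPROTECTOR_REGULAR=y
to keep the old behaviour.
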
@@ -355,8 +362,46 @@ config CC_STACKPROTECTOR
 	  overwrite the canary, which gets detected and the attack is then
 	  neutralized via a kernel panic.
 
+config CC_STACKPROTECTOR_NONE
+	bool "None"
+	help
+	  Disable "stack-protector" GCC feature.
+
+config CC_STACKPROTECTOR_REGULAR
+	bool "Regular"
+	select CC_STACKPROTECTOR
+	help
+	  Functions will have the stack-protector canary logic added if they
+	  have an 8-byte or larger character array on the stack.
+
 	  This feature requires gcc version 4.2 or above, or a distribution
-	  gcc with the feature backported.
+	  gcc with the feature backported ("-fstack-protector").
+
+	  On an x86 "defconfig" build, this feature adds canary checks to
+	  about 3% of all kernel functions, which increases kernel code size
+	  by about 0.3%.
+
+config CC_STACKPROTECTOR_STRONG
+	bool "Strong"
+	select CC_STACKPROTECTOR
+	help
+	  Functions will have the stack-protector canary logic added in any
+	  of the following conditions:
+
+	  - local variable's address used as part of the right hand side of an
+	    assignment or function argument
+	  - local variable is an array (or union containing an array),
+	    regardless of array type or length
+	  - uses register local variables
+
+	  This feature requires gcc version 4.9 or above, or a distribution
+	  gcc with the feature backported ("-fstack-protector-strong").
+
+	  On an x86 "defconfig" build, this feature adds canary checks to
+	  about 20% of all kernel functions, which increases the kernel code
+	  size by about 2%.
+
+endchoice
 
 config HAVE_CONTEXT_TRACKING
 	bool
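
Review bot: CC_STACKPROTECTOR_STRONG says in its help text that it needs gcc
4.9 or a backport, but the entry has no dependency reflecting that, so it can
be selected with any compiler and the mismatch only shows up as the
$(warning ...) in the Makefile hunk. If a gate is not practical in Kconfig, the
help text should say what happens on an older compiler. The "about 3%" and
"about 20%" figures would also be easier to interpret if they named the
compiler they were measured with (gcc-4.9 per the changelog), since which
functions qualify is decided by the compiler.
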
diff --git a/arch/arm/boot/compressed/misc.c b/arch/arm/boot/compressed/misc.c
index 31bd43b..d4f891f 100644
--- a/arch/arm/boot/compressed/misc.c
+++ b/arch/arm/boot/compressed/misc.c
@@ -127,6 +127,18 @@ asmlinkage void __div0(void)
 	error("Attempting division by 0!");
 }
 
+unsigned long __stack_chk_guard;
+
+void __stack_chk_guard_setup(void)
+{
+	__stack_chk_guard = 0x000a0dff;
+}
+
+void __stack_chk_fail(void)
+{
+	error("stack-protector: Kernel stack is corrupted\n");
+}
+
 extern int do_decompress(u8 *input, int len, u8 *output, void (*error)(char *x));
 
 
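
Review bot: __stack_chk_guard_setup() assigns the fixed constant 0x000a0dff
with no comment, so a reader of misc.c cannot tell that a predictable guard is
a deliberate choice limited to the decompressor, which only the changelog
explains. A short comment above the function saying so would do; the bytes are
0x00, 0x0a, 0x0d and 0xff (NUL, LF, CR, 0xff), so it appears to be meant as a
terminator-style value, and the comment can state that too. Separately,
__stack_chk_fail() must never return to its caller, which here depends on
error() not returning; that is worth confirming or annotating. The message
also ends in "\n" where the neighbouring __div0() string does not.
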
@@ -137,6 +149,8 @@ decompress_kernel(unsigned long output_start, unsigned long free_mem_ptr_p,
 {
 	int ret;
 
+	__stack_chk_guard_setup();
+
 	output_data		= (unsigned char *)output_start;
 	free_mem_ptr		= free_mem_ptr_p;
 	free_mem_end_ptr	= free_mem_ptr_end_p;
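
Review bot: __stack_chk_guard_setup() is called from inside
decompress_kernel(), after that function's own prologue has already run. If
the compiler ever instruments decompress_kernel() itself, the prologue will
have saved the guard's pre-setup value and the epilogue will compare it with
0x000a0dff and report corruption on a clean stack. The visible body only
declares "int ret;", so it may not qualify today, but either a comment that
this function has to stay canary-free or initialising the guard before
decompress_kernel() is entered would make that dependency explicit.
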
-- 
1.9.1

^ permalink raw reply related	[flat|nested] 84+ messages in thread
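
Added example, not part of the patch or of the original mail: one way to reproduce the "N of M functions are stack-protected" lines quoted in the changelog above, assuming the figures come from counting function bodies in `objdump -d` output that reference `__stack_chk_fail`. The two disassembly samples and the function names in them are constructed; they stand for the same three functions built with -fstack-protector and with -fstack-protector-strong.

```python
import re

# A function body in `objdump -d` output starts with "<address> <name>:".
FUNC_RE = re.compile(r"^[0-9a-fA-F]+ <([^>]+)>:\s*$")
# An operand that resolves to the canary failure handler, directly or via PLT.
FAIL_REF_RE = re.compile(r"<__stack_chk_fail(?:@plt)?>")


def protected_functions(disassembly):
    """Return (names_with_canary_check, total_function_bodies)."""
    protected, total = [], 0
    current, counted = None, False
    for line in disassembly.splitlines():
        header = FUNC_RE.match(line)
        if header:
            name = header.group(1)
            counted = False
            # The handler and its PLT stub are not "protected functions".
            if name.startswith("__stack_chk_fail"):
                current = None
            else:
                current = name
                total += 1
            continue
        # Count each function once, however many exits call the handler.
        if current and not counted and FAIL_REF_RE.search(line):
            protected.append(current)
            counted = True
    return protected, total


def coverage_line(n_protected, n_total):
    """Format the result the way the changelog reports it."""
    pct = 100.0 * n_protected / n_total if n_total else 0.0
    return f"{n_protected} of {n_total} functions are stack-protected ({pct:.3g}%)"


# Constructed sample: copy_name() has a char buf[16], sum_pairs() has an
# int pair[2], scale() has no locals whose address is taken.
REGULAR_BUILD = """\
0000000000001030 <__stack_chk_fail@plt>:
    1030:  ff 25 e2 2f 00 00     jmp    *0x2fe2(%rip)

0000000000001139 <scale>:
    1139:  8d 04 3f              lea    (%rdi,%rdi,1),%eax
    113c:  c3                    ret

000000000000113d <copy_name>:
    1141:  64 48 8b 04 25 28 00  mov    %fs:0x28,%rax
    1165:  74 05                 je     116c <copy_name+0x2f>
    1167:  e8 c4 fe ff ff        call   1030 <__stack_chk_fail@plt>
    116c:  c3                    ret

000000000000116d <sum_pairs>:
    116d:  8d 04 37              lea    (%rdi,%rsi,1),%eax
    1170:  c3                    ret
"""

# Same functions under -strong: the int array now qualifies as well.
STRONG_BUILD = REGULAR_BUILD.replace(
    "    116d:  8d 04 37              lea    (%rdi,%rsi,1),%eax\n",
    "    116d:  64 48 8b 04 25 28 00  mov    %fs:0x28,%rax\n"
    "    1190:  e8 9b fe ff ff        call   1030 <__stack_chk_fail@plt>\n",
)

if __name__ == "__main__":
    for label, text in (("regular", REGULAR_BUILD), ("strong", STRONG_BUILD)):
        names, total = protected_functions(text)
        print(label, coverage_line(len(names), total), names)
```

On a real build the input would be the text produced by `objdump -d vmlinux`; the call mnemonic differs per architecture but the `<__stack_chk_fail>` symbol reference is what the pattern keys on.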

* [PATCH 3.13.y-ckt 04/78] iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (2 preceding siblings ...)
  2015-12-17  0:38   ` Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 05/78] iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success Kamal Mostafa
                   ` (73 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Vladimir Zapolskiy, Jonathan Cameron, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vz@mleia.com>

commit 01bb70ae0b98d266fa3e860482c7ce22fa482a6e upstream.

If common clock framework is configured, the driver generates a warning,
which is fixed by this change:

    root@devkit3250:~# cat /sys/bus/iio/devices/iio\:device0/in_voltage0_raw
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 724 at drivers/clk/clk.c:727 clk_core_enable+0x2c/0xa4()
    Modules linked in: sc16is7xx snd_soc_uda1380
    CPU: 0 PID: 724 Comm: cat Not tainted 4.3.0-rc2+ #198
    Hardware name: LPC32XX SoC (Flattened Device Tree)
    Backtrace:
    [<>] (dump_backtrace) from [<>] (show_stack+0x18/0x1c)
    [<>] (show_stack) from [<>] (dump_stack+0x20/0x28)
    [<>] (dump_stack) from [<>] (warn_slowpath_common+0x90/0xb8)
    [<>] (warn_slowpath_common) from [<>] (warn_slowpath_null+0x24/0x2c)
    [<>] (warn_slowpath_null) from [<>] (clk_core_enable+0x2c/0xa4)
    [<>] (clk_core_enable) from [<>] (clk_enable+0x24/0x38)
    [<>] (clk_enable) from [<>] (lpc32xx_read_raw+0x38/0x80)
    [<>] (lpc32xx_read_raw) from [<>] (iio_read_channel_info+0x70/0x94)
    [<>] (iio_read_channel_info) from [<>] (dev_attr_show+0x28/0x4c)
    [<>] (dev_attr_show) from [<>] (sysfs_kf_seq_show+0x8c/0xf0)
    [<>] (sysfs_kf_seq_show) from [<>] (kernfs_seq_show+0x2c/0x30)
    [<>] (kernfs_seq_show) from [<>] (seq_read+0x1c8/0x440)
    [<>] (seq_read) from [<>] (kernfs_fop_read+0x38/0x170)
    [<>] (kernfs_fop_read) from [<>] (do_readv_writev+0x16c/0x238)
    [<>] (do_readv_writev) from [<>] (vfs_readv+0x50/0x58)
    [<>] (vfs_readv) from [<>] (default_file_splice_read+0x1a4/0x308)
    [<>] (default_file_splice_read) from [<>] (do_splice_to+0x78/0x84)
    [<>] (do_splice_to) from [<>] (splice_direct_to_actor+0xc8/0x1cc)
    [<>] (splice_direct_to_actor) from [<>] (do_splice_direct+0xa0/0xb8)
    [<>] (do_splice_direct) from [<>] (do_sendfile+0x1a8/0x30c)
    [<>] (do_sendfile) from [<>] (SyS_sendfile64+0x104/0x10c)
    [<>] (SyS_sendfile64) from [<>] (ret_fast_syscall+0x0/0x38)

Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/staging/iio/adc/lpc32xx_adc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/iio/adc/lpc32xx_adc.c b/drivers/staging/iio/adc/lpc32xx_adc.c
index ef0a21d..b52c10c 100644
--- a/drivers/staging/iio/adc/lpc32xx_adc.c
+++ b/drivers/staging/iio/adc/lpc32xx_adc.c
@@ -76,7 +76,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev,
 
 	if (mask == IIO_CHAN_INFO_RAW) {
 		mutex_lock(&indio_dev->mlock);
-		clk_enable(info->clk);
+		clk_prepare_enable(info->clk);
 		/* Measurement setup */
 		__raw_writel(AD_INTERNAL | (chan->address) | AD_REFp | AD_REFm,
 			LPC32XX_ADC_SELECT(info->adc_base));
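
Review bot: The return value of clk_prepare_enable(info->clk) is discarded.
It returns an int and can fail, and the code then goes on to program the ADC
and block in wait_for_completion() with the clock possibly not running. Check
the result and, on error, release indio_dev->mlock and return the error to
the caller.
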
@@ -84,7 +84,7 @@ static int lpc32xx_read_raw(struct iio_dev *indio_dev,
 		__raw_writel(AD_PDN_CTRL | AD_STROBE,
 			LPC32XX_ADC_CTRL(info->adc_base));
 		wait_for_completion(&info->completion); /* set by ISR */
-		clk_disable(info->clk);
+		clk_disable_unprepare(info->clk);
 		*val = info->value;
 		mutex_unlock(&indio_dev->mlock);
 
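
Review bot: With clk_disable_unprepare() here, every raw read now goes through
a full prepare/unprepare cycle. If that is intended, a sentence in the
changelog would help; otherwise preparing the clock once at probe time and
keeping the clk_enable()/clk_disable() pair around the measurement would
silence the same warning. Note also that the wait_for_completion() between the
two calls has no timeout, so a missed interrupt leaves the clock prepared and
mlock held.
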
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 05/78] iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (3 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 04/78] iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 06/78] iio: ad5064: Fix ad5629/ad5669 shift Kamal Mostafa
                   ` (72 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Michael Hennerich, Lars-Peter Clausen, Jonathan Cameron, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Hennerich <michael.hennerich@analog.com>

commit 03fe472ef33b7f31fbd11d300dbb3fdab9c00fd4 upstream.

i2c_master_send() returns the number of bytes transferred on success while
the ad5064 driver expects that the write() callback returns 0 on success.
Fix that by translating any non negative return value of i2c_master_send()
to 0.

Fixes: commit 6a17a0768f77 ("iio:dac:ad5064: Add support for the ad5629r and ad5669r")
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/iio/dac/ad5064.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/dac/ad5064.c b/drivers/iio/dac/ad5064.c
index cb9c636..3c7e8ea 100644
--- a/drivers/iio/dac/ad5064.c
+++ b/drivers/iio/dac/ad5064.c
@@ -593,10 +593,16 @@ static int ad5064_i2c_write(struct ad5064_state *st, unsigned int cmd,
 	unsigned int addr, unsigned int val)
 {
 	struct i2c_client *i2c = to_i2c_client(st->dev);
+	int ret;
 
 	st->data.i2c[0] = (cmd << 4) | addr;
 	put_unaligned_be16(val, &st->data.i2c[1]);
-	return i2c_master_send(i2c, st->data.i2c, 3);
+
+	ret = i2c_master_send(i2c, st->data.i2c, 3);
+	if (ret < 0)
+		return ret;
+
+	return 0;
 }
 
 static int ad5064_i2c_probe(struct i2c_client *i2c,
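
Review bot: The new check treats every non-negative return from
i2c_master_send() as success, so if a short count (fewer than the 3 bytes
requested) can come back it is reported as 0. Comparing against the requested
length after the "ret < 0" test, for example returning -EIO when ret != 3,
would keep the callback's 0-on-success contract without hiding a partial
write.
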
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 06/78] iio: ad5064: Fix ad5629/ad5669 shift
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (4 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 05/78] iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 07/78] iio:ad7793: Fix ad7785 product ID Kamal Mostafa
                   ` (71 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Lars-Peter Clausen, Jonathan Cameron, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lars-Peter Clausen <lars@metafoo.de>

commit 5dcbe97bedd6ba4b0f574a96cc2e293d26f3d857 upstream.

The ad5629/ad5669 are the I2C variant of the ad5628/ad5668, which has a SPI
interface. They are mostly identical with the exception that the shift
factor is different. Currently the driver does not take care of this
difference which leads to incorrect DAC output values.

Fix this by introducing a custom channel spec for the ad5629/ad5669 with
the correct shift factor.

Fixes: commit 6a17a0768f77 ("iio:dac:ad5064: Add support for the ad5629r and ad5669r")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
[ kamal: backport to 3.13-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/iio/dac/ad5064.c | 83 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 57 insertions(+), 26 deletions(-)

diff --git a/drivers/iio/dac/ad5064.c b/drivers/iio/dac/ad5064.c
index 3c7e8ea..0b1f406 100644
--- a/drivers/iio/dac/ad5064.c
+++ b/drivers/iio/dac/ad5064.c
@@ -113,12 +113,16 @@ enum ad5064_type {
 	ID_AD5065,
 	ID_AD5628_1,
 	ID_AD5628_2,
+	ID_AD5629_1,
+	ID_AD5629_2,
 	ID_AD5648_1,
 	ID_AD5648_2,
 	ID_AD5666_1,
 	ID_AD5666_2,
 	ID_AD5668_1,
 	ID_AD5668_2,
+	ID_AD5669_1,
+	ID_AD5669_2,
 };
 
 static int ad5064_write(struct ad5064_state *st, unsigned int cmd,
@@ -291,7 +295,7 @@ static const struct iio_chan_spec_ext_info ad5064_ext_info[] = {
 	{ },
 };
 
-#define AD5064_CHANNEL(chan, addr, bits) {			\
+#define AD5064_CHANNEL(chan, addr, bits, _shift) {		\
 	.type = IIO_VOLTAGE,					\
 	.indexed = 1,						\
 	.output = 1,						\
@@ -299,35 +303,38 @@ static const struct iio_chan_spec_ext_info ad5064_ext_info[] = {
 	.info_mask_separate = BIT(IIO_CHAN_INFO_RAW) |		\
 	BIT(IIO_CHAN_INFO_SCALE),					\
 	.address = addr,					\
-	.scan_type = IIO_ST('u', (bits), 16, 20 - (bits)),	\
+	.scan_type = IIO_ST('u', (bits), 16, (_shift)),	\
 	.ext_info = ad5064_ext_info,				\
 }
 
-#define DECLARE_AD5064_CHANNELS(name, bits) \
+#define DECLARE_AD5064_CHANNELS(name, bits, shift) \
 const struct iio_chan_spec name[] = { \
-	AD5064_CHANNEL(0, 0, bits), \
-	AD5064_CHANNEL(1, 1, bits), \
-	AD5064_CHANNEL(2, 2, bits), \
-	AD5064_CHANNEL(3, 3, bits), \
-	AD5064_CHANNEL(4, 4, bits), \
-	AD5064_CHANNEL(5, 5, bits), \
-	AD5064_CHANNEL(6, 6, bits), \
-	AD5064_CHANNEL(7, 7, bits), \
+	AD5064_CHANNEL(0, 0, bits, shift), \
+	AD5064_CHANNEL(1, 1, bits, shift), \
+	AD5064_CHANNEL(2, 2, bits, shift), \
+	AD5064_CHANNEL(3, 3, bits, shift), \
+	AD5064_CHANNEL(4, 4, bits, shift), \
+	AD5064_CHANNEL(5, 5, bits, shift), \
+	AD5064_CHANNEL(6, 6, bits, shift), \
+	AD5064_CHANNEL(7, 7, bits, shift), \
 }
 
-#define DECLARE_AD5065_CHANNELS(name, bits) \
+#define DECLARE_AD5065_CHANNELS(name, bits, shift) \
 const struct iio_chan_spec name[] = { \
-	AD5064_CHANNEL(0, 0, bits), \
-	AD5064_CHANNEL(1, 3, bits), \
+	AD5064_CHANNEL(0, 0, bits, shift), \
+	AD5064_CHANNEL(1, 3, bits, shift), \
 }
 
-static DECLARE_AD5064_CHANNELS(ad5024_channels, 12);
-static DECLARE_AD5064_CHANNELS(ad5044_channels, 14);
-static DECLARE_AD5064_CHANNELS(ad5064_channels, 16);
+static DECLARE_AD5064_CHANNELS(ad5024_channels, 12, 8);
+static DECLARE_AD5064_CHANNELS(ad5044_channels, 14, 6);
+static DECLARE_AD5064_CHANNELS(ad5064_channels, 16, 4);
 
-static DECLARE_AD5065_CHANNELS(ad5025_channels, 12);
-static DECLARE_AD5065_CHANNELS(ad5045_channels, 14);
-static DECLARE_AD5065_CHANNELS(ad5065_channels, 16);
+static DECLARE_AD5065_CHANNELS(ad5025_channels, 12, 8);
+static DECLARE_AD5065_CHANNELS(ad5045_channels, 14, 6);
+static DECLARE_AD5065_CHANNELS(ad5065_channels, 16, 4);
+
+static DECLARE_AD5064_CHANNELS(ad5629_channels, 12, 4);
+static DECLARE_AD5064_CHANNELS(ad5669_channels, 16, 0);
 
 static const struct ad5064_chip_info ad5064_chip_info_tbl[] = {
 	[ID_AD5024] = {
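
Review bot: The shift, previously derived as "20 - (bits)", is now a
free-standing argument, and the two new tables use 12/4 and 16/0 with nothing
in the code saying why the I2C parts differ from the 8/6/4 values above them.
A one-line comment next to ad5629_channels and ad5669_channels stating where
these shifts come from would keep someone from changing them back to
20 - bits later. The parameter is also spelled "_shift" in AD5064_CHANNEL and
"shift" in the DECLARE_ macros; one spelling would be tidier.
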
@@ -377,6 +384,18 @@ static const struct ad5064_chip_info ad5064_chip_info_tbl[] = {
 		.channels = ad5024_channels,
 		.num_channels = 8,
 	},
+	[ID_AD5629_1] = {
+		.shared_vref = true,
+		.internal_vref = 2500000,
+		.channels = ad5629_channels,
+		.num_channels = 8,
+	},
+	[ID_AD5629_2] = {
+		.shared_vref = true,
+		.internal_vref = 5000000,
+		.channels = ad5629_channels,
+		.num_channels = 8,
+	},
 	[ID_AD5648_1] = {
 		.shared_vref = true,
 		.internal_vref = 2500000,
@@ -413,6 +432,18 @@ static const struct ad5064_chip_info ad5064_chip_info_tbl[] = {
 		.channels = ad5064_channels,
 		.num_channels = 8,
 	},
+	[ID_AD5669_1] = {
+		.shared_vref = true,
+		.internal_vref = 2500000,
+		.channels = ad5669_channels,
+		.num_channels = 8,
+	},
+	[ID_AD5669_2] = {
+		.shared_vref = true,
+		.internal_vref = 5000000,
+		.channels = ad5669_channels,
+		.num_channels = 8,
+	},
 };
 
 static inline unsigned int ad5064_num_vref(struct ad5064_state *st)
@@ -618,12 +649,12 @@ static int ad5064_i2c_remove(struct i2c_client *i2c)
 }
 
 static const struct i2c_device_id ad5064_i2c_ids[] = {
-	{"ad5629-1", ID_AD5628_1},
-	{"ad5629-2", ID_AD5628_2},
-	{"ad5629-3", ID_AD5628_2}, /* similar enough to ad5629-2 */
-	{"ad5669-1", ID_AD5668_1},
-	{"ad5669-2", ID_AD5668_2},
-	{"ad5669-3", ID_AD5668_2}, /* similar enough to ad5669-2 */
+	{"ad5629-1", ID_AD5629_1},
+	{"ad5629-2", ID_AD5629_2},
+	{"ad5629-3", ID_AD5629_2}, /* similar enough to ad5629-2 */
+	{"ad5669-1", ID_AD5669_1},
+	{"ad5669-2", ID_AD5669_2},
+	{"ad5669-3", ID_AD5669_2}, /* similar enough to ad5669-2 */
 	{}
 };
 MODULE_DEVICE_TABLE(i2c, ad5064_i2c_ids);
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 07/78] iio:ad7793: Fix ad7785 product ID
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (5 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 06/78] iio: ad5064: Fix ad5629/ad5669 shift Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 08/78] x86/fpu: Fix 32-bit signal frame handling Kamal Mostafa
                   ` (70 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Lars-Peter Clausen, Jonathan Cameron, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lars-Peter Clausen <lars@metafoo.de>

commit 785171fd6cd7dcd7ada5a733b6a2d44ec566c3a0 upstream.

While the datasheet for the AD7785 lists 0xXB as the product ID the actual
product ID is 0xX3.

Fix the product ID otherwise the driver will reject the device due to non
matching IDs.

Fixes: e786cc26dcc5 ("staging:iio:ad7793: Implement stricter id checking")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/iio/adc/ad7793.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/adc/ad7793.c b/drivers/iio/adc/ad7793.c
index 4dddeab..5da0754 100644
--- a/drivers/iio/adc/ad7793.c
+++ b/drivers/iio/adc/ad7793.c
@@ -101,7 +101,7 @@
 #define AD7795_CH_AIN1M_AIN1M	8 /* AIN1(-) - AIN1(-) */
 
 /* ID Register Bit Designations (AD7793_REG_ID) */
-#define AD7785_ID		0xB
+#define AD7785_ID		0x3
 #define AD7792_ID		0xA
 #define AD7793_ID		0xB
 #define AD7794_ID		0xF
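
Review bot: After this change AD7785_ID no longer matches what the changelog
says the datasheet lists (0xXB), and the define carries no comment about it.
Add a short comment on the AD7785_ID line saying the value reflects what the
hardware reports and deliberately differs from the datasheet, so it is not
"corrected" back to 0xB later.
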
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 08/78] x86/fpu: Fix 32-bit signal frame handling
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (6 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 07/78] iio:ad7793: Fix ad7785 product ID Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 09/78] ALSA: usb-audio: add packet size quirk for the Medeli DD305 Kamal Mostafa
                   ` (69 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dave Hansen, Andy Lutomirski, Borislav Petkov, Brian Gerst,
	Denys Vlasenko, H. Peter Anvin, Linus Torvalds, Peter Zijlstra,
	Thomas Gleixner, dave, fenghua.yu, yu-cheng.yu, Ingo Molnar,
	Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Hansen <dave.hansen@linux.intel.com>

commit ab6b52947545a5355154f64f449f97af9d05845f upstream.

(This should have gone to LKML originally. Sorry for the extra
 noise, folks on the cc.)

Background:

Signal frames on x86 have two formats:

  1. For 32-bit executables (whether on a real 32-bit kernel or
     under 32-bit emulation on a 64-bit kernel) we have a
    'fpregset_t' that includes the "FSAVE" registers.

  2. For 64-bit executables (on 64-bit kernels obviously), the
     'fpregset_t' is smaller and does not contain the "FSAVE"
     state.

When creating the signal frame, we have to be aware of whether
we are running a 32 or 64-bit executable so we create the
correct format signal frame.

Problem:

save_xstate_epilog() uses 'fx_sw_reserved_ia32' whenever it is
called for a 32-bit executable.  This is for real 32-bit and
ia32 emulation.

But, fpu__init_prepare_fx_sw_frame() only initializes
'fx_sw_reserved_ia32' when emulation is enabled, *NOT* for real
32-bit kernels.

This leads to really weird situations where 32-bit programs
lose their extended state when returning from a signal handler.
The kernel copies the uninitialized (zero) 'fx_sw_reserved_ia32'
out to userspace in save_xstate_epilog().  But when returning
from the signal, the kernel errors out in check_for_xstate()
when it does not see FP_XSTATE_MAGIC1 present (because it was
zeroed).  This leads to the FPU/XSAVE state being initialized.

For MPX, this leads to the most permissive state and means we
silently lose bounds violations.  I think this would also mean
that we could lose *ANY* FPU/SSE/AVX state.  I'm not sure why
no one has spotted this bug.

I believe this was broken by:

	72a671ced66d ("x86, fpu: Unify signal handling code paths for x86 and x86_64 kernels")

way back in 2012.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dave@sr71.net
Cc: fenghua.yu@intel.com
Cc: yu-cheng.yu@intel.com
Link: http://lkml.kernel.org/r/20151111002354.A0799571@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ luis: backported to 3.16:
  - file and function rename:
    * arch/x86/kernel/fpu/signal.c -> arch/x86/kernel/xsave.c
    * fpu__init_prepare_fx_sw_frame() -> prepare_fx_sw_frame()
  - use 'i387_fsave_struct' instead of 'fregs_state'
  - adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/x86/kernel/xsave.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
index bf640b8..cf2e969 100644
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -429,20 +429,19 @@ int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size)
  */
 static void prepare_fx_sw_frame(void)
 {
-	int fsave_header_size = sizeof(struct i387_fsave_struct);
 	int size = xstate_size + FP_XSTATE_MAGIC2_SIZE;
 
-	if (config_enabled(CONFIG_X86_32))
-		size += fsave_header_size;
-
 	fx_sw_reserved.magic1 = FP_XSTATE_MAGIC1;
 	fx_sw_reserved.extended_size = size;
 	fx_sw_reserved.xstate_bv = pcntxt_mask;
 	fx_sw_reserved.xstate_size = xstate_size;
 
-	if (config_enabled(CONFIG_IA32_EMULATION)) {
+	if (config_enabled(CONFIG_IA32_EMULATION) ||
+	    config_enabled(CONFIG_X86_32)) {
+		int fsave_header_size = sizeof(struct i387_fsave_struct);
+
 		fx_sw_reserved_ia32 = fx_sw_reserved;
-		fx_sw_reserved_ia32.extended_size += fsave_header_size;
+		fx_sw_reserved_ia32.extended_size = size + fsave_header_size;
 	}
 }
 
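Review bot: In the new if block, fx_sw_reserved_ia32 becomes the only copy whose extended_size includes the FSAVE header, so on a CONFIG_X86_32 build fx_sw_reserved.extended_size is now smaller than it was before this change. Worth confirming that every 32-bit frame path reads the _ia32 copy (the changelog names save_xstate_epilog() and check_for_xstate()), and adding a comment above the block that the ia32 copy serves both native 32-bit and emulation, so the two config checks do not drift apart again.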
-- 
1.9.1



* [PATCH 3.13.y-ckt 09/78] ALSA: usb-audio: add packet size quirk for the Medeli DD305
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (7 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 08/78] x86/fpu: Fix 32-bit signal frame handling Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 10/78] ALSA: usb-audio: prevent CH345 multiport output SysEx corruption Kamal Mostafa
                   ` (68 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Clemens Ladisch, Takashi Iwai, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Clemens Ladisch <clemens@ladisch.de>

commit 98d362becb6621bebdda7ed0eac7ad7ec6c37898 upstream.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/usb/midi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index c7aa71e..fa9028e 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1326,6 +1326,7 @@ static int snd_usbmidi_out_endpoint_create(struct snd_usb_midi* umidi,
 		 * Various chips declare a packet size larger than 4 bytes, but
 		 * do not actually work with larger packets:
 		 */
+	case USB_ID(0x0a67, 0x5011): /* Medeli DD305 */
 	case USB_ID(0x0a92, 0x1020): /* ESI M4U */
 	case USB_ID(0x1430, 0x474b): /* RedOctane GH MIDI INTERFACE */
 	case USB_ID(0x15ca, 0x0101): /* Textech USB Midi Cable */
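Review bot: Missing documentation: the changelog has no body, so the only rationale for the new USB_ID(0x0a67, 0x5011) case is the existing comment above the list about chips that declare a packet size larger than 4 bytes. A sentence in the commit message on what failed on the DD305 before this entry would help anyone who later revisits the list.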
-- 
1.9.1



* [PATCH 3.13.y-ckt 10/78] ALSA: usb-audio: prevent CH345 multiport output SysEx corruption
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (8 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 09/78] ALSA: usb-audio: add packet size quirk for the Medeli DD305 Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 11/78] ALSA: usb-audio: work around CH345 input " Kamal Mostafa
                   ` (67 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Clemens Ladisch, Takashi Iwai, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Clemens Ladisch <clemens@ladisch.de>

commit 1ca8b201309d842642f221db7f02f71c0af5be2d upstream.

The CH345 USB MIDI chip has two output ports.  However, they are
multiplexed through one pin, and the number of ports cannot be reduced
even for hardware that implements only one connector, so for those
devices, data sent to either port ends up on the same hardware output.
This becomes a problem when both ports are used at the same time, as
longer MIDI commands (such as SysEx messages) are likely to be
interrupted by messages from the other port, and thus to get lost.

It would not be possible for the driver to detect how many ports the
device actually has, except that in practice, _all_ devices built with
the CH345 have only one port.  So we can just ignore the device's
descriptors, and hardcode one output port.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/usb/midi.c         |  3 +++
 sound/usb/quirks-table.h | 11 +++++++++++
 sound/usb/quirks.c       |  1 +
 sound/usb/usbaudio.h     |  1 +
 4 files changed, 16 insertions(+)

diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index fa9028e..966051f 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -2291,6 +2291,9 @@ int snd_usbmidi_create(struct snd_card *card,
 
 		err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
 		break;
+	case QUIRK_MIDI_CH345:
+		err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
+		break;
 	default:
 		snd_printd(KERN_ERR "invalid quirk type %d\n", quirk->type);
 		err = -ENXIO;
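Review bot: The new QUIRK_MIDI_CH345 case does not show how the single output port described in the changelog is enforced; it makes the same snd_usbmidi_detect_per_port_endpoints() call that closes the case just above it. A short comment on the case stating that this call is what limits the device to one port, and that the device's descriptors are deliberately ignored, would make the intent visible at the call site.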
diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
index e3bd28a..e5b9ade 100644
--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -2814,6 +2814,17 @@ YAMAHA_DEVICE(0x7010, "UB99"),
 	.idProduct = 0x1020,
 },
 
+/* QinHeng devices */
+{
+	USB_DEVICE(0x1a86, 0x752d),
+	.driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+		.vendor_name = "QinHeng",
+		.product_name = "CH345",
+		.ifnum = 1,
+		.type = QUIRK_MIDI_CH345
+	}
+},
+
 /* KeithMcMillen Stringport */
 {
 	USB_DEVICE(0x1f38, 0x0001),
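Review bot: Style point in the new QinHeng entry: ".type = QUIRK_MIDI_CH345" has no trailing comma, so the next field added to this initializer will touch two lines. ".ifnum = 1" is also hard-coded without a note on why interface 1 is the one to bind on this chip; a brief comment would help.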
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 3fbb455..c3af0ce 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -526,6 +526,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip,
 		[QUIRK_MIDI_CME] = create_any_midi_quirk,
 		[QUIRK_MIDI_AKAI] = create_any_midi_quirk,
 		[QUIRK_MIDI_FTDI] = create_any_midi_quirk,
+		[QUIRK_MIDI_CH345] = create_any_midi_quirk,
 		[QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk,
 		[QUIRK_AUDIO_FIXED_ENDPOINT] = create_fixed_stream_quirk,
 		[QUIRK_AUDIO_EDIROL_UAXX] = create_uaxx_quirk,
diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
index 5d2fe05..e5b2c30 100644
--- a/sound/usb/usbaudio.h
+++ b/sound/usb/usbaudio.h
@@ -84,6 +84,7 @@ enum quirk_type {
 	QUIRK_MIDI_AKAI,
 	QUIRK_MIDI_US122L,
 	QUIRK_MIDI_FTDI,
+	QUIRK_MIDI_CH345,
 	QUIRK_AUDIO_STANDARD_INTERFACE,
 	QUIRK_AUDIO_FIXED_ENDPOINT,
 	QUIRK_AUDIO_EDIROL_UAXX,
-- 
1.9.1



* [PATCH 3.13.y-ckt 11/78] ALSA: usb-audio: work around CH345 input SysEx corruption
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (9 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 10/78] ALSA: usb-audio: prevent CH345 multiport output SysEx corruption Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 12/78] USB: serial: option: add support for Novatel MiFi USB620L Kamal Mostafa
                   ` (66 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Clemens Ladisch, Takashi Iwai, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Clemens Ladisch <clemens@ladisch.de>

commit a91e627e3f0ed820b11d86cdc04df38f65f33a70 upstream.

One of the many faults of the QinHeng CH345 USB MIDI interface chip is
that it does not handle received SysEx messages correctly -- every second
event packet has a wrong code index number, which is the one from the last
seen message, instead of 4.  For example, the two messages "FE F0 01 02 03
04 05 06 07 08 09 0A 0B 0C 0D 0E F7" result in the following event
packets:

correct:       CH345:
0F FE 00 00    0F FE 00 00
04 F0 01 02    04 F0 01 02
04 03 04 05    0F 03 04 05
04 06 07 08    04 06 07 08
04 09 0A 0B    0F 09 0A 0B
04 0C 0D 0E    04 0C 0D 0E
05 F7 00 00    05 F7 00 00

A class-compliant driver must interpret an event packet with CIN 15 as
having a single data byte, so the other two bytes would be ignored.  The
message received by the host would then be missing two bytes out of six;
in this example, "F0 01 02 03 06 07 08 09 0C 0D 0E F7".

These corrupted SysEx event packages contain only data bytes, while the
CH345 uses event packets with a correct CIN value only for messages with
a status byte, so it is possible to distinguish between these two cases by
checking for the presence of this status byte.

(Other bugs in the CH345's input handling, such as the corruption resulting
from running status, cannot be worked around.)

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/usb/midi.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index 966051f..9123fc5 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -174,6 +174,8 @@ struct snd_usb_midi_in_endpoint {
 		u8 running_status_length;
 	} ports[0x10];
 	u8 seen_f5;
+	bool in_sysex;
+	u8 last_cin;
 	u8 error_resubmit;
 	int current_port;
 };
@@ -465,6 +467,39 @@ static void snd_usbmidi_maudio_broken_running_status_input(
 }
 
 /*
+ * QinHeng CH345 is buggy: every second packet inside a SysEx has not CIN 4
+ * but the previously seen CIN, but still with three data bytes.
+ */
+static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep,
+				     uint8_t *buffer, int buffer_length)
+{
+	unsigned int i, cin, length;
+
+	for (i = 0; i + 3 < buffer_length; i += 4) {
+		if (buffer[i] == 0 && i > 0)
+			break;
+		cin = buffer[i] & 0x0f;
+		if (ep->in_sysex &&
+		    cin == ep->last_cin &&
+		    (buffer[i + 1 + (cin == 0x6)] & 0x80) == 0)
+			cin = 0x4;
+#if 0
+		if (buffer[i + 1] == 0x90) {
+			/*
+			 * Either a corrupted running status or a real note-on
+			 * message; impossible to detect reliably.
+			 */
+		}
+#endif
+		length = snd_usbmidi_cin_length[cin];
+		snd_usbmidi_input_data(ep, 0, &buffer[i + 1], length);
+		ep->in_sysex = cin == 0x4;
+		if (!ep->in_sysex)
+			ep->last_cin = cin;
+	}
+}
+
+/*
  * CME protocol: like the standard protocol, but SysEx commands are sent as a
  * single USB packet preceded by a 0x0F byte.
  */
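Review bot: In ch345_broken_sysex_input() the loop condition "i + 3 < buffer_length" compares an unsigned int with an int, so a negative buffer_length would be converted to a large unsigned value and the loop would read past the buffer. The packet contents come from the device, so it is worth rejecting buffer_length <= 0 up front or keeping the index signed. The "#if 0" block holds only a comment and would read better as a plain comment.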
@@ -650,6 +685,12 @@ static struct usb_protocol_ops snd_usbmidi_cme_ops = {
 	.output_packet = snd_usbmidi_output_standard_packet,
 };
 
+static struct usb_protocol_ops snd_usbmidi_ch345_broken_sysex_ops = {
+	.input = ch345_broken_sysex_input,
+	.output = snd_usbmidi_standard_output,
+	.output_packet = snd_usbmidi_output_standard_packet,
+};
+
 /*
  * AKAI MPD16 protocol:
  *
@@ -2292,6 +2333,7 @@ int snd_usbmidi_create(struct snd_card *card,
 		err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
 		break;
 	case QUIRK_MIDI_CH345:
+		umidi->usb_protocol_ops = &snd_usbmidi_ch345_broken_sysex_ops;
 		err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints);
 		break;
 	default:
-- 
1.9.1



* [PATCH 3.13.y-ckt 12/78] USB: serial: option: add support for Novatel MiFi USB620L
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (10 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 11/78] ALSA: usb-audio: work around CH345 input " Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 13/78] USB: ti_usb_3410_5052: Add Honeywell HGI80 ID Kamal Mostafa
                   ` (65 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Aleksander Morgado, Johan Hovold, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksander Morgado <aleksander@aleksander.es>

commit e07af133c3e2716db25e3e1e1d9f10c2088e9c1a upstream.

Also known as Verizon U620L.

The device is modeswitched from 1410:9020 to 1410:9022 by selecting the
4th USB configuration:

 $ sudo usb_modeswitch -v 0x1410 -p 0x9020 -u 4

This configuration provides an ECM interface as well as TTYs ('Enterprise
Mode' according to the U620 Linux integration guide).

Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/option.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 2188cb8..110f95f 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -162,6 +162,7 @@ static void option_instat_callback(struct urb *urb);
 #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED	0x9001
 #define NOVATELWIRELESS_PRODUCT_E362		0x9010
 #define NOVATELWIRELESS_PRODUCT_E371		0x9011
+#define NOVATELWIRELESS_PRODUCT_U620L		0x9022
 #define NOVATELWIRELESS_PRODUCT_G2		0xA010
 #define NOVATELWIRELESS_PRODUCT_MC551		0xB001
 
@@ -1067,6 +1068,7 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E371, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_U620L, 0xff, 0x00, 0x00) },
 
 	{ USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) },
 	{ USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) },
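Review bot: The U620L entry matches interface class/subclass/protocol 0xff, 0x00, 0x00 while the three Novatel entries above it match 0xff, 0xff, 0xff, and nothing at the entry says why. A comment stating which interfaces of the 1410:9022 configuration this triple is meant to match would stop someone from "normalising" it later.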
-- 
1.9.1



* [PATCH 3.13.y-ckt 13/78] USB: ti_usb_3410_5052: Add Honeywell HGI80 ID
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (11 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 12/78] USB: serial: option: add support for Novatel MiFi USB620L Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 14/78] ASoC: wm8962: correct addresses for HPF_C_0/1 Kamal Mostafa
                   ` (64 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: David Woodhouse, Johan Hovold, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Woodhouse <dwmw2@infradead.org>

commit 1bcb49e663f88bccee35b8688e6a3da2bea31fd4 upstream.

The Honeywell HGI80 is a wireless interface to the evohome connected
thermostat. It uses a TI 3410 USB-serial port.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/ti_usb_3410_5052.c | 2 ++
 drivers/usb/serial/ti_usb_3410_5052.h | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index c9a3569..11b4029 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -160,6 +160,7 @@ static struct usb_device_id ti_id_table_3410[] = {
 	{ USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STEREO_PLUG_ID) },
 	{ USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) },
 	{ USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) },
+	{ USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) },
 	{ }	/* terminator */
 };
 
@@ -192,6 +193,7 @@ static struct usb_device_id ti_id_table_combined[] = {
 	{ USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_PRODUCT_ID) },
 	{ USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) },
 	{ USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) },
+	{ USB_DEVICE(HONEYWELL_VENDOR_ID, HONEYWELL_HGI80_PRODUCT_ID) },
 	{ }	/* terminator */
 };
 
diff --git a/drivers/usb/serial/ti_usb_3410_5052.h b/drivers/usb/serial/ti_usb_3410_5052.h
index 4a2423e..98f35c6 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.h
+++ b/drivers/usb/serial/ti_usb_3410_5052.h
@@ -56,6 +56,10 @@
 #define ABBOTT_PRODUCT_ID		ABBOTT_STEREO_PLUG_ID
 #define ABBOTT_STRIP_PORT_ID		0x3420
 
+/* Honeywell vendor and product IDs */
+#define HONEYWELL_VENDOR_ID		0x10ac
+#define HONEYWELL_HGI80_PRODUCT_ID	0x0102  /* Honeywell HGI80 */
+
 /* Commands */
 #define TI_GET_VERSION			0x01
 #define TI_GET_PORT_STATUS		0x02
-- 
1.9.1



* [PATCH 3.13.y-ckt 14/78] ASoC: wm8962: correct addresses for HPF_C_0/1
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (12 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 13/78] USB: ti_usb_3410_5052: Add Honeywell HGI80 ID Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 15/78] mac80211: mesh: fix call_rcu() usage Kamal Mostafa
                   ` (63 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Sachin Pandhare, Mark Brown, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sachin Pandhare <sachinpandhare@gmail.com>

commit e9f96bc53c1b959859599cb30ce6fd4fbb4448c2 upstream.

From datasheet:
R17408 (4400h) HPF_C_1
R17409 (4401h) HPF_C_0
17048 -> 17408 (0x4400)
17049 -> 17409 (0x4401)

Signed-off-by: Sachin Pandhare <sachinpandhare@gmail.com>
Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/soc/codecs/wm8962.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c
index 8540b4f..5001d72 100644
--- a/sound/soc/codecs/wm8962.c
+++ b/sound/soc/codecs/wm8962.c
@@ -364,8 +364,8 @@ static struct reg_default wm8962_reg[] = {
 	{ 16924, 0x0059 },   /* R16924 - HDBASS_PG_1 */
 	{ 16925, 0x999A },   /* R16925 - HDBASS_PG_0 */
 
-	{ 17048, 0x0083 },   /* R17408 - HPF_C_1 */
-	{ 17049, 0x98AD },   /* R17409 - HPF_C_0 */
+	{ 17408, 0x0083 },   /* R17408 - HPF_C_1 */
+	{ 17409, 0x98AD },   /* R17409 - HPF_C_0 */
 
 	{ 17920, 0x007F },   /* R17920 - ADCL_RETUNE_C1_1 */
 	{ 17921, 0xFFFF },   /* R17921 - ADCL_RETUNE_C1_0 */
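Review bot: The decimal indices in this table are easy to mistype, as the removed 17048/17049 lines show: their own comments already said R17408 and R17409. The changelog gives the hex addresses (0x4400, 0x4401); writing the indices in hex or as named register constants would make a transposed digit much harder to miss.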
-- 
1.9.1



* [PATCH 3.13.y-ckt 15/78] mac80211: mesh: fix call_rcu() usage
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (13 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 14/78] ASoC: wm8962: correct addresses for HPF_C_0/1 Kamal Mostafa
@ 2015-12-17  0:38 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 16/78] usb: dwc3: gadget: let us set lower max_speed Kamal Mostafa
                   ` (62 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:38 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Johannes Berg, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 upstream.

When using call_rcu(), the called function may be delayed quite
significantly, and without a matching rcu_barrier() there's no
way to be sure it has finished.
Therefore, global state that could be gone/freed/reused should
never be touched in the callback.

Fix this in mesh by moving the atomic_dec() into the caller;
that's not really a problem since we already unlinked the path
and it will be destroyed anyway.

This fixes a crash Jouni observed when running certain tests in
a certain order, in which the mesh interface was torn down, the
memory reused for a function pointer (work struct) and running
that then crashed since the pointer had been decremented by 1,
resulting in an invalid instruction byte stream.

Fixes: eb2b9311fd00 ("mac80211: mesh path table implementation")
Reported-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/mac80211/mesh_pathtbl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 89aacfd..9ba6d8c 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -747,10 +747,8 @@ void mesh_plink_broken(struct sta_info *sta)
 static void mesh_path_node_reclaim(struct rcu_head *rp)
 {
 	struct mpath_node *node = container_of(rp, struct mpath_node, rcu);
-	struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
 
 	del_timer_sync(&node->mpath->timer);
-	atomic_dec(&sdata->u.mesh.mpaths);
 	kfree(node->mpath);
 	kfree(node);
 }
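Review bot: mesh_path_node_reclaim() still calls del_timer_sync(&node->mpath->timer) from the RCU callback after this change. The changelog's rule is that the callback must not touch state that may already be gone, so it is worth confirming that the timer handler cannot reach sdata once the interface is torn down, and saying so in a comment here.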
@@ -758,8 +756,9 @@ static void mesh_path_node_reclaim(struct rcu_head *rp)
 /* needs to be called with the corresponding hashwlock taken */
 static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node)
 {
-	struct mesh_path *mpath;
-	mpath = node->mpath;
+	struct mesh_path *mpath = node->mpath;
+	struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
+
 	spin_lock(&mpath->state_lock);
 	mpath->flags |= MESH_PATH_RESOLVING;
 	if (mpath->is_gate)
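Review bot: Style point on the new declarations: sdata is initialised from node->mpath->sdata on the line after mpath is set to node->mpath, so "mpath->sdata" would say the same thing more directly. A short comment that sdata is captured here because the counter is now decremented in this function rather than in the RCU callback would also record the reason for the move.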
@@ -767,6 +766,7 @@ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node)
 	hlist_del_rcu(&node->list);
 	call_rcu(&node->rcu, mesh_path_node_reclaim);
 	spin_unlock(&mpath->state_lock);
+	atomic_dec(&sdata->u.mesh.mpaths);
 	atomic_dec(&tbl->entries);
 }
 
-- 
1.9.1



* [PATCH 3.13.y-ckt 16/78] usb: dwc3: gadget: let us set lower max_speed
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (14 preceding siblings ...)
  2015-12-17  0:38 ` [PATCH 3.13.y-ckt 15/78] mac80211: mesh: fix call_rcu() usage Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 17/78] dm: fix ioctl retry termination with signal Kamal Mostafa
                   ` (61 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Ben McCauley, Felipe Balbi, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben McCauley <ben.mccauley@garmin.com>

commit b9e51b2b1fda19143f48d182ed7a2943f21e1ae4 upstream.

In some SoCs, dwc3 is implemented as a USB2.0 only
core, meaning that it can't ever achieve SuperSpeed.

Current driver always sets gadget.max_speed to
USB_SPEED_SUPER unconditionally. This can cause
issues to some Host stacks where the host will issue
a GetBOS() request and we will reply with a BOS
containing Superspeed Capability Descriptor.

At least Windows seems to be upset by this fact and
prints a warning that we should connect $this device
to another port.

[ balbi@ti.com : rewrote entire commit, including
source code comment to make a lot clearer what the
problem is ]

Signed-off-by: Ben McCauley <ben.mccauley@garmin.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
[ luis: backported to 3.16:
  - used dev_vdbg() instead of dwc3_trace() ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/dwc3/gadget.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 217cc175..a38ad1b 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2604,12 +2604,33 @@ int dwc3_gadget_init(struct dwc3 *dwc)
 	}
 
 	dwc->gadget.ops			= &dwc3_gadget_ops;
-	dwc->gadget.max_speed		= USB_SPEED_SUPER;
 	dwc->gadget.speed		= USB_SPEED_UNKNOWN;
 	dwc->gadget.sg_supported	= true;
 	dwc->gadget.name		= "dwc3-gadget";
 
 	/*
+	 * FIXME We might be setting max_speed to <SUPER, however versions
+	 * <2.20a of dwc3 have an issue with metastability (documented
+	 * elsewhere in this driver) which tells us we can't set max speed to
+	 * anything lower than SUPER.
+	 *
+	 * Because gadget.max_speed is only used by composite.c and function
+	 * drivers (i.e. it won't go into dwc3's registers) we are allowing this
+	 * to happen so we avoid sending SuperSpeed Capability descriptor
+	 * together with our BOS descriptor as that could confuse host into
+	 * thinking we can handle super speed.
+	 *
+	 * Note that, in fact, we won't even support GetBOS requests when speed
+	 * is less than super speed because we don't have means, yet, to tell
+	 * composite.c that we are USB 2.0 + LPM ECN.
+	 */
+	if (dwc->revision < DWC3_REVISION_220A)
+		dev_vdbg(dwc->dev, "Changing max_speed on rev %08x\n",
+			 dwc->revision);
+
+	dwc->gadget.max_speed		= dwc->maximum_speed;
+
+	/*
 	 * REVISIT: Here we should clear all pending IRQs to be
 	 * sure we're starting from a well known location.
 	 */
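Review bot: The "dwc->revision < DWC3_REVISION_220A" branch only emits a dev_vdbg(), and the assignment of dwc->maximum_speed to dwc->gadget.max_speed then runs for every revision, so "Changing max_speed" is logged on old revisions even when maximum_speed is still SuperSpeed. Consider logging only when dwc->maximum_speed is below USB_SPEED_SUPER, and checking that maximum_speed holds a valid speed before it is copied into the gadget.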
-- 
1.9.1



* [PATCH 3.13.y-ckt 17/78] dm: fix ioctl retry termination with signal
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (15 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 16/78] usb: dwc3: gadget: let us set lower max_speed Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 18/78] usb: chipidea: debug: disable usb irq while role switch Kamal Mostafa
                   ` (60 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Jun'ichi Nomura, Hannes Reinecke, Mikulas Patocka,
	Mike Snitzer, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junichi Nomura <j-nomura@ce.jp.nec.com>

commit 5bbbfdf685657771fda05b926b28ca0f79163a28 upstream.

dm-mpath retries ioctl, when no path is readily available and the device
is configured to queue I/O in such a case. If you want to stop the retry
before multipathd decides to turn off queueing mode, you could send a
signal for the process to exit from the loop.

However, the check for a fatal signal was not carried along when commit
6c182cd88d17 ("dm mpath: fix ioctl deadlock when no paths") moved the
loop from dm-mpath to dm core. As a result, we can't terminate such
a process in the retry loop.

An easy reproducer of the situation is:

  # dmsetup create mp --table '0 1024 multipath 0 0 0 0'
  # dmsetup message mp 0 'queue_if_no_path'
  # sg_inq /dev/mapper/mp

then you should be able to terminate sg_inq by pressing Ctrl+C.

Fixes: 6c182cd88d17 ("dm mpath: fix ioctl deadlock when no paths")
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
[ kamal: backport to 3.13-stable: context ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/md/dm-mpath.c | 2 +-
 drivers/md/dm.c       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index 6eb9dc9..aa69ad0 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1629,7 +1629,7 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
 	if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
 		r = scsi_verify_blk_ioctl(NULL, cmd);
 
-	if (r == -ENOTCONN && !fatal_signal_pending(current))
+	if (r == -ENOTCONN)
 		queue_work(kmultipathd, &m->process_queued_ios);
 
 	return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index f89fdaf..648da1b 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -530,7 +530,7 @@ retry:
 out:
 	dm_put_live_table(md, srcu_idx);
 
-	if (r == -ENOTCONN) {
+	if (r == -ENOTCONN && !fatal_signal_pending(current)) {
 		msleep(10);
 		goto retry;
 	}
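Review bot: With the new "!fatal_signal_pending(current)" test, the code leaves the retry loop with r still set to -ENOTCONN, and only fatal signals end the loop. A comment at the test saying that non-fatal signals keep retrying, and that -ENOTCONN is the value carried out on a fatal one, would document both choices.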
-- 
1.9.1



* [PATCH 3.13.y-ckt 18/78] usb: chipidea: debug: disable usb irq while role switch
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (16 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 17/78] dm: fix ioctl retry termination with signal Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 19/78] MIPS: KVM: Fix ASID restoration logic Kamal Mostafa
                   ` (59 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Li Jun, Peter Chen, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Jun <jun.li@freescale.com>

commit 251b3c8b57481bcecd3f753108e36e7389ce12ac upstream.

Since the ci->role will be set after the host role start is complete, there
will be a "nobody cared" irq during host start if the usb irq is enabled. This
error can be reproduced on i.mx6 sololite EVK board by:
1. disable otg id irq(IDIE) and disable all real otg properties of usbotg1
   in dts.
2. boot up the board with ID cable and usb device connected.
3. echo gadget > /sys/kernel/debug/ci_hdrc.0/role
4. echo host > /sys/kernel/debug/ci_hdrc.0/role
5. irq 212: nobody cared.

Signed-off-by: Li Jun <jun.li@freescale.com>
Signed-off-by: Peter Chen <peter.chen@freescale.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/chipidea/debug.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/chipidea/debug.c b/drivers/usb/chipidea/debug.c
index 96d899a..bc12400 100644
--- a/drivers/usb/chipidea/debug.c
+++ b/drivers/usb/chipidea/debug.c
@@ -234,8 +234,10 @@ static ssize_t ci_role_write(struct file *file, const char __user *ubuf,
 	if (role == CI_ROLE_END || role == ci->role)
 		return -EINVAL;
 
+	disable_irq(ci->irq);
 	ci_role_stop(ci);
 	ret = ci_role_start(ci, role);
+	enable_irq(ci->irq);
 
 	return ret ? ret : count;
 }
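Review bot: `enable_irq(ci->irq)` in ci_role_write() runs unconditionally, including when `ci_role_start()` returns an error, so the interrupt is re-armed even though the role switch failed. The hunk does not show whether ci->role is left in a valid state on that path; either check `ret` before re-enabling or add a comment saying why re-enabling is safe there. The two added calls also carry no explanation in the code, so a one-line comment above `disable_irq()` naming the window being closed would help.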
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 19/78] MIPS: KVM: Fix ASID restoration logic
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (17 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 18/78] usb: chipidea: debug: disable usb irq while role switch Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 20/78] MIPS: KVM: Fix CACHE immediate offset sign extension Kamal Mostafa
                   ` (58 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, Ralf Baechle, Paolo Bonzini, Gleb Natapov,
	linux-mips, kvm, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 002374f371bd02df864cce1fe85d90dc5b292837 upstream.

ASID restoration on guest resume should determine the guest execution
mode based on the guest Status register rather than bit 30 of the guest
PC.

Fix the two places in locore.S that do this, loading the guest status
from the cop0 area. Note, this assembly is specific to the trap &
emulate implementation of KVM, so it doesn't need to check the
supervisor bit as that mode is not implemented in the guest.

Fixes: b680f70fc111 ("KVM/MIPS32: Entry point for trampolining to...")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ luis: backported to 3.16:
  - file rename: locore.S -> kvm_locore.S ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kvm/kvm_locore.S | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/arch/mips/kvm/kvm_locore.S b/arch/mips/kvm/kvm_locore.S
index 03a2db5..ba5ce99 100644
--- a/arch/mips/kvm/kvm_locore.S
+++ b/arch/mips/kvm/kvm_locore.S
@@ -159,9 +159,11 @@ FEXPORT(__kvm_mips_vcpu_run)
 
 FEXPORT(__kvm_mips_load_asid)
 	/* Set the ASID for the Guest Kernel */
-	INT_SLL	t0, t0, 1	/* with kseg0 @ 0x40000000, kernel */
-			        /* addresses shift to 0x80000000 */
-	bltz	t0, 1f		/* If kernel */
+	PTR_L	t0, VCPU_COP0(k1)
+	LONG_L	t0, COP0_STATUS(t0)
+	andi	t0, KSU_USER | ST0_ERL | ST0_EXL
+	xori	t0, KSU_USER
+	bnez	t0, 1f		/* If kernel */
 	 INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID  /* (BD)  */
 	INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID    /* else user */
 1:
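Review bot: the `andi`/`xori`/`bnez` sequence in __kvm_mips_load_asid has no comment saying what it tests, and the inline comments it replaces were the only explanation of the branch. Worth one line: t0 ends up zero only when the guest Status has KSU set to user with both ERL and EXL clear, so `bnez` selects the kernel ASID in every other case. The commit message's remark that the supervisor bit is deliberately not checked belongs in that comment too.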
@@ -438,9 +440,11 @@ __kvm_mips_return_to_guest:
 	mtc0	t0, CP0_EPC
 
 	/* Set the ASID for the Guest Kernel */
-	INT_SLL	t0, t0, 1	/* with kseg0 @ 0x40000000, kernel */
-				/* addresses shift to 0x80000000 */
-	bltz	t0, 1f		/* If kernel */
+	PTR_L	t0, VCPU_COP0(k1)
+	LONG_L	t0, COP0_STATUS(t0)
+	andi	t0, KSU_USER | ST0_ERL | ST0_EXL
+	xori	t0, KSU_USER
+	bnez	t0, 1f		/* If kernel */
 	 INT_ADDIU t1, k1, VCPU_GUEST_KERNEL_ASID  /* (BD)  */
 	INT_ADDIU t1, k1, VCPU_GUEST_USER_ASID    /* else user */
 1:
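Review bot: the same five-instruction Status test is repeated verbatim in __kvm_mips_return_to_guest; a shared assembler macro would keep the two copies from drifting apart. Also, t0 held the value just written by `mtc0 t0, CP0_EPC` and is now overwritten by `PTR_L t0, VCPU_COP0(k1)`, so please confirm that nothing after label `1:` still expects the guest PC in t0.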
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 20/78] MIPS: KVM: Fix CACHE immediate offset sign extension
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (18 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 19/78] MIPS: KVM: Fix ASID restoration logic Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 21/78] MIPS: KVM: Uninit VCPU in vcpu_create error path Kamal Mostafa
                   ` (57 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, Ralf Baechle, Paolo Bonzini, Gleb Natapov,
	linux-mips, kvm, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit c5c2a3b998f1ff5a586f9d37e154070b8d550d17 upstream.

The immediate field of the CACHE instruction is signed, so ensure that
it gets sign extended by casting it to an int16_t rather than just
masking the low 16 bits.

Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ luis: backported to 3.16:
  - file rename: emulate.c -> kvm_mips_emul.c ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kvm/kvm_mips_emul.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/kvm/kvm_mips_emul.c b/arch/mips/kvm/kvm_mips_emul.c
index e75ef82..4d88db7 100644
--- a/arch/mips/kvm/kvm_mips_emul.c
+++ b/arch/mips/kvm/kvm_mips_emul.c
@@ -935,7 +935,7 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc, uint32_t cause,
 
 	base = (inst >> 21) & 0x1f;
 	op_inst = (inst >> 16) & 0x1f;
-	offset = inst & 0xffff;
+	offset = (int16_t)inst;
 	cache = (inst >> 16) & 0x3;
 	op = (inst >> 18) & 0x7;
 
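Review bot: `offset = (int16_t)inst;` only has the intended effect if `offset` is itself a signed integer of at least 32 bits, and its declaration is outside this hunk; please confirm that, so the negative value survives into the address computation. The cast also relies on the narrowing conversion from uint32_t to int16_t being a plain truncation, which is the usual kernel idiom. A short comment that the CACHE immediate is signed would stop someone from simplifying it back to a mask.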
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread
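The difference between masking and sign-extending the CACHE immediate, shown as an added example (not code from the patch or the kernel tree). It decodes a constructed instruction word with the same field extraction the hunk shows; the helper names, the struct and the register value are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a MIPS CACHE instruction, extracted the same way as in the hunk. */
struct cache_fields {
	uint32_t base;     /* index of the GPR holding the base address, bits 25:21 */
	uint32_t op_inst;  /* full 5-bit op field, bits 20:16 */
	uint32_t cache;    /* which cache, bits 17:16 */
	uint32_t op;       /* operation on that cache, bits 20:18 */
	int32_t  offset;   /* 16-bit immediate, bits 15:0 */
};

/* sign_extend == 0 reproduces the pre-patch mask, 1 the patched cast. */
static struct cache_fields decode_cache(uint32_t inst, int sign_extend)
{
	struct cache_fields f;

	f.base    = (inst >> 21) & 0x1f;
	f.op_inst = (inst >> 16) & 0x1f;
	f.cache   = (inst >> 16) & 0x3;
	f.op      = (inst >> 18) & 0x7;
	if (sign_extend)
		f.offset = (int16_t)inst;      /* 0xfff0 becomes -16 */
	else
		f.offset = inst & 0xffff;      /* 0xfff0 stays 65520 */
	return f;
}

/* Address the emulated operation acts on: base register value plus offset,
 * wrapping at 32 bits. */
static uint32_t effective_va(uint32_t base_value, int32_t offset)
{
	return base_value + (uint32_t)offset;
}

/* Constructed sample: "cache 0x15, -16($4)",
 * i.e. opcode 0x2f, base 4, op 0x15, immediate 0xfff0. */
#define SAMPLE_INST 0xBC95FFF0u
/* Constructed value for guest register $4. */
#define SAMPLE_BASE 0x80001000u

int main(void)
{
	struct cache_fields before = decode_cache(SAMPLE_INST, 0);
	struct cache_fields after  = decode_cache(SAMPLE_INST, 1);

	printf("base=$%u op_inst=0x%x cache=%u op=%u\n",
	       (unsigned)after.base, (unsigned)after.op_inst,
	       (unsigned)after.cache, (unsigned)after.op);
	printf("masked:        offset=%d va=0x%08x\n",
	       (int)before.offset,
	       (unsigned)effective_va(SAMPLE_BASE, before.offset));
	printf("sign-extended: offset=%d va=0x%08x\n",
	       (int)after.offset,
	       (unsigned)effective_va(SAMPLE_BASE, after.offset));
	return 0;
}
```

With the mask, the computed address lands 64 KiB above the line the guest instruction names, so the emulated cache operation is applied to the wrong address.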

* [PATCH 3.13.y-ckt 21/78] MIPS: KVM: Uninit VCPU in vcpu_create error path
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (19 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 20/78] MIPS: KVM: Fix CACHE immediate offset sign extension Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 22/78] xhci: Workaround to get Intel xHCI reset working more reliably Kamal Mostafa
                   ` (56 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: James Hogan, Ralf Baechle, Paolo Bonzini, Gleb Natapov,
	linux-mips, kvm, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 585bb8f9a5e592f2ce7abbe5ed3112d5438d2754 upstream.

If either of the memory allocations in kvm_arch_vcpu_create() fail, the
vcpu which has been allocated and kvm_vcpu_init'd doesn't get uninit'd
in the error handling path. Add a call to kvm_vcpu_uninit() to fix this.

Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ luis: backported to 3.16:
  - file rename: mips.c -> kvm_mips.c ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/mips/kvm/kvm_mips.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/mips/kvm/kvm_mips.c b/arch/mips/kvm/kvm_mips.c
index 538abbf..054216b 100644
--- a/arch/mips/kvm/kvm_mips.c
+++ b/arch/mips/kvm/kvm_mips.c
@@ -315,7 +315,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
 
 	if (!gebase) {
 		err = -ENOMEM;
-		goto out_free_cpu;
+		goto out_uninit_cpu;
 	}
 	kvm_info("Allocated %d bytes for KVM Exception Handlers @ %p\n",
 		 ALIGN(size, PAGE_SIZE), gebase);
@@ -375,6 +375,9 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
 out_free_gebase:
 	kfree(gebase);
 
+out_uninit_cpu:
+	kvm_vcpu_uninit(vcpu);
+
 out_free_cpu:
 	kfree(vcpu);
 
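Review bot: the new `out_uninit_cpu:` label is placed so that `out_free_gebase` falls through into it, which is what covers the second allocation failure, but any remaining `goto out_free_cpu` now skips kvm_vcpu_uninit(). That is only correct for a failure of kvm_vcpu_init() itself, which is outside this hunk; please confirm no other path still jumps to `out_free_cpu` after the vcpu has been initialised.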
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 22/78] xhci: Workaround to get Intel xHCI reset working more reliably
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (20 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 21/78] MIPS: KVM: Uninit VCPU in vcpu_create error path Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 23/78] xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices Kamal Mostafa
                   ` (55 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Rajmohan Mani, Mathias Nyman, Greg Kroah-Hartman, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rajmohan Mani <rajmohan.mani@intel.com>

commit a5964396190d0c40dd549c23848c282fffa5d1f2 upstream.

Existing Intel xHCI controllers require a delay of 1 mS,
after setting the CMD_RESET bit in command register, before
accessing any HC registers. This allows the HC to complete
the reset operation and be ready for HC register access.
Without this delay, the subsequent HC register access,
may result in a system hang, very rarely.

Verified CherryView / Braswell platforms go through over
5000 warm reboot cycles (which was not possible without
this patch), without any xHCI reset hang.

Signed-off-by: Rajmohan Mani <rajmohan.mani@intel.com>
Tested-by: Joe Lawrence <joe.lawrence@stratus.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/host/xhci.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 159b826..3c42d4b 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -172,6 +172,16 @@ int xhci_reset(struct xhci_hcd *xhci)
 	command |= CMD_RESET;
 	xhci_writel(xhci, command, &xhci->op_regs->command);
 
+	/* Existing Intel xHCI controllers require a delay of 1 mS,
+	 * after setting the CMD_RESET bit, and before accessing any
+	 * HC registers. This allows the HC to complete the
+	 * reset operation and be ready for HC register access.
+	 * Without this delay, the subsequent HC register access,
+	 * may result in a system hang very rarely.
+	 */
+	if (xhci->quirks & XHCI_INTEL_HOST)
+		udelay(1000);
+
 	ret = xhci_handshake(xhci, &xhci->op_regs->command,
 			CMD_RESET, 0, 10 * 1000 * 1000);
 	if (ret)
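Review bot: `udelay(1000)` in xhci_reset() busy-waits for a full millisecond; `mdelay(1)` states the intent more directly, and if xhci_reset() is only ever reached from sleepable context (not visible in this hunk) `usleep_range()` would avoid spinning at all. Style: the added comment block should open with `/*` on its own line, and "1 mS" should read "1 ms".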
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 23/78] xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (21 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 22/78] xhci: Workaround to get Intel xHCI reset working more reliably Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39   ` Kamal Mostafa
                   ` (54 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Mathias Nyman, Greg Kroah-Hartman, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit dad67d5f3d0efe01d38c6cebcb6698280e51927b upstream.

Clear device initiated resume variables once device is fully up and running
in U0 state.

Resume needs to be signaled for 20ms for usb2 devices before they can be
moved to U0 state.

An interrupt is triggered if a device initiates resume. As we handle the
event in interrupt context we can not sleep for 20ms, so we instead set
a resume flag, a timestamp, and start the roothub polling.

The roothub code will later move the port to U0 when it finds a port in
resume state with the resume flag set, and timestamp passed by 20ms.

A host initiated resume is however not done in interrupt context, and
host initiated resume code will directly signal resume, wait 20ms and then
move the port to U0.

These two codepaths can race, if we are in the middle of a host initiated
resume, while sleeping for 20ms, we may handle a port event and find the
port in resume state. The port event handling code will assume the resume
was device initiated and set the resume flag and timestamp.

Root hub code will however not catch the port in resume state again as the
host initiated resume code has already moved the port to U0.
The resume flag and timestamp will remain set for this port preventing port
from suspending again  (LPM setting port to U3)

Fix this for now by always clearing the device initiated resume parameters
once port is in U0

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/host/xhci-hub.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index 50d8413..21af496 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -662,12 +662,15 @@ static u32 xhci_get_port_status(struct usb_hcd *hcd,
 			status |= USB_PORT_STAT_SUSPEND;
 		}
 	}
-	if ((raw_port_status & PORT_PLS_MASK) == XDEV_U0
-			&& (raw_port_status & PORT_POWER)
-			&& (bus_state->suspended_ports & (1 << wIndex))) {
-		bus_state->suspended_ports &= ~(1 << wIndex);
-		if (hcd->speed != HCD_USB3)
-			bus_state->port_c_suspend |= 1 << wIndex;
+	if ((raw_port_status & PORT_PLS_MASK) == XDEV_U0 &&
+	    (raw_port_status & PORT_POWER)) {
+		if (bus_state->suspended_ports & (1 << wIndex)) {
+			bus_state->suspended_ports &= ~(1 << wIndex);
+			if (hcd->speed != HCD_USB3)
+				bus_state->port_c_suspend |= 1 << wIndex;
+		}
+		bus_state->resume_done[wIndex] = 0;
+		clear_bit(wIndex, &bus_state->resuming_ports);
 	}
 	if (raw_port_status & PORT_CONNECT) {
 		status |= USB_PORT_STAT_CONNECTION;
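Review bot: inside the new `XDEV_U0 && PORT_POWER` branch, `bus_state->suspended_ports` and `port_c_suspend` are updated with plain read-modify-write while `resuming_ports` is updated with atomic `clear_bit()`; a comment naming the lock that xhci_get_port_status() relies on for the non-atomic fields would make the mix easier to audit. Since the commit message calls this a fix "for now", the two added lines should also carry a comment naming the race they cover (a port event seen during a host-initiated resume setting the device-initiated flag and timestamp), so the unconditional clearing is not later mistaken for redundant code.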
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 24/78] x86/cpu: Fix SMAP check in PVOPS environments
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
@ 2015-12-17  0:39   ` Kamal Mostafa
  2015-12-17  0:38   ` Kamal Mostafa
                     ` (76 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Andrew Cooper, Rusty Russell, Konrad Rzeszutek Wilk,
	Boris Ostrovsky, lguest, Xen-devel, Thomas Gleixner,
	Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Cooper <andrew.cooper3@citrix.com>

commit 581b7f158fe0383b492acd1ce3fb4e99d4e57808 upstream.

There appears to be no formal statement of what pv_irq_ops.save_fl() is
supposed to return precisely.  Native returns the full flags, while lguest and
Xen only return the Interrupt Flag, and both have comments by the
implementations stating that only the Interrupt Flag is looked at.  This may
have been true when initially implemented, but no longer is.

To make matters worse, the Xen PVOP leaves the upper bits undefined, making
the BUG_ON() undefined behaviour.  Experimentally, this now trips for 32bit PV
guests on Broadwell hardware.  The BUG_ON() is consistent for an individual
build, but not consistent for all builds.  It has also been a sitting timebomb
since SMAP support was introduced.

Use native_save_fl() instead, which will obtain an accurate view of the AC
flag.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Tested-by: Rusty Russell <rusty@rustcorp.com.au>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: <lguest@lists.ozlabs.org>
Cc: Xen-devel <xen-devel@lists.xen.org>
Link: http://lkml.kernel.org/r/1433323874-6927-1-git-send-email-andrew.cooper3@citrix.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/x86/kernel/cpu/common.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 37c4f31..a1f7c91 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -280,10 +280,9 @@ __setup("nosmap", setup_disable_smap);
 
 static __always_inline void setup_smap(struct cpuinfo_x86 *c)
 {
-	unsigned long eflags;
+	unsigned long eflags = native_save_fl();
 
 	/* This should have been cleared long ago */
-	raw_local_save_flags(eflags);
 	BUG_ON(eflags & X86_EFLAGS_AC);
 
 	if (cpu_has(c, X86_FEATURE_SMAP)) {
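Review bot: `native_save_fl()` in setup_smap() bypasses the paravirt hook on purpose, but nothing in the code says so; the surviving comment ("This should have been cleared long ago") only explains the BUG_ON. Add a comment at the initialiser stating that pv_irq_ops.save_fl() implementations may return only the Interrupt Flag, so the AC check has to read the real flags. Without it, a later cleanup is likely to convert this back to raw_local_save_flags().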
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 25/78] ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (23 preceding siblings ...)
  2015-12-17  0:39   ` Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 26/78] arm64: restore bogomips information in /proc/cpuinfo Kamal Mostafa
                   ` (52 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Takashi Iwai, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit b9c2fa52135d49a931c56ed2bfc17d61f771b412 upstream.

To make the speakers on Acer Aspire One Cloudbook 14 work, we
need the same quirk as for another Chromebook.  This patch adds the
corresponding fixup entry.

Reported-by: Patrick <epictetus@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/pci/hda/patch_realtek.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 368b2bb..548cdf9 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4419,6 +4419,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
 	SND_PCI_QUIRK(0x1025, 0x0742, "Acer AO756", ALC271_FIXUP_HP_GATE_MIC_JACK),
 	SND_PCI_QUIRK_VENDOR(0x1025, "Acer Aspire", ALC271_FIXUP_DMIC),
 	SND_PCI_QUIRK(0x1025, 0x0775, "Acer Aspire E1-572", ALC271_FIXUP_HP_GATE_MIC_JACK_E1_572),
+	SND_PCI_QUIRK(0x1025, 0x106d, "Acer Cloudbook 14", ALC283_FIXUP_CHROME_BOOK),
 	SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z),
 	SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS),
 	SND_PCI_QUIRK(0x1028, 0x05bd, "Dell", ALC269_FIXUP_DELL2_MIC_NO_PRESENCE),
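Review bot: the new `0x1025, 0x106d` entry is added after `SND_PCI_QUIRK_VENDOR(0x1025, "Acer Aspire", ALC271_FIXUP_DMIC)` in alc269_fixup_tbl. If the quirk lookup on this 3.13 base returns the first matching entry, the vendor-wide entry would match the Cloudbook first and ALC283_FIXUP_CHROME_BOOK would never be applied. The existing 0x0775 entry sits in the same position, so this may already be handled, but please confirm the lookup order or that the fixup was tested on this backport and not only upstream. Minor: the quirk name "Acer Cloudbook 14" drops the "Aspire One" used in the subject line.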
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 26/78] arm64: restore bogomips information in /proc/cpuinfo
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (24 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 25/78] ALSA: hda - Add fixup for Acer Aspire One Cloudbook 14 Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 27/78] USB: option: add XS Stick W100-2 from 4G Systems Kamal Mostafa
                   ` (51 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Yang Shi, Catalin Marinas, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Shi <yang.shi@linaro.org>

commit 92e788b749862ebe9920360513a718e5dd4da7a9 upstream.

As previously reported, some userspace applications depend on bogomips
shown by /proc/cpuinfo. Although there is much less legacy impact on
aarch64 than arm, it does break libvirt.

This patch reverts commit 326b16db9f69 ("arm64: delay: don't bother
reporting bogomips in /proc/cpuinfo"), but with some tweak due to
context change and without the pr_info().

Fixes: 326b16db9f69 ("arm64: delay: don't bother reporting bogomips in /proc/cpuinfo")
Signed-off-by: Yang Shi <yang.shi@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ luis: backported to 3.16:
  - file rename: cpuinfo.c -> setup.c
  - linux/delay.h is already included
  - adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm64/kernel/setup.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
index 56ccb32..4dafbf6 100644
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -295,6 +295,10 @@ static int c_show(struct seq_file *m, void *v)
 #ifdef CONFIG_SMP
 		seq_printf(m, "processor\t: %d\n", i);
 #endif
+
+		seq_printf(m, "BogoMIPS\t: %lu.%02lu\n",
+			   loops_per_jiffy / (500000UL/HZ),
+			   loops_per_jiffy / (5000UL/HZ) % 100);
 	}
 
 	/* dump out the processor features */
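Review bot: the added `seq_printf()` in c_show() has no comment, and the commit message says the line was removed once before as not worth reporting. Add a comment stating that the BogoMIPS line is kept for userspace that parses /proc/cpuinfo (libvirt is the case named), so it is not dropped again. It also sits in the block that prints `processor : %d` yet prints the global `loops_per_jiffy`, so every processor reports the same figure; worth saying that in the same comment.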
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 27/78] USB: option: add XS Stick W100-2 from 4G Systems
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (25 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 26/78] arm64: restore bogomips information in /proc/cpuinfo Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 28/78] usblp: do not set TASK_INTERRUPTIBLE before lock Kamal Mostafa
                   ` (50 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Bjørn Mork, Greg Kroah-Hartman, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bjorn@mork.no>

commit 638148e20c7f8f6e95017fdc13bce8549a6925e0 upstream.

Thomas reports
"
4gsystems sells two totally different LTE-surfsticks under the same name.
..
The newer version of XS Stick W100 is from "omega"
..
Under windows the driver switches to the same ID, and uses MI03\6 for
network and MI01\6 for modem.
..
echo "1c9e 9b01" > /sys/bus/usb/drivers/qmi_wwan/new_id
echo "1c9e 9b01" > /sys/bus/usb-serial/drivers/option1/new_id

T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1c9e ProdID=9b01 Rev=02.32
S:  Manufacturer=USB Modem
S:  Product=USB Modem
S:  SerialNumber=
C:  #Ifs= 5 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:  If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

Now all important things are there:

wwp0s29f7u2i3 (net), ttyUSB2 (at), cdc-wdm0 (qmi), ttyUSB1 (at)

There is also ttyUSB0, but it is not usable, at least not for at.

The device works well with qmi and ModemManager-NetworkManager.
"

Reported-by: Thomas Schäfer <tschaefer@t-online.de>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/serial/option.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 110f95f..f807079 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -357,6 +357,7 @@ static void option_instat_callback(struct urb *urb);
 /* This is the 4G XS Stick W14 a.k.a. Mobilcom Debitel Surf-Stick *
  * It seems to contain a Qualcomm QSC6240/6290 chipset            */
 #define FOUR_G_SYSTEMS_PRODUCT_W14		0x9603
+#define FOUR_G_SYSTEMS_PRODUCT_W100		0x9b01
 
 /* iBall 3.5G connect wireless modem */
 #define IBALL_3_5G_CONNECT			0x9605
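Review bot: `FOUR_G_SYSTEMS_PRODUCT_W100` is added directly under the comment describing the W14 and its Qualcomm QSC6240/6290 chipset, so that comment now reads as if it covered both IDs, while the report quoted in the commit message says the newer stick is a different design. Give the new define its own one-line comment.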
@@ -530,6 +531,11 @@ static const struct option_blacklist_info four_g_w14_blacklist = {
 	.sendsetup = BIT(0) | BIT(1),
 };
 
+static const struct option_blacklist_info four_g_w100_blacklist = {
+	.sendsetup = BIT(1) | BIT(2),
+	.reserved = BIT(3),
+};
+
 static const struct option_blacklist_info alcatel_x200_blacklist = {
 	.sendsetup = BIT(0) | BIT(1),
 	.reserved = BIT(4),
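Review bot: `four_g_w100_blacklist` sets `.sendsetup = BIT(1) | BIT(2)` and `.reserved = BIT(3)` with no explanation. The descriptor dump in the commit message shows interface 3 bound to qmi_wwan, which accounts for the reserved bit, but the choice of interfaces 1 and 2 for sendsetup, and not 0 (which the report says is unusable for AT), is not explained anywhere. A comment mapping each bit to the interface role would make this checkable.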
@@ -1652,6 +1658,9 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14),
   	  .driver_info = (kernel_ulong_t)&four_g_w14_blacklist
   	},
+	{ USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100),
+	  .driver_info = (kernel_ulong_t)&four_g_w100_blacklist
+	},
 	{ USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) },
 	{ USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) },
 	{ USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) },
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 84+ messages in thread

* [PATCH 3.13.y-ckt 28/78] usblp: do not set TASK_INTERRUPTIBLE before lock
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (26 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 27/78] USB: option: add XS Stick W100-2 from 4G Systems Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 29/78] mac: validate mac_partition is within sector Kamal Mostafa
                   ` (49 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Jiri Slaby, Greg Kroah-Hartman, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 19cd80a214821f4b558560ebd76bfb2c38b4f3d8 upstream.

It is not permitted to set task state before lock. usblp_wwait sets
the state to TASK_INTERRUPTIBLE and calls mutex_lock_interruptible.
Upon return from that function, the state will be TASK_RUNNING again.

This is clearly a bug and a warning is generated with LOCKDEP too:
WARNING: CPU: 1 PID: 5109 at kernel/sched/core.c:7404 __might_sleep+0x7d/0x90()
do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffffa0c588d0>] usblp_wwait+0xa0/0x310 [usblp]
Modules linked in: ...
CPU: 1 PID: 5109 Comm: captmon Tainted: G        W       4.2.5-0.gef2823b-default #1
Hardware name: LENOVO 23252SG/23252SG, BIOS G2ET33WW (1.13 ) 07/24/2012
 ffffffff81a4edce ffff880236ec7ba8 ffffffff81716651 0000000000000000
 ffff880236ec7bf8 ffff880236ec7be8 ffffffff8106e146 0000000000000282
 ffffffff81a50119 000000000000028b 0000000000000000 ffff8802dab7c508
Call Trace:
...
 [<ffffffff8106e1c6>] warn_slowpath_fmt+0x46/0x50
 [<ffffffff8109a8bd>] __might_sleep+0x7d/0x90
 [<ffffffff8171b20f>] mutex_lock_interruptible_nested+0x2f/0x4b0
 [<ffffffffa0c588fc>] usblp_wwait+0xcc/0x310 [usblp]
 [<ffffffffa0c58bb2>] usblp_write+0x72/0x350 [usblp]
 [<ffffffff8121ed98>] __vfs_write+0x28/0xf0
...

Commit 7f477358e2384c54b190cc3b6ce28277050a041b (usblp: Implement the
ENOSPC convention) moved the set prior to locking. So move it back after
the lock.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Fixes: 7f477358e2 ("usblp: Implement the ENOSPC convention")
Acked-By: Pete Zaitcev <zaitcev@yahoo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/class/usblp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/class/usblp.c b/drivers/usb/class/usblp.c
index d4c47d5..7ac5fac 100644
--- a/drivers/usb/class/usblp.c
+++ b/drivers/usb/class/usblp.c
@@ -870,11 +870,11 @@ static int usblp_wwait(struct usblp *usblp, int nonblock)
 
 	add_wait_queue(&usblp->wwait, &waita);
 	for (;;) {
-		set_current_state(TASK_INTERRUPTIBLE);
 		if (mutex_lock_interruptible(&usblp->mut)) {
 			rc = -EINTR;
 			break;
 		}
+		set_current_state(TASK_INTERRUPTIBLE);
 		rc = usblp_wtest(usblp, nonblock);
 		mutex_unlock(&usblp->mut);
 		if (rc <= 0)
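Review bot: With set_current_state(TASK_INTERRUPTIBLE) now placed after mutex_lock_interruptible(), the two calls that follow it in the loop, usblp_wtest() and mutex_unlock(), run with the task already marked TASK_INTERRUPTIBLE, so neither may block or the same __might_sleep warning returns from a different call site. A short comment above the moved line saying that nothing between it and the wait may sleep would keep a later change from reintroducing the bug. The break on rc <= 0 also leaves the loop with TASK_INTERRUPTIBLE still set, so the code after the loop (outside this hunk) has to restore TASK_RUNNING; worth confirming that it does.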
-- 
1.9.1



* [PATCH 3.13.y-ckt 29/78] mac: validate mac_partition is within sector
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (27 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 28/78] usblp: do not set TASK_INTERRUPTIBLE before lock Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 30/78] ALSA: hda - Apply HP headphone fixups more generically Kamal Mostafa
                   ` (48 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Kees Cook, Jens Axboe, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 02e2a5bfebe99edcf9d694575a75032d53fe1b73 upstream.

If md->signature == MAC_DRIVER_MAGIC and md->block_size == 1023, a single
512 byte sector would be read (secsize / 512). However the partition
structure would be located past the end of the buffer (secsize % 512).

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 block/partitions/mac.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/block/partitions/mac.c b/block/partitions/mac.c
index 76d8ba6..bd5b914 100644
--- a/block/partitions/mac.c
+++ b/block/partitions/mac.c
@@ -32,7 +32,7 @@ int mac_partition(struct parsed_partitions *state)
 	Sector sect;
 	unsigned char *data;
 	int slot, blocks_in_map;
-	unsigned secsize;
+	unsigned secsize, datasize, partoffset;
 #ifdef CONFIG_PPC_PMAC
 	int found_root = 0;
 	int found_root_goodness = 0;
@@ -50,10 +50,14 @@ int mac_partition(struct parsed_partitions *state)
 	}
 	secsize = be16_to_cpu(md->block_size);
 	put_dev_sector(sect);
-	data = read_part_sector(state, secsize/512, &sect);
+	datasize = round_down(secsize, 512);
+	data = read_part_sector(state, datasize / 512, &sect);
 	if (!data)
 		return -1;
-	part = (struct mac_partition *) (data + secsize%512);
+	partoffset = secsize % 512;
+	if (partoffset + sizeof(*part) > datasize)
+		return -1;
+	part = (struct mac_partition *) (data + partoffset);
 	if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) {
 		put_dev_sector(sect);
 		return 0;		/* not a MacOS disk */
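Review bot: The new bail-out "if (partoffset + sizeof(*part) > datasize) return -1;" returns after read_part_sector() has succeeded but without calling put_dev_sector(sect), while the signature-mismatch path just below does release the sector before returning. Suggest bracing the return and calling put_dev_sector(sect) first. Separately, the bound is datasize, not the single 512-byte sector the commit message says is read: a block_size of 1535 gives datasize 1024 and partoffset 511, so the check passes whenever sizeof(*part) is at most 513 bytes while the structure still starts 511 bytes into that one sector. Comparing against 512, or rejecting any block_size that is not a multiple of 512, would match the stated intent.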
-- 
1.9.1



* [PATCH 3.13.y-ckt 30/78] ALSA: hda - Apply HP headphone fixups more generically
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (28 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 29/78] mac: validate mac_partition is within sector Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 31/78] fat: fix fake_offset handling on error path Kamal Mostafa
                   ` (47 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Takashi Iwai, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 196543d54574f50e3fd04df4e3048181e006a9da upstream.

It turned out that many HP laptops suffer from the same problem as
fixed in commit [c932b98c1e47: ALSA: hda - Apply pin fixup for HP
ProBook 6550b].  But it's tiresome to list all such PCI SSIDs, as
there are really lots of HP machines.

Instead, we do something a bit more clever: try to check the supposed dock and
built-in headphone pins, and apply the fixup when both seem valid.
This rule can be applied generically to all models using the same
quirk, so we'll fix all in one shot.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=107491
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/pci/hda/patch_sigmatel.c | 45 +++++++++++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 16 deletions(-)

diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
index 3629164..94a2c55 100644
--- a/sound/pci/hda/patch_sigmatel.c
+++ b/sound/pci/hda/patch_sigmatel.c
@@ -3116,6 +3116,29 @@ static void stac92hd71bxx_fixup_hp_hdx(struct hda_codec *codec,
 	spec->gpio_led = 0x08;
 }
 
+static bool is_hp_output(struct hda_codec *codec, hda_nid_t pin)
+{
+	unsigned int pin_cfg = snd_hda_codec_get_pincfg(codec, pin);
+
+	/* count line-out, too, as BIOS sets often so */
+	return get_defcfg_connect(pin_cfg) != AC_JACK_PORT_NONE &&
+		(get_defcfg_device(pin_cfg) == AC_JACK_LINE_OUT ||
+		 get_defcfg_device(pin_cfg) == AC_JACK_HP_OUT);
+}
+
+static void fixup_hp_headphone(struct hda_codec *codec, hda_nid_t pin)
+{
+	unsigned int pin_cfg = snd_hda_codec_get_pincfg(codec, pin);
+
+	/* It was changed in the BIOS to just satisfy MS DTM.
+	 * Lets turn it back into slaved HP
+	 */
+	pin_cfg = (pin_cfg & (~AC_DEFCFG_DEVICE)) |
+		(AC_JACK_HP_OUT << AC_DEFCFG_DEVICE_SHIFT);
+	pin_cfg = (pin_cfg & (~(AC_DEFCFG_DEF_ASSOC | AC_DEFCFG_SEQUENCE))) |
+		0x1f;
+	snd_hda_codec_set_pincfg(codec, pin, pin_cfg);
+}
 
 static void stac92hd71bxx_fixup_hp(struct hda_codec *codec,
 				   const struct hda_fixup *fix, int action)
@@ -3125,22 +3148,12 @@ static void stac92hd71bxx_fixup_hp(struct hda_codec *codec,
 	if (action != HDA_FIXUP_ACT_PRE_PROBE)
 		return;
 
-	if (hp_blike_system(codec->subsystem_id)) {
-		unsigned int pin_cfg = snd_hda_codec_get_pincfg(codec, 0x0f);
-		if (get_defcfg_device(pin_cfg) == AC_JACK_LINE_OUT ||
-			get_defcfg_device(pin_cfg) == AC_JACK_SPEAKER  ||
-			get_defcfg_device(pin_cfg) == AC_JACK_HP_OUT) {
-			/* It was changed in the BIOS to just satisfy MS DTM.
-			 * Lets turn it back into slaved HP
-			 */
-			pin_cfg = (pin_cfg & (~AC_DEFCFG_DEVICE))
-					| (AC_JACK_HP_OUT <<
-						AC_DEFCFG_DEVICE_SHIFT);
-			pin_cfg = (pin_cfg & (~(AC_DEFCFG_DEF_ASSOC
-							| AC_DEFCFG_SEQUENCE)))
-								| 0x1f;
-			snd_hda_codec_set_pincfg(codec, 0x0f, pin_cfg);
-		}
+	/* when both output A and F are assigned, these are supposedly
+	 * dock and built-in headphones; fix both pin configs
+	 */
+	if (is_hp_output(codec, 0x0a) && is_hp_output(codec, 0x0f)) {
+		fixup_hp_headphone(codec, 0x0a);
+		fixup_hp_headphone(codec, 0x0f);
 	}
 
 	if (find_mute_led_cfg(codec, 1))
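Review bot: The replacement condition drops two things the removed block had: the hp_blike_system(codec->subsystem_id) gate and the AC_JACK_SPEAKER case on pin 0x0f. A machine that matched hp_blike_system() with 0x0f configured as speaker, or with 0x0a unconnected, got the fixup before and no longer does, so the commit message should say whether that is intended. The pin NIDs 0x0a and 0x0f are also bare literals used twice each; named constants matching the "output A and F" comment would make the pairing easier to audit.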
-- 
1.9.1



* [PATCH 3.13.y-ckt 31/78] fat: fix fake_offset handling on error path
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (29 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 30/78] ALSA: hda - Apply HP headphone fixups more generically Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 32/78] kernel/signal.c: unexport sigsuspend() Kamal Mostafa
                   ` (46 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Richard Weinberger, OGAWA Hirofumi, Andrew Morton,
	Linus Torvalds, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

commit 928a477102c4fc6739883415b66987207e3502f4 upstream.

For the root directory, .  and ..  are faked (using dir_emit_dots()) and
ctx->pos is reset from 2 to 0.

A corrupted root directory could cause fat_get_entry() to fail, but
->iterate() (fat_readdir()) reports progress to the VFS (with ctx->pos
rewound to 0), so any following calls to ->iterate() continue to return
the same entries again and again.

The result is that userspace will never see the end of the directory,
causing e.g.  'ls' to hang in a getdents() loop.

[hirofumi@mail.parknet.co.jp: cleanup and make sure to correct fake_offset]
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Tested-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Richard Weinberger <richard.weinberger@gmail.com>
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/fat/dir.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/fs/fat/dir.c b/fs/fat/dir.c
index 3963ede..75bf5e7 100644
--- a/fs/fat/dir.c
+++ b/fs/fat/dir.c
@@ -614,9 +614,9 @@ parse_record:
 		int status = fat_parse_long(inode, &cpos, &bh, &de,
 					    &unicode, &nr_slots);
 		if (status < 0) {
-			ctx->pos = cpos;
+			bh = NULL;
 			ret = status;
-			goto out;
+			goto end_of_dir;
 		} else if (status == PARSE_INVALID)
 			goto record_end;
 		else if (status == PARSE_NOT_LONGNAME)
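Review bot: The added "bh = NULL;" before "goto end_of_dir" carries no comment, and its purpose only becomes clear from the third hunk, where end_of_dir falls through to brelse(bh). If fat_parse_long() has already dropped the buffer on failure, say so in a one-line comment here; if it has not, clearing bh leaks the buffer. This path also now reaches the "if (unicode) __putname(unicode);" cleanup that "goto out" used to skip, which looks like an intended side fix and deserves a mention in the commit message.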
@@ -658,8 +658,9 @@ parse_record:
 	fill_len = short_len;
 
 start_filldir:
-	if (!fake_offset)
-		ctx->pos = cpos - (nr_slots + 1) * sizeof(struct msdos_dir_entry);
+	ctx->pos = cpos - (nr_slots + 1) * sizeof(struct msdos_dir_entry);
+	if (fake_offset && ctx->pos < 2)
+		ctx->pos = 2;
 
 	if (!memcmp(de->name, MSDOS_DOT, MSDOS_NAME)) {
 		if (!dir_emit_dot(file, ctx))
@@ -685,14 +686,19 @@ record_end:
 	fake_offset = 0;
 	ctx->pos = cpos;
 	goto get_new;
+
 end_of_dir:
-	ctx->pos = cpos;
+	if (fake_offset && cpos < 2)
+		ctx->pos = 2;
+	else
+		ctx->pos = cpos;
 fill_failed:
 	brelse(bh);
 	if (unicode)
 		__putname(unicode);
 out:
 	mutex_unlock(&sbi->s_lock);
+
 	return ret;
 }
 
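Review bot: The clamp "if (fake_offset && cpos < 2) ctx->pos = 2;" at end_of_dir repeats the logic added at start_filldir with the same bare 2. Since 2 stands for the two faked dot entries, a named constant or a small helper that computes the reported position would keep the two sites from drifting apart. The two added blank lines are unrelated whitespace changes and could be dropped from a stable backport.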
-- 
1.9.1



* [PATCH 3.13.y-ckt 32/78] kernel/signal.c: unexport sigsuspend()
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (30 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 31/78] fat: fix fake_offset handling on error path Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 33/78] parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h Kamal Mostafa
                   ` (45 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Richard Weinberger, Andrew Morton, Linus Torvalds, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 9d8a765211335cfdad464b90fb19f546af5706ae upstream.

sigsuspend() is not used anywhere except in signal.c itself, so we can mark it
static to not pollute the global namespace.

But this patch is more than a boring cleanup patch, it fixes a real issue
on UserModeLinux.  UML has a special console driver to display ttys using
xterm, or other terminal emulators, on the host side.  Vegard reported
that sometimes UML is unable to spawn an xterm and he's facing the
following warning:

  WARNING: CPU: 0 PID: 908 at include/linux/thread_info.h:128 sigsuspend+0xab/0xc0()

It turned out that this warning makes absolutely no sense as the UML
xterm code calls sigsuspend() on the host side, at least it tries.  But
as the kernel itself offers a sigsuspend() symbol the linker chose this
one instead of the glibc wrapper.  Interestingly, this code has worked
all along but always blocked signals on the wrong side.  Some recent
kernel change made the WARN_ON() trigger and uncovered the bug.

It is a wonderful example of how much works by chance on computers. :-)

Fixes: 68f3f16d9ad0f1 ("new helper: sigsuspend()")
Signed-off-by: Richard Weinberger <richard@nod.at>
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Tested-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/linux/signal.h | 1 -
 kernel/signal.c        | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/include/linux/signal.h b/include/linux/signal.h
index 2ac423b..53944e5 100644
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -247,7 +247,6 @@ extern int sigprocmask(int, sigset_t *, sigset_t *);
 extern void set_current_blocked(sigset_t *);
 extern void __set_current_blocked(const sigset_t *);
 extern int show_unhandled_signals;
-extern int sigsuspend(sigset_t *);
 
 struct sigaction {
 #ifndef __ARCH_HAS_IRIX_SIGACTION
diff --git a/kernel/signal.c b/kernel/signal.c
index 940b30e..9864d04 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -3550,7 +3550,7 @@ SYSCALL_DEFINE0(pause)
 
 #endif
 
-int sigsuspend(sigset_t *set)
+static int sigsuspend(sigset_t *set)
 {
 	current->saved_sigmask = current->blocked;
 	set_current_blocked(set);
-- 
1.9.1



* [PATCH 3.13.y-ckt 33/78] parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (31 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 32/78] kernel/signal.c: unexport sigsuspend() Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 34/78] can: sja1000: clear interrupts on start Kamal Mostafa
                   ` (44 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Helge Deller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Helge Deller <deller@gmx.de>

commit dcbf0d299c00ed4f82ea8d6e359ad88a5182f9b8 upstream.

Drop the MADV_xxK_PAGES flags, which were never used and were from a proposed
API which was never integrated into the generic Linux kernel code.

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/parisc/include/uapi/asm/mman.h | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/arch/parisc/include/uapi/asm/mman.h b/arch/parisc/include/uapi/asm/mman.h
index 294d251..2ae13ce5 100644
--- a/arch/parisc/include/uapi/asm/mman.h
+++ b/arch/parisc/include/uapi/asm/mman.h
@@ -46,16 +46,6 @@
 #define MADV_DONTFORK	10		/* don't inherit across fork */
 #define MADV_DOFORK	11		/* do inherit across fork */
 
-/* The range 12-64 is reserved for page size specification. */
-#define MADV_4K_PAGES   12              /* Use 4K pages  */
-#define MADV_16K_PAGES  14              /* Use 16K pages */
-#define MADV_64K_PAGES  16              /* Use 64K pages */
-#define MADV_256K_PAGES 18              /* Use 256K pages */
-#define MADV_1M_PAGES   20              /* Use 1 Megabyte pages */
-#define MADV_4M_PAGES   22              /* Use 4 Megabyte pages */
-#define MADV_16M_PAGES  24              /* Use 16 Megabyte pages */
-#define MADV_64M_PAGES  26              /* Use 64 Megabyte pages */
-
 #define MADV_MERGEABLE   65		/* KSM may merge identical pages */
 #define MADV_UNMERGEABLE 66		/* KSM may not merge identical pages */
 
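Review bot: These defines live in a uapi header (arch/parisc/include/uapi/asm/mman.h), so removing them is visible to userspace: any program that references MADV_4K_PAGES through MADV_64M_PAGES stops compiling against the updated headers even though the kernel never acted on the values. The commit message should state that no known userspace uses them. The deleted comment was also the only record that the range 12-64 was reserved, so a replacement comment saying whether those values are now free for reuse would help.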
-- 
1.9.1



* [PATCH 3.13.y-ckt 34/78] can: sja1000: clear interrupts on start
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (32 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 33/78] parisc: Drop unused MADV_xxxK_PAGES flags from asm/mman.h Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 35/78] powerpc/tm: Block signal return setting invalid MSR state Kamal Mostafa
                   ` (43 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Mirza Krak, Marc Kleine-Budde, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mirza Krak <mirza.krak@hostmobility.com>

commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.

According to the SJA1000 data sheet, the error-warning (EI) interrupt is not
cleared by setting the controller into reset mode.

Then if we have the following case:
- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
  in operating state
- A bus error condition occurs which activates the EI interrupt, system is
  still suspended which means the EI interrupt will not be handled or
  cleared.

If the above two events occur, on resume there is no way to return the
SJA1000 to operating state, except to cycle power to it.

By simply reading the IR register on start we will clear any previous
conditions that could be present.

Signed-off-by: Mirza Krak <mirza.krak@hostmobility.com>
Reported-by: Christian Magnusson <Christian.Magnusson@semcon.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/can/sja1000/sja1000.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c
index f17c301..c2d0559 100644
--- a/drivers/net/can/sja1000/sja1000.c
+++ b/drivers/net/can/sja1000/sja1000.c
@@ -184,6 +184,9 @@ static void sja1000_start(struct net_device *dev)
 	priv->write_reg(priv, SJA1000_RXERR, 0x0);
 	priv->read_reg(priv, SJA1000_ECC);
 
+	/* clear interrupt flags */
+	priv->read_reg(priv, SJA1000_IR);
+
 	/* leave reset mode */
 	set_normal_mode(dev);
 }
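Review bot: The added read "priv->read_reg(priv, SJA1000_IR);" discards its result, and the comment "clear interrupt flags" does not say that the read itself is what clears them. Suggest wording such as "IR is cleared on read; EI is not cleared by entering reset mode" so the line is not later removed as a dead read.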
-- 
1.9.1



* [PATCH 3.13.y-ckt 35/78] powerpc/tm: Block signal return setting invalid MSR state
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (33 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 34/78] can: sja1000: clear interrupts on start Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 36/78] ARC: dw2 unwind: Remove falllback linear search thru FDE entries Kamal Mostafa
                   ` (42 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Michael Neuling, Michael Ellerman, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Neuling <mikey@neuling.org>

commit d2b9d2a5ad5ef04ff978c9923d19730cb05efd55 upstream.

Currently we allow both the MSR T and S bits to be set by userspace on
a signal return.  Unfortunately this is a reserved configuration and
will cause a TM Bad Thing exception if attempted (via rfid).

This patch checks for this case in both the 32 and 64 bit signals
code.  If both T and S are set, we mark the context as invalid.

Found using a syscall fuzzer.

Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
Signed-off-by: Michael Neuling <mikey@neuling.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/powerpc/include/asm/reg.h  |  1 +
 arch/powerpc/kernel/signal_32.c | 14 +++++++++-----
 arch/powerpc/kernel/signal_64.c |  4 ++++
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
index 663e5c2..644e6a5 100644
--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
@@ -108,6 +108,7 @@
 #define MSR_TS_T	__MASK(MSR_TS_T_LG)	/*  Transaction Transactional */
 #define MSR_TS_MASK	(MSR_TS_T | MSR_TS_S)   /* Transaction State bits */
 #define MSR_TM_ACTIVE(x) (((x) & MSR_TS_MASK) != 0) /* Transaction active? */
+#define MSR_TM_RESV(x) (((x) & MSR_TS_MASK) == MSR_TS_MASK) /* Reserved */
 #define MSR_TM_TRANSACTIONAL(x)	(((x) & MSR_TS_MASK) == MSR_TS_T)
 #define MSR_TM_SUSPENDED(x)	(((x) & MSR_TS_MASK) == MSR_TS_S)
 
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index c5e5854..885e9ab 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -869,6 +869,15 @@ static long restore_tm_user_regs(struct pt_regs *regs,
 		return 1;
 #endif /* CONFIG_SPE */
 
+	/* Get the top half of the MSR from the user context */
+	if (__get_user(msr_hi, &tm_sr->mc_gregs[PT_MSR]))
+		return 1;
+	msr_hi <<= 32;
+	/* If TM bits are set to the reserved value, it's an invalid context */
+	if (MSR_TM_RESV(msr_hi))
+		return 1;
+	/* Pull in the MSR TM bits from the user context */
+	regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr_hi & MSR_TS_MASK);
 	/* Now, recheckpoint.  This loads up all of the checkpointed (older)
 	 * registers, including FP and V[S]Rs.  After recheckpointing, the
 	 * transactional versions should be loaded.
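Review bot: Besides adding the MSR_TM_RESV() check, this moves the "regs->msr = ..." TS update ahead of tm_recheckpoint(), where the removed code applied it afterwards. Only the check needs to run before recheckpointing, so either keep the assignment in its old place or explain in the commit message why regs->msr may carry the user-supplied TS bits before the recheckpoint has happened. "msr_hi <<= 32" also relies on msr_hi being a 64-bit type, which the hunk does not show.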
@@ -878,11 +887,6 @@ static long restore_tm_user_regs(struct pt_regs *regs,
 	current->thread.tm_texasr |= TEXASR_FS;
 	/* This loads the checkpointed FP/VEC state, if used */
 	tm_recheckpoint(&current->thread, msr);
-	/* Get the top half of the MSR */
-	if (__get_user(msr_hi, &tm_sr->mc_gregs[PT_MSR]))
-		return 1;
-	/* Pull in MSR TM from user context */
-	regs->msr = (regs->msr & ~MSR_TS_MASK) | ((msr_hi<<32) & MSR_TS_MASK);
 
 	/* This loads the speculative FP/VEC state, if used */
 	if (msr & MSR_FP) {
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index 96fb6c8..b6b5f11 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -421,6 +421,10 @@ static long restore_tm_sigcontexts(struct pt_regs *regs,
 
 	/* get MSR separately, transfer the LE bit if doing signal return */
 	err |= __get_user(msr, &sc->gp_regs[PT_MSR]);
+	/* Don't allow reserved mode. */
+	if (MSR_TM_RESV(msr))
+		return -EINVAL;
+
 	/* pull in MSR TM from user context */
 	regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);
 
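Review bot: MSR_TM_RESV(msr) is evaluated right after "err |= __get_user(msr, &sc->gp_regs[PT_MSR]);" without looking at err, so on a faulting read the test runs on whatever __get_user() left in msr. Checking err first, or folding the test into the existing error handling, would avoid that. The reserved case returns -EINVAL here while the 32-bit path in signal_32.c returns 1; a comment on the convention each caller expects would help.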
-- 
1.9.1



* [PATCH 3.13.y-ckt 36/78] ARC: dw2 unwind: Remove falllback linear search thru FDE entries
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (34 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 35/78] powerpc/tm: Block signal return setting invalid MSR state Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 37/78] fix sysvfs symlinks Kamal Mostafa
                   ` (41 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Vineet Gupta, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <vgupta@synopsys.com>

commit 2e22502c080f27afeab5e6f11e618fb7bc7aea53 upstream.

Fixes STAR 9000953410: "perf callgraph profiling causing RCU stalls"

| perf record -g -c 15000 -e cycles /sbin/hackbench
|
| INFO: rcu_preempt self-detected stall on CPU
| 1: (1 GPs behind) idle=609/140000000000002/0 softirq=2914/2915 fqs=603
| Task dump for CPU 1:

The in-kernel dwarf unwinder has a fast binary lookup and a fallback linear
search (which iterates thru each of ~11K entries) and thus takes 2 orders of
magnitude longer (~3 million cycles vs. 2000). Routines written in hand
assembler lack dwarf info (as we don't support assembler CFI pseudo-ops
yet), fail the unwinder binary lookup, hit the linear search, and fail
nevertheless in the end.

However the linear search is pointless as binary lookup tables are created
from it in the first place. It is impossible to have the binary lookup fail
while the linear search succeeds. It is a pure waste of cycles, thus removed
by this patch.

This manifested as RCU stalls / NMI watchdog splat when running
hackbench under perf with callgraph profiling. The triggering condition
was the perf counter overflowing in a routine lacking dwarf info (like memset)
leading to the pathetic 3 million cycle unwinder slow path, and by the time it
returned new interrupts were already pending (Timer, IPI) and taken
right away. The original memset didn't make forward progress, the system kept
accruing more interrupts and more unwinder delays in a vicious feedback
loop, ultimately triggering the NMI diagnostic.

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arc/kernel/unwind.c | 37 ++++---------------------------------
 1 file changed, 4 insertions(+), 33 deletions(-)

diff --git a/arch/arc/kernel/unwind.c b/arch/arc/kernel/unwind.c
index e550b11..2d6a36e 100644
--- a/arch/arc/kernel/unwind.c
+++ b/arch/arc/kernel/unwind.c
@@ -986,42 +986,13 @@ int arc_unwind(struct unwind_frame_info *frame)
 							    (const u8 *)(fde +
 									 1) +
 							    *fde, ptrType);
-				if (pc >= endLoc)
+				if (pc >= endLoc) {
 					fde = NULL;
-			} else
-				fde = NULL;
-		}
-		if (fde == NULL) {
-			for (fde = table->address, tableSize = table->size;
-			     cie = NULL, tableSize > sizeof(*fde)
-			     && tableSize - sizeof(*fde) >= *fde;
-			     tableSize -= sizeof(*fde) + *fde,
-			     fde += 1 + *fde / sizeof(*fde)) {
-				cie = cie_for_fde(fde, table);
-				if (cie == &bad_cie) {
 					cie = NULL;
-					break;
 				}
-				if (cie == NULL
-				    || cie == &not_fde
-				    || (ptrType = fde_pointer_type(cie)) < 0)
-					continue;
-				ptr = (const u8 *)(fde + 2);
-				startLoc = read_pointer(&ptr,
-							(const u8 *)(fde + 1) +
-							*fde, ptrType);
-				if (!startLoc)
-					continue;
-				if (!(ptrType & DW_EH_PE_indirect))
-					ptrType &=
-					    DW_EH_PE_FORM | DW_EH_PE_signed;
-				endLoc =
-				    startLoc + read_pointer(&ptr,
-							    (const u8 *)(fde +
-									 1) +
-							    *fde, ptrType);
-				if (pc >= startLoc && pc < endLoc)
-					break;
+			} else {
+				fde = NULL;
+				cie = NULL;
 			}
 		}
 	}
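Review bot: After this change a miss in the binary lookup is final, but nothing at the site says so, and fde and cie are now cleared in two separate branches. A short comment stating that there is deliberately no linear fallback, with the reason from the commit message, and a single reset point for fde and cie would make the control flow easier to follow. It is also worth checking that tableSize and startLoc are still used elsewhere in arc_unwind(), since the removed loop was a visible user of both.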
-- 
1.9.1



* [PATCH 3.13.y-ckt 37/78] fix sysvfs symlinks
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (35 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 36/78] ARC: dw2 unwind: Remove falllback linear search thru FDE entries Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 38/78] vfs: Make sendfile(2) killable even better Kamal Mostafa
                   ` (40 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Al Viro, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 0ebf7f10d67a70e120f365018f1c5fce9ddc567d upstream.

The thing got broken back in 2002 - sysvfs does *not* have inline
symlinks; even short ones have bodies stored in the first block
of file.  sysv_symlink() handles that correctly; unfortunately,
attempting to look an existing symlink up will end up confusing
them for inline symlinks, and interpret the block number containing
the body as the body itself.

Nobody has noticed until now, which says something about the level
of testing sysvfs gets ;-/

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/sysv/inode.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c
index c327d4e..7b3792e 100644
--- a/fs/sysv/inode.c
+++ b/fs/sysv/inode.c
@@ -161,14 +161,8 @@ void sysv_set_inode(struct inode *inode, dev_t rdev)
 		inode->i_fop = &sysv_dir_operations;
 		inode->i_mapping->a_ops = &sysv_aops;
 	} else if (S_ISLNK(inode->i_mode)) {
-		if (inode->i_blocks) {
-			inode->i_op = &sysv_symlink_inode_operations;
-			inode->i_mapping->a_ops = &sysv_aops;
-		} else {
-			inode->i_op = &sysv_fast_symlink_inode_operations;
-			nd_terminate_link(SYSV_I(inode)->i_data, inode->i_size,
-				sizeof(SYSV_I(inode)->i_data) - 1);
-		}
+		inode->i_op = &sysv_symlink_inode_operations;
+		inode->i_mapping->a_ops = &sysv_aops;
 	} else
 		init_special_inode(inode, inode->i_mode, rdev);
 }
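Review bot: This removes the only use of sysv_fast_symlink_inode_operations visible here, yet the diffstat lists fs/sysv/inode.c as the sole file changed, so the definition and its declaration stay behind. If nothing else references them, drop them in the same patch so the fast-symlink path cannot be wired back in by mistake.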
-- 
1.9.1



* [PATCH 3.13.y-ckt 38/78] vfs: Make sendfile(2) killable even better
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (36 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 37/78] fix sysvfs symlinks Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 39/78] vfs: Avoid softlockups with sendfile(2) Kamal Mostafa
                   ` (39 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Jan Kara, Al Viro, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit c725bfce7968009756ed2836a8cd7ba4dc163011 upstream.

Commit 296291cdd162 (mm: make sendfile(2) killable) fixed an issue where
sendfile(2) was doing a lot of tiny writes into a filesystem and thus
was unkillable for a long time. However sendfile(2) can be (mis)used to
issue lots of writes into an arbitrary file descriptor such as eventfd or
similar special file descriptors which never hit the standard filesystem
write path and thus are still unkillable. E.g. the following example
from Dmitry burns CPU for ~16s on my test system without the possibility of
being killed:

        int r1 = eventfd(0, 0);
        int r2 = memfd_create("", 0);
        unsigned long n = 1<<30;
        fallocate(r2, 0, 0, n);
        sendfile(r1, r2, 0, n);

There are actually quite a few tests for pending signals in sendfile
code; however, when data to write is always available, none of them seems to
trigger. So fix the problem by adding a test for pending signal into
splice_from_pipe_next() also before the loop waiting for pipe buffers to
be available. This should fix all the lockup issues with sendfile of the
do-ton-of-tiny-writes nature.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/splice.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/splice.c b/fs/splice.c
index f345d53..4eef647 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -871,6 +871,13 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
  */
 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
 {
+	/*
+	 * Check for signal early to make process killable when there are
+	 * always buffers available
+	 */
+	if (signal_pending(current))
+		return -ERESTARTSYS;
+
 	while (!pipe->nrbufs) {
 		if (!pipe->writers)
 			return 0;
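Review bot: The early `if (signal_pending(current)) return -ERESTARTSYS;` at the top of splice_from_pipe_next() fires even when pipe->nrbufs is non-zero, so the function's header comment (the block closed by ` */` just above) should list -ERESTARTSYS for the buffers-available case. The caller's handling of a negative return after some data has already been consumed also deserves a look, so that a partial transfer is reported as a byte count rather than as the error.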
-- 
1.9.1



* [PATCH 3.13.y-ckt 39/78] vfs: Avoid softlockups with sendfile(2)
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (37 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 38/78] vfs: Make sendfile(2) killable even better Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 40/78] nfs4: start callback_ident at idr 1 Kamal Mostafa
                   ` (38 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dmitry Vyukov, Jan Kara, Al Viro, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit c2489e07c0a71a56fb2c84bc0ee66cddfca7d068 upstream.

The following test program from Dmitry can cause softlockups or RCU
stalls as it copies 1GB from tmpfs into eventfd and we don't have any
scheduling point at that path in sendfile(2) implementation:

        int r1 = eventfd(0, 0);
        int r2 = memfd_create("", 0);
        unsigned long n = 1<<30;
        fallocate(r2, 0, 0, n);
        sendfile(r1, r2, 0, n);

Add cond_resched() into __splice_from_pipe() to fix the problem.

CC: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/splice.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/splice.c b/fs/splice.c
index 4eef647..bef92b4 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -956,6 +956,7 @@ ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
 
 	splice_from_pipe_begin(sd);
 	do {
+		cond_resched();
 		ret = splice_from_pipe_next(pipe, sd);
 		if (ret > 0)
 			ret = splice_from_pipe_feed(pipe, sd, actor);
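Review bot: The `cond_resched();` added at the top of the do loop in __splice_from_pipe() carries no comment, unlike the signal check added to splice_from_pipe_next(); a one-line note that this is the scheduling point for long copies where buffers are always available would keep it from being removed as redundant. Since cond_resched() may schedule, it is also worth confirming that no user of __splice_from_pipe() calls it from atomic context.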
-- 
1.9.1



* [PATCH 3.13.y-ckt 40/78] nfs4: start callback_ident at idr 1
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (38 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 39/78] vfs: Avoid softlockups with sendfile(2) Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 41/78] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back from S3 Kamal Mostafa
                   ` (37 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Benjamin Coddington, Trond Myklebust, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Coddington <bcodding@redhat.com>

commit c68a027c05709330fe5b2f50c50d5fa02124b5d8 upstream.

If clp->cl_cb_ident is zero, then nfs_cb_idr_remove_locked() skips removing
it when the nfs_client is freed.  A decoding or server bug can then find
and try to put that first nfs_client which would lead to a crash.

Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Fixes: d6870312659d ("nfs4client: convert to idr_alloc()")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/nfs/nfs4client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
index baa9bfb..ced4b0e 100644
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -33,7 +33,7 @@ static int nfs_get_cb_ident_idr(struct nfs_client *clp, int minorversion)
 		return ret;
 	idr_preload(GFP_KERNEL);
 	spin_lock(&nn->nfs_client_lock);
-	ret = idr_alloc(&nn->cb_ident_idr, clp, 0, 0, GFP_NOWAIT);
+	ret = idr_alloc(&nn->cb_ident_idr, clp, 1, 0, GFP_NOWAIT);
 	if (ret >= 0)
 		clp->cl_cb_ident = ret;
 	spin_unlock(&nn->nfs_client_lock);
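Review bot: The start value `1` in `idr_alloc(&nn->cb_ident_idr, clp, 1, 0, GFP_NOWAIT)` is a bare literal whose reason (an ident of 0 is skipped on removal) lives only in the commit message; a short comment above the call, or a named constant, would stop a later cleanup from resetting it to 0.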
-- 
1.9.1
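The failure mode described in the commit message above, as an added user-space model that is not code from the patch or from the kernel: an identifier of 0 doubles as "never registered", so teardown leaves the entry behind and a later lookup returns the dead client. All `toy_*` names, the fixed-size table and `stale_after_teardown()` are hypothetical stand-ins for the idr and nfs_client code.

```c
#include <stddef.h>
#include <stdio.h>

#define TOY_IDR_SLOTS 8

/* Stand-in for struct nfs_client; only the callback ident matters here. */
struct toy_client {
	int cb_ident;	/* models clp->cl_cb_ident */
};

/* Stand-in for the per-net idr: id -> client pointer. */
struct toy_idr {
	struct toy_client *slot[TOY_IDR_SLOTS];
};

/* Lowest free id >= start, or -1 when full (models idr_alloc()'s start argument). */
static int toy_idr_alloc(struct toy_idr *idr, struct toy_client *clp, int start)
{
	for (int id = start; id < TOY_IDR_SLOTS; id++) {
		if (idr->slot[id] == NULL) {
			idr->slot[id] = clp;
			return id;
		}
	}
	return -1;
}

/*
 * Models the removal behaviour the commit message describes:
 * an ident of 0 is read as "nothing to remove", so the slot is kept.
 */
static void toy_cb_idr_remove(struct toy_idr *idr, struct toy_client *clp)
{
	if (clp->cb_ident)
		idr->slot[clp->cb_ident] = NULL;
}

/* Lookup by ident, as a callback decoder would do with a value from the wire. */
static struct toy_client *toy_idr_find(const struct toy_idr *idr, int id)
{
	if (id < 0 || id >= TOY_IDR_SLOTS)
		return NULL;
	return idr->slot[id];
}

/*
 * Register one client with the given allocation start, tear it down,
 * then look its ident up again.
 * Returns 1 if the lookup still yields the torn-down client, 0 if not,
 * -1 if allocation failed.
 */
static int stale_after_teardown(int start)
{
	struct toy_idr idr = { { NULL } };
	struct toy_client clp = { 0 };
	int id = toy_idr_alloc(&idr, &clp, start);

	if (id < 0)
		return -1;
	clp.cb_ident = id;

	toy_cb_idr_remove(&idr, &clp);	/* client is being freed */

	return toy_idr_find(&idr, id) != NULL;
}

int main(void)
{
	printf("start=0: stale entry after teardown = %d\n", stale_after_teardown(0));
	printf("start=1: stale entry after teardown = %d\n", stale_after_teardown(1));
	return 0;
}
```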



* [PATCH 3.13.y-ckt 41/78] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back from S3
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (39 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 40/78] nfs4: start callback_ident at idr 1 Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 42/78] ring-buffer: Update read stamp with first real commit on page Kamal Mostafa
                   ` (36 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Kailang Yang, Hui Wang, Takashi Iwai, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Wang <hui.wang@canonical.com>

commit 8c69729b4439bbda88c3073df7243f755cc418ed upstream.

We have a Dell XPS 13 machine with the alc256 codec; after resuming from
S3, the headphone has noise when playing sound.

By comparing the coeff value before and after S3, we found that
restoring a coeff register helps remove the noise.

BugLink: https://bugs.launchpad.net/bugs/1519168
Cc: Kailang Yang <kailang@realtek.com>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 sound/pci/hda/patch_realtek.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 548cdf9..65b1112 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4021,6 +4021,7 @@ enum {
 	ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
 	ALC255_FIXUP_HEADSET_MODE,
 	ALC275_FIXUP_DELL_XPS,
+	ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -4406,6 +4407,17 @@ static const struct hda_fixup alc269_fixups[] = {
 			{}
 		}
 	},
+	[ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE] = {
+		.type = HDA_FIXUP_VERBS,
+		.v.verbs = (const struct hda_verb[]) {
+			/* Disable pass-through path for FRONT 14h */
+			{0x20, AC_VERB_SET_COEF_INDEX, 0x36},
+			{0x20, AC_VERB_SET_PROC_COEF, 0x1737},
+			{}
+		},
+		.chained = true,
+		.chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE
+	},
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
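Review bot: In the new ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE entry, coefficient index 0x36 and value 0x1737 are undocumented magic numbers, and the commit message says they were found by comparing coefficient values before and after S3; the comment should say so and state whether the whole value matters or only the pass-through bit. The entry also chains an ALC256 fixup to ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, which deserves a word on why the ALC255 fixup is the right one for this codec.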
@@ -4483,6 +4495,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
 	SND_PCI_QUIRK(0x1028, 0x0684, "Dell", ALC269_FIXUP_DELL2_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1028, 0x15cc, "Dell X5 Precision", ALC269_FIXUP_DELL2_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1028, 0x15cd, "Dell X5 Precision", ALC269_FIXUP_DELL2_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
 	SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
 	SND_PCI_QUIRK(0x103c, 0x18e6, "HP", ALC269_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x1973, "HP Pavilion", ALC269_FIXUP_HP_MUTE_LED_MIC1),
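Review bot: The new `SND_PCI_QUIRK(0x1028, 0x0704, ...)` line is placed after the 0x15cc and 0x15cd entries, while the neighbouring Dell entries run in ascending subsystem-ID order (0x0684, 0x15cc, 0x15cd); moving it between 0x0684 and 0x15cc keeps the table ordered and makes a duplicate ID easier to spot.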
-- 
1.9.1



* [PATCH 3.13.y-ckt 42/78] ring-buffer: Update read stamp with first real commit on page
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (40 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 41/78] ALSA: hda - Fix headphone noise after Dell XPS 13 resume back from S3 Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 43/78] arm64: KVM: Fix AArch32 to AArch64 register mapping Kamal Mostafa
                   ` (35 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Steven Rostedt, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit b81f472a208d3e2b4392faa6d17037a89442f4ce upstream.

Do not update the read stamp after swapping out the reader page from the
write buffer. If the reader page is swapped out of the buffer before an
event is written to it, then the read_stamp may get an out of date
timestamp, as the page timestamp is updated on the first commit to that
page.

rb_get_reader_page() only returns a page if it has an event on it, otherwise
it will return NULL. At that point, check if the page being returned has
events and has not been read yet. Then at that point update the read_stamp
to match the time stamp of the reader page.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 kernel/trace/ring_buffer.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index dc0a884..c660e9f 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -1946,12 +1946,6 @@ rb_set_commit_to_write(struct ring_buffer_per_cpu *cpu_buffer)
 		goto again;
 }
 
-static void rb_reset_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
-{
-	cpu_buffer->read_stamp = cpu_buffer->reader_page->page->time_stamp;
-	cpu_buffer->reader_page->read = 0;
-}
-
 static void rb_inc_iter(struct ring_buffer_iter *iter)
 {
 	struct ring_buffer_per_cpu *cpu_buffer = iter->cpu_buffer;
@@ -3589,7 +3583,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
 
 	/* Finally update the reader page to the new head */
 	cpu_buffer->reader_page = reader;
-	rb_reset_reader_page(cpu_buffer);
+	cpu_buffer->reader_page->read = 0;
 
 	if (overwrite != cpu_buffer->last_overrun) {
 		cpu_buffer->lost_events = overwrite - cpu_buffer->last_overrun;
@@ -3599,6 +3593,10 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
 	goto again;
 
  out:
+	/* Update the read_stamp on the first event */
+	if (reader && reader->read == 0)
+		cpu_buffer->read_stamp = reader->page->time_stamp;
+
 	arch_spin_unlock(&cpu_buffer->lock);
 	local_irq_restore(flags);
 
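Review bot: At the `out:` label, `reader->read == 0` stays true on every call until the first event of the page is consumed, so read_stamp is rewritten on each such call rather than only once. That looks harmless, but the comment "Update the read_stamp on the first event" should explain that the page time_stamp is only set by the first commit to the page, which is the reason the assignment moved here from the page swap.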
-- 
1.9.1



* [PATCH 3.13.y-ckt 43/78] arm64: KVM: Fix AArch32 to AArch64 register mapping
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (41 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 42/78] ring-buffer: Update read stamp with first real commit on page Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 44/78] drm/radeon: make rv770_set_sw_state failures non-fatal Kamal Mostafa
                   ` (34 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Marc Zyngier, Christoffer Dall, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit c0f0963464c24e034b858441205455bf2a5d93ad upstream.

When running a 32bit guest under a 64bit hypervisor, the ARMv8
architecture defines a mapping of the 32bit registers in the 64bit
space. This includes banked registers that are being demultiplexed
over the 64bit ones.

On exceptions caused by an operation involving a 32bit register, the
HW exposes the register number in the ESR_EL2 register. It was so
far understood that SW had to distinguish between AArch32 and AArch64
accesses (based on the current AArch32 mode and register number).

It turns out that I misinterpreted the ARM ARM, and the clue is in
D1.20.1: "For some exceptions, the exception syndrome given in the
ESR_ELx identifies one or more register numbers from the issued
instruction that generated the exception. Where the exception is
taken from an Exception level using AArch32 these register numbers
give the AArch64 view of the register."

Which means that the HW is already giving us the translated version,
and that we shouldn't try to interpret it at all (for example, doing
an MMIO operation from the IRQ mode using the LR register leads to
very unexpected behaviours).

The fix is thus not to perform a call to vcpu_reg32() at all from
vcpu_reg(), and use whatever register number is supplied directly.
The only case we need to find out about the mapping is when we
actively generate a register access, which only occurs when injecting
a fault in a guest.

Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm64/include/asm/kvm_emulate.h | 8 +++++---
 arch/arm64/kvm/inject_fault.c        | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h
index dd8ecfc3..4c9a5cb 100644
--- a/arch/arm64/include/asm/kvm_emulate.h
+++ b/arch/arm64/include/asm/kvm_emulate.h
@@ -79,11 +79,13 @@ static inline void vcpu_set_thumb(struct kvm_vcpu *vcpu)
 	*vcpu_cpsr(vcpu) |= COMPAT_PSR_T_BIT;
 }
 
+/*
+ * vcpu_reg should always be passed a register number coming from a
+ * read of ESR_EL2. Otherwise, it may give the wrong result on AArch32
+ * with banked registers.
+ */
 static inline unsigned long *vcpu_reg(const struct kvm_vcpu *vcpu, u8 reg_num)
 {
-	if (vcpu_mode_is_32bit(vcpu))
-		return vcpu_reg32(vcpu, reg_num);
-
 	return (unsigned long *)&vcpu_gp_regs(vcpu)->regs.regs[reg_num];
 }
 
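Review bot: After this change vcpu_reg() indexes `regs.regs[reg_num]` with whatever the caller passes, and the requirement that reg_num comes from ESR_EL2 is carried only by the new comment; any remaining caller that passes a software-chosen AArch32 register number now gets the wrong result for a banked mode. The changelog should state that all callers were audited, as the inject_fault.c hunk does for register 14.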
diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c
index 86825f88..f527a37 100644
--- a/arch/arm64/kvm/inject_fault.c
+++ b/arch/arm64/kvm/inject_fault.c
@@ -48,7 +48,7 @@ static void prepare_fault32(struct kvm_vcpu *vcpu, u32 mode, u32 vect_offset)
 
 	/* Note: These now point to the banked copies */
 	*vcpu_spsr(vcpu) = new_spsr_value;
-	*vcpu_reg(vcpu, 14) = *vcpu_pc(vcpu) + return_offset;
+	*vcpu_reg32(vcpu, 14) = *vcpu_pc(vcpu) + return_offset;
 
 	/* Branch to exception vector */
 	if (sctlr & (1 << 13))
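Review bot: The switch to `*vcpu_reg32(vcpu, 14)` in prepare_fault32() is the one place where software generates the register number itself, and the existing comment ("These now point to the banked copies") does not say that. A short note that 14 is an AArch32 register number and must go through the banked mapping rather than vcpu_reg() would keep this from being changed back during a cleanup.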
-- 
1.9.1



* [PATCH 3.13.y-ckt 44/78] drm/radeon: make rv770_set_sw_state failures non-fatal
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (42 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 43/78] arm64: KVM: Fix AArch32 to AArch64 register mapping Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 45/78] RDS: fix race condition when sending a message on unbound socket Kamal Mostafa
                   ` (33 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 4e7697ed79d0c0d5f869c87a6b3ce3d5cd1a07d6 upstream.

On some cards it takes a relatively long time for the change
to take place.  Make a timeout non-fatal.

bug:
https://bugs.freedesktop.org/show_bug.cgi?id=76130

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/radeon/rv770_dpm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/radeon/rv770_dpm.c b/drivers/gpu/drm/radeon/rv770_dpm.c
index 890cf17..7eda43c 100644
--- a/drivers/gpu/drm/radeon/rv770_dpm.c
+++ b/drivers/gpu/drm/radeon/rv770_dpm.c
@@ -1415,7 +1415,7 @@ int rv770_resume_smc(struct radeon_device *rdev)
 int rv770_set_sw_state(struct radeon_device *rdev)
 {
 	if (rv770_send_msg_to_smc(rdev, PPSMC_MSG_SwitchToSwState) != PPSMC_Result_OK)
-		return -EINVAL;
+		DRM_ERROR("rv770_set_sw_state failed\n");
 	return 0;
 }
 
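Review bot: With `return -EINVAL;` replaced by DRM_ERROR(), rv770_set_sw_state() returns 0 for every non-OK SMC result, not only for the timeout the commit message describes, and its int return type no longer carries information. Consider tolerating only the timeout result, or making the function void so callers do not appear to check a status that cannot fail.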
-- 
1.9.1



* [PATCH 3.13.y-ckt 45/78] RDS: fix race condition when sending a message on unbound socket
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (43 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 44/78] drm/radeon: make rv770_set_sw_state failures non-fatal Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 46/78] btrfs: fix signed overflows in btrfs_sync_file Kamal Mostafa
                   ` (32 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: David S. Miller, Quentin Casasnovas, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quentin Casasnovas <quentin.casasnovas@oracle.com>

commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.

Sasha's found a NULL pointer dereference in the RDS connection code when
sending a message to an apparently unbound socket.  The problem is caused
by the code checking if the socket is bound in rds_sendmsg(), which checks
the rs_bound_addr field without taking a lock on the socket.  This opens a
race where rs_bound_addr is temporarily set but where the transport is not
in rds_bind(), leading to a NULL pointer dereference when trying to
dereference 'trans' in __rds_conn_create().

Vegard wrote a reproducer for this issue, so kindly ask him to share if
you're interested.

I cannot reproduce the NULL pointer dereference using Vegard's reproducer
with this patch, whereas I could without.

Complete earlier incomplete fix to CVE-2015-6937:

  74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")

Cc: David S. Miller <davem@davemloft.net>

Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/rds/connection.c | 6 ------
 net/rds/send.c       | 4 +++-
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/net/rds/connection.c b/net/rds/connection.c
index f5fb7d6..378c3a6 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -183,12 +183,6 @@ static struct rds_connection *__rds_conn_create(__be32 laddr, __be32 faddr,
 		}
 	}
 
-	if (trans == NULL) {
-		kmem_cache_free(rds_conn_slab, conn);
-		conn = ERR_PTR(-ENODEV);
-		goto out;
-	}
-
 	conn->c_trans = trans;
 
 	ret = trans->conn_alloc(conn, gfp);
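Review bot: Dropping the `trans == NULL` check leaves `ret = trans->conn_alloc(conn, gfp);` dereferencing trans unconditionally, so __rds_conn_create() now depends on every caller guaranteeing a bound transport. The send.c hunk covers rds_sendmsg(), but the changelog should say which other paths reach this function, or the check should stay as a cheap defence so a missed caller fails with -ENODEV instead of a NULL dereference.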
diff --git a/net/rds/send.c b/net/rds/send.c
index 88eace5..31c9fa4 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
 		release_sock(sk);
 	}
 
-	/* racing with another thread binding seems ok here */
+	lock_sock(sk);
 	if (daddr == 0 || rs->rs_bound_addr == 0) {
+		release_sock(sk);
 		ret = -ENOTCONN; /* XXX not a great errno */
 		goto out;
 	}
+	release_sock(sk);
 
 	/* size of rm including all sgs */
 	ret = rds_rm_size(msg, payload_len);
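Review bot: The lock taken by `lock_sock(sk);` is released right after the rs_bound_addr test, so it orders this check against a concurrent rds_bind() but does not cover later uses of the binding in rds_sendmsg(). The removed comment ("racing with another thread binding seems ok here") should be replaced by one stating the invariant now relied on, presumably that rs_bound_addr and the transport are both set before rds_bind() drops the socket lock.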
-- 
1.9.1



* [PATCH 3.13.y-ckt 46/78] btrfs: fix signed overflows in btrfs_sync_file
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (44 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 45/78] RDS: fix race condition when sending a message on unbound socket Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 47/78] drm/radeon: make some dpm errors debug only Kamal Mostafa
                   ` (31 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: David Sterba, Chris Mason, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Sterba <dsterba@suse.com>

commit 9dcbeed4d7e11e1dcf5e55475de3754f0855d1c2 upstream.

The calculation of range length in btrfs_sync_file leads to signed
overflow. This was caught by PaX gcc SIZE_OVERFLOW plugin.

https://forums.grsecurity.net/viewtopic.php?f=1&t=4284

The fsync call passes 0 and LLONG_MAX, the range length does not fit to
loff_t and overflows, but the value is converted to u64 so it silently
works as expected.

The minimal fix is a typecast to u64, switching functions to take
(start, end) instead of (start, len) would be more intrusive.

Coccinelle script found that there's one more opencoded calculation of
the length.

<smpl>
@@
loff_t start, end;
@@
* end - start
</smpl>

Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
[ kamal: backport to 3.13-stable: use len in both btrfs_wait_ordered_range
  calls, like
  b659ef0 Btrfs: avoid syncing log in the fast fsync path when not necessary ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/btrfs/file.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
index 9a0758d..9dfee4b 100644
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1781,7 +1781,13 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
 	int ret = 0;
 	struct btrfs_trans_handle *trans;
 	bool full_sync = 0;
+	u64 len;
 
+	/*
+	 * The range length can be represented by u64, we have to do the typecasts
+	 * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync()
+	 */
+	len = (u64)end - (u64)start + 1;
 	trace_btrfs_sync_file(file, datasync);
 
 	/*
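Review bot: `len = (u64)end - (u64)start + 1;` is computed at the top of btrfs_sync_file() with no statement that end >= start is guaranteed, and an inverted range would wrap to a very large length; the new comment should name that assumption. Style: the assignment needs a blank line before trace_btrfs_sync_file(), and "eg." in the comment should be "e.g.".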
@@ -1809,7 +1815,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
 	full_sync = test_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
 			     &BTRFS_I(inode)->runtime_flags);
 	if (full_sync) {
-		ret = btrfs_wait_ordered_range(inode, start, end - start + 1);
+		ret = btrfs_wait_ordered_range(inode, start, len);
 		if (ret) {
 			mutex_unlock(&inode->i_mutex);
 			goto out;
@@ -1900,8 +1906,7 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
 			}
 		}
 		if (!full_sync) {
-			ret = btrfs_wait_ordered_range(inode, start,
-						       end - start + 1);
+			ret = btrfs_wait_ordered_range(inode, start, len);
 			if (ret)
 				goto out;
 		}
-- 
1.9.1



* [PATCH 3.13.y-ckt 47/78] drm/radeon: make some dpm errors debug only
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (45 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 46/78] btrfs: fix signed overflows in btrfs_sync_file Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 48/78] nfs: if we have no valid attrs, then don't declare the attribute cache valid Kamal Mostafa
                   ` (30 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team; +Cc: Alex Deucher, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 9c565e3386fdc804a61f8c116efc2c5999ba46e1 upstream.

"Could not force DPM to low", etc. is usually harmless and
just confuses users.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/gpu/drm/radeon/rv730_dpm.c | 2 +-
 drivers/gpu/drm/radeon/rv770_dpm.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/radeon/rv730_dpm.c b/drivers/gpu/drm/radeon/rv730_dpm.c
index 3f5e1cf..d37ba2c 100644
--- a/drivers/gpu/drm/radeon/rv730_dpm.c
+++ b/drivers/gpu/drm/radeon/rv730_dpm.c
@@ -464,7 +464,7 @@ void rv730_stop_dpm(struct radeon_device *rdev)
 	result = rv770_send_msg_to_smc(rdev, PPSMC_MSG_TwoLevelsDisabled);
 
 	if (result != PPSMC_Result_OK)
-		DRM_ERROR("Could not force DPM to low\n");
+		DRM_DEBUG("Could not force DPM to low\n");
 
 	WREG32_P(GENERAL_PWRMGT, 0, ~GLOBAL_PWRMGT_EN);
 
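Review bot: The rv730 message is "Could not force DPM to low\n" while the rv770 copy of the same message in this patch ends with a period ("Could not force DPM to low.\n"); since both lines are being touched, make the strings identical so a single grep finds both.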
diff --git a/drivers/gpu/drm/radeon/rv770_dpm.c b/drivers/gpu/drm/radeon/rv770_dpm.c
index 7eda43c..5d41c4b 100644
--- a/drivers/gpu/drm/radeon/rv770_dpm.c
+++ b/drivers/gpu/drm/radeon/rv770_dpm.c
@@ -192,7 +192,7 @@ void rv770_stop_dpm(struct radeon_device *rdev)
 	result = rv770_send_msg_to_smc(rdev, PPSMC_MSG_TwoLevelsDisabled);
 
 	if (result != PPSMC_Result_OK)
-		DRM_ERROR("Could not force DPM to low.\n");
+		DRM_DEBUG("Could not force DPM to low.\n");
 
 	WREG32_P(GENERAL_PWRMGT, 0, ~GLOBAL_PWRMGT_EN);
 
@@ -1415,7 +1415,7 @@ int rv770_resume_smc(struct radeon_device *rdev)
 int rv770_set_sw_state(struct radeon_device *rdev)
 {
 	if (rv770_send_msg_to_smc(rdev, PPSMC_MSG_SwitchToSwState) != PPSMC_Result_OK)
-		DRM_ERROR("rv770_set_sw_state failed\n");
+		DRM_DEBUG("rv770_set_sw_state failed\n");
 	return 0;
 }
 
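Review bot: With DRM_ERROR() downgraded to DRM_DEBUG() here, a failed PPSMC_MSG_SwitchToSwState in rv770_set_sw_state() is both ignored (the function returns 0 regardless) and invisible unless DRM debugging is enabled. The commit message only names "Could not force DPM to low" as harmless, so it should also justify silencing this message, or leave it at a level that is logged by default.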
-- 
1.9.1



* [PATCH 3.13.y-ckt 48/78] nfs: if we have no valid attrs, then don't declare the attribute cache valid
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (46 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 47/78] drm/radeon: make some dpm errors debug only Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 49/78] xen/gntdev: Grant maps should not be subject to NUMA balancing Kamal Mostafa
                   ` (29 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Jeff Layton, Trond Myklebust, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jlayton@poochiereds.net>

commit c812012f9ca7cf89c9e1a1cd512e6c3b5be04b85 upstream.

If we pass in an empty nfs_fattr struct to nfs_update_inode, it will
(correctly) not update any of the attributes, but it then clears the
NFS_INO_INVALID_ATTR flag, which indicates that the attributes are
up to date. Don't clear the flag if the fattr struct has no valid
attrs to apply.

Reviewed-by: Steve French <steve.french@primarydata.com>
Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/nfs/inode.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 8af210f..3bf36c2 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -1624,7 +1624,11 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
 			nfsi->attrtimeo_timestamp = now;
 		}
 	}
-	invalid &= ~NFS_INO_INVALID_ATTR;
+
+	/* Don't declare attrcache up to date if there were no attrs! */
+	if (fattr->valid != 0)
+		invalid &= ~NFS_INO_INVALID_ATTR;
+
 	/* Don't invalidate the data if we were to blame */
 	if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)
 				|| S_ISLNK(inode->i_mode)))
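Review bot: `if (fattr->valid != 0)` clears NFS_INO_INVALID_ATTR when any bit in fattr->valid is set, so a fattr carrying a single attribute still marks the whole attribute cache as up to date; if that is intended the comment should say so, otherwise the test should be against the set of attributes the cache needs. Style: this is normally written `if (fattr->valid)`.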
-- 
1.9.1



* [PATCH 3.13.y-ckt 49/78] xen/gntdev: Grant maps should not be subject to NUMA balancing
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (47 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 48/78] nfs: if we have no valid attrs, then don't declare the attribute cache valid Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 50/78] iscsi-target: Fix rx_login_comp hang after login failure Kamal Mostafa
                   ` (28 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Boris Ostrovsky, David Vrabel, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Ostrovsky <boris.ostrovsky@oracle.com>

commit 9c17d96500f78d7ecdb71ca6942830158bc75a2b upstream.

Doing so will cause the grant to be unmapped and then, during
fault handling, the fault to be mistakenly treated as NUMA hint
fault.

In addition, even if those maps could participate in NUMA
balancing, it wouldn't provide any benefit since we are unable
to determine physical page's node (even if/when VNUMA is
implemented).

Marking grant maps' VMAs as VM_IO will exclude them from being
part of NUMA balancing.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/xen/gntdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index 37c34b8..de9a8fb 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -765,7 +765,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
 
 	vma->vm_ops = &gntdev_vmops;
 
-	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
+	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
 
 	if (use_ptemod)
 		vma->vm_flags |= VM_DONTCOPY;
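Review bot: VM_IO is added to `vma->vm_flags` solely to keep grant maps out of NUMA balancing, but that reason is only in the commit message, and VM_IO also changes how other mm code treats the mapping. Add a comment at the assignment naming NUMA balancing as the reason, and note in the changelog that the other effects of VM_IO on a gntdev mapping were considered.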
-- 
1.9.1



* [PATCH 3.13.y-ckt 50/78] iscsi-target: Fix rx_login_comp hang after login failure
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (48 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 49/78] xen/gntdev: Grant maps should not be subject to NUMA balancing Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 51/78] target: Fix race for SCF_COMPARE_AND_WRITE_POST checking Kamal Mostafa
                   ` (27 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Sagi Grimberg, Nicholas Bellinger, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit ca82c2bded29b38d36140bfa1e76a7bbfcade390 upstream.

This patch addresses a case where iscsi_target_do_tx_login_io()
fails sending the last login response PDU, after the RX/TX
threads have already been started.

The case centers around iscsi_target_rx_thread() not invoking
allow_signal(SIGINT) before the send_sig(SIGINT, ...) occurs
from the failure path, resulting in RX thread hanging
indefinitely on iscsi_conn->rx_login_comp.

Note this bug is a regression introduced by:

  commit e54198657b65625085834847ab6271087323ffea
  Author: Nicholas Bellinger <nab@linux-iscsi.org>
  Date:   Wed Jul 22 23:14:19 2015 -0700

      iscsi-target: Fix iscsit_start_kthreads failure OOPs

To address this bug, complete ->rx_login_complete for good
measure in the failure path, and immediately return from
RX thread context if connection state did not actually reach
full feature phase (TARG_CONN_STATE_LOGGED_IN).

Cc: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/target/iscsi/iscsi_target.c      | 13 ++++++++++++-
 drivers/target/iscsi/iscsi_target_nego.c |  1 +
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index effc8c7..a0a5737 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4026,6 +4026,17 @@ reject:
 	return iscsit_add_reject(conn, ISCSI_REASON_BOOKMARK_NO_RESOURCES, buf);
 }
 
+static bool iscsi_target_check_conn_state(struct iscsi_conn *conn)
+{
+	bool ret;
+
+	spin_lock_bh(&conn->state_lock);
+	ret = (conn->conn_state != TARG_CONN_STATE_LOGGED_IN);
+	spin_unlock_bh(&conn->state_lock);
+
+	return ret;
+}
+
 int iscsi_target_rx_thread(void *arg)
 {
 	int ret, rc;
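
Review bot: iscsi_target_check_conn_state() returns true when conn_state is NOT TARG_CONN_STATE_LOGGED_IN, which the name does not convey, so the call site `if (rc < 0 || iscsi_target_check_conn_state(conn))` reads as if a passing check makes the RX thread exit. Rename the helper so it states its polarity, or return the positive condition and negate it at the caller. The result is also only a snapshot, since state_lock is dropped before the caller acts on it; a comment saying this is sufficient for the login-failure path would help.
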
@@ -4043,7 +4054,7 @@ int iscsi_target_rx_thread(void *arg)
 	 * incoming iscsi/tcp socket I/O, and/or failing the connection.
 	 */
 	rc = wait_for_completion_interruptible(&conn->rx_login_comp);
-	if (rc < 0)
+	if (rc < 0 || iscsi_target_check_conn_state(conn))
 		return 0;
 
 	if (conn->conn_transport->transport_type == ISCSI_INFINIBAND) {
diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
index 25ad113..abbac7f 100644
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -393,6 +393,7 @@ err:
 	if (login->login_complete) {
 		if (conn->rx_thread && conn->rx_thread_active) {
 			send_sig(SIGINT, conn->rx_thread, 1);
+			complete(&conn->rx_login_comp);
 			kthread_stop(conn->rx_thread);
 		}
 		if (conn->tx_thread && conn->tx_thread_active) {
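
Review bot: in the err: path, complete(&conn->rx_login_comp) is placed between send_sig() and kthread_stop() with no comment on why both wakeups are needed. The commit message explains that the RX thread may not yet have called allow_signal(SIGINT), so the signal alone can leave it blocked on rx_login_comp; put that in a comment here, because the placement before kthread_stop() is what prevents the hang.
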
-- 
1.9.1



* [PATCH 3.13.y-ckt 51/78] target: Fix race for SCF_COMPARE_AND_WRITE_POST checking
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (49 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 50/78] iscsi-target: Fix rx_login_comp hang after login failure Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 52/78] target: fix COMPARE_AND_WRITE non zero SGL offset data corruption Kamal Mostafa
                   ` (26 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Sagi Grimberg, Nicholas Bellinger, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 057085e522f8bf94c2e691a5b76880f68060f8ba upstream.

This patch addresses a race + use after free where the first
stage of COMPARE_AND_WRITE in compare_and_write_callback()
is rescheduled after the backend sends the secondary WRITE,
resulting in second stage compare_and_write_post() callback
completing in target_complete_ok_work() before the first
can return.

Because current code depends on checking se_cmd->se_cmd_flags
after return from se_cmd->transport_complete_callback(),
this results in first stage having SCF_COMPARE_AND_WRITE_POST
set, which incorrectly falls through into second stage CAW
processing code, eventually triggering a NULL pointer
dereference due to use after free.

To address this bug, pass in a new *post_ret parameter into
se_cmd->transport_complete_callback(), and depend upon this
value instead of ->se_cmd_flags to determine when to return
or fall through into ->queue_status() code for CAW.

Cc: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/target/target_core_sbc.c       | 13 +++++++++----
 drivers/target/target_core_transport.c | 14 ++++++++------
 include/target/target_core_base.h      |  2 +-
 3 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index 11526d2..2664c4c 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -308,7 +308,8 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
 	return 0;
 }
 
-static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd, bool success)
+static sense_reason_t xdreadwrite_callback(struct se_cmd *cmd, bool success,
+					   int *post_ret)
 {
 	unsigned char *buf, *addr;
 	struct scatterlist *sg;
@@ -372,7 +373,8 @@ sbc_execute_rw(struct se_cmd *cmd)
 			       cmd->data_direction);
 }
 
-static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success)
+static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success,
+					     int *post_ret)
 {
 	struct se_device *dev = cmd->se_dev;
 
@@ -382,8 +384,10 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success)
 	 * sent to the backend driver.
 	 */
 	spin_lock_irq(&cmd->t_state_lock);
-	if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status)
+	if ((cmd->transport_state & CMD_T_SENT) && !cmd->scsi_status) {
 		cmd->se_cmd_flags |= SCF_COMPARE_AND_WRITE_POST;
+		*post_ret = 1;
+	}
 	spin_unlock_irq(&cmd->t_state_lock);
 
 	/*
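
Review bot: compare_and_write_post() writes `*post_ret = 1;` with no NULL check, so every caller of transport_complete_callback must pass a valid pointer; both call sites in this patch do, but that contract should be documented at the function pointer declaration. The parameter is used purely as a flag, so bool * would match the neighbouring `bool success`. SCF_COMPARE_AND_WRITE_POST is still set on the line above although target_complete_ok_work() stops reading it in this patch; say whether another reader remains or drop the flag.
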
@@ -395,7 +399,8 @@ static sense_reason_t compare_and_write_post(struct se_cmd *cmd, bool success)
 	return TCM_NO_SENSE;
 }
 
-static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success)
+static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool success,
+						 int *post_ret)
 {
 	struct se_device *dev = cmd->se_dev;
 	struct scatterlist *write_sg = NULL, *sg;
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index fefd5f5..7458b13 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1546,7 +1546,7 @@ bool target_stop_cmd(struct se_cmd *cmd, unsigned long *flags)
 void transport_generic_request_failure(struct se_cmd *cmd,
 		sense_reason_t sense_reason)
 {
-	int ret = 0;
+	int ret = 0, post_ret = 0;
 
 	pr_debug("-----[ Storage Engine Exception for cmd: %p ITT: 0x%08x"
 		" CDB: 0x%02x\n", cmd, cmd->se_tfo->get_task_tag(cmd),
@@ -1569,7 +1569,7 @@ void transport_generic_request_failure(struct se_cmd *cmd,
 	 */
 	if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
 	     cmd->transport_complete_callback)
-		cmd->transport_complete_callback(cmd, false);
+		cmd->transport_complete_callback(cmd, false, &post_ret);
 
 	switch (sense_reason) {
 	case TCM_NON_EXISTENT_LUN:
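
Review bot: in transport_generic_request_failure() post_ret is declared and passed to the callback but never read afterwards. That is harmless, but a short comment that the value is deliberately ignored on the failure path would stop a reader wondering whether a check was forgotten.
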
@@ -1902,11 +1902,13 @@ static void target_complete_ok_work(struct work_struct *work)
 	 */
 	if (cmd->transport_complete_callback) {
 		sense_reason_t rc;
+		bool caw = (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE);
+		bool zero_dl = !(cmd->data_length);
+		int post_ret = 0;
 
-		rc = cmd->transport_complete_callback(cmd, true);
-		if (!rc && !(cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE_POST)) {
-			if ((cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) &&
-			    !cmd->data_length)
+		rc = cmd->transport_complete_callback(cmd, true, &post_ret);
+		if (!rc && !post_ret) {
+			if (caw && zero_dl)
 				goto queue_rsp;
 
 			return;
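
Review bot: caw and zero_dl are sampled from cmd before transport_complete_callback() runs, and that ordering is the substance of the fix, yet nothing in the code says so. Per the commit message the second-stage callback can complete before the first returns, so add a comment that cmd->se_cmd_flags and cmd->data_length must be read before the call; otherwise a later cleanup could fold the locals back into the condition and reintroduce the use after free.
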
diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
index 1f2c8e7..9c12091 100644
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -458,7 +458,7 @@ struct se_cmd {
 	sense_reason_t		(*execute_cmd)(struct se_cmd *);
 	sense_reason_t		(*execute_rw)(struct se_cmd *, struct scatterlist *,
 					      u32, enum dma_data_direction);
-	sense_reason_t (*transport_complete_callback)(struct se_cmd *, bool);
+	sense_reason_t (*transport_complete_callback)(struct se_cmd *, bool, int *);
 
 	unsigned char		*t_task_cdb;
 	unsigned char		__t_task_cdb[TCM_MAX_COMMAND_SIZE];
-- 
1.9.1



* [PATCH 3.13.y-ckt 52/78] target: fix COMPARE_AND_WRITE non zero SGL offset data corruption
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (50 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 51/78] target: Fix race for SCF_COMPARE_AND_WRITE_POST checking Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 53/78] block: Always check queue limits for cloned requests Kamal Mostafa
                   ` (25 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Jan Engelhardt, Nicholas Bellinger, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Engelhardt <jengelh@inai.de>

commit d94e5a61357a04938ce14d6033b4d33a3c5fd780 upstream.

target_core_sbc's compare_and_write functionality suffers from taking
data at the wrong memory location when writing a CAW request to disk
when a SGL offset is non-zero.

This can happen with loopback and vhost-scsi fabric drivers when
SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC is used to map existing user-space
SGL memory into COMPARE_AND_WRITE READ/WRITE payload buffers.

Given the following sample LIO subtopology,

% targetcli ls /loopback/
o- loopback ................................. [1 Target]
  o- naa.6001405ebb8df14a ....... [naa.60014059143ed2b3]
    o- luns ................................... [2 LUNs]
      o- lun0 ................ [iblock/ram0 (/dev/ram0)]
      o- lun1 ................ [iblock/ram1 (/dev/ram1)]
% lsscsi -g
[3:0:1:0]    disk    LIO-ORG  IBLOCK           4.0   /dev/sdc   /dev/sg3
[3:0:1:1]    disk    LIO-ORG  IBLOCK           4.0   /dev/sdd   /dev/sg4

the following bug can be observed in Linux 4.3 and 4.4~rc1:

% perl -e 'print chr$_ for 0..255,reverse 0..255' >rand
% perl -e 'print "\0" x 512' >zero
% cat rand >/dev/sdd
% sg_compare_and_write -i rand -D zero --lba 0 /dev/sdd
% sg_compare_and_write -i zero -D rand --lba 0 /dev/sdd
Miscompare reported
% hexdump -Cn 512 /dev/sdd
00000000  0f 0e 0d 0c 0b 0a 09 08  07 06 05 04 03 02 01 00
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
*
00000200

Rather than writing all-zeroes as instructed with the -D file, it
corrupts the data in the sector by splicing some of the original
bytes in. The page of the first entry of cmd->t_data_sg includes the
CDB, and sg->offset is set to a position past the CDB. I presume that
sg->offset is also the right choice to use for subsequent sglist
members.

Signed-off-by: Jan Engelhardt <jengelh@netitwork.de>
Tested-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/target/target_core_sbc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index 2664c4c..7d4abdc 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -496,11 +496,11 @@ static sense_reason_t compare_and_write_callback(struct se_cmd *cmd, bool succes
 
 		if (block_size < PAGE_SIZE) {
 			sg_set_page(&write_sg[i], m.page, block_size,
-				    block_size);
+				    m.piter.sg->offset + block_size);
 		} else {
 			sg_miter_next(&m);
 			sg_set_page(&write_sg[i], m.page, block_size,
-				    0);
+				    m.piter.sg->offset);
 		}
 		len -= block_size;
 		i++;
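
Review bot: the else branch calls sg_miter_next(&m) without checking its return value, and the patch adds a second use of the iterator state, m.piter.sg->offset, immediately after it. If sg_miter_next() returns false, m.page and m.piter.sg do not describe a new entry; check the return before building write_sg[i]. The commit message says the use of sg->offset for subsequent sglist members is presumed, so that assumption should be confirmed and recorded in a comment at the two sg_set_page() calls.
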
-- 
1.9.1



* [PATCH 3.13.y-ckt 53/78] block: Always check queue limits for cloned requests
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (51 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 52/78] target: fix COMPARE_AND_WRITE non zero SGL offset data corruption Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 54/78] Fix a memory leak in scsi_host_dev_release() Kamal Mostafa
                   ` (24 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Mike Snitzer, Ewan Milne, Jeff Moyer, Hannes Reinecke,
	Jens Axboe, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hannes Reinecke <hare@suse.de>

commit bf4e6b4e757488dee1b6a581f49c7ac34cd217f8 upstream.

When a cloned request is retried on other queues it always needs
to be checked against the queue limits of that queue.
Otherwise the calculations for nr_phys_segments might be wrong,
leading to a crash in scsi_init_sgtable().

To clarify this the patch renames blk_rq_check_limits()
to blk_cloned_rq_check_limits() and removes the symbol
export, as the new function should only be used for
cloned requests and never exported.

Cc: Mike Snitzer <snitzer@redhat.com>
Cc: Ewan Milne <emilne@redhat.com>
Cc: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>
Fixes: e2a60da74 ("block: Clean up special command handling logic")
Acked-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 block/blk-core.c       | 21 +++++++--------------
 include/linux/blkdev.h |  1 -
 2 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/block/blk-core.c b/block/blk-core.c
index 36da493..3b974be 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -1888,7 +1888,8 @@ void submit_bio(int rw, struct bio *bio)
 EXPORT_SYMBOL(submit_bio);
 
 /**
- * blk_rq_check_limits - Helper function to check a request for the queue limit
+ * blk_cloned_rq_check_limits - Helper function to check a cloned request
+ *                              for new the queue limits
  * @q:  the queue
  * @rq: the request being checked
  *
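
Review bot: the new kernel-doc summary reads "for new the queue limits"; the words are transposed and it should read "for the new queue limits".
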
@@ -1899,20 +1900,13 @@ EXPORT_SYMBOL(submit_bio);
  *    after it is inserted to @q, it should be checked against @q before
  *    the insertion using this generic function.
  *
- *    This function should also be useful for request stacking drivers
- *    in some cases below, so export this function.
  *    Request stacking drivers like request-based dm may change the queue
- *    limits while requests are in the queue (e.g. dm's table swapping).
- *    Such request stacking drivers should check those requests agaist
- *    the new queue limits again when they dispatch those requests,
- *    although such checkings are also done against the old queue limits
- *    when submitting requests.
+ *    limits when retrying requests on other queues. Those requests need
+ *    to be checked against the new queue limits again during dispatch.
  */
-int blk_rq_check_limits(struct request_queue *q, struct request *rq)
+static int blk_cloned_rq_check_limits(struct request_queue *q,
+				      struct request *rq)
 {
-	if (!rq_mergeable(rq))
-		return 0;
-
 	if (blk_rq_sectors(rq) > blk_queue_get_max_sectors(q, rq->cmd_flags)) {
 		printk(KERN_ERR "%s: over max size limit.\n", __func__);
 		return -EIO;
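
Review bot: dropping the `if (!rq_mergeable(rq)) return 0;` early exit is the behavioural change in this function, but the updated kernel-doc does not say that non-mergeable requests are now checked against the max-sectors limit and can get -EIO where they previously passed. State that in the comment so users of blk_insert_cloned_request() know the failure mode is new.
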
@@ -1932,7 +1926,6 @@ int blk_rq_check_limits(struct request_queue *q, struct request *rq)
 
 	return 0;
 }
-EXPORT_SYMBOL_GPL(blk_rq_check_limits);
 
 /**
  * blk_insert_cloned_request - Helper for stacking drivers to submit a request
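
Review bot: removing EXPORT_SYMBOL_GPL(blk_rq_check_limits), together with the blkdev.h declaration later in the patch, changes the set of exported symbols in a stable update. A module that calls blk_rq_check_limits() would no longer build or resolve the symbol; the commit message should state that no such users are expected in 3.13.y, or the backport could keep the old exported name as a thin wrapper.
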
@@ -1944,7 +1937,7 @@ int blk_insert_cloned_request(struct request_queue *q, struct request *rq)
 	unsigned long flags;
 	int where = ELEVATOR_INSERT_BACK;
 
-	if (blk_rq_check_limits(q, rq))
+	if (blk_cloned_rq_check_limits(q, rq))
 		return -EIO;
 
 	if (rq->rq_disk &&
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 75fc3a1..41731c3 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -776,7 +776,6 @@ extern struct request *blk_make_request(struct request_queue *, struct bio *,
 extern void blk_requeue_request(struct request_queue *, struct request *);
 extern void blk_add_request_payload(struct request *rq, struct page *page,
 		unsigned int len);
-extern int blk_rq_check_limits(struct request_queue *q, struct request *rq);
 extern int blk_lld_busy(struct request_queue *q);
 extern int blk_rq_prep_clone(struct request *rq, struct request *rq_src,
 			     struct bio_set *bs, gfp_t gfp_mask,
-- 
1.9.1



* [PATCH 3.13.y-ckt 54/78] Fix a memory leak in scsi_host_dev_release()
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (52 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 53/78] block: Always check queue limits for cloned requests Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 55/78] wan/x25: Fix use-after-free in x25_asy_open_tty() Kamal Mostafa
                   ` (23 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Bart Van Assche, Christoph Hellwig, Hannes Reinecke,
	Martin K. Petersen, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit b49493f99690c8eaacfbc635bafaad629ea2c036 upstream.

Avoid that kmemleak reports the following memory leak if a
SCSI LLD calls scsi_host_alloc() and scsi_host_put() but neither
scsi_host_add() nor scsi_host_remove(). The following shell
command triggers that scenario:

for ((i=0; i<2; i++)); do
  srp_daemon -oac |
  while read line; do
    echo $line >/sys/class/infiniband_srp/srp-mlx4_0-1/add_target
  done
done

unreferenced object 0xffff88021b24a220 (size 8):
  comm "srp_daemon", pid 56421, jiffies 4295006762 (age 4240.750s)
  hex dump (first 8 bytes):
    68 6f 73 74 35 38 00 a5                          host58..
  backtrace:
    [<ffffffff8151014a>] kmemleak_alloc+0x7a/0xc0
    [<ffffffff81165c1e>] __kmalloc_track_caller+0xfe/0x160
    [<ffffffff81260d2b>] kvasprintf+0x5b/0x90
    [<ffffffff81260e2d>] kvasprintf_const+0x8d/0xb0
    [<ffffffff81254b0c>] kobject_set_name_vargs+0x3c/0xa0
    [<ffffffff81337e3c>] dev_set_name+0x3c/0x40
    [<ffffffff81355757>] scsi_host_alloc+0x327/0x4b0
    [<ffffffffa03edc8e>] srp_create_target+0x4e/0x8a0 [ib_srp]
    [<ffffffff8133778b>] dev_attr_store+0x1b/0x20
    [<ffffffff811f27fa>] sysfs_kf_write+0x4a/0x60
    [<ffffffff811f1e8e>] kernfs_fop_write+0x14e/0x180
    [<ffffffff81176eef>] __vfs_write+0x2f/0xf0
    [<ffffffff811771e4>] vfs_write+0xa4/0x100
    [<ffffffff81177c64>] SyS_write+0x54/0xc0
    [<ffffffff8151b257>] entry_SYSCALL_64_fastpath+0x12/0x6f

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/scsi/hosts.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
index f2c5005..3b7d405 100644
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -305,6 +305,17 @@ static void scsi_host_dev_release(struct device *dev)
 		kfree(queuedata);
 	}
 
+	if (shost->shost_state == SHOST_CREATED) {
+		/*
+		 * Free the shost_dev device name here if scsi_host_alloc()
+		 * and scsi_host_put() have been called but neither
+		 * scsi_host_add() nor scsi_host_remove() has been called.
+		 * This avoids that the memory allocated for the shost_dev
+		 * name is leaked.
+		 */
+		kfree(dev_name(&shost->shost_dev));
+	}
+
 	scsi_destroy_command_freelist(shost);
 	if (shost->bqt)
 		blk_free_tags(shost->bqt);
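
Review bot: the added block releases dev_name(&shost->shost_dev) with plain kfree(), which is only correct if the name was heap-allocated. The backtrace quoted in the commit message shows the allocation going through kvasprintf_const(), so confirm how the name is allocated in this 3.13 tree before relying on kfree() here. The new comment explains the scenario well; it should also say why shost_state == SHOST_CREATED is a reliable indicator that scsi_host_add() never ran.
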
-- 
1.9.1



* [PATCH 3.13.y-ckt 55/78] wan/x25: Fix use-after-free in x25_asy_open_tty()
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (53 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 54/78] Fix a memory leak in scsi_host_dev_release() Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 56/78] sched/core: Clear the root_domain cpumasks in init_rootdomain() Kamal Mostafa
                   ` (22 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Peter Hurley, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit ee9159ddce14bc1dec9435ae4e3bd3153e783706 upstream.

The N_X25 line discipline may access the previous line discipline's closed
and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(ie. from open() to close() only).

[1]
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wan/x25_asy.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
index 5895f19..e98de42 100644
--- a/drivers/net/wan/x25_asy.c
+++ b/drivers/net/wan/x25_asy.c
@@ -545,16 +545,12 @@ static void x25_asy_receive_buf(struct tty_struct *tty,
 
 static int x25_asy_open_tty(struct tty_struct *tty)
 {
-	struct x25_asy *sl = tty->disc_data;
+	struct x25_asy *sl;
 	int err;
 
 	if (tty->ops->write == NULL)
 		return -EOPNOTSUPP;
 
-	/* First make sure we're not already connected. */
-	if (sl && sl->magic == X25_ASY_MAGIC)
-		return -EEXIST;
-
 	/* OK.  Find a free X.25 channel to use. */
 	sl = x25_asy_alloc();
 	if (sl == NULL)
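
Review bot: with the "already connected" test removed, nothing in x25_asy_open_tty() records why tty->disc_data must not be read here. The rule from the commit message (disc_data never refers to valid data on entry to open()) deserves a short comment at the top of the function so the check is not reintroduced. The -EEXIST return goes away with it, and the commit message should mention that.
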
-- 
1.9.1



* [PATCH 3.13.y-ckt 56/78] sched/core: Clear the root_domain cpumasks in init_rootdomain()
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (54 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 55/78] wan/x25: Fix use-after-free in x25_asy_open_tty() Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 57/78] x86/signal: Fix restart_syscall number for x32 tasks Kamal Mostafa
                   ` (21 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Xunlei Pang, Peter Zijlstra (Intel),
	Linus Torvalds, Mike Galbraith, Steven Rostedt, Thomas Gleixner,
	Ingo Molnar, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xunlei Pang <xlpang@redhat.com>

commit 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 upstream.

root_domain::rto_mask allocated through alloc_cpumask_var()
contains garbage data, this may cause problems. For instance,
when doing pull_rt_task(), it may do useless iterations if
rto_mask retains some extra garbage bits. Worse still, this
violates the isolated domain rule for clustered scheduling
using cpuset, because the tasks(with all the cpus allowed)
belongs to one root domain can be pulled away into another
root domain.

The patch cleans the garbage by using zalloc_cpumask_var()
instead of alloc_cpumask_var() for root_domain::rto_mask
allocation, thereby addressing the issues.

Do the same thing for root_domain's other cpumask members:
dlo_mask, span, and online.

Signed-off-by: Xunlei Pang <xlpang@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1449057179-29321-1-git-send-email-xlpang@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 kernel/sched/core.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index a3b0ea0..5d2b6c1 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4823,11 +4823,11 @@ static int init_rootdomain(struct root_domain *rd)
 {
 	memset(rd, 0, sizeof(*rd));
 
-	if (!alloc_cpumask_var(&rd->span, GFP_KERNEL))
+	if (!zalloc_cpumask_var(&rd->span, GFP_KERNEL))
 		goto out;
-	if (!alloc_cpumask_var(&rd->online, GFP_KERNEL))
+	if (!zalloc_cpumask_var(&rd->online, GFP_KERNEL))
 		goto free_span;
-	if (!alloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
+	if (!zalloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
 		goto free_online;
 
 	if (cpupri_init(&rd->cpupri) != 0)
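
Review bot: the commit message says the same change is made for dlo_mask, span and online, but this hunk converts only span, online and rto_mask, and no dlo_mask allocation appears between them and cpupri_init(). If dlo_mask does not exist in 3.13.y, add a backport note saying so (as patch 51 does with its "adjusted context" line); otherwise the conversion is missing.
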
-- 
1.9.1



* [PATCH 3.13.y-ckt 57/78] x86/signal: Fix restart_syscall number for x32 tasks
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (55 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 56/78] sched/core: Clear the root_domain cpumasks in init_rootdomain() Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 58/78] mmc: remove bondage between REQ_META and reliable write Kamal Mostafa
                   ` (20 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Dmitry V. Levin, Elvira Khabirova, Thomas Gleixner, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Dmitry V. Levin" <ldv@altlinux.org>

commit 22eab1108781eff09961ae7001704f7bd8fb1dce upstream.

When restarting a syscall with regs->ax == -ERESTART_RESTARTBLOCK,
regs->ax is assigned to a restart_syscall number.  For x32 tasks, this
syscall number must have __X32_SYSCALL_BIT set, otherwise it will be
an x86_64 syscall number instead of a valid x32 syscall number. This
issue has been there since the introduction of x32.

Reported-by: strace/tests/restart_syscall.test
Reported-and-tested-by: Elvira Khabirova <lineprinter0@gmail.com>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Cc: Elvira Khabirova <lineprinter0@gmail.com>
Link: http://lkml.kernel.org/r/20151130215436.GA25996@altlinux.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/x86/kernel/signal.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index b88fc86..5d3e601 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -682,12 +682,15 @@ handle_signal(struct ksignal *ksig, struct pt_regs *regs)
 	signal_setup_done(failed, ksig, test_thread_flag(TIF_SINGLESTEP));
 }
 
-#ifdef CONFIG_X86_32
-#define NR_restart_syscall	__NR_restart_syscall
-#else /* !CONFIG_X86_32 */
-#define NR_restart_syscall	\
-	test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall : __NR_restart_syscall
-#endif /* CONFIG_X86_32 */
+static inline unsigned long get_nr_restart_syscall(const struct pt_regs *regs)
+{
+#if defined(CONFIG_X86_32) || !defined(CONFIG_X86_64)
+	return __NR_restart_syscall;
+#else /* !CONFIG_X86_32 && CONFIG_X86_64 */
+	return test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall :
+		__NR_restart_syscall | (regs->orig_ax & __X32_SYSCALL_BIT);
+#endif /* CONFIG_X86_32 || !CONFIG_X86_64 */
+}
 
 /*
  * Note that 'init' is a special process: it doesn't get signals it doesn't
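
Review bot: in get_nr_restart_syscall() the 64-bit return relies on `|` binding tighter than `?:`, so it parses as TIF_IA32 ? __NR_ia32_restart_syscall : (__NR_restart_syscall | (regs->orig_ax & __X32_SYSCALL_BIT)). That is the intended result, but put explicit parentheses around the third operand so the reader does not have to work it out. The regs argument is also unused in the first preprocessor branch, which is worth a glance for unused-parameter warnings on 32-bit builds.
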
@@ -716,7 +719,7 @@ static void do_signal(struct pt_regs *regs)
 			break;
 
 		case -ERESTART_RESTARTBLOCK:
-			regs->ax = NR_restart_syscall;
+			regs->ax = get_nr_restart_syscall(regs);
 			regs->ip -= 2;
 			break;
 		}
-- 
1.9.1



* [PATCH 3.13.y-ckt 58/78] mmc: remove bondage between REQ_META and reliable write
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (56 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 57/78] x86/signal: Fix restart_syscall number for x32 tasks Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 59/78] sctp: translate host order to network order when setting a hmacid Kamal Mostafa
                   ` (19 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Bruce Ford, Luca Porzio, Ulf Hansson, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luca Porzio <lporzio@micron.com>

commit d3df0465db00cf4ed9f90d0bfc3b827d32b9c796 upstream.

Anytime a write operation is performed with Reliable Write flag enabled,
the eMMC device is enforced to bypass the cache and do a write to the
underlying NVM device by Jedec specification; this causes a performance
penalty since write operations can't be optimized by the device cache.

In our tests, we replayed a typical mobile daily trace pattern and found
~9% overall time reduction in trace replay by using this patch. Also the
write ops within 4KB~64KB chunk size range get a 40~60% performance
improvement by using the patch (as this range of write chunks are the ones
affected by REQ_META).

This patch has been discussed in the Mobile & Embedded Linux Storage Forum
and it's the result of feedback from many people. We also checked with
fsdevl and f2fs mailing list developers that this change in the usage of
REQ_META is not affecting FS behavior and we got positive feedback.
Reporting the feedback here:
http://comments.gmane.org/gmane.linux.file-systems/97219
http://thread.gmane.org/gmane.linux.file-systems.f2fs/3178/focus=3183

Signed-off-by: Bruce Ford <bford@micron.com>
Signed-off-by: Luca Porzio <lporzio@micron.com>
Fixes: ce39f9d17c14 ("mmc: support packed write command for eMMC4.5 devices")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/mmc/card/block.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index a6bf69b..76671d6 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -62,8 +62,7 @@ MODULE_ALIAS("mmc:block");
 #define MMC_SANITIZE_REQ_TIMEOUT 240000
 #define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
 
-#define mmc_req_rel_wr(req)	(((req->cmd_flags & REQ_FUA) || \
-				  (req->cmd_flags & REQ_META)) && \
+#define mmc_req_rel_wr(req)	((req->cmd_flags & REQ_FUA) && \
 				  (rq_data_dir(req) == WRITE))
 #define PACKED_CMD_VER	0x01
 #define PACKED_CMD_WR	0x02
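
Review bot: The rewritten mmc_req_rel_wr() still expands its argument unparenthesized in `req->cmd_flags`; since the line is being changed anyway it could become `((req)->cmd_flags & REQ_FUA)`. The continuation line `(rq_data_dir(req) == WRITE))` also keeps the indentation of the old two-term expression and no longer lines up with the opening parenthesis.
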
@@ -1328,13 +1327,9 @@ static void mmc_blk_rw_rq_prep(struct mmc_queue_req *mqrq,
 
 	/*
 	 * Reliable writes are used to implement Forced Unit Access and
-	 * REQ_META accesses, and are supported only on MMCs.
-	 *
-	 * XXX: this really needs a good explanation of why REQ_META
-	 * is treated special.
+	 * are supported only on MMCs.
 	 */
-	bool do_rel_wr = ((req->cmd_flags & REQ_FUA) ||
-			  (req->cmd_flags & REQ_META)) &&
+	bool do_rel_wr = (req->cmd_flags & REQ_FUA) &&
 		(rq_data_dir(req) == WRITE) &&
 		(md->flags & MMC_BLK_REL_WR);
 
-- 
1.9.1



* [PATCH 3.13.y-ckt 59/78] sctp: translate host order to network order when setting a hmacid
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (57 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 58/78] mmc: remove bondage between REQ_META and reliable write Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 60/78] usb: musb: core: fix order of arguments to ulpi write callback Kamal Mostafa
                   ` (18 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Xin Long, Marcelo Ricardo Leitner, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: lucien <lucien.xin@gmail.com>

commit ed5a377d87dc4c87fb3e1f7f698cba38cd893103 upstream.

Now sctp auth cannot work well when setting a hmacid manually, because
we didn't use the network order for hmacid, so fix it by adding the
transformation in sctp_auth_ep_set_hmacs.

Even if we set hmacid with the network order in userspace, it still
can't work, because of this condition in sctp_auth_ep_set_hmacs():

		if (id > SCTP_AUTH_HMAC_ID_MAX)
			return -EOPNOTSUPP;

So this wasn't working before and thus it won't break compatibility.

Fixes: 65b07e5d0d09 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/sctp/auth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 9f29e1c..1875051 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -802,8 +802,8 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
 	if (!has_sha1)
 		return -EINVAL;
 
-	memcpy(ep->auth_hmacs_list->hmac_ids, &hmacs->shmac_idents[0],
-		hmacs->shmac_num_idents * sizeof(__u16));
+	for (i = 0; i < hmacs->shmac_num_idents; i++)
+		ep->auth_hmacs_list->hmac_ids[i] = htons(hmacs->shmac_idents[i]);
 	ep->auth_hmacs_list->param_hdr.length = htons(sizeof(sctp_paramhdr_t) +
 				hmacs->shmac_num_idents * sizeof(__u16));
 	return 0;
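
Review bot: The new loop in sctp_auth_ep_set_hmacs() writes `ep->auth_hmacs_list->hmac_ids[i]` for every index below `hmacs->shmac_num_idents`, and neither the declaration of `i` nor a bound on `shmac_num_idents` is visible in this hunk. Please confirm that `i` is already declared in this function with a suitable type, and that the count has been checked against the capacity of `hmac_ids` before this point, since the value is supplied from userspace. Converting only at the store is the right place: the `id > SCTP_AUTH_HMAC_ID_MAX` check quoted in the commit message keeps operating on host-order values.
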
-- 
1.9.1



* [PATCH 3.13.y-ckt 60/78] usb: musb: core: fix order of arguments to ulpi write callback
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (58 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 59/78] sctp: translate host order to network order when setting a hmacid Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 61/78] FS-Cache: Add missing initialization of ret in cachefiles_write_page() Kamal Mostafa
                   ` (17 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Uwe Kleine-König, Felipe Balbi, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

commit 705e63d2b29c8bbf091119084544d353bda70393 upstream.

There is a bit of a mess in the order of arguments to the ulpi write
callback. There is

	int ulpi_write(struct ulpi *ulpi, u8 addr, u8 val)

in drivers/usb/common/ulpi.c;

	struct usb_phy_io_ops {
		...
		int (*write)(struct usb_phy *x, u32 val, u32 reg);
	}

in include/linux/usb/phy.h.

The callback registered by the musb driver has to comply with the latter,
but up to now had "offset" first which effectively made the function
broken for correct users. So flip the order and while at it also
switch to the parameter names of struct usb_phy_io_ops's write.

Fixes: ffb865b1e460 ("usb: musb: add ulpi access operations")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/usb/musb/musb_core.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
index d595091..708b7a4 100644
--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -133,7 +133,7 @@ static inline struct musb *dev_to_musb(struct device *dev)
 /*-------------------------------------------------------------------------*/
 
 #ifndef CONFIG_BLACKFIN
-static int musb_ulpi_read(struct usb_phy *phy, u32 offset)
+static int musb_ulpi_read(struct usb_phy *phy, u32 reg)
 {
 	void __iomem *addr = phy->io_priv;
 	int	i = 0;
@@ -152,7 +152,7 @@ static int musb_ulpi_read(struct usb_phy *phy, u32 offset)
 	 * ULPICarKitControlDisableUTMI after clearing POWER_SUSPENDM.
 	 */
 
-	musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset);
+	musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg);
 	musb_writeb(addr, MUSB_ULPI_REG_CONTROL,
 			MUSB_ULPI_REG_REQ | MUSB_ULPI_RDN_WR);
 
@@ -177,7 +177,7 @@ out:
 	return ret;
 }
 
-static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data)
+static int musb_ulpi_write(struct usb_phy *phy, u32 val, u32 reg)
 {
 	void __iomem *addr = phy->io_priv;
 	int	i = 0;
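
Review bot: musb_ulpi_write() now takes `(phy, val, reg)` where it took `(phy, offset, data)`, and both swapped parameters are `u32`, so the compiler cannot flag a caller that still passes the register first. Please confirm the function is reached only through the `usb_phy_io_ops` write callback and has no direct callers in this tree that use the old order.
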
@@ -192,8 +192,8 @@ static int musb_ulpi_write(struct usb_phy *phy, u32 offset, u32 data)
 	power &= ~MUSB_POWER_SUSPENDM;
 	musb_writeb(addr, MUSB_POWER, power);
 
-	musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)offset);
-	musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)data);
+	musb_writeb(addr, MUSB_ULPI_REG_ADDR, (u8)reg);
+	musb_writeb(addr, MUSB_ULPI_REG_DATA, (u8)val);
 	musb_writeb(addr, MUSB_ULPI_REG_CONTROL, MUSB_ULPI_REG_REQ);
 
 	while (!(musb_readb(addr, MUSB_ULPI_REG_CONTROL)
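
Review bot: The `(u8)reg` and `(u8)val` casts in musb_ulpi_write() silently truncate the `u32` arguments before they reach MUSB_ULPI_REG_ADDR and MUSB_ULPI_REG_DATA. With the argument order just changed, a swapped or out-of-range value would be masked rather than reported; a comment stating that callers only pass 8-bit registers and values, or an explicit range check, would make the contract visible.
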
-- 
1.9.1



* [PATCH 3.13.y-ckt 61/78] FS-Cache: Add missing initialization of ret in cachefiles_write_page()
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (59 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 60/78] usb: musb: core: fix order of arguments to ulpi write callback Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 62/78] tcp: md5: fix lockdep annotation Kamal Mostafa
                   ` (16 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Geert Uytterhoeven, David Howells, Al Viro, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert@linux-m68k.org>

commit cf89752645e47d86ba8a4157f4b121fcb33434c5 upstream.

fs/cachefiles/rdwr.c: In function ‘cachefiles_write_page’:
fs/cachefiles/rdwr.c:882: warning: ‘ret’ may be used uninitialized in
this function

If the jump to label "error" is taken, "ret" will indeed be
uninitialized, and random stack data may be printed by the debug code.

Fixes: 102f4d900c9c8f5e ("FS-Cache: Handle a write to the page immediately beyond the EOF marker")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 fs/cachefiles/rdwr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cachefiles/rdwr.c b/fs/cachefiles/rdwr.c
index 807e554..a1210b0 100644
--- a/fs/cachefiles/rdwr.c
+++ b/fs/cachefiles/rdwr.c
@@ -899,7 +899,7 @@ int cachefiles_write_page(struct fscache_storage *op, struct page *page)
 	loff_t pos, eof;
 	size_t len;
 	void *data;
-	int ret;
+	int ret = -ENOBUFS;
 
 	ASSERT(op != NULL);
 	ASSERT(page != NULL);
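
Review bot: Initializing `ret` to `-ENOBUFS` at its declaration in cachefiles_write_page() fixes the uninitialized read on the `error` path, but it also disables the compiler's maybe-uninitialized diagnostic for every other path in the function. Assigning `ret = -ENOBUFS;` immediately before the `goto error` that skips the assignment would fix the same leak of stack data into the debug output and keep that check useful.
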
-- 
1.9.1



* [PATCH 3.13.y-ckt 62/78] tcp: md5: fix lockdep annotation
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (60 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 61/78] FS-Cache: Add missing initialization of ret in cachefiles_write_page() Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 63/78] ARM: dts: Kirkwood: Fix QNAP TS219 power-off Kamal Mostafa
                   ` (15 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Eric Dumazet, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 1b8e6a01e19f001e9f93b39c32387961c91ed3cc upstream.

When a passive TCP is created, we eventually call tcp_md5_do_add()
with sk pointing to the child. It is not owned by the user yet (we
will add this socket into listener accept queue a bit later anyway).

But we do own the spinlock, so amend the lockdep annotation to avoid
the following splat:

[ 8451.090932] net/ipv4/tcp_ipv4.c:923 suspicious rcu_dereference_protected() usage!
[ 8451.090932]
[ 8451.090932] other info that might help us debug this:
[ 8451.090932]
[ 8451.090934]
[ 8451.090934] rcu_scheduler_active = 1, debug_locks = 1
[ 8451.090936] 3 locks held by socket_sockopt_/214795:
[ 8451.090936]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff855c6ac1>] __netif_receive_skb_core+0x151/0xe90
[ 8451.090947]  #1:  (rcu_read_lock){.+.+..}, at: [<ffffffff85618143>] ip_local_deliver_finish+0x43/0x2b0
[ 8451.090952]  #2:  (slock-AF_INET){+.-...}, at: [<ffffffff855acda5>] sk_clone_lock+0x1c5/0x500
[ 8451.090958]
[ 8451.090958] stack backtrace:
[ 8451.090960] CPU: 7 PID: 214795 Comm: socket_sockopt_

[ 8451.091215] Call Trace:
[ 8451.091216]  <IRQ>  [<ffffffff856fb29c>] dump_stack+0x55/0x76
[ 8451.091229]  [<ffffffff85123b5b>] lockdep_rcu_suspicious+0xeb/0x110
[ 8451.091235]  [<ffffffff8564544f>] tcp_md5_do_add+0x1bf/0x1e0
[ 8451.091239]  [<ffffffff85645751>] tcp_v4_syn_recv_sock+0x1f1/0x4c0
[ 8451.091242]  [<ffffffff85642b27>] ? tcp_v4_md5_hash_skb+0x167/0x190
[ 8451.091246]  [<ffffffff85647c78>] tcp_check_req+0x3c8/0x500
[ 8451.091249]  [<ffffffff856451ae>] ? tcp_v4_inbound_md5_hash+0x11e/0x190
[ 8451.091253]  [<ffffffff85647170>] tcp_v4_rcv+0x3c0/0x9f0
[ 8451.091256]  [<ffffffff85618143>] ? ip_local_deliver_finish+0x43/0x2b0
[ 8451.091260]  [<ffffffff856181b6>] ip_local_deliver_finish+0xb6/0x2b0
[ 8451.091263]  [<ffffffff85618143>] ? ip_local_deliver_finish+0x43/0x2b0
[ 8451.091267]  [<ffffffff85618d38>] ip_local_deliver+0x48/0x80
[ 8451.091270]  [<ffffffff85618510>] ip_rcv_finish+0x160/0x700
[ 8451.091273]  [<ffffffff8561900e>] ip_rcv+0x29e/0x3d0
[ 8451.091277]  [<ffffffff855c74b7>] __netif_receive_skb_core+0xb47/0xe90

Fixes: a8afca0329988 ("tcp: md5: protects md5sig_info with RCU")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/ipv4/tcp_ipv4.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 1f2cd0f..fcb88df 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -997,7 +997,8 @@ int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,
 	}
 
 	md5sig = rcu_dereference_protected(tp->md5sig_info,
-					   sock_owned_by_user(sk));
+					   sock_owned_by_user(sk) ||
+					   lockdep_is_held(&sk->sk_lock.slock));
 	if (!md5sig) {
 		md5sig = kmalloc(sizeof(*md5sig), gfp);
 		if (!md5sig)
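
Review bot: The widened condition in tcp_md5_do_add() carries no comment explaining why holding `sk->sk_lock.slock` is sufficient when `sock_owned_by_user(sk)` is false. A short note above the `rcu_dereference_protected()` call (child socket on the passive-open path, not yet owned by the user, spinlock held) would keep the annotation from being tightened again later. If other accessors of `tp->md5sig_info` use the `sock_owned_by_user(sk)`-only form and can be reached on the same path, they would need the same change.
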
-- 
1.9.1



* [PATCH 3.13.y-ckt 63/78] ARM: dts: Kirkwood: Fix QNAP TS219 power-off
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (61 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 62/78] tcp: md5: fix lockdep annotation Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 64/78] isdn: Partially revert debug format string usage clean up Kamal Mostafa
                   ` (14 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Helmut Klein, Andrew Lunn, Gregory CLEMENT, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Helmut Klein <hgkr.klein@gmail.com>

commit 5442f0eadf2885453d5b2ed8c8592f32a3744f8e upstream.

The "reg" entry in the "poweroff" section of "kirkwood-ts219.dtsi"
addressed the wrong uart (0 = console). This patch changes the address
to select uart 1, which is the uart connected to the pic
microcontroller, which can switch the device off.

Signed-off-by: Helmut Klein <hgkr.klein@gmail.com>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Fixes: 4350a47bbac3 ("ARM: Kirkwood: Make use of the QNAP Power off driver.")
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 arch/arm/boot/dts/kirkwood-ts219.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/kirkwood-ts219.dtsi b/arch/arm/boot/dts/kirkwood-ts219.dtsi
index 39158cf..067e1e9 100644
--- a/arch/arm/boot/dts/kirkwood-ts219.dtsi
+++ b/arch/arm/boot/dts/kirkwood-ts219.dtsi
@@ -47,7 +47,7 @@
 		};
 		poweroff@12100 {
 			compatible = "qnap,power-off";
-			reg = <0x12000 0x100>;
+			reg = <0x12100 0x100>;
 			clocks = <&gate_clk 7>;
 		};
 		spi@10600 {
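
Review bot: The `clocks = <&gate_clk 7>` property of `poweroff@12100` is left unchanged while `reg` moves the node from the uart at 0x12000 to the one at 0x12100. Please confirm that gate clock 7 also covers the uart at 0x12100. The new `reg` value does now agree with the unit address in the node name, which the old one contradicted.
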
-- 
1.9.1



* [PATCH 3.13.y-ckt 64/78] isdn: Partially revert debug format string usage clean up
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (62 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 63/78] ARM: dts: Kirkwood: Fix QNAP TS219 power-off Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 65/78] remoteproc: avoid stack overflow in debugfs file Kamal Mostafa
                   ` (13 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Kees Cook, Karsten Keil, Christoph Biedl, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>

commit 19cebbcb04c8277bb8a7905957c8af11967c4e28 upstream.

Commit 35a4a57 ("isdn: clean up debug format string usage") introduced
a safeguard to avoid accidental format string interpolation of data
when calling debugl1 or HiSax_putstatus. This did however not take into
account that VHiSax_putstatus (called by HiSax_putstatus) does *not* call
vsprintf if the head parameter is NULL - the format string is treated
as plain text then instead. As a result, the string "%s" is processed
literally, and the actual information is lost. This affects the isdnlog
userspace program which stopped logging information since that commit.

So revert the HiSax_putstatus invocations to the previous state.

Fixes: 35a4a5733b0a ("isdn: clean up debug format string usage")
Cc: Kees Cook <keescook@chromium.org>
Cc: Karsten Keil <isdn@linux-pingi.de>
Signed-off-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/isdn/hisax/config.c  | 2 +-
 drivers/isdn/hisax/hfc_pci.c | 2 +-
 drivers/isdn/hisax/hfc_sx.c  | 2 +-
 drivers/isdn/hisax/q931.c    | 6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/isdn/hisax/config.c b/drivers/isdn/hisax/config.c
index b33f53b..bf04d2a 100644
--- a/drivers/isdn/hisax/config.c
+++ b/drivers/isdn/hisax/config.c
@@ -1896,7 +1896,7 @@ static void EChannel_proc_rcv(struct hisax_d_if *d_if)
 				ptr--;
 				*ptr++ = '\n';
 				*ptr = 0;
-				HiSax_putstatus(cs, NULL, "%s", cs->dlog);
+				HiSax_putstatus(cs, NULL, cs->dlog);
 			} else
 				HiSax_putstatus(cs, "LogEcho: ",
 						"warning Frame too big (%d)",
diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c
index 4a48255..90449e1 100644
--- a/drivers/isdn/hisax/hfc_pci.c
+++ b/drivers/isdn/hisax/hfc_pci.c
@@ -901,7 +901,7 @@ Begin:
 					ptr--;
 					*ptr++ = '\n';
 					*ptr = 0;
-					HiSax_putstatus(cs, NULL, "%s", cs->dlog);
+					HiSax_putstatus(cs, NULL, cs->dlog);
 				} else
 					HiSax_putstatus(cs, "LogEcho: ", "warning Frame too big (%d)", total - 3);
 			}
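
Review bot: `HiSax_putstatus(cs, NULL, cs->dlog)` here, like the call in config.c above and the four that follow, passes a runtime buffer in the format-string position, and it is safe only because, as the commit message explains, VHiSax_putstatus does not call vsprintf when `head` is NULL. That invariant is invisible at the call site, so format-string checkers will flag these lines again, and a later change to a non-NULL `head` would turn `cs->dlog` into a live format string. Please add a comment here, or at HiSax_putstatus itself, stating that a NULL `head` means the third argument is copied as plain text.
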
diff --git a/drivers/isdn/hisax/hfc_sx.c b/drivers/isdn/hisax/hfc_sx.c
index fa1fefd..dc4574f 100644
--- a/drivers/isdn/hisax/hfc_sx.c
+++ b/drivers/isdn/hisax/hfc_sx.c
@@ -674,7 +674,7 @@ receive_emsg(struct IsdnCardState *cs)
 					ptr--;
 					*ptr++ = '\n';
 					*ptr = 0;
-					HiSax_putstatus(cs, NULL, "%s", cs->dlog);
+					HiSax_putstatus(cs, NULL, cs->dlog);
 				} else
 					HiSax_putstatus(cs, "LogEcho: ", "warning Frame too big (%d)", skb->len);
 			}
diff --git a/drivers/isdn/hisax/q931.c b/drivers/isdn/hisax/q931.c
index af1b020..041bf52 100644
--- a/drivers/isdn/hisax/q931.c
+++ b/drivers/isdn/hisax/q931.c
@@ -1179,7 +1179,7 @@ LogFrame(struct IsdnCardState *cs, u_char *buf, int size)
 		dp--;
 		*dp++ = '\n';
 		*dp = 0;
-		HiSax_putstatus(cs, NULL, "%s", cs->dlog);
+		HiSax_putstatus(cs, NULL, cs->dlog);
 	} else
 		HiSax_putstatus(cs, "LogFrame: ", "warning Frame too big (%d)", size);
 }
@@ -1246,7 +1246,7 @@ dlogframe(struct IsdnCardState *cs, struct sk_buff *skb, int dir)
 	}
 	if (finish) {
 		*dp = 0;
-		HiSax_putstatus(cs, NULL, "%s", cs->dlog);
+		HiSax_putstatus(cs, NULL, cs->dlog);
 		return;
 	}
 	if ((0xfe & buf[0]) == PROTO_DIS_N0) {	/* 1TR6 */
@@ -1509,5 +1509,5 @@ dlogframe(struct IsdnCardState *cs, struct sk_buff *skb, int dir)
 		dp += sprintf(dp, "Unknown protocol %x!", buf[0]);
 	}
 	*dp = 0;
-	HiSax_putstatus(cs, NULL, "%s", cs->dlog);
+	HiSax_putstatus(cs, NULL, cs->dlog);
 }
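
Review bot: This is the sixth call site in the patch that depends on the NULL-`head` convention, and in dlogframe() the buffer is assembled with `sprintf` from frame contents (`buf[0]` in the context line above). Rather than overloading the format parameter, a small wrapper that takes a plain string and forwards it with a NULL `head` would give these callers one documented entry point and keep the "%s" form available everywhere else.
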
-- 
1.9.1



* [PATCH 3.13.y-ckt 65/78] remoteproc: avoid stack overflow in debugfs file
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (63 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 64/78] isdn: Partially revert debug format string usage clean up Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 66/78] net: mvneta: add configuration for MBUS windows access protection Kamal Mostafa
                   ` (12 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Arnd Bergmann, Ohad Ben-Cohen, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 92792e48e2ae6051af30468a87994b5432da2f06 upstream.

Recent gcc versions warn about reading from a negative offset of
an on-stack array:

drivers/remoteproc/remoteproc_debugfs.c: In function 'rproc_recovery_write':
drivers/remoteproc/remoteproc_debugfs.c:167:9: warning: 'buf[4294967295u]' may be used uninitialized in this function [-Wmaybe-uninitialized]

I don't see anything in sys_write() that prevents us from
being called with a zero 'count' argument, so we should
add an extra check in rproc_recovery_write() to prevent the
access and avoid the warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 2e37abb89a2e ("remoteproc: create a 'recovery' debugfs entry")
Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/remoteproc/remoteproc_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/remoteproc/remoteproc_debugfs.c b/drivers/remoteproc/remoteproc_debugfs.c
index 9d30809..916af50 100644
--- a/drivers/remoteproc/remoteproc_debugfs.c
+++ b/drivers/remoteproc/remoteproc_debugfs.c
@@ -156,7 +156,7 @@ rproc_recovery_write(struct file *filp, const char __user *user_buf,
 	char buf[10];
 	int ret;
 
-	if (count > sizeof(buf))
+	if (count < 1 || count > sizeof(buf))
 		return count;
 
 	ret = copy_from_user(buf, user_buf, count);
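
Review bot: The extended check in rproc_recovery_write() still does `return count;` for rejected input, so an oversized write is reported to userspace as fully consumed although nothing was parsed. Returning `count` (zero) for `count < 1` is reasonable, but `-EINVAL` for `count > sizeof(buf)` would be clearer. Note also that a write of exactly `sizeof(buf)` bytes fills `buf[10]` completely, so any later string handling must not assume a terminating NUL.
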
-- 
1.9.1



* [PATCH 3.13.y-ckt 66/78] net: mvneta: add configuration for MBUS windows access protection
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (64 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 65/78] remoteproc: avoid stack overflow in debugfs file Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 67/78] net: mvneta: fix bit assignment in MVNETA_RXQ_CONFIG_REG Kamal Mostafa
                   ` (11 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Marcin Wojtas, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcin Wojtas <mw@semihalf.com>

commit db6ba9a5371f173489df126739d0a1c2a50f347b upstream.

This commit adds missing configuration of MBUS windows access protection
in mvneta_conf_mbus_windows function - a dedicated variable for that
purpose remained there unused since v3.8 initial mvneta support. Because
of that the register contents were inherited from the bootloader.

Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@free-electrons.com>

Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network
unit")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/ethernet/marvell/mvneta.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 05d247f..4635e2b 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -58,6 +58,7 @@
 #define MVNETA_WIN_SIZE(w)                      (0x2204 + ((w) << 3))
 #define MVNETA_WIN_REMAP(w)                     (0x2280 + ((w) << 2))
 #define MVNETA_BASE_ADDR_ENABLE                 0x2290
+#define MVNETA_ACCESS_PROTECT_ENABLE            0x2294
 #define MVNETA_PORT_CONFIG                      0x2400
 #define      MVNETA_UNI_PROMISC_MODE            BIT(0)
 #define      MVNETA_DEF_RXQ(q)                  ((q) << 1)
@@ -2740,6 +2741,7 @@ static void mvneta_conf_mbus_windows(struct mvneta_port *pp,
 	}
 
 	mvreg_write(pp, MVNETA_BASE_ADDR_ENABLE, win_enable);
+	mvreg_write(pp, MVNETA_ACCESS_PROTECT_ENABLE, win_protect);
 }
 
 /* Power up the port */
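
Review bot: `win_protect` is now written to MVNETA_ACCESS_PROTECT_ENABLE at the end of mvneta_conf_mbus_windows(), but the code that computes it lies outside this hunk. Please confirm it is initialized on every path, including the case where no window is configured, and that it holds the intended per-window permission bits; until now the register kept whatever the bootloader left there, and boards may have been depending on that value.
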
-- 
1.9.1



* [PATCH 3.13.y-ckt 67/78] net: mvneta: fix bit assignment in MVNETA_RXQ_CONFIG_REG
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (65 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 66/78] net: mvneta: add configuration for MBUS windows access protection Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 68/78] net: mvneta: fix bit assignment for RX packet irq enable Kamal Mostafa
                   ` (10 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Marcin Wojtas, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcin Wojtas <mw@semihalf.com>

commit e5bdf689d32fcf3aaf548c71e715b303ba20b5d1 upstream.

MVNETA_RXQ_HW_BUF_ALLOC bit which controls enabling hardware buffer
allocation was mistakenly set as BIT(1). This commit fixes the assignment.

Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@free-electrons.com>

Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network
unit")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/ethernet/marvell/mvneta.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 4635e2b..9ff2d90 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -32,7 +32,7 @@
 
 /* Registers */
 #define MVNETA_RXQ_CONFIG_REG(q)                (0x1400 + ((q) << 2))
-#define      MVNETA_RXQ_HW_BUF_ALLOC            BIT(1)
+#define      MVNETA_RXQ_HW_BUF_ALLOC            BIT(0)
 #define      MVNETA_RXQ_PKT_OFFSET_ALL_MASK     (0xf    << 8)
 #define      MVNETA_RXQ_PKT_OFFSET_MASK(offs)   ((offs) << 8)
 #define MVNETA_RXQ_THRESHOLD_REG(q)             (0x14c0 + ((q) << 2))
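
Review bot: Moving MVNETA_RXQ_HW_BUF_ALLOC from `BIT(1)` to `BIT(0)` changes which bit of MVNETA_RXQ_CONFIG_REG every existing user of the macro sets or clears. The commit message does not say what bit 1 controls, so for the stable backport please check each user of the macro in this tree and confirm that no path was relying on the side effect of toggling bit 1.
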
-- 
1.9.1



* [PATCH 3.13.y-ckt 68/78] net: mvneta: fix bit assignment for RX packet irq enable
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (66 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 67/78] net: mvneta: fix bit assignment in MVNETA_RXQ_CONFIG_REG Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 69/78] sched/core: Remove false-positive warning from wake_up_process() Kamal Mostafa
                   ` (9 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Marcin Wojtas, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcin Wojtas <mw@semihalf.com>

commit dc1aadf6f1e7609590fadf7a0252413732289b2e upstream.

A value originally defined in the driver was inappropriate. Even though
the ingress was somehow working, writing MVNETA_RXQ_INTR_ENABLE_ALL_MASK
to MVNETA_INTR_ENABLE didn't have any effect, because the bits [31:16]
are reserved and read-only.

This commit updates MVNETA_RXQ_INTR_ENABLE_ALL_MASK to be compliant with
the controller's documentation.

Signed-off-by: Marcin Wojtas <mw@semihalf.com>

Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network
unit")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/ethernet/marvell/mvneta.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 9ff2d90..35db1de 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -150,7 +150,7 @@
 
 #define MVNETA_INTR_ENABLE                       0x25b8
 #define      MVNETA_TXQ_INTR_ENABLE_ALL_MASK     0x0000ff00
-#define      MVNETA_RXQ_INTR_ENABLE_ALL_MASK     0xff000000  // note: neta says it's 0x000000FF
+#define      MVNETA_RXQ_INTR_ENABLE_ALL_MASK     0x000000ff
 
 #define MVNETA_RXQ_CMD                           0x2680
 #define      MVNETA_RXQ_DISABLE_SHIFT            8
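
Review bot: Per the commit message the old MVNETA_RXQ_INTR_ENABLE_ALL_MASK value only touched reserved read-only bits, so the write to MVNETA_INTR_ENABLE had no effect; with `0x000000ff` it enables RX queue interrupt bits for the first time in this tree. That is a behaviour change rather than a cosmetic constant fix, so the backport should be exercised on hardware, in particular the handler paths that test these bits.
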
-- 
1.9.1



* [PATCH 3.13.y-ckt 69/78] sched/core: Remove false-positive warning from wake_up_process()
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (67 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 68/78] net: mvneta: fix bit assignment for RX packet irq enable Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 70/78] packet: allow to transmit +4 byte in TX_RING slot for VLAN case Kamal Mostafa
                   ` (8 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Sasha Levin, Peter Zijlstra (Intel),
	Mike Galbraith, Thomas Gleixner, oleg, Ingo Molnar,
	Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sasha Levin <sasha.levin@oracle.com>

commit 119d6f6a3be8b424b200dcee56e74484d5445f7e upstream.

Because wakeups can (fundamentally) be late, a task might not be in
the expected state. Therefore testing against a task's state is racy,
and can yield false positives.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: oleg@redhat.com
Fixes: 9067ac85d533 ("wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task")
Link: http://lkml.kernel.org/r/1448933660-23082-1-git-send-email-sasha.levin@oracle.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 kernel/sched/core.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 5d2b6c1..42d354e 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -1700,7 +1700,6 @@ out:
  */
 int wake_up_process(struct task_struct *p)
 {
-	WARN_ON(task_is_stopped_or_traced(p));
 	return try_to_wake_up(p, TASK_NORMAL, 0);
 }
 EXPORT_SYMBOL(wake_up_process);
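Review bot: with the WARN_ON gone, nothing in wake_up_process() itself
says why a stopped or traced task is no longer flagged. If the comment
block that ends just above the function still describes that
restriction, it should be updated in the same change, or a one-line
note added that the state test was dropped because late wakeups make
it racy.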
-- 
1.9.1



* [PATCH 3.13.y-ckt 70/78] packet: allow to transmit +4 byte in TX_RING slot for VLAN case
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (68 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 69/78] sched/core: Remove false-positive warning from wake_up_process() Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 71/78] packet: tpacket_snd(): fix signed/unsigned comparison Kamal Mostafa
                   ` (7 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Daniel Borkmann, Ben Greear, Phil Sutter, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <dborkman@redhat.com>

commit 52f1454f629fafbfb47ad6727e0837250e1f08c0 upstream.

Commit 57f89bfa2140 ("network: Allow af_packet to transmit +4 bytes
for VLAN packets.") added the possibility for non-mmaped frames to
send extra 4 byte for VLAN header so the MTU increases from 1500 to
1504 byte, for example.

Commit cbd89acb9eb2 ("af_packet: fix for sending VLAN frames via
packet_mmap") attempted to fix that for the mmap part but was
reverted as it caused regressions while using eth_type_trans()
on output path.

Let's just act analogous to 57f89bfa2140 and add a similar logic
to TX_RING. We presume size_max as overcharged with +4 bytes and
later on after skb has been built by tpacket_fill_skb() check
for ETH_P_8021Q header on packets larger than normal MTU. Can
be easily reproduced with a slightly modified trafgen in mmap(2)
mode, test cases:

 { fill(0xff, 12) const16(0x8100) fill(0xff, <1504|1505>) }
 { fill(0xff, 12) const16(0x0806) fill(0xff, <1500|1501>) }

Note that we need to do the test right after tpacket_fill_skb()
as sockets can have PACKET_LOSS set where we would not fail but
instead just continue to traverse the ring.

Reported-by: Mathias Kretschmer <mathias.kretschmer@fokus.fraunhofer.de>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Ben Greear <greearb@candelatech.com>
Cc: Phil Sutter <phil@nwl.cc>
Tested-by: Mathias Kretschmer <mathias.kretschmer@fokus.fraunhofer.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/packet/af_packet.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index b4cb15b..870046d 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2119,8 +2119,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 	if (unlikely(!(dev->flags & IFF_UP)))
 		goto out_put;
 
-	reserve = dev->hard_header_len;
-
+	reserve = dev->hard_header_len + VLAN_HLEN;
 	size_max = po->tx_ring.frame_size
 		- (po->tp_hdrlen - sizeof(struct sockaddr_ll));
 
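Review bot: reserve now carries VLAN_HLEN unconditionally, with no
check of the device type or socket type at this point. Every later use
of reserve in tpacket_snd() therefore sees a value 4 bytes larger than
the link-layer header, on non-Ethernet devices as well. 72/78 and 73/78
in this series narrow this again, so this patch should not be picked
without them.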
@@ -2147,8 +2146,19 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 			goto out_status;
 
 		tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto,
-				addr, hlen);
+					  addr, hlen);
+		if (tp_len > dev->mtu + dev->hard_header_len) {
+			struct ethhdr *ehdr;
+			/* Earlier code assumed this would be a VLAN pkt,
+			 * double-check this now that we have the actual
+			 * packet in hand.
+			 */
 
+			skb_reset_mac_header(skb);
+			ehdr = eth_hdr(skb);
+			if (ehdr->h_proto != htons(ETH_P_8021Q))
+				tp_len = -EMSGSIZE;
+		}
 		if (unlikely(tp_len < 0)) {
 			if (po->tp_loss) {
 				__packet_set_status(po, ph,
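Review bot: the new test "tp_len > dev->mtu + dev->hard_header_len"
runs before the existing "tp_len < 0" check, and tp_len holds the
return value of tpacket_fill_skb(), which can be a negative errno.
Compared against the unsigned sum, a negative tp_len is converted to a
large unsigned value, so the branch is taken, eth_hdr(skb) is read on an
skb that failed to fill, and the original error can be replaced by
-EMSGSIZE. Guard the comparison with tp_len >= 0 (71/78 does this) or
move the block below the error check. The h_proto read also has no
dev->type test in front of it.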
-- 
1.9.1



* [PATCH 3.13.y-ckt 71/78] packet: tpacket_snd(): fix signed/unsigned comparison
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (69 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 70/78] packet: allow to transmit +4 byte in TX_RING slot for VLAN case Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 72/78] packet: only allow extra vlan len on ethernet devices Kamal Mostafa
                   ` (6 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Alexander Drozdov, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Drozdov <al.drozdov@gmail.com>

commit dbd46ab412b8fb395f2b0ff6f6a7eec9df311550 upstream.

tpacket_fill_skb() can return a negative value (-errno) which
is stored in tp_len variable. In that case the following
condition will be (but shouldn't be) true:

tp_len > dev->mtu + dev->hard_header_len

as dev->mtu and dev->hard_header_len are both unsigned.

That may lead to just returning an incorrect EMSGSIZE errno
to the user.

Fixes: 52f1454f629fa ("packet: allow to transmit +4 byte in TX_RING slot for VLAN case")
Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/packet/af_packet.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 870046d..04d0e35 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2147,7 +2147,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 
 		tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto,
 					  addr, hlen);
-		if (tp_len > dev->mtu + dev->hard_header_len) {
+		if (likely(tp_len >= 0) &&
+		    tp_len > dev->mtu + dev->hard_header_len) {
 			struct ethhdr *ehdr;
 			/* Earlier code assumed this would be a VLAN pkt,
 			 * double-check this now that we have the actual
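Review bot: the fix depends on "likely(tp_len >= 0)" staying the first
operand of the &&, because the second operand still compares a signed
int with an unsigned sum. A brief comment to that effect, or an explicit
cast on the right-hand side, would protect the condition against a
later reordering.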
-- 
1.9.1



* [PATCH 3.13.y-ckt 72/78] packet: only allow extra vlan len on ethernet devices
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (70 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 71/78] packet: tpacket_snd(): fix signed/unsigned comparison Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 73/78] packet: fix tpacket_snd max frame len Kamal Mostafa
                   ` (5 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Daniel Borkmann, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

commit 3c70c132488794e2489ab045559b0ce0afcf17de upstream.

Packet sockets can be used by various net devices and are not
really restricted to ARPHRD_ETHER device types. However, when
currently checking for the extra 4 bytes that can be transmitted
in VLAN case, our assumption is that we generally probe on
ARPHRD_ETHER devices. Therefore, before looking into Ethernet
header, check the device type first.

This also fixes the issue where non-ARPHRD_ETHER devices could
have no dev->hard_header_len in TX_RING SOCK_RAW case, and thus
the check would test unfilled linear part of the skb (instead
of non-linear).

Fixes: 57f89bfa2140 ("network: Allow af_packet to transmit +4 bytes for VLAN packets.")
Fixes: 52f1454f629f ("packet: allow to transmit +4 byte in TX_RING slot for VLAN case")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/packet/af_packet.c | 60 +++++++++++++++++++++-----------------------------
 1 file changed, 25 insertions(+), 35 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 04d0e35..02af0fb 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1392,6 +1392,20 @@ static void fanout_release(struct sock *sk)
 	mutex_unlock(&fanout_mutex);
 }
 
+static bool packet_extra_vlan_len_allowed(const struct net_device *dev,
+					  struct sk_buff *skb)
+{
+	/* Earlier code assumed this would be a VLAN pkt, double-check
+	 * this now that we have the actual packet in hand. We can only
+	 * do this check on Ethernet devices.
+	 */
+	if (unlikely(dev->type != ARPHRD_ETHER))
+		return false;
+
+	skb_reset_mac_header(skb);
+	return likely(eth_hdr(skb)->h_proto == htons(ETH_P_8021Q));
+}
+
 static const struct proto_ops packet_ops;
 
 static const struct proto_ops packet_ops_spkt;
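Review bot: packet_extra_vlan_len_allowed() reads as a pure predicate
but calls skb_reset_mac_header(skb), so it modifies the skb it is asked
about. The comment should state that side effect, and also that the
caller must already have the Ethernet header in the linear part of the
skb, since eth_hdr(skb)->h_proto is read without any length check in
the helper.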
@@ -1553,18 +1567,10 @@ retry:
 		goto retry;
 	}
 
-	if (len > (dev->mtu + dev->hard_header_len + extra_len)) {
-		/* Earlier code assumed this would be a VLAN pkt,
-		 * double-check this now that we have the actual
-		 * packet in hand.
-		 */
-		struct ethhdr *ehdr;
-		skb_reset_mac_header(skb);
-		ehdr = eth_hdr(skb);
-		if (ehdr->h_proto != htons(ETH_P_8021Q)) {
-			err = -EMSGSIZE;
-			goto out_unlock;
-		}
+	if (len > (dev->mtu + dev->hard_header_len + extra_len) &&
+	    !packet_extra_vlan_len_allowed(dev, skb)) {
+		err = -EMSGSIZE;
+		goto out_unlock;
 	}
 
 	skb->protocol = proto;
@@ -2148,18 +2154,10 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 		tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto,
 					  addr, hlen);
 		if (likely(tp_len >= 0) &&
-		    tp_len > dev->mtu + dev->hard_header_len) {
-			struct ethhdr *ehdr;
-			/* Earlier code assumed this would be a VLAN pkt,
-			 * double-check this now that we have the actual
-			 * packet in hand.
-			 */
+		    tp_len > dev->mtu + dev->hard_header_len &&
+		    !packet_extra_vlan_len_allowed(dev, skb))
+			tp_len = -EMSGSIZE;
 
-			skb_reset_mac_header(skb);
-			ehdr = eth_hdr(skb);
-			if (ehdr->h_proto != htons(ETH_P_8021Q))
-				tp_len = -EMSGSIZE;
-		}
 		if (unlikely(tp_len < 0)) {
 			if (po->tp_loss) {
 				__packet_set_status(po, ph,
@@ -2366,18 +2364,10 @@ static int packet_snd(struct socket *sock,
 
 	sock_tx_timestamp(sk, &skb_shinfo(skb)->tx_flags);
 
-	if (!gso_type && (len > dev->mtu + reserve + extra_len)) {
-		/* Earlier code assumed this would be a VLAN pkt,
-		 * double-check this now that we have the actual
-		 * packet in hand.
-		 */
-		struct ethhdr *ehdr;
-		skb_reset_mac_header(skb);
-		ehdr = eth_hdr(skb);
-		if (ehdr->h_proto != htons(ETH_P_8021Q)) {
-			err = -EMSGSIZE;
-			goto out_free;
-		}
+	if (!gso_type && (len > dev->mtu + reserve + extra_len) &&
+	    !packet_extra_vlan_len_allowed(dev, skb)) {
+		err = -EMSGSIZE;
+		goto out_free;
 	}
 
 	skb->protocol = proto;
-- 
1.9.1



* [PATCH 3.13.y-ckt 73/78] packet: fix tpacket_snd max frame len
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (71 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 72/78] packet: only allow extra vlan len on ethernet devices Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 74/78] net/mlx4_core: Avoid returning success in case of an error flow Kamal Mostafa
                   ` (4 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Daniel Borkmann, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

commit 5cfb4c8d05b4409c4044cb9c05b19705c1d9818b upstream.

Since its introduction in commit 69e3c75f4d54 ("net: TX_RING and
packet mmap"), TX_RING could be used from SOCK_DGRAM and SOCK_RAW
side. When used with SOCK_DGRAM only, the size_max > dev->mtu +
reserve check should have reserve as 0, but currently, this is
unconditionally set (in its original form as dev->hard_header_len).

I think this is not correct since tpacket_fill_skb() would then
take dev->mtu and dev->hard_header_len into account for SOCK_DGRAM,
the extra VLAN_HLEN could be possible in both cases. Presumably, the
reserve code was copied from packet_snd(), but later on missed the
check. Make it similar as we have it in packet_snd().

Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/packet/af_packet.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 02af0fb..5714c74 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2125,12 +2125,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 	if (unlikely(!(dev->flags & IFF_UP)))
 		goto out_put;
 
-	reserve = dev->hard_header_len + VLAN_HLEN;
+	if (po->sk.sk_socket->type == SOCK_RAW)
+		reserve = dev->hard_header_len;
 	size_max = po->tx_ring.frame_size
 		- (po->tp_hdrlen - sizeof(struct sockaddr_ll));
 
-	if (size_max > dev->mtu + reserve)
-		size_max = dev->mtu + reserve;
+	if (size_max > dev->mtu + reserve + VLAN_HLEN)
+		size_max = dev->mtu + reserve + VLAN_HLEN;
 
 	do {
 		ph = packet_current_frame(po, &po->tx_ring,
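Review bot: reserve is now assigned only inside the SOCK_RAW branch, so
for SOCK_DGRAM the size_max clamp below uses whatever value reserve had
at declaration. The declaration is outside the visible context; please
confirm that this tree initializes it to 0 there, otherwise
"dev->mtu + reserve + VLAN_HLEN" reads an uninitialized variable on the
SOCK_DGRAM path.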
@@ -2154,7 +2155,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 		tp_len = tpacket_fill_skb(po, skb, ph, dev, size_max, proto,
 					  addr, hlen);
 		if (likely(tp_len >= 0) &&
-		    tp_len > dev->mtu + dev->hard_header_len &&
+		    tp_len > dev->mtu + reserve &&
 		    !packet_extra_vlan_len_allowed(dev, skb))
 			tp_len = -EMSGSIZE;
 
-- 
1.9.1



* [PATCH 3.13.y-ckt 74/78] net/mlx4_core: Avoid returning success in case of an error flow
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (72 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 73/78] packet: fix tpacket_snd max frame len Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 75/78] net: ip6mr: fix static mfc/dev leaks on table destruction Kamal Mostafa
                   ` (3 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Noa Osherovich, Or Gerlitz, David S. Miller, Luis Henriques,
	Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Noa Osherovich <noaos@mellanox.com>

commit d49c2197fd70c37d57982804465268440a33183a upstream.

The err variable wasn't set with the correct error value in some cases.

Fixes: 47605df95398 ('mlx4: Modify proxy/tunnel QP mechanism [..]')
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/ethernet/mellanox/mlx4/main.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
index 1f4b447..115ce14 100644
--- a/drivers/net/ethernet/mellanox/mlx4/main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/main.c
@@ -606,9 +606,10 @@ static int mlx4_slave_cap(struct mlx4_dev *dev)
 		dev->caps.qp1_tunnel[i - 1] = func_cap.qp1_tunnel_qpn;
 		dev->caps.qp1_proxy[i - 1] = func_cap.qp1_proxy_qpn;
 		dev->caps.port_mask[i] = dev->caps.port_type[i];
-		if (mlx4_get_slave_pkey_gid_tbl_len(dev, i,
-						    &dev->caps.gid_table_len[i],
-						    &dev->caps.pkey_table_len[i]))
+		err = mlx4_get_slave_pkey_gid_tbl_len(dev, i,
+						      &dev->caps.gid_table_len[i],
+						      &dev->caps.pkey_table_len[i]);
+		if (err)
 			goto err_mem;
 	}
 
@@ -619,6 +620,7 @@ static int mlx4_slave_cap(struct mlx4_dev *dev)
 			 "PCI resource 2 size of 0x%llx, aborting.\n",
 			 dev->caps.uar_page_size * dev->caps.num_uars,
 			 (unsigned long long) pci_resource_len(dev->pdev, 2));
+		err = -ENOMEM;
 		goto err_mem;
 	}
 
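Review bot: the two hunks cover only the "goto err_mem" sites that
appear in this context, and the commit message notes that the context
was adjusted for the backport. The remaining "goto err_mem" paths in
mlx4_slave_cap() should be checked in this tree for the same pattern of
jumping out with err still 0, since a missed site would again return
success on failure.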
-- 
1.9.1



* [PATCH 3.13.y-ckt 75/78] net: ip6mr: fix static mfc/dev leaks on table destruction
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (73 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 74/78] net/mlx4_core: Avoid returning success in case of an error flow Kamal Mostafa
@ 2015-12-17  0:39 ` Kamal Mostafa
  2015-12-17  0:40 ` [PATCH 3.13.y-ckt 76/78] unix: avoid use-after-free in ep_remove_wait_queue Kamal Mostafa
                   ` (2 subsequent siblings)
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:39 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Benjamin Thery, Nikolay Aleksandrov, David S. Miller,
	Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 4c6980462f32b4f282c5d8e5f7ea8070e2937725 upstream.

Similar to ipv4, when destroying an mrt table the static mfc entries and
the static devices are kept, which leads to devices that can never be
destroyed (because of refcnt taken) and leaked memory. Make sure that
everything is cleaned up on netns destruction.

Fixes: 8229efdaef1e ("netns: ip6mr: enable namespace support in ipv6 multicast forwarding code")
CC: Benjamin Thery <benjamin.thery@bull.net>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Reviewed-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/ipv6/ip6mr.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 821d8df..9ad5611 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -120,7 +120,7 @@ static void mr6_netlink_event(struct mr6_table *mrt, struct mfc6_cache *mfc,
 			      int cmd);
 static int ip6mr_rtm_dumproute(struct sk_buff *skb,
 			       struct netlink_callback *cb);
-static void mroute_clean_tables(struct mr6_table *mrt);
+static void mroute_clean_tables(struct mr6_table *mrt, bool all);
 static void ipmr_expire_process(unsigned long arg);
 
 #ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES
@@ -337,7 +337,7 @@ static struct mr6_table *ip6mr_new_table(struct net *net, u32 id)
 static void ip6mr_free_table(struct mr6_table *mrt)
 {
 	del_timer(&mrt->ipmr_expire_timer);
-	mroute_clean_tables(mrt);
+	mroute_clean_tables(mrt, true);
 	kfree(mrt);
 }
 
@@ -1536,7 +1536,7 @@ static int ip6mr_mfc_add(struct net *net, struct mr6_table *mrt,
  *	Close the multicast socket, and clear the vif tables etc
  */
 
-static void mroute_clean_tables(struct mr6_table *mrt)
+static void mroute_clean_tables(struct mr6_table *mrt, bool all)
 {
 	int i;
 	LIST_HEAD(list);
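Review bot: the new "bool all" parameter is not described in the comment
above mroute_clean_tables(), and the call sites pass a bare true or
false. Extend the comment to say that all == true also removes
VIFF_STATIC vifs and MFC_STATIC cache entries (table destruction) and
all == false keeps them (socket close), so the two callers can be read
without opening the function body.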
@@ -1546,8 +1546,9 @@ static void mroute_clean_tables(struct mr6_table *mrt)
 	 *	Shut down all active vif entries
 	 */
 	for (i = 0; i < mrt->maxvif; i++) {
-		if (!(mrt->vif6_table[i].flags & VIFF_STATIC))
-			mif6_delete(mrt, i, &list);
+		if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC))
+			continue;
+		mif6_delete(mrt, i, &list);
 	}
 	unregister_netdevice_many(&list);
 
@@ -1556,7 +1557,7 @@ static void mroute_clean_tables(struct mr6_table *mrt)
 	 */
 	for (i = 0; i < MFC6_LINES; i++) {
 		list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[i], list) {
-			if (c->mfc_flags & MFC_STATIC)
+			if (!all && (c->mfc_flags & MFC_STATIC))
 				continue;
 			write_lock_bh(&mrt_lock);
 			list_del(&c->list);
@@ -1619,7 +1620,7 @@ int ip6mr_sk_done(struct sock *sk)
 						     net->ipv6.devconf_all);
 			write_unlock_bh(&mrt_lock);
 
-			mroute_clean_tables(mrt);
+			mroute_clean_tables(mrt, false);
 			err = 0;
 			break;
 		}
-- 
1.9.1



* [PATCH 3.13.y-ckt 76/78] unix: avoid use-after-free in ep_remove_wait_queue
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (74 preceding siblings ...)
  2015-12-17  0:39 ` [PATCH 3.13.y-ckt 75/78] net: ip6mr: fix static mfc/dev leaks on table destruction Kamal Mostafa
@ 2015-12-17  0:40 ` Kamal Mostafa
  2015-12-17  0:40 ` [PATCH 3.13.y-ckt 77/78] broadcom: fix PHY_ID_BCM5481 entry in the id table Kamal Mostafa
  2015-12-17  0:40 ` [PATCH 3.13.y-ckt 78/78] net/neighbour: fix crash at dumping device-agnostic proxy entries Kamal Mostafa
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:40 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Rainer Weikusat, David S. Miller, Luis Henriques, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rainer Weikusat <rweikusat@mobileactivedefense.com>

commit 7d267278a9ece963d77eefec61630223fce08c6c upstream.

Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
An AF_UNIX datagram socket being the client in an n:1 association with
some server socket is only allowed to send messages to the server if the
receive queue of this socket contains at most sk_max_ack_backlog
datagrams. This implies that prospective writers might be forced to go
to sleep despite none of the messages presently enqueued on the server
receive queue were sent by them. In order to ensure that these will be
woken up once space becomes again available, the present unix_dgram_poll
routine does a second sock_poll_wait call with the peer_wait wait queue
of the server socket as queue argument (unix_dgram_recvmsg does a wake
up on this queue after a datagram was received). This is inherently
problematic because the server socket is only guaranteed to remain alive
for as long as the client still holds a reference to it. In case the
connection is dissolved via connect or by the dead peer detection logic
in unix_dgram_sendmsg, the server socket may be freed despite "the
polling mechanism" (in particular, epoll) still has a pointer to the
corresponding peer_wait queue. There's no way to forcibly deregister a
wait queue with epoll.

Based on an idea by Jason Baron, the patch below changes the code such
that a wait_queue_t belonging to the client socket is enqueued on the
peer_wait queue of the server whenever the peer receive queue full
condition is detected by either a sendmsg or a poll. A wake up on the
peer queue is then relayed to the ordinary wait queue of the client
socket via wake function. The connection to the peer wait queue is again
dissolved if either a wake up is about to be relayed or the client
socket reconnects or a dead peer is detected or the client socket is
itself closed. This enables removing the second sock_poll_wait from
unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
that no blocked writer sleeps forever.

Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
Reviewed-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 include/net/af_unix.h |   1 +
 net/unix/af_unix.c    | 183 ++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 165 insertions(+), 19 deletions(-)

diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index dfe4ddf..e830c3d 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -63,6 +63,7 @@ struct unix_sock {
 #define UNIX_GC_CANDIDATE	0
 #define UNIX_GC_MAYBE_CYCLE	1
 	struct socket_wq	peer_wq;
+	wait_queue_t		peer_wake;
 };
 
 static inline struct unix_sock *unix_sk(struct sock *sk)
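Review bot: the new peer_wake member has no comment, yet the rest of the
patch uses its private field to record which peer the entry is currently
queued on. A one-line comment here saying so, and naming the lock that
protects it (the peer's peer_wait.lock), would make the struct
self-explanatory.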
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 157b359..9ce79ed 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -314,6 +314,118 @@ found:
 	return s;
 }
 
+/* Support code for asymmetrically connected dgram sockets
+ *
+ * If a datagram socket is connected to a socket not itself connected
+ * to the first socket (eg, /dev/log), clients may only enqueue more
+ * messages if the present receive queue of the server socket is not
+ * "too large". This means there's a second writeability condition
+ * poll and sendmsg need to test. The dgram recv code will do a wake
+ * up on the peer_wait wait queue of a socket upon reception of a
+ * datagram which needs to be propagated to sleeping would-be writers
+ * since these might not have sent anything so far. This can't be
+ * accomplished via poll_wait because the lifetime of the server
+ * socket might be less than that of its clients if these break their
+ * association with it or if the server socket is closed while clients
+ * are still connected to it and there's no way to inform "a polling
+ * implementation" that it should let go of a certain wait queue
+ *
+ * In order to propagate a wake up, a wait_queue_t of the client
+ * socket is enqueued on the peer_wait queue of the server socket
+ * whose wake function does a wake_up on the ordinary client socket
+ * wait queue. This connection is established whenever a write (or
+ * poll for write) hit the flow control condition and broken when the
+ * association to the server socket is dissolved or after a wake up
+ * was relayed.
+ */
+
+static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags,
+				      void *key)
+{
+	struct unix_sock *u;
+	wait_queue_head_t *u_sleep;
+
+	u = container_of(q, struct unix_sock, peer_wake);
+
+	__remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
+			    q);
+	u->peer_wake.private = NULL;
+
+	/* relaying can only happen while the wq still exists */
+	u_sleep = sk_sleep(&u->sk);
+	if (u_sleep)
+		wake_up_interruptible_poll(u_sleep, key);
+
+	return 0;
+}
+
+static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
+{
+	struct unix_sock *u, *u_other;
+	int rc;
+
+	u = unix_sk(sk);
+	u_other = unix_sk(other);
+	rc = 0;
+	spin_lock(&u_other->peer_wait.lock);
+
+	if (!u->peer_wake.private) {
+		u->peer_wake.private = other;
+		__add_wait_queue(&u_other->peer_wait, &u->peer_wake);
+
+		rc = 1;
+	}
+
+	spin_unlock(&u_other->peer_wait.lock);
+	return rc;
+}
+
+static void unix_dgram_peer_wake_disconnect(struct sock *sk,
+					    struct sock *other)
+{
+	struct unix_sock *u, *u_other;
+
+	u = unix_sk(sk);
+	u_other = unix_sk(other);
+	spin_lock(&u_other->peer_wait.lock);
+
+	if (u->peer_wake.private == other) {
+		__remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
+		u->peer_wake.private = NULL;
+	}
+
+	spin_unlock(&u_other->peer_wait.lock);
+}
+
+static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
+						   struct sock *other)
+{
+	unix_dgram_peer_wake_disconnect(sk, other);
+	wake_up_interruptible_poll(sk_sleep(sk),
+				   POLLOUT |
+				   POLLWRNORM |
+				   POLLWRBAND);
+}
+
+/* preconditions:
+ *	- unix_peer(sk) == other
+ *	- association is stable
+ */
+static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
+{
+	int connected;
+
+	connected = unix_dgram_peer_wake_connect(sk, other);
+
+	if (unix_recvq_full(other))
+		return 1;
+
+	if (connected)
+		unix_dgram_peer_wake_disconnect(sk, other);
+
+	return 0;
+}
+
 static inline int unix_writable(struct sock *sk)
 {
 	return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
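Review bot: unix_dgram_peer_wake_relay() calls __remove_wait_queue() and
clears peer_wake.private without taking peer_wait.lock, whereas
unix_dgram_peer_wake_connect() and _disconnect() take it explicitly.
This is correct only because a wake function runs with the wait queue
lock already held by the waker; that assumption deserves a comment at
the top of the relay function. Note also that peer_wake.private stores a
bare pointer to the peer with no reference taken, so every path that
drops the peer must call the disconnect helper first.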
@@ -418,6 +530,8 @@ static void unix_release_sock(struct sock *sk, int embrion)
 			skpair->sk_state_change(skpair);
 			sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
 		}
+
+		unix_dgram_peer_wake_disconnect(sk, skpair);
 		sock_put(skpair); /* It may now die */
 		unix_peer(sk) = NULL;
 	}
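Review bot: the placement of unix_dgram_peer_wake_disconnect() before
sock_put(skpair) is what keeps the wait queue entry from outliving the
peer, but nothing in the code says the order matters. Add a short
comment that the entry must be removed while the reference on skpair is
still held, next to the existing "It may now die" remark.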
@@ -651,6 +765,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock)
 	INIT_LIST_HEAD(&u->link);
 	mutex_init(&u->readlock); /* single task reading lock */
 	init_waitqueue_head(&u->peer_wait);
+	init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
 	unix_insert_socket(unix_sockets_unbound(sk), sk);
 out:
 	if (sk == NULL)
@@ -1018,6 +1133,8 @@ restart:
 	if (unix_peer(sk)) {
 		struct sock *old_peer = unix_peer(sk);
 		unix_peer(sk) = other;
+		unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
+
 		unix_state_double_unlock(sk, other);
 
 		if (other != old_peer)
@@ -1457,6 +1574,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
 	struct scm_cookie tmp_scm;
 	int max_level;
 	int data_len = 0;
+	int sk_locked;
 
 	if (NULL == siocb->scm)
 		siocb->scm = &tmp_scm;
@@ -1534,12 +1652,14 @@ restart:
 		goto out_free;
 	}
 
+	sk_locked = 0;
 	unix_state_lock(other);
+restart_locked:
 	err = -EPERM;
 	if (!unix_may_send(sk, other))
 		goto out_unlock;
 
-	if (sock_flag(other, SOCK_DEAD)) {
+	if (unlikely(sock_flag(other, SOCK_DEAD))) {
 		/*
 		 *	Check with 1003.1g - what should
 		 *	datagram error
@@ -1547,10 +1667,14 @@ restart:
 		unix_state_unlock(other);
 		sock_put(other);
 
+		if (!sk_locked)
+			unix_state_lock(sk);
+
 		err = 0;
-		unix_state_lock(sk);
 		if (unix_peer(sk) == other) {
 			unix_peer(sk) = NULL;
+			unix_dgram_peer_wake_disconnect_wakeup(sk, other);
+
 			unix_state_unlock(sk);
 
 			unix_dgram_disconnected(sk, other);
@@ -1576,21 +1700,38 @@ restart:
 			goto out_unlock;
 	}
 
-	if (unix_peer(other) != sk && unix_recvq_full(other)) {
-		if (!timeo) {
-			err = -EAGAIN;
-			goto out_unlock;
+	if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+		if (timeo) {
+			timeo = unix_wait_for_peer(other, timeo);
+
+			err = sock_intr_errno(timeo);
+			if (signal_pending(current))
+				goto out_free;
+
+			goto restart;
 		}
 
-		timeo = unix_wait_for_peer(other, timeo);
+		if (!sk_locked) {
+			unix_state_unlock(other);
+			unix_state_double_lock(sk, other);
+		}
 
-		err = sock_intr_errno(timeo);
-		if (signal_pending(current))
-			goto out_free;
+		if (unix_peer(sk) != other ||
+		    unix_dgram_peer_wake_me(sk, other)) {
+			err = -EAGAIN;
+			sk_locked = 1;
+			goto out_unlock;
+		}
 
-		goto restart;
+		if (!sk_locked) {
+			sk_locked = 1;
+			goto restart_locked;
+		}
 	}
 
+	if (unlikely(sk_locked))
+		unix_state_unlock(sk);
+
 	if (sock_flag(other, SOCK_RCVTSTAMP))
 		__net_timestamp(skb);
 	maybe_add_creds(skb, sock, other);
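Review bot: sk_locked is set in two separate places after
unix_state_double_lock() (once before "goto out_unlock", once before
"goto restart_locked"), and the unlock of sk is split between the
fall-through path here and out_unlock. The flow appears balanced, but it
is hard to verify by reading. A comment above the block describing the
three outcomes (sleep and restart, -EAGAIN with both locks held, recheck
under both locks via restart_locked) would make it reviewable.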
@@ -1604,6 +1745,8 @@ restart:
 	return len;
 
 out_unlock:
+	if (sk_locked)
+		unix_state_unlock(sk);
 	unix_state_unlock(other);
 out_free:
 	kfree_skb(skb);
@@ -2261,14 +2404,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock,
 		return mask;
 
 	writable = unix_writable(sk);
-	other = unix_peer_get(sk);
-	if (other) {
-		if (unix_peer(other) != sk) {
-			sock_poll_wait(file, &unix_sk(other)->peer_wait, wait);
-			if (unix_recvq_full(other))
-				writable = 0;
-		}
-		sock_put(other);
+	if (writable) {
+		unix_state_lock(sk);
+
+		other = unix_peer(sk);
+		if (other && unix_peer(other) != sk &&
+		    unix_recvq_full(other) &&
+		    unix_dgram_peer_wake_me(sk, other))
+			writable = 0;
+
+		unix_state_unlock(sk);
 	}
 
 	if (writable)
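Review bot: unix_dgram_peer_wake_me() is the last operand of the && chain in unix_dgram_poll, so it only runs when the peer exists, is not connected back, and has a full queue. The removed sock_poll_wait() on the peer's peer_wait is not replaced by any other registration in this hunk, so the wakeup of a blocked poller now appears to depend entirely on that call, and reordering the condition would change behaviour. A comment saying the call must stay last would help. Note also that other is now used without the reference unix_peer_get() used to take, which is valid only inside the unix_state_lock(sk) section shown here.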
-- 
1.9.1



* [PATCH 3.13.y-ckt 77/78] broadcom: fix PHY_ID_BCM5481 entry in the id table
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (75 preceding siblings ...)
  2015-12-17  0:40 ` [PATCH 3.13.y-ckt 76/78] unix: avoid use-after-free in ep_remove_wait_queue Kamal Mostafa
@ 2015-12-17  0:40 ` Kamal Mostafa
  2015-12-17  0:40 ` [PATCH 3.13.y-ckt 78/78] net/neighbour: fix crash at dumping device-agnostic proxy entries Kamal Mostafa
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:40 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Aaro Koskinen, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@iki.fi>

commit 3c25a860d17b7378822f35d8c9141db9507e3beb upstream.

Commit fcb26ec5b18d ("broadcom: move all PHY_ID's to header")
updated broadcom_tbl to use PHY_IDs, but incorrectly replaced 0x0143bca0
with PHY_ID_BCM5482 (making a duplicate entry, and completely omitting
the original). Fix that.

Fixes: fcb26ec5b18d ("broadcom: move all PHY_ID's to header")
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/phy/broadcom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/phy/broadcom.c b/drivers/net/phy/broadcom.c
index f8c90ea..7a1ff57 100644
--- a/drivers/net/phy/broadcom.c
+++ b/drivers/net/phy/broadcom.c
@@ -848,7 +848,7 @@ static struct mdio_device_id __maybe_unused broadcom_tbl[] = {
 	{ PHY_ID_BCM5421, 0xfffffff0 },
 	{ PHY_ID_BCM5461, 0xfffffff0 },
 	{ PHY_ID_BCM5464, 0xfffffff0 },
-	{ PHY_ID_BCM5482, 0xfffffff0 },
+	{ PHY_ID_BCM5481, 0xfffffff0 },
 	{ PHY_ID_BCM5482, 0xfffffff0 },
 	{ PHY_ID_BCM50610, 0xfffffff0 },
 	{ PHY_ID_BCM50610M, 0xfffffff0 },
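Review bot: the commit message identifies the lost entry by value (0x0143bca0), but the hunk restores it by name, so the fix is only right if PHY_ID_BCM5481 is defined as that value in this tree. Worth confirming against the 3.13.y header that defines the PHY_ID constants before applying, since the table change itself gives no way to check it.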
-- 
1.9.1



* [PATCH 3.13.y-ckt 78/78] net/neighbour: fix crash at dumping device-agnostic proxy entries
  2015-12-17  0:38 [3.13.y-ckt stable] Linux 3.13.11-ckt32 stable review Kamal Mostafa
                   ` (76 preceding siblings ...)
  2015-12-17  0:40 ` [PATCH 3.13.y-ckt 77/78] broadcom: fix PHY_ID_BCM5481 entry in the id table Kamal Mostafa
@ 2015-12-17  0:40 ` Kamal Mostafa
  77 siblings, 0 replies; 84+ messages in thread
From: Kamal Mostafa @ 2015-12-17  0:40 UTC (permalink / raw)
  To: linux-kernel, stable, kernel-team
  Cc: Konstantin Khlebnikov, David S. Miller, Kamal Mostafa

3.13.11-ckt32 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <koct9i@gmail.com>

commit 6adc5fd6a142c6e2c80574c1db0c7c17dedaa42e upstream.

Proxy entries could have null pointer to net-device.

Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
Fixes: 84920c1420e2 ("net: Allow ipv6 proxies and arp proxies be shown with iproute2")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 net/core/neighbour.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 35962f1..9ea0671 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2211,7 +2211,7 @@ static int pneigh_fill_info(struct sk_buff *skb, struct pneigh_entry *pn,
 	ndm->ndm_pad2    = 0;
 	ndm->ndm_flags	 = pn->flags | NTF_PROXY;
 	ndm->ndm_type	 = NDA_DST;
-	ndm->ndm_ifindex = pn->dev->ifindex;
+	ndm->ndm_ifindex = pn->dev ? pn->dev->ifindex : 0;
 	ndm->ndm_state	 = NUD_NONE;
 
 	if (nla_put(skb, NDA_DST, tbl->key_len, pn->key))
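Review bot: with pn->dev NULL, pneigh_fill_info now reports ndm_ifindex as 0, which is what userspace will see for device-agnostic proxy entries. The commit message only says the pointer can be NULL; a brief comment or changelog line stating that 0 means no device would document the netlink-visible result.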
@@ -2285,7 +2285,7 @@ static int pneigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
 		if (h > s_h)
 			s_idx = 0;
 		for (n = tbl->phash_buckets[h], idx = 0; n; n = n->next) {
-			if (dev_net(n->dev) != net)
+			if (pneigh_net(n) != net)
 				continue;
 			if (idx < s_idx)
 				goto next;
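Review bot: pneigh_net() is called here but not added by this patch, and the diffstat touches only net/core/neighbour.c. For the backport, confirm the helper is available in 3.13.y and that it does not itself go through n->dev, otherwise the NULL dereference removed from dev_net(n->dev) would simply move.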
-- 
1.9.1

