* [PATCH 4.4 00/23] 4.4.296-rc1 review @ 2021-12-20 14:34 Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 01/23] nfc: fix segfault in nfc_genl_dump_devices_done Greg Kroah-Hartman ` (27 more replies) 0 siblings, 28 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli, stable This is the start of the stable review cycle for the 4.4.296 release. There are 23 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.296-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Linux 4.4.296-rc1 Juergen Gross <jgross@suse.com> xen/netback: don't queue unlimited number of packages Juergen Gross <jgross@suse.com> xen/console: harden hvc_xen against event channel storms Juergen Gross <jgross@suse.com> xen/netfront: harden netfront against event channel storms Juergen Gross <jgross@suse.com> xen/blkfront: harden blkfront against event channel storms Nathan Chancellor <nathan@kernel.org> Input: touchscreen - avoid bitwise vs logical OR warning Nicolas Pitre <nicolas.pitre@linaro.org> ARM: 8805/2: remove unneeded naked function usage Nathan Chancellor <natechancellor@gmail.com> net: lan78xx: Avoid unnecessary self assignment Florian Fainelli <f.fainelli@gmail.com> net: systemport: Add global locking for descriptor lifecycle Yu Liao <liaoyu15@huawei.com> timekeeping: Really make sure wall_to_monotonic isn't positive Daniele Palmas <dnlplm@gmail.com> USB: serial: option: add Telit FN990 compositions Thomas Gleixner <tglx@linutronix.de> PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman <gregkh@linuxfoundation.org> USB: gadget: bRequestType is a bitfield, not a enum Letu Ren <fantasquex@gmail.com> igbvf: fix double free in `igbvf_probe` Nathan Chancellor <nathan@kernel.org> soc/tegra: fuse: Fix bitwise vs. logical OR warning J. Bruce Fields <bfields@redhat.com> nfsd: fix use-after-free due to delegation race Joe Thornber <ejt@redhat.com> dm btree remove: fix use after free in rebalance_children() Jerome Marchand <jmarchan@redhat.com> recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Felix Fietkau <nbd@nbd.name> mac80211: send ADDBA requests using the tid/queue of the aggregation session Armin Wolf <W_Armin@gmx.de> hwmon: (dell-smm) Fix warning on /proc/i8k creation error Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> net: netlink: af_netlink: Prevent empty skb by adding a check on len. Ondrej Jirman <megous@megous.com> i2c: rk3x: Handle a spurious start completion interrupt flag Helge Deller <deller@gmx.de> parisc/agp: Annotate parisc agp init functions with __init Tadeusz Struk <tadeusz.struk@linaro.org> nfc: fix segfault in nfc_genl_dump_devices_done ------------- Diffstat: Makefile | 4 +- arch/arm/mm/copypage-fa.c | 35 ++++---- arch/arm/mm/copypage-feroceon.c | 98 ++++++++++----------- arch/arm/mm/copypage-v4mc.c | 19 ++-- arch/arm/mm/copypage-v4wb.c | 41 +++++---- arch/arm/mm/copypage-v4wt.c | 37 ++++---- arch/arm/mm/copypage-xsc3.c | 71 +++++++-------- arch/arm/mm/copypage-xscale.c | 71 ++++++++------- drivers/block/xen-blkfront.c | 12 ++- drivers/char/agp/parisc-agp.c | 6 +- drivers/hwmon/dell-smm-hwmon.c | 7 +- drivers/i2c/busses/i2c-rk3x.c | 4 +- drivers/input/touchscreen/of_touchscreen.c | 18 ++-- drivers/md/persistent-data/dm-btree-remove.c | 2 +- drivers/net/ethernet/broadcom/bcmsysport.c | 5 ++ drivers/net/ethernet/broadcom/bcmsysport.h | 1 + drivers/net/ethernet/intel/igbvf/netdev.c | 1 + drivers/net/usb/lan78xx.c | 6 +- drivers/net/xen-netback/netback.c | 13 ++- drivers/net/xen-netfront.c | 125 ++++++++++++++++++++------- drivers/pci/msi.c | 2 +- drivers/soc/tegra/fuse/fuse-tegra.c | 2 +- drivers/soc/tegra/fuse/fuse.h | 2 +- drivers/tty/hvc/hvc_xen.c | 30 ++++++- drivers/usb/gadget/composite.c | 6 +- drivers/usb/gadget/legacy/dbgp.c | 6 +- drivers/usb/gadget/legacy/inode.c | 6 +- drivers/usb/serial/option.c | 8 ++ fs/nfsd/nfs4state.c | 9 +- kernel/time/timekeeping.c | 3 +- net/mac80211/agg-tx.c | 2 +- net/netlink/af_netlink.c | 5 ++ net/nfc/netlink.c | 6 +- scripts/recordmcount.pl | 2 +- 34 files changed, 388 insertions(+), 277 deletions(-) ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 01/23] nfc: fix segfault in nfc_genl_dump_devices_done 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 02/23] parisc/agp: Annotate parisc agp init functions with __init Greg Kroah-Hartman ` (26 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, syzbot+f9f76f4a0766420b4a02, Tadeusz Struk, Krzysztof Kozlowski, Jakub Kicinski From: Tadeusz Struk <tadeusz.struk@linaro.org> commit fd79a0cbf0b2e34bcc45b13acf962e2032a82203 upstream. When kmalloc in nfc_genl_dump_devices() fails then nfc_genl_dump_devices_done() segfaults as below KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:klist_iter_exit+0x26/0x80 Call Trace: <TASK> class_dev_iter_exit+0x15/0x20 nfc_genl_dump_devices_done+0x3b/0x50 genl_lock_done+0x84/0xd0 netlink_sock_destruct+0x8f/0x270 __sk_destruct+0x64/0x3b0 sk_destruct+0xa8/0xd0 __sk_free+0x2e8/0x3d0 sk_free+0x51/0x90 netlink_sock_destruct_work+0x1c/0x20 process_one_work+0x411/0x710 worker_thread+0x6fd/0xa80 Link: https://syzkaller.appspot.com/bug?id=fc0fa5a53db9edd261d56e74325419faf18bd0df Reported-by: syzbot+f9f76f4a0766420b4a02@syzkaller.appspotmail.com Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Link: https://lore.kernel.org/r/20211208182742.340542-1-tadeusz.struk@linaro.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- net/nfc/netlink.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/net/nfc/netlink.c +++ b/net/nfc/netlink.c @@ -632,8 +632,10 @@ static int nfc_genl_dump_devices_done(st { struct class_dev_iter *iter = (struct class_dev_iter *) cb->args[0]; - nfc_device_iter_exit(iter); - kfree(iter); + if (iter) { + nfc_device_iter_exit(iter); + kfree(iter); + } return 0; } ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 02/23] parisc/agp: Annotate parisc agp init functions with __init 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 01/23] nfc: fix segfault in nfc_genl_dump_devices_done Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 03/23] i2c: rk3x: Handle a spurious start completion interrupt flag Greg Kroah-Hartman ` (25 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Helge Deller, kernel test robot, Sasha Levin From: Helge Deller <deller@gmx.de> [ Upstream commit 8d88382b7436551a9ebb78475c546b670790cbf6 ] Signed-off-by: Helge Deller <deller@gmx.de> Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/char/agp/parisc-agp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/char/agp/parisc-agp.c b/drivers/char/agp/parisc-agp.c index 15f2e7025b78e..1d5510cb6db4e 100644 --- a/drivers/char/agp/parisc-agp.c +++ b/drivers/char/agp/parisc-agp.c @@ -285,7 +285,7 @@ agp_ioc_init(void __iomem *ioc_regs) return 0; } -static int +static int __init lba_find_capability(int cap) { struct _parisc_agp_info *info = &parisc_agp_info; @@ -370,7 +370,7 @@ parisc_agp_setup(void __iomem *ioc_hpa, void __iomem *lba_hpa) return error; } -static int +static int __init find_quicksilver(struct device *dev, void *data) { struct parisc_device **lba = data; @@ -382,7 +382,7 @@ find_quicksilver(struct device *dev, void *data) return 0; } -static int +static int __init parisc_agp_init(void) { extern struct sba_device *sba_list; -- 2.33.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 4.4 03/23] i2c: rk3x: Handle a spurious start completion interrupt flag 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 01/23] nfc: fix segfault in nfc_genl_dump_devices_done Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 02/23] parisc/agp: Annotate parisc agp init functions with __init Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 04/23] net: netlink: af_netlink: Prevent empty skb by adding a check on len Greg Kroah-Hartman ` (24 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Ondrej Jirman, John Keeping, Wolfram Sang, Sasha Levin From: Ondrej Jirman <megous@megous.com> [ Upstream commit 02fe0fbd8a21e183687925c3a266ae27dda9840f ] In a typical read transfer, start completion flag is being set after read finishes (notice ipd bit 4 being set): trasnfer poll=0 i2c start rk3x-i2c fdd40000.i2c: IRQ: state 1, ipd: 10 i2c read rk3x-i2c fdd40000.i2c: IRQ: state 2, ipd: 1b i2c stop rk3x-i2c fdd40000.i2c: IRQ: state 4, ipd: 33 This causes I2C transfer being aborted in polled mode from a stop completion handler: trasnfer poll=1 i2c start rk3x-i2c fdd40000.i2c: IRQ: state 1, ipd: 10 i2c read rk3x-i2c fdd40000.i2c: IRQ: state 2, ipd: 0 rk3x-i2c fdd40000.i2c: IRQ: state 2, ipd: 1b i2c stop rk3x-i2c fdd40000.i2c: IRQ: state 4, ipd: 13 i2c stop rk3x-i2c fdd40000.i2c: unexpected irq in STOP: 0x10 Clearing the START flag after read fixes the issue without any obvious side effects. This issue was dicovered on RK3566 when adding support for powering off the RK817 PMIC. Signed-off-by: Ondrej Jirman <megous@megous.com> Reviewed-by: John Keeping <john@metanate.com> Signed-off-by: Wolfram Sang <wsa@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/i2c/busses/i2c-rk3x.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c index 9096d17beb5bb..587f1a5a10243 100644 --- a/drivers/i2c/busses/i2c-rk3x.c +++ b/drivers/i2c/busses/i2c-rk3x.c @@ -325,8 +325,8 @@ static void rk3x_i2c_handle_read(struct rk3x_i2c *i2c, unsigned int ipd) if (!(ipd & REG_INT_MBRF)) return; - /* ack interrupt */ - i2c_writel(i2c, REG_INT_MBRF, REG_IPD); + /* ack interrupt (read also produces a spurious START flag, clear it too) */ + i2c_writel(i2c, REG_INT_MBRF | REG_INT_START, REG_IPD); /* Can only handle a maximum of 32 bytes at a time */ if (len > 32) -- 2.33.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 4.4 04/23] net: netlink: af_netlink: Prevent empty skb by adding a check on len. 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (2 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 03/23] i2c: rk3x: Handle a spurious start completion interrupt flag Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 05/23] hwmon: (dell-smm) Fix warning on /proc/i8k creation error Greg Kroah-Hartman ` (23 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, syzkaller, Harshit Mogalapalli, Jakub Kicinski, Sasha Levin From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> [ Upstream commit f123cffdd8fe8ea6c7fded4b88516a42798797d0 ] Adding a check on len parameter to avoid empty skb. This prevents a division error in netem_enqueue function which is caused when skb->len=0 and skb->data_len=0 in the randomized corruption step as shown below. skb->data[prandom_u32() % skb_headlen(skb)] ^= 1<<(prandom_u32() % 8); Crash Report: [ 343.170349] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 343.216110] netem: version 1.3 [ 343.235841] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 343.236680] CPU: 3 PID: 4288 Comm: reproducer Not tainted 5.16.0-rc1+ [ 343.237569] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 [ 343.238707] RIP: 0010:netem_enqueue+0x1590/0x33c0 [sch_netem] [ 343.239499] Code: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff ff 8b 8d 50 ff ff ff 8b 85 58 ff ff ff 48 8b bd 70 ff ff ff 31 d2 2b 4f 74 <f7> f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03 [ 343.241883] RSP: 0018:ffff88800bcd7368 EFLAGS: 00010246 [ 343.242589] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX: 0000000000000000 [ 343.243542] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI: ffff88800f8eda40 [ 343.244474] RBP: ffff88800bcd7458 R08: 0000000000000000 R09: ffffffff94fb8445 [ 343.245403] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12: 0000000000000000 [ 343.246355] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15: 0000000000000020 [ 343.247291] FS: 00007fdde2bd7700(0000) GS:ffff888109780000(0000) knlGS:0000000000000000 [ 343.248350] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 343.249120] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4: 00000000000006e0 [ 343.250076] Call Trace: [ 343.250423] <TASK> [ 343.250713] ? memcpy+0x4d/0x60 [ 343.251162] ? netem_init+0xa0/0xa0 [sch_netem] [ 343.251795] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.252443] netem_enqueue+0xe28/0x33c0 [sch_netem] [ 343.253102] ? stack_trace_save+0x87/0xb0 [ 343.253655] ? filter_irq_stacks+0xb0/0xb0 [ 343.254220] ? netem_init+0xa0/0xa0 [sch_netem] [ 343.254837] ? __kasan_check_write+0x14/0x20 [ 343.255418] ? _raw_spin_lock+0x88/0xd6 [ 343.255953] dev_qdisc_enqueue+0x50/0x180 [ 343.256508] __dev_queue_xmit+0x1a7e/0x3090 [ 343.257083] ? netdev_core_pick_tx+0x300/0x300 [ 343.257690] ? check_kcov_mode+0x10/0x40 [ 343.258219] ? _raw_spin_unlock_irqrestore+0x29/0x40 [ 343.258899] ? __kasan_init_slab_obj+0x24/0x30 [ 343.259529] ? setup_object.isra.71+0x23/0x90 [ 343.260121] ? new_slab+0x26e/0x4b0 [ 343.260609] ? kasan_poison+0x3a/0x50 [ 343.261118] ? kasan_unpoison+0x28/0x50 [ 343.261637] ? __kasan_slab_alloc+0x71/0x90 [ 343.262214] ? memcpy+0x4d/0x60 [ 343.262674] ? write_comp_data+0x2f/0x90 [ 343.263209] ? __kasan_check_write+0x14/0x20 [ 343.263802] ? __skb_clone+0x5d6/0x840 [ 343.264329] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.264958] dev_queue_xmit+0x1c/0x20 [ 343.265470] netlink_deliver_tap+0x652/0x9c0 [ 343.266067] netlink_unicast+0x5a0/0x7f0 [ 343.266608] ? netlink_attachskb+0x860/0x860 [ 343.267183] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.267820] ? write_comp_data+0x2f/0x90 [ 343.268367] netlink_sendmsg+0x922/0xe80 [ 343.268899] ? netlink_unicast+0x7f0/0x7f0 [ 343.269472] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.270099] ? write_comp_data+0x2f/0x90 [ 343.270644] ? netlink_unicast+0x7f0/0x7f0 [ 343.271210] sock_sendmsg+0x155/0x190 [ 343.271721] ____sys_sendmsg+0x75f/0x8f0 [ 343.272262] ? kernel_sendmsg+0x60/0x60 [ 343.272788] ? write_comp_data+0x2f/0x90 [ 343.273332] ? write_comp_data+0x2f/0x90 [ 343.273869] ___sys_sendmsg+0x10f/0x190 [ 343.274405] ? sendmsg_copy_msghdr+0x80/0x80 [ 343.274984] ? slab_post_alloc_hook+0x70/0x230 [ 343.275597] ? futex_wait_setup+0x240/0x240 [ 343.276175] ? security_file_alloc+0x3e/0x170 [ 343.276779] ? write_comp_data+0x2f/0x90 [ 343.277313] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.277969] ? write_comp_data+0x2f/0x90 [ 343.278515] ? __fget_files+0x1ad/0x260 [ 343.279048] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.279685] ? write_comp_data+0x2f/0x90 [ 343.280234] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.280874] ? sockfd_lookup_light+0xd1/0x190 [ 343.281481] __sys_sendmsg+0x118/0x200 [ 343.281998] ? __sys_sendmsg_sock+0x40/0x40 [ 343.282578] ? alloc_fd+0x229/0x5e0 [ 343.283070] ? write_comp_data+0x2f/0x90 [ 343.283610] ? write_comp_data+0x2f/0x90 [ 343.284135] ? __sanitizer_cov_trace_pc+0x21/0x60 [ 343.284776] ? ktime_get_coarse_real_ts64+0xb8/0xf0 [ 343.285450] __x64_sys_sendmsg+0x7d/0xc0 [ 343.285981] ? syscall_enter_from_user_mode+0x4d/0x70 [ 343.286664] do_syscall_64+0x3a/0x80 [ 343.287158] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 343.287850] RIP: 0033:0x7fdde24cf289 [ 343.288344] Code: 01 00 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 db 2c 00 f7 d8 64 89 01 48 [ 343.290729] RSP: 002b:00007fdde2bd6d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 343.291730] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdde24cf289 [ 343.292673] RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000004 [ 343.293618] RBP: 00007fdde2bd6e20 R08: 0000000100000001 R09: 0000000000000000 [ 343.294557] R10: 0000000100000001 R11: 0000000000000246 R12: 0000000000000000 [ 343.295493] R13: 0000000000021000 R14: 0000000000000000 R15: 00007fdde2bd7700 [ 343.296432] </TASK> [ 343.296735] Modules linked in: sch_netem ip6_vti ip_vti ip_gre ipip sit ip_tunnel geneve macsec macvtap tap ipvlan macvlan 8021q garp mrp hsr wireguard libchacha20poly1305 chacha_x86_64 poly1305_x86_64 ip6_udp_tunnel udp_tunnel libblake2s blake2s_x86_64 libblake2s_generic curve25519_x86_64 libcurve25519_generic libchacha xfrm_interface xfrm6_tunnel tunnel4 veth netdevsim psample batman_adv nlmon dummy team bonding tls vcan ip6_gre ip6_tunnel tunnel6 gre tun ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_security iptable_raw ebtable_filter ebtables rfkill ip6table_filter ip6_tables iptable_filter ppdev bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec parport_pc drm joydev floppy parport sg syscopyarea sysfillrect sysimgblt i2c_piix4 qemu_fw_cfg fb_sys_fops pcspkr [ 343.297459] ip_tables xfs virtio_net net_failover failover sd_mod sr_mod cdrom t10_pi ata_generic pata_acpi ata_piix libata virtio_pci virtio_pci_legacy_dev serio_raw virtio_pci_modern_dev dm_mirror dm_region_hash dm_log dm_mod [ 343.311074] Dumping ftrace buffer: [ 343.311532] (ftrace buffer empty) [ 343.312040] ---[ end trace a2e3db5a6ae05099 ]--- [ 343.312691] RIP: 0010:netem_enqueue+0x1590/0x33c0 [sch_netem] [ 343.313481] Code: 89 85 58 ff ff ff e8 5f 5d e9 d3 48 8b b5 48 ff ff ff 8b 8d 50 ff ff ff 8b 85 58 ff ff ff 48 8b bd 70 ff ff ff 31 d2 2b 4f 74 <f7> f1 48 b8 00 00 00 00 00 fc ff df 49 01 d5 4c 89 e9 48 c1 e9 03 [ 343.315893] RSP: 0018:ffff88800bcd7368 EFLAGS: 00010246 [ 343.316622] RAX: 00000000ba7c0a9c RBX: 0000000000000001 RCX: 0000000000000000 [ 343.317585] RDX: 0000000000000000 RSI: ffff88800f8edb10 RDI: ffff88800f8eda40 [ 343.318549] RBP: ffff88800bcd7458 R08: 0000000000000000 R09: ffffffff94fb8445 [ 343.319503] R10: ffffffff94fb8336 R11: ffffffff94fb8445 R12: 0000000000000000 [ 343.320455] R13: ffff88800a5a7000 R14: ffff88800a5b5800 R15: 0000000000000020 [ 343.321414] FS: 00007fdde2bd7700(0000) GS:ffff888109780000(0000) knlGS:0000000000000000 [ 343.322489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 343.323283] CR2: 00000000200000c0 CR3: 000000000ef4c000 CR4: 00000000000006e0 [ 343.324264] Kernel panic - not syncing: Fatal exception in interrupt [ 343.333717] Dumping ftrace buffer: [ 343.334175] (ftrace buffer empty) [ 343.334653] Kernel Offset: 0x13600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 343.336027] Rebooting in 86400 seconds.. Reported-by: syzkaller <syzkaller@googlegroups.com> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> Link: https://lore.kernel.org/r/20211129175328.55339-1-harshit.m.mogalapalli@oracle.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- net/netlink/af_netlink.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 65cf129eaad33..2f23b7fef8ef7 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1804,6 +1804,11 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) if (msg->msg_flags&MSG_OOB) return -EOPNOTSUPP; + if (len == 0) { + pr_warn_once("Zero length message leads to an empty skb\n"); + return -ENODATA; + } + err = scm_send(sock, msg, &scm, true); if (err < 0) return err; -- 2.33.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 4.4 05/23] hwmon: (dell-smm) Fix warning on /proc/i8k creation error 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (3 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 04/23] net: netlink: af_netlink: Prevent empty skb by adding a check on len Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 06/23] mac80211: send ADDBA requests using the tid/queue of the aggregation session Greg Kroah-Hartman ` (22 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Armin Wolf, Pali Rohár, Guenter Roeck From: Armin Wolf <W_Armin@gmx.de> commit dbd3e6eaf3d813939b28e8a66e29d81cdc836445 upstream. The removal function is called regardless of whether /proc/i8k was created successfully or not, the later causing a WARN() on module removal. Fix that by only registering the removal function if /proc/i8k was created successfully. Tested on a Inspiron 3505. Fixes: 039ae58503f3 ("hwmon: Allow to compile dell-smm-hwmon driver without /proc/i8k") Signed-off-by: Armin Wolf <W_Armin@gmx.de> Acked-by: Pali Rohár <pali@kernel.org> Link: https://lore.kernel.org/r/20211112171440.59006-1-W_Armin@gmx.de Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/hwmon/dell-smm-hwmon.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/hwmon/dell-smm-hwmon.c +++ b/drivers/hwmon/dell-smm-hwmon.c @@ -551,15 +551,18 @@ static const struct file_operations i8k_ .unlocked_ioctl = i8k_ioctl, }; +static struct proc_dir_entry *entry; + static void __init i8k_init_procfs(void) { /* Register the proc entry */ - proc_create("i8k", 0, NULL, &i8k_fops); + entry = proc_create("i8k", 0, NULL, &i8k_fops); } static void __exit i8k_exit_procfs(void) { - remove_proc_entry("i8k", NULL); + if (entry) + remove_proc_entry("i8k", NULL); } #else ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 06/23] mac80211: send ADDBA requests using the tid/queue of the aggregation session 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (4 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 05/23] hwmon: (dell-smm) Fix warning on /proc/i8k creation error Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 07/23] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Greg Kroah-Hartman ` (21 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Johannes Berg From: Felix Fietkau <nbd@nbd.name> commit 1fe98f5690c4219d419ea9cc190f94b3401cf324 upstream. Sending them out on a different queue can cause a race condition where a number of packets in the queue may be discarded by the receiver, because the ADDBA request is sent too early. This affects any driver with software A-MPDU setup which does not allocate packet seqno in hardware on tx, regardless of whether iTXQ is used or not. The only driver I've seen that explicitly deals with this issue internally is mwl8k. Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau <nbd@nbd.name> Link: https://lore.kernel.org/r/20211202124533.80388-1-nbd@nbd.name Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- net/mac80211/agg-tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c @@ -109,7 +109,7 @@ static void ieee80211_send_addba_request mgmt->u.action.u.addba_req.start_seq_num = cpu_to_le16(start_seq_num << 4); - ieee80211_tx_skb(sdata, skb); + ieee80211_tx_skb_tid(sdata, skb, tid); } void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn) ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 07/23] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (5 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 06/23] mac80211: send ADDBA requests using the tid/queue of the aggregation session Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 08/23] dm btree remove: fix use after free in rebalance_children() Greg Kroah-Hartman ` (20 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Jerome Marchand, Miroslav Benes, Steven Rostedt (VMware), Heiko Carstens From: Jerome Marchand <jmarchan@redhat.com> commit 85bf17b28f97ca2749968d8786dc423db320d9c2 upstream. On s390, recordmcount.pl is looking for "bcrl 0,<xxx>" instructions in the objdump -d outpout. However since binutils 2.37, objdump -d display "jgnop <xxx>" for the same instruction. Update the mcount_regex so that it accepts both. Signed-off-by: Jerome Marchand <jmarchan@redhat.com> Reviewed-by: Miroslav Benes <mbenes@suse.cz> Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20211210093827.1623286-1-jmarchan@redhat.com Signed-off-by: Heiko Carstens <hca@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- scripts/recordmcount.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/scripts/recordmcount.pl +++ b/scripts/recordmcount.pl @@ -248,7 +248,7 @@ if ($arch eq "x86_64") { } elsif ($arch eq "s390" && $bits == 64) { if ($cc =~ /-DCC_USING_HOTPATCH/) { - $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*brcl\\s*0,[0-9a-f]+ <([^\+]*)>\$"; + $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*(bcrl\\s*0,|jgnop\\s*)[0-9a-f]+ <([^\+]*)>\$"; $mcount_adjust = 0; } else { $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*R_390_(PC|PLT)32DBL\\s+_mcount\\+0x2\$"; ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 08/23] dm btree remove: fix use after free in rebalance_children() 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (6 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 07/23] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 09/23] nfsd: fix use-after-free due to delegation race Greg Kroah-Hartman ` (19 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joe Thornber, Mike Snitzer From: Joe Thornber <ejt@redhat.com> commit 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da upstream. Move dm_tm_unlock() after dm_tm_dec(). Cc: stable@vger.kernel.org Signed-off-by: Joe Thornber <ejt@redhat.com> Signed-off-by: Mike Snitzer <snitzer@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/md/persistent-data/dm-btree-remove.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/md/persistent-data/dm-btree-remove.c +++ b/drivers/md/persistent-data/dm-btree-remove.c @@ -423,9 +423,9 @@ static int rebalance_children(struct sha memcpy(n, dm_block_data(child), dm_bm_block_size(dm_tm_get_bm(info->tm))); - dm_tm_unlock(info->tm, child); dm_tm_dec(info->tm, dm_block_location(child)); + dm_tm_unlock(info->tm, child); return 0; } ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 09/23] nfsd: fix use-after-free due to delegation race 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (7 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 08/23] dm btree remove: fix use after free in rebalance_children() Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 10/23] soc/tegra: fuse: Fix bitwise vs. logical OR warning Greg Kroah-Hartman ` (18 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, J. Bruce Fields, Salvatore Bonaccorso From: J. Bruce Fields <bfields@redhat.com> commit 548ec0805c399c65ed66c6641be467f717833ab5 upstream. A delegation break could arrive as soon as we've called vfs_setlease. A delegation break runs a callback which immediately (in nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we then exit nfs4_set_delegation without hashing the delegation, it will be freed as soon as the callback is done with it, without ever being removed from del_recall_lru. Symptoms show up later as use-after-free or list corruption warnings, usually in the laundromat thread. I suspect aba2072f4523 "nfsd: grant read delegations to clients holding writes" made this bug easier to hit, but I looked as far back as v3.0 and it looks to me it already had the same problem. So I'm not sure where the bug was introduced; it may have been there from the beginning. Cc: stable@vger.kernel.org Signed-off-by: J. Bruce Fields <bfields@redhat.com> [Salvatore Bonaccorso: Backport for context changes to versions which do not have 20b7d86f29d3 ("nfsd: use boottime for lease expiry calculation")] Signed-off-by: Salvatore Bonaccorso <carnil@debian.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- fs/nfsd/nfs4state.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -844,6 +844,11 @@ hash_delegation_locked(struct nfs4_deleg return 0; } +static bool delegation_hashed(struct nfs4_delegation *dp) +{ + return !(list_empty(&dp->dl_perfile)); +} + static bool unhash_delegation_locked(struct nfs4_delegation *dp) { @@ -851,7 +856,7 @@ unhash_delegation_locked(struct nfs4_del lockdep_assert_held(&state_lock); - if (list_empty(&dp->dl_perfile)) + if (!delegation_hashed(dp)) return false; dp->dl_stid.sc_type = NFS4_CLOSED_DELEG_STID; @@ -3656,7 +3661,7 @@ static void nfsd4_cb_recall_prepare(stru * queued for a lease break. Don't queue it again. */ spin_lock(&state_lock); - if (dp->dl_time == 0) { + if (delegation_hashed(dp) && dp->dl_time == 0) { dp->dl_time = get_seconds(); list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru); } ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 10/23] soc/tegra: fuse: Fix bitwise vs. logical OR warning 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (8 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 09/23] nfsd: fix use-after-free due to delegation race Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 11/23] igbvf: fix double free in `igbvf_probe` Greg Kroah-Hartman ` (17 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Michał Mirosław, Nathan Chancellor, Nick Desaulniers, Thierry Reding, Sasha Levin From: Nathan Chancellor <nathan@kernel.org> [ Upstream commit a7083763619f7485ccdade160deb81737cf2732f ] A new warning in clang points out two instances where boolean expressions are being used with a bitwise OR instead of logical OR: drivers/soc/tegra/fuse/speedo-tegra20.c:72:9: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] reg = tegra_fuse_read_spare(i) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ || drivers/soc/tegra/fuse/speedo-tegra20.c:72:9: note: cast one or both operands to int to silence this warning drivers/soc/tegra/fuse/speedo-tegra20.c:87:9: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] reg = tegra_fuse_read_spare(i) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ || drivers/soc/tegra/fuse/speedo-tegra20.c:87:9: note: cast one or both operands to int to silence this warning 2 warnings generated. The motivation for the warning is that logical operations short circuit while bitwise operations do not. In this instance, tegra_fuse_read_spare() is not semantically returning a boolean, it is returning a bit value. Use u32 for its return type so that it can be used with either bitwise or boolean operators without any warnings. Fixes: 25cd5a391478 ("ARM: tegra: Add speedo-based process identification") Link: https://github.com/ClangBuiltLinux/linux/issues/1488 Suggested-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: Nathan Chancellor <nathan@kernel.org> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Thierry Reding <treding@nvidia.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/soc/tegra/fuse/fuse-tegra.c | 2 +- drivers/soc/tegra/fuse/fuse.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c index c4f5e5bbb8dce..9397e8ba26469 100644 --- a/drivers/soc/tegra/fuse/fuse-tegra.c +++ b/drivers/soc/tegra/fuse/fuse-tegra.c @@ -176,7 +176,7 @@ static struct platform_driver tegra_fuse_driver = { }; module_platform_driver(tegra_fuse_driver); -bool __init tegra_fuse_read_spare(unsigned int spare) +u32 __init tegra_fuse_read_spare(unsigned int spare) { unsigned int offset = fuse->soc->info->spare + spare * 4; diff --git a/drivers/soc/tegra/fuse/fuse.h b/drivers/soc/tegra/fuse/fuse.h index 10c2076d5089a..f368bd5373088 100644 --- a/drivers/soc/tegra/fuse/fuse.h +++ b/drivers/soc/tegra/fuse/fuse.h @@ -62,7 +62,7 @@ struct tegra_fuse { void tegra_init_revision(void); void tegra_init_apbmisc(void); -bool __init tegra_fuse_read_spare(unsigned int spare); +u32 __init tegra_fuse_read_spare(unsigned int spare); u32 __init tegra_fuse_read_early(unsigned int offset); #ifdef CONFIG_ARCH_TEGRA_2x_SOC -- 2.33.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 4.4 11/23] igbvf: fix double free in `igbvf_probe` 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (9 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 10/23] soc/tegra: fuse: Fix bitwise vs. logical OR warning Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 12/23] USB: gadget: bRequestType is a bitfield, not a enum Greg Kroah-Hartman ` (16 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Letu Ren, Konrad Jankowski, Tony Nguyen, Sasha Levin From: Letu Ren <fantasquex@gmail.com> [ Upstream commit b6d335a60dc624c0d279333b22c737faa765b028 ] In `igbvf_probe`, if register_netdev() fails, the program will go to label err_hw_init, and then to label err_ioremap. In free_netdev() which is just below label err_ioremap, there is `list_for_each_entry_safe` and `netif_napi_del` which aims to delete all entries in `dev->napi_list`. The program has added an entry `adapter->rx_ring->napi` which is added by `netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has been freed below label err_hw_init. So this a UAF. In terms of how to patch the problem, we can refer to igbvf_remove() and delete the entry before `adapter->rx_ring`. The KASAN logs are as follows: [ 35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450 [ 35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366 [ 35.128360] [ 35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14 [ 35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 35.131749] Call Trace: [ 35.132199] dump_stack_lvl+0x59/0x7b [ 35.132865] print_address_description+0x7c/0x3b0 [ 35.133707] ? free_netdev+0x1fd/0x450 [ 35.134378] __kasan_report+0x160/0x1c0 [ 35.135063] ? free_netdev+0x1fd/0x450 [ 35.135738] kasan_report+0x4b/0x70 [ 35.136367] free_netdev+0x1fd/0x450 [ 35.137006] igbvf_probe+0x121d/0x1a10 [igbvf] [ 35.137808] ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf] [ 35.138751] local_pci_probe+0x13c/0x1f0 [ 35.139461] pci_device_probe+0x37e/0x6c0 [ 35.165526] [ 35.165806] Allocated by task 366: [ 35.166414] ____kasan_kmalloc+0xc4/0xf0 [ 35.167117] foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf] [ 35.168078] igbvf_probe+0x9c5/0x1a10 [igbvf] [ 35.168866] local_pci_probe+0x13c/0x1f0 [ 35.169565] pci_device_probe+0x37e/0x6c0 [ 35.179713] [ 35.179993] Freed by task 366: [ 35.180539] kasan_set_track+0x4c/0x80 [ 35.181211] kasan_set_free_info+0x1f/0x40 [ 35.181942] ____kasan_slab_free+0x103/0x140 [ 35.182703] kfree+0xe3/0x250 [ 35.183239] igbvf_probe+0x1173/0x1a10 [igbvf] [ 35.184040] local_pci_probe+0x13c/0x1f0 Fixes: d4e0fe01a38a0 (igbvf: add new driver to support 82576 virtual functions) Reported-by: Zheyu Ma <zheyuma97@gmail.com> Signed-off-by: Letu Ren <fantasquex@gmail.com> Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/net/ethernet/intel/igbvf/netdev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c index 519b72c418884..ab080118201df 100644 --- a/drivers/net/ethernet/intel/igbvf/netdev.c +++ b/drivers/net/ethernet/intel/igbvf/netdev.c @@ -2793,6 +2793,7 @@ static int igbvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) return 0; err_hw_init: + netif_napi_del(&adapter->rx_ring->napi); kfree(adapter->tx_ring); kfree(adapter->rx_ring); err_sw_init: -- 2.33.0 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 4.4 12/23] USB: gadget: bRequestType is a bitfield, not a enum 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (10 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 11/23] igbvf: fix double free in `igbvf_probe` Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 13/23] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman ` (15 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Szymon Heidrich, Sasha Levin From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ] Szymon rightly pointed out that the previous check for the endpoint direction in bRequestType was not looking at only the bit involved, but rather the whole value. Normally this is ok, but for some request types, bits other than bit 8 could be set and the check for the endpoint length could not stall correctly. Fix that up by only checking the single bit. Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests") Cc: Felipe Balbi <balbi@kernel.org> Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com> Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/usb/gadget/composite.c | 6 +++--- drivers/usb/gadget/legacy/dbgp.c | 6 +++--- drivers/usb/gadget/legacy/inode.c | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index 1f584d15a3ca4..580ba69f1e4a4 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1485,14 +1485,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) u8 endp; if (w_length > USB_COMP_EP0_BUFSIZ) { - if (ctrl->bRequestType == USB_DIR_OUT) { - goto done; - } else { + if (ctrl->bRequestType & USB_DIR_IN) { /* Cast away the const, we are going to overwrite on purpose. */ __le16 *temp = (__le16 *)&ctrl->wLength; *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ); w_length = USB_COMP_EP0_BUFSIZ; + } else { + goto done; } } diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c index f1c5a22704b28..e8818ad973e4b 100644 --- a/drivers/usb/gadget/legacy/dbgp.c +++ b/drivers/usb/gadget/legacy/dbgp.c @@ -345,14 +345,14 @@ static int dbgp_setup(struct usb_gadget *gadget, u16 len = 0; if (length > DBGP_REQ_LEN) { - if (ctrl->bRequestType == USB_DIR_OUT) { - return err; - } else { + if (ctrl->bRequestType & USB_DIR_IN) { /* Cast away the const, we are going to overwrite on purpose. */ __le16 *temp = (__le16 *)&ctrl->wLength; *temp = cpu_to_le16(DBGP_REQ_LEN); length = DBGP_REQ_LEN; + } else { + return err; } } diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c index af0b34763326d..f2b4fdd1f49d5 100644 --- a/drivers/usb/gadget/legacy/inode.c +++ b/drivers/usb/gadget/legacy/inode.c @@ -1335,14 +1335,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) u16 w_length = le16_to_cpu(ctrl->wLength); if (w_length > RBUF_SIZE) { - if (ctrl->bRequestType == USB_DIR_OUT) { - return value; - } else { + if (ctrl->bRequestType & USB_DIR_IN) { /* Cast away the const, we are going to overwrite on purpose. */ __le16 *temp = (__le16 *)&ctrl->wLength; *temp = cpu_to_le16(RBUF_SIZE); w_length = RBUF_SIZE; + } else { + return value; } } -- 2.34.1 ^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 4.4 13/23] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (11 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 12/23] USB: gadget: bRequestType is a bitfield, not a enum Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 14/23] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman ` (14 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Stefan Roese, Thomas Gleixner, linux-pci, Bjorn Helgaas, Michal Simek, Marek Vasut From: Thomas Gleixner <tglx@linutronix.de> commit 94185adbfad56815c2c8401e16d81bdb74a79201 upstream. PCI_MSIX_FLAGS_MASKALL is set in the MSI-X control register at MSI-X interrupt setup time. It's cleared on success, but the error handling path only clears the PCI_MSIX_FLAGS_ENABLE bit. That's incorrect as the reset state of the PCI_MSIX_FLAGS_MASKALL bit is zero. That can be observed via lspci: Capabilities: [b0] MSI-X: Enable- Count=67 Masked+ Clear the bit in the error path to restore the reset state. Fixes: 438553958ba1 ("PCI/MSI: Enable and mask MSI-X early") Reported-by: Stefan Roese <sr@denx.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Stefan Roese <sr@denx.de> Cc: linux-pci@vger.kernel.org Cc: Bjorn Helgaas <bhelgaas@google.com> Cc: Michal Simek <michal.simek@xilinx.com> Cc: Marek Vasut <marex@denx.de> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/87tufevoqx.ffs@tglx Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/pci/msi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/pci/msi.c +++ b/drivers/pci/msi.c @@ -840,7 +840,7 @@ out_free: free_msi_irqs(dev); out_disable: - pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_ENABLE, 0); + pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_MASKALL | PCI_MSIX_FLAGS_ENABLE, 0); return ret; } ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 14/23] USB: serial: option: add Telit FN990 compositions 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (12 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 13/23] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 15/23] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman ` (13 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniele Palmas, Johan Hovold From: Daniele Palmas <dnlplm@gmail.com> commit 2b503c8598d1b232e7fc7526bce9326d92331541 upstream. Add the following Telit FN990 compositions: 0x1070: tty, adb, rmnet, tty, tty, tty, tty 0x1071: tty, adb, mbim, tty, tty, tty, tty 0x1072: rndis, tty, adb, tty, tty, tty, tty 0x1073: tty, adb, ecm, tty, tty, tty, tty Signed-off-by: Daniele Palmas <dnlplm@gmail.com> Link: https://lore.kernel.org/r/20211210100714.22587-1-dnlplm@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/usb/serial/option.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -1195,6 +1195,14 @@ static const struct usb_device_id option .driver_info = NCTRL(2) | RSVD(3) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1063, 0xff), /* Telit LN920 (ECM) */ .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1070, 0xff), /* Telit FN990 (rmnet) */ + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1071, 0xff), /* Telit FN990 (MBIM) */ + .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1072, 0xff), /* Telit FN990 (RNDIS) */ + .driver_info = NCTRL(2) | RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990 (ECM) */ + .driver_info = NCTRL(0) | RSVD(1) }, { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 15/23] timekeeping: Really make sure wall_to_monotonic isnt positive 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (13 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 14/23] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 16/23] net: systemport: Add global locking for descriptor lifecycle Greg Kroah-Hartman ` (12 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yu Liao, Thomas Gleixner From: Yu Liao <liaoyu15@huawei.com> commit 4e8c11b6b3f0b6a283e898344f154641eda94266 upstream. Even after commit e1d7ba873555 ("time: Always make sure wall_to_monotonic isn't positive") it is still possible to make wall_to_monotonic positive by running the following code: int main(void) { struct timespec time; clock_gettime(CLOCK_MONOTONIC, &time); time.tv_nsec = 0; clock_settime(CLOCK_REALTIME, &time); return 0; } The reason is that the second parameter of timespec64_compare(), ts_delta, may be unnormalized because the delta is calculated with an open coded substraction which causes the comparison of tv_sec to yield the wrong result: wall_to_monotonic = { .tv_sec = -10, .tv_nsec = 900000000 } ts_delta = { .tv_sec = -9, .tv_nsec = -900000000 } That makes timespec64_compare() claim that wall_to_monotonic < ts_delta, but actually the result should be wall_to_monotonic > ts_delta. After normalization, the result of timespec64_compare() is correct because the tv_sec comparison is not longer misleading: wall_to_monotonic = { .tv_sec = -10, .tv_nsec = 900000000 } ts_delta = { .tv_sec = -10, .tv_nsec = 100000000 } Use timespec64_sub() to ensure that ts_delta is normalized, which fixes the issue. Fixes: e1d7ba873555 ("time: Always make sure wall_to_monotonic isn't positive") Signed-off-by: Yu Liao <liaoyu15@huawei.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20211213135727.1656662-1-liaoyu15@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- kernel/time/timekeeping.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -966,8 +966,7 @@ int do_settimeofday64(const struct times timekeeping_forward_now(tk); xt = tk_xtime(tk); - ts_delta.tv_sec = ts->tv_sec - xt.tv_sec; - ts_delta.tv_nsec = ts->tv_nsec - xt.tv_nsec; + ts_delta = timespec64_sub(*ts, xt); if (timespec64_compare(&tk->wall_to_monotonic, &ts_delta) > 0) { ret = -EINVAL; ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 16/23] net: systemport: Add global locking for descriptor lifecycle 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (14 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 15/23] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 17/23] net: lan78xx: Avoid unnecessary self assignment Greg Kroah-Hartman ` (11 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Florian Fainelli, Jakub Kicinski From: Florian Fainelli <f.fainelli@gmail.com> commit 8b8e6e782456f1ce02a7ae914bbd5b1053f0b034 upstream. The descriptor list is a shared resource across all of the transmit queues, and the locking mechanism used today only protects concurrency across a given transmit queue between the transmit and reclaiming. This creates an opportunity for the SYSTEMPORT hardware to work on corrupted descriptors if we have multiple producers at once which is the case when using multiple transmit queues. This was particularly noticeable when using multiple flows/transmit queues and it showed up in interesting ways in that UDP packets would get a correct UDP header checksum being calculated over an incorrect packet length. Similarly TCP packets would get an equally correct checksum computed by the hardware over an incorrect packet length. The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges when the driver produces a new descriptor anytime it writes to the WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to re-organize its descriptors and it is possible that concurrent TX queues eventually break this internal allocation scheme to the point where the length/status part of the descriptor gets used for an incorrect data buffer. The fix is to impose a global serialization for all TX queues in the short section where we are writing to the WRITE_PORT_{HI,LO} registers which solves the corruption even with multiple concurrent TX queues being used. Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> Link: https://lore.kernel.org/r/20211215202450.4086240-1-f.fainelli@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/net/ethernet/broadcom/bcmsysport.c | 5 +++++ drivers/net/ethernet/broadcom/bcmsysport.h | 1 + 2 files changed, 6 insertions(+) --- a/drivers/net/ethernet/broadcom/bcmsysport.c +++ b/drivers/net/ethernet/broadcom/bcmsysport.c @@ -90,9 +90,13 @@ static inline void tdma_port_write_desc_ struct dma_desc *desc, unsigned int port) { + unsigned long desc_flags; + /* Ports are latched, so write upper address first */ + spin_lock_irqsave(&priv->desc_lock, desc_flags); tdma_writel(priv, desc->addr_status_len, TDMA_WRITE_PORT_HI(port)); tdma_writel(priv, desc->addr_lo, TDMA_WRITE_PORT_LO(port)); + spin_unlock_irqrestore(&priv->desc_lock, desc_flags); } /* Ethtool operations */ @@ -1608,6 +1612,7 @@ static int bcm_sysport_open(struct net_d } /* Initialize both hardware and software ring */ + spin_lock_init(&priv->desc_lock); for (i = 0; i < dev->num_tx_queues; i++) { ret = bcm_sysport_init_tx_ring(priv, i); if (ret) { --- a/drivers/net/ethernet/broadcom/bcmsysport.h +++ b/drivers/net/ethernet/broadcom/bcmsysport.h @@ -660,6 +660,7 @@ struct bcm_sysport_priv { int wol_irq; /* Transmit rings */ + spinlock_t desc_lock; struct bcm_sysport_tx_ring tx_rings[TDMA_NUM_RINGS]; /* Receive queue */ ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 17/23] net: lan78xx: Avoid unnecessary self assignment 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (15 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 16/23] net: systemport: Add global locking for descriptor lifecycle Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 18/23] ARM: 8805/2: remove unneeded naked function usage Greg Kroah-Hartman ` (10 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, David S. Miller, Anders Roxell From: Nathan Chancellor <natechancellor@gmail.com> commit 94e7c844990f0db92418586b107be135b4963b66 upstream. Clang warns when a variable is assigned to itself. drivers/net/usb/lan78xx.c:940:11: warning: explicitly assigning value of variable of type 'u32' (aka 'unsigned int') to itself [-Wself-assign] offset = offset; ~~~~~~ ^ ~~~~~~ 1 warning generated. Reorder the if statement to acheive the same result and avoid a self assignment warning. Link: https://github.com/ClangBuiltLinux/linux/issues/129 Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Anders Roxell <anders.roxell@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/net/usb/lan78xx.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -609,11 +609,9 @@ static int lan78xx_read_otp(struct lan78 ret = lan78xx_read_raw_otp(dev, 0, 1, &sig); if (ret == 0) { - if (sig == OTP_INDICATOR_1) - offset = offset; - else if (sig == OTP_INDICATOR_2) + if (sig == OTP_INDICATOR_2) offset += 0x100; - else + else if (sig != OTP_INDICATOR_1) ret = -EINVAL; if (!ret) ret = lan78xx_read_raw_otp(dev, offset, length, data); ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 18/23] ARM: 8805/2: remove unneeded naked function usage 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (16 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 17/23] net: lan78xx: Avoid unnecessary self assignment Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 19/23] Input: touchscreen - avoid bitwise vs logical OR warning Greg Kroah-Hartman ` (9 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Nicolas Pitre, Stefan Agner, Russell King, Anders Roxell From: Nicolas Pitre <nicolas.pitre@linaro.org> commit b99afae1390140f5b0039e6b37a7380de31ae874 upstream. The naked attribute is known to confuse some old gcc versions when function arguments aren't explicitly listed as inline assembly operands despite the gcc documentation. That resulted in commit 9a40ac86152c ("ARM: 6164/1: Add kto and kfrom to input operands list."). Yet that commit has problems of its own by having assembly operand constraints completely wrong. If the generated code has been OK since then, it is due to luck rather than correctness. So this patch also provides proper assembly operand constraints, and removes two instances of redundant register usages in the implementation while at it. Inspection of the generated code with this patch doesn't show any obvious quality degradation either, so not relying on __naked at all will make the code less fragile, and avoid some issues with clang. The only remaining __naked instances (excluding the kprobes test cases) are exynos_pm_power_up_setup(), tc2_pm_power_up_setup() and cci_enable_port_for_self(. But in the first two cases, only the function address is used by the compiler with no chance of inlining it by mistake, and the third case is called from assembly code only. And the fact that no stack is available when the corresponding code is executed does warrant the __naked usage in those cases. Signed-off-by: Nicolas Pitre <nico@linaro.org> Reviewed-by: Stefan Agner <stefan@agner.ch> Tested-by: Stefan Agner <stefan@agner.ch> Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: Anders Roxell <anders.roxell@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- arch/arm/mm/copypage-fa.c | 35 ++++++-------- arch/arm/mm/copypage-feroceon.c | 98 +++++++++++++++++++--------------------- arch/arm/mm/copypage-v4mc.c | 19 +++---- arch/arm/mm/copypage-v4wb.c | 41 ++++++++-------- arch/arm/mm/copypage-v4wt.c | 37 +++++++-------- arch/arm/mm/copypage-xsc3.c | 71 ++++++++++++---------------- arch/arm/mm/copypage-xscale.c | 71 ++++++++++++++-------------- 7 files changed, 178 insertions(+), 194 deletions(-) --- a/arch/arm/mm/copypage-fa.c +++ b/arch/arm/mm/copypage-fa.c @@ -17,26 +17,25 @@ /* * Faraday optimised copy_user_page */ -static void __naked -fa_copy_user_page(void *kto, const void *kfrom) +static void fa_copy_user_page(void *kto, const void *kfrom) { - asm("\ - stmfd sp!, {r4, lr} @ 2\n\ - mov r2, %0 @ 1\n\ -1: ldmia r1!, {r3, r4, ip, lr} @ 4\n\ - stmia r0, {r3, r4, ip, lr} @ 4\n\ - mcr p15, 0, r0, c7, c14, 1 @ 1 clean and invalidate D line\n\ - add r0, r0, #16 @ 1\n\ - ldmia r1!, {r3, r4, ip, lr} @ 4\n\ - stmia r0, {r3, r4, ip, lr} @ 4\n\ - mcr p15, 0, r0, c7, c14, 1 @ 1 clean and invalidate D line\n\ - add r0, r0, #16 @ 1\n\ - subs r2, r2, #1 @ 1\n\ + int tmp; + + asm volatile ("\ +1: ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + stmia %0, {r3, r4, ip, lr} @ 4\n\ + mcr p15, 0, %0, c7, c14, 1 @ 1 clean and invalidate D line\n\ + add %0, %0, #16 @ 1\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + stmia %0, {r3, r4, ip, lr} @ 4\n\ + mcr p15, 0, %0, c7, c14, 1 @ 1 clean and invalidate D line\n\ + add %0, %0, #16 @ 1\n\ + subs %2, %2, #1 @ 1\n\ bne 1b @ 1\n\ - mcr p15, 0, r2, c7, c10, 4 @ 1 drain WB\n\ - ldmfd sp!, {r4, pc} @ 3" - : - : "I" (PAGE_SIZE / 32)); + mcr p15, 0, %2, c7, c10, 4 @ 1 drain WB" + : "+&r" (kto), "+&r" (kfrom), "=&r" (tmp) + : "2" (PAGE_SIZE / 32) + : "r3", "r4", "ip", "lr"); } void fa_copy_user_highpage(struct page *to, struct page *from, --- a/arch/arm/mm/copypage-feroceon.c +++ b/arch/arm/mm/copypage-feroceon.c @@ -13,58 +13,56 @@ #include <linux/init.h> #include <linux/highmem.h> -static void __naked -feroceon_copy_user_page(void *kto, const void *kfrom) +static void feroceon_copy_user_page(void *kto, const void *kfrom) { - asm("\ - stmfd sp!, {r4-r9, lr} \n\ - mov ip, %2 \n\ -1: mov lr, r1 \n\ - ldmia r1!, {r2 - r9} \n\ - pld [lr, #32] \n\ - pld [lr, #64] \n\ - pld [lr, #96] \n\ - pld [lr, #128] \n\ - pld [lr, #160] \n\ - pld [lr, #192] \n\ - pld [lr, #224] \n\ - stmia r0, {r2 - r9} \n\ - ldmia r1!, {r2 - r9} \n\ - mcr p15, 0, r0, c7, c14, 1 @ clean and invalidate D line\n\ - add r0, r0, #32 \n\ - stmia r0, {r2 - r9} \n\ - ldmia r1!, {r2 - r9} \n\ - mcr p15, 0, r0, c7, c14, 1 @ clean and invalidate D line\n\ - add r0, r0, #32 \n\ - stmia r0, {r2 - r9} \n\ - ldmia r1!, {r2 - r9} \n\ - mcr p15, 0, r0, c7, c14, 1 @ clean and invalidate D line\n\ - add r0, r0, #32 \n\ - stmia r0, {r2 - r9} \n\ - ldmia r1!, {r2 - r9} \n\ - mcr p15, 0, r0, c7, c14, 1 @ clean and invalidate D line\n\ - add r0, r0, #32 \n\ - stmia r0, {r2 - r9} \n\ - ldmia r1!, {r2 - r9} \n\ - mcr p15, 0, r0, c7, c14, 1 @ clean and invalidate D line\n\ - add r0, r0, #32 \n\ - stmia r0, {r2 - r9} \n\ - ldmia r1!, {r2 - r9} \n\ - mcr p15, 0, r0, c7, c14, 1 @ clean and invalidate D line\n\ - add r0, r0, #32 \n\ - stmia r0, {r2 - r9} \n\ - ldmia r1!, {r2 - r9} \n\ - mcr p15, 0, r0, c7, c14, 1 @ clean and invalidate D line\n\ - add r0, r0, #32 \n\ - stmia r0, {r2 - r9} \n\ - subs ip, ip, #(32 * 8) \n\ - mcr p15, 0, r0, c7, c14, 1 @ clean and invalidate D line\n\ - add r0, r0, #32 \n\ + int tmp; + + asm volatile ("\ +1: ldmia %1!, {r2 - r7, ip, lr} \n\ + pld [%1, #0] \n\ + pld [%1, #32] \n\ + pld [%1, #64] \n\ + pld [%1, #96] \n\ + pld [%1, #128] \n\ + pld [%1, #160] \n\ + pld [%1, #192] \n\ + stmia %0, {r2 - r7, ip, lr} \n\ + ldmia %1!, {r2 - r7, ip, lr} \n\ + mcr p15, 0, %0, c7, c14, 1 @ clean and invalidate D line\n\ + add %0, %0, #32 \n\ + stmia %0, {r2 - r7, ip, lr} \n\ + ldmia %1!, {r2 - r7, ip, lr} \n\ + mcr p15, 0, %0, c7, c14, 1 @ clean and invalidate D line\n\ + add %0, %0, #32 \n\ + stmia %0, {r2 - r7, ip, lr} \n\ + ldmia %1!, {r2 - r7, ip, lr} \n\ + mcr p15, 0, %0, c7, c14, 1 @ clean and invalidate D line\n\ + add %0, %0, #32 \n\ + stmia %0, {r2 - r7, ip, lr} \n\ + ldmia %1!, {r2 - r7, ip, lr} \n\ + mcr p15, 0, %0, c7, c14, 1 @ clean and invalidate D line\n\ + add %0, %0, #32 \n\ + stmia %0, {r2 - r7, ip, lr} \n\ + ldmia %1!, {r2 - r7, ip, lr} \n\ + mcr p15, 0, %0, c7, c14, 1 @ clean and invalidate D line\n\ + add %0, %0, #32 \n\ + stmia %0, {r2 - r7, ip, lr} \n\ + ldmia %1!, {r2 - r7, ip, lr} \n\ + mcr p15, 0, %0, c7, c14, 1 @ clean and invalidate D line\n\ + add %0, %0, #32 \n\ + stmia %0, {r2 - r7, ip, lr} \n\ + ldmia %1!, {r2 - r7, ip, lr} \n\ + mcr p15, 0, %0, c7, c14, 1 @ clean and invalidate D line\n\ + add %0, %0, #32 \n\ + stmia %0, {r2 - r7, ip, lr} \n\ + subs %2, %2, #(32 * 8) \n\ + mcr p15, 0, %0, c7, c14, 1 @ clean and invalidate D line\n\ + add %0, %0, #32 \n\ bne 1b \n\ - mcr p15, 0, ip, c7, c10, 4 @ drain WB\n\ - ldmfd sp!, {r4-r9, pc}" - : - : "r" (kto), "r" (kfrom), "I" (PAGE_SIZE)); + mcr p15, 0, %2, c7, c10, 4 @ drain WB" + : "+&r" (kto), "+&r" (kfrom), "=&r" (tmp) + : "2" (PAGE_SIZE) + : "r2", "r3", "r4", "r5", "r6", "r7", "ip", "lr"); } void feroceon_copy_user_highpage(struct page *to, struct page *from, --- a/arch/arm/mm/copypage-v4mc.c +++ b/arch/arm/mm/copypage-v4mc.c @@ -40,12 +40,11 @@ static DEFINE_RAW_SPINLOCK(minicache_loc * instruction. If your processor does not supply this, you have to write your * own copy_user_highpage that does the right thing. */ -static void __naked -mc_copy_user_page(void *from, void *to) +static void mc_copy_user_page(void *from, void *to) { - asm volatile( - "stmfd sp!, {r4, lr} @ 2\n\ - mov r4, %2 @ 1\n\ + int tmp; + + asm volatile ("\ ldmia %0!, {r2, r3, ip, lr} @ 4\n\ 1: mcr p15, 0, %1, c7, c6, 1 @ 1 invalidate D line\n\ stmia %1!, {r2, r3, ip, lr} @ 4\n\ @@ -55,13 +54,13 @@ mc_copy_user_page(void *from, void *to) mcr p15, 0, %1, c7, c6, 1 @ 1 invalidate D line\n\ stmia %1!, {r2, r3, ip, lr} @ 4\n\ ldmia %0!, {r2, r3, ip, lr} @ 4\n\ - subs r4, r4, #1 @ 1\n\ + subs %2, %2, #1 @ 1\n\ stmia %1!, {r2, r3, ip, lr} @ 4\n\ ldmneia %0!, {r2, r3, ip, lr} @ 4\n\ - bne 1b @ 1\n\ - ldmfd sp!, {r4, pc} @ 3" - : - : "r" (from), "r" (to), "I" (PAGE_SIZE / 64)); + bne 1b @ " + : "+&r" (from), "+&r" (to), "=&r" (tmp) + : "2" (PAGE_SIZE / 64) + : "r2", "r3", "ip", "lr"); } void v4_mc_copy_user_highpage(struct page *to, struct page *from, --- a/arch/arm/mm/copypage-v4wb.c +++ b/arch/arm/mm/copypage-v4wb.c @@ -22,29 +22,28 @@ * instruction. If your processor does not supply this, you have to write your * own copy_user_highpage that does the right thing. */ -static void __naked -v4wb_copy_user_page(void *kto, const void *kfrom) +static void v4wb_copy_user_page(void *kto, const void *kfrom) { - asm("\ - stmfd sp!, {r4, lr} @ 2\n\ - mov r2, %2 @ 1\n\ - ldmia r1!, {r3, r4, ip, lr} @ 4\n\ -1: mcr p15, 0, r0, c7, c6, 1 @ 1 invalidate D line\n\ - stmia r0!, {r3, r4, ip, lr} @ 4\n\ - ldmia r1!, {r3, r4, ip, lr} @ 4+1\n\ - stmia r0!, {r3, r4, ip, lr} @ 4\n\ - ldmia r1!, {r3, r4, ip, lr} @ 4\n\ - mcr p15, 0, r0, c7, c6, 1 @ 1 invalidate D line\n\ - stmia r0!, {r3, r4, ip, lr} @ 4\n\ - ldmia r1!, {r3, r4, ip, lr} @ 4\n\ - subs r2, r2, #1 @ 1\n\ - stmia r0!, {r3, r4, ip, lr} @ 4\n\ - ldmneia r1!, {r3, r4, ip, lr} @ 4\n\ + int tmp; + + asm volatile ("\ + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ +1: mcr p15, 0, %0, c7, c6, 1 @ 1 invalidate D line\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4+1\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + mcr p15, 0, %0, c7, c6, 1 @ 1 invalidate D line\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + subs %2, %2, #1 @ 1\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ + ldmneia %1!, {r3, r4, ip, lr} @ 4\n\ bne 1b @ 1\n\ - mcr p15, 0, r1, c7, c10, 4 @ 1 drain WB\n\ - ldmfd sp!, {r4, pc} @ 3" - : - : "r" (kto), "r" (kfrom), "I" (PAGE_SIZE / 64)); + mcr p15, 0, %1, c7, c10, 4 @ 1 drain WB" + : "+&r" (kto), "+&r" (kfrom), "=&r" (tmp) + : "2" (PAGE_SIZE / 64) + : "r3", "r4", "ip", "lr"); } void v4wb_copy_user_highpage(struct page *to, struct page *from, --- a/arch/arm/mm/copypage-v4wt.c +++ b/arch/arm/mm/copypage-v4wt.c @@ -20,27 +20,26 @@ * dirty data in the cache. However, we do have to ensure that * subsequent reads are up to date. */ -static void __naked -v4wt_copy_user_page(void *kto, const void *kfrom) +static void v4wt_copy_user_page(void *kto, const void *kfrom) { - asm("\ - stmfd sp!, {r4, lr} @ 2\n\ - mov r2, %2 @ 1\n\ - ldmia r1!, {r3, r4, ip, lr} @ 4\n\ -1: stmia r0!, {r3, r4, ip, lr} @ 4\n\ - ldmia r1!, {r3, r4, ip, lr} @ 4+1\n\ - stmia r0!, {r3, r4, ip, lr} @ 4\n\ - ldmia r1!, {r3, r4, ip, lr} @ 4\n\ - stmia r0!, {r3, r4, ip, lr} @ 4\n\ - ldmia r1!, {r3, r4, ip, lr} @ 4\n\ - subs r2, r2, #1 @ 1\n\ - stmia r0!, {r3, r4, ip, lr} @ 4\n\ - ldmneia r1!, {r3, r4, ip, lr} @ 4\n\ + int tmp; + + asm volatile ("\ + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ +1: stmia %0!, {r3, r4, ip, lr} @ 4\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4+1\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ + ldmia %1!, {r3, r4, ip, lr} @ 4\n\ + subs %2, %2, #1 @ 1\n\ + stmia %0!, {r3, r4, ip, lr} @ 4\n\ + ldmneia %1!, {r3, r4, ip, lr} @ 4\n\ bne 1b @ 1\n\ - mcr p15, 0, r2, c7, c7, 0 @ flush ID cache\n\ - ldmfd sp!, {r4, pc} @ 3" - : - : "r" (kto), "r" (kfrom), "I" (PAGE_SIZE / 64)); + mcr p15, 0, %2, c7, c7, 0 @ flush ID cache" + : "+&r" (kto), "+&r" (kfrom), "=&r" (tmp) + : "2" (PAGE_SIZE / 64) + : "r3", "r4", "ip", "lr"); } void v4wt_copy_user_highpage(struct page *to, struct page *from, --- a/arch/arm/mm/copypage-xsc3.c +++ b/arch/arm/mm/copypage-xsc3.c @@ -21,53 +21,46 @@ /* * XSC3 optimised copy_user_highpage - * r0 = destination - * r1 = source * * The source page may have some clean entries in the cache already, but we * can safely ignore them - break_cow() will flush them out of the cache * if we eventually end up using our copied page. * */ -static void __naked -xsc3_mc_copy_user_page(void *kto, const void *kfrom) +static void xsc3_mc_copy_user_page(void *kto, const void *kfrom) { - asm("\ - stmfd sp!, {r4, r5, lr} \n\ - mov lr, %2 \n\ - \n\ - pld [r1, #0] \n\ - pld [r1, #32] \n\ -1: pld [r1, #64] \n\ - pld [r1, #96] \n\ + int tmp; + + asm volatile ("\ + pld [%1, #0] \n\ + pld [%1, #32] \n\ +1: pld [%1, #64] \n\ + pld [%1, #96] \n\ \n\ -2: ldrd r2, [r1], #8 \n\ - mov ip, r0 \n\ - ldrd r4, [r1], #8 \n\ - mcr p15, 0, ip, c7, c6, 1 @ invalidate\n\ - strd r2, [r0], #8 \n\ - ldrd r2, [r1], #8 \n\ - strd r4, [r0], #8 \n\ - ldrd r4, [r1], #8 \n\ - strd r2, [r0], #8 \n\ - strd r4, [r0], #8 \n\ - ldrd r2, [r1], #8 \n\ - mov ip, r0 \n\ - ldrd r4, [r1], #8 \n\ - mcr p15, 0, ip, c7, c6, 1 @ invalidate\n\ - strd r2, [r0], #8 \n\ - ldrd r2, [r1], #8 \n\ - subs lr, lr, #1 \n\ - strd r4, [r0], #8 \n\ - ldrd r4, [r1], #8 \n\ - strd r2, [r0], #8 \n\ - strd r4, [r0], #8 \n\ +2: ldrd r2, [%1], #8 \n\ + ldrd r4, [%1], #8 \n\ + mcr p15, 0, %0, c7, c6, 1 @ invalidate\n\ + strd r2, [%0], #8 \n\ + ldrd r2, [%1], #8 \n\ + strd r4, [%0], #8 \n\ + ldrd r4, [%1], #8 \n\ + strd r2, [%0], #8 \n\ + strd r4, [%0], #8 \n\ + ldrd r2, [%1], #8 \n\ + ldrd r4, [%1], #8 \n\ + mcr p15, 0, %0, c7, c6, 1 @ invalidate\n\ + strd r2, [%0], #8 \n\ + ldrd r2, [%1], #8 \n\ + subs %2, %2, #1 \n\ + strd r4, [%0], #8 \n\ + ldrd r4, [%1], #8 \n\ + strd r2, [%0], #8 \n\ + strd r4, [%0], #8 \n\ bgt 1b \n\ - beq 2b \n\ - \n\ - ldmfd sp!, {r4, r5, pc}" - : - : "r" (kto), "r" (kfrom), "I" (PAGE_SIZE / 64 - 1)); + beq 2b " + : "+&r" (kto), "+&r" (kfrom), "=&r" (tmp) + : "2" (PAGE_SIZE / 64 - 1) + : "r2", "r3", "r4", "r5"); } void xsc3_mc_copy_user_highpage(struct page *to, struct page *from, @@ -85,8 +78,6 @@ void xsc3_mc_copy_user_highpage(struct p /* * XScale optimised clear_user_page - * r0 = destination - * r1 = virtual user address of ultimate destination page */ void xsc3_mc_clear_user_highpage(struct page *page, unsigned long vaddr) { --- a/arch/arm/mm/copypage-xscale.c +++ b/arch/arm/mm/copypage-xscale.c @@ -36,52 +36,51 @@ static DEFINE_RAW_SPINLOCK(minicache_loc * Dcache aliasing issue. The writes will be forwarded to the write buffer, * and merged as appropriate. */ -static void __naked -mc_copy_user_page(void *from, void *to) +static void mc_copy_user_page(void *from, void *to) { + int tmp; + /* * Strangely enough, best performance is achieved * when prefetching destination as well. (NP) */ - asm volatile( - "stmfd sp!, {r4, r5, lr} \n\ - mov lr, %2 \n\ - pld [r0, #0] \n\ - pld [r0, #32] \n\ - pld [r1, #0] \n\ - pld [r1, #32] \n\ -1: pld [r0, #64] \n\ - pld [r0, #96] \n\ - pld [r1, #64] \n\ - pld [r1, #96] \n\ -2: ldrd r2, [r0], #8 \n\ - ldrd r4, [r0], #8 \n\ - mov ip, r1 \n\ - strd r2, [r1], #8 \n\ - ldrd r2, [r0], #8 \n\ - strd r4, [r1], #8 \n\ - ldrd r4, [r0], #8 \n\ - strd r2, [r1], #8 \n\ - strd r4, [r1], #8 \n\ + asm volatile ("\ + pld [%0, #0] \n\ + pld [%0, #32] \n\ + pld [%1, #0] \n\ + pld [%1, #32] \n\ +1: pld [%0, #64] \n\ + pld [%0, #96] \n\ + pld [%1, #64] \n\ + pld [%1, #96] \n\ +2: ldrd r2, [%0], #8 \n\ + ldrd r4, [%0], #8 \n\ + mov ip, %1 \n\ + strd r2, [%1], #8 \n\ + ldrd r2, [%0], #8 \n\ + strd r4, [%1], #8 \n\ + ldrd r4, [%0], #8 \n\ + strd r2, [%1], #8 \n\ + strd r4, [%1], #8 \n\ mcr p15, 0, ip, c7, c10, 1 @ clean D line\n\ - ldrd r2, [r0], #8 \n\ + ldrd r2, [%0], #8 \n\ mcr p15, 0, ip, c7, c6, 1 @ invalidate D line\n\ - ldrd r4, [r0], #8 \n\ - mov ip, r1 \n\ - strd r2, [r1], #8 \n\ - ldrd r2, [r0], #8 \n\ - strd r4, [r1], #8 \n\ - ldrd r4, [r0], #8 \n\ - strd r2, [r1], #8 \n\ - strd r4, [r1], #8 \n\ + ldrd r4, [%0], #8 \n\ + mov ip, %1 \n\ + strd r2, [%1], #8 \n\ + ldrd r2, [%0], #8 \n\ + strd r4, [%1], #8 \n\ + ldrd r4, [%0], #8 \n\ + strd r2, [%1], #8 \n\ + strd r4, [%1], #8 \n\ mcr p15, 0, ip, c7, c10, 1 @ clean D line\n\ - subs lr, lr, #1 \n\ + subs %2, %2, #1 \n\ mcr p15, 0, ip, c7, c6, 1 @ invalidate D line\n\ bgt 1b \n\ - beq 2b \n\ - ldmfd sp!, {r4, r5, pc} " - : - : "r" (from), "r" (to), "I" (PAGE_SIZE / 64 - 1)); + beq 2b " + : "+&r" (from), "+&r" (to), "=&r" (tmp) + : "2" (PAGE_SIZE / 64 - 1) + : "r2", "r3", "r4", "r5", "ip"); } void xscale_mc_copy_user_highpage(struct page *to, struct page *from, ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 19/23] Input: touchscreen - avoid bitwise vs logical OR warning 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (17 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 18/23] ARM: 8805/2: remove unneeded naked function usage Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 20/23] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman ` (8 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Nick Desaulniers, Dmitry Torokhov, Anders Roxell From: Nathan Chancellor <nathan@kernel.org> commit a02dcde595f7cbd240ccd64de96034ad91cffc40 upstream. A new warning in clang points out a few places in this driver where a bitwise OR is being used with boolean types: drivers/input/touchscreen.c:81:17: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical] data_present = touchscreen_get_prop_u32(dev, "touchscreen-min-x", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This use of a bitwise OR is intentional, as bitwise operations do not short circuit, which allows all the calls to touchscreen_get_prop_u32() to happen so that the last parameter is initialized while coalescing the results of the calls to make a decision after they are all evaluated. To make this clearer to the compiler, use the '|=' operator to assign the result of each touchscreen_get_prop_u32() call to data_present, which keeps the meaning of the code the same but makes it obvious that every one of these calls is expected to happen. Signed-off-by: Nathan Chancellor <nathan@kernel.org> Reported-by: Nick Desaulniers <ndesaulniers@google.com> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Link: https://lore.kernel.org/r/20211014205757.3474635-1-nathan@kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Anders Roxell <anders.roxell@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/input/touchscreen/of_touchscreen.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) --- a/drivers/input/touchscreen/of_touchscreen.c +++ b/drivers/input/touchscreen/of_touchscreen.c @@ -75,8 +75,8 @@ void touchscreen_parse_properties(struct data_present = touchscreen_get_prop_u32(dev, "touchscreen-size-x", input_abs_get_max(input, axis) + 1, - &maximum) | - touchscreen_get_prop_u32(dev, "touchscreen-fuzz-x", + &maximum); + data_present |= touchscreen_get_prop_u32(dev, "touchscreen-fuzz-x", input_abs_get_fuzz(input, axis), &fuzz); if (data_present) @@ -86,8 +86,8 @@ void touchscreen_parse_properties(struct data_present = touchscreen_get_prop_u32(dev, "touchscreen-size-y", input_abs_get_max(input, axis) + 1, - &maximum) | - touchscreen_get_prop_u32(dev, "touchscreen-fuzz-y", + &maximum); + data_present |= touchscreen_get_prop_u32(dev, "touchscreen-fuzz-y", input_abs_get_fuzz(input, axis), &fuzz); if (data_present) @@ -97,11 +97,11 @@ void touchscreen_parse_properties(struct data_present = touchscreen_get_prop_u32(dev, "touchscreen-max-pressure", input_abs_get_max(input, axis), - &maximum) | - touchscreen_get_prop_u32(dev, - "touchscreen-fuzz-pressure", - input_abs_get_fuzz(input, axis), - &fuzz); + &maximum); + data_present |= touchscreen_get_prop_u32(dev, + "touchscreen-fuzz-pressure", + input_abs_get_fuzz(input, axis), + &fuzz); if (data_present) touchscreen_set_params(input, axis, maximum, fuzz); } ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 20/23] xen/blkfront: harden blkfront against event channel storms 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (18 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 19/23] Input: touchscreen - avoid bitwise vs logical OR warning Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 21/23] xen/netfront: harden netfront " Greg Kroah-Hartman ` (7 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, Jan Beulich From: Juergen Gross <jgross@suse.com> commit 0fd08a34e8e3b67ec9bd8287ac0facf8374b844a upstream. The Xen blkfront driver is still vulnerable for an attack via excessive number of events sent by the backend. Fix that by using lateeoi event channels. This is part of XSA-391 Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/block/xen-blkfront.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- a/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c @@ -1319,11 +1319,13 @@ static irqreturn_t blkif_interrupt(int i unsigned long flags; struct blkfront_info *info = (struct blkfront_info *)dev_id; int error; + unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS; spin_lock_irqsave(&info->io_lock, flags); if (unlikely(info->connected != BLKIF_STATE_CONNECTED)) { spin_unlock_irqrestore(&info->io_lock, flags); + xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS); return IRQ_HANDLED; } @@ -1340,6 +1342,8 @@ static irqreturn_t blkif_interrupt(int i unsigned long id; unsigned int op; + eoiflag = 0; + RING_COPY_RESPONSE(&info->ring, i, &bret); id = bret.id; @@ -1444,6 +1448,8 @@ static irqreturn_t blkif_interrupt(int i spin_unlock_irqrestore(&info->io_lock, flags); + xen_irq_lateeoi(irq, eoiflag); + return IRQ_HANDLED; err: @@ -1451,6 +1457,8 @@ static irqreturn_t blkif_interrupt(int i spin_unlock_irqrestore(&info->io_lock, flags); + /* No EOI in order to avoid further interrupts. */ + pr_alert("%s disabled for further use\n", info->gd->disk_name); return IRQ_HANDLED; } @@ -1489,8 +1497,8 @@ static int setup_blkring(struct xenbus_d if (err) goto fail; - err = bind_evtchn_to_irqhandler(info->evtchn, blkif_interrupt, 0, - "blkif", info); + err = bind_evtchn_to_irqhandler_lateeoi(info->evtchn, blkif_interrupt, + 0, "blkif", info); if (err <= 0) { xenbus_dev_fatal(dev, err, "bind_evtchn_to_irqhandler failed"); ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 21/23] xen/netfront: harden netfront against event channel storms 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (19 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 20/23] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 22/23] xen/console: harden hvc_xen " Greg Kroah-Hartman ` (6 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, Jan Beulich From: Juergen Gross <jgross@suse.com> commit b27d47950e481f292c0a5ad57357edb9d95d03ba upstream. The Xen netfront driver is still vulnerable for an attack via excessive number of events sent by the backend. Fix that by using lateeoi event channels. For being able to detect the case of no rx responses being added while the carrier is down a new lock is needed in order to update and test rsp_cons and the number of seen unconsumed responses atomically. This is part of XSA-391 Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/net/xen-netfront.c | 125 +++++++++++++++++++++++++++++++++------------ 1 file changed, 94 insertions(+), 31 deletions(-) --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -141,6 +141,9 @@ struct netfront_queue { struct sk_buff *rx_skbs[NET_RX_RING_SIZE]; grant_ref_t gref_rx_head; grant_ref_t grant_rx_ref[NET_RX_RING_SIZE]; + + unsigned int rx_rsp_unconsumed; + spinlock_t rx_cons_lock; }; struct netfront_info { @@ -365,11 +368,12 @@ static int xennet_open(struct net_device return 0; } -static void xennet_tx_buf_gc(struct netfront_queue *queue) +static bool xennet_tx_buf_gc(struct netfront_queue *queue) { RING_IDX cons, prod; unsigned short id; struct sk_buff *skb; + bool work_done = false; const struct device *dev = &queue->info->netdev->dev; BUG_ON(!netif_carrier_ok(queue->info->netdev)); @@ -386,6 +390,8 @@ static void xennet_tx_buf_gc(struct netf for (cons = queue->tx.rsp_cons; cons != prod; cons++) { struct xen_netif_tx_response txrsp; + work_done = true; + RING_COPY_RESPONSE(&queue->tx, cons, &txrsp); if (txrsp.status == XEN_NETIF_RSP_NULL) continue; @@ -439,11 +445,13 @@ static void xennet_tx_buf_gc(struct netf xennet_maybe_wake_tx(queue); - return; + return work_done; err: queue->info->broken = true; dev_alert(dev, "Disabled for further use\n"); + + return work_done; } struct xennet_gnttab_make_txreq { @@ -748,6 +756,16 @@ static int xennet_close(struct net_devic return 0; } +static void xennet_set_rx_rsp_cons(struct netfront_queue *queue, RING_IDX val) +{ + unsigned long flags; + + spin_lock_irqsave(&queue->rx_cons_lock, flags); + queue->rx.rsp_cons = val; + queue->rx_rsp_unconsumed = RING_HAS_UNCONSUMED_RESPONSES(&queue->rx); + spin_unlock_irqrestore(&queue->rx_cons_lock, flags); +} + static void xennet_move_rx_slot(struct netfront_queue *queue, struct sk_buff *skb, grant_ref_t ref) { @@ -799,7 +817,7 @@ static int xennet_get_extras(struct netf xennet_move_rx_slot(queue, skb, ref); } while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE); - queue->rx.rsp_cons = cons; + xennet_set_rx_rsp_cons(queue, cons); return err; } @@ -879,7 +897,7 @@ next: } if (unlikely(err)) - queue->rx.rsp_cons = cons + slots; + xennet_set_rx_rsp_cons(queue, cons + slots); return err; } @@ -933,7 +951,8 @@ static int xennet_fill_frags(struct netf __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); } if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { - queue->rx.rsp_cons = ++cons + skb_queue_len(list); + xennet_set_rx_rsp_cons(queue, + ++cons + skb_queue_len(list)); kfree_skb(nskb); return -ENOENT; } @@ -946,7 +965,7 @@ static int xennet_fill_frags(struct netf kfree_skb(nskb); } - queue->rx.rsp_cons = cons; + xennet_set_rx_rsp_cons(queue, cons); return 0; } @@ -1067,7 +1086,9 @@ err: if (unlikely(xennet_set_skb_gso(skb, gso))) { __skb_queue_head(&tmpq, skb); - queue->rx.rsp_cons += skb_queue_len(&tmpq); + xennet_set_rx_rsp_cons(queue, + queue->rx.rsp_cons + + skb_queue_len(&tmpq)); goto err; } } @@ -1091,7 +1112,8 @@ err: __skb_queue_tail(&rxq, skb); - i = ++queue->rx.rsp_cons; + i = queue->rx.rsp_cons + 1; + xennet_set_rx_rsp_cons(queue, i); work_done++; } @@ -1275,40 +1297,79 @@ static int xennet_set_features(struct ne return 0; } -static irqreturn_t xennet_tx_interrupt(int irq, void *dev_id) +static bool xennet_handle_tx(struct netfront_queue *queue, unsigned int *eoi) { - struct netfront_queue *queue = dev_id; unsigned long flags; - if (queue->info->broken) - return IRQ_HANDLED; + if (unlikely(queue->info->broken)) + return false; spin_lock_irqsave(&queue->tx_lock, flags); - xennet_tx_buf_gc(queue); + if (xennet_tx_buf_gc(queue)) + *eoi = 0; spin_unlock_irqrestore(&queue->tx_lock, flags); + return true; +} + +static irqreturn_t xennet_tx_interrupt(int irq, void *dev_id) +{ + unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS; + + if (likely(xennet_handle_tx(dev_id, &eoiflag))) + xen_irq_lateeoi(irq, eoiflag); + return IRQ_HANDLED; } -static irqreturn_t xennet_rx_interrupt(int irq, void *dev_id) +static bool xennet_handle_rx(struct netfront_queue *queue, unsigned int *eoi) { - struct netfront_queue *queue = dev_id; - struct net_device *dev = queue->info->netdev; + unsigned int work_queued; + unsigned long flags; + + if (unlikely(queue->info->broken)) + return false; - if (queue->info->broken) - return IRQ_HANDLED; + spin_lock_irqsave(&queue->rx_cons_lock, flags); + work_queued = RING_HAS_UNCONSUMED_RESPONSES(&queue->rx); + if (work_queued > queue->rx_rsp_unconsumed) { + queue->rx_rsp_unconsumed = work_queued; + *eoi = 0; + } else if (unlikely(work_queued < queue->rx_rsp_unconsumed)) { + const struct device *dev = &queue->info->netdev->dev; + + spin_unlock_irqrestore(&queue->rx_cons_lock, flags); + dev_alert(dev, "RX producer index going backwards\n"); + dev_alert(dev, "Disabled for further use\n"); + queue->info->broken = true; + return false; + } + spin_unlock_irqrestore(&queue->rx_cons_lock, flags); - if (likely(netif_carrier_ok(dev) && - RING_HAS_UNCONSUMED_RESPONSES(&queue->rx))) + if (likely(netif_carrier_ok(queue->info->netdev) && work_queued)) napi_schedule(&queue->napi); + return true; +} + +static irqreturn_t xennet_rx_interrupt(int irq, void *dev_id) +{ + unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS; + + if (likely(xennet_handle_rx(dev_id, &eoiflag))) + xen_irq_lateeoi(irq, eoiflag); + return IRQ_HANDLED; } static irqreturn_t xennet_interrupt(int irq, void *dev_id) { - xennet_tx_interrupt(irq, dev_id); - xennet_rx_interrupt(irq, dev_id); + unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS; + + if (xennet_handle_tx(dev_id, &eoiflag) && + xennet_handle_rx(dev_id, &eoiflag)) + xen_irq_lateeoi(irq, eoiflag); + return IRQ_HANDLED; } @@ -1540,9 +1601,10 @@ static int setup_netfront_single(struct if (err < 0) goto fail; - err = bind_evtchn_to_irqhandler(queue->tx_evtchn, - xennet_interrupt, - 0, queue->info->netdev->name, queue); + err = bind_evtchn_to_irqhandler_lateeoi(queue->tx_evtchn, + xennet_interrupt, 0, + queue->info->netdev->name, + queue); if (err < 0) goto bind_fail; queue->rx_evtchn = queue->tx_evtchn; @@ -1570,18 +1632,18 @@ static int setup_netfront_split(struct n snprintf(queue->tx_irq_name, sizeof(queue->tx_irq_name), "%s-tx", queue->name); - err = bind_evtchn_to_irqhandler(queue->tx_evtchn, - xennet_tx_interrupt, - 0, queue->tx_irq_name, queue); + err = bind_evtchn_to_irqhandler_lateeoi(queue->tx_evtchn, + xennet_tx_interrupt, 0, + queue->tx_irq_name, queue); if (err < 0) goto bind_tx_fail; queue->tx_irq = err; snprintf(queue->rx_irq_name, sizeof(queue->rx_irq_name), "%s-rx", queue->name); - err = bind_evtchn_to_irqhandler(queue->rx_evtchn, - xennet_rx_interrupt, - 0, queue->rx_irq_name, queue); + err = bind_evtchn_to_irqhandler_lateeoi(queue->rx_evtchn, + xennet_rx_interrupt, 0, + queue->rx_irq_name, queue); if (err < 0) goto bind_rx_fail; queue->rx_irq = err; @@ -1683,6 +1745,7 @@ static int xennet_init_queue(struct netf spin_lock_init(&queue->tx_lock); spin_lock_init(&queue->rx_lock); + spin_lock_init(&queue->rx_cons_lock); setup_timer(&queue->rx_refill_timer, rx_refill_timeout, (unsigned long)queue); ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 22/23] xen/console: harden hvc_xen against event channel storms 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (20 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 21/23] xen/netfront: harden netfront " Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 23/23] xen/netback: dont queue unlimited number of packages Greg Kroah-Hartman ` (5 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, Jan Beulich From: Juergen Gross <jgross@suse.com> commit fe415186b43df0db1f17fa3a46275fd92107fe71 upstream. The Xen console driver is still vulnerable for an attack via excessive number of events sent by the backend. Fix that by using a lateeoi event channel. For the normal domU initial console this requires the introduction of bind_evtchn_to_irq_lateeoi() as there is no xenbus device available at the time the event channel is bound to the irq. As the decision whether an interrupt was spurious or not requires to test for bytes having been read from the backend, move sending the event into the if statement, as sending an event without having found any bytes to be read is making no sense at all. This is part of XSA-391 Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/tty/hvc/hvc_xen.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) --- a/drivers/tty/hvc/hvc_xen.c +++ b/drivers/tty/hvc/hvc_xen.c @@ -49,6 +49,8 @@ struct xencons_info { struct xenbus_device *xbdev; struct xencons_interface *intf; unsigned int evtchn; + XENCONS_RING_IDX out_cons; + unsigned int out_cons_same; struct hvc_struct *hvc; int irq; int vtermno; @@ -150,6 +152,8 @@ static int domU_read_console(uint32_t vt XENCONS_RING_IDX cons, prod; int recv = 0; struct xencons_info *xencons = vtermno_to_xencons(vtermno); + unsigned int eoiflag = 0; + if (xencons == NULL) return -EINVAL; intf = xencons->intf; @@ -169,7 +173,27 @@ static int domU_read_console(uint32_t vt mb(); /* read ring before consuming */ intf->in_cons = cons; - notify_daemon(xencons); + /* + * When to mark interrupt having been spurious: + * - there was no new data to be read, and + * - the backend did not consume some output bytes, and + * - the previous round with no read data didn't see consumed bytes + * (we might have a race with an interrupt being in flight while + * updating xencons->out_cons, so account for that by allowing one + * round without any visible reason) + */ + if (intf->out_cons != xencons->out_cons) { + xencons->out_cons = intf->out_cons; + xencons->out_cons_same = 0; + } + if (recv) { + notify_daemon(xencons); + } else if (xencons->out_cons_same++ > 1) { + eoiflag = XEN_EOI_FLAG_SPURIOUS; + } + + xen_irq_lateeoi(xencons->irq, eoiflag); + return recv; } @@ -391,7 +415,7 @@ static int xencons_connect_backend(struc if (ret) return ret; info->evtchn = evtchn; - irq = bind_evtchn_to_irq(evtchn); + irq = bind_interdomain_evtchn_to_irq_lateeoi(dev->otherend_id, evtchn); if (irq < 0) return irq; info->irq = irq; @@ -555,7 +579,7 @@ static int __init xen_hvc_init(void) return r; info = vtermno_to_xencons(HVC_COOKIE); - info->irq = bind_evtchn_to_irq(info->evtchn); + info->irq = bind_evtchn_to_irq_lateeoi(info->evtchn); } if (info->irq < 0) info->irq = 0; /* NO_IRQ */ ^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 4.4 23/23] xen/netback: dont queue unlimited number of packages 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (21 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 22/23] xen/console: harden hvc_xen " Greg Kroah-Hartman @ 2021-12-20 14:34 ` Greg Kroah-Hartman 2021-12-20 18:25 ` [PATCH 4.4 00/23] 4.4.296-rc1 review Jon Hunter ` (4 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw) To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, Jan Beulich From: Juergen Gross <jgross@suse.com> commit be81992f9086b230623ae3ebbc85ecee4d00a3d3 upstream. In case a guest isn't consuming incoming network traffic as fast as it is coming in, xen-netback is buffering network packages in unlimited numbers today. This can result in host OOM situations. Commit f48da8b14d04ca8 ("xen-netback: fix unlimited guest Rx internal queue and carrier flapping") meant to introduce a mechanism to limit the amount of buffered data by stopping the Tx queue when reaching the data limit, but this doesn't work for cases like UDP. When hitting the limit don't queue further SKBs, but drop them instead. In order to be able to tell Rx packages have been dropped increment the rx_dropped statistics counter in this case. It should be noted that the old solution to continue queueing SKBs had the additional problem of an overflow of the 32-bit rx_queue_len value would result in intermittent Tx queue enabling. This is part of XSA-392 Fixes: f48da8b14d04ca8 ("xen-netback: fix unlimited guest Rx internal queue and carrier flapping") Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/net/xen-netback/netback.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/drivers/net/xen-netback/netback.c +++ b/drivers/net/xen-netback/netback.c @@ -189,11 +189,15 @@ void xenvif_rx_queue_tail(struct xenvif_ spin_lock_irqsave(&queue->rx_queue.lock, flags); - __skb_queue_tail(&queue->rx_queue, skb); - - queue->rx_queue_len += skb->len; - if (queue->rx_queue_len > queue->rx_queue_max) + if (queue->rx_queue_len >= queue->rx_queue_max) { netif_tx_stop_queue(netdev_get_tx_queue(queue->vif->dev, queue->id)); + kfree_skb(skb); + queue->vif->dev->stats.rx_dropped++; + } else { + __skb_queue_tail(&queue->rx_queue, skb); + + queue->rx_queue_len += skb->len; + } spin_unlock_irqrestore(&queue->rx_queue.lock, flags); } @@ -243,6 +247,7 @@ static void xenvif_rx_queue_drop_expired break; xenvif_rx_dequeue(queue); kfree_skb(skb); + queue->vif->dev->stats.rx_dropped++; } } ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [PATCH 4.4 00/23] 4.4.296-rc1 review 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (22 preceding siblings ...) 2021-12-20 14:34 ` [PATCH 4.4 23/23] xen/netback: dont queue unlimited number of packages Greg Kroah-Hartman @ 2021-12-20 18:25 ` Jon Hunter 2021-12-20 20:04 ` Pavel Machek ` (3 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Jon Hunter @ 2021-12-20 18:25 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli, stable, linux-tegra On Mon, 20 Dec 2021 15:34:01 +0100, Greg Kroah-Hartman wrote: > This is the start of the stable review cycle for the 4.4.296 release. > There are 23 patches in this series, all will be posted as a response > to this one. If anyone has any issues with these being applied, please > let me know. > > Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000. > Anything received after that time might be too late. > > The whole patch series can be found in one patch at: > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.296-rc1.gz > or in the git tree and branch at: > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y > and the diffstat can be found below. > > thanks, > > greg k-h All tests passing for Tegra ... Test results for stable-v4.4: 6 builds: 6 pass, 0 fail 12 boots: 12 pass, 0 fail 30 tests: 30 pass, 0 fail Linux version: 4.4.296-rc1-gf46f7fed4810 Boards tested: tegra124-jetson-tk1, tegra20-ventana, tegra30-cardhu-a04 Tested-by: Jon Hunter <jonathanh@nvidia.com> Jon ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [PATCH 4.4 00/23] 4.4.296-rc1 review 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (23 preceding siblings ...) 2021-12-20 18:25 ` [PATCH 4.4 00/23] 4.4.296-rc1 review Jon Hunter @ 2021-12-20 20:04 ` Pavel Machek 2021-12-20 23:19 ` Shuah Khan ` (2 subsequent siblings) 27 siblings, 0 replies; 29+ messages in thread From: Pavel Machek @ 2021-12-20 20:04 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: linux-kernel, torvalds, akpm, linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli, stable [-- Attachment #1: Type: text/plain, Size: 659 bytes --] Hi! > This is the start of the stable review cycle for the 4.4.296 release. > There are 23 patches in this series, all will be posted as a response > to this one. If anyone has any issues with these being applied, please > let me know. CIP testing did not find any problems here: https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.4.y Tested-by: Pavel Machek (CIP) <pavel@denx.de> Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [PATCH 4.4 00/23] 4.4.296-rc1 review 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (24 preceding siblings ...) 2021-12-20 20:04 ` Pavel Machek @ 2021-12-20 23:19 ` Shuah Khan 2021-12-21 17:34 ` Naresh Kamboju 2021-12-21 23:11 ` Guenter Roeck 27 siblings, 0 replies; 29+ messages in thread From: Shuah Khan @ 2021-12-20 23:19 UTC (permalink / raw) To: Greg Kroah-Hartman, linux-kernel Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli, stable, Shuah Khan On 12/20/21 7:34 AM, Greg Kroah-Hartman wrote: > This is the start of the stable review cycle for the 4.4.296 release. > There are 23 patches in this series, all will be posted as a response > to this one. If anyone has any issues with these being applied, please > let me know. > > Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000. > Anything received after that time might be too late. > > The whole patch series can be found in one patch at: > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.296-rc1.gz > or in the git tree and branch at: > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y > and the diffstat can be found below. > > thanks, > > greg k-h > Compiled and booted on my test system. No dmesg regressions. Tested-by: Shuah Khan <skhan@linuxfoundation.org> thanks, -- Shuah ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [PATCH 4.4 00/23] 4.4.296-rc1 review 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (25 preceding siblings ...) 2021-12-20 23:19 ` Shuah Khan @ 2021-12-21 17:34 ` Naresh Kamboju 2021-12-21 23:11 ` Guenter Roeck 27 siblings, 0 replies; 29+ messages in thread From: Naresh Kamboju @ 2021-12-21 17:34 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: linux-kernel, shuah, f.fainelli, patches, lkft-triage, jonathanh, stable, pavel, akpm, torvalds, linux On Mon, 20 Dec 2021 at 20:07, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote: > > This is the start of the stable review cycle for the 4.4.296 release. > There are 23 patches in this series, all will be posted as a response > to this one. If anyone has any issues with these being applied, please > let me know. > > Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000. > Anything received after that time might be too late. > > The whole patch series can be found in one patch at: > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.296-rc1.gz > or in the git tree and branch at: > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y > and the diffstat can be found below. > > thanks, > > greg k-h Results from Linaro’s test farm. No regressions on arm64, arm, x86_64, and i386. Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> ## Build * kernel: 4.4.296-rc1 * git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc * git branch: linux-4.4.y * git commit: f46f7fed481068d1389efbf0122c45cb9f36480d * git describe: v4.4.295-24-gf46f7fed4810 * test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.4.y/build/v4.4.295-24-gf46f7fed4810 ## No Test Regressions (compared to v4.4.295-6-ge478503b16a3) ## No Test Fixes (compared to v4.4.295-6-ge478503b16a3) ## Test result summary total: 46356, pass: 37461, fail: 177, skip: 7721, xfail: 997 ## Build Summary * arm: 129 total, 129 passed, 0 failed * arm64: 31 total, 31 passed, 0 failed * i386: 18 total, 18 passed, 0 failed * juno-r2: 1 total, 1 passed, 0 failed * mips: 22 total, 22 passed, 0 failed * sparc: 12 total, 12 passed, 0 failed * x15: 1 total, 1 passed, 0 failed * x86: 1 total, 1 passed, 0 failed * x86_64: 30 total, 24 passed, 6 failed ## Test suites summary * fwts * kselftest-android * kselftest-bpf * kselftest-capabilities * kselftest-cgroup * kselftest-clone3 * kselftest-core * kselftest-cpu-hotplug * kselftest-cpufreq * kselftest-efivarfs * kselftest-filesystems * kselftest-firmware * kselftest-fpu * kselftest-futex * kselftest-gpio * kselftest-intel_pstate * kselftest-ipc * kselftest-ir * kselftest-kcmp * kselftest-kexec * kselftest-kvm * kselftest-lib * kselftest-livepatch * kselftest-membarrier * kselftest-ptrace * kselftest-rseq * kselftest-rtc * kselftest-seccomp * kselftest-sigaltstack * kselftest-size * kselftest-splice * kselftest-static_keys * kselftest-sync * kselftest-sysctl * kselftest-timens * kselftest-timers * kselftest-tmpfs * kselftest-tpm2 * kselftest-user * kselftest-vm * kselftest-x86 * kselftest-zram * kvm-unit-tests * libhugetlbfs * linux-log-parser * ltp-cap_bounds-tests * ltp-commands-tests * ltp-containers-tests * ltp-controllers-tests * ltp-cpuhotplug-tests * ltp-crypto-tests * ltp-cve-tests * ltp-dio-tests * ltp-fcntl-locktests-tests * ltp-filecaps-tests * ltp-fs-tests * ltp-fs_bind-tests * ltp-fs_perms_simple-tests * ltp-fsx-tests * ltp-hugetlb-tests * ltp-io-tests * ltp-ipc-tests * ltp-math-tests * ltp-mm-tests * ltp-nptl-tests * ltp-open-posix-tests * ltp-pty-tests * ltp-sched-tests * ltp-securebits-tests * ltp-syscalls-tests * ltp-tracing-tests * network-basic-tests * packetdrill * perf * ssuite * v4l2-compliance -- Linaro LKFT https://lkft.linaro.org ^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [PATCH 4.4 00/23] 4.4.296-rc1 review 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman ` (26 preceding siblings ...) 2021-12-21 17:34 ` Naresh Kamboju @ 2021-12-21 23:11 ` Guenter Roeck 27 siblings, 0 replies; 29+ messages in thread From: Guenter Roeck @ 2021-12-21 23:11 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli, stable On Mon, Dec 20, 2021 at 03:34:01PM +0100, Greg Kroah-Hartman wrote: > This is the start of the stable review cycle for the 4.4.296 release. > There are 23 patches in this series, all will be posted as a response > to this one. If anyone has any issues with these being applied, please > let me know. > > Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000. > Anything received after that time might be too late. > Build results: total: 160 pass: 160 fail: 0 Qemu test results: total: 339 pass: 339 fail: 0 Tested-by: Guenter Roeck <linux@roeck-us.net> Guenter ^ permalink raw reply [flat|nested] 29+ messages in thread
end of thread, other threads:[~2021-12-21 23:11 UTC | newest] Thread overview: 29+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-12-20 14:34 [PATCH 4.4 00/23] 4.4.296-rc1 review Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 01/23] nfc: fix segfault in nfc_genl_dump_devices_done Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 02/23] parisc/agp: Annotate parisc agp init functions with __init Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 03/23] i2c: rk3x: Handle a spurious start completion interrupt flag Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 04/23] net: netlink: af_netlink: Prevent empty skb by adding a check on len Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 05/23] hwmon: (dell-smm) Fix warning on /proc/i8k creation error Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 06/23] mac80211: send ADDBA requests using the tid/queue of the aggregation session Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 07/23] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 08/23] dm btree remove: fix use after free in rebalance_children() Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 09/23] nfsd: fix use-after-free due to delegation race Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 10/23] soc/tegra: fuse: Fix bitwise vs. logical OR warning Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 11/23] igbvf: fix double free in `igbvf_probe` Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 12/23] USB: gadget: bRequestType is a bitfield, not a enum Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 13/23] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 14/23] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 15/23] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 16/23] net: systemport: Add global locking for descriptor lifecycle Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 17/23] net: lan78xx: Avoid unnecessary self assignment Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 18/23] ARM: 8805/2: remove unneeded naked function usage Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 19/23] Input: touchscreen - avoid bitwise vs logical OR warning Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 20/23] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 21/23] xen/netfront: harden netfront " Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 22/23] xen/console: harden hvc_xen " Greg Kroah-Hartman 2021-12-20 14:34 ` [PATCH 4.4 23/23] xen/netback: dont queue unlimited number of packages Greg Kroah-Hartman 2021-12-20 18:25 ` [PATCH 4.4 00/23] 4.4.296-rc1 review Jon Hunter 2021-12-20 20:04 ` Pavel Machek 2021-12-20 23:19 ` Shuah Khan 2021-12-21 17:34 ` Naresh Kamboju 2021-12-21 23:11 ` Guenter Roeck
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.