* [PATCH 3.16 104/192] MIPS: Negate error syscall return in trace
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 015/192] Documentation: DMA API: fix a typo in a function name Ben Hutchings
` (191 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Ingo Molnar, James Hogan, linux-mips, Ralf Baechle, Steven Rostedt
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 4f32a39d49b25eaa66d2420f1f03d371ea4cd906 upstream.
The sys_exit trace event takes a single return value for the system
call, which MIPS passes the value of the $v0 (result) register, however
MIPS returns positive error codes in $v0 with $a3 specifying that $v0
contains an error code. As a result erroring system calls are traced
returning positive error numbers that can't always be distinguished from
success.
Use regs_return_value() to negate the error code if $a3 is set.
Fixes: 1d7bf993e073 ("MIPS: ftrace: Add support for syscall tracepoints.")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16651/
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/ptrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -804,7 +804,7 @@ asmlinkage void syscall_trace_leave(stru
audit_syscall_exit(regs);
if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
- trace_sys_exit(regs, regs->regs[2]);
+ trace_sys_exit(regs, regs_return_value(regs));
if (test_thread_flag(TIF_SYSCALL_TRACE))
tracehook_report_syscall_exit(regs, 0);
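Review bot: the replacement call `trace_sys_exit(regs, regs_return_value(regs))` depends on a helper whose definition is not part of this hunk, so the backport should be checked against the 3.16 tree to confirm that regs_return_value() there already tests $a3 and negates $v0 as the changelog describes. A one-line comment above the call saying that the tracepoint receives the negated error would also help, since audit_syscall_exit(regs) and tracehook_report_syscall_exit(regs, 0) on the neighbouring lines are handed the raw register set.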
* [PATCH 3.16 015/192] Documentation: DMA API: fix a typo in a function name
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jonathan Corbet, Wolfram Sang
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
commit 6a08d83e4324fcb23994dfd481acedf49e37cc06 upstream.
Correct the typo, the wrongly typed function does not exist.
Fixes: 6c9c6d6301287e ("dma-debug: New interfaces to debug dma mapping errors")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Documentation/DMA-API.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/DMA-API.txt
+++ b/Documentation/DMA-API.txt
@@ -691,7 +691,7 @@ of preallocated entries is defined per a
boot with 'dma_debug_entries=<your_desired_number>' to overwrite the
architectural default.
-void debug_dmap_mapping_error(struct device *dev, dma_addr_t dma_addr);
+void debug_dma_mapping_error(struct device *dev, dma_addr_t dma_addr);
dma-debug interface debug_dma_mapping_error() to debug drivers that fail
to check DMA mapping errors on addresses returned by dma_map_single() and
* [PATCH 3.16 071/192] MIPS: Fix unaligned PC interpretation in `compute_return_epc'
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Maciej W. Rozycki, Ralf Baechle, linux-mips, James Hogan
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Maciej W. Rozycki" <macro@imgtec.com>
commit 11a3799dbeb620bf0400b1fda5cc2c6bea55f20a upstream.
Fix a regression introduced with commit fb6883e5809c ("MIPS: microMIPS:
Support handling of delay slots.") and defer to `__compute_return_epc'
if the ISA bit is set in EPC with non-MIPS16, non-microMIPS hardware,
which will then arrange for a SIGBUS due to an unaligned instruction
reference. Returning EPC here is never correct as the API defines this
function's result to be either a negative error code on failure or one
of 0 and BRANCH_LIKELY_TAKEN on success.
Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.")
Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16395/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/include/asm/branch.h | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/arch/mips/include/asm/branch.h
+++ b/arch/mips/include/asm/branch.h
@@ -74,10 +74,7 @@ static inline int compute_return_epc(str
return __microMIPS_compute_return_epc(regs);
if (cpu_has_mips16)
return __MIPS16e_compute_return_epc(regs);
- return regs->cp0_epc;
- }
-
- if (!delay_slot(regs)) {
+ } else if (!delay_slot(regs)) {
regs->cp0_epc += 4;
return 0;
}
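Review bot: with `return regs->cp0_epc;` removed, the first branch now ends without returning when neither the microMIPS nor the MIPS16 test matches, and control silently skips the `} else if (!delay_slot(regs)) {` arm and continues with the code after this hunk. That fall-through is the whole fix, so it deserves a short comment at the end of the branch stating that the unaligned-EPC case is deliberately handed on to `__compute_return_epc`, which the changelog says results in SIGBUS; without it a later cleanup could reintroduce an early return.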
* [PATCH 3.16 077/192] PCI/PM: Restore the status of PCI devices across hibernation
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Bjorn Helgaas, Ying Huang, Chen Yu, Rafael J. Wysocki,
Rui Zhang, Dan Williams, Len Brown
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chen Yu <yu.c.chen@intel.com>
commit e60514bd4485c0c7c5a7cf779b200ce0b95c70d6 upstream.
Currently we saw a lot of "No irq handler" errors during hibernation, which
caused the system hang finally:
ata4.00: qc timeout (cmd 0xec)
ata4.00: failed to IDENTIFY (I/O error, err_mask=0x4)
ata4.00: revalidation failed (errno=-5)
ata4: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
do_IRQ: 31.151 No irq handler for vector
According to above logs, there is an interrupt triggered and it is
dispatched to CPU31 with a vector number 151, but there is no handler for
it, thus this IRQ will not get acked and will cause an IRQ flood which
kills the system. To be more specific, the 31.151 is an interrupt from the
AHCI host controller.
After some investigation, the reason why this issue is triggered is because
the thaw_noirq() function does not restore the MSI/MSI-X settings across
hibernation.
The scenario is illustrated below:
1. Before hibernation, IRQ 34 is the handler for the AHCI device, which
is bound to CPU31.
2. Hibernation starts, the AHCI device is put into low power state.
3. All the nonboot CPUs are put offline, so IRQ 34 has to be migrated to
the last alive one - CPU0.
4. After the snapshot has been created, all the nonboot CPUs are brought
up again; IRQ 34 remains bound to CPU0.
5. AHCI devices are put into D0.
6. The snapshot is written to the disk.
The issue is triggered in step 6. The AHCI interrupt should be delivered
to CPU0, however it is delivered to the original CPU31 instead, which
causes the "No irq handler" issue.
Ying Huang has provided a clue that, in step 3 it is possible that writing
to the register might not take effect as the PCI devices have been
suspended.
In step 3, the IRQ 34 affinity should be modified from CPU31 to CPU0, but
in fact it is not. In __pci_write_msi_msg(), if the device is already in
low power state, the low level MSI message entry will not be updated but
cached. During the device restore process after a normal suspend/resume,
pci_restore_msi_state() writes the cached MSI back to the hardware.
But this is not the case for hibernation. pci_restore_msi_state() is not
currently called in pci_pm_thaw_noirq(), although pci_save_state() has
saved the necessary PCI cached information in pci_pm_freeze_noirq().
Restore the PCI status for the device during hibernation. Otherwise the
status might be lost across hibernation (for example, settings for MSI,
MSI-X, ATS, ACS, IOV, etc.), which might cause problems during hibernation.
Suggested-by: Ying Huang <ying.huang@intel.com>
Suggested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Len Brown <len.brown@intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Rui Zhang <rui.zhang@intel.com>
Cc: Ying Huang <ying.huang@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/pci/pci-driver.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -922,6 +922,7 @@ static int pci_pm_thaw_noirq(struct devi
return pci_legacy_resume_early(dev);
pci_update_current_state(pci_dev, PCI_D0);
+ pci_restore_state(pci_dev);
if (drv && drv->pm && drv->pm->thaw_noirq)
error = drv->pm->thaw_noirq(dev);
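Review bot: `pci_restore_state(pci_dev)` is added below the `return pci_legacy_resume_early(dev);` exit, so devices that take the legacy path leave this function without the cached state being written back; please confirm that the legacy helper covers the MSI/MSI-X case described in the changelog. The new call also sits before `drv->pm->thaw_noirq(dev)`, and a brief comment noting that the driver callback may rely on the restored configuration would document why the order matters.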
* [PATCH 3.16 128/192] f2fs: Don't clear SGID when inheriting ACLs
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jaegeuk Kim, Chao Yu, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit c925dc162f770578ff4a65ec9b08270382dba9e6 upstream.
This patch copies commit b7f8a09f80:
"btrfs: Don't clear SGID when inheriting ACLs" written by Jan.
Fixes: 073931017b49d9458aa351605b43a7e34598caef
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/f2fs/acl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -212,7 +212,7 @@ static int __f2fs_set_acl(struct inode *
switch (type) {
case ACL_TYPE_ACCESS:
name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
- if (acl) {
+ if (acl && !ipage) {
error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
if (error)
return error;
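Review bot: the new condition `if (acl && !ipage)` gives no hint of why a non-NULL ipage means posix_acl_update_mode() must be skipped, and the changelog only points at the btrfs commit. A comment above the test saying which caller passes ipage, and that the mode (SGID included) must not be recomputed from the ACL on that path, would keep this permission-relevant check from being simplified away later.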
* [PATCH 3.16 056/192] MIPS: module: Ensure we always clean up r_mips_hi16_list
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Paul Burton, linux-mips, Ralf Baechle
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Burton <paul.burton@imgtec.com>
commit 351b0940d473146923711bc943fc881354a4c1f3 upstream.
If we hit an error whilst processing a reloc then we would return early
from apply_relocate & potentially not free entries in r_mips_hi16_list,
thereby leaking memory. Fix this by ensuring that we always run the code
to free r_mips_hi16_list when errors occur.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Fixes: 861667dc82f5 ("MIPS: Fix race condition in module relocation code.")
Fixes: 04211a574641 ("MIPS: Bail on unsupported module relocs")
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15831/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/module.c | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
--- a/arch/mips/kernel/module.c
+++ b/arch/mips/kernel/module.c
@@ -202,7 +202,7 @@ int apply_relocate(Elf_Shdr *sechdrs, co
u32 *location;
unsigned int i, type;
Elf_Addr v;
- int res;
+ int err = 0;
pr_debug("Applying relocate section %u to %u\n", relsec,
sechdrs[relsec].sh_info);
@@ -221,7 +221,8 @@ int apply_relocate(Elf_Shdr *sechdrs, co
continue;
printk(KERN_WARNING "%s: Unknown symbol %s\n",
me->name, strtab + sym->st_name);
- return -ENOENT;
+ err = -ENOENT;
+ goto out;
}
type = ELF_MIPS_R_TYPE(rel[i]);
@@ -234,29 +235,32 @@ int apply_relocate(Elf_Shdr *sechdrs, co
if (!handler) {
pr_err("%s: Unknown relocation type %u\n",
me->name, type);
- return -EINVAL;
+ err = -EINVAL;
+ goto out;
}
v = sym->st_value;
- res = handler(me, location, v);
- if (res)
- return res;
+ err = handler(me, location, v);
+ if (err)
+ goto out;
}
+out:
/*
- * Normally the hi16 list should be deallocated at this point. A
+ * Normally the hi16 list should be deallocated at this point. A
* malformed binary however could contain a series of R_MIPS_HI16
- * relocations not followed by a R_MIPS_LO16 relocation. In that
- * case, free up the list and return an error.
+ * relocations not followed by a R_MIPS_LO16 relocation, or if we hit
+ * an error processing a reloc we might have gotten here before
+ * reaching the R_MIPS_LO16. In either case, free up the list and
+ * return an error.
*/
if (me->arch.r_mips_hi16_list) {
free_relocation_chain(me->arch.r_mips_hi16_list);
me->arch.r_mips_hi16_list = NULL;
-
- return -ENOEXEC;
+ err = err ?: -ENOEXEC;
}
- return 0;
+ return err;
}
/* Given an address, look for it in the module exception tables. */
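Review bot: in the block after `out:`, the `err = err ?: -ENOEXEC;` case rejects a module with unmatched R_MIPS_HI16 entries without logging anything, whereas the other failure paths visible in this patch print via printk()/pr_err() before `goto out`. Consider a pr_err() naming the module when the list is non-empty and err is still 0, so a malformed relocation section can be told apart from other load failures. The first changed comment line also appears to differ only in whitespace, which adds noise to a stable backport.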
* [PATCH 3.16 013/192] Fix serial console on SNI RM400 machines
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Russell King - ARM Linux, Thomas Bogendoerfer, Greg Kroah-Hartman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
commit e279e6d98e0cf2c2fe008b3c29042b92f0e17b1d upstream.
sccnxp driver doesn't get the correct uart clock rate, if CONFIG_HAVE_CLOCK
is disabled. Correct usage of clk API to make it work with/without it.
Fixes: 90efa75f7ab0 (serial: sccnxp: Using CLK API for getting UART clock)
Suggested-by: Russell King - ARM Linux <linux@armlinux.org.uk>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/serial/sccnxp.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/tty/serial/sccnxp.c
+++ b/drivers/tty/serial/sccnxp.c
@@ -890,14 +890,19 @@ static int sccnxp_probe(struct platform_
clk = devm_clk_get(&pdev->dev, NULL);
if (IS_ERR(clk)) {
- if (PTR_ERR(clk) == -EPROBE_DEFER) {
- ret = -EPROBE_DEFER;
+ ret = PTR_ERR(clk);
+ if (ret == -EPROBE_DEFER)
goto err_out;
- }
+ uartclk = 0;
+ } else {
+ clk_prepare_enable(clk);
+ uartclk = clk_get_rate(clk);
+ }
+
+ if (!uartclk) {
dev_notice(&pdev->dev, "Using default clock frequency\n");
uartclk = s->chip->freq_std;
- } else
- uartclk = clk_get_rate(clk);
+ }
/* Check input frequency */
if ((uartclk < s->chip->freq_min) || (uartclk > s->chip->freq_max)) {
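Review bot: `clk_prepare_enable(clk);` in the new else branch ignores its return value, so a clock that failed to enable still has its rate read by `clk_get_rate(clk)` and used as uartclk. Check the result and either fail the probe or fall back to `s->chip->freq_std`. The hunk also adds no matching disable, so the error and remove paths of the driver should be checked for a clk_disable_unprepare() call.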
* [PATCH 3.16 060/192] ath9k: fix tx99 use after free
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Kalle Valo, Miaoqing Pan
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqing Pan <miaoqing@codeaurora.org>
commit cf8ce1ea61b75712a154c93e40f2a5af2e4dd997 upstream.
One scenario that could lead to UAF is two threads writing
simultaneously to the "tx99" debug file. One of them would
set the "start" value to true and follow to ath9k_tx99_init().
Inside the function it would set the sc->tx99_state to true
after allocating sc->tx99skb. Then, the other thread would
execute write_file_tx99() and call ath9k_tx99_deinit().
sc->tx99_state would be freed. After that, the first thread
would continue inside ath9k_tx99_init() and call
r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl);
that would make use of the freed sc->tx99_skb memory.
Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/ath/ath9k/tx99.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/drivers/net/wireless/ath/ath9k/tx99.c
+++ b/drivers/net/wireless/ath/ath9k/tx99.c
@@ -184,22 +184,27 @@ static ssize_t write_file_tx99(struct fi
if (strtobool(buf, &start))
return -EINVAL;
+ mutex_lock(&sc->mutex);
+
if (start == sc->tx99_state) {
if (!start)
- return count;
+ goto out;
ath_dbg(common, XMIT, "Resetting TX99\n");
ath9k_tx99_deinit(sc);
}
if (!start) {
ath9k_tx99_deinit(sc);
- return count;
+ goto out;
}
r = ath9k_tx99_init(sc);
- if (r)
+ if (r) {
+ mutex_unlock(&sc->mutex);
return r;
-
+ }
+out:
+ mutex_unlock(&sc->mutex);
return count;
}
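Review bot: the failure branch after `r = ath9k_tx99_init(sc);` carries its own `mutex_unlock(&sc->mutex)` while every other exit goes through `out:`, which is the layout that tends to lose an unlock when another exit is added later. A single `ssize_t ret = count;` with `ret = r; goto out;` on failure would leave one unlock site and one return. The lock placement itself looks right: it is taken after the `strtobool()` early return and covers both the deinit and the init call.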
* [PATCH 3.16 006/192] sched/topology: Fix overlapping sched_group_capacity
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Ingo Molnar, Mike Galbraith,
Thomas Gleixner, Peter Zijlstra
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 1676330ecfa840113a37b25a49afda068380d19c upstream.
When building the overlapping groups we need to attach a consistent
sched_group_capacity structure. That is, all 'identical' sched_group's
should have the _same_ sched_group_capacity.
This can (once again) be demonstrated with a topology like:
node 0 1 2 3
0: 10 20 30 20
1: 20 10 20 30
2: 30 20 10 20
3: 20 30 20 10
But we need at least 2 CPUs per node for this to show up, after all,
if there is only one CPU per node, our CPU @i is per definition a
unique CPU that reaches this domain (aka balance-cpu).
Given the above NUMA topo and 2 CPUs per node:
[] CPU0 attaching sched-domain(s):
[] domain-0: span=0,4 level=DIE
[] groups: 0:{ span=0 }, 4:{ span=4 }
[] domain-1: span=0-1,3-5,7 level=NUMA
[] groups: 0:{ span=0,4 mask=0,4 cap=2048 }, 1:{ span=1,5 mask=1,5 cap=2048 }, 3:{ span=3,7 mask=3,7 cap=2048 }
[] domain-2: span=0-7 level=NUMA
[] groups: 0:{ span=0-1,3-5,7 mask=0,4 cap=6144 }, 2:{ span=1-3,5-7 mask=2,6 cap=6144 }
[] CPU1 attaching sched-domain(s):
[] domain-0: span=1,5 level=DIE
[] groups: 1:{ span=1 }, 5:{ span=5 }
[] domain-1: span=0-2,4-6 level=NUMA
[] groups: 1:{ span=1,5 mask=1,5 cap=2048 }, 2:{ span=2,6 mask=2,6 cap=2048 }, 4:{ span=0,4 mask=0,4 cap=2048 }
[] domain-2: span=0-7 level=NUMA
[] groups: 1:{ span=0-2,4-6 mask=1,5 cap=6144 }, 3:{ span=0,2-4,6-7 mask=3,7 cap=6144 }
Observe how CPU0-domain1-group0 and CPU1-domain1-group4 are the
'same' but have a different id (0 vs 4).
To fix this, use the group balance CPU to select the SGC. This means
we have to compute the full mask for each CPU and require a second
temporary mask to store the group mask in (it otherwise lives in the
SGC).
The fixed topology looks like:
[] CPU0 attaching sched-domain(s):
[] domain-0: span=0,4 level=DIE
[] groups: 0:{ span=0 }, 4:{ span=4 }
[] domain-1: span=0-1,3-5,7 level=NUMA
[] groups: 0:{ span=0,4 mask=0,4 cap=2048 }, 1:{ span=1,5 mask=1,5 cap=2048 }, 3:{ span=3,7 mask=3,7 cap=2048 }
[] domain-2: span=0-7 level=NUMA
[] groups: 0:{ span=0-1,3-5,7 mask=0,4 cap=6144 }, 2:{ span=1-3,5-7 mask=2,6 cap=6144 }
[] CPU1 attaching sched-domain(s):
[] domain-0: span=1,5 level=DIE
[] groups: 1:{ span=1 }, 5:{ span=5 }
[] domain-1: span=0-2,4-6 level=NUMA
[] groups: 1:{ span=1,5 mask=1,5 cap=2048 }, 2:{ span=2,6 mask=2,6 cap=2048 }, 0:{ span=0,4 mask=0,4 cap=2048 }
[] domain-2: span=0-7 level=NUMA
[] groups: 1:{ span=0-2,4-6 mask=1,5 cap=6144 }, 3:{ span=0,2-4,6-7 mask=3,7 cap=6144 }
Debugged-by: Lauro Ramos Venancio <lvenanci@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Fixes: e3589f6c81e4 ("sched: Allow for overlapping sched_domain spans")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sched/core.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5298,6 +5298,7 @@ early_initcall(migration_init);
#ifdef CONFIG_SMP
static cpumask_var_t sched_domains_tmpmask; /* sched_domains_mutex */
+cpumask_var_t sched_domains_tmpmask2;
#ifdef CONFIG_SCHED_DEBUG
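Review bot: `cpumask_var_t sched_domains_tmpmask2;` is declared without `static` and without the `/* sched_domains_mutex */` annotation that the adjacent `sched_domains_tmpmask` carries. If nothing outside this file uses it in the 3.16 backport, make it static, and in either case repeat the locking annotation, since it is scratch space shared by every caller of init_overlap_sched_group().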
@@ -5778,13 +5779,16 @@ enum s_alloc {
* Only CPUs that can arrive at this group should be considered to continue
* balancing.
*/
-static void build_group_mask(struct sched_domain *sd, struct sched_group *sg)
+static void
+build_group_mask(struct sched_domain *sd, struct sched_group *sg, struct cpumask *mask)
{
const struct cpumask *span = sched_domain_span(sd);
struct sd_data *sdd = sd->private;
struct sched_domain *sibling;
int i;
+ cpumask_clear(mask);
+
for_each_cpu(i, span) {
sibling = *per_cpu_ptr(sdd->sd, i);
@@ -5800,11 +5804,11 @@ static void build_group_mask(struct sche
if (!cpumask_equal(span, sched_domain_span(sibling->child)))
continue;
- cpumask_set_cpu(i, sched_group_mask(sg));
+ cpumask_set_cpu(i, mask);
}
/* We must not have empty masks here */
- WARN_ON_ONCE(cpumask_empty(sched_group_mask(sg)));
+ WARN_ON_ONCE(cpumask_empty(mask));
}
/*
@@ -5838,14 +5842,19 @@ build_group_from_child_sched_domain(stru
}
static void init_overlap_sched_group(struct sched_domain *sd,
- struct sched_group *sg, int cpu)
+ struct sched_group *sg)
{
+ struct cpumask *mask = sched_domains_tmpmask2;
struct sd_data *sdd = sd->private;
struct cpumask *sg_span;
+ int cpu;
+
+ build_group_mask(sd, sg, mask);
+ cpu = cpumask_first_and(sched_group_cpus(sg), mask);
sg->sgc = *per_cpu_ptr(sdd->sgc, cpu);
if (atomic_inc_return(&sg->sgc->ref) == 1)
- build_group_mask(sd, sg);
+ cpumask_copy(sched_group_mask(sg), mask);
/*
* Initialize sgc->capacity such that even if we mess up the
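Review bot: `cpu = cpumask_first_and(sched_group_cpus(sg), mask);` feeds `per_cpu_ptr(sdd->sgc, cpu)` with no check that the intersection is non-empty, and cpumask_first_and() returns a value >= nr_cpu_ids when it is. build_group_mask() only warns when mask itself is empty, which does not guarantee an overlap with the group's CPUs. A `WARN_ON_ONCE(cpu >= nr_cpu_ids)` before the per-CPU lookup, or a comment explaining why the overlap is guaranteed, would close that gap.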
@@ -5888,7 +5897,7 @@ build_overlap_sched_groups(struct sched_
sg_span = sched_group_cpus(sg);
cpumask_or(covered, covered, sg_span);
- init_overlap_sched_group(sd, sg, i);
+ init_overlap_sched_group(sd, sg);
/*
* Make sure the first group of this domain contains the
@@ -7147,6 +7156,7 @@ void __init sched_init(void)
#ifdef CONFIG_SMP
zalloc_cpumask_var(&sched_domains_tmpmask, GFP_NOWAIT);
+ zalloc_cpumask_var(&sched_domains_tmpmask2, GFP_NOWAIT);
/* May be allocated at isolcpus cmdline parse time */
if (cpu_isolated_map == NULL)
zalloc_cpumask_var(&cpu_isolated_map, GFP_NOWAIT);
* [PATCH 3.16 032/192] PCI: Correct PCI_STD_RESOURCE_END usage
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Bjorn Helgaas
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
commit 2f686f1d9beee135de6d08caea707ec7bfc916d4 upstream.
PCI_STD_RESOURCE_END is (confusingly) the index of the last valid BAR, not
the *number* of BARs. To iterate through all possible BARs, we need to
include PCI_STD_RESOURCE_END.
Fixes: 9fe373f9997b ("PCI: Increase IBM ipr SAS Crocodile BARs to at least system page size")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/pci/quirks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -293,7 +293,7 @@ static void quirk_extend_bar_to_page(str
{
int i;
- for (i = 0; i < PCI_STD_RESOURCE_END; i++) {
+ for (i = 0; i <= PCI_STD_RESOURCE_END; i++) {
struct resource *r = &dev->resource[i];
if (r->flags & IORESOURCE_MEM && resource_size(r) < PAGE_SIZE) {
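Review bot: the loop bound `i <= PCI_STD_RESOURCE_END` is correct only because the macro is an inclusive index, which the changelog itself calls confusing. A short comment on the `for` line saying that PCI_STD_RESOURCE_END is the last valid BAR index would stop the `<=` from being "corrected" back to `<` by a later reader.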
* [PATCH 3.16 055/192] MIPS: Bail on unsupported module relocs
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, linux-mips, Ralf Baechle, James Hogan, Andrey Ryabinin,
Paul Burton, Steven J. Hill
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Burton <paul.burton@imgtec.com>
commit 04211a574641e29b529dcc84e75c03d7e9e368cf upstream.
When an unsupported reloc is encountered in a module, we currently
blindly branch to whatever would be at its entry in the reloc handler
function pointer arrays. This may be NULL, or if the unsupported reloc
has a type greater than that of the supported reloc with the highest
type then we'll dereference some value after the function pointer array
& branch to that. The result is at best a kernel oops.
Fix this by checking that the reloc type has an entry in the function
pointer array (ie. is less than the number of items in the array) and
that the handler is non-NULL, returning an error code to fail the module
load if no handler is found.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/12432/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/module-rela.c | 19 ++++++++++++++++---
arch/mips/kernel/module.c | 19 ++++++++++++++++---
2 files changed, 32 insertions(+), 6 deletions(-)
--- a/arch/mips/kernel/module-rela.c
+++ b/arch/mips/kernel/module-rela.c
@@ -109,9 +109,10 @@ int apply_relocate_add(Elf_Shdr *sechdrs
struct module *me)
{
Elf_Mips_Rela *rel = (void *) sechdrs[relsec].sh_addr;
+ int (*handler)(struct module *me, u32 *location, Elf_Addr v);
Elf_Sym *sym;
u32 *location;
- unsigned int i;
+ unsigned int i, type;
Elf_Addr v;
int res;
@@ -134,9 +135,21 @@ int apply_relocate_add(Elf_Shdr *sechdrs
return -ENOENT;
}
- v = sym->st_value + rel[i].r_addend;
+ type = ELF_MIPS_R_TYPE(rel[i]);
+
+ if (type < ARRAY_SIZE(reloc_handlers_rela))
+ handler = reloc_handlers_rela[type];
+ else
+ handler = NULL;
- res = reloc_handlers_rela[ELF_MIPS_R_TYPE(rel[i])](me, location, v);
+ if (!handler) {
+ pr_err("%s: Unknown relocation type %u\n",
+ me->name, type);
+ return -EINVAL;
+ }
+
+ v = sym->st_value + rel[i].r_addend;
+ res = handler(me, location, v);
if (res)
return res;
}
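Review bot: the lookup-and-reject sequence from `type = ELF_MIPS_R_TYPE(rel[i]);` down to `return -EINVAL;` is repeated in module.c's apply_relocate() with only the table name changed. A small helper that takes the table and its size would keep the bounds check in one place so the Rel and Rela loaders cannot drift apart. The check itself is sound: `type` is unsigned, so `type < ARRAY_SIZE(reloc_handlers_rela)` rejects every out-of-range value.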
--- a/arch/mips/kernel/module.c
+++ b/arch/mips/kernel/module.c
@@ -197,9 +197,10 @@ int apply_relocate(Elf_Shdr *sechdrs, co
struct module *me)
{
Elf_Mips_Rel *rel = (void *) sechdrs[relsec].sh_addr;
+ int (*handler)(struct module *me, u32 *location, Elf_Addr v);
Elf_Sym *sym;
u32 *location;
- unsigned int i;
+ unsigned int i, type;
Elf_Addr v;
int res;
@@ -223,9 +224,21 @@ int apply_relocate(Elf_Shdr *sechdrs, co
return -ENOENT;
}
- v = sym->st_value;
+ type = ELF_MIPS_R_TYPE(rel[i]);
+
+ if (type < ARRAY_SIZE(reloc_handlers_rel))
+ handler = reloc_handlers_rel[type];
+ else
+ handler = NULL;
- res = reloc_handlers_rel[ELF_MIPS_R_TYPE(rel[i])](me, location, v);
+ if (!handler) {
+ pr_err("%s: Unknown relocation type %u\n",
+ me->name, type);
+ return -EINVAL;
+ }
+
+ v = sym->st_value;
+ res = handler(me, location, v);
if (res)
return res;
}
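Review bot: the new `return -EINVAL;` for an unknown relocation type leaves apply_relocate() from inside the loop, as the existing `return -ENOENT;` and `return res;` do, so it bypasses whatever cleanup follows the loop. Patch 056/192 in this series states that these early returns can leave r_mips_hi16_list entries unfreed and converts them to `goto out`; the two patches should be applied together, or this hunk should route through the cleanup itself.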
^ permalink raw reply [flat|nested] 196+ messages in thread
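Added example, not part of the patches or of the kernel source: a user-space C model of the relocation loop that patches 055/192 and 056/192 harden, combining the bounds-and-NULL check on the handler table with the single `out:` cleanup of the pending HI16 list. All `demo_`/`DEMO_` names, the slot guard and the sample relocation values are constructed for illustration, and the HI16/LO16 arithmetic is simplified (no in-place addend).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model, not kernel code; all demo_ and DEMO_ names are hypothetical. */
#define DEMO_ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
enum { DEMO_R_HI16 = 5, DEMO_R_LO16 = 6 };

struct demo_hi16 { struct demo_hi16 *next; uint32_t *addr; };
struct demo_module { struct demo_hi16 *hi16_list; int live; /* nodes not yet freed */ };
struct demo_rel { unsigned int type; unsigned int slot; uint32_t value; };
struct demo_result { int err; int leaked; uint32_t hi_word; uint32_t lo_word; };
typedef int (*demo_handler)(struct demo_module *, uint32_t *, uint32_t);

static void demo_free_chain(struct demo_module *m)
{
	while (m->hi16_list) {
		struct demo_hi16 *n = m->hi16_list;
		m->hi16_list = n->next;
		free(n);
		m->live--;
	}
}

/* HI16 cannot be resolved alone: queue the site until the paired LO16 arrives. */
static int demo_hi16(struct demo_module *m, uint32_t *loc, uint32_t v)
{
	struct demo_hi16 *n = malloc(sizeof(*n));
	(void)v;
	if (!n)
		return -ENOMEM;
	n->addr = loc;
	n->next = m->hi16_list;
	m->hi16_list = n;
	m->live++;
	return 0;
}

/* LO16 patches every queued HI16 site (with carry), frees the queue, then patches itself. */
static int demo_lo16(struct demo_module *m, uint32_t *loc, uint32_t v)
{
	for (struct demo_hi16 *n = m->hi16_list; n; n = n->next)
		*n->addr = (*n->addr & 0xffff0000u) | (((v + 0x8000u) >> 16) & 0xffffu);
	demo_free_chain(m);
	*loc = (*loc & 0xffff0000u) | (v & 0xffffu);
	return 0;
}

/* Sparse table: types 0..4 are NULL holes, anything above 6 is past the end. */
static const demo_handler demo_handlers[] = {
	[DEMO_R_HI16] = demo_hi16,
	[DEMO_R_LO16] = demo_lo16,
};

int demo_apply(struct demo_module *m, const struct demo_rel *rel, size_t n,
	       uint32_t *text, size_t words)
{
	int err = 0;

	for (size_t i = 0; i < n; i++) {
		demo_handler h = NULL;
		/* Look up only in-range types; the slot check is this model's own guard. */
		if (rel[i].slot < words && rel[i].type < DEMO_ARRAY_SIZE(demo_handlers))
			h = demo_handlers[rel[i].type];
		if (!h) {		/* NULL hole, type past the end, or bad slot */
			err = -EINVAL;
			goto out;
		}
		err = h(m, &text[rel[i].slot], rel[i].value);
		if (err)
			goto out;
	}
out:
	/* Single exit: queued nodes are released on success and on every error path. */
	if (m->hi16_list && !err)
		err = -ENOEXEC;	/* HI16 never followed by a LO16 */
	demo_free_chain(m);
	return err;
}

/* Constructed input: HI16 at word 0, then <second_type> at word 1 (n = 1 drops it). */
struct demo_result demo_load(unsigned int second_type, size_t n)
{
	struct demo_module m = { NULL, 0 };
	uint32_t text[2] = { 0x3c010000u, 0x24210000u };
	struct demo_rel rel[2] = { { DEMO_R_HI16, 0, 0x12348000u }, { second_type, 1, 0x12348000u } };
	int err = demo_apply(&m, rel, n, text, 2);
	struct demo_result r = { err, m.live, text[0], text[1] };

	return r;
}

int main(void)
{
	for (unsigned int t = 4; t <= 7; t++)
		printf("second type %u -> err=%d\n", t, demo_load(t, 2).err);
	return 0;
}
```

With the early `return` style that both patches replace, the hole and out-of-range cases would either call through an invalid pointer or leave the queued HI16 node allocated; here every rejected load reports zero leaked nodes.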
* [PATCH 3.16 007/192] mwifiex: fixup error cases in mwifiex_add_virtual_intf()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Kalle Valo, Brian Norris
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Brian Norris <briannorris@chromium.org>
commit 8535107aa4ef92520cbb9a4739563b389c5f8e2c upstream.
If we fail to add an interface in mwifiex_add_virtual_intf(), we might
hit a BUG_ON() in the networking code, because we didn't tear things
down properly. Among the problems:
(a) when failing to allocate workqueues, we fail to unregister the
netdev before calling free_netdev()
(b) even if we do try to unregister the netdev, we're still holding the
rtnl lock, so the device never properly unregistered; we'll be at
state NETREG_UNREGISTERING, and then hit free_netdev()'s:
BUG_ON(dev->reg_state != NETREG_UNREGISTERED);
(c) we're allocating some dependent resources (e.g., DFS workqueues)
after we've registered the interface; this may or may not cause
problems, but it's good practice to allocate these before registering
(d) we're not even trying to unwind anything when mwifiex_send_cmd() or
mwifiex_sta_init_cmd() fail
To fix these issues, let's:
* add a stacked set of error handling labels, to keep error handling
consistent and properly ordered (resolving (a) and (d))
* move the workqueue allocations before the registration (to resolve
(c); also resolves (b) by avoiding error cases where we have to
unregister)
[Incidentally, it's pretty easy to interrupt the alloc_workqueue() in,
e.g., the following:
iw phy phy0 interface add mlan0 type station
by sending it SIGTERM.]
This bugfix covers commits like commit 7d652034d1a0 ("mwifiex: channel
switch support for mwifiex"), but parts of this bug exist all the way
back to the introduction of dynamic interface handling in commit
93a1df48d224 ("mwifiex: add cfg80211 handlers add/del_virtual_intf").
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
- There is no workqueue allocation or cleanup needed here
- Add 'ret' variable
- Keep logging errors with wiphy_err()
- Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -2160,6 +2160,7 @@ struct wireless_dev *mwifiex_add_virtual
struct net_device *dev;
void *mdev_priv;
struct wireless_dev *wdev;
+ int ret;
if (!adapter)
return ERR_PTR(-EFAULT);
@@ -2254,8 +2255,8 @@ struct wireless_dev *mwifiex_add_virtual
priv->bss_num = 0;
if (mwifiex_cfg80211_init_p2p_client(priv)) {
- wdev = ERR_PTR(-EFAULT);
- goto done;
+ ret = -EFAULT;
+ goto err_set_bss_mode;
}
break;
@@ -2268,9 +2269,8 @@ struct wireless_dev *mwifiex_add_virtual
ether_setup, IEEE80211_NUM_ACS, 1);
if (!dev) {
wiphy_err(wiphy, "no memory available for netdevice\n");
- priv->bss_mode = NL80211_IFTYPE_UNSPECIFIED;
- wdev = ERR_PTR(-ENOMEM);
- goto done;
+ ret = -ENOMEM;
+ goto err_alloc_netdev;
}
mwifiex_init_priv_params(priv, dev);
@@ -2305,31 +2305,32 @@ struct wireless_dev *mwifiex_add_virtual
SET_NETDEV_DEV(dev, adapter->dev);
+ sema_init(&priv->async_sem, 1);
+
/* Register network device */
if (register_netdevice(dev)) {
wiphy_err(wiphy, "cannot register virtual network device\n");
- free_netdev(dev);
- priv->bss_mode = NL80211_IFTYPE_UNSPECIFIED;
- priv->netdev = NULL;
- wdev = ERR_PTR(-EFAULT);
- goto done;
+ ret = -EFAULT;
+ goto err_reg_netdev;
}
- sema_init(&priv->async_sem, 1);
-
dev_dbg(adapter->dev, "info: %s: Marvell 802.11 Adapter\n", dev->name);
#ifdef CONFIG_DEBUG_FS
mwifiex_dev_debugfs_init(priv);
#endif
-done:
- if (IS_ERR(wdev)) {
- kfree(priv->wdev);
- priv->wdev = NULL;
- }
-
return wdev;
+
+err_reg_netdev:
+ free_netdev(dev);
+ priv->netdev = NULL;
+err_set_bss_mode:
+err_alloc_netdev:
+ kfree(priv->wdev);
+ priv->wdev = NULL;
+ priv->bss_mode = NL80211_IFTYPE_UNSPECIFIED;
+ return ERR_PTR(ret);
}
EXPORT_SYMBOL_GPL(mwifiex_add_virtual_intf);
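Review bot: err_set_bss_mode and err_alloc_netdev are stacked with no statement between them, so they are one unwind step under two names; collapse them or add a comment saying that nothing needs undoing between the two failure points. Item (d) of the description (unwinding after mwifiex_send_cmd() or mwifiex_sta_init_cmd() fail) has no corresponding change in this backport and the bwh note does not mention it, so the note should say whether those paths exist in 3.16.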
* [PATCH 3.16 025/192] vt: fix unchecked __put_user() in tioclinux ioctls
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (11 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 007/192] mwifiex: fixup error cases in mwifiex_add_virtual_intf() Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 026/192] Bluetooth: use constant time memory comparison for secret values Ben Hutchings
` (179 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Adam Borowski
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Adam Borowski <kilobyte@angband.pl>
commit 6987dc8a70976561d22450b5858fc9767788cc1c upstream.
Only read access is checked before this call.
Actually, at the moment this is not an issue, as every in-tree arch does
the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU
to tell them apart, but this wasn't the case in the past and may happen
again on some odd arch in the future.
If anyone cares about 3.7 and earlier, this is a security hole (untested)
on real 80386 CPUs.
Signed-off-by: Adam Borowski <kilobyte@angband.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/vt/vt.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -2687,13 +2687,13 @@ int tioclinux(struct tty_struct *tty, un
* related to the kernel should not use this.
*/
data = vt_get_shift_state();
- ret = __put_user(data, p);
+ ret = put_user(data, p);
break;
case TIOCL_GETMOUSEREPORTING:
console_lock(); /* May be overkill */
data = mouse_reporting();
console_unlock();
- ret = __put_user(data, p);
+ ret = put_user(data, p);
break;
case TIOCL_SETVESABLANK:
console_lock();
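Review bot: both calls in this hunk move to put_user(), which does the write-access check itself, but the earlier check the changelog refers to ("Only read access is checked before this call") lies outside the hunk context, so a reader cannot see what it covers. Name that check in the changelog or in a comment next to the first put_user(). It is also worth confirming that no other __put_user() on p remains in tioclinux() beyond the three sites this patch changes.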
@@ -2702,7 +2702,7 @@ int tioclinux(struct tty_struct *tty, un
break;
case TIOCL_GETKMSGREDIRECT:
data = vt_get_kmsg_redirect();
- ret = __put_user(data, p);
+ ret = put_user(data, p);
break;
case TIOCL_SETKMSGREDIRECT:
if (!capable(CAP_SYS_ADMIN)) {
* [PATCH 3.16 026/192] Bluetooth: use constant time memory comparison for secret values
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (12 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 025/192] vt: fix unchecked __put_user() in tioclinux ioctls Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 120/192] ext3: preserve i_mode if ext2_set_acl() fails Ben Hutchings
` (178 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jason A. Donenfeld, Marcel Holtmann
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
commit 329d82309824ff1082dc4a91a5bbed8c3bec1580 upstream.
This file is filled with complex cryptography. Thus, the comparisons of
MACs and secret keys and curve points and so forth should not add timing
attacks, which could either result in a direct forgery, or, given the
complexity, some other type of attack.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
[bwh: Backported to 3.16:
- Drop inapplicable changes
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -22,6 +22,7 @@
#include <linux/crypto.h>
#include <linux/scatterlist.h>
+#include <crypto/algapi.h>
#include <crypto/b128ops.h>
#include <net/bluetooth/bluetooth.h>
@@ -153,7 +154,7 @@ bool smp_irk_matches(struct crypto_blkci
if (err)
return false;
- return !memcmp(bdaddr->b, hash, 3);
+ return !crypto_memneq(bdaddr->b, hash, 3);
}
int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa)
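Review bot: the length in crypto_memneq(bdaddr->b, hash, 3) is a bare literal carried over from the memcmp() call; a named constant, or a sizeof tied to the hash buffer, would make it harder for the compared length and the buffer size to drift apart in a later change.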
@@ -533,7 +534,7 @@ static u8 smp_random(struct smp_chan *sm
if (ret)
return SMP_UNSPECIFIED;
- if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
+ if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
BT_ERR("Pairing failed (confirmation values mismatch)");
return SMP_CONFIRM_FAILED;
}
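Review bot: the backport note says "Drop inapplicable changes" without listing them, so from this diff alone it is not possible to tell whether every memcmp() on secret data in the 3.16 smp.c has been converted or only the two shown here. List the dropped upstream hunks in the bwh note, or state that these two are the only such comparisons present in this branch.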
* [PATCH 3.16 120/192] ext3: preserve i_mode if ext2_set_acl() fails
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (13 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 026/192] Bluetooth: use constant time memory comparison for secret values Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 121/192] hfsplus: Don't clear SGID when inheriting ACLs Ben Hutchings
` (177 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Kara, Ernesto A. Fernández
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
Based on Ernesto A. Fernández's fix for ext2 (commit fe26569eb919), from
which the following description is taken:
> When changing a file's acl mask, ext2_set_acl() will first set the group
> bits of i_mode to the value of the mask, and only then set the actual
> extended attribute representing the new acl.
>
> If the second part fails (due to lack of space, for example) and the file
> had no acl attribute to begin with, the system will from now on assume
> that the mask permission bits are actual group permission bits, potentially
> granting access to the wrong users.
>
> Prevent this by only changing the inode mode after the acl has been set.
Cc: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext3/acl.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/fs/ext3/acl.c
+++ b/fs/ext3/acl.c
@@ -227,19 +227,25 @@ ext3_set_acl(struct inode *inode, struct
{
handle_t *handle;
int error, retries = 0;
+ int update_mode = 0;
+ umode_t mode = inode->i_mode;
retry:
handle = ext3_journal_start(inode, EXT3_DATA_TRANS_BLOCKS(inode->i_sb));
if (IS_ERR(handle))
return PTR_ERR(handle);
if (type == ACL_TYPE_ACCESS && acl) {
- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ error = posix_acl_update_mode(inode, &mode, &acl);
if (error)
goto journal_stop;
+ update_mode = 1;
+ }
+ error = __ext3_set_acl(handle, inode, type, acl);
+ if (!error && update_mode) {
+ inode->i_mode = mode;
inode->i_ctime = CURRENT_TIME_SEC;
ext3_mark_inode_dirty(handle, inode);
}
- error = __ext3_set_acl(handle, inode, type, acl);
journal_stop:
ext3_journal_stop(handle);
if (error == -ENOSPC && ext3_should_retry_alloc(inode->i_sb, &retries))
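Review bot: mode and update_mode are initialised above the retry: label, so when the -ENOSPC test at the end of the hunk loops back, the second pass runs with the values left by the first. That is needed here, because acl is passed by address to posix_acl_update_mode() and may already have been changed on the first pass, but nothing in the code says so. Add a short comment at the declarations so that nobody later moves the initialisers below retry:.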
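The failure mode in the quoted description, and the effect of the reordering in the patch, as an added user-space model (not kernel code and not part of the original message). Every struct and function name in it is hypothetical.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of an inode with an optional access ACL. */
struct model_inode {
    unsigned int mode;          /* permission bits, e.g. 0600 */
    int has_acl;                /* 1 once the ACL xattr is stored */
    unsigned int acl_group_obj; /* owning-group entry of the ACL */
    unsigned int acl_mask;      /* mask entry of the ACL */
    int xattr_space_left;       /* 0 makes the xattr write fail */
};

/* Stand-in for the xattr write; fails with -ENOSPC when there is no room. */
static int model_store_acl(struct model_inode *ino,
                           unsigned int group_obj, unsigned int mask)
{
    if (!ino->xattr_space_left)
        return -ENOSPC;
    ino->has_acl = 1;
    ino->acl_group_obj = group_obj;
    ino->acl_mask = mask;
    return 0;
}

/* With an ACL present, the group bits of the mode hold the mask. */
static unsigned int mode_with_mask(unsigned int mode, unsigned int mask)
{
    return (mode & ~070u) | ((mask & 7u) << 3);
}

/* Ordering before the patch: mode is written first, xattr second. */
static int set_acl_mode_first(struct model_inode *ino,
                              unsigned int group_obj, unsigned int mask)
{
    ino->mode = mode_with_mask(ino->mode, mask);
    return model_store_acl(ino, group_obj, mask);
}

/* Ordering after the patch: compute into a local, commit only on success. */
static int set_acl_xattr_first(struct model_inode *ino,
                               unsigned int group_obj, unsigned int mask)
{
    unsigned int mode = mode_with_mask(ino->mode, mask);
    int err = model_store_acl(ino, group_obj, mask);

    if (!err)
        ino->mode = mode;
    return err;
}

/*
 * What the owning group may do. Without an ACL the group bits of the mode
 * are taken literally; with one, the group entry is limited by the mask.
 */
static unsigned int owning_group_perms(const struct model_inode *ino)
{
    if (ino->has_acl)
        return ino->acl_group_obj & ino->acl_mask;
    return (ino->mode >> 3) & 7u;
}

/*
 * File starts as 0600 with no ACL. The new ACL gives the owning group
 * nothing and carries a mask of rw- (needed for some named entry).
 * Returns the owning group's resulting permissions.
 */
static unsigned int run_case(int patched, int space)
{
    struct model_inode ino = { .mode = 0600, .xattr_space_left = space };

    if (patched)
        set_acl_xattr_first(&ino, 0, 6);
    else
        set_acl_mode_first(&ino, 0, 6);
    return owning_group_perms(&ino);
}

int main(void)
{
    printf("mode first,  write fails: group perms %o\n", run_case(0, 0));
    printf("xattr first, write fails: group perms %o\n", run_case(1, 0));
    printf("mode first,  write ok:    group perms %o\n", run_case(0, 1));
    printf("xattr first, write ok:    group perms %o\n", run_case(1, 1));
    return 0;
}
```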
* [PATCH 3.16 121/192] hfsplus: Don't clear SGID when inheriting ACLs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (14 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 120/192] ext3: preserve i_mode if ext2_set_acl() fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 011/192] wlcore: fix 64K page support Ben Hutchings
` (176 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 84969465ddc4f8aeb3b993123b571aa01c5f2683 upstream.
When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.
Fix the problem by creating __hfsplus_set_posix_acl() function that does
not call posix_acl_update_mode() and use it when inheriting ACLs. That
prevents SGID bit clearing and the mode has been properly set by
posix_acl_create() anyway.
Fixes: 073931017b49d9458aa351605b43a7e34598caef
Signed-off-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/hfsplus/posix_acl.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
--- a/fs/hfsplus/posix_acl.c
+++ b/fs/hfsplus/posix_acl.c
@@ -54,8 +54,8 @@ struct posix_acl *hfsplus_get_posix_acl(
return acl;
}
-int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl,
- int type)
+static int __hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl,
+ int type)
{
int err;
char *xattr_name;
@@ -67,12 +67,6 @@ int hfsplus_set_posix_acl(struct inode *
switch (type) {
case ACL_TYPE_ACCESS:
xattr_name = POSIX_ACL_XATTR_ACCESS;
- if (acl) {
- err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
- if (err)
- return err;
- }
- err = 0;
break;
case ACL_TYPE_DEFAULT:
@@ -108,6 +102,18 @@ end_set_acl:
return err;
}
+int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, int type)
+{
+ int err;
+
+ if (type == ACL_TYPE_ACCESS && acl) {
+ err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (err)
+ return err;
+ }
+ return __hfsplus_set_posix_acl(inode, acl, type);
+}
+
int hfsplus_init_posix_acl(struct inode *inode, struct inode *dir)
{
int err = 0;
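Review bot: the new hfsplus_set_posix_acl() wrapper lets posix_acl_update_mode() write inode->i_mode before __hfsplus_set_posix_acl() runs, so if the xattr write then fails the mode stays changed with no ACL stored. That is the ordering patch 120/192 of this series fixes for ext3; pass a local umode_t to posix_acl_update_mode() and assign inode->i_mode only after __hfsplus_set_posix_acl() has returned 0.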
@@ -125,15 +131,15 @@ int hfsplus_init_posix_acl(struct inode
return err;
if (default_acl) {
- err = hfsplus_set_posix_acl(inode, default_acl,
- ACL_TYPE_DEFAULT);
+ err = __hfsplus_set_posix_acl(inode, default_acl,
+ ACL_TYPE_DEFAULT);
posix_acl_release(default_acl);
}
if (acl) {
if (!err)
- err = hfsplus_set_posix_acl(inode, acl,
- ACL_TYPE_ACCESS);
+ err = __hfsplus_set_posix_acl(inode, acl,
+ ACL_TYPE_ACCESS);
posix_acl_release(acl);
}
return err;
* [PATCH 3.16 011/192] wlcore: fix 64K page support
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (15 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 121/192] hfsplus: Don't clear SGID when inheriting ACLs Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 066/192] PCI: Mark Haswell Power Control Unit as having non-compliant BARs Ben Hutchings
` (175 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Kalle Valo
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 4a4274bf2dbbd1c7a45be0c89a1687c9d2eef4a0 upstream.
In the stable linux-3.16 branch, I ran into a warning in the
wlcore driver:
drivers/net/wireless/ti/wlcore/spi.c: In function 'wl12xx_spi_raw_write':
drivers/net/wireless/ti/wlcore/spi.c:315:1: error: the frame size of 12848 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
Newer kernels no longer show the warning, but the bug is still there,
as the allocation is based on the CPU page size rather than the
actual capabilities of the hardware.
This replaces the PAGE_SIZE macro with the SZ_4K macro, i.e. 4096 bytes
per buffer.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
- Include <linux/sizes.h> for definition of SZ_4K
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/ti/wlcore/spi.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/ti/wlcore/spi.c
+++ b/drivers/net/wireless/ti/wlcore/spi.c
@@ -30,6 +30,7 @@
#include <linux/spi/spi.h>
#include <linux/wl12xx.h>
#include <linux/platform_device.h>
+#include <linux/sizes.h>
#include "wlcore.h"
#include "wl12xx_80211.h"
@@ -71,7 +72,7 @@
* only support SPI for 12xx - this code should be reworked when 18xx
* support is introduced
*/
-#define SPI_AGGR_BUFFER_SIZE (4 * PAGE_SIZE)
+#define SPI_AGGR_BUFFER_SIZE (4 * SZ_4K)
/* Maximum number of SPI write chunks */
#define WSPI_MAX_NUM_OF_CHUNKS \
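Review bot: SPI_AGGR_BUFFER_SIZE goes from four CPU pages to a fixed 4 * SZ_4K, but the comment block above the define still says nothing about where the size comes from. Add a line there stating that it reflects what the hardware can handle and is independent of PAGE_SIZE, so that nobody turns it back into a page multiple on a 64K-page configuration.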
* [PATCH 3.16 066/192] PCI: Mark Haswell Power Control Unit as having non-compliant BARs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (16 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 011/192] wlcore: fix 64K page support Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 022/192] e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails Ben Hutchings
` (174 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Paul Menzel, Prarit Bhargava, Myron Stowe, Bjorn Helgaas
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
commit 6af7e4f77259ee946103387372cb159f2e99a6d4 upstream.
The Haswell Power Control Unit has a non-PCI register (CONFIG_TDP_NOMINAL)
where BAR 0 is supposed to be. This is erratum HSE43 in the spec update
referenced below:
The PCIe* Base Specification indicates that Configuration Space Headers
have a base address register at offset 0x10. Due to this erratum, the
Power Control Unit's CONFIG_TDP_NOMINAL CSR (Bus 1; Device 30; Function
3; Offset 0x10) is located where a base register is expected.
Mark the PCU as having non-compliant BARs so we don't try to probe any of
them. There are no other BARs on this device.
Rename the quirk so it's not Broadwell-specific.
Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html
Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-datasheet-vol-2.html (section 5.4, Device 30 Function 3)
Link: https://bugzilla.kernel.org/show_bug.cgi?id=153881
Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Myron Stowe <myron.stowe@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/pci/fixup.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
--- a/arch/x86/pci/fixup.c
+++ b/arch/x86/pci/fixup.c
@@ -555,15 +555,21 @@ static void twinhead_reserve_killing_zon
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
/*
- * Broadwell EP Home Agent BARs erroneously return non-zero values when read.
+ * Device [8086:2fc0]
+ * Erratum HSE43
+ * CONFIG_TDP_NOMINAL CSR Implemented at Incorrect Offset
+ * http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html
*
- * See http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
- * entry BDF2.
+ * Devices [8086:6f60,6fa0,6fc0]
+ * Erratum BDF2
+ * PCI BARs in the Home Agent Will Return Non-Zero Values During Enumeration
+ * http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
*/
-static void pci_bdwep_bar(struct pci_dev *dev)
+static void pci_invalid_bar(struct pci_dev *dev)
{
dev->non_compliant_bars = 1;
}
-DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6f60, pci_bdwep_bar);
-DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_bdwep_bar);
-DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_bdwep_bar);
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x2fc0, pci_invalid_bar);
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6f60, pci_invalid_bar);
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_invalid_bar);
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_invalid_bar);
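Review bot: the new comment block identifies the Haswell entry only as "Device [8086:2fc0]" plus the erratum title; name the device (Power Control Unit) there as the commit message does, since the title alone does not say which function the ID belongs to. The comment now duplicates the ID list in the DECLARE_PCI_FIXUP_EARLY() lines below it, so the two have to be kept in step whenever an ID is added.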
* [PATCH 3.16 022/192] e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (17 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 066/192] PCI: Mark Haswell Power Control Unit as having non-compliant BARs Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 041/192] ASoC: compress: Derive substream from stream based on direction Ben Hutchings
` (173 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Chris Wilson, Aaron Brown, Jani Nikula, Jeff Kirsher
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chris Wilson <chris@chris-wilson.co.uk>
commit 833521ebc65b1c3092e5c0d8a97092f98eec595d upstream.
An error during suspend (e100e_pm_suspend),
[ 429.994338] ACPI : EC: event blocked
[ 429.994633] e1000e: EEE TX LPI TIMER: 00000011
[ 430.955451] pci_pm_suspend(): e1000e_pm_suspend+0x0/0x30 [e1000e] returns -2
[ 430.955454] dpm_run_callback(): pci_pm_suspend+0x0/0x140 returns -2
[ 430.955458] PM: Device 0000:00:19.0 failed to suspend async: error -2
[ 430.955581] PM: Some devices failed to suspend, or early wake event detected
[ 430.957709] ACPI : EC: event unblocked
lead to complete failure:
[ 432.585002] ------------[ cut here ]------------
[ 432.585013] WARNING: CPU: 3 PID: 8372 at kernel/irq/manage.c:1478 __free_irq+0x9f/0x280
[ 432.585015] Trying to free already-free IRQ 20
[ 432.585016] Modules linked in: cdc_ncm usbnet x86_pkg_temp_thermal intel_powerclamp coretemp mii crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep lpc_ich snd_hda_core snd_pcm mei_me mei sdhci_pci sdhci i915 mmc_core e1000e ptp pps_core prime_numbers
[ 432.585042] CPU: 3 PID: 8372 Comm: kworker/u16:40 Tainted: G U 4.10.0-rc8-CI-Patchwork_3870+ #1
[ 432.585044] Hardware name: LENOVO 2356GCG/2356GCG, BIOS G7ET31WW (1.13 ) 07/02/2012
[ 432.585050] Workqueue: events_unbound async_run_entry_fn
[ 432.585051] Call Trace:
[ 432.585058] dump_stack+0x67/0x92
[ 432.585062] __warn+0xc6/0xe0
[ 432.585065] warn_slowpath_fmt+0x4a/0x50
[ 432.585070] ? _raw_spin_lock_irqsave+0x49/0x60
[ 432.585072] __free_irq+0x9f/0x280
[ 432.585075] free_irq+0x34/0x80
[ 432.585089] e1000_free_irq+0x65/0x70 [e1000e]
[ 432.585098] e1000e_pm_freeze+0x7a/0xb0 [e1000e]
[ 432.585106] e1000e_pm_suspend+0x21/0x30 [e1000e]
[ 432.585113] pci_pm_suspend+0x71/0x140
[ 432.585118] dpm_run_callback+0x6f/0x330
[ 432.585122] ? pci_pm_freeze+0xe0/0xe0
[ 432.585125] __device_suspend+0xea/0x330
[ 432.585128] async_suspend+0x1a/0x90
[ 432.585132] async_run_entry_fn+0x34/0x160
[ 432.585137] process_one_work+0x1f4/0x6d0
[ 432.585140] ? process_one_work+0x16e/0x6d0
[ 432.585143] worker_thread+0x49/0x4a0
[ 432.585145] kthread+0x107/0x140
[ 432.585148] ? process_one_work+0x6d0/0x6d0
[ 432.585150] ? kthread_create_on_node+0x40/0x40
[ 432.585154] ret_from_fork+0x2e/0x40
[ 432.585156] ---[ end trace 6712df7f8c4b9124 ]---
The unwind failure stems from commit 2800209994f8 ("e1000e: Refactor PM
flows"), but it may be a later patch that introduced the non-recoverable
behaviour.
Fixes: 2800209994f8 ("e1000e: Refactor PM flows")
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99847
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/ethernet/intel/e1000e/netdev.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -6352,12 +6352,17 @@ static int e1000e_pm_thaw(struct device
static int e1000e_pm_suspend(struct device *dev)
{
struct pci_dev *pdev = to_pci_dev(dev);
+ int rc;
e1000e_flush_lpic(pdev);
e1000e_pm_freeze(dev);
- return __e1000_shutdown(pdev, false);
+ rc = __e1000_shutdown(pdev, false);
+ if (rc)
+ e1000e_pm_thaw(dev);
+
+ return rc;
}
static int e1000e_pm_resume(struct device *dev)
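Review bot: the failure branch calls e1000e_pm_thaw(dev) and discards its return value, so if the thaw itself fails the caller sees only the __e1000_shutdown() code and the device is left frozen with no trace in the log. At minimum report a non-zero result from e1000e_pm_thaw() with a dev_err() before returning rc.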
* [PATCH 3.16 041/192] ASoC: compress: Derive substream from stream based on direction
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (18 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 022/192] e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 035/192] USB: serial: qcserial: new Sierra Wireless EM7305 device ID Ben Hutchings
` (172 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Mark Brown, Banajit Goswami, Satish Babu Patakokila, Vinod Koul
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Satish Babu Patakokila <sbpata@codeaurora.org>
commit 01b8cedfd0422326caae308641dcadaa85e0ca72 upstream.
Currently compress driver hardcodes direction as playback to get
substream from the stream. This results in getting the incorrect
substream for compressed capture usecase.
To fix this, remove the hardcoding and derive substream based on
the stream direction.
Signed-off-by: Satish Babu Patakokila <sbpata@codeaurora.org>
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Acked-By: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/soc/soc-compress.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/sound/soc/soc-compress.c
+++ b/sound/soc/soc-compress.c
@@ -67,7 +67,8 @@ out:
static int soc_compr_open_fe(struct snd_compr_stream *cstream)
{
struct snd_soc_pcm_runtime *fe = cstream->private_data;
- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
+ struct snd_pcm_substream *fe_substream =
+ fe->pcm->streams[cstream->direction].substream;
struct snd_soc_platform *platform = fe->platform;
struct snd_soc_dpcm *dpcm;
struct snd_soc_dapm_widget_list *list;
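Review bot: fe->pcm->streams[] is now indexed directly by cstream->direction, which is a compress-API value rather than a PCM stream number, so the lookup is only correct while the two enumerations share the values 0 and 1. Either map the direction explicitly to SNDRV_PCM_STREAM_PLAYBACK or SNDRV_PCM_STREAM_CAPTURE before indexing, or add a comment stating that the equivalence is relied on.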
@@ -411,7 +412,8 @@ static int soc_compr_set_params_fe(struc
struct snd_compr_params *params)
{
struct snd_soc_pcm_runtime *fe = cstream->private_data;
- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
+ struct snd_pcm_substream *fe_substream =
+ fe->pcm->streams[cstream->direction].substream;
struct snd_soc_platform *platform = fe->platform;
int ret = 0, stream;
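Review bot: soc_compr_set_params_fe() already declares a local stream in the context line "int ret = 0, stream;" right below the change; if that variable is set from cstream->direction further down, assign fe_substream after it from fe->pcm->streams[stream] instead of repeating the direction lookup in the initialiser, so the direction-to-stream translation lives in one place.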
* [PATCH 3.16 035/192] USB: serial: qcserial: new Sierra Wireless EM7305 device ID
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (19 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 041/192] ASoC: compress: Derive substream from stream based on direction Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 085/192] drm/i915: Disable MSI for all pre-gen5 Ben Hutchings
` (171 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Bjørn Mork, Johan Hovold, Petr Kloc
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bjørn Mork <bjorn@mork.no>
commit 996fab55d864ed604158f71724ff52db1c2454a3 upstream.
A new Sierra Wireless EM7305 device ID used in a Toshiba laptop.
Reported-by: Petr Kloc <petr_kloc@yahoo.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/qcserial.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -156,6 +156,7 @@ static const struct usb_device_id id_tab
{DEVICE_SWI(0x1199, 0x9056)}, /* Sierra Wireless Modem */
{DEVICE_SWI(0x1199, 0x9060)}, /* Sierra Wireless Modem */
{DEVICE_SWI(0x1199, 0x9061)}, /* Sierra Wireless Modem */
+ {DEVICE_SWI(0x1199, 0x9063)}, /* Sierra Wireless EM7305 */
{DEVICE_SWI(0x1199, 0x9070)}, /* Sierra Wireless MC74xx */
{DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx */
{DEVICE_SWI(0x1199, 0x9078)}, /* Sierra Wireless EM74xx */
* [PATCH 3.16 085/192] drm/i915: Disable MSI for all pre-gen5
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (20 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 035/192] USB: serial: qcserial: new Sierra Wireless EM7305 device ID Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 047/192] spi: atmel: fix corrupted data issue on SAM9 family SoCs Ben Hutchings
` (170 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Diego Viola, Daniel Vetter, Jani Nikula, Ville Syrjälä
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
commit ce3f7163e4ce8fd583dcb36b6ee6b81fd1b419ae upstream.
We have pretty clear evidence that MSIs are getting lost on g4x and
somehow the interrupt logic doesn't seem to recover from that state
even if we try hard to clear the IIR.
Disabling IER around the normal IIR clearing in the irq handler isn't
sufficient to avoid this, so the problem really seems to be further
up the interrupt chain. This should guarantee that there's always
an edge if any IIR bits are set after the interrupt handler is done,
which should normally guarantee that the CPU interrupt is generated.
That approach seems to work perfectly on VLV/CHV, but apparently
not on g4x.
MSI is documented to be broken on 965gm at least. The chipset spec
says MSI is defeatured because interrupts can be delayed or lost,
which fits well with what we're seeing on g4x. Previously we've
already disabled GMBUS interrupts on g4x because somehow GMBUS
manages to raise legacy interrupts even when MSI is enabled.
Since there's such widespread MSI breakage all over in the pre-gen5
land let's just give up on MSI on these platforms.
Seqno reporting might be negatively affected by this since the legacy
interrupts aren't guaranteed to be ordered with the seqno writes,
whereas MSI interrupts may be? But an occasionally missed seqno
seems like a small price to pay for generally working interrupts.
Cc: Diego Viola <diego.viola@gmail.com>
Tested-by: Diego Viola <diego.viola@gmail.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101261
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170626203051.28480-1-ville.syrjala@linux.intel.com
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
(cherry picked from commit e38c2da01f76cca82b59ca612529b81df82a7cc7)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
[bwh: Backported to 3.16:
- Open-code INTEL_GEN()
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/i915/i915_dma.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1747,10 +1747,12 @@ int i915_driver_load(struct drm_device *
* and the registers being closely associated.
*
* According to chipset errata, on the 965GM, MSI interrupts may
- * be lost or delayed, but we use them anyways to avoid
- * stuck interrupts on some machines.
+ * be lost or delayed, and was defeatured. MSI interrupts seem to
+ * get lost on g4x as well, and interrupt delivery seems to stay
+ * properly dead afterwards. So we'll just disable them for all
+ * pre-gen5 chipsets.
*/
- if (!IS_I945G(dev) && !IS_I945GM(dev))
+ if (INTEL_INFO(dev)->gen >= 5)
pci_enable_msi(dev->pdev);
intel_device_info_runtime_init(dev);
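Review bot: in the rewritten comment, "MSI interrupts may be lost or delayed, and was defeatured" mixes plural and singular; "and MSI was defeatured" reads correctly. The return value of pci_enable_msi(dev->pdev) is still discarded on the gen >= 5 path, so a failed enable goes unreported; a debug message on failure would help when triaging interrupt problems like the one in the linked bug.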
* [PATCH 3.16 047/192] spi: atmel: fix corrupted data issue on SAM9 family SoCs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (21 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 085/192] drm/i915: Disable MSI for all pre-gen5 Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 122/192] reiserfs: Don't clear SGID when inheriting ACLs Ben Hutchings
` (169 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Cyrille Pitchen, Mark Brown, Nicolas Ferre
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Cyrille Pitchen <cyrille.pitchen@microchip.com>
commit 7094576ccdc3acfe1e06a1e2ab547add375baf7f upstream.
This patch disables the use of the DMA for data transfer and forces the
use of PIO transfers instead as a quick fixup to solve the cache aliasing
issue on ARM9 based cores, which embed a VIVT data cache.
Indeed in the case of VIVT data caches, it is not safe to call dma_map_*()
functions to map buffers for DMA transfers when those buffers have been
allocated by vmalloc() or from any DMA-unsafe area.
Further patches may propose a better solution based on the use of a bounce
buffer at the SPI sub-system level but such solution needs more time to be
discussed. Then the use of DMA transfers could be enabled again to improve
the performances but before that, this patch already solves the issue.
Signed-off-by: Cyrille Pitchen <cyrille.pitchen@microchip.com>
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/spi/spi-atmel.c | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c
index 1eb83c9613d5..78c885d80c96 100644
--- a/drivers/spi/spi-atmel.c
+++ b/drivers/spi/spi-atmel.c
@@ -269,6 +269,7 @@ struct atmel_spi_caps {
bool is_spi2;
bool has_wdrbt;
bool has_dma_support;
+ bool has_pdc_support;
};
/*
@@ -1426,7 +1427,28 @@ static void atmel_get_caps(struct atmel_spi *as)
as->caps.is_spi2 = version > 0x121;
as->caps.has_wdrbt = version >= 0x210;
+#ifdef CONFIG_SOC_SAM_V4_V5
+ /*
+ * Atmel SoCs based on ARM9 (SAM9x) cores should not use spi_map_buf()
+ * since this later function tries to map buffers with dma_map_sg()
+ * even if they have not been allocated inside DMA-safe areas.
+ * On SoCs based on Cortex A5 (SAMA5Dx), it works anyway because for
+ * those ARM cores, the data cache follows the PIPT model.
+ * Also the L2 cache controller of SAMA5D2 uses the PIPT model too.
+ * In case of PIPT caches, there cannot be cache aliases.
+ * However on ARM9 cores, the data cache follows the VIVT model, hence
+ * the cache aliases issue can occur when buffers are allocated from
+ * DMA-unsafe areas, by vmalloc() for instance, where cache coherency is
+ * not taken into account or at least not handled completely (cache
+ * lines of aliases are not invalidated).
+ * This is not a theorical issue: it was reproduced when trying to mount
+ * a UBI file-system on a at91sam9g35ek board.
+ */
+ as->caps.has_dma_support = false;
+#else
as->caps.has_dma_support = version >= 0x212;
+#endif
+ as->caps.has_pdc_support = version < 0x212;
}
/*-------------------------------------------------------------------------*/
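Review bot: the new comment explains why spi_map_buf() is unsafe with a VIVT cache but says nothing about has_pdc_support, which is set to version < 0x212 on every SoC, including the SAM9 parts this block targets. Add a line stating why PDC transfers stay enabled there, and spell out that with CONFIG_SOC_SAM_V4_V5 and version >= 0x212 both flags are false, which is what forces PIO. Wording in the comment: "this later function" should be "this latter function" and "theorical" should be "theoretical".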
@@ -1567,7 +1589,7 @@ static int atmel_spi_probe(struct platform_device *pdev)
if (as->caps.has_dma_support) {
if (atmel_spi_configure_dma(as) == 0)
as->use_dma = true;
- } else {
+ } else if (as->caps.has_pdc_support) {
as->use_pdc = true;
}
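Review bot: with the else branch now conditional on as->caps.has_pdc_support, atmel_spi_probe() has a third outcome where neither use_dma nor use_pdc is set, and nothing in the hunk marks it. A short comment, or a dev_info() line saying the controller runs in PIO mode, would make the throughput drop on SAM9 visible in the boot log instead of something to rediscover later.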
* [PATCH 3.16 122/192] reiserfs: Don't clear SGID when inheriting ACLs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (22 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 047/192] spi: atmel: fix corrupted data issue on SAM9 family SoCs Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 034/192] USB: serial: option: add two Longcheer device ids Ben Hutchings
` (168 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, reiserfs-devel, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 6883cd7f68245e43e91e5ee583b7550abf14523f upstream.
When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.
Fix the problem by moving posix_acl_update_mode() out of
__reiserfs_set_acl() into reiserfs_set_acl(). That way the function will
not be called when inheriting ACLs which is what we want as it prevents
SGID bit clearing and the mode has been properly set by
posix_acl_create() anyway.
Fixes: 073931017b49d9458aa351605b43a7e34598caef
CC: reiserfs-devel@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/reiserfs/xattr_acl.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -37,7 +37,14 @@ reiserfs_set_acl(struct inode *inode, st
error = journal_begin(&th, inode->i_sb, jcreate_blocks);
reiserfs_write_unlock(inode->i_sb);
if (error == 0) {
+ if (type == ACL_TYPE_ACCESS && acl) {
+ error = posix_acl_update_mode(inode, &inode->i_mode,
+ &acl);
+ if (error)
+ goto unlock;
+ }
error = __reiserfs_set_acl(&th, inode, type, acl);
+unlock:
reiserfs_write_lock(inode->i_sb);
error2 = journal_end(&th);
reiserfs_write_unlock(inode->i_sb);
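Review bot: posix_acl_update_mode() is handed &inode->i_mode directly, so the mode has already been rewritten if __reiserfs_set_acl() then fails. That is the same failure the ext4 patch 126/192 in this series addresses by updating a local copy and assigning it only on success; the same ordering is worth applying here. The label name unlock is also misleading, since the statement it marks is reiserfs_write_lock(); a name describing the journal teardown would read better.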
@@ -245,11 +252,6 @@ __reiserfs_set_acl(struct reiserfs_trans
switch (type) {
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
- if (acl) {
- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
- if (error)
- return error;
- }
break;
case ACL_TYPE_DEFAULT:
name = POSIX_ACL_XATTR_DEFAULT;
* [PATCH 3.16 034/192] USB: serial: option: add two Longcheer device ids
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (23 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 122/192] reiserfs: Don't clear SGID when inheriting ACLs Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 126/192] ext4: preserve i_mode if __ext4_set_acl() fails Ben Hutchings
` (167 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Lars Melin, Johan Hovold, Bjørn Mork, Teemu Likonen
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 8fb060da715ad10fe956d7c0077b2fb0c12bb9d7 upstream.
Add two Longcheer device-id entries which specifically enable a
Telewell TW-3G HSPA+ branded modem (0x9801).
Reported-by: Teemu Likonen <tlikonen@iki.fi>
Reported-by: Bjørn Mork <bjorn@mork.no>
Reported-by: Lars Melin <larsm17@gmail.com>
Tested-by: Teemu Likonen <tlikonen@iki.fi>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/option.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1888,6 +1888,10 @@ static const struct usb_device_id option
.driver_info = (kernel_ulong_t)&four_g_w100_blacklist
},
{ USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) },
+ { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9801, 0xff),
+ .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
+ { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9803, 0xff),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
{ USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) },
{ USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) },
{ USB_DEVICE(HAIER_VENDOR_ID, HAIER_PRODUCT_CE100) },
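Review bot: the commit message accounts only for 0x9801 (the Telewell TW-3G HSPA+), while the hunk also adds 0x9803 with net_intf4_blacklist and no stated device or test report. Please say in the changelog which product 0x9803 is and why its network interface is number 4 rather than 3. Both ids are bare hex where the neighbouring entry uses a named constant (SPEEDUP_PRODUCT_SU9800); a trailing comment naming the device on each line would keep the table searchable.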
* [PATCH 3.16 126/192] ext4: preserve i_mode if __ext4_set_acl() fails
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (24 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 034/192] USB: serial: option: add two Longcheer device ids Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 002/192] sched/topology: Refactor function build_overlap_sched_groups() Ben Hutchings
` (166 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Ernesto A. Fernández, Theodore Ts'o, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ernesto A. Fernández
<ernesto.mnd.fernandez@gmail.com>
commit 397e434176bb62bc6068d2210af1d876c6212a7e upstream.
When changing a file's acl mask, __ext4_set_acl() will first set the group
bits of i_mode to the value of the mask, and only then set the actual
extended attribute representing the new acl.
If the second part fails (due to lack of space, for example) and the file
had no acl attribute to begin with, the system will from now on assume
that the mask permission bits are actual group permission bits, potentially
granting access to the wrong users.
Prevent this by only changing the inode mode after the acl has been set.
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: keep using ext4_current_time()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext4/acl.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -196,16 +196,17 @@ __ext4_set_acl(handle_t *handle, struct
void *value = NULL;
size_t size = 0;
int error;
+ int update_mode = 0;
+ umode_t mode = inode->i_mode;
switch (type) {
case ACL_TYPE_ACCESS:
name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl) {
- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ error = posix_acl_update_mode(inode, &mode, &acl);
if (error)
return error;
- inode->i_ctime = ext4_current_time(inode);
- ext4_mark_inode_dirty(handle, inode);
+ update_mode = 1;
}
break;
@@ -228,8 +229,14 @@ __ext4_set_acl(handle_t *handle, struct
value, size, 0);
kfree(value);
- if (!error)
+ if (!error) {
set_cached_acl(inode, type, acl);
+ if (update_mode) {
+ inode->i_mode = mode;
+ inode->i_ctime = ext4_current_time(inode);
+ ext4_mark_inode_dirty(handle, inode);
+ }
+ }
return error;
}
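Review bot: in the new success branch the result of ext4_mark_inode_dirty(handle, inode) is dropped, so if it fails the function still returns 0 with the ACL xattr written and the in-memory i_mode changed. Consider assigning its return value to error so the caller sees the failure. The ordering itself (xattr first, then i_mode) matches what the changelog asks for.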
* [PATCH 3.16 002/192] sched/topology: Refactor function build_overlap_sched_groups()
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (25 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 126/192] ext4: preserve i_mode if __ext4_set_acl() fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 131/192] [media] saa7164: fix sparse warnings Ben Hutchings
` (165 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Lauro Ramos Venancio, Linus Torvalds, Ingo Molnar,
Thomas Gleixner, Mike Galbraith, Rik van Riel,
Peter Zijlstra (Intel)
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lauro Ramos Venancio <lvenanci@redhat.com>
commit 8c0334697dc37eb3d6d7632304d3a3662248daac upstream.
Create functions build_group_from_child_sched_domain() and
init_overlap_sched_group(). No functional change.
Signed-off-by: Lauro Ramos Venancio <lvenanci@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1492091769-19879-2-git-send-email-lvenanci@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
- Code being moved is slightly different
- Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sched/core.c | 62 ++++++++++++++++++++++++++++++++++---------------
1 file changed, 43 insertions(+), 19 deletions(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5801,6 +5801,47 @@ int group_balance_cpu(struct sched_group
return cpumask_first_and(sched_group_cpus(sg), sched_group_mask(sg));
}
+static struct sched_group *
+build_group_from_child_sched_domain(struct sched_domain *sd, int cpu)
+{
+ struct sched_group *sg;
+ struct cpumask *sg_span;
+
+ sg = kzalloc_node(sizeof(struct sched_group) + cpumask_size(),
+ GFP_KERNEL, cpu_to_node(cpu));
+
+ if (!sg)
+ return NULL;
+
+ sg_span = sched_group_cpus(sg);
+ if (sd->child)
+ cpumask_copy(sg_span, sched_domain_span(sd->child));
+ else
+ cpumask_copy(sg_span, sched_domain_span(sd));
+
+ return sg;
+}
+
+static void init_overlap_sched_group(struct sched_domain *sd,
+ struct sched_group *sg, int cpu)
+{
+ struct sd_data *sdd = sd->private;
+ struct cpumask *sg_span;
+
+ sg->sgc = *per_cpu_ptr(sdd->sgc, cpu);
+ if (atomic_inc_return(&sg->sgc->ref) == 1)
+ build_group_mask(sd, sg);
+
+ /*
+ * Initialize sgc->capacity such that even if we mess up the
+ * domains and no possible iteration will get us here, we won't
+ * die on a /0 trap.
+ */
+ sg_span = sched_group_cpus(sg);
+ sg->sgc->capacity = SCHED_CAPACITY_SCALE * cpumask_weight(sg_span);
+ sg->sgc->capacity_orig = sg->sgc->capacity;
+}
+
static int
build_overlap_sched_groups(struct sched_domain *sd, int cpu)
{
@@ -5825,31 +5866,14 @@ build_overlap_sched_groups(struct sched_
if (!cpumask_test_cpu(i, sched_domain_span(sibling)))
continue;
- sg = kzalloc_node(sizeof(struct sched_group) + cpumask_size(),
- GFP_KERNEL, cpu_to_node(cpu));
-
+ sg = build_group_from_child_sched_domain(sibling, cpu);
if (!sg)
goto fail;
sg_span = sched_group_cpus(sg);
- if (sibling->child)
- cpumask_copy(sg_span, sched_domain_span(sibling->child));
- else
- cpumask_set_cpu(i, sg_span);
-
cpumask_or(covered, covered, sg_span);
- sg->sgc = *per_cpu_ptr(sdd->sgc, i);
- if (atomic_inc_return(&sg->sgc->ref) == 1)
- build_group_mask(sd, sg);
-
- /*
- * Initialize sgc->capacity such that even if we mess up the
- * domains and no possible iteration will get us here, we won't
- * die on a /0 trap.
- */
- sg->sgc->capacity = SCHED_CAPACITY_SCALE * cpumask_weight(sg_span);
- sg->sgc->capacity_orig = sg->sgc->capacity;
+ init_overlap_sched_group(sd, sg, i);
/*
* Make sure the first group of this domain contains the
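Review bot: the changelog says "No functional change", but the else branch removed here called cpumask_set_cpu(i, sg_span) for a sibling without a child, while build_group_from_child_sched_domain() copies sched_domain_span(sd) in that case, so the resulting group span can differ. The backport note says the moved code is slightly different; it should name this difference explicitly, or the helper should keep the single-CPU behaviour for the childless case.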
* [PATCH 3.16 131/192] [media] saa7164: fix sparse warnings
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (26 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 002/192] sched/topology: Refactor function build_overlap_sched_groups() Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 049/192] i2c: cadance: fix ctrl/addr reg write order Ben Hutchings
` (164 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Hans Verkuil, Steven Toth, Hans Verkuil, Mauro Carvalho Chehab
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil@xs4all.nl>
commit 065e1477d277174242e73e7334c717b840d0693f upstream.
Fix many sparse warnings:
drivers/media/pci/saa7164/saa7164-core.c:97:18: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:122:31: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:122:31: warning: incorrect type in initializer (different address spaces)
drivers/media/pci/saa7164/saa7164-core.c:122:31: expected unsigned char [noderef] [usertype] <asn:2>*bufcpu
drivers/media/pci/saa7164/saa7164-core.c:122:31: got unsigned char [usertype] *<noident>
drivers/media/pci/saa7164/saa7164-core.c:282:44: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:286:38: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:286:35: warning: incorrect type in assignment (different address spaces)
drivers/media/pci/saa7164/saa7164-core.c:286:35: expected unsigned char [noderef] [usertype] <asn:2>*p
drivers/media/pci/saa7164/saa7164-core.c:286:35: got unsigned char [usertype] *<noident>
drivers/media/pci/saa7164/saa7164-core.c:352:44: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:527:53: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-core.c:129:30: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:133:38: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:133:72: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:134:35: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:287:61: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:288:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:289:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:290:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:291:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:292:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:293:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-core.c:294:65: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-fw.c:548:52: warning: incorrect type in argument 5 (different address spaces)
drivers/media/pci/saa7164/saa7164-fw.c:548:52: expected unsigned char [usertype] *dst
drivers/media/pci/saa7164/saa7164-fw.c:548:52: got unsigned char [noderef] [usertype] <asn:2>*
drivers/media/pci/saa7164/saa7164-fw.c:579:44: warning: incorrect type in argument 5 (different address spaces)
drivers/media/pci/saa7164/saa7164-fw.c:579:44: expected unsigned char [usertype] *dst
drivers/media/pci/saa7164/saa7164-fw.c:579:44: got unsigned char [noderef] [usertype] <asn:2>*
drivers/media/pci/saa7164/saa7164-fw.c:597:44: warning: incorrect type in argument 5 (different address spaces)
drivers/media/pci/saa7164/saa7164-fw.c:597:44: expected unsigned char [usertype] *dst
drivers/media/pci/saa7164/saa7164-fw.c:597:44: got unsigned char [noderef] [usertype] <asn:2>*
drivers/media/pci/saa7164/saa7164-bus.c:36:36: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-bus.c:41:36: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-bus.c:151:19: warning: incorrect type in assignment (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:151:19: expected unsigned short [unsigned] [usertype] size
drivers/media/pci/saa7164/saa7164-bus.c:151:19: got restricted __le16 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:152:22: warning: incorrect type in assignment (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:152:22: expected unsigned int [unsigned] [usertype] command
drivers/media/pci/saa7164/saa7164-bus.c:152:22: got restricted __le32 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:153:30: warning: incorrect type in assignment (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:153:30: expected unsigned short [unsigned] [usertype] controlselector
drivers/media/pci/saa7164/saa7164-bus.c:153:30: got restricted __le16 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:172:20: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:173:20: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:206:28: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:287:9: warning: incorrect type in argument 1 (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:287:9: expected unsigned int [unsigned] val
drivers/media/pci/saa7164/saa7164-bus.c:287:9: got restricted __le32 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:339:20: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:340:20: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:463:9: warning: incorrect type in argument 1 (different base types)
drivers/media/pci/saa7164/saa7164-bus.c:463:9: expected unsigned int [unsigned] val
drivers/media/pci/saa7164/saa7164-bus.c:463:9: got restricted __le32 [usertype] <noident>
drivers/media/pci/saa7164/saa7164-bus.c:466:21: warning: cast to restricted __le16
drivers/media/pci/saa7164/saa7164-bus.c:467:24: warning: cast to restricted __le32
drivers/media/pci/saa7164/saa7164-bus.c:468:32: warning: cast to restricted __le16
drivers/media/pci/saa7164/saa7164-buffer.c:122:18: warning: incorrect type in assignment (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:122:18: expected unsigned long long [noderef] [usertype] <asn:2>*cpu
drivers/media/pci/saa7164/saa7164-buffer.c:122:18: got void *
drivers/media/pci/saa7164/saa7164-buffer.c:127:21: warning: incorrect type in assignment (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:127:21: expected unsigned long long [noderef] [usertype] <asn:2>*pt_cpu
drivers/media/pci/saa7164/saa7164-buffer.c:127:21: got void *
drivers/media/pci/saa7164/saa7164-buffer.c:134:20: warning: cast removes address space of expression
drivers/media/pci/saa7164/saa7164-buffer.c:156:63: warning: incorrect type in argument 3 (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:156:63: expected void *vaddr
drivers/media/pci/saa7164/saa7164-buffer.c:156:63: got unsigned long long [noderef] [usertype] <asn:2>*cpu
drivers/media/pci/saa7164/saa7164-buffer.c:179:57: warning: incorrect type in argument 3 (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:179:57: expected void *vaddr
drivers/media/pci/saa7164/saa7164-buffer.c:179:57: got unsigned long long [noderef] [usertype] <asn:2>*cpu
drivers/media/pci/saa7164/saa7164-buffer.c:180:56: warning: incorrect type in argument 3 (different address spaces)
drivers/media/pci/saa7164/saa7164-buffer.c:180:56: expected void *vaddr
drivers/media/pci/saa7164/saa7164-buffer.c:180:56: got unsigned long long [noderef] [usertype] <asn:2>*pt_cpu
drivers/media/pci/saa7164/saa7164-buffer.c:84:17: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-buffer.c:147:31: warning: dereference of noderef expression
drivers/media/pci/saa7164/saa7164-buffer.c:148:17: warning: dereference of noderef expression
Most are caused by pointers marked as __iomem when they aren't or not marked as
__iomem when they should.
Also note that readl/writel already do endian conversion, so there is no need to
do it again.
saa7164_bus_set/get were a bit tricky: you have to make sure the msg endian
conversion is done at the right time, and that the code isn't using fields that
are still little endian instead of cpu-endianness.
The approach chosen is to convert just before writing to the ring buffer
and to convert it back right after reading from the ring buffer.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Cc: Steven Toth <stoth@kernellabs.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/pci/saa7164/saa7164-buffer.c | 4 +-
drivers/media/pci/saa7164/saa7164-bus.c | 101 +++++++++++++++++------------
drivers/media/pci/saa7164/saa7164-core.c | 13 ++--
drivers/media/pci/saa7164/saa7164-fw.c | 6 +-
drivers/media/pci/saa7164/saa7164-types.h | 4 +-
drivers/media/pci/saa7164/saa7164.h | 4 +-
6 files changed, 74 insertions(+), 58 deletions(-)
--- a/drivers/media/pci/saa7164/saa7164-buffer.c
+++ b/drivers/media/pci/saa7164/saa7164-buffer.c
@@ -130,9 +130,9 @@ struct saa7164_buffer *saa7164_buffer_al
goto fail2;
/* init the buffers to a known pattern, easier during debugging */
- memset_io(buf->cpu, 0xff, buf->pci_size);
+ memset(buf->cpu, 0xff, buf->pci_size);
buf->crc = crc32(0, buf->cpu, buf->actual_size);
- memset_io(buf->pt_cpu, 0xff, buf->pt_size);
+ memset(buf->pt_cpu, 0xff, buf->pt_size);
dprintk(DBGLVL_BUF, "%s() allocated buffer @ 0x%p (%d pageptrs)\n",
__func__, buf, params->numpagetables);
--- a/drivers/media/pci/saa7164/saa7164-bus.c
+++ b/drivers/media/pci/saa7164/saa7164-bus.c
@@ -33,12 +33,12 @@ int saa7164_bus_setup(struct saa7164_dev
b->Type = TYPE_BUS_PCIe;
b->m_wMaxReqSize = SAA_DEVICE_MAXREQUESTSIZE;
- b->m_pdwSetRing = (u8 *)(dev->bmmio +
+ b->m_pdwSetRing = (u8 __iomem *)(dev->bmmio +
((u32)dev->busdesc.CommandRing));
b->m_dwSizeSetRing = SAA_DEVICE_BUFFERBLOCKSIZE;
- b->m_pdwGetRing = (u8 *)(dev->bmmio +
+ b->m_pdwGetRing = (u8 __iomem *)(dev->bmmio +
((u32)dev->busdesc.ResponseRing));
b->m_dwSizeGetRing = SAA_DEVICE_BUFFERBLOCKSIZE;
@@ -138,6 +138,7 @@ int saa7164_bus_set(struct saa7164_dev *
u32 bytes_to_write, free_write_space, timeout, curr_srp, curr_swp;
u32 new_swp, space_rem;
int ret = SAA_ERR_BAD_PARAMETER;
+ u16 size;
if (!msg) {
printk(KERN_ERR "%s() !msg\n", __func__);
@@ -148,10 +149,6 @@ int saa7164_bus_set(struct saa7164_dev *
saa7164_bus_verify(dev);
- msg->size = cpu_to_le16(msg->size);
- msg->command = cpu_to_le32(msg->command);
- msg->controlselector = cpu_to_le16(msg->controlselector);
-
if (msg->size > dev->bus.m_wMaxReqSize) {
printk(KERN_ERR "%s() Exceeded dev->bus.m_wMaxReqSize\n",
__func__);
@@ -169,8 +166,8 @@ int saa7164_bus_set(struct saa7164_dev *
bytes_to_write = sizeof(*msg) + msg->size;
free_write_space = 0;
timeout = SAA_BUS_TIMEOUT;
- curr_srp = le32_to_cpu(saa7164_readl(bus->m_dwSetReadPos));
- curr_swp = le32_to_cpu(saa7164_readl(bus->m_dwSetWritePos));
+ curr_srp = saa7164_readl(bus->m_dwSetReadPos);
+ curr_swp = saa7164_readl(bus->m_dwSetWritePos);
/* Deal with ring wrapping issues */
if (curr_srp > curr_swp)
@@ -203,7 +200,7 @@ int saa7164_bus_set(struct saa7164_dev *
mdelay(1);
/* Check the space usage again */
- curr_srp = le32_to_cpu(saa7164_readl(bus->m_dwSetReadPos));
+ curr_srp = saa7164_readl(bus->m_dwSetReadPos);
/* Deal with ring wrapping issues */
if (curr_srp > curr_swp)
@@ -223,6 +220,16 @@ int saa7164_bus_set(struct saa7164_dev *
dprintk(DBGLVL_BUS, "%s() bus->m_dwSizeSetRing = %x\n", __func__,
bus->m_dwSizeSetRing);
+ /*
+ * Make a copy of msg->size before it is converted to le16 since it is
+ * used in the code below.
+ */
+ size = msg->size;
+ /* Convert to le16/le32 */
+ msg->size = (__force u16)cpu_to_le16(msg->size);
+ msg->command = (__force u32)cpu_to_le32(msg->command);
+ msg->controlselector = (__force u16)cpu_to_le16(msg->controlselector);
+
/* Mental Note: line 462 tmmhComResBusPCIe.cpp */
/* Check if we're going to wrap again */
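Review bot: converting the caller's msg to little endian in place, with __force casts back into the u16/u32 fields, leaves the struct holding wire-order values until the convert-back at the end of the function, and needs the separate size copy to keep the later length arithmetic correct. Filling a local header copy with properly typed __le16/__le32 fields and passing that to memcpy_toio() would leave msg untouched, drop the __force casts, and remove the risk of an exit path returning msg to the caller in the wrong byte order.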
@@ -243,28 +250,28 @@ int saa7164_bus_set(struct saa7164_dev *
dprintk(DBGLVL_BUS, "%s() tr4\n", __func__);
/* Split the msg into pieces as the ring wraps */
- memcpy(bus->m_pdwSetRing + curr_swp, msg, space_rem);
- memcpy(bus->m_pdwSetRing, (u8 *)msg + space_rem,
+ memcpy_toio(bus->m_pdwSetRing + curr_swp, msg, space_rem);
+ memcpy_toio(bus->m_pdwSetRing, (u8 *)msg + space_rem,
sizeof(*msg) - space_rem);
- memcpy(bus->m_pdwSetRing + sizeof(*msg) - space_rem,
- buf, msg->size);
+ memcpy_toio(bus->m_pdwSetRing + sizeof(*msg) - space_rem,
+ buf, size);
} else if (space_rem == sizeof(*msg)) {
dprintk(DBGLVL_BUS, "%s() tr5\n", __func__);
/* Additional data at the beginning of the ring */
- memcpy(bus->m_pdwSetRing + curr_swp, msg, sizeof(*msg));
- memcpy(bus->m_pdwSetRing, buf, msg->size);
+ memcpy_toio(bus->m_pdwSetRing + curr_swp, msg, sizeof(*msg));
+ memcpy_toio(bus->m_pdwSetRing, buf, size);
} else {
/* Additional data wraps around the ring */
- memcpy(bus->m_pdwSetRing + curr_swp, msg, sizeof(*msg));
- if (msg->size > 0) {
- memcpy(bus->m_pdwSetRing + curr_swp +
+ memcpy_toio(bus->m_pdwSetRing + curr_swp, msg, sizeof(*msg));
+ if (size > 0) {
+ memcpy_toio(bus->m_pdwSetRing + curr_swp +
sizeof(*msg), buf, space_rem -
sizeof(*msg));
- memcpy(bus->m_pdwSetRing, (u8 *)buf +
+ memcpy_toio(bus->m_pdwSetRing, (u8 *)buf +
space_rem - sizeof(*msg),
bytes_to_write - space_rem);
}
@@ -276,15 +283,20 @@ int saa7164_bus_set(struct saa7164_dev *
dprintk(DBGLVL_BUS, "%s() tr6\n", __func__);
/* The ring buffer doesn't wrap, two simple copies */
- memcpy(bus->m_pdwSetRing + curr_swp, msg, sizeof(*msg));
- memcpy(bus->m_pdwSetRing + curr_swp + sizeof(*msg), buf,
- msg->size);
+ memcpy_toio(bus->m_pdwSetRing + curr_swp, msg, sizeof(*msg));
+ memcpy_toio(bus->m_pdwSetRing + curr_swp + sizeof(*msg), buf,
+ size);
}
dprintk(DBGLVL_BUS, "%s() new_swp = %x\n", __func__, new_swp);
/* Update the bus write position */
- saa7164_writel(bus->m_dwSetWritePos, cpu_to_le32(new_swp));
+ saa7164_writel(bus->m_dwSetWritePos, new_swp);
+
+ /* Convert back to cpu after writing the msg to the ringbuffer. */
+ msg->size = le16_to_cpu((__force __le16)msg->size);
+ msg->command = le32_to_cpu((__force __le32)msg->command);
+ msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
ret = SAA_OK;
out:
@@ -336,8 +348,8 @@ int saa7164_bus_get(struct saa7164_dev *
/* Peek the bus to see if a msg exists, if it's not what we're expecting
* then return cleanly else read the message from the bus.
*/
- curr_gwp = le32_to_cpu(saa7164_readl(bus->m_dwGetWritePos));
- curr_grp = le32_to_cpu(saa7164_readl(bus->m_dwGetReadPos));
+ curr_gwp = saa7164_readl(bus->m_dwGetWritePos);
+ curr_grp = saa7164_readl(bus->m_dwGetReadPos);
if (curr_gwp == curr_grp) {
ret = SAA_ERR_EMPTY;
@@ -369,14 +381,18 @@ int saa7164_bus_get(struct saa7164_dev *
new_grp -= bus->m_dwSizeGetRing;
space_rem = bus->m_dwSizeGetRing - curr_grp;
- memcpy(&msg_tmp, bus->m_pdwGetRing + curr_grp, space_rem);
- memcpy((u8 *)&msg_tmp + space_rem, bus->m_pdwGetRing,
+ memcpy_fromio(&msg_tmp, bus->m_pdwGetRing + curr_grp, space_rem);
+ memcpy_fromio((u8 *)&msg_tmp + space_rem, bus->m_pdwGetRing,
bytes_to_read - space_rem);
} else {
/* No wrapping */
- memcpy(&msg_tmp, bus->m_pdwGetRing + curr_grp, bytes_to_read);
+ memcpy_fromio(&msg_tmp, bus->m_pdwGetRing + curr_grp, bytes_to_read);
}
+ /* Convert from little endian to CPU */
+ msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
+ msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
+ msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
/* No need to update the read positions, because this was a peek */
/* If the caller specifically want to peek, return */
@@ -427,24 +443,24 @@ int saa7164_bus_get(struct saa7164_dev *
if (space_rem < sizeof(*msg)) {
/* msg wraps around the ring */
- memcpy(msg, bus->m_pdwGetRing + curr_grp, space_rem);
- memcpy((u8 *)msg + space_rem, bus->m_pdwGetRing,
+ memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
+ memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
sizeof(*msg) - space_rem);
if (buf)
- memcpy(buf, bus->m_pdwGetRing + sizeof(*msg) -
+ memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
space_rem, buf_size);
} else if (space_rem == sizeof(*msg)) {
- memcpy(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+ memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
if (buf)
- memcpy(buf, bus->m_pdwGetRing, buf_size);
+ memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
} else {
/* Additional data wraps around the ring */
- memcpy(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+ memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
if (buf) {
- memcpy(buf, bus->m_pdwGetRing + curr_grp +
+ memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
sizeof(*msg), space_rem - sizeof(*msg));
- memcpy(buf + space_rem - sizeof(*msg),
+ memcpy_fromio(buf + space_rem - sizeof(*msg),
bus->m_pdwGetRing, bytes_to_read -
space_rem);
}
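Review bot: every branch of this hunk copies the message header from bus->m_pdwGetRing + curr_grp into msg a second time, after the peek above already copied the same bytes into msg_tmp. Because the ring is device memory, the second read can return different contents from the ones that were examined in msg_tmp. Copy the header from msg_tmp instead and keep memcpy_fromio() for the payload in buf only.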
@@ -453,19 +469,20 @@ int saa7164_bus_get(struct saa7164_dev *
} else {
/* No wrapping */
- memcpy(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
+ memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
if (buf)
- memcpy(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
+ memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
buf_size);
}
+ /* Convert from little endian to CPU */
+ msg->size = le16_to_cpu((__force __le16)msg->size);
+ msg->command = le32_to_cpu((__force __le32)msg->command);
+ msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
/* Update the read positions, adjusting the ring */
- saa7164_writel(bus->m_dwGetReadPos, cpu_to_le32(new_grp));
+ saa7164_writel(bus->m_dwGetReadPos, new_grp);
peekout:
- msg->size = le16_to_cpu(msg->size);
- msg->command = le32_to_cpu(msg->command);
- msg->controlselector = le16_to_cpu(msg->controlselector);
ret = SAA_OK;
out:
mutex_unlock(&bus->lock);
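Review bot: the three-line little-endian conversion of size, command and controlselector added above peekout is now open-coded in three places in this patch, each with (__force __le16) or (__force __le32) casts on fields that are declared CPU-endian. A small helper that converts a message header in place, or a wire-format struct with __le16/__le32 fields, would keep the copies from drifting apart and would let sparse check the conversions instead of being silenced by __force.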
--- a/drivers/media/pci/saa7164/saa7164-core.c
+++ b/drivers/media/pci/saa7164/saa7164-core.c
@@ -119,7 +119,7 @@ static void saa7164_ts_verifier(struct s
u32 i;
u8 cc, a;
u16 pid;
- u8 __iomem *bufcpu = (u8 *)buf->cpu;
+ u8 *bufcpu = (u8 *)buf->cpu;
port->sync_errors = 0;
port->v_cc_errors = 0;
@@ -260,7 +260,7 @@ static void saa7164_work_enchandler_help
struct saa7164_user_buffer *ubuf = NULL;
struct list_head *c, *n;
int i = 0;
- u8 __iomem *p;
+ u8 *p;
mutex_lock(&port->dmaqueue_lock);
list_for_each_safe(c, n, &port->dmaqueue.list) {
@@ -318,8 +318,7 @@ static void saa7164_work_enchandler_help
if (buf->actual_size <= ubuf->actual_size) {
- memcpy_fromio(ubuf->data, buf->cpu,
- ubuf->actual_size);
+ memcpy(ubuf->data, buf->cpu, ubuf->actual_size);
if (crc_checking) {
/* Throw a new checksum on the read buffer */
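Review bot: the guard is buf->actual_size <= ubuf->actual_size, yet the memcpy() length is ubuf->actual_size, the larger of the two, so the copy can read past the buf->actual_size bytes that the DMA buffer reports as valid. This predates the patch, but since the line is being rewritten anyway, consider copying buf->actual_size bytes, or state in a comment why the full ubuf->actual_size is always backed by buf->cpu.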
@@ -346,7 +345,7 @@ static void saa7164_work_enchandler_help
* with known bad data. We check for this data at a later point
* in time. */
saa7164_buffer_zero_offsets(port, bufnr);
- memset_io(buf->cpu, 0xff, buf->pci_size);
+ memset(buf->cpu, 0xff, buf->pci_size);
if (crc_checking) {
/* Throw yet aanother new checksum on the dma buffer */
buf->crc = crc32(0, buf->cpu, buf->actual_size);
@@ -1096,7 +1095,7 @@ static int saa7164_proc_show(struct seq_
if (c == 0)
seq_printf(m, " %04x:", i);
- seq_printf(m, " %02x", *(b->m_pdwSetRing + i));
+ seq_printf(m, " %02x", readb(b->m_pdwSetRing + i));
if (++c == 16) {
seq_printf(m, "\n");
@@ -1111,7 +1110,7 @@ static int saa7164_proc_show(struct seq_
if (c == 0)
seq_printf(m, " %04x:", i);
- seq_printf(m, " %02x", *(b->m_pdwGetRing + i));
+ seq_printf(m, " %02x", readb(b->m_pdwGetRing + i));
if (++c == 16) {
seq_printf(m, "\n");
--- a/drivers/media/pci/saa7164/saa7164-fw.c
+++ b/drivers/media/pci/saa7164/saa7164-fw.c
@@ -72,7 +72,7 @@ static int saa7164_dl_wait_clr(struct sa
/* TODO: move dlflags into dev-> and change to write/readl/b */
/* TODO: Excessive levels of debug */
static int saa7164_downloadimage(struct saa7164_dev *dev, u8 *src, u32 srcsize,
- u32 dlflags, u8 *dst, u32 dstsize)
+ u32 dlflags, u8 __iomem *dst, u32 dstsize)
{
u32 reg, timeout, offset;
u8 *srcbuf = NULL;
@@ -136,7 +136,7 @@ static int saa7164_downloadimage(struct
srcsize -= dstsize, offset += dstsize) {
dprintk(DBGLVL_FW, "%s() memcpy %d\n", __func__, dstsize);
- memcpy(dst, srcbuf + offset, dstsize);
+ memcpy_toio(dst, srcbuf + offset, dstsize);
/* Flag the data as ready */
saa7164_writel(drflag, 1);
@@ -154,7 +154,7 @@ static int saa7164_downloadimage(struct
dprintk(DBGLVL_FW, "%s() memcpy(l) %d\n", __func__, dstsize);
/* Write last block to the device */
- memcpy(dst, srcbuf+offset, srcsize);
+ memcpy_toio(dst, srcbuf+offset, srcsize);
/* Flag the data as ready */
saa7164_writel(drflag, 1);
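Review bot: in the last-block path the dprintk() reports dstsize while the memcpy_toio() that follows copies srcsize bytes, so the debug output does not match the transfer; print srcsize. The message text in both download paths also still says memcpy although the call is now memcpy_toio().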
--- a/drivers/media/pci/saa7164/saa7164-types.h
+++ b/drivers/media/pci/saa7164/saa7164-types.h
@@ -78,9 +78,9 @@ enum tmBusType {
struct tmComResBusInfo {
enum tmBusType Type;
u16 m_wMaxReqSize;
- u8 *m_pdwSetRing;
+ u8 __iomem *m_pdwSetRing;
u32 m_dwSizeSetRing;
- u8 *m_pdwGetRing;
+ u8 __iomem *m_pdwGetRing;
u32 m_dwSizeGetRing;
u32 m_dwSetWritePos;
u32 m_dwSetReadPos;
--- a/drivers/media/pci/saa7164/saa7164.h
+++ b/drivers/media/pci/saa7164/saa7164.h
@@ -313,13 +313,13 @@ struct saa7164_buffer {
/* A block of page align PCI memory */
u32 pci_size; /* PCI allocation size in bytes */
- u64 __iomem *cpu; /* Virtual address */
+ u64 *cpu; /* Virtual address */
dma_addr_t dma; /* Physical address */
u32 crc; /* Checksum for the entire buffer data */
/* A page table that splits the block into a number of entries */
u32 pt_size; /* PCI allocation size in bytes */
- u64 __iomem *pt_cpu; /* Virtual address */
+ u64 *pt_cpu; /* Virtual address */
dma_addr_t pt_dma; /* Physical address */
/* Encoder fops */
* [PATCH 3.16 049/192] i2c: cadance: fix ctrl/addr reg write order
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, John Linn, Matt Weber, Wolfram Sang, Paresh Chaudhary
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matt Weber <matthew.weber@rockwellcollins.com>
commit 8064c616984eaa015f018dba595d78cd24a0cc8c upstream.
The driver was clearing the hold bit in the control register before
writing to the address register which resulted in a stop condition
being generated rather than a repeated start.
This issue was only observed when a system was running much
slower than a normal processor would execute. The IP data sheet
mentions an ordering of writing to the address register before
clearing the hold.
Fixes: df8eb5691c4 ("i2c: Add driver for Cadence I2C controller")
Signed-off-by: John Linn <john.linn@xilinx.com>
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/i2c/busses/i2c-cadence.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/i2c/busses/i2c-cadence.c
+++ b/drivers/i2c/busses/i2c-cadence.c
@@ -340,14 +340,14 @@ static void cdns_i2c_mrecv(struct cdns_i
CDNS_I2C_XFER_SIZE_OFFSET);
else
cdns_i2c_writereg(id->recv_count, CDNS_I2C_XFER_SIZE_OFFSET);
+ /* Set the slave address in address register - triggers operation */
+ cdns_i2c_writereg(id->p_msg->addr & CDNS_I2C_ADDR_MASK,
+ CDNS_I2C_ADDR_OFFSET);
/* Clear the bus hold flag if bytes to receive is less than FIFO size */
if (!id->bus_hold_flag &&
((id->p_msg->flags & I2C_M_RECV_LEN) != I2C_M_RECV_LEN) &&
(id->recv_count <= CDNS_I2C_FIFO_DEPTH))
cdns_i2c_clear_bus_hold(id);
- /* Set the slave address in address register - triggers operation */
- cdns_i2c_writereg(id->p_msg->addr & CDNS_I2C_ADDR_MASK,
- CDNS_I2C_ADDR_OFFSET);
cdns_i2c_writereg(CDNS_I2C_ENABLED_INTR_MASK, CDNS_I2C_IER_OFFSET);
}
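Review bot: the moved comment still only says that the address write triggers the operation; it does not record that this write has to come before cdns_i2c_clear_bus_hold(), which is the whole point of the change. Add a sentence to the comment on the hold-clearing block saying that the hold bit must be cleared only after the address register is written, otherwise a stop is generated instead of a repeated start, so that a later cleanup does not reorder the two writes again.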
* [PATCH 3.16 069/192] MIPS: math-emu: Prevent wrong ISA mode instruction emulation
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Ralf Baechle, linux-mips, Maciej W. Rozycki, James Hogan
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Maciej W. Rozycki" <macro@imgtec.com>
commit 13769ebad0c42738831787e27c7c7f982e7da579 upstream.
Terminate FPU emulation immediately whenever an ISA mode switch has been
observed. This is so that we do not interpret machine code in the wrong
mode, for example when a regular MIPS FPU instruction has been placed in
a delay slot of a jump that switches into the MIPS16 mode, as with the
following code (taken from a GCC test suite case):
00400650 <set_fast_math>:
400650: 3c020100 lui v0,0x100
400654: 03e00008 jr ra
400658: 44c2f800 ctc1 v0,c1_fcsr
40065c: 00000000 nop
[...]
004012d0 <__libc_csu_init>:
4012d0: f000 6a02 li v0,2
4012d4: f150 0b1c la v1,3f9430 <_DYNAMIC-0x6df0>
4012d8: f400 3240 sll v0,16
4012dc: e269 addu v0,v1
4012de: 659a move gp,v0
4012e0: f00c 64f6 save a0-a2,48,ra,s0-s1
4012e4: 673c move s1,gp
4012e6: f010 9978 lw v1,-32744(s1)
4012ea: d204 sw v0,16(sp)
4012ec: eb40 jalr v1
4012ee: 653b move t9,v1
4012f0: f010 997c lw v1,-32740(s1)
4012f4: f030 9920 lw s1,-32736(s1)
4012f8: e32f subu v1,s1
4012fa: 326b sra v0,v1,2
4012fc: d206 sw v0,24(sp)
4012fe: 220c beqz v0,401318 <__libc_csu_init+0x48>
401300: 6800 li s0,0
401302: 99e0 lw a3,0(s1)
401304: 4801 addiu s0,1
401306: 960e lw a2,56(sp)
401308: 4904 addiu s1,4
40130a: 950d lw a1,52(sp)
40130c: 940c lw a0,48(sp)
40130e: ef40 jalr a3
401310: 653f move t9,a3
401312: 9206 lw v0,24(sp)
401314: ea0a cmp v0,s0
401316: 61f5 btnez 401302 <__libc_csu_init+0x32>
401318: 6476 restore 48,ra,s0-s1
40131a: e8a0 jrc ra
Here `set_fast_math' is called from `40130e' (`40130f' with the ISA bit)
and emulation triggers for the CTC1 instruction. As it is in a jump
delay slot emulation continues from `401312' (`401313' with the ISA
bit). However we have no path to handle MIPS16 FPU code emulation,
because there are no MIPS16 FPU instructions. So the default emulation
path is taken, interpreting a 32-bit word fetched by `get_user' from
`401313' as a regular MIPS instruction, which is:
401313: f5ea0a92 sdc1 $f10,2706(t7)
This makes the FPU emulator proceed with the supposed SDC1 instruction
and consequently makes the program considered here terminate with
SIGSEGV.
A similar although less severe issue exists with pure-microMIPS
processors in the case where similarly an FPU instruction is emulated in
a delay slot of a register jump that (incorrectly) switches into the
regular MIPS mode. A subsequent instruction fetch from the jump's
target is supposed to cause an Address Error exception, however instead
we proceed with regular MIPS FPU emulation.
For simplicity then, always terminate the emulation loop whenever a mode
change is detected, denoted by an ISA mode bit flip. As from commit
377cb1b6c16a ("MIPS: Disable MIPS16/microMIPS crap for platforms not
supporting these ASEs.") the result of `get_isa16_mode' can be hardcoded
to 0, so we need to examine the ISA mode bit by hand.
This complements commit 102cedc32a6e ("MIPS: microMIPS: Floating point
support.") which added JALX decoding to FPU emulation.
Fixes: 102cedc32a6e ("MIPS: microMIPS: Floating point support.")
Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16393/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/math-emu/cp1emu.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -1856,6 +1856,35 @@ dcopuop:
return 0;
}
+/*
+ * Emulate FPU instructions.
+ *
+ * If we use FPU hardware, then we have been typically called to handle
+ * an unimplemented operation, such as where an operand is a NaN or
+ * denormalized. In that case exit the emulation loop after a single
+ * iteration so as to let hardware execute any subsequent instructions.
+ *
+ * If we have no FPU hardware or it has been disabled, then continue
+ * emulating floating-point instructions until one of these conditions
+ * has occurred:
+ *
+ * - a non-FPU instruction has been encountered,
+ *
+ * - an attempt to emulate has ended with a signal,
+ *
+ * - the ISA mode has been switched.
+ *
+ * We need to terminate the emulation loop if we got switched to the
+ * MIPS16 mode, whether supported or not, so that we do not attempt
+ * to emulate a MIPS16 instruction as a regular MIPS FPU instruction.
+ * Similarly if we got switched to the microMIPS mode and only the
+ * regular MIPS mode is supported, so that we do not attempt to emulate
+ * a microMIPS instruction as a regular MIPS FPU instruction. Or if
+ * we got switched to the regular MIPS mode and only the microMIPS mode
+ * is supported, so that we do not attempt to emulate a regular MIPS
+ * instruction that should cause an Address Error exception instead.
+ * For simplicity we always terminate upon an ISA mode switch.
+ */
int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
int has_fpu, void *__user *fault_addr)
{
@@ -1943,6 +1972,15 @@ int fpu_emulator_cop1Handler(struct pt_r
break;
if (sig)
break;
+ /*
+ * We have to check for the ISA bit explicitly here,
+ * because `get_isa16_mode' may return 0 if support
+ * for code compression has been globally disabled,
+ * or otherwise we may produce the wrong signal or
+ * even proceed successfully where we must not.
+ */
+ if ((xcp->cp0_epc ^ prevepc) & 0x1)
+ break;
cond_resched();
} while (xcp->cp0_epc > prevepc);
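Review bot: the new test (xcp->cp0_epc ^ prevepc) & 0x1 hardcodes the ISA mode bit as a bare 0x1, while the loop condition below still compares xcp->cp0_epc > prevepc with that bit included. A named constant or a small helper for the ISA bit would make both uses self-explanatory; the comment explains why `get_isa16_mode' cannot be used but not which bit is being tested.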
* [PATCH 3.16 019/192] kvm: x86: Guest BNDCFGS requires guest MPX support
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jim Mattson, Radim Krčmář
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit 4439af9f911ae0243ffe4e2dfc12bace49605d8b upstream.
The BNDCFGS MSR should only be exposed to the guest if the guest
supports MPX. (cf. the TSC_AUX MSR and RDTSCP.)
Fixes: 0dd376e709975779 ("KVM: x86: add MSR_IA32_BNDCFGS to msrs_to_save")
Change-Id: I3ad7c01bda616715137ceac878f3fa7e66b6b387
Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/cpuid.h | 8 ++++++++
arch/x86/kvm/vmx.c | 4 ++--
2 files changed, 10 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -95,4 +95,13 @@ static inline bool guest_cpuid_has_gbpag
best = kvm_find_cpuid_entry(vcpu, 0x80000001, 0);
return best && (best->edx & bit(X86_FEATURE_GBPAGES));
}
+
+static inline bool guest_cpuid_has_mpx(struct kvm_vcpu *vcpu)
+{
+ struct kvm_cpuid_entry2 *best;
+
+ best = kvm_find_cpuid_entry(vcpu, 7, 0);
+ return best && (best->ebx & bit(X86_FEATURE_MPX));
+}
+
#endif
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2514,7 +2514,7 @@ static int vmx_get_msr(struct kvm_vcpu *
data = vmcs_readl(GUEST_SYSENTER_ESP);
break;
case MSR_IA32_BNDCFGS:
- if (!vmx_mpx_supported())
+ if (!vmx_mpx_supported() || !guest_cpuid_has_mpx(vcpu))
return 1;
data = vmcs_read64(GUEST_BNDCFGS);
break;
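Review bot: the added !guest_cpuid_has_mpx(vcpu) test in the MSR_IA32_BNDCFGS case applies to every caller of vmx_get_msr(), and the visible lines make no distinction between an access by the guest and one made by the host when it saves guest state. The Fixes tag names the commit that put this MSR into msrs_to_save, so please confirm that reading the saved MSR list still succeeds for a vCPU whose CPUID does not advertise MPX, rather than failing on the return 1.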
@@ -2587,7 +2587,7 @@ static int vmx_set_msr(struct kvm_vcpu *
vmcs_writel(GUEST_SYSENTER_ESP, data);
break;
case MSR_IA32_BNDCFGS:
- if (!vmx_mpx_supported())
+ if (!vmx_mpx_supported() || !guest_cpuid_has_mpx(vcpu))
return 1;
vmcs_write64(GUEST_BNDCFGS, data);
break;
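Review bot: once both checks pass, data goes to vmcs_write64(GUEST_BNDCFGS, data) unvalidated. If the MSR has reserved bits or address constraints, an invalid value should be rejected here with return 1 instead of being loaded into the VMCS. Also confirm that a host-side restore of this MSR done before the guest CPUID has been set does not now fail on the !guest_cpuid_has_mpx(vcpu) test.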
* [PATCH 3.16 046/192] iwlwifi: mvm: fix the recovery flow while connecting
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Luca Coelho, Emmanuel Grumbach
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
commit 6b28f9784c394f0692e160f81b07c82cb64af160 upstream.
In BSS mode in the disconnection flow, mac80211 removes
the AP station before the vif is set to unassociated.
Our firmware wants it the other way around: first set
the vif as unassociated, and then remove the AP station.
In order to bridge between those two different behaviors,
iwlmvm doesn't remove the station from the firmware when
mac80211 removes it, but only after the vif is set to
unassociated. The implementation is in
iwl_mvm_bss_info_changed_station:
if (assoc state was modified && mvmvif->ap_sta_id is VALID
&& assoc state is now UNASSC)
remove_the_station_from_the_firmware()
During the recovery flow, mac80211 re-adds the AP station
and then reconfigures the vif. Since the vif is not
associated, we then enter the if above (which was
intended to be taken in the disconnection flow only) and
remove the station we just added. This defeats the
recovery flow.
Fix this by not removing the AP station in this flow if
we are in recovery flow.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/iwlwifi/mvm/mac80211.c | 32 ++++++++++++++++++-----
1 file changed, 25 insertions(+), 7 deletions(-)
--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
@@ -1315,14 +1315,32 @@ static void iwl_mvm_bss_info_changed_sta
WARN_ONCE(iwl_mvm_sf_update(mvm, vif, false),
"Failed to update SF upon disassociation\n");
- /* remove AP station now that the MAC is unassoc */
- ret = iwl_mvm_rm_sta_id(mvm, vif, mvmvif->ap_sta_id);
- if (ret)
- IWL_ERR(mvm, "failed to remove AP station\n");
+ /*
+ * If we get an assert during the connection (after the
+ * station has been added, but before the vif is set
+ * to associated), mac80211 will re-add the station and
+ * then configure the vif. Since the vif is not
+ * associated, we would remove the station here and
+ * this would fail the recovery.
+ */
+ if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART,
+ &mvm->status)) {
+ /*
+ * Remove AP station now that
+ * the MAC is unassoc
+ */
+ ret = iwl_mvm_rm_sta_id(mvm, vif,
+ mvmvif->ap_sta_id);
+ if (ret)
+ IWL_ERR(mvm,
+ "failed to remove AP station\n");
+
+ if (mvm->d0i3_ap_sta_id == mvmvif->ap_sta_id)
+ mvm->d0i3_ap_sta_id =
+ IWL_MVM_STATION_COUNT;
+ mvmvif->ap_sta_id = IWL_MVM_STATION_COUNT;
+ }
- if (mvm->d0i3_ap_sta_id == mvmvif->ap_sta_id)
- mvm->d0i3_ap_sta_id = IWL_MVM_STATION_COUNT;
- mvmvif->ap_sta_id = IWL_MVM_STATION_COUNT;
/* remove quota for this interface */
ret = iwl_mvm_update_quotas(mvm, NULL);
if (ret)
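Review bot: the new comment describes one case (an assert during connection), but the test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status) condition skips the station removal, and with it the reset of mvmvif->ap_sta_id and mvm->d0i3_ap_sta_id, on any pass through this block during a hardware restart. Say in the comment that ap_sta_id is deliberately left valid in that case, so a reader does not take the missing reset for an oversight.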
* [PATCH 3.16 132/192] [media] saa7164: fix double fetch PCIe access condition
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Pengfei Wang, Mauro Carvalho Chehab, Steven Toth
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Steven Toth <stoth@kernellabs.com>
commit 6fb05e0dd32e566facb96ea61a48c7488daa5ac3 upstream.
Avoid a double fetch by reusing the values from the prior transfer.
Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
Thanks to Pengfei Wang <wpengfeinudt@gmail.com> for reporting.
Signed-off-by: Steven Toth <stoth@kernellabs.com>
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
--- a/drivers/media/pci/saa7164/saa7164-bus.c
+++ b/drivers/media/pci/saa7164/saa7164-bus.c
@@ -393,11 +393,11 @@ int saa7164_bus_get(struct saa7164_dev *
msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
+ memcpy(msg, &msg_tmp, sizeof(*msg));
/* No need to update the read positions, because this was a peek */
/* If the caller specifically want to peek, return */
if (peekonly) {
- memcpy(msg, &msg_tmp, sizeof(*msg));
goto peekout;
}
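Review bot: with memcpy(msg, &msg_tmp, sizeof(*msg)) moved ahead of the peekonly test, the caller's msg is overwritten on every path, not just on a peek. Check that no code between this point and the ring copies still reads caller-supplied fields of msg to decide whether the message is the expected one, since those fields now hold the device's values. The comment "No need to update the read positions, because this was a peek" is also left above a path that may not be a peek; move it inside the if (peekonly) block.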
@@ -442,21 +442,15 @@ int saa7164_bus_get(struct saa7164_dev *
space_rem = bus->m_dwSizeGetRing - curr_grp;
if (space_rem < sizeof(*msg)) {
- /* msg wraps around the ring */
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
- sizeof(*msg) - space_rem);
if (buf)
memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
space_rem, buf_size);
} else if (space_rem == sizeof(*msg)) {
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
if (buf)
memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
} else {
/* Additional data wraps around the ring */
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
if (buf) {
memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
sizeof(*msg), space_rem - sizeof(*msg));
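Review bot: after the header copies are removed, the three space_rem branches differ only in how buf is filled, and the first two bodies are a lone if (buf). Hoist the if (buf) test around the whole space_rem comparison, and restore a short comment on the first branch, since the removed "msg wraps around the ring" line was the only explanation of why its source offset is sizeof(*msg) - space_rem.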
@@ -469,15 +463,10 @@ int saa7164_bus_get(struct saa7164_dev *
} else {
/* No wrapping */
- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
if (buf)
memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
buf_size);
}
- /* Convert from little endian to CPU */
- msg->size = le16_to_cpu((__force __le16)msg->size);
- msg->command = le32_to_cpu((__force __le32)msg->command);
- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
/* Update the read positions, adjusting the ring */
saa7164_writel(bus->m_dwGetReadPos, new_grp);
* [PATCH 3.16 072/192] MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn'
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, James Hogan, Maciej W. Rozycki, linux-mips, Ralf Baechle
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Maciej W. Rozycki" <macro@imgtec.com>
commit 7b82c1058ac1f8f8b9f2b8786b1f710a57a870a8 upstream.
Fix commit e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.") and
send SIGILL rather than SIGBUS whenever an unimplemented BPOSGE32 DSP
ASE instruction has been encountered in `__compute_return_epc_for_insn'
as our Reserved Instruction exception handler would in response to an
attempt to actually execute the instruction. Sending SIGBUS only makes
sense for the unaligned PC case, since moved to `__compute_return_epc'.
Adjust function documentation accordingly, correct formatting and use
`pr_info' rather than `printk' as the other exit path already does.
Fixes: e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.")
Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16396/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/branch.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/arch/mips/kernel/branch.c
+++ b/arch/mips/kernel/branch.c
@@ -396,7 +396,7 @@ int __MIPS16e_compute_return_epc(struct
*
* @regs: Pointer to pt_regs
* @insn: branch instruction to decode
- * @returns: -EFAULT on error and forces SIGBUS, and on success
+ * @returns: -EFAULT on error and forces SIGILL, and on success
* returns 0 or BRANCH_LIKELY_TAKEN as appropriate after
* evaluating the branch.
*/
@@ -633,8 +633,9 @@ int __compute_return_epc_for_insn(struct
return ret;
sigill:
- printk("%s: DSP branch but not DSP ASE - sending SIGBUS.\n", current->comm);
- force_sig(SIGBUS, current);
+ pr_info("%s: DSP branch but not DSP ASE - sending SIGILL.\n",
+ current->comm);
+ force_sig(SIGILL, current);
return -EFAULT;
}
EXPORT_SYMBOL_GPL(__compute_return_epc_for_insn);
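Review bot: the sigill path can be reached from user code containing a BPOSGE32 branch, and the pr_info() there is unthrottled, so a process can repeat it to fill the kernel log. Use pr_info_ratelimited(), or drop to a debug-level message, while this line is being changed.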
* [PATCH 3.16 012/192] arm64: Preventing READ_IMPLIES_EXEC propagation
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Peter Maydell, Dong Bo, Will Deacon
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dong Bo <dongbo4@huawei.com>
commit 48f99c8ec0b25756d0283ab058826ae07d14fad7 upstream.
Like arch/arm/, we inherit the READ_IMPLIES_EXEC personality flag across
fork(). This is undesirable for a number of reasons:
* ELF files that don't require executable stack can end up with it
anyway
* We end up performing un-necessary I-cache maintenance when mapping
what should be non-executable pages
* Restricting what is executable is generally desirable when defending
against overflow attacks
This patch clears the personality flag when setting up the personality for
newly spawned native tasks. Given that semi-recent AArch64 toolchains emit
a non-executable PT_GNU_STACK header, userspace applications can already
not rely on READ_IMPLIES_EXEC so shouldn't be adversely affected by this
change.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dong Bo <dongbo4@huawei.com>
[will: added comment to compat code, rewrote commit message]
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm64/include/asm/elf.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/arm64/include/asm/elf.h
+++ b/arch/arm64/include/asm/elf.h
@@ -135,7 +135,11 @@ extern unsigned long randomize_et_dyn(un
*/
#define ELF_PLAT_INIT(_r, load_addr) (_r)->regs[0] = 0
-#define SET_PERSONALITY(ex) clear_thread_flag(TIF_32BIT);
+#define SET_PERSONALITY(ex) \
+({ \
+ clear_thread_flag(TIF_32BIT); \
+ current->personality &= ~READ_IMPLIES_EXEC; \
+})
/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
#define ARCH_DLINFO \
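Review bot: the native SET_PERSONALITY() gains the READ_IMPLIES_EXEC clearing without any comment, while the compat macro later in this patch gets one explaining its behaviour. Put a matching comment above this macro saying that the flag is deliberately cleared for native tasks, so the two definitions document each other.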
@@ -183,6 +187,11 @@ typedef compat_elf_greg_t compat_elf_gr
((x)->e_flags & EF_ARM_EABI_MASK))
#define compat_start_thread compat_start_thread
+/*
+ * Unlike the native SET_PERSONALITY macro, the compat version inherits
+ * READ_IMPLIES_EXEC across a fork() since this is the behaviour on
+ * arch/arm/.
+ */
#define COMPAT_SET_PERSONALITY(ex) set_thread_flag(TIF_32BIT);
#define COMPAT_ARCH_DLINFO
extern int aarch32_setup_vectors_page(struct linux_binprm *bprm,
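Review bot: COMPAT_SET_PERSONALITY() keeps its trailing semicolon inside the macro body, while the native macro was just converted to a statement expression without one; make the two consistent. The new comment gives only parity with arch/arm/ as the reason for inheriting READ_IMPLIES_EXEC, which leaves compat tasks outside the hardening the commit message argues for; say so explicitly in the comment or the changelog.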
* [PATCH 3.16 036/192] udf: Fix races with i_size changes during readpage
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 9795e0e8ac0d6a3ee092f1b555b284b57feef99e upstream.
__udf_adinicb_readpage() uses i_size several times. When truncate
changes i_size while the function is running, it can observe several
different values and thus e.g. expose uninitialized parts of page to
userspace. Also use i_size_read() in the function since it does not hold
inode_lock. Since i_size is guaranteed to be small, this cannot really
cause any issues even on 32-bit archs but let's be careful.
Fixes: 9c2fc0de1a6e638fe58c354a463f544f42a90a09
Signed-off-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/udf/file.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/fs/udf/file.c
+++ b/fs/udf/file.c
@@ -44,10 +44,15 @@ static void __udf_adinicb_readpage(struc
struct inode *inode = page->mapping->host;
char *kaddr;
struct udf_inode_info *iinfo = UDF_I(inode);
+ loff_t isize = i_size_read(inode);
+ /*
+ * We have to be careful here as truncate can change i_size under us.
+ * So just sample it once and use the same value everywhere.
+ */
kaddr = kmap(page);
- memcpy(kaddr, iinfo->i_ext.i_data + iinfo->i_lenEAttr, inode->i_size);
- memset(kaddr + inode->i_size, 0, PAGE_CACHE_SIZE - inode->i_size);
+ memcpy(kaddr, iinfo->i_ext.i_data + iinfo->i_lenEAttr, isize);
+ memset(kaddr + isize, 0, PAGE_CACHE_SIZE - isize);
flush_dcache_page(page);
SetPageUptodate(page);
kunmap(page);
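Review bot: isize is a signed loff_t and is used unchecked both as the memcpy() length and in PAGE_CACHE_SIZE - isize for the memset() length. The changelog relies on i_size being guaranteed small, but nothing in this function enforces it, and a value above PAGE_CACHE_SIZE would make the memset() length wrap. Add a WARN_ON_ONCE(isize > PAGE_CACHE_SIZE) with a clamp before kmap(), and move the explanatory comment above the isize declaration it describes.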
* [PATCH 3.16 103/192] powerpc/asm: Mark cr0 as clobbered in mftb()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Oliver O'Halloran, Michael Ellerman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oliver O'Halloran <oohall@gmail.com>
commit 2400fd822f467cb4c886c879d8ad99feac9cf319 upstream.
The workaround for the CELL timebase bug does not correctly mark cr0 as
being clobbered. This means GCC doesn't know that the asm block changes cr0 and
might leave the result of an unrelated comparison in cr0 across the block, which
we then trash, leading to basically random behaviour.
Fixes: 859deea949c3 ("[POWERPC] Cell timebase bug workaround")
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
[mpe: Tweak change log and flag for stable]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/include/asm/reg.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
@@ -1226,7 +1226,7 @@
" .llong 0\n" \
".previous" \
: "=r" (rval) \
- : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL)); \
+ : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL) : "cr0"); \
rval;})
#else
#define mftb() ({unsigned long rval; \
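Review bot: The added : "cr0" clobber on the SPRN_TBRL line has nothing beside it saying which instruction in the workaround writes cr0, so a later edit to the asm body could leave the clobber list stale without anyone noticing; a short comment next to the clobber would help. It is also worth confirming in the changelog that the #else variant of mftb() that follows does not touch a condition register, since its body is outside this hunk.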
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 017/192] [media] mceusb: fix memory leaks in error path
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (36 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 103/192] powerpc/asm: Mark cr0 as clobbered in mftb() Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 045/192] Btrfs: fix invalid extent maps due to hole punching Ben Hutchings
` (154 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Sean Young, Johan Hovold, Jarod Wilson, Mauro Carvalho Chehab
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 2d5a6ce71c72d98d4f7948672842e3e8c265a8b7 upstream.
Fix urb and transfer-buffer leaks in an urb-submission error path which
may be hit when a device is disconnected.
Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")
Cc: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.16:
- Add check on urb_type, as async_buf and async_urb aren't always allocated
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -765,6 +765,7 @@ static void mce_request_packet(struct mc
} else if (urb_type == MCEUSB_RX) {
/* standard request */
async_urb = ir->urb_in;
+ async_buf = NULL;
ir->send_flags = RECV_FLAG_IN_PROGRESS;
} else {
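Review bot: The async_buf = NULL assignment in the MCEUSB_RX branch is never read by the error path added below, which frees only when urb_type == MCEUSB_TX. If it is there to silence a maybe-uninitialized warning, say so in a comment or initialise async_buf at its declaration, so the assignment is not mistaken for part of the leak fix.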
@@ -780,6 +781,10 @@ static void mce_request_packet(struct mc
res = usb_submit_urb(async_urb, GFP_ATOMIC);
if (res) {
dev_err(dev, "receive request FAILED! (res=%d)", res);
+ if (urb_type == MCEUSB_TX) {
+ kfree(async_buf);
+ usb_free_urb(async_urb);
+ }
return;
}
dev_dbg(dev, "receive request complete (res=%d)", res);
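Review bot: The cleanup in the usb_submit_urb() failure branch is keyed on urb_type == MCEUSB_TX, which quietly encodes the ownership rule that only the transmit path allocates async_buf and async_urb; a one-line comment stating that the RX urb is ir->urb_in and must not be freed here would make the asymmetry obvious. The dev_err() text also still reads "receive request FAILED!" on a path that now explicitly handles transmit URBs, which will mislead anyone reading logs after a disconnect.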
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 045/192] Btrfs: fix invalid extent maps due to hole punching
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (37 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 017/192] [media] mceusb: fix memory leaks in error path Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 130/192] btrfs: preserve i_mode if __btrfs_set_acl() fails Ben Hutchings
` (153 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Filipe Manana, David Sterba, Liu Bo
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 609805d809733d0c669f21f710bdac308cc63cba upstream.
While punching a hole in a range that is not aligned with the sector size
(currently the same as the page size) we can end up leaving an extent map
in memory with a length that is smaller than the sector size or with a
start offset that is not aligned to the sector size. Both cases are not
expected and can lead to problems. This issue is easily detected
after the patch from commit a7e3b975a0f9 ("Btrfs: fix reported number of
inode blocks"), introduced in kernel 4.12-rc1, in a scenario like the
following for example:
$ mkfs.btrfs -f /dev/sdb
$ mount /dev/sdb /mnt
$ xfs_io -c "pwrite -S 0xaa -b 100K 0 100K" /mnt/foo
$ xfs_io -c "fpunch 60K 90K" /mnt/foo
$ xfs_io -c "pwrite -S 0xbb -b 100K 50K 100K" /mnt/foo
$ xfs_io -c "pwrite -S 0xcc -b 50K 100K 50K" /mnt/foo
$ umount /mnt
After the unmount operation we can see several warnings emitted due to
underflows related to space reservation counters:
[ 2837.443299] ------------[ cut here ]------------
[ 2837.447395] WARNING: CPU: 8 PID: 2474 at fs/btrfs/inode.c:9444 btrfs_destroy_inode+0xe8/0x27e [btrfs]
[ 2837.452108] Modules linked in: dm_flakey dm_mod ppdev parport_pc psmouse parport sg pcspkr acpi_cpufreq tpm_tis tpm_tis_core i2c_piix4 i2c_core evdev tpm button serio_raw sunrpc loop autofs4 ext4 crc16 jbd2 mbcache btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod sr_mod cdrom sd_mod ata_generic virtio_scsi ata_piix libata virtio_pci virtio_ring virtio e1000 scsi_mod floppy
[ 2837.458389] CPU: 8 PID: 2474 Comm: umount Tainted: G W 4.10.0-rc8-btrfs-next-43+ #1
[ 2837.459754] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
[ 2837.462379] Call Trace:
[ 2837.462379] dump_stack+0x68/0x92
[ 2837.462379] __warn+0xc2/0xdd
[ 2837.462379] warn_slowpath_null+0x1d/0x1f
[ 2837.462379] btrfs_destroy_inode+0xe8/0x27e [btrfs]
[ 2837.462379] destroy_inode+0x3d/0x55
[ 2837.462379] evict+0x177/0x17e
[ 2837.462379] dispose_list+0x50/0x71
[ 2837.462379] evict_inodes+0x132/0x141
[ 2837.462379] generic_shutdown_super+0x3f/0xeb
[ 2837.462379] kill_anon_super+0x12/0x1c
[ 2837.462379] btrfs_kill_super+0x16/0x21 [btrfs]
[ 2837.462379] deactivate_locked_super+0x30/0x68
[ 2837.462379] deactivate_super+0x36/0x39
[ 2837.462379] cleanup_mnt+0x58/0x76
[ 2837.462379] __cleanup_mnt+0x12/0x14
[ 2837.462379] task_work_run+0x77/0x9b
[ 2837.462379] prepare_exit_to_usermode+0x9d/0xc5
[ 2837.462379] syscall_return_slowpath+0x196/0x1b9
[ 2837.462379] entry_SYSCALL_64_fastpath+0xab/0xad
[ 2837.462379] RIP: 0033:0x7f3ef3e6b9a7
[ 2837.462379] RSP: 002b:00007ffdd0d8de58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 2837.462379] RAX: 0000000000000000 RBX: 0000556f76a39060 RCX: 00007f3ef3e6b9a7
[ 2837.462379] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000556f76a3f910
[ 2837.462379] RBP: 0000556f76a3f910 R08: 0000556f76a3e670 R09: 0000000000000015
[ 2837.462379] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f3ef436ce64
[ 2837.462379] R13: 0000000000000000 R14: 0000556f76a39240 R15: 00007ffdd0d8e0e0
[ 2837.519355] ---[ end trace e79345fe24b30b8d ]---
[ 2837.596256] ------------[ cut here ]------------
[ 2837.597625] WARNING: CPU: 8 PID: 2474 at fs/btrfs/extent-tree.c:5699 btrfs_free_block_groups+0x246/0x3eb [btrfs]
[ 2837.603547] Modules linked in: dm_flakey dm_mod ppdev parport_pc psmouse parport sg pcspkr acpi_cpufreq tpm_tis tpm_tis_core i2c_piix4 i2c_core evdev tpm button serio_raw sunrpc loop autofs4 ext4 crc16 jbd2 mbcache btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod sr_mod cdrom sd_mod ata_generic virtio_scsi ata_piix libata virtio_pci virtio_ring virtio e1000 scsi_mod floppy
[ 2837.659372] CPU: 8 PID: 2474 Comm: umount Tainted: G W 4.10.0-rc8-btrfs-next-43+ #1
[ 2837.663359] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
[ 2837.663359] Call Trace:
[ 2837.663359] dump_stack+0x68/0x92
[ 2837.663359] __warn+0xc2/0xdd
[ 2837.663359] warn_slowpath_null+0x1d/0x1f
[ 2837.663359] btrfs_free_block_groups+0x246/0x3eb [btrfs]
[ 2837.663359] close_ctree+0x1dd/0x2e1 [btrfs]
[ 2837.663359] ? evict_inodes+0x132/0x141
[ 2837.663359] btrfs_put_super+0x15/0x17 [btrfs]
[ 2837.663359] generic_shutdown_super+0x6a/0xeb
[ 2837.663359] kill_anon_super+0x12/0x1c
[ 2837.663359] btrfs_kill_super+0x16/0x21 [btrfs]
[ 2837.663359] deactivate_locked_super+0x30/0x68
[ 2837.663359] deactivate_super+0x36/0x39
[ 2837.663359] cleanup_mnt+0x58/0x76
[ 2837.663359] __cleanup_mnt+0x12/0x14
[ 2837.663359] task_work_run+0x77/0x9b
[ 2837.663359] prepare_exit_to_usermode+0x9d/0xc5
[ 2837.663359] syscall_return_slowpath+0x196/0x1b9
[ 2837.663359] entry_SYSCALL_64_fastpath+0xab/0xad
[ 2837.663359] RIP: 0033:0x7f3ef3e6b9a7
[ 2837.663359] RSP: 002b:00007ffdd0d8de58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 2837.663359] RAX: 0000000000000000 RBX: 0000556f76a39060 RCX: 00007f3ef3e6b9a7
[ 2837.663359] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000556f76a3f910
[ 2837.663359] RBP: 0000556f76a3f910 R08: 0000556f76a3e670 R09: 0000000000000015
[ 2837.663359] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f3ef436ce64
[ 2837.663359] R13: 0000000000000000 R14: 0000556f76a39240 R15: 00007ffdd0d8e0e0
[ 2837.739445] ---[ end trace e79345fe24b30b8e ]---
[ 2837.745595] ------------[ cut here ]------------
[ 2837.746412] WARNING: CPU: 8 PID: 2474 at fs/btrfs/extent-tree.c:5700 btrfs_free_block_groups+0x261/0x3eb [btrfs]
[ 2837.747955] Modules linked in: dm_flakey dm_mod ppdev parport_pc psmouse parport sg pcspkr acpi_cpufreq tpm_tis tpm_tis_core i2c_piix4 i2c_core evdev tpm button serio_raw sunrpc loop autofs4 ext4 crc16 jbd2 mbcache btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod sr_mod cdrom sd_mod ata_generic virtio_scsi ata_piix libata virtio_pci virtio_ring virtio e1000 scsi_mod floppy
[ 2837.755395] CPU: 8 PID: 2474 Comm: umount Tainted: G W 4.10.0-rc8-btrfs-next-43+ #1
[ 2837.756769] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
[ 2837.758526] Call Trace:
[ 2837.758925] dump_stack+0x68/0x92
[ 2837.759383] __warn+0xc2/0xdd
[ 2837.759383] warn_slowpath_null+0x1d/0x1f
[ 2837.759383] btrfs_free_block_groups+0x261/0x3eb [btrfs]
[ 2837.759383] close_ctree+0x1dd/0x2e1 [btrfs]
[ 2837.759383] ? evict_inodes+0x132/0x141
[ 2837.759383] btrfs_put_super+0x15/0x17 [btrfs]
[ 2837.759383] generic_shutdown_super+0x6a/0xeb
[ 2837.759383] kill_anon_super+0x12/0x1c
[ 2837.759383] btrfs_kill_super+0x16/0x21 [btrfs]
[ 2837.759383] deactivate_locked_super+0x30/0x68
[ 2837.759383] deactivate_super+0x36/0x39
[ 2837.759383] cleanup_mnt+0x58/0x76
[ 2837.759383] __cleanup_mnt+0x12/0x14
[ 2837.759383] task_work_run+0x77/0x9b
[ 2837.759383] prepare_exit_to_usermode+0x9d/0xc5
[ 2837.759383] syscall_return_slowpath+0x196/0x1b9
[ 2837.759383] entry_SYSCALL_64_fastpath+0xab/0xad
[ 2837.759383] RIP: 0033:0x7f3ef3e6b9a7
[ 2837.759383] RSP: 002b:00007ffdd0d8de58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 2837.759383] RAX: 0000000000000000 RBX: 0000556f76a39060 RCX: 00007f3ef3e6b9a7
[ 2837.759383] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000556f76a3f910
[ 2837.759383] RBP: 0000556f76a3f910 R08: 0000556f76a3e670 R09: 0000000000000015
[ 2837.759383] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f3ef436ce64
[ 2837.759383] R13: 0000000000000000 R14: 0000556f76a39240 R15: 00007ffdd0d8e0e0
[ 2837.777063] ---[ end trace e79345fe24b30b8f ]---
[ 2837.778235] ------------[ cut here ]------------
[ 2837.778856] WARNING: CPU: 8 PID: 2474 at fs/btrfs/extent-tree.c:9825 btrfs_free_block_groups+0x348/0x3eb [btrfs]
[ 2837.791385] Modules linked in: dm_flakey dm_mod ppdev parport_pc psmouse parport sg pcspkr acpi_cpufreq tpm_tis tpm_tis_core i2c_piix4 i2c_core evdev tpm button serio_raw sunrpc loop autofs4 ext4 crc16 jbd2 mbcache btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod sr_mod cdrom sd_mod ata_generic virtio_scsi ata_piix libata virtio_pci virtio_ring virtio e1000 scsi_mod floppy
[ 2837.797711] CPU: 8 PID: 2474 Comm: umount Tainted: G W 4.10.0-rc8-btrfs-next-43+ #1
[ 2837.798594] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
[ 2837.800118] Call Trace:
[ 2837.800515] dump_stack+0x68/0x92
[ 2837.801015] __warn+0xc2/0xdd
[ 2837.801471] warn_slowpath_null+0x1d/0x1f
[ 2837.801698] btrfs_free_block_groups+0x348/0x3eb [btrfs]
[ 2837.801698] close_ctree+0x1dd/0x2e1 [btrfs]
[ 2837.801698] ? evict_inodes+0x132/0x141
[ 2837.801698] btrfs_put_super+0x15/0x17 [btrfs]
[ 2837.801698] generic_shutdown_super+0x6a/0xeb
[ 2837.801698] kill_anon_super+0x12/0x1c
[ 2837.801698] btrfs_kill_super+0x16/0x21 [btrfs]
[ 2837.801698] deactivate_locked_super+0x30/0x68
[ 2837.801698] deactivate_super+0x36/0x39
[ 2837.801698] cleanup_mnt+0x58/0x76
[ 2837.801698] __cleanup_mnt+0x12/0x14
[ 2837.801698] task_work_run+0x77/0x9b
[ 2837.801698] prepare_exit_to_usermode+0x9d/0xc5
[ 2837.801698] syscall_return_slowpath+0x196/0x1b9
[ 2837.801698] entry_SYSCALL_64_fastpath+0xab/0xad
[ 2837.801698] RIP: 0033:0x7f3ef3e6b9a7
[ 2837.801698] RSP: 002b:00007ffdd0d8de58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 2837.801698] RAX: 0000000000000000 RBX: 0000556f76a39060 RCX: 00007f3ef3e6b9a7
[ 2837.801698] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000556f76a3f910
[ 2837.801698] RBP: 0000556f76a3f910 R08: 0000556f76a3e670 R09: 0000000000000015
[ 2837.801698] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f3ef436ce64
[ 2837.801698] R13: 0000000000000000 R14: 0000556f76a39240 R15: 00007ffdd0d8e0e0
[ 2837.818441] ---[ end trace e79345fe24b30b90 ]---
[ 2837.818991] BTRFS info (device sdc): space_info 1 has 7974912 free, is not full
[ 2837.819830] BTRFS info (device sdc): space_info total=8388608, used=417792, pinned=0, reserved=0, may_use=18446744073709547520, readonly=0
What happens in the above example is the following:
1) When punching the hole, at btrfs_punch_hole(), the variable tail_len
is set to 2048 (as tail_start is 148Kb + 1 and offset + len is 150Kb).
This results in the creation of an extent map with a length of 2Kb
starting at file offset 148Kb, through find_first_non_hole() ->
btrfs_get_extent().
2) The second write (first write after the hole punch operation), sets
the range [50Kb, 152Kb[ to delalloc.
3) The third write, at btrfs_find_new_delalloc_bytes(), sees the extent
map covering the range [148Kb, 150Kb[ and ends up calling
set_extent_bit() for the same range, which results in splitting an
existing extent state record, covering the range [148Kb, 152Kb[ into
two 2Kb extent state records, covering the ranges [148Kb, 150Kb[ and
[150Kb, 152Kb[.
4) Finally at lock_and_cleanup_extent_if_need(), immediately after calling
btrfs_find_new_delalloc_bytes() we clear the delalloc bit from the
range [100Kb, 152Kb[ which results in the btrfs_clear_bit_hook()
callback being invoked against the two 2Kb extent state records that
cover the ranges [148Kb, 150Kb[ and [150Kb, 152Kb[. When called against
the first 2Kb extent state, it calls btrfs_delalloc_release_metadata()
with a length argument of 2048 bytes. That function rounds up the length
to a sector size aligned length, so it ends up considering a length of
4096 bytes, and then calls calc_csum_metadata_size() which results in
decrementing the inode's csum_bytes counter by 4096 bytes, so after
it stays a value of 0 bytes. Then the same happens when
btrfs_clear_bit_hook() is called against the second extent state that
has a length of 2Kb, covering the range [150Kb, 152Kb[, the length is
rounded up to 4096 and calc_csum_metadata_size() ends up being called
to decrement 4096 bytes from the inode's csum_bytes counter, which
at that time has a value of 0, leading to an underflow, which is
exactly what triggers the first warning, at btrfs_destroy_inode().
All the other warnings relate to several space accounting counters
that underflow as well due to similar reasons.
A similar case but where the hole punching operation creates an extent map
with a start offset not aligned to the sector size is the following:
$ mkfs.btrfs -f /dev/sdb
$ mount /dev/sdb /mnt
$ xfs_io -f -c "fpunch 695K 820K" $SCRATCH_MNT/bar
$ xfs_io -c "pwrite -S 0xaa 1008K 307K" $SCRATCH_MNT/bar
$ xfs_io -c "pwrite -S 0xbb -b 630K 1073K 630K" $SCRATCH_MNT/bar
$ xfs_io -c "pwrite -S 0xcc -b 459K 1068K 459K" $SCRATCH_MNT/bar
$ umount /mnt
During the unmount operation we get similar traces for the same reasons as
in the first example.
So fix the hole punching operation to make sure it never creates extent
maps with a length that is not aligned to the sector size nor with a start
offset that is not aligned to the sector size, as this breaks all
assumptions and it's a land mine.
Fixes: d77815461f04 ("btrfs: Avoid trucating page or punching hole in a already existed hole.")
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16:
- sectorsize is a member of btrfs_root not btrfs_fs_info
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/file.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -2177,10 +2177,13 @@ out:
*/
static int find_first_non_hole(struct inode *inode, u64 *start, u64 *len)
{
+ struct btrfs_root *root = BTRFS_I(inode)->root;
struct extent_map *em;
int ret = 0;
- em = btrfs_get_extent(inode, NULL, 0, *start, *len, 0);
+ em = btrfs_get_extent(inode, NULL, 0,
+ round_down(*start, root->sectorsize),
+ round_up(*len, root->sectorsize), 0);
if (IS_ERR_OR_NULL(em)) {
if (!em)
ret = -ENOMEM;
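Review bot: round_down(*start, root->sectorsize) and round_up(*len, root->sectorsize) are computed independently, so when *start is not sector aligned the aligned range can end before *start + *len (for example *start = 1 and *len = 4096 with a 4096-byte sector gives [0, 4096[ while the request ends at 4097). If the lookup is meant to cover the whole requested range, derive the length from round_up(*start + *len, root->sectorsize) minus the rounded-down start; if covering only the extent at *start is enough, a comment saying so would settle the question for the next reader.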
^ permalink raw reply [flat|nested] 196+ messages in thread
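The counter underflow walked through in steps 3 and 4 of the commit message above, as a small user-space C model added here for illustration (it is not kernel code and not part of the original message). The struct range type and the helpers split_by_extent_map(), release_records() and simulate() are hypothetical names, and the model assumes a 4 KiB sector size and a single 4096-byte reservation for the extent state record [148K, 152K[.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define KB         1024ULL
#define SECTORSIZE (4 * KB)   /* assumed: sector size == page size == 4 KiB */

/* Hypothetical stand-in for an extent map or extent state record. */
struct range { uint64_t start, len; };

/* Power-of-two alignment, same arithmetic as the kernel's round_up()/round_down(). */
static uint64_t round_up_u64(uint64_t x, uint64_t a)   { return (x + a - 1) & ~(a - 1); }
static uint64_t round_down_u64(uint64_t x, uint64_t a) { return x & ~(a - 1); }

/*
 * Step 3: setting bits for the extent map's range splits the extent state
 * record at every extent map boundary that falls strictly inside the record.
 * Returns the number of resulting records (1 to 3).
 */
static int split_by_extent_map(struct range st, struct range em, struct range out[3])
{
    uint64_t end = st.start + st.len;
    uint64_t cuts[2] = { em.start, em.start + em.len };
    uint64_t pos = st.start;
    int n = 0;

    for (int i = 0; i < 2; i++) {
        if (cuts[i] > pos && cuts[i] < end) {
            out[n++] = (struct range){ pos, cuts[i] - pos };
            pos = cuts[i];
        }
    }
    out[n++] = (struct range){ pos, end - pos };
    return n;
}

/*
 * Step 4: every record is released separately and its length is rounded up
 * to the sector size first. The counter is unsigned, so dropping below zero
 * wraps around instead of going negative.
 */
static uint64_t release_records(uint64_t counter, const struct range *recs, int n)
{
    for (int i = 0; i < n; i++)
        counter -= round_up_u64(recs[i].len, SECTORSIZE);
    return counter;
}

/*
 * One extent state record [148K, 152K[ with 4096 bytes accounted for it and
 * an extent map at em_start/em_len. With align != 0 the extent map range is
 * aligned the way the patched find_first_non_hole() aligns its lookup.
 * Returns the counter value after the record(s) have been released.
 */
static uint64_t simulate(uint64_t em_start, uint64_t em_len, int align)
{
    struct range state = { 148 * KB, 4 * KB };
    struct range em = { em_start, em_len };
    struct range recs[3];
    int n;

    if (align) {
        em.start = round_down_u64(em_start, SECTORSIZE);
        em.len = round_up_u64(em_len, SECTORSIZE);
    }
    n = split_by_extent_map(state, em, recs);
    return release_records(SECTORSIZE, recs, n);
}

int main(void)
{
    /* 2K extent map at 148K, as created by the unpatched hole punch. */
    printf("unaligned length: counter = %" PRIu64 "\n", simulate(148 * KB, 2 * KB, 0));
    /* Constructed variant: extent map whose start is not sector aligned. */
    printf("unaligned start:  counter = %" PRIu64 "\n", simulate(150 * KB, 2 * KB, 0));
    /* Same inputs with the patch's rounding applied. */
    printf("aligned:          counter = %" PRIu64 "\n", simulate(148 * KB, 2 * KB, 1));
    return 0;
}
```

The wrapped value, 2^64 - 4096, is the same number the log above reports for may_use.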
* [PATCH 3.16 130/192] btrfs: preserve i_mode if __btrfs_set_acl() fails
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (38 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 045/192] Btrfs: fix invalid extent maps due to hole punching Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 043/192] xhci: Limit USB2 port wake support for AMD Promontory hosts Ben Hutchings
` (152 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Sterba, Ernesto A. Fernández
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ernesto A. Fernández
<ernesto.mnd.fernandez@gmail.com>
commit d7d824966530acfe32b94d1ed672e6fe1638cd68 upstream.
When changing a file's acl mask, btrfs_set_acl() will first set the
group bits of i_mode to the value of the mask, and only then set the
actual extended attribute representing the new acl.
If the second part fails (due to lack of space, for example) and the
file had no acl attribute to begin with, the system will from now on
assume that the mask permission bits are actual group permission bits,
potentially granting access to the wrong users.
Prevent this by restoring the original mode bits if __btrfs_set_acl
fails.
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/acl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -118,13 +118,17 @@ out:
int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
{
int ret;
+ umode_t old_mode = inode->i_mode;
if (type == ACL_TYPE_ACCESS && acl) {
ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
if (ret)
return ret;
}
- return __btrfs_set_acl(NULL, inode, acl, type);
+ ret = __btrfs_set_acl(NULL, inode, acl, type);
+ if (ret)
+ inode->i_mode = old_mode;
+ return ret;
}
/*
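Review bot: Restoring inode->i_mode = old_mode after __btrfs_set_acl() fails still leaves a window in which posix_acl_update_mode() has already written the mask into the live inode->i_mode, so a concurrent permission check can observe the group bits the commit message calls wrong. Passing a local umode_t to posix_acl_update_mode() and assigning it to inode->i_mode only after __btrfs_set_acl() succeeds would close the window and make the rollback unnecessary.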
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 043/192] xhci: Limit USB2 port wake support for AMD Promontory hosts
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (39 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 130/192] btrfs: preserve i_mode if __btrfs_set_acl() fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 031/192] usb: Fix typo in the definition of Endpoint[out]Request Ben Hutchings
` (151 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jiahau Chang, Greg Kroah-Hartman, Jiahau Chang,
Mathias Nyman, Tsai Nicholas
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jiahau Chang <jiahau@gmail.com>
commit dec08194ffeccfa1cf085906b53d301930eae18f upstream.
For AMD Promontory xHCI host, although you can disable USB 2.0 ports in
BIOS settings, those ports will be enabled anyway after you remove a
device on that port and re-plug it in again. It's a known limitation of
the chip. As a workaround we can clear the PORT_WAKE_BITS.
This will disable wake on connect, disconnect and overcurrent on
AMD Promontory USB2 ports
[checkpatch cleanup and commit message reword -Mathias]
Cc: Tsai Nicholas <nicholas.tsai@amd.com>
Signed-off-by: Jiahau Chang <Lars_Chang@asmedia.com.tw>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/host/xhci-hub.c | 3 +++
drivers/usb/host/xhci-pci.c | 12 ++++++++++++
drivers/usb/host/xhci.h | 1 +
3 files changed, 16 insertions(+)
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1209,6 +1209,9 @@ int xhci_bus_suspend(struct usb_hcd *hcd
t2 |= PORT_WKOC_E | PORT_WKCONN_E;
t2 &= ~PORT_WKDISC_E;
}
+ if ((xhci->quirks & XHCI_U2_DISABLE_WAKE) &&
+ (hcd->speed < HCD_USB3))
+ t2 &= ~PORT_WAKE_BITS;
} else
t2 &= ~PORT_WAKE_BITS;
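Review bot: The quirk check is placed after the branch has already OR-ed wake enables into t2 (t2 |= PORT_WKOC_E | PORT_WKCONN_E just above), so the bits are set and then immediately cleared, and the statement t2 &= ~PORT_WAKE_BITS now appears twice in the same if/else. Folding the XHCI_U2_DISABLE_WAKE and hcd->speed < HCD_USB3 test into the condition that selects the else arm would express "no wake on these ports" once.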
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -47,6 +47,11 @@
#define PCI_DEVICE_ID_INTEL_APL_XHCI 0x5aa8
#define PCI_DEVICE_ID_INTEL_DNV_XHCI 0x19d0
+#define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9
+#define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba
+#define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb
+#define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
+
static const char hcd_name[] = "xhci_hcd";
/* called after powerup, by probe or system-pm "wakeup" */
@@ -120,6 +125,13 @@ static void xhci_pci_quirks(struct devic
if (pdev->vendor == PCI_VENDOR_ID_AMD)
xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+ if ((pdev->vendor == PCI_VENDOR_ID_AMD) &&
+ ((pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_4) ||
+ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_3) ||
+ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_2) ||
+ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_1)))
+ xhci->quirks |= XHCI_U2_DISABLE_WAKE;
+
if (pdev->vendor == PCI_VENDOR_ID_INTEL) {
xhci->quirks |= XHCI_LPM_SUPPORT;
xhci->quirks |= XHCI_INTEL_HOST;
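Review bot: The four-way pdev->device comparison repeats the PCI_VENDOR_ID_AMD test from the XHCI_TRUST_TX_LENGTH check directly above it and will grow awkwardly if more Promontory IDs appear. Nesting it under the existing vendor check, or using a switch on pdev->device, would be easier to extend and to review.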
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1569,6 +1569,7 @@ struct xhci_hcd {
#define XHCI_BROKEN_STREAMS (1 << 19)
#define XHCI_PME_STUCK_QUIRK (1 << 20)
#define XHCI_MISSING_CAS (1 << 24)
+#define XHCI_U2_DISABLE_WAKE (1 << 27)
unsigned int num_active_eps;
unsigned int limit_active_eps;
/* There are two roothubs to keep track of bus suspend info for */
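Review bot: XHCI_U2_DISABLE_WAKE takes bit 27 while the last quirk visible in this tree is XHCI_MISSING_CAS at bit 24, leaving 25 and 26 unused. If the gap is deliberate so the value matches upstream, a one-line comment would stop a later backport from assigning a conflicting meaning to one of those bits. The define also carries no comment saying what the quirk does, so the behaviour is documented only in the commit message.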
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 031/192] usb: Fix typo in the definition of Endpoint[out]Request
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (40 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 043/192] xhci: Limit USB2 port wake support for AMD Promontory hosts Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 058/192] MIPS: Save static registers before sysmips Ben Hutchings
` (150 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Benjamin Herrenschmidt, Greg Kroah-Hartman, Alan Stern
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
commit 7cf916bd639bd26db7214f2205bccdb4b9306256 upstream.
The current definition is wrong. This breaks my upcoming
Aspeed virtual hub driver.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/usb/hcd.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/include/linux/usb/hcd.h
+++ b/include/linux/usb/hcd.h
@@ -542,9 +542,9 @@ extern void usb_ep0_reinit(struct usb_de
((USB_DIR_IN|USB_TYPE_STANDARD|USB_RECIP_INTERFACE)<<8)
#define EndpointRequest \
- ((USB_DIR_IN|USB_TYPE_STANDARD|USB_RECIP_INTERFACE)<<8)
+ ((USB_DIR_IN|USB_TYPE_STANDARD|USB_RECIP_ENDPOINT)<<8)
#define EndpointOutRequest \
- ((USB_DIR_OUT|USB_TYPE_STANDARD|USB_RECIP_INTERFACE)<<8)
+ ((USB_DIR_OUT|USB_TYPE_STANDARD|USB_RECIP_ENDPOINT)<<8)
/* class requests from the USB 2.0 hub spec, table 11-15 */
/* GetBusState and SetHubDescriptor are optional, omitted */
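Review bot: The removed EndpointRequest definition is the same expression as the context line above it, ((USB_DIR_IN|USB_TYPE_STANDARD|USB_RECIP_INTERFACE)<<8), so any existing switch on the request type that listed both would have had colliding or unreachable cases. For a stable backport the changelog should say whether any in-tree host controller driver in 3.16 matches on EndpointRequest or EndpointOutRequest, since those drivers change behaviour with this fix.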
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 058/192] MIPS: Save static registers before sysmips
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (41 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 031/192] usb: Fix typo in the definition of Endpoint[out]Request Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 053/192] xfs: Don't clear SGID when inheriting ACLs Ben Hutchings
` (149 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Ralf Baechle, linux-mips, James Hogan
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 49955d84cd9ccdca5a16a495e448e1a06fad9e49 upstream.
The MIPS sysmips system call handler may return directly from the
MIPS_ATOMIC_SET case (mips_atomic_set()) to syscall_exit. This path
restores the static (callee saved) registers, however they won't have
been saved on entry to the system call.
Use the save_static_function() macro to create a __sys_sysmips wrapper
function which saves the static registers before calling sys_sysmips, so
that the correct static register state is restored by syscall_exit.
Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16149/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/scall32-o32.S | 2 +-
arch/mips/kernel/scall64-64.S | 2 +-
arch/mips/kernel/scall64-n32.S | 2 +-
arch/mips/kernel/scall64-o32.S | 2 +-
arch/mips/kernel/syscall.c | 6 ++++++
5 files changed, 10 insertions(+), 4 deletions(-)
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -363,7 +363,7 @@ EXPORT(sys_call_table)
PTR sys_writev
PTR sys_cacheflush
PTR sys_cachectl
- PTR sys_sysmips
+ PTR __sys_sysmips
PTR sys_ni_syscall /* 4150 */
PTR sys_getsid
PTR sys_fdatasync
--- a/arch/mips/kernel/scall64-64.S
+++ b/arch/mips/kernel/scall64-64.S
@@ -318,7 +318,7 @@ EXPORT(sys_call_table)
PTR sys_sched_getaffinity
PTR sys_cacheflush
PTR sys_cachectl
- PTR sys_sysmips
+ PTR __sys_sysmips
PTR sys_io_setup /* 5200 */
PTR sys_io_destroy
PTR sys_io_getevents
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -307,7 +307,7 @@ EXPORT(sysn32_call_table)
PTR compat_sys_sched_getaffinity
PTR sys_cacheflush
PTR sys_cachectl
- PTR sys_sysmips
+ PTR __sys_sysmips
PTR compat_sys_io_setup /* 6200 */
PTR sys_io_destroy
PTR compat_sys_io_getevents
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -358,7 +358,7 @@ EXPORT(sys32_call_table)
PTR compat_sys_writev
PTR sys_cacheflush
PTR sys_cachectl
- PTR sys_sysmips
+ PTR __sys_sysmips
PTR sys_ni_syscall /* 4150 */
PTR sys_getsid
PTR sys_fdatasync
--- a/arch/mips/kernel/syscall.c
+++ b/arch/mips/kernel/syscall.c
@@ -197,6 +197,12 @@ static inline int mips_atomic_set(unsign
unreachable();
}
+/*
+ * mips_atomic_set() normally returns directly via syscall_exit potentially
+ * clobbering static registers, so be sure to preserve them.
+ */
+save_static_function(sys_sysmips);
+
SYSCALL_DEFINE3(sysmips, long, cmd, long, arg1, long, arg2)
{
switch (cmd) {
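Review bot: The new comment says mips_atomic_set() "normally returns directly via syscall_exit", but the wrapper created by save_static_function(sys_sysmips) saves the static registers for every sysmips command, not only MIPS_ATOMIC_SET. The comment should say that, and should mention that this macro is what defines the __sys_sysmips symbol now referenced from the four syscall tables, since a grep for __sys_sysmips will otherwise find no definition.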
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 053/192] xfs: Don't clear SGID when inheriting ACLs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (42 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 058/192] MIPS: Save static registers before sysmips Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 088/192] IB/core: Add inline function to validate port Ben Hutchings
` (148 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Kara, Darrick J. Wong, linux-xfs
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 8ba358756aa08414fa9e65a1a41d28304ed6fd7f upstream.
When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.
Fix the problem by calling __xfs_set_acl() instead of xfs_set_acl() when
setting up inode in xfs_generic_create(). That prevents SGID bit
clearing and mode is properly set by posix_acl_create() anyway. We also
reorder arguments of __xfs_set_acl() to match the ordering of
xfs_set_acl() to make things consistent.
Fixes: 073931017b49d9458aa351605b43a7e34598caef
CC: Darrick J. Wong <darrick.wong@oracle.com>
CC: linux-xfs@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/xfs/xfs_acl.c | 6 +++---
fs/xfs/xfs_acl.h | 1 +
fs/xfs/xfs_iops.c | 4 ++--
3 files changed, 6 insertions(+), 5 deletions(-)
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -176,8 +176,8 @@ out:
return acl;
}
-STATIC int
-__xfs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
+int
+__xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
{
struct xfs_inode *ip = XFS_I(inode);
unsigned char *ea_name;
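Review bot: dropping STATIC on `__xfs_set_acl()` makes a helper that skips the mode and SGID handling of `xfs_set_acl()` callable from anywhere in XFS, and nothing at the definition says so. A short comment above it, stating that it only stores the ACL and that the caller must already hold the final mode, would keep later callers from picking the wrong entry point. The argument swap is safe against stale callers because `struct posix_acl *` and `int` are not interchangeable, so a missed call site draws a compiler diagnostic instead of passing silently.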
@@ -297,5 +297,5 @@ xfs_set_acl(struct inode *inode, struct
}
set_acl:
- return __xfs_set_acl(inode, type, acl);
+ return __xfs_set_acl(inode, acl, type);
}
--- a/fs/xfs/xfs_acl.h
+++ b/fs/xfs/xfs_acl.h
@@ -61,6 +61,7 @@ struct xfs_acl {
#ifdef CONFIG_XFS_POSIX_ACL
extern struct posix_acl *xfs_get_acl(struct inode *inode, int type);
extern int xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
+extern int __xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
extern int posix_acl_access_exists(struct inode *inode);
extern int posix_acl_default_exists(struct inode *inode);
#else
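Review bot: the new `__xfs_set_acl()` prototype is added only inside `#ifdef CONFIG_XFS_POSIX_ACL`, with no counterpart visible after the `#else`. That works for the two callers in xfs_iops.c, which sit under the same `#ifdef`, but any future caller outside such a guard breaks the build with POSIX ACLs disabled. Either say so in a comment next to the prototype or add a stub in the `#else` branch.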
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -173,12 +173,12 @@ xfs_generic_create(
#ifdef CONFIG_XFS_POSIX_ACL
if (default_acl) {
- error = -xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+ error = -__xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
if (error)
goto out_cleanup_inode;
}
if (acl) {
- error = -xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
+ error = -__xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
if (error)
goto out_cleanup_inode;
}
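Review bot: both call sites in `xfs_generic_create()` now bypass the SGID-clearing path without a comment explaining why that is safe. The changelog's reasoning (the mode was already computed by `posix_acl_create()`) belongs above `error = -__xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);` so that the double-underscore variant is not later tidied back to `xfs_set_acl()`. The leading negation stays correct because `xfs_set_acl()` returns the helper's value unchanged at its `set_acl:` label, so both functions share one sign convention.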
* [PATCH 3.16 088/192] IB/core: Add inline function to validate port
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Yuval Shaia, Doug Ledford
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yuval Shaia <yuval.shaia@oracle.com>
commit 24dc831b77eca9361cf835be59fa69ea0e471afc upstream.
Signed-off-by: Yuval Shaia <yuval.shaia@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16:
- Drop inapplicable changes
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -67,7 +67,7 @@ int ib_get_cached_gid(struct ib_device *
unsigned long flags;
int ret = 0;
- if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
+ if (!rdma_is_port_valid(device, port_num))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
@@ -129,7 +129,7 @@ int ib_get_cached_pkey(struct ib_device
unsigned long flags;
int ret = 0;
- if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
+ if (!rdma_is_port_valid(device, port_num))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
@@ -158,7 +158,7 @@ int ib_find_cached_pkey(struct ib_device
int ret = -ENOENT;
int partial_ix = -1;
- if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
+ if (!rdma_is_port_valid(device, port_num))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
@@ -198,7 +198,7 @@ int ib_find_exact_cached_pkey(struct ib_
int i;
int ret = -ENOENT;
- if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
+ if (!rdma_is_port_valid(device, port_num))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
@@ -227,7 +227,7 @@ int ib_get_cached_lmc(struct ib_device *
unsigned long flags;
int ret = 0;
- if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
+ if (!rdma_is_port_valid(device, port_num))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
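Review bot: the changelog for this patch has no body, so nothing records that the substitution made in these five cache.c functions is meant to be behaviour-preserving. By De Morgan, `!rdma_is_port_valid(device, port_num)` rejects exactly the ports that `port_num < rdma_start_port(device) || port_num > rdma_end_port(device)` rejected, given the helper added in ib_verbs.h. One sentence saying so in the commit message would help anyone bisecting across this backport.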
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -563,7 +563,7 @@ int ib_query_port(struct ib_device *devi
u8 port_num,
struct ib_port_attr *port_attr)
{
- if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
+ if (!rdma_is_port_valid(device, port_num))
return -EINVAL;
return device->query_port(device, port_num, port_attr);
@@ -641,7 +641,7 @@ int ib_modify_port(struct ib_device *dev
if (!device->modify_port)
return -ENOSYS;
- if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
+ if (!rdma_is_port_valid(device, port_num))
return -EINVAL;
return device->modify_port(device, port_num, port_modify_mask,
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -1721,6 +1721,13 @@ static inline u8 rdma_end_port(const str
0 : device->phys_port_cnt;
}
+static inline int rdma_is_port_valid(const struct ib_device *device,
+ unsigned int port)
+{
+ return (port >= rdma_start_port(device) &&
+ port <= rdma_end_port(device));
+}
+
int ib_query_gid(struct ib_device *device,
u8 port_num, int index, union ib_gid *gid);
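Review bot: `rdma_is_port_valid()` is a predicate but is declared `static inline int`; `bool` would state the contract and stop callers from treating the result as an error code. The `unsigned int port` parameter is wider than the `u8 port_num` that every converted caller passes, which is harmless for those callers. The helper also has no kernel-doc saying that the accepted range includes both `rdma_start_port()` and `rdma_end_port()`.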
* [PATCH 3.16 079/192] scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Laurence Oberman, David Jeffery, Martin K. Petersen,
Ewan D. Milne, Johannes Thumshirn
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Ewan D. Milne" <emilne@redhat.com>
commit f9279c968c257ee39b0d7bd2571a4d231a67bcc1 upstream.
The addition of the STARGET_REMOVE state had the side effect of
introducing a race condition that can cause a crash.
scsi_target_reap_ref_release() checks the starget->state to
see if it is still in STARGET_CREATED, and if so, skips calling
transport_remove_device() and device_del(), because the starget->state
is only set to STARGET_RUNNING after scsi_target_add() has called
device_add() and transport_add_device().
However, if an rport loss occurs while a target is being scanned,
it can happen that scsi_remove_target() will be called while the
starget is still in the STARGET_CREATED state. In this case, the
starget->state will be set to STARGET_REMOVE, and as a result,
scsi_target_reap_ref_release() will take the wrong path. The end
result is a panic:
[ 1255.356653] Oops: 0000 [#1] SMP
[ 1255.360154] Modules linked in: x86_pkg_temp_thermal kvm_intel kvm irqbypass crc32c_intel ghash_clmulni_i
[ 1255.393234] CPU: 5 PID: 149 Comm: kworker/u96:4 Tainted: G W 4.11.0+ #8
[ 1255.401879] Hardware name: Dell Inc. PowerEdge R320/08VT7V, BIOS 2.0.22 11/19/2013
[ 1255.410327] Workqueue: scsi_wq_6 fc_scsi_scan_rport [scsi_transport_fc]
[ 1255.417720] task: ffff88060ca8c8c0 task.stack: ffffc900048a8000
[ 1255.424331] RIP: 0010:kernfs_find_ns+0x13/0xc0
[ 1255.429287] RSP: 0018:ffffc900048abbf0 EFLAGS: 00010246
[ 1255.435123] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 1255.443083] RDX: 0000000000000000 RSI: ffffffff8188d659 RDI: 0000000000000000
[ 1255.451043] RBP: ffffc900048abc10 R08: 0000000000000000 R09: 0000012433fe0025
[ 1255.459005] R10: 0000000025e5a4b5 R11: 0000000025e5a4b5 R12: ffffffff8188d659
[ 1255.466972] R13: 0000000000000000 R14: ffff8805f55e5088 R15: 0000000000000000
[ 1255.474931] FS: 0000000000000000(0000) GS:ffff880616b40000(0000) knlGS:0000000000000000
[ 1255.483959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1255.490370] CR2: 0000000000000068 CR3: 0000000001c09000 CR4: 00000000000406e0
[ 1255.498332] Call Trace:
[ 1255.501058] kernfs_find_and_get_ns+0x31/0x60
[ 1255.505916] sysfs_unmerge_group+0x1d/0x60
[ 1255.510498] dpm_sysfs_remove+0x22/0x60
[ 1255.514783] device_del+0xf4/0x2e0
[ 1255.518577] ? device_remove_file+0x19/0x20
[ 1255.523241] attribute_container_class_device_del+0x1a/0x20
[ 1255.529457] transport_remove_classdev+0x4e/0x60
[ 1255.534607] ? transport_add_class_device+0x40/0x40
[ 1255.540046] attribute_container_device_trigger+0xb0/0xc0
[ 1255.546069] transport_remove_device+0x15/0x20
[ 1255.551025] scsi_target_reap_ref_release+0x25/0x40
[ 1255.556467] scsi_target_reap+0x2e/0x40
[ 1255.560744] __scsi_scan_target+0xaa/0x5b0
[ 1255.565312] scsi_scan_target+0xec/0x100
[ 1255.569689] fc_scsi_scan_rport+0xb1/0xc0 [scsi_transport_fc]
[ 1255.576099] process_one_work+0x14b/0x390
[ 1255.580569] worker_thread+0x4b/0x390
[ 1255.584651] kthread+0x109/0x140
[ 1255.588251] ? rescuer_thread+0x330/0x330
[ 1255.592730] ? kthread_park+0x60/0x60
[ 1255.596815] ret_from_fork+0x29/0x40
[ 1255.600801] Code: 24 08 48 83 42 40 01 5b 41 5c 5d c3 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90
[ 1255.621876] RIP: kernfs_find_ns+0x13/0xc0 RSP: ffffc900048abbf0
[ 1255.628479] CR2: 0000000000000068
[ 1255.632756] ---[ end trace 34a69ba0477d036f ]---
Fix this by adding another scsi_target state STARGET_CREATED_REMOVE
to distinguish this case.
Fixes: f05795d3d771 ("scsi: Add intermediate STARGET_REMOVE state to scsi_target_state")
Reported-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Laurence Oberman <loberman@redhat.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/scsi_scan.c | 5 +++--
drivers/scsi/scsi_sysfs.c | 8 ++++++--
include/scsi/scsi_device.h | 1 +
3 files changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -387,11 +387,12 @@ static void scsi_target_reap_ref_release
= container_of(kref, struct scsi_target, reap_ref);
/*
- * if we get here and the target is still in the CREATED state that
+ * if we get here and the target is still in a CREATED state that
* means it was allocated but never made visible (because a scan
* turned up no LUNs), so don't call device_del() on it.
*/
- if (starget->state != STARGET_CREATED) {
+ if ((starget->state != STARGET_CREATED) &&
+ (starget->state != STARGET_CREATED_REMOVE)) {
transport_remove_device(&starget->dev);
device_del(&starget->dev);
}
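Review bot: the rewritten comment still gives only one reason for skipping `device_del()`, "because a scan turned up no LUNs", but `STARGET_CREATED_REMOVE` covers a different case: the target was removed while the scan was still in progress. Add that second reason to the comment so the two-state test below it explains itself. The outer parentheses around each `!=` comparison are redundant and can go.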
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1151,11 +1151,15 @@ restart:
spin_lock_irqsave(shost->host_lock, flags);
list_for_each_entry(starget, &shost->__targets, siblings) {
if (starget->state == STARGET_DEL ||
- starget->state == STARGET_REMOVE)
+ starget->state == STARGET_REMOVE ||
+ starget->state == STARGET_CREATED_REMOVE)
continue;
if (starget->dev.parent == dev || &starget->dev == dev) {
kref_get(&starget->reap_ref);
- starget->state = STARGET_REMOVE;
+ if (starget->state == STARGET_CREATED)
+ starget->state = STARGET_CREATED_REMOVE;
+ else
+ starget->state = STARGET_REMOVE;
spin_unlock_irqrestore(shost->host_lock, flags);
__scsi_remove_target(starget);
scsi_target_reap(starget);
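Review bot: once this loop has moved a target from `STARGET_CREATED` to `STARGET_CREATED_REMOVE`, the scan path described in the changelog can still reach the point where `scsi_target_add()` sets `STARGET_RUNNING`. The hunk does not show whether that assignment checks the current state or takes `host_lock`. If it does neither, it overwrites the removal marker, and this loop, which skips only `STARGET_DEL`, `STARGET_REMOVE` and `STARGET_CREATED_REMOVE`, could select the same target a second time. Please confirm that path or say in the changelog why it cannot happen.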
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -265,6 +265,7 @@ enum scsi_target_state {
STARGET_CREATED = 1,
STARGET_RUNNING,
STARGET_REMOVE,
+ STARGET_CREATED_REMOVE,
STARGET_DEL,
};
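Review bot: `STARGET_CREATED_REMOVE` is inserted before `STARGET_DEL`, which changes the numeric value of `STARGET_DEL`. That is safe only if nothing compares states by order or exposes the raw number; appending the new value after `STARGET_DEL` would avoid the question. The enum also has no comment describing when each state is entered, and this patch makes one more necessary.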
* [PATCH 3.16 099/192] cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Srinivas Dasari, Johannes Berg, Jouni Malinen
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Dasari <dasaris@qti.qualcomm.com>
commit d7f13f7450369281a5d0ea463cc69890a15923ae upstream.
validate_scan_freqs() retrieves frequencies from attributes
nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
nla_get_u32(), which reads 4 bytes from each attribute
without validating the size of data received. Attributes
nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.
Validate size of each attribute before parsing to avoid potential buffer
overread.
Fixes: 2a519311926 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/wireless/nl80211.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5288,6 +5288,10 @@ static int validate_scan_freqs(struct nl
struct nlattr *attr1, *attr2;
int n_channels = 0, tmp1, tmp2;
+ nla_for_each_nested(attr1, freqs, tmp1)
+ if (nla_len(attr1) != sizeof(u32))
+ return 0;
+
nla_for_each_nested(attr1, freqs, tmp1) {
n_channels++;
/*
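Review bot: the new length check signals failure with `return 0;`, which rejects the request only if every caller of `validate_scan_freqs()` treats a zero channel count as an error. That is not visible in this hunk and deserves a comment on the return. Running the check as a separate pass ahead of the existing `nla_for_each_nested(attr1, freqs, tmp1)` loop does guarantee that no attribute is read before all have been validated, but the unbraced outer loop with a nested `if` is easy to misread and should get braces.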
* [PATCH 3.16 044/192] x86/nmi: Fix timeout test in test_nmi_ipi()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Dan Carpenter, Peter Zijlstra, Thomas Gleixner,
Ingo Molnar, kernel-janitors, Linus Torvalds, Don Zickus
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit c133c7615751008f6c32ccae7cdfc5ff6e989c35 upstream.
We're supposed to exit the loop with "timeout" set to zero.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-janitors@vger.kernel.org
Fixes: 99e8b9ca90d6 ("x86, NMI: Add NMI IPI selftest")
Link: http://lkml.kernel.org/r/20170619105304.GA23995@elgon.mountain
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/nmi_selftest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kernel/nmi_selftest.c
+++ b/arch/x86/kernel/nmi_selftest.c
@@ -78,7 +78,7 @@ static void __init test_nmi_ipi(struct c
/* Don't wait longer than a second */
timeout = USEC_PER_SEC;
- while (!cpumask_empty(mask) && timeout--)
+ while (!cpumask_empty(mask) && --timeout)
udelay(1);
/* What happens if we timeout, do we still unregister?? */
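Review bot: the outcome of this loop is inferred from `timeout` alone, and the test that consumes it lies outside the hunk. With `--timeout` the counter is zero on expiry, as the changelog wants, but a mask that empties right after the last `cpumask_empty(mask)` check is still reported as a timeout. Testing `cpumask_empty(mask)` again after the loop would not depend on the counter's final value. The trailing comment "do we still unregister??" is left unanswered by the patch.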
* [PATCH 3.16 076/192] mwifiex: do not update MCS set from hostapd
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Kalle Valo, Ganapathi Bhat
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ganapathi Bhat <gbhat@marvell.com>
commit 8a063a27815a759b99ad710402da1ccd1b0987f7 upstream.
We should not copy the MCS set from hostapd RX-STBC. We
have to just use the MCS set supported by the hardware.
This fixes an issue, where mwifiex is advertising wrong
MCS sets in beacons.
Fixes: 474a41e94dfc ("mwifiex: update MCS set as per RX-STBC bit from hostapd")
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
- Deleted code is slightly different
- Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/mwifiex/fw.h | 5 -----
drivers/net/wireless/mwifiex/uap_cmd.c | 22 ----------------------
2 files changed, 27 deletions(-)
--- a/drivers/net/wireless/mwifiex/fw.h
+++ b/drivers/net/wireless/mwifiex/fw.h
@@ -203,11 +203,6 @@ enum MWIFIEX_802_11_PRIVACY_FILTER {
#define MWIFIEX_DEF_AMPDU IEEE80211_HT_AMPDU_PARM_FACTOR
-#define GET_RXSTBC(x) (x & IEEE80211_HT_CAP_RX_STBC)
-#define MWIFIEX_RX_STBC1 0x0100
-#define MWIFIEX_RX_STBC12 0x0200
-#define MWIFIEX_RX_STBC123 0x0300
-
/* dev_cap bitmap
* BIT
* 0-16 reserved
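Review bot: `GET_RXSTBC()` and the three `MWIFIEX_RX_STBC*` constants are deleted here, and the diffstat touches only fw.h and uap_cmd.c, so the removal is correct only if uap_cmd.c held their last users. A grep over the driver in the 3.16 tree is worth doing, since the backport note says the deleted code differs from upstream.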
--- a/drivers/net/wireless/mwifiex/uap_cmd.c
+++ b/drivers/net/wireless/mwifiex/uap_cmd.c
@@ -159,7 +159,6 @@ mwifiex_set_ht_params(struct mwifiex_pri
struct cfg80211_ap_settings *params)
{
const u8 *ht_ie;
- u16 cap_info;
if (!ISSUPP_11NENABLED(priv->adapter->fw_cap_info))
return;
@@ -169,27 +168,6 @@ mwifiex_set_ht_params(struct mwifiex_pri
if (ht_ie) {
memcpy(&bss_cfg->ht_cap, ht_ie + 2,
sizeof(struct ieee80211_ht_cap));
- cap_info = le16_to_cpu(bss_cfg->ht_cap.cap_info);
- memset(&bss_cfg->ht_cap.mcs, 0,
- priv->adapter->number_of_antenna);
- switch (GET_RXSTBC(cap_info)) {
- case MWIFIEX_RX_STBC1:
- /* HT_CAP 1X1 mode */
- bss_cfg->ht_cap.mcs.rx_mask[0] = 0xff;
- break;
- case MWIFIEX_RX_STBC12: /* fall through */
- case MWIFIEX_RX_STBC123:
- /* HT_CAP 2X2 mode */
- bss_cfg->ht_cap.mcs.rx_mask[0] = 0xff;
- bss_cfg->ht_cap.mcs.rx_mask[1] = 0xff;
- break;
- default:
- dev_warn(priv->adapter->dev,
- "Unsupported RX-STBC, default to 2x2\n");
- bss_cfg->ht_cap.mcs.rx_mask[0] = 0xff;
- bss_cfg->ht_cap.mcs.rx_mask[1] = 0xff;
- break;
- }
priv->ap_11n_enabled = 1;
} else {
memset(&bss_cfg->ht_cap , 0, sizeof(struct ieee80211_ht_cap));
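Review bot: after this removal, the remaining `memcpy(&bss_cfg->ht_cap, ht_ie + 2, sizeof(struct ieee80211_ht_cap));` still copies the whole HT capabilities element, MCS field included, from the IE supplied by hostapd. The changelog says the hardware's MCS set must be used, so it should state where `bss_cfg->ht_cap.mcs` is replaced with the hardware value, because that is not in this hunk. The same `memcpy()` reads a fixed size from `ht_ie + 2`, and the visible lines show no check that the element is at least that long.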
* [PATCH 3.16 115/192] ubifs: Don't leak kernel memory to the MTD
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Richard Weinberger, Boris Brezillon
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 4acadda74ff8b949c448c0282765ae747e088c87 upstream.
When UBIFS prepares data structures which will be written to the MTD it
ensures that their lengths are a multiple of 8. Since it uses kmalloc() the
padded bytes are left uninitialized and we leak a few bytes of kernel
memory to the MTD.
To make sure that all bytes are initialized, let's switch to kzalloc().
Kzalloc() is fine in this case because the buffers are not huge and in
the IO path the performance bottleneck is anyway the MTD.
Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16:
- Drop change in ubifs_jnl_xrename()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ubifs/journal.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
@@ -573,7 +573,7 @@ int ubifs_jnl_update(struct ubifs_info *
aligned_dlen = ALIGN(dlen, 8);
aligned_ilen = ALIGN(ilen, 8);
len = aligned_dlen + aligned_ilen + UBIFS_INO_NODE_SZ;
- dent = kmalloc(len, GFP_NOFS);
+ dent = kzalloc(len, GFP_NOFS);
if (!dent)
return -ENOMEM;
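Review bot: nothing at the `kzalloc()` call says that zeroing is required for correctness, so a later cleanup could switch it back to `kmalloc()` as an optimisation and reintroduce the leak. A one-line comment that the `ALIGN(..., 8)` padding in this buffer is written to the MTD, and must therefore be zero, would protect this site and the three others changed below.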
@@ -956,7 +956,7 @@ int ubifs_jnl_rename(struct ubifs_info *
len = aligned_dlen1 + aligned_dlen2 + ALIGN(ilen, 8) + ALIGN(plen, 8);
if (old_dir != new_dir)
len += plen;
- dent = kmalloc(len, GFP_NOFS);
+ dent = kzalloc(len, GFP_NOFS);
if (!dent)
return -ENOMEM;
@@ -1303,7 +1303,7 @@ int ubifs_jnl_delete_xattr(struct ubifs_
hlen = host_ui->data_len + UBIFS_INO_NODE_SZ;
len = aligned_xlen + UBIFS_INO_NODE_SZ + ALIGN(hlen, 8);
- xent = kmalloc(len, GFP_NOFS);
+ xent = kzalloc(len, GFP_NOFS);
if (!xent)
return -ENOMEM;
@@ -1410,7 +1410,7 @@ int ubifs_jnl_change_xattr(struct ubifs_
aligned_len1 = ALIGN(len1, 8);
aligned_len = aligned_len1 + ALIGN(len2, 8);
- ino = kmalloc(aligned_len, GFP_NOFS);
+ ino = kzalloc(aligned_len, GFP_NOFS);
if (!ino)
return -ENOMEM;
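Review bot: the backport note says the `ubifs_jnl_xrename()` change was dropped, and this patch converts four allocations only. Please confirm that the 3.16 journal.c has no other `kmalloc()` whose buffer is sized with `ALIGN()` padding and then written out; the hunks cannot show that.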
* [PATCH 3.16 050/192] af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Mateusz Jurczyk, Julian Wiedmann, David S. Miller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Jurczyk <mjurczyk@google.com>
commit e3c42b61ff813921ba58cfc0019e3fd63f651190 upstream.
Verify that the caller-provided sockaddr structure is large enough to
contain the sa_family field, before accessing it in bind() and connect()
handlers of the AF_IUCV socket. Since neither syscall enforces a minimum
size of the corresponding memory region, very short sockaddrs (zero or
one byte long) result in operating on uninitialized memory while
referencing .sa_family.
Fixes: 52a82e23b9f2 ("af_iucv: Validate socket address length in iucv_sock_bind()")
Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
[jwi: removed unneeded null-check for addr]
Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/iucv/af_iucv.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -706,10 +706,8 @@ static int iucv_sock_bind(struct socket
char uid[9];
/* Verify the input sockaddr */
- if (!addr || addr->sa_family != AF_IUCV)
- return -EINVAL;
-
- if (addr_len < sizeof(struct sockaddr_iucv))
+ if (addr_len < sizeof(struct sockaddr_iucv) ||
+ addr->sa_family != AF_IUCV)
return -EINVAL;
lock_sock(sk);
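Review bot: the fix depends on `addr_len < sizeof(struct sockaddr_iucv)` being evaluated before `addr->sa_family`, and only the short-circuit `||` enforces that. Extend the "Verify the input sockaddr" comment to say the length test must come first, otherwise a later reordering restores the read of uninitialized memory. The `!addr` test is dropped in the same hunk; the bracketed [jwi] line calls it unneeded, and the reason (who guarantees a non-NULL `addr`) should be in the changelog.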
@@ -853,7 +851,7 @@ static int iucv_sock_connect(struct sock
struct iucv_sock *iucv = iucv_sk(sk);
int err;
- if (addr->sa_family != AF_IUCV || alen < sizeof(struct sockaddr_iucv))
+ if (alen < sizeof(struct sockaddr_iucv) || addr->sa_family != AF_IUCV)
return -EINVAL;
if (sk->sk_state != IUCV_OPEN && sk->sk_state != IUCV_BOUND)
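Review bot: `iucv_sock_connect()` now carries the same two-part test as `iucv_sock_bind()`, written out a second time with a different length variable (`alen` here, `addr_len` there). A small shared helper taking the sockaddr and its length would keep the order of the two checks identical in both handlers.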
* [PATCH 3.16 067/192] PCI: Work around poweroff & suspend-to-RAM issue on Macbook Pro 11
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Chen Yu, Bjorn Helgaas, thejoe, Rafael J. Wysocki, Lukas Wunner
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
commit 13cfc732160f7bc7e596128ce34cda361c556966 upstream.
Neither soft poweroff (transition to ACPI power state S5) nor
suspend-to-RAM (transition to state S3) works on the Macbook Pro 11,4 and
11,5.
The problem is related to the [mem 0x7fa00000-0x7fbfffff] space. When we
use that space, e.g., by assigning it to the 00:1c.0 Root Port, the ACPI
Power Management 1 Control Register (PM1_CNT) at [io 0x1804] doesn't work
anymore.
Linux does a soft poweroff (transition to S5) by writing to PM1_CNT. The
theory about why this doesn't work is:
- The write to PM1_CNT causes an SMI
- The BIOS SMI handler depends on something in
[mem 0x7fa00000-0x7fbfffff]
- When Linux assigns [mem 0x7fa00000-0x7fbfffff] to the 00:1c.0 Port, it
covers up whatever the SMI handler uses, so the SMI handler no longer
works correctly
Reserve the [mem 0x7fa00000-0x7fbfffff] space so we don't assign it to
anything.
This is voodoo programming, since we don't know what the real conflict is,
but we've failed to find the root cause.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=103211
Tested-by: thejoe@gmail.com
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Rafael J. Wysocki <rafael@kernel.org>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: Chen Yu <yu.c.chen@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/pci/fixup.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
--- a/arch/x86/pci/fixup.c
+++ b/arch/x86/pci/fixup.c
@@ -573,3 +573,35 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_IN
DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6f60, pci_invalid_bar);
DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_invalid_bar);
DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_invalid_bar);
+
+/*
+ * Apple MacBook Pro: Avoid [mem 0x7fa00000-0x7fbfffff]
+ *
+ * Using the [mem 0x7fa00000-0x7fbfffff] region, e.g., by assigning it to
+ * the 00:1c.0 Root Port, causes a conflict with [io 0x1804], which is used
+ * for soft poweroff and suspend-to-RAM.
+ *
+ * As far as we know, this is related to the address space, not to the Root
+ * Port itself. Attaching the quirk to the Root Port is a convenience, but
+ * it could probably also be a standalone DMI quirk.
+ *
+ * https://bugzilla.kernel.org/show_bug.cgi?id=103211
+ */
+static void quirk_apple_mbp_poweroff(struct pci_dev *pdev)
+{
+ struct device *dev = &pdev->dev;
+ struct resource *res;
+
+ if ((!dmi_match(DMI_PRODUCT_NAME, "MacBookPro11,4") &&
+ !dmi_match(DMI_PRODUCT_NAME, "MacBookPro11,5")) ||
+ pdev->bus->number != 0 || pdev->devfn != PCI_DEVFN(0x1c, 0))
+ return;
+
+ res = request_mem_region(0x7fa00000, 0x200000,
+ "MacBook Pro poweroff workaround");
+ if (res)
+ dev_info(dev, "claimed %s %pR\n", res->name, res);
+ else
+ dev_info(dev, "can't work around MacBook Pro poweroff issue\n");
+}
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x8c10, quirk_apple_mbp_poweroff);
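Review bot: when `request_mem_region()` fails, the quirk only prints at `dev_info()` level, although that is exactly the case in which poweroff and suspend-to-RAM stay broken; `dev_warn()` fits better. The region is passed as the bare pair `0x7fa00000, 0x200000`, which does match the [mem 0x7fa00000-0x7fbfffff] range in the comment, but the device ID `0x8c10` in `DECLARE_PCI_FIXUP_HEADER()` has no name or comment tying it to the 00:1c.0 Root Port. The hunk also calls `dmi_match()` without adding an include, so check that fixup.c already pulls in <linux/dmi.h>.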
* [PATCH 3.16 005/192] sched/topology: Fix overlapping sched_group_mask
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Ingo Molnar, Thomas Gleixner,
Mike Galbraith, Peter Zijlstra
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 73bb059f9b8a00c5e1bf2f7ca83138c05d05e600 upstream.
The point of sched_group_mask is to select those CPUs from
sched_group_cpus that can actually arrive at this balance domain.
The current code gets it wrong, as can be readily demonstrated with a
topology like:
node 0 1 2 3
0: 10 20 30 20
1: 20 10 20 30
2: 30 20 10 20
3: 20 30 20 10
Where (for example) domain 1 on CPU1 ends up with a mask that includes
CPU0:
[] CPU1 attaching sched-domain:
[] domain 0: span 0-2 level NUMA
[] groups: 1 (mask: 1), 2, 0
[] domain 1: span 0-3 level NUMA
[] groups: 0-2 (mask: 0-2) (cpu_capacity: 3072), 0,2-3 (cpu_capacity: 3072)
This causes sched_balance_cpu() to compute the wrong CPU and
consequently should_we_balance() will terminate early resulting in
missed load-balance opportunities.
The fixed topology looks like:
[] CPU1 attaching sched-domain:
[] domain 0: span 0-2 level NUMA
[] groups: 1 (mask: 1), 2, 0
[] domain 1: span 0-3 level NUMA
[] groups: 0-2 (mask: 1) (cpu_capacity: 3072), 0,2-3 (cpu_capacity: 3072)
(note: this relies on OVERLAP domains to always have children, this is
true because the regular topology domains are still here -- this is
before degenerate trimming)
Debugged-by: Lauro Ramos Venancio <lvenanci@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Fixes: e3589f6c81e4 ("sched: Allow for overlapping sched_domain spans")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
- Use span, not sg_span
- Adjust filename context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sched/core.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5775,6 +5775,8 @@ enum s_alloc {
* and our sibling sd spans will be empty. Domains should always include the
* cpu they're built on, so check that.
*
+ * Only CPUs that can arrive at this group should be considered to continue
+ * balancing.
*/
static void build_group_mask(struct sched_domain *sd, struct sched_group *sg)
{
@@ -5785,11 +5787,24 @@ static void build_group_mask(struct sche
for_each_cpu(i, span) {
sibling = *per_cpu_ptr(sdd->sd, i);
- if (!cpumask_test_cpu(i, sched_domain_span(sibling)))
+
+ /*
+ * Can happen in the asymmetric case, where these siblings are
+ * unused. The mask will not be empty because those CPUs that
+ * do have the top domain _should_ span the domain.
+ */
+ if (!sibling->child)
+ continue;
+
+ /* If we would not end up here, we can't continue from here */
+ if (!cpumask_equal(span, sched_domain_span(sibling->child)))
continue;
cpumask_set_cpu(i, sched_group_mask(sg));
}
+
+ /* We must not have empty masks here */
+ WARN_ON_ONCE(cpumask_empty(sched_group_mask(sg)));
}
/*
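Review bot: the "if (!sibling->child) continue;" skip in the for_each_cpu() loop depends on an ordering that only the commit message states, namely that OVERLAP domains still have children because this runs before degenerate trimming. The in-code comment mentions only the asymmetric case, so the ordering assumption should be recorded there too. Separately, WARN_ON_ONCE(cpumask_empty(sched_group_mask(sg))) reports an empty mask but leaves the group with it; a comment saying what the balancer does with an empty mask, or a fallback, would help whoever hits the warning.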
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 110/192] PM / QoS: return -EINVAL for bogus strings
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (52 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 005/192] sched/topology: Fix overlapping sched_group_mask Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 117/192] ext2: Don't clear SGID when inheriting ACLs Ben Hutchings
` (138 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Pavel Machek, Rafael J. Wysocki, Dan Carpenter
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 2ca30331c156ca9e97643ad05dd8930b8fe78b01 upstream.
In the current code, if the user accidentally writes a bogus command to
this sysfs file, then we set the latency tolerance to an uninitialized
variable.
Fixes: 2d984ad132a8 (PM / QoS: Introcuce latency tolerance device PM QoS type)
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/base/power/sysfs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/base/power/sysfs.c
+++ b/drivers/base/power/sysfs.c
@@ -272,6 +272,8 @@ static ssize_t pm_qos_latency_tolerance_
value = PM_QOS_LATENCY_TOLERANCE_NO_CONSTRAINT;
else if (!strcmp(buf, "any") || !strcmp(buf, "any\n"))
value = PM_QOS_LATENCY_ANY;
+ else
+ return -EINVAL;
}
ret = dev_pm_qos_update_user_latency_tolerance(dev, value);
return ret < 0 ? ret : n;
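Review bot: the branch just above the new else compares buf against both "any" and "any\n" with strcmp(); sysfs_streq() treats a trailing newline as equal and would remove the duplicated comparison. The added "else return -EINVAL;" correctly rejects unknown input before dev_pm_qos_update_user_latency_tolerance() is reached. Initialising value where it is declared as well would keep a future branch from reintroducing the uninitialised use.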
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 117/192] ext2: Don't clear SGID when inheriting ACLs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (53 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 110/192] PM / QoS: return -EINVAL for bogus strings Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 016/192] drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail Ben Hutchings
` (137 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, linux-ext4, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit a992f2d38e4ce17b8c7d1f7f67b2de0eebdea069 upstream.
When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.
Fix the problem by creating __ext2_set_acl() function that does not call
posix_acl_update_mode() and use it when inheriting ACLs. That prevents
SGID bit clearing and the mode has been properly set by
posix_acl_create() anyway.
Fixes: 073931017b49d9458aa351605b43a7e34598caef
CC: linux-ext4@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: keep using CURRENT_TIME_SEC]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext2/acl.c | 36 ++++++++++++++++++++++--------------
1 file changed, 22 insertions(+), 14 deletions(-)
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -178,11 +178,8 @@ ext2_get_acl(struct inode *inode, int ty
return acl;
}
-/*
- * inode->i_mutex: down
- */
-int
-ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+static int
+__ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
{
int name_index;
void *value = NULL;
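Review bot: the locking comment ("inode->i_mutex: down") is dropped from what is now __ext2_set_acl(), and the new static helper has no comment of its own. A short comment saying that it stores the ACL xattr without calling posix_acl_update_mode(), and that callers must have set the mode already, would make it clear why ext2_init_acl() calls it instead of ext2_set_acl().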
@@ -192,13 +189,6 @@ ext2_set_acl(struct inode *inode, struct
switch(type) {
case ACL_TYPE_ACCESS:
name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
- if (acl) {
- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
- if (error)
- return error;
- inode->i_ctime = CURRENT_TIME_SEC;
- mark_inode_dirty(inode);
- }
break;
case ACL_TYPE_DEFAULT:
@@ -225,6 +215,24 @@ ext2_set_acl(struct inode *inode, struct
}
/*
+ * inode->i_mutex: down
+ */
+int
+ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+{
+ int error;
+
+ if (type == ACL_TYPE_ACCESS && acl) {
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
+ return error;
+ inode->i_ctime = CURRENT_TIME_SEC;
+ mark_inode_dirty(inode);
+ }
+ return __ext2_set_acl(inode, acl, type);
+}
+
+/*
* Initialize the ACLs of a new inode. Called from ext2_new_inode.
*
* dir->i_mutex: down
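Review bot: in the new ext2_set_acl(), posix_acl_update_mode() is handed &inode->i_mode, so the mode, ctime and dirty flag are updated before __ext2_set_acl() has stored the xattr. If __ext2_set_acl() then fails, the inode keeps the new mode without the matching ACL. Working on a local umode_t and assigning inode->i_mode only after __ext2_set_acl() returns 0 would avoid that; the ext4 patch in this series (127/192) is structured that way.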
@@ -241,12 +249,12 @@ ext2_init_acl(struct inode *inode, struc
return error;
if (default_acl) {
- error = ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+ error = __ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
posix_acl_release(default_acl);
}
if (acl) {
if (!error)
- error = ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
+ error = __ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
posix_acl_release(acl);
}
return error;
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 016/192] drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (54 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 117/192] ext2: Don't clear SGID when inheriting ACLs Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 107/192] crypto: caam - fix signals handling Ben Hutchings
` (136 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jonas Aaberg, Ville Syrjälä, Mika Kahola
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
commit ec1b4ee2834e66884e5b0d3d465f347ff212e372 upstream.
The scanline counter is bonkers on VLV/CHV DSI. The scanline counter
increment is not lined up with the start of vblank like it is on
every other platform and output type. This causes problems for
both the vblank timestamping and atomic update vblank evasion.
On my FFRD8 machine at least, the scanline counter increment
happens about 1/3 of a scanline ahead of the start of vblank (which
is where all register latching happens still). That means we can't
trust the scanline counter to tell us whether we're in vblank or not
while we're on that particular line. In order to keep vblank
timestamping in working condition when called from the vblank irq,
we'll leave scanline_offset at one, which means that the entire
line containing the start of vblank is considered to be inside
the vblank.
For the vblank evasion we'll need to consider that entire line
to be bad, since we can't tell whether the registers already
got latched or not. And we can't actually use the start of vblank
interrupt to get us past that line as the interrupt would fire
too soon, and then we'd end up waiting for the next start of vblank
instead. One way around that would be using the frame start
interrupt instead since that wouldn't fire until the next
scanline, but that would require some bigger changes in the
interrupt code. So for simplicity we'll just poll until we get
past the bad line.
v2: Adjust the comments a bit
Cc: Jonas Aaberg <cja@gmx.net>
Tested-by: Jonas Aaberg <cja@gmx.net>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99086
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161215174734.28779-1-ville.syrjala@linux.intel.com
Tested-by: Mika Kahola <mika.kahola@intel.com>
Reviewed-by: Mika Kahola <mika.kahola@intel.com>
[bwh: Backported to 3.16:
- Pass dev instead of dev_priv to hardware type predicates
- Use intel_pipe_has_type() to check output type]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/i915/intel_display.c | 9 +++++++++
drivers/gpu/drm/i915/intel_sprite.c | 21 +++++++++++++++++++++
2 files changed, 30 insertions(+)
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -369,7 +369,7 @@ static void vlv_clock(int refclk, intel_
/**
* Returns whether any output on the specified pipe is of the specified type
*/
-static bool intel_pipe_has_type(struct drm_crtc *crtc, int type)
+bool intel_pipe_has_type(struct drm_crtc *crtc, int type)
{
struct drm_device *dev = crtc->dev;
struct intel_encoder *encoder;
@@ -10313,6 +10313,15 @@ static void update_scanline_offset(struc
* type. For DP ports it behaves like most other platforms, but on HDMI
* there's an extra 1 line difference. So we need to add two instead of
* one to the value.
+ *
+ * On VLV/CHV DSI the scanline counter would appear to increment
+ * approx. 1/3 of a scanline before start of vblank. Unfortunately
+ * that means we can't tell whether we're in vblank or not while
+ * we're on that particular line. We must still set scanline_offset
+ * to 1 so that the vblank timestamps come out correct when we query
+ * the scanline counter from within the vblank interrupt handler.
+ * However if queried just before the start of vblank we'll get an
+ * answer that's slightly in the future.
*/
if (IS_GEN2(dev)) {
const struct drm_display_mode *mode = &crtc->config.adjusted_mode;
--- a/drivers/gpu/drm/i915/intel_sprite.c
+++ b/drivers/gpu/drm/i915/intel_sprite.c
@@ -53,6 +53,8 @@ static bool intel_pipe_update_start(stru
enum pipe pipe = crtc->pipe;
long timeout = msecs_to_jiffies_timeout(1);
int scanline, min, max, vblank_start;
+ bool need_vlv_dsi_wa = (IS_VALLEYVIEW(dev) || IS_CHERRYVIEW(dev)) &&
+ intel_pipe_has_type(&crtc->base, INTEL_OUTPUT_DSI);
DEFINE_WAIT(wait);
WARN_ON(!drm_modeset_is_locked(&crtc->base.mutex));
@@ -104,6 +106,24 @@ static bool intel_pipe_update_start(stru
drm_vblank_put(dev, pipe);
+ /*
+ * On VLV/CHV DSI the scanline counter would appear to
+ * increment approx. 1/3 of a scanline before start of vblank.
+ * The registers still get latched at start of vblank however.
+ * This means we must not write any registers on the first
+ * line of vblank (since not the whole line is actually in
+ * vblank). And unfortunately we can't use the interrupt to
+ * wait here since it will fire too soon. We could use the
+ * frame start interrupt instead since it will fire after the
+ * critical scanline, but that would require more changes
+ * in the interrupt code. So for now we'll just do the nasty
+ * thing and poll for the bad scanline to pass us by.
+ *
+ * FIXME figure out if BXT+ DSI suffers from this as well
+ */
+ while (need_vlv_dsi_wa && scanline == vblank_start)
+ scanline = intel_get_crtc_scanline(crtc);
+
*start_vbl_count = dev->driver->get_vblank_counter(dev, pipe);
trace_i915_pipe_update_vblank_evaded(crtc, min, max, *start_vbl_count);
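Review bot: the polling loop "while (need_vlv_dsi_wa && scanline == vblank_start)" has no bound and no cpu_relax() in its body. If intel_get_crtc_scanline() keeps returning vblank_start, for example because the pipe has stopped, this spins forever, and the hunk does not show whether interrupts are disabled at this point. A retry limit or elapsed-time check, plus cpu_relax(), would let the workaround fail safely.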
--- a/drivers/gpu/drm/i915/intel_drv.h
+++ b/drivers/gpu/drm/i915/intel_drv.h
@@ -721,6 +721,7 @@ void intel_ddi_get_config(struct intel_e
const char *intel_output_name(int output);
bool intel_has_pending_fb_unpin(struct drm_device *dev);
int intel_pch_rawclk(struct drm_device *dev);
+bool intel_pipe_has_type(struct drm_crtc *crtc, int type);
int valleyview_cur_cdclk(struct drm_i915_private *dev_priv);
void intel_mark_busy(struct drm_device *dev);
void intel_mark_fb_busy(struct drm_i915_gem_object *obj,
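Review bot: the diffstat above lists two files and only insertions, but the patch also touches intel_drv.h to declare intel_pipe_has_type() and removes the static definition line in intel_display.c. The [bwh: ...] note says intel_pipe_has_type() is used; it should also say that the function is made non-static and declared in intel_drv.h for this backport, and the diffstat should be regenerated to match.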
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 107/192] crypto: caam - fix signals handling
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (55 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 016/192] drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 108/192] crypto: atmel - only treat EBUSY as transient if backlog Ben Hutchings
` (135 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Horia Geantă
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Horia Geantă <horia.geanta@nxp.com>
commit 7459e1d25ffefa2b1be799477fcc1f6c62f6cec7 upstream.
Driver does not properly handle the case when signals interrupt
wait_for_completion_interruptible():
- it does not check for return value
- completion structure is allocated on stack; in case a signal interrupts
  the sleep, it will go out of scope, causing the worker thread
  (caam_jr_dequeue) to fail when it accesses it
wait_for_completion_interruptible() is replaced with uninterruptible
wait_for_completion().
We choose to block all signals while waiting for I/O (device executing
the split key generation job descriptor) since the alternative - in
order to have a deterministic device state - would be to flush the job
ring (aborting *all* in-progress jobs).
Fixes: 045e36780f115 ("crypto: caam - ahash hmac support")
Fixes: 4c1ec1f930154 ("crypto: caam - refactor key_gen, sg")
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/crypto/caam/caamhash.c | 2 +-
drivers/crypto/caam/key_gen.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -478,7 +478,7 @@ static int hash_digest_key(struct caam_h
ret = caam_jr_enqueue(jrdev, desc, split_key_done, &result);
if (!ret) {
/* in progress */
- wait_for_completion_interruptible(&result.completion);
+ wait_for_completion(&result.completion);
ret = result.err;
#ifdef DEBUG
print_hex_dump(KERN_ERR,
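Review bot: wait_for_completion() in hash_digest_key() has no timeout, so if split_key_done is never invoked the caller sleeps uninterruptibly and cannot be killed. Either state in a comment that a successful caam_jr_enqueue() guarantees the callback will run, or move result off the stack so that a bounded wait becomes possible without the callback touching freed stack memory.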
--- a/drivers/crypto/caam/key_gen.c
+++ b/drivers/crypto/caam/key_gen.c
@@ -103,7 +103,7 @@ int gen_split_key(struct device *jrdev,
ret = caam_jr_enqueue(jrdev, desc, split_key_done, &result);
if (!ret) {
/* in progress */
- wait_for_completion_interruptible(&result.completion);
+ wait_for_completion(&result.completion);
ret = result.err;
#ifdef DEBUG
print_hex_dump(KERN_ERR, "ctx.key@"__stringify(__LINE__)": ",
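Review bot: the switch to wait_for_completion() in gen_split_key() carries no comment explaining why the wait must not be interruptible. The reason is only in the commit message (the completion is on the stack and the job ring callback would access it after the function returned). A one-line comment above the wait would keep someone from converting it back to an interruptible or killable wait later.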
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 108/192] crypto: atmel - only treat EBUSY as transient if backlog
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (56 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 107/192] crypto: caam - fix signals handling Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 127/192] ext4: Don't clear SGID when inheriting ACLs Ben Hutchings
` (134 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Gilad Ben-Yossef, Herbert Xu
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Gilad Ben-Yossef <gilad@benyossef.com>
commit 1606043f214f912a52195293614935811a6e3e53 upstream.
The Atmel SHA driver was treating -EBUSY as indication of queueing
to backlog without checking that backlog is enabled for the request.
Fix it by checking request flags.
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/crypto/atmel-sha.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/crypto/atmel-sha.c
+++ b/drivers/crypto/atmel-sha.c
@@ -957,7 +957,9 @@ static int atmel_sha_finup(struct ahash_
ctx->flags |= SHA_FLAGS_FINUP;
err1 = atmel_sha_update(req);
- if (err1 == -EINPROGRESS || err1 == -EBUSY)
+ if (err1 == -EINPROGRESS ||
+ (err1 == -EBUSY && (ahash_request_flags(req) &
+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
return err1;
/*
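Review bot: with the new condition, err1 == -EBUSY without CRYPTO_TFM_REQ_MAY_BACKLOG no longer returns here and falls through to the code after this if, which the hunk does not show. Please confirm that the fall-through path reports the rejected update as an error rather than continuing as if the update had been accepted. The nested parentheses would also read more easily with the flag test pulled into a local variable.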
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 127/192] ext4: Don't clear SGID when inheriting ACLs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (57 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 108/192] crypto: atmel - only treat EBUSY as transient if backlog Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 106/192] powerpc: Fix emulation of mfocrf in emulate_step() Ben Hutchings
` (133 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jan Kara, Theodore Ts'o, Andreas Gruenbacher
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit a3bb2d5587521eea6dab2d05326abb0afb460abd upstream.
When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.
Fix the problem by moving posix_acl_update_mode() out of
__ext4_set_acl() into ext4_set_acl(). That way the function will not be
called when inheriting ACLs which is what we want as it prevents SGID
bit clearing and the mode has been properly set by posix_acl_create()
anyway.
Fixes: 073931017b49d9458aa351605b43a7e34598caef
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
[bwh: Backported to 3.16:
- Keep using ext4_current_time()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext4/acl.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -196,18 +196,10 @@ __ext4_set_acl(handle_t *handle, struct
void *value = NULL;
size_t size = 0;
int error;
- int update_mode = 0;
- umode_t mode = inode->i_mode;
switch (type) {
case ACL_TYPE_ACCESS:
name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
- if (acl) {
- error = posix_acl_update_mode(inode, &mode, &acl);
- if (error)
- return error;
- update_mode = 1;
- }
break;
case ACL_TYPE_DEFAULT:
@@ -231,11 +223,6 @@ __ext4_set_acl(handle_t *handle, struct
kfree(value);
if (!error) {
set_cached_acl(inode, type, acl);
- if (update_mode) {
- inode->i_mode = mode;
- inode->i_ctime = ext4_current_time(inode);
- ext4_mark_inode_dirty(handle, inode);
- }
}
return error;
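Review bot: once the update_mode block is removed, "if (!error) { set_cached_acl(inode, type, acl); }" is left with braces around a single statement, which kernel coding style drops. If the braces are kept deliberately to match upstream context for later backports, a word in the [bwh: ...] note would settle it.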
@@ -246,6 +233,8 @@ ext4_set_acl(struct inode *inode, struct
{
handle_t *handle;
int error, retries = 0;
+ umode_t mode = inode->i_mode;
+ int update_mode = 0;
retry:
handle = ext4_journal_start(inode, EXT4_HT_XATTR,
@@ -253,7 +242,20 @@ retry:
if (IS_ERR(handle))
return PTR_ERR(handle);
+ if ((type == ACL_TYPE_ACCESS) && acl) {
+ error = posix_acl_update_mode(inode, &mode, &acl);
+ if (error)
+ goto out_stop;
+ update_mode = 1;
+ }
+
error = __ext4_set_acl(handle, inode, type, acl);
+ if (!error && update_mode) {
+ inode->i_mode = mode;
+ inode->i_ctime = ext4_current_time(inode);
+ ext4_mark_inode_dirty(handle, inode);
+ }
+out_stop:
ext4_journal_stop(handle);
if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries))
goto retry;
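Review bot: mode and update_mode are initialised once, above the retry: label, while posix_acl_update_mode(inode, &mode, &acl) sits below it, so on the -ENOSPC "goto retry" path the call runs again with whatever the first pass left in mode and acl. Please confirm that a second pass is harmless, or do the mode computation once before retry:. The posix_acl_update_mode() error path through out_stop also reaches the -ENOSPC retry check; if that is intended it deserves a mention in the changelog.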
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 106/192] powerpc: Fix emulation of mfocrf in emulate_step()
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (58 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 127/192] ext4: Don't clear SGID when inheriting ACLs Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 129/192] f2fs: preserve i_mode if __f2fs_set_acl() fails Ben Hutchings
` (132 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Michael Ellerman, Naveen N. Rao, Anton Blanchard
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Anton Blanchard <anton@samba.org>
commit 64e756c55aa46fc18fd53e8f3598b73b528d8637 upstream.
From POWER4 onwards, mfocrf() only places the specified CR field into
the destination GPR, and the rest of it is set to 0. The PowerPC AS
from version 3.0 now requires this behaviour.
The emulation code currently puts the entire CR into the destination GPR.
Fix it.
Fixes: 6888199f7fe5 ("[POWERPC] Emulate more instructions in software")
Signed-off-by: Anton Blanchard <anton@samba.org>
Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/lib/sstep.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/arch/powerpc/lib/sstep.c
+++ b/arch/powerpc/lib/sstep.c
@@ -938,6 +938,19 @@ int __kprobes emulate_step(struct pt_reg
goto instr_done;
#endif
case 19: /* mfcr */
+ if ((instr >> 20) & 1) {
+ imm = 0xf0000000UL;
+ for (sh = 0; sh < 8; ++sh) {
+ if (instr & (0x80000 >> sh)) {
+ regs->gpr[rd] = regs->ccr & imm;
+ break;
+ }
+ imm >>= 4;
+ }
+
+ goto instr_done;
+ }
+
regs->gpr[rd] = regs->ccr;
regs->gpr[rd] &= 0xffffffffUL;
goto instr_done;
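Review bot: when bit 20 of instr is set but none of the eight field-mask bits tested by "instr & (0x80000 >> sh)" is set, the loop ends without writing regs->gpr[rd], so the destination register keeps its previous value. If that is the intended handling of an mfocrf with an empty field mask, say so in a comment; otherwise choose a defined result. The case label comment still reads "mfcr" although the case now handles mfocrf as well, and the 0x80000 and 0xf0000000UL constants would be clearer with a short comment naming the fields they select.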
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 129/192] f2fs: preserve i_mode if __f2fs_set_acl() fails
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (59 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 106/192] powerpc: Fix emulation of mfocrf in emulate_step() Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 059/192] MIPS: Fix mips_atomic_set() with EVA Ben Hutchings
` (131 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Chao Yu, Ernesto A. Fernández, Jaegeuk Kim
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
commit 14af20fcb1833dd776822361891963c90f7b0262 upstream.
When changing a file's acl mask, __f2fs_set_acl() will first set the
group bits of i_mode to the value of the mask, and only then set the
actual extended attribute representing the new acl.
If the second part fails (due to lack of space, for example) and the
file had no acl attribute to begin with, the system will from now on
assume that the mask permission bits are actual group permission bits,
potentially granting access to the wrong users.
Prevent this by only changing the inode mode after the acl has been set.
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/f2fs/acl.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -202,6 +202,7 @@ static int __f2fs_set_acl(struct inode *
void *value = NULL;
size_t size = 0;
int error;
+ umode_t mode = inode->i_mode;
if (acl) {
error = posix_acl_valid(acl);
@@ -213,10 +214,10 @@ static int __f2fs_set_acl(struct inode *
case ACL_TYPE_ACCESS:
name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
if (acl && !ipage) {
- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ error = posix_acl_update_mode(inode, &mode, &acl);
if (error)
return error;
- set_acl_inode(fi, inode->i_mode);
+ set_acl_inode(fi, mode);
}
break;
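Review bot: the two hunks compute the new mode into a local and pass it to set_acl_inode(fi, mode), but nothing visible here writes it to inode->i_mode after the xattr has been stored, which is the ordering the commit message promises. If set_acl_inode() only stashes the value for a later update, a comment at this call should say where the mode is finally applied and that the update is skipped when setting the xattr fails.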
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 059/192] MIPS: Fix mips_atomic_set() with EVA
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (60 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 129/192] f2fs: preserve i_mode if __f2fs_set_acl() fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 087/192] IB/core: Create common start/end port functions Ben Hutchings
` (130 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, linux-mips, Ralf Baechle, James Hogan
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 4915e1b043d6286928207b1f6968197b50407294 upstream.
EVA linked loads (LLE) and conditional stores (SCE) should be used on
EVA kernels for the MIPS_ATOMIC_SET operation of the sysmips system
call, or else the atomic set will apply to the kernel view of the
virtual address space (potentially unmapped on EVA kernels) rather than
the user view (TLB mapped).
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16151/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/syscall.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/arch/mips/kernel/syscall.c
+++ b/arch/mips/kernel/syscall.c
@@ -28,6 +28,7 @@
#include <linux/elf.h>
#include <asm/asm.h>
+#include <asm/asm-eva.h>
#include <asm/branch.h>
#include <asm/cachectl.h>
#include <asm/cacheflush.h>
@@ -137,9 +138,11 @@ static inline int mips_atomic_set(unsign
__asm__ __volatile__ (
" .set arch=r4000 \n"
" li %[err], 0 \n"
- "1: ll %[old], (%[addr]) \n"
+ "1: \n"
+ user_ll("%[old]", "(%[addr])")
" move %[tmp], %[new] \n"
- "2: sc %[tmp], (%[addr]) \n"
+ "2: \n"
+ user_sc("%[tmp]", "(%[addr])")
" beqz %[tmp], 4f \n"
"3: \n"
" .subsection 2 \n"
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 087/192] IB/core: Create common start/end port functions
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (61 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 059/192] MIPS: Fix mips_atomic_set() with EVA Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 101/192] mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack Ben Hutchings
` (129 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Doug Ledford, Ira Weiny
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ira Weiny <ira.weiny@intel.com>
commit 0cf18d7723055709faf51b50f5a33253b480637f upstream.
Previously start_port and end_port were defined in 2 places, cache.c and
device.c and this prevented their use in other modules.
Make these common functions, change the name to reflect the rdma
name space, and update existing users.
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/cache.c | 61 ++++++++++++++++------------------------
drivers/infiniband/core/device.c | 26 +++++------------
include/rdma/ib_verbs.h | 27 ++++++++++++++++++
3 files changed, 59 insertions(+), 55 deletions(-)
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -58,17 +58,6 @@ struct ib_update_work {
u8 port_num;
};
-static inline int start_port(struct ib_device *device)
-{
- return (device->node_type == RDMA_NODE_IB_SWITCH) ? 0 : 1;
-}
-
-static inline int end_port(struct ib_device *device)
-{
- return (device->node_type == RDMA_NODE_IB_SWITCH) ?
- 0 : device->phys_port_cnt;
-}
-
int ib_get_cached_gid(struct ib_device *device,
u8 port_num,
int index,
@@ -78,12 +67,12 @@ int ib_get_cached_gid(struct ib_device *
unsigned long flags;
int ret = 0;
- if (port_num < start_port(device) || port_num > end_port(device))
+ if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
- cache = device->cache.gid_cache[port_num - start_port(device)];
+ cache = device->cache.gid_cache[port_num - rdma_start_port(device)];
if (index < 0 || index >= cache->table_len)
ret = -EINVAL;
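Review bot: the range check "port_num < rdma_start_port(device) || port_num > rdma_end_port(device)" now runs past 80 columns, and the same expression is repeated in five of the cached lookup functions in this file. A small port-validation helper placed next to rdma_start_port()/rdma_end_port() would shorten every caller and keep the bounds logic in one place.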
@@ -112,11 +101,11 @@ int ib_find_cached_gid(struct ib_device
read_lock_irqsave(&device->cache.lock, flags);
- for (p = 0; p <= end_port(device) - start_port(device); ++p) {
+ for (p = 0; p <= rdma_end_port(device) - rdma_start_port(device); ++p) {
cache = device->cache.gid_cache[p];
for (i = 0; i < cache->table_len; ++i) {
if (!memcmp(gid, &cache->table[i], sizeof *gid)) {
- *port_num = p + start_port(device);
+ *port_num = p + rdma_start_port(device);
if (index)
*index = i;
ret = 0;
@@ -140,12 +129,12 @@ int ib_get_cached_pkey(struct ib_device
unsigned long flags;
int ret = 0;
- if (port_num < start_port(device) || port_num > end_port(device))
+ if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
- cache = device->cache.pkey_cache[port_num - start_port(device)];
+ cache = device->cache.pkey_cache[port_num - rdma_start_port(device)];
if (index < 0 || index >= cache->table_len)
ret = -EINVAL;
@@ -169,12 +158,12 @@ int ib_find_cached_pkey(struct ib_device
int ret = -ENOENT;
int partial_ix = -1;
- if (port_num < start_port(device) || port_num > end_port(device))
+ if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
- cache = device->cache.pkey_cache[port_num - start_port(device)];
+ cache = device->cache.pkey_cache[port_num - rdma_start_port(device)];
*index = -1;
@@ -209,12 +198,12 @@ int ib_find_exact_cached_pkey(struct ib_
int i;
int ret = -ENOENT;
- if (port_num < start_port(device) || port_num > end_port(device))
+ if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
- cache = device->cache.pkey_cache[port_num - start_port(device)];
+ cache = device->cache.pkey_cache[port_num - rdma_start_port(device)];
*index = -1;
@@ -238,11 +227,11 @@ int ib_get_cached_lmc(struct ib_device *
unsigned long flags;
int ret = 0;
- if (port_num < start_port(device) || port_num > end_port(device))
+ if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
return -EINVAL;
read_lock_irqsave(&device->cache.lock, flags);
- *lmc = device->cache.lmc_cache[port_num - start_port(device)];
+ *lmc = device->cache.lmc_cache[port_num - rdma_start_port(device)];
read_unlock_irqrestore(&device->cache.lock, flags);
return ret;
@@ -303,13 +292,13 @@ static void ib_cache_update(struct ib_de
write_lock_irq(&device->cache.lock);
- old_pkey_cache = device->cache.pkey_cache[port - start_port(device)];
- old_gid_cache = device->cache.gid_cache [port - start_port(device)];
+ old_pkey_cache = device->cache.pkey_cache[port - rdma_start_port(device)];
+ old_gid_cache = device->cache.gid_cache [port - rdma_start_port(device)];
- device->cache.pkey_cache[port - start_port(device)] = pkey_cache;
- device->cache.gid_cache [port - start_port(device)] = gid_cache;
+ device->cache.pkey_cache[port - rdma_start_port(device)] = pkey_cache;
+ device->cache.gid_cache [port - rdma_start_port(device)] = gid_cache;
- device->cache.lmc_cache[port - start_port(device)] = tprops->lmc;
+ device->cache.lmc_cache[port - rdma_start_port(device)] = tprops->lmc;
write_unlock_irq(&device->cache.lock);
@@ -363,14 +352,14 @@ static void ib_cache_setup_one(struct ib
device->cache.pkey_cache =
kmalloc(sizeof *device->cache.pkey_cache *
- (end_port(device) - start_port(device) + 1), GFP_KERNEL);
+ (rdma_end_port(device) - rdma_start_port(device) + 1), GFP_KERNEL);
device->cache.gid_cache =
kmalloc(sizeof *device->cache.gid_cache *
- (end_port(device) - start_port(device) + 1), GFP_KERNEL);
+ (rdma_end_port(device) - rdma_start_port(device) + 1), GFP_KERNEL);
device->cache.lmc_cache = kmalloc(sizeof *device->cache.lmc_cache *
- (end_port(device) -
- start_port(device) + 1),
+ (rdma_end_port(device) -
+ rdma_start_port(device) + 1),
GFP_KERNEL);
if (!device->cache.pkey_cache || !device->cache.gid_cache ||
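Review bot: the three kmalloc() calls in ib_cache_setup_one() each repeat rdma_end_port(device) - rdma_start_port(device) + 1 as an open-coded multiplier. Compute the port count once into a local, as read_port_table_lengths() does with num_ports, and pass it to kmalloc_array() so the size multiplication is overflow-checked and the three allocations cannot drift apart in a later edit.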
@@ -380,10 +369,10 @@ static void ib_cache_setup_one(struct ib
goto err;
}
- for (p = 0; p <= end_port(device) - start_port(device); ++p) {
+ for (p = 0; p <= rdma_end_port(device) - rdma_start_port(device); ++p) {
device->cache.pkey_cache[p] = NULL;
device->cache.gid_cache [p] = NULL;
- ib_cache_update(device, p + start_port(device));
+ ib_cache_update(device, p + rdma_start_port(device));
}
INIT_IB_EVENT_HANDLER(&device->cache.event_handler,
@@ -394,7 +383,7 @@ static void ib_cache_setup_one(struct ib
return;
err_cache:
- for (p = 0; p <= end_port(device) - start_port(device); ++p) {
+ for (p = 0; p <= rdma_end_port(device) - rdma_start_port(device); ++p) {
kfree(device->cache.pkey_cache[p]);
kfree(device->cache.gid_cache[p]);
}
@@ -412,7 +401,7 @@ static void ib_cache_cleanup_one(struct
ib_unregister_event_handler(&device->cache.event_handler);
flush_workqueue(ib_wq);
- for (p = 0; p <= end_port(device) - start_port(device); ++p) {
+ for (p = 0; p <= rdma_end_port(device) - rdma_start_port(device); ++p) {
kfree(device->cache.pkey_cache[p]);
kfree(device->cache.gid_cache[p]);
}
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -151,18 +151,6 @@ static int alloc_name(char *name)
return 0;
}
-static int start_port(struct ib_device *device)
-{
- return (device->node_type == RDMA_NODE_IB_SWITCH) ? 0 : 1;
-}
-
-
-static int end_port(struct ib_device *device)
-{
- return (device->node_type == RDMA_NODE_IB_SWITCH) ?
- 0 : device->phys_port_cnt;
-}
-
/**
* ib_alloc_device - allocate an IB device struct
* @size:size of structure to allocate
@@ -232,7 +220,7 @@ static int read_port_table_lengths(struc
if (!tprops)
goto out;
- num_ports = end_port(device) - start_port(device) + 1;
+ num_ports = rdma_end_port(device) - rdma_start_port(device) + 1;
device->pkey_tbl_len = kmalloc(sizeof *device->pkey_tbl_len * num_ports,
GFP_KERNEL);
@@ -242,7 +230,7 @@ static int read_port_table_lengths(struc
goto err;
for (port_index = 0; port_index < num_ports; ++port_index) {
- ret = ib_query_port(device, port_index + start_port(device),
+ ret = ib_query_port(device, port_index + rdma_start_port(device),
tprops);
if (ret)
goto err;
@@ -575,7 +563,7 @@ int ib_query_port(struct ib_device *devi
u8 port_num,
struct ib_port_attr *port_attr)
{
- if (port_num < start_port(device) || port_num > end_port(device))
+ if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
return -EINVAL;
return device->query_port(device, port_num, port_attr);
@@ -653,7 +641,7 @@ int ib_modify_port(struct ib_device *dev
if (!device->modify_port)
return -ENOSYS;
- if (port_num < start_port(device) || port_num > end_port(device))
+ if (port_num < rdma_start_port(device) || port_num > rdma_end_port(device))
return -EINVAL;
return device->modify_port(device, port_num, port_modify_mask,
@@ -676,8 +664,8 @@ int ib_find_gid(struct ib_device *device
union ib_gid tmp_gid;
int ret, port, i;
- for (port = start_port(device); port <= end_port(device); ++port) {
- for (i = 0; i < device->gid_tbl_len[port - start_port(device)]; ++i) {
+ for (port = rdma_start_port(device); port <= rdma_end_port(device); ++port) {
+ for (i = 0; i < device->gid_tbl_len[port - rdma_start_port(device)]; ++i) {
ret = ib_query_gid(device, port, i, &tmp_gid);
if (ret)
return ret;
@@ -709,7 +697,7 @@ int ib_find_pkey(struct ib_device *devic
u16 tmp_pkey;
int partial_ix = -1;
- for (i = 0; i < device->pkey_tbl_len[port_num - start_port(device)]; ++i) {
+ for (i = 0; i < device->pkey_tbl_len[port_num - rdma_start_port(device)]; ++i) {
ret = ib_query_pkey(device, port_num, i, &tmp_pkey);
if (ret)
return ret;
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -1694,6 +1694,33 @@ int ib_query_port(struct ib_device *devi
enum rdma_link_layer rdma_port_get_link_layer(struct ib_device *device,
u8 port_num);
+/**
+ * rdma_start_port - Return the first valid port number for the device
+ * specified
+ *
+ * @device: Device to be checked
+ *
+ * Return start port number
+ */
+static inline u8 rdma_start_port(const struct ib_device *device)
+{
+ return (device->node_type == RDMA_NODE_IB_SWITCH) ? 0 : 1;
+}
+
+/**
+ * rdma_end_port - Return the last valid port number for the device
+ * specified
+ *
+ * @device: Device to be checked
+ *
+ * Return last port number
+ */
+static inline u8 rdma_end_port(const struct ib_device *device)
+{
+ return (device->node_type == RDMA_NODE_IB_SWITCH) ?
+ 0 : device->phys_port_cnt;
+}
+
int ib_query_gid(struct ib_device *device,
u8 port_num, int index, union ib_gid *gid);
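Review bot: rdma_start_port() and rdma_end_port() return u8, while the static start_port() and end_port() they replace in device.c returned int, and the kernel-doc does not mention the narrower type. Caller arithmetic such as rdma_end_port(device) - rdma_start_port(device) + 1 is still evaluated as int after integer promotion, so the results are unchanged, but that is worth stating next to the helpers. The kernel-doc would also read better with a "Return:" section and a note that an RDMA_NODE_IB_SWITCH device has port 0 as both its first and last port.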
* [PATCH 3.16 101/192] mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Michal Hocko, Linus Torvalds, Oleg Nesterov, Hugh Dickins,
Rik van Riel, Willy Tarreau
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michal Hocko <mhocko@suse.com>
commit 561b5e0709e4a248c67d024d4d94b6e31e3edf2f upstream.
Commit 1be7107fbe18 ("mm: larger stack guard gap, between vmas") has
introduced a regression in some rust and Java environments which are
trying to implement their own stack guard page. They are punching a new
MAP_FIXED mapping inside the existing stack Vma.
This will confuse expand_{downwards,upwards} into thinking that the
stack expansion would in fact get us too close to an existing non-stack
vma which is a correct behavior wrt safety. It is a real regression on
the other hand.
Let's work around the problem by considering PROT_NONE mapping as a part
of the stack. This is a gross hack but overflowing to such a mapping
would trap anyway and we only can hope that userspace knows what it is
doing and handles it properly.
Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
Link: http://lkml.kernel.org/r/20170705182849.GA18027@dhcp22.suse.cz
Signed-off-by: Michal Hocko <mhocko@suse.com>
Debugged-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/mmap.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2153,7 +2153,8 @@ int expand_upwards(struct vm_area_struct
gap_addr = TASK_SIZE;
next = vma->vm_next;
- if (next && next->vm_start < gap_addr) {
+ if (next && next->vm_start < gap_addr &&
+ (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
if (!(next->vm_flags & VM_GROWSUP))
return -ENOMEM;
/* Check that both stack segments have the same anon_vma? */
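Review bot: the added test (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC)) in expand_upwards() has no comment, and without the changelog it reads as if inaccessible neighbours were simply forgotten. Add a short comment above the condition saying that a PROT_NONE mapping is deliberately treated as part of the stack, so that a guard page punched in with MAP_FIXED does not fail the expansion with -ENOMEM.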
@@ -2233,7 +2234,8 @@ int expand_downwards(struct vm_area_stru
if (gap_addr > address)
return -ENOMEM;
prev = vma->vm_prev;
- if (prev && prev->vm_end > gap_addr) {
+ if (prev && prev->vm_end > gap_addr &&
+ (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
if (!(prev->vm_flags & VM_GROWSDOWN))
return -ENOMEM;
/* Check that both stack segments have the same anon_vma? */
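Review bot: in expand_downwards() the gap check is skipped for any prev vma that has none of VM_READ, VM_WRITE or VM_EXEC set, judged by its flags at expansion time only. Nothing in the condition ties that vma to the stack, and a later mprotect() on it would leave an accessible mapping closer than the guard gap; if that is accepted as part of the workaround, say so in a comment. The condition is also duplicated from expand_upwards(), so a small helper predicate would keep the two sites in sync.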
* [PATCH 3.16 102/192] fs/dcache.c: fix spin lockup issue on nlru->lock
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Sahitya Tummala, Al Viro, Vladimir Davydov, Jan Kara,
Alexander Polakov, Linus Torvalds
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sahitya Tummala <stummala@codeaurora.org>
commit b17c070fb624cf10162cf92ea5e1ec25cd8ac176 upstream.
__list_lru_walk_one() acquires nlru spin lock (nlru->lock) for longer
duration if there are more number of items in the lru list. As per the
current code, it can hold the spin lock for up to maximum UINT_MAX
entries at a time. So if there are more number of items in the lru
list, then "BUG: spinlock lockup suspected" is observed in the below
path:
spin_bug+0x90
do_raw_spin_lock+0xfc
_raw_spin_lock+0x28
list_lru_add+0x28
dput+0x1c8
path_put+0x20
terminate_walk+0x3c
path_lookupat+0x100
filename_lookup+0x6c
user_path_at_empty+0x54
SyS_faccessat+0xd0
el0_svc_naked+0x24
This nlru->lock is acquired by another CPU in this path -
d_lru_shrink_move+0x34
dentry_lru_isolate_shrink+0x48
__list_lru_walk_one.isra.10+0x94
list_lru_walk_node+0x40
shrink_dcache_sb+0x60
do_remount_sb+0xbc
do_emergency_remount+0xb0
process_one_work+0x228
worker_thread+0x2e0
kthread+0xf4
ret_from_fork+0x10
Fix this lockup by reducing the number of entries to be shrunk from
the lru list to 1024 at once. Also, add cond_resched() before
processing the lru list again.
Link: http://marc.info/?t=149722864900001&r=1&w=2
Link: http://lkml.kernel.org/r/1498707575-2472-1-git-send-email-stummala@codeaurora.org
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Suggested-by: Jan Kara <jack@suse.cz>
Suggested-by: Vladimir Davydov <vdavydov.dev@gmail.com>
Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: Alexander Polakov <apolyakov@beget.ru>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/dcache.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1066,11 +1066,12 @@ void shrink_dcache_sb(struct super_block
LIST_HEAD(dispose);
freed = list_lru_walk(&sb->s_dentry_lru,
- dentry_lru_isolate_shrink, &dispose, UINT_MAX);
+ dentry_lru_isolate_shrink, &dispose, 1024);
this_cpu_sub(nr_dentry_unused, freed);
shrink_dentry_list(&dispose);
- } while (freed > 0);
+ cond_resched();
+ } while (list_lru_count(&sb->s_dentry_lru) > 0);
}
EXPORT_SYMBOL(shrink_dcache_sb);
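Review bot: the loop in shrink_dcache_sb() now terminates on list_lru_count(&sb->s_dentry_lru) > 0 instead of freed > 0, so a pass that isolates nothing no longer ends the loop. If entries can stay on the LRU without being moved to dispose, this keeps iterating (with cond_resched()) until they go away; confirm that dentry_lru_isolate_shrink() always removes what it visits, or keep a progress check as well. The batch size 1024 is a bare literal; give it a named constant or a comment tying it to the nlru->lock hold time described in the changelog.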
* [PATCH 3.16 065/192] vfio: New external user group/file match
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric Auger, Paolo Bonzini, Alex Williamson
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@redhat.com>
commit 5d6dee80a1e94cc284d03e06d930e60e8d3ecf7d upstream.
At the point where the kvm-vfio pseudo device wants to release its
vfio group reference, we can't always acquire a new reference to make
that happen. The group can be in a state where we wouldn't allow a
new reference to be added. This new helper function allows a caller
to match a file to a group to facilitate this. Given a file and
group, report if they match. Thus the caller needs to already have a
group reference to match to the file. This allows the deletion of a
group without acquiring a new reference.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/vfio/vfio.c | 9 +++++++++
include/linux/vfio.h | 2 ++
virt/kvm/vfio.c | 27 +++++++++++++++++++--------
3 files changed, 30 insertions(+), 8 deletions(-)
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -1436,6 +1436,15 @@ void vfio_group_put_external_user(struct
}
EXPORT_SYMBOL_GPL(vfio_group_put_external_user);
+bool vfio_external_group_match_file(struct vfio_group *test_group,
+ struct file *filep)
+{
+ struct vfio_group *group = filep->private_data;
+
+ return (filep->f_op == &vfio_group_fops) && (group == test_group);
+}
+EXPORT_SYMBOL_GPL(vfio_external_group_match_file);
+
int vfio_external_user_iommu_id(struct vfio_group *group)
{
return iommu_group_id(group->iommu_group);
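Review bot: vfio_external_group_match_file() is exported without a comment, and its contract exists only in the changelog: the caller must already hold a reference on test_group, and no new reference is taken. Put that in a comment above the function. Reading filep->private_data before the f_op check is harmless because the pointer is only compared, but testing filep->f_op == &vfio_group_fops first would make that obvious to the reader.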
--- a/include/linux/vfio.h
+++ b/include/linux/vfio.h
@@ -94,6 +94,8 @@ extern void vfio_unregister_iommu_driver
*/
extern struct vfio_group *vfio_group_get_external_user(struct file *filep);
extern void vfio_group_put_external_user(struct vfio_group *group);
+extern bool vfio_external_group_match_file(struct vfio_group *group,
+ struct file *filep);
extern int vfio_external_user_iommu_id(struct vfio_group *group);
extern long vfio_external_check_extension(struct vfio_group *group,
unsigned long arg);
--- a/virt/kvm/vfio.c
+++ b/virt/kvm/vfio.c
@@ -46,6 +46,22 @@ static struct vfio_group *kvm_vfio_group
return vfio_group;
}
+static bool kvm_vfio_external_group_match_file(struct vfio_group *group,
+ struct file *filep)
+{
+ bool ret, (*fn)(struct vfio_group *, struct file *);
+
+ fn = symbol_get(vfio_external_group_match_file);
+ if (!fn)
+ return false;
+
+ ret = fn(group, filep);
+
+ symbol_put(vfio_external_group_match_file);
+
+ return ret;
+}
+
static void kvm_vfio_group_put_external_user(struct vfio_group *vfio_group)
{
void (*fn)(struct vfio_group *);
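Review bot: kvm_vfio_external_group_match_file() returns false when symbol_get() fails, which the caller cannot tell apart from a real mismatch. In the delete path that turns a missing vfio symbol into "no such group"; if that is intentional, a one-line comment at the "if (!fn)" test should say so. The declaration "bool ret, (*fn)(struct vfio_group *, struct file *);" mixes a value and a function pointer in one statement and is easier to read split into two.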
@@ -168,18 +184,13 @@ static int kvm_vfio_set_group(struct kvm
if (!f.file)
return -EBADF;
- vfio_group = kvm_vfio_group_get_external_user(f.file);
- fdput(f);
-
- if (IS_ERR(vfio_group))
- return PTR_ERR(vfio_group);
-
ret = -ENOENT;
mutex_lock(&kv->lock);
list_for_each_entry(kvg, &kv->group_list, node) {
- if (kvg->vfio_group != vfio_group)
+ if (!kvm_vfio_external_group_match_file(kvg->vfio_group,
+ f.file))
continue;
list_del(&kvg->node);
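Review bot: with the kvm_vfio_group_get_external_user() call and its IS_ERR() return removed, a file descriptor that is not a vfio group now falls through the list walk and returns -ENOENT instead of the PTR_ERR() value it returned before. That is a userspace-visible errno change for the delete path and deserves a line in the changelog. f.file must now stay valid for the whole list_for_each_entry() walk, which the fdput(f) moved to after mutex_unlock() provides; make sure no early return is ever added between the "if (!f.file)" check and that point.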
@@ -191,7 +202,7 @@ static int kvm_vfio_set_group(struct kvm
mutex_unlock(&kv->lock);
- kvm_vfio_group_put_external_user(vfio_group);
+ fdput(f);
kvm_vfio_update_coherency(dev);
* [PATCH 3.16 086/192] parisc: DMA API: return error instead of BUG_ON for dma ops on non dma devs
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Thomas Bogendoerfer, Helge Deller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
commit 33f9e02495d15a061f0c94ef46f5103a2d0c20f3 upstream.
Enabling parport pc driver on a B2600 (and probably other 64bit PARISC
systems) produced following BUG:
CPU: 0 PID: 1 Comm: swapper Not tainted 4.12.0-rc5-30198-g1132d5e #156
task: 000000009e050000 task.stack: 000000009e04c000
YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
PSW: 00001000000001101111111100001111 Not tainted
r00-03 000000ff0806ff0f 000000009e04c990 0000000040871b78 000000009e04cac0
r04-07 0000000040c14de0 ffffffffffffffff 000000009e07f098 000000009d82d200
r08-11 000000009d82d210 0000000000000378 0000000000000000 0000000040c345e0
r12-15 0000000000000005 0000000040c345e0 0000000000000000 0000000040c9d5e0
r16-19 0000000040c345e0 00000000f00001c4 00000000f00001bc 0000000000000061
r20-23 000000009e04ce28 0000000000000010 0000000000000010 0000000040b89e40
r24-27 0000000000000003 0000000000ffffff 000000009d82d210 0000000040c14de0
r28-31 0000000000000000 000000009e04ca90 000000009e04cb40 0000000000000000
sr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000000000
sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000
IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000404aece0 00000000404aece4
IIR: 03ffe01f ISR: 0000000010340000 IOR: 000001781304cac8
CPU: 0 CR30: 000000009e04c000 CR31: 00000000e2976de2
ORIG_R28: 0000000000000200
IAOQ[0]: sba_dma_supported+0x80/0xd0
IAOQ[1]: sba_dma_supported+0x84/0xd0
RP(r2): parport_pc_probe_port+0x178/0x1200
Cause is a call to dma_coerce_mask_and_coherent in parport_pc_probe_port,
which PARISC DMA API doesn't handle very nicely. This commit gives back
DMA_ERROR_CODE for DMA API calls, if device isn't capable of DMA
transaction.
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/parisc/include/asm/dma-mapping.h | 11 +++++++----
drivers/parisc/ccio-dma.c | 12 ++++++++++++
drivers/parisc/dino.c | 5 ++++-
drivers/parisc/lba_pci.c | 6 ++++--
drivers/parisc/sba_iommu.c | 14 ++++++++++++++
5 files changed, 41 insertions(+), 7 deletions(-)
--- a/arch/parisc/include/asm/dma-mapping.h
+++ b/arch/parisc/include/asm/dma-mapping.h
@@ -39,6 +39,8 @@ struct hppa_dma_ops {
** flush/purge and allocate "regular" cacheable pages for everything.
*/
+#define DMA_ERROR_CODE (~(dma_addr_t)0)
+
#ifdef CONFIG_PA11
extern struct hppa_dma_ops pcxl_dma_ops;
extern struct hppa_dma_ops pcx_dma_ops;
@@ -209,12 +211,13 @@ parisc_walk_tree(struct device *dev)
break;
}
}
- BUG_ON(!dev->platform_data);
return dev->platform_data;
}
-
-#define GET_IOC(dev) (HBA_DATA(parisc_walk_tree(dev))->iommu)
-
+
+#define GET_IOC(dev) ({ \
+ void *__pdata = parisc_walk_tree(dev); \
+ __pdata ? HBA_DATA(__pdata)->iommu : NULL; \
+})
#ifdef CONFIG_IOMMU_CCIO
struct parisc_device;
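Review bot: GET_IOC() can now evaluate to NULL, which changes the contract for every user of the macro, not only the call sites touched in this patch; add a comment on the macro saying that callers must check the result. The hunk also replaces one blank line with another above the macro and drops the blank line before "#ifdef CONFIG_IOMMU_CCIO", which looks like whitespace churn (possibly a line with trailing whitespace) and is better left out of a stable backport.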
--- a/drivers/parisc/ccio-dma.c
+++ b/drivers/parisc/ccio-dma.c
@@ -743,6 +743,8 @@ ccio_map_single(struct device *dev, void
BUG_ON(!dev);
ioc = GET_IOC(dev);
+ if (!ioc)
+ return DMA_ERROR_CODE;
BUG_ON(size <= 0);
@@ -807,6 +809,10 @@ ccio_unmap_single(struct device *dev, dm
BUG_ON(!dev);
ioc = GET_IOC(dev);
+ if (!ioc) {
+ WARN_ON(!ioc);
+ return;
+ }
DBG_RUN("%s() iovp 0x%lx/%x\n",
__func__, (long)iova, size);
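Review bot: in ccio_unmap_single() the sequence "if (!ioc) { WARN_ON(!ioc); return; }" tests the same condition twice. WARN_ON() evaluates to its condition, so "if (WARN_ON(!ioc)) return;" does the same in one line; the same form fits the other unmap paths this patch touches in ccio-dma.c and sba_iommu.c.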
@@ -910,6 +916,8 @@ ccio_map_sg(struct device *dev, struct s
BUG_ON(!dev);
ioc = GET_IOC(dev);
+ if (!ioc)
+ return 0;
DBG_RUN_SG("%s() START %d entries\n", __func__, nents);
@@ -982,6 +990,10 @@ ccio_unmap_sg(struct device *dev, struct
BUG_ON(!dev);
ioc = GET_IOC(dev);
+ if (!ioc) {
+ WARN_ON(!ioc);
+ return;
+ }
DBG_RUN_SG("%s() START %d entries, %08lx,%x\n",
__func__, nents, sg_virt_addr(sglist), sglist->length);
--- a/drivers/parisc/dino.c
+++ b/drivers/parisc/dino.c
@@ -154,7 +154,10 @@ struct dino_device
};
/* Looks nice and keeps the compiler happy */
-#define DINO_DEV(d) ((struct dino_device *) d)
+#define DINO_DEV(d) ({ \
+ void *__pdata = d; \
+ BUG_ON(!__pdata); \
+ (struct dino_device *)__pdata; })
/*
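Review bot: DINO_DEV() gains a BUG_ON(!__pdata), so the BUG_ON() removed from parisc_walk_tree() is relocated rather than dropped for Dino, while the subject line promises an error return instead of BUG_ON. The changelog should say why a NULL here is still treated as fatal. The retained comment "Looks nice and keeps the compiler happy" also no longer describes a macro that can halt the machine.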
--- a/drivers/parisc/lba_pci.c
+++ b/drivers/parisc/lba_pci.c
@@ -111,8 +111,10 @@ static u32 lba_t32;
/* Looks nice and keeps the compiler happy */
-#define LBA_DEV(d) ((struct lba_device *) (d))
-
+#define LBA_DEV(d) ({ \
+ void *__pdata = d; \
+ BUG_ON(!__pdata); \
+ (struct lba_device *)__pdata; })
/*
** Only allow 8 subsidiary busses per LBA
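Review bot: LBA_DEV() previously cast "(d)" with the argument parenthesized; the new body assigns "void *__pdata = d;" without parentheses, which is a step back in macro hygiene even if current callers only pass simple expressions. Keep "(d)". The hunk also removes the blank line between the macro and the following comment block.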
--- a/drivers/parisc/sba_iommu.c
+++ b/drivers/parisc/sba_iommu.c
@@ -691,6 +691,8 @@ static int sba_dma_supported( struct dev
return 0;
ioc = GET_IOC(dev);
+ if (!ioc)
+ return 0;
/*
* check if mask is >= than the current max IO Virt Address
@@ -722,6 +724,8 @@ sba_map_single(struct device *dev, void
int pide;
ioc = GET_IOC(dev);
+ if (!ioc)
+ return DMA_ERROR_CODE;
/* save offset bits */
offset = ((dma_addr_t) (long) addr) & ~IOVP_MASK;
@@ -803,6 +807,10 @@ sba_unmap_single(struct device *dev, dma
DBG_RUN("%s() iovp 0x%lx/%x\n", __func__, (long) iova, size);
ioc = GET_IOC(dev);
+ if (!ioc) {
+ WARN_ON(!ioc);
+ return;
+ }
offset = iova & ~IOVP_MASK;
iova ^= offset; /* clear offset bits */
size += offset;
@@ -942,6 +950,8 @@ sba_map_sg(struct device *dev, struct sc
DBG_RUN_SG("%s() START %d entries\n", __func__, nents);
ioc = GET_IOC(dev);
+ if (!ioc)
+ return 0;
/* Fast path single entry scatterlists. */
if (nents == 1) {
@@ -1028,6 +1038,10 @@ sba_unmap_sg(struct device *dev, struct
__func__, nents, sg_virt_addr(sglist), sglist->length);
ioc = GET_IOC(dev);
+ if (!ioc) {
+ WARN_ON(!ioc);
+ return;
+ }
#ifdef SBA_COLLECT_STATS
ioc->usg_calls++;
* [PATCH 3.16 033/192] md: don't use flush_signals in userspace processes
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, NeilBrown, Shaohua Li, Mikulas Patocka
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit f9c79bc05a2a91f4fba8bfd653579e066714b1ec upstream.
The function flush_signals clears all pending signals for the process. It
may be used by kernel threads when we need to prepare a kernel thread for
responding to signals. However using this function for userspace
processes is incorrect - clearing signals without the program expecting it
can cause misbehavior.
The raid1 and raid5 code uses flush_signals in its request routine because
it wants to prepare for an interruptible wait. This patch drops
flush_signals and uses sigprocmask instead to block all signals (including
SIGKILL) around the schedule() call. The signals are not lost, but the
schedule() call won't respond to them.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: NeilBrown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/md/raid1.c | 5 ++++-
drivers/md/raid5.c | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1122,13 +1122,16 @@ static void make_request(struct mddev *m
*/
DEFINE_WAIT(w);
for (;;) {
- flush_signals(current);
+ sigset_t full, old;
prepare_to_wait(&conf->wait_barrier,
&w, TASK_INTERRUPTIBLE);
if (bio_end_sector(bio) <= mddev->suspend_lo ||
bio->bi_iter.bi_sector >= mddev->suspend_hi)
break;
+ sigfillset(&full);
+ sigprocmask(SIG_BLOCK, &full, &old);
schedule();
+ sigprocmask(SIG_SETMASK, &old, NULL);
}
finish_wait(&conf->wait_barrier, &w);
}
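Review bot: blocking every signal around schedule() in the raid1 make_request() loop makes this wait effectively uninterruptible even though prepare_to_wait() still passes TASK_INTERRUPTIBLE, so the task cannot be killed while the I/O falls inside the suspended range. Add a comment above sigfillset() explaining why the mask is used instead of flush_signals() and why TASK_INTERRUPTIBLE is kept.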
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -4721,12 +4721,15 @@ static void make_request(struct mddev *m
* userspace, we want an interruptible
* wait.
*/
- flush_signals(current);
prepare_to_wait(&conf->wait_for_overlap,
&w, TASK_INTERRUPTIBLE);
if (logical_sector >= mddev->suspend_lo &&
logical_sector < mddev->suspend_hi) {
+ sigset_t full, old;
+ sigfillset(&full);
+ sigprocmask(SIG_BLOCK, &full, &old);
schedule();
+ sigprocmask(SIG_SETMASK, &old, NULL);
do_prepare = true;
}
goto retry;
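Review bot: the retained comment just above this change still says "we want an interruptible wait", but with all signals blocked around schedule() the wait no longer responds to signals. Update the comment to describe the new behaviour. The sigfillset(), sigprocmask(), schedule(), sigprocmask() sequence is now duplicated between raid1.c and raid5.c; a shared helper would keep the two in step.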
^ permalink raw reply [flat|nested] 196+ messages in thread
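A userspace analogue of the distinction the md changelog above draws, as an added example (not code from the patch or the kernel): a signal that arrives while the mask is blocked stays pending and is delivered once the mask is restored, whereas discarding pending signals loses it. The function names are hypothetical, and setting SIGUSR1 to SIG_IGN is used here only as a userspace stand-in for flush_signals(); unlike the in-kernel sigprocmask() the changelog describes, the userspace call cannot block SIGKILL.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t delivered;	/* SIGUSR1 handler invocations */

static void on_usr1(int sig)
{
	(void)sig;
	delivered++;
}

/* Install fn as the SIGUSR1 disposition; optionally return the old one. */
static int set_action(void (*fn)(int), struct sigaction *old)
{
	struct sigaction sa;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = fn;
	sigemptyset(&sa.sa_mask);
	return sigaction(SIGUSR1, &sa, old);
}

/*
 * Simulate one "wait" during which SIGUSR1 arrives.
 *   discard_pending == 0: block all signals, wait, restore the mask
 *                         (the pattern the patch switches to).
 *   discard_pending == 1: throw the pending signal away before resuming
 *                         (stand-in for flush_signals(), an assumption of
 *                         this demo).
 * Returns how many times the handler ran once the mask was restored,
 * or -1 if setup failed.
 */
int deliveries_after_wait(int discard_pending)
{
	struct sigaction old_sa;
	sigset_t usr1, orig, full, old;
	int n;

	/* Make sure SIGUSR1 is deliverable before the experiment starts. */
	sigemptyset(&usr1);
	sigaddset(&usr1, SIGUSR1);
	if (sigprocmask(SIG_UNBLOCK, &usr1, &orig) != 0)
		return -1;
	if (set_action(on_usr1, &old_sa) != 0) {
		sigprocmask(SIG_SETMASK, &orig, NULL);
		return -1;
	}
	delivered = 0;

	sigfillset(&full);
	sigprocmask(SIG_BLOCK, &full, &old);
	raise(SIGUSR1);			/* arrives "during the wait" */
	if (discard_pending) {
		/* POSIX: setting SIG_IGN discards a pending instance. */
		set_action(SIG_IGN, NULL);
		set_action(on_usr1, NULL);
	}
	sigprocmask(SIG_SETMASK, &old, NULL);	/* pending signal delivered here */
	n = delivered;

	sigaction(SIGUSR1, &old_sa, NULL);
	sigprocmask(SIG_SETMASK, &orig, NULL);
	return n;
}

/* Returns 1 if SIGKILL ends up in the mask after blocking a full set. */
int sigkill_blocked_after_fill(void)
{
	sigset_t full, old, cur;
	int blocked;

	sigfillset(&full);
	sigprocmask(SIG_BLOCK, &full, &old);
	sigprocmask(SIG_BLOCK, NULL, &cur);	/* read back the effective mask */
	blocked = sigismember(&cur, SIGKILL);
	sigprocmask(SIG_SETMASK, &old, NULL);
	return blocked;
}

int main(void)
{
	printf("block + restore: %d delivery\n", deliveries_after_wait(0));
	printf("discard pending: %d deliveries\n", deliveries_after_wait(1));
	printf("SIGKILL blocked from userspace: %d\n",
	       sigkill_blocked_after_fill());
	return 0;
}
```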
* [PATCH 3.16 029/192] vxlan: dont migrate permanent fdb entries during learn
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Roopa Prabhu, David S. Miller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Roopa Prabhu <roopa@cumulusnetworks.com>
commit e0090a9e979de5202c7d16c635dea2f005221073 upstream.
This patch fixes vxlan_snoop to not move permanent fdb entries
on learn events. This is consistent with the bridge fdb
handling of permanent entries.
Fixes: 26a41ae60438 ("vxlan: only migrate dynamic FDB entries")
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/vxlan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -991,7 +991,7 @@ static bool vxlan_snoop(struct net_devic
return false;
/* Don't migrate static entries, drop packets */
- if (f->state & NUD_NOARP)
+ if (f->state & (NUD_PERMANENT | NUD_NOARP))
return true;
if (net_ratelimit())
* [PATCH 3.16 093/192] CIFS: fix circular locking dependency
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Steve French, Rabin Vincent, Pavel Shilovsky
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Rabin Vincent <rabinv@axis.com>
commit 966681c9f029afd5decee069b7658bb58ad0a863 upstream.
When a CIFS filesystem is mounted with the forcemand option and the
following command is run on it, lockdep warns about a circular locking
dependency between CifsInodeInfo::lock_sem and the inode lock.
while echo foo > hello; do :; done & while touch -c hello; do :; done
cifs_writev() takes the locks in the wrong order, but note that we can't
only flip the order around because it releases the inode lock before the
call to generic_write_sync() while it holds the lock_sem across that
call.
But, AFAICS, there is no need to hold the CifsInodeInfo::lock_sem across
the generic_write_sync() call either, so we can release both the locks
before generic_write_sync(), and change the order.
======================================================
WARNING: possible circular locking dependency detected
4.12.0-rc7+ #9 Not tainted
------------------------------------------------------
touch/487 is trying to acquire lock:
(&cifsi->lock_sem){++++..}, at: cifsFileInfo_put+0x88f/0x16a0
but task is already holding lock:
(&sb->s_type->i_mutex_key#11){+.+.+.}, at: utimes_common+0x3ad/0x870
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&sb->s_type->i_mutex_key#11){+.+.+.}:
__lock_acquire+0x1f74/0x38f0
lock_acquire+0x1cc/0x600
down_write+0x74/0x110
cifs_strict_writev+0x3cb/0x8c0
__vfs_write+0x4c1/0x930
vfs_write+0x14c/0x2d0
SyS_write+0xf7/0x240
entry_SYSCALL_64_fastpath+0x1f/0xbe
-> #0 (&cifsi->lock_sem){++++..}:
check_prevs_add+0xfa0/0x1d10
__lock_acquire+0x1f74/0x38f0
lock_acquire+0x1cc/0x600
down_write+0x74/0x110
cifsFileInfo_put+0x88f/0x16a0
cifs_setattr+0x992/0x1680
notify_change+0x61a/0xa80
utimes_common+0x3d4/0x870
do_utimes+0x1c1/0x220
SyS_utimensat+0x84/0x1a0
entry_SYSCALL_64_fastpath+0x1f/0xbe
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&sb->s_type->i_mutex_key#11);
lock(&cifsi->lock_sem);
lock(&sb->s_type->i_mutex_key#11);
lock(&cifsi->lock_sem);
*** DEADLOCK ***
2 locks held by touch/487:
#0: (sb_writers#10){.+.+.+}, at: mnt_want_write+0x41/0xb0
#1: (&sb->s_type->i_mutex_key#11){+.+.+.}, at: utimes_common+0x3ad/0x870
stack backtrace:
CPU: 0 PID: 487 Comm: touch Not tainted 4.12.0-rc7+ #9
Call Trace:
dump_stack+0xdb/0x185
print_circular_bug+0x45b/0x790
__lock_acquire+0x1f74/0x38f0
lock_acquire+0x1cc/0x600
down_write+0x74/0x110
cifsFileInfo_put+0x88f/0x16a0
cifs_setattr+0x992/0x1680
notify_change+0x61a/0xa80
utimes_common+0x3d4/0x870
do_utimes+0x1c1/0x220
SyS_utimensat+0x84/0x1a0
entry_SYSCALL_64_fastpath+0x1f/0xbe
Fixes: 19dfc1f5f2ef03a52 ("cifs: fix the race in cifs_writev()")
Signed-off-by: Rabin Vincent <rabinv@axis.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
[bwh: Backported to 3.16:
- Keep using mutex_{,un}lock()
- Update both branches of if (!cifs_find_lock_conflict(...))]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -2593,18 +2593,19 @@ cifs_writev(struct kiocb *iocb, struct i
ssize_t rc = -EACCES;
loff_t lock_pos = iocb->ki_pos;
+ mutex_lock(&inode->i_mutex);
/*
* We need to hold the sem to be sure nobody modifies lock list
* with a brlock that prevents writing.
*/
down_read(&cinode->lock_sem);
- mutex_lock(&inode->i_mutex);
if (file->f_flags & O_APPEND)
lock_pos = i_size_read(inode);
if (!cifs_find_lock_conflict(cfile, lock_pos, iov_iter_count(from),
server->vals->exclusive_lock_type, NULL,
CIFS_WRITE_OP)) {
rc = __generic_file_write_iter(iocb, from);
+ up_read(&cinode->lock_sem);
mutex_unlock(&inode->i_mutex);
if (rc > 0) {
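Review bot: the new order in cifs_writev() (inode->i_mutex first, then cinode->lock_sem) is the rule the lockdep report calls for, but nothing in the code records it. Extend the existing comment above down_read() to state that lock_sem nests inside i_mutex, so the next change to this function does not reintroduce the inversion.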
@@ -2615,9 +2616,9 @@ cifs_writev(struct kiocb *iocb, struct i
rc = err;
}
} else {
+ up_read(&cinode->lock_sem);
mutex_unlock(&inode->i_mutex);
}
- up_read(&cinode->lock_sem);
return rc;
}
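Review bot: after this change both branches of the if end with the same up_read(&cinode->lock_sem); mutex_unlock(&inode->i_mutex); pair. Call __generic_file_write_iter() under the condition, release both locks once after the if, and run the "rc > 0" sync step afterwards, so there is a single unlock site and the release order cannot diverge between the two paths.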
* [PATCH 3.16 040/192] crypto: talitos - Extend max key length for SHA384/512-HMAC and AEAD
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Martin Hicks, Horia Geantă, Herbert Xu
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Martin Hicks <mort@bork.org>
commit 03d2c5114c95797c0aa7d9f463348b171a274fd4 upstream.
An updated patch that also handles the additional key length requirements
for the AEAD algorithms.
The max keysize is not 96. For SHA384/512 it's 128, and for the AEAD
algorithms it's longer still. Extend the max keysize for the
AEAD size for AES256 + HMAC(SHA512).
Fixes: 357fb60502ede ("crypto: talitos - add sha224, sha384 and sha512 to existing AEAD algorithms")
Signed-off-by: Martin Hicks <mort@bork.org>
Acked-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/crypto/talitos.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -634,7 +634,7 @@ static void talitos_unregister_rng(struc
* crypto alg
*/
#define TALITOS_CRA_PRIORITY 3000
-#define TALITOS_MAX_KEY_SIZE 96
+#define TALITOS_MAX_KEY_SIZE (AES_MAX_KEY_SIZE + SHA512_BLOCK_SIZE)
#define TALITOS_MAX_IV_LENGTH 16 /* max of AES_BLOCK_SIZE, DES3_EDE_BLOCK_SIZE */
#define MD5_BLOCK_SIZE 64
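Review bot: The new TALITOS_MAX_KEY_SIZE definition has no comment saying what the sum stands for, unlike TALITOS_MAX_IV_LENGTH on the next line; a short note that it covers the AES256 + HMAC(SHA512) AEAD case named in the commit message would make the bound checkable. It also depends on AES_MAX_KEY_SIZE and SHA512_BLOCK_SIZE being visible at this point in talitos.c, while MD5_BLOCK_SIZE is defined locally just below, so please confirm the 3.16 file includes the headers that provide both.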
@@ -1324,6 +1324,11 @@ static int ablkcipher_setkey(struct cryp
{
struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher);
+ if (keylen > TALITOS_MAX_KEY_SIZE) {
+ crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ return -EINVAL;
+ }
+
memcpy(&ctx->key, key, keylen);
ctx->keylen = keylen;
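Review bot: Only ablkcipher_setkey() gains a keylen check in this patch, yet the commit message is about the SHA384/512-HMAC and AEAD key lengths. The setkey paths for those algorithms are not in the diff, so please confirm each of them also rejects keylen > TALITOS_MAX_KEY_SIZE before copying into ctx->key. In this function the check sits correctly ahead of the memcpy().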
* [PATCH 3.16 064/192] vfio: Fix group release deadlock
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (70 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 040/192] crypto: talitos - Extend max key length for SHA384/512-HMAC and AEAD Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 082/192] ipv6: always add flag an address that failed DAD with DADFAILED Ben Hutchings
` (120 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric Auger, Alex Williamson
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@redhat.com>
commit 811642d8d8a82c0cce8dc2debfdaf23c5a144839 upstream.
If vfio_iommu_group_notifier() acquires a group reference and that
reference becomes the last reference to the group, then vfio_group_put
introduces a deadlock code path where we're trying to unregister from
the iommu notifier chain from within a callout of that chain. Use a
work_struct to release this reference asynchronously.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/vfio/vfio.c | 37 ++++++++++++++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
--- a/drivers/vfio/vfio.c
+++ b/drivers/vfio/vfio.c
@@ -278,6 +278,34 @@ static void vfio_group_put(struct vfio_g
kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock);
}
+struct vfio_group_put_work {
+ struct work_struct work;
+ struct vfio_group *group;
+};
+
+static void vfio_group_put_bg(struct work_struct *work)
+{
+ struct vfio_group_put_work *do_work;
+
+ do_work = container_of(work, struct vfio_group_put_work, work);
+
+ vfio_group_put(do_work->group);
+ kfree(do_work);
+}
+
+static void vfio_group_schedule_put(struct vfio_group *group)
+{
+ struct vfio_group_put_work *do_work;
+
+ do_work = kmalloc(sizeof(*do_work), GFP_KERNEL);
+ if (WARN_ON(!do_work))
+ return;
+
+ INIT_WORK(&do_work->work, vfio_group_put_bg);
+ do_work->group = group;
+ schedule_work(&do_work->work);
+}
+
/* Assume group_lock or group reference is held */
static void vfio_group_get(struct vfio_group *group)
{
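Review bot: In vfio_group_schedule_put(), when kmalloc() fails the function returns after WARN_ON() without ever calling vfio_group_put(), so the reference held by the caller is leaked and the group can never be released. Please either say next to the `if (WARN_ON(!do_work))` line that this is the accepted trade-off, or find a way to drop the reference that does not need an allocation.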
@@ -553,7 +581,14 @@ static int vfio_iommu_group_notifier(str
break;
}
- vfio_group_put(group);
+ /*
+ * If we're the last reference to the group, the group will be
+ * released, which includes unregistering the iommu group notifier.
+ * We hold a read-lock on that notifier list, unregistering needs
+ * a write-lock... deadlock. Release our reference asynchronously
+ * to avoid that situation.
+ */
+ vfio_group_schedule_put(group);
return NOTIFY_OK;
}
* [PATCH 3.16 082/192] ipv6: always add flag an address that failed DAD with DADFAILED
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (71 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 064/192] vfio: Fix group release deadlock Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 008/192] pinctrl: imx: fix debug message for SHARE_MUX_CONF_REG case Ben Hutchings
` (119 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Hannes Frederic Sowa, David S. Miller, Lubomir Rintel
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lubomir Rintel <lkundrak@v3.sk>
commit 3d171f3907329d4b1ce31d5ec9c852c5f0269578 upstream.
The userspace needs to know why the address is being removed so that it can
perhaps obtain a new address.
Without the DADFAILED flag it's impossible to distinguish removal of a
temporary and tentative address due to DAD failure from other reasons (device
removed, manual address removal).
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv6/addrconf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1610,12 +1610,13 @@ struct inet6_ifaddr *ipv6_get_ifaddr(str
static void addrconf_dad_stop(struct inet6_ifaddr *ifp, int dad_failed)
{
+ if (dad_failed)
+ ifp->flags |= IFA_F_DADFAILED;
+
if (ifp->flags&IFA_F_PERMANENT) {
spin_lock_bh(&ifp->lock);
addrconf_del_dad_work(ifp);
ifp->flags |= IFA_F_TENTATIVE;
- if (dad_failed)
- ifp->flags |= IFA_F_DADFAILED;
spin_unlock_bh(&ifp->lock);
if (dad_failed)
ipv6_ifa_notify(0, ifp);
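Review bot: The `ifp->flags |= IFA_F_DADFAILED` at the top of addrconf_dad_stop() now runs without ifp->lock, whereas the lines it replaces set the flag between spin_lock_bh(&ifp->lock) and spin_unlock_bh(&ifp->lock), and the IFA_F_TENTATIVE update just below is still done under that lock. An unlocked read-modify-write of ifp->flags can lose a concurrent update, so consider wrapping the new assignment in spin_lock_bh()/spin_unlock_bh() as well.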
* [PATCH 3.16 008/192] pinctrl: imx: fix debug message for SHARE_MUX_CONF_REG case
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (72 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 082/192] ipv6: always add flag an address that failed DAD with DADFAILED Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 118/192] ext2: preserve i_mode if ext2_set_acl() fails Ben Hutchings
` (118 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dong Aisheng, Shawn Guo, Linus Walleij
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dong Aisheng <aisheng.dong@nxp.com>
commit 66b54e3a5a64925d9819eae86b8f36e90e60037f upstream.
The original implemented debug message does not work for
SHARE_MUX_CONF_REG case. This patch fixes it.
Fixes: bf5a530971af ("pinctrl: imx: add VF610 support to imx pinctrl framework")
Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>
Acked-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/pinctrl/pinctrl-imx.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/pinctrl/pinctrl-imx.c
+++ b/drivers/pinctrl/pinctrl-imx.c
@@ -216,11 +216,13 @@ static int imx_pmx_enable(struct pinctrl
reg &= ~(0x7 << 20);
reg |= (pin->mux_mode << 20);
writel(reg, ipctl->base + pin_reg->mux_reg);
+ dev_dbg(ipctl->dev, "write: offset 0x%x val 0x%x\n",
+ pin_reg->mux_reg, reg);
} else {
writel(pin->mux_mode, ipctl->base + pin_reg->mux_reg);
+ dev_dbg(ipctl->dev, "write: offset 0x%x val 0x%x\n",
+ pin_reg->mux_reg, pin->mux_mode);
}
- dev_dbg(ipctl->dev, "write: offset 0x%x val 0x%x\n",
- pin_reg->mux_reg, pin->mux_mode);
/*
* If the select input value begins with 0xff, it's a quirky
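Review bot: The dev_dbg() call is now duplicated in both branches of imx_pmx_enable() with only the value argument differing. Keeping the written value in a local and logging once after the if/else would still print what was actually written, without two copies of the format string.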
@@ -347,11 +349,13 @@ static int imx_pinconf_set(struct pinctr
reg &= ~0xffff;
reg |= configs[i];
writel(reg, ipctl->base + pin_reg->conf_reg);
+ dev_dbg(ipctl->dev, "write: offset 0x%x val 0x%x\n",
+ pin_reg->conf_reg, reg);
} else {
writel(configs[i], ipctl->base + pin_reg->conf_reg);
+ dev_dbg(ipctl->dev, "write: offset 0x%x val 0x%lx\n",
+ pin_reg->conf_reg, configs[i]);
}
- dev_dbg(ipctl->dev, "write: offset 0x%x val 0x%lx\n",
- pin_reg->conf_reg, configs[i]);
} /* for each config */
return 0;
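Review bot: In imx_pinconf_set() the two new dev_dbg() calls use different conversions, 0x%x for `reg` and 0x%lx for `configs[i]`. That is right only if `reg` is a 32-bit value, and its declaration is outside the visible context, so please check it against the format to avoid a format warning.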
* [PATCH 3.16 118/192] ext2: preserve i_mode if ext2_set_acl() fails
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (73 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 008/192] pinctrl: imx: fix debug message for SHARE_MUX_CONF_REG case Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 021/192] e1000e: Fix Runtime PM blocks EEE link negotiation in S5 Ben Hutchings
` (117 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Ernesto A. Fernández, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ernesto A. Fernández
<ernesto.mnd.fernandez@gmail.com>
commit fe26569eb9197d845d73abe7dd20f603d79eb031 upstream.
When changing a file's acl mask, ext2_set_acl() will first set the group
bits of i_mode to the value of the mask, and only then set the actual
extended attribute representing the new acl.
If the second part fails (due to lack of space, for example) and the file
had no acl attribute to begin with, the system will from now on assume
that the mask permission bits are actual group permission bits, potentially
granting access to the wrong users.
Prevent this by only changing the inode mode after the acl has been set.
[JK: Rebased on top of "ext2: Don't clear SGID when inheriting ACLs"]
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext2/acl.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -221,15 +221,22 @@ int
ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
{
int error;
+ int update_mode = 0;
+ umode_t mode = inode->i_mode;
if (type == ACL_TYPE_ACCESS && acl) {
- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ error = posix_acl_update_mode(inode, &mode, &acl);
if (error)
return error;
+ update_mode = 1;
+ }
+ error = __ext2_set_acl(inode, acl, type);
+ if (!error && update_mode) {
+ inode->i_mode = mode;
inode->i_ctime = CURRENT_TIME_SEC;
mark_inode_dirty(inode);
}
- return __ext2_set_acl(inode, acl, type);
+ return error;
}
/*
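Review bot: Nothing in ext2_set_acl() explains why the i_mode update is now deferred until after __ext2_set_acl() succeeds, and the `if (!error && update_mode)` block reads like an ordinary tidy-up. Since the commit message describes the old ordering as potentially granting access to the wrong users, a short comment above that block would protect it from being folded back into the posix_acl_update_mode() branch. `update_mode` could also be a bool.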
* [PATCH 3.16 021/192] e1000e: Fix Runtime PM blocks EEE link negotiation in S5
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (74 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 118/192] ext2: preserve i_mode if ext2_set_acl() fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 039/192] NFC: fix broken device allocation Ben Hutchings
` (116 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Ertman, Jeff Kirsher, Aaron Brown
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Ertman <david.m.ertman@intel.com>
commit 2a7e19af94104b270d675c52bba2ca1bc20efa70 upstream.
Adding a function, and associated calls, to flush writes to (read) the LPIC
MAC register before entering the shutdown flow. This fixes the problem
of the PHY never negotiating a 100M link (if both sides of the link support
EEE and 100M link) when Runtime PM is enabled.
Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/ethernet/intel/e1000e/netdev.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -6031,6 +6031,28 @@ release:
return retval;
}
+static void e1000e_flush_lpic(struct pci_dev *pdev)
+{
+ struct net_device *netdev = pci_get_drvdata(pdev);
+ struct e1000_adapter *adapter = netdev_priv(netdev);
+ struct e1000_hw *hw = &adapter->hw;
+ u32 ret_val;
+
+ pm_runtime_get_sync(netdev->dev.parent);
+
+ ret_val = hw->phy.ops.acquire(hw);
+ if (ret_val)
+ goto fl_out;
+
+ pr_info("EEE TX LPI TIMER: %08X\n",
+ er32(LPIC) >> E1000_LPIC_LPIET_SHIFT);
+
+ hw->phy.ops.release(hw);
+
+fl_out:
+ pm_runtime_put_sync(netdev->dev.parent);
+}
+
static int e1000e_pm_freeze(struct device *dev)
{
struct net_device *netdev = pci_get_drvdata(to_pci_dev(dev));
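Review bot: e1000e_flush_lpic() performs the LPIC read inside pr_info(), so every suspend and shutdown now logs an "EEE TX LPI TIMER" line at info level although the commit message says the read is there to flush writes. A plain er32(LPIC) with a comment, or a debug-level message, would keep the flush without the log noise. `ret_val` is declared u32 but only carries the acquire() status, so consider matching its type to what hw->phy.ops.acquire() returns, and the pm_runtime_get_sync() result is ignored.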
@@ -6331,6 +6353,8 @@ static int e1000e_pm_suspend(struct devi
{
struct pci_dev *pdev = to_pci_dev(dev);
+ e1000e_flush_lpic(pdev);
+
e1000e_pm_freeze(dev);
return __e1000_shutdown(pdev, false);
@@ -6409,6 +6433,8 @@ static int e1000e_pm_runtime_suspend(str
static void e1000_shutdown(struct pci_dev *pdev)
{
+ e1000e_flush_lpic(pdev);
+
e1000e_pm_freeze(&pdev->dev);
__e1000_shutdown(pdev, false);
* [PATCH 3.16 039/192] NFC: fix broken device allocation
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (75 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 021/192] e1000e: Fix Runtime PM blocks EEE link negotiation in S5 Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 090/192] net: reflect mark on tcp syn ack packets Ben Hutchings
` (115 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Samuel Ortiz, Johan Hovold
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 20777bc57c346b6994f465e0d8261a7fbf213a09 upstream.
Commit 7eda8b8e9677 ("NFC: Use IDR library to assing NFC devices IDs")
moved device-id allocation and struct-device initialisation from
nfc_allocate_device() to nfc_register_device().
This broke just about every nfc-device-registration error path, which
continue to call nfc_free_device() that tries to put the device
reference of the now uninitialised (but zeroed) struct device:
kobject: '(null)' (ce316420): is not initialized, yet kobject_put() is being called.
The late struct-device initialisation also meant that various work
queues whose names are derived from the nfc device name were also
misnamed:
421 root 0 SW< [(null)_nci_cmd_]
422 root 0 SW< [(null)_nci_rx_w]
423 root 0 SW< [(null)_nci_tx_w]
Move the id-allocation and struct-device initialisation back to
nfc_allocate_device() and fix up the single call site which did not use
nfc_free_device() in its error path.
Fixes: 7eda8b8e9677 ("NFC: Use IDR library to assing NFC devices IDs")
Cc: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
[bwh: Backported to 3.16: drop change in nci_allocate_device()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -950,6 +950,8 @@ static void nfc_release(struct device *d
kfree(se);
}
+ ida_simple_remove(&nfc_index_ida, dev->idx);
+
kfree(dev);
}
@@ -1024,6 +1026,7 @@ struct nfc_dev *nfc_allocate_device(stru
int tx_headroom, int tx_tailroom)
{
struct nfc_dev *dev;
+ int rc;
if (!ops->start_poll || !ops->stop_poll || !ops->activate_target ||
!ops->deactivate_target || !ops->im_transceive)
@@ -1036,6 +1039,15 @@ struct nfc_dev *nfc_allocate_device(stru
if (!dev)
return NULL;
+ rc = ida_simple_get(&nfc_index_ida, 0, 0, GFP_KERNEL);
+ if (rc < 0)
+ goto err_free_dev;
+ dev->idx = rc;
+
+ dev->dev.class = &nfc_class;
+ dev_set_name(&dev->dev, "nfc%d", dev->idx);
+ device_initialize(&dev->dev);
+
dev->ops = ops;
dev->supported_protocols = supported_protocols;
dev->tx_headroom = tx_headroom;
@@ -1058,6 +1070,11 @@ struct nfc_dev *nfc_allocate_device(stru
}
return dev;
+
+err_free_dev:
+ kfree(dev);
+
+ return ERR_PTR(rc);
}
EXPORT_SYMBOL(nfc_allocate_device);
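Review bot: The new err_free_dev path makes nfc_allocate_device() return ERR_PTR(rc), while the allocation failure earlier in the same function still does `return NULL` after `if (!dev)`. Callers that test the result with a NULL check will treat the ERR_PTR value as a valid device and dereference it, so either return NULL here too or convert every caller to IS_ERR().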
@@ -1072,14 +1089,6 @@ int nfc_register_device(struct nfc_dev *
pr_debug("dev_name=%s\n", dev_name(&dev->dev));
- dev->idx = ida_simple_get(&nfc_index_ida, 0, 0, GFP_KERNEL);
- if (dev->idx < 0)
- return dev->idx;
-
- dev->dev.class = &nfc_class;
- dev_set_name(&dev->dev, "nfc%d", dev->idx);
- device_initialize(&dev->dev);
-
mutex_lock(&nfc_devlist_mutex);
nfc_devlist_generation++;
rc = device_add(&dev->dev);
@@ -1117,12 +1126,10 @@ EXPORT_SYMBOL(nfc_register_device);
*/
void nfc_unregister_device(struct nfc_dev *dev)
{
- int rc, id;
+ int rc;
pr_debug("dev_name=%s\n", dev_name(&dev->dev));
- id = dev->idx;
-
if (dev->rfkill) {
rfkill_unregister(dev->rfkill);
rfkill_destroy(dev->rfkill);
@@ -1147,8 +1154,6 @@ void nfc_unregister_device(struct nfc_de
nfc_devlist_generation++;
device_del(&dev->dev);
mutex_unlock(&nfc_devlist_mutex);
-
- ida_simple_remove(&nfc_index_ida, id);
}
EXPORT_SYMBOL(nfc_unregister_device);
* [PATCH 3.16 090/192] net: reflect mark on tcp syn ack packets
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (76 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 039/192] NFC: fix broken device allocation Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 028/192] iio: magnetometer: st_magn_spi: fix spi_device_id table Ben Hutchings
` (114 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jamal Hadi Salim, David S. Miller, Lorenzo Colitti
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
commit e05a90ec9e1680952454ea9510da9a761a5baac9 upstream.
SYN-ACK responses on a server in response to a SYN from a client
did not get the injected skb mark that was tagged on the SYN packet.
Fixes: 84f39b08d786 ("net: support marking accepting TCP sockets")
Reviewed-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/ip_output.c | 3 ++-
net/ipv4/tcp_output.c | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -158,7 +158,8 @@ int ip_build_and_send_pkt(struct sk_buff
}
skb->priority = sk->sk_priority;
- skb->mark = sk->sk_mark;
+ if (!skb->mark)
+ skb->mark = sk->sk_mark;
/* Send it out. */
return ip_local_out(skb);
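Review bot: `if (!skb->mark)` in ip_build_and_send_pkt() treats a mark of 0 as "not set", so a reply whose skb carries mark 0 still gets sk->sk_mark and the two cases cannot be told apart. If that is intended, a one-line comment saying that callers may pre-set skb->mark and that 0 means "use the socket's mark" would make the convention explicit.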
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2863,6 +2863,7 @@ struct sk_buff *tcp_make_synack(struct s
TCP_ECN_make_synack(req, th);
th->source = htons(ireq->ir_num);
th->dest = ireq->ir_rmt_port;
+ skb->mark = ireq->ir_mark;
/* Setting of flags are superfluous here for callers (and ECE is
* not even correctly set)
*/
* [PATCH 3.16 028/192] iio: magnetometer: st_magn_spi: fix spi_device_id table
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (77 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 090/192] net: reflect mark on tcp syn ack packets Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 116/192] mm: fix overflow check in expand_upwards() Ben Hutchings
` (113 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jonathan Cameron, Lorenzo Bianconi, Lorenzo Bianconi
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
commit c83761ff0aac954aa368c623bb0f0d1a3214e834 upstream.
Remove LSM303DLHC, LSM303DLM from st_magn_id_table since LSM303DL series
does not support spi interface
Fixes: 872e79add756 (iio: magn: Add STMicroelectronics magn driver)
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@st.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iio/magnetometer/st_magn_spi.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/iio/magnetometer/st_magn_spi.c
+++ b/drivers/iio/magnetometer/st_magn_spi.c
@@ -49,8 +49,6 @@ static int st_magn_spi_remove(struct spi
}
static const struct spi_device_id st_magn_id_table[] = {
- { LSM303DLHC_MAGN_DEV_NAME },
- { LSM303DLM_MAGN_DEV_NAME },
{ LIS3MDL_MAGN_DEV_NAME },
{},
};
* [PATCH 3.16 116/192] mm: fix overflow check in expand_upwards()
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (78 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 028/192] iio: magnetometer: st_magn_spi: fix spi_device_id table Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 109/192] powerpc/64: Fix atomic64_inc_not_zero() to return an int Ben Hutchings
` (112 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jörn Engel, Helge Deller, Linus Torvalds,
Oleg Nesterov, Hugh Dickins
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 37511fb5c91db93d8bd6e3f52f86e5a7ff7cfcdf upstream.
Jörn Engel noticed that the expand_upwards() function might not return
-ENOMEM in case the requested address is (unsigned long)-PAGE_SIZE and
if the architecture didn't define TASK_SIZE as a multiple of PAGE_SIZE.
Affected architectures are arm, frv, m68k, blackfin, h8300 and xtensa
which all define TASK_SIZE as 0xffffffff, but since none of those have
an upwards-growing stack we currently have no actual issue.
Nevertheless let's fix this just in case any of the architectures with
an upward-growing stack (currently parisc, metag and partly ia64) define
TASK_SIZE similarly.
Link: http://lkml.kernel.org/r/20170702192452.GA11868@p100.box
Fixes: bd726c90b6b8 ("Allow stack to grow up to address space limit")
Signed-off-by: Helge Deller <deller@gmx.de>
Reported-by: Jörn Engel <joern@purestorage.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/mmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2141,7 +2141,7 @@ int expand_upwards(struct vm_area_struct
/* Guard against exceeding limits of the address space. */
address &= PAGE_MASK;
- if (address >= TASK_SIZE)
+ if (address >= (TASK_SIZE & PAGE_MASK))
return -ENOMEM;
address += PAGE_SIZE;
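Review bot: The comment above the check in expand_upwards() still just says "Guard against exceeding limits of the address space" and does not say why TASK_SIZE is masked, so `TASK_SIZE & PAGE_MASK` looks redundant to a later reader. A sentence noting that TASK_SIZE need not be page aligned (the commit message cites 0xffffffff) and that `address += PAGE_SIZE` on the following line would otherwise wrap would document the case being closed.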
* [PATCH 3.16 109/192] powerpc/64: Fix atomic64_inc_not_zero() to return an int
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (79 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 116/192] mm: fix overflow check in expand_upwards() Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 111/192] Input: i8042 - fix crash at boot time Ben Hutchings
` (111 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Michael Ellerman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
commit 01e6a61aceb82e13bec29502a8eb70d9574f97ad upstream.
Although it's not documented anywhere, there is an expectation that
atomic64_inc_not_zero() returns a result which fits in an int. This is
the behaviour implemented on all arches except powerpc.
This has caused at least one bug in practice, in the percpu-refcount
code, where the long result from our atomic64_inc_not_zero() was
truncated to an int leading to lost references and stuck systems. That
was worked around in that code in commit 966d2b04e070 ("percpu-refcount:
fix reference leak during percpu-atomic transition").
To the best of my grepping abilities there are no other callers
in-tree which truncate the value, but we should fix it anyway. Because
the breakage is subtle and potentially very harmful I'm also tagging
it for stable.
Code generation is largely unaffected because in most cases the
callers are just using the result for a test anyway. In particular the
case of fget() that was mentioned in commit a6cf7ed5119f
("powerpc/atomic: Implement atomic*_inc_not_zero") generates exactly
the same code.
Fixes: a6cf7ed5119f ("powerpc/atomic: Implement atomic*_inc_not_zero")
Noticed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/include/asm/atomic.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/powerpc/include/asm/atomic.h
+++ b/arch/powerpc/include/asm/atomic.h
@@ -497,7 +497,7 @@ static __inline__ int atomic64_add_unles
* Atomically increments @v by 1, so long as @v is non-zero.
* Returns non-zero if @v was non-zero, and zero otherwise.
*/
-static __inline__ long atomic64_inc_not_zero(atomic64_t *v)
+static __inline__ int atomic64_inc_not_zero(atomic64_t *v)
{
long t1, t2;
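Review bot: The comment kept above atomic64_inc_not_zero() says "Returns non-zero if @v was non-zero", which does not state the contract this patch establishes. With the `return t1 != 0` change in the next hunk the function returns exactly 0 or 1, and saying so in the comment would document the int-sized result that the commit message calls an undocumented expectation.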
@@ -516,7 +516,7 @@ static __inline__ long atomic64_inc_not_
: "r" (&v->counter)
: "cc", "xer", "memory");
- return t1;
+ return t1 != 0;
}
#endif /* __powerpc64__ */
* [PATCH 3.16 111/192] Input: i8042 - fix crash at boot time
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (80 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 109/192] powerpc/64: Fix atomic64_inc_not_zero() to return an int Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 098/192] cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE Ben Hutchings
` (110 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Chen Hong
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chen Hong <chenhong3@huawei.com>
commit 340d394a789518018f834ff70f7534fc463d3226 upstream.
The driver checks port->exists twice in i8042_interrupt(), first when
trying to assign temporary "serio" variable, and second time when deciding
whether it should call serio_interrupt(). The value of port->exists may
change between the 2 checks, and we may end up calling serio_interrupt()
with a NULL pointer:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
IP: [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
PGD 0
Oops: 0002 [#1] SMP
last sysfs file:
CPU 0
Modules linked in:
Pid: 1, comm: swapper Not tainted 2.6.32-358.el6.x86_64 #1 QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:[<ffffffff8150feaf>] [<ffffffff8150feaf>] _spin_lock_irqsave+0x1f/0x40
RSP: 0018:ffff880028203cc0 EFLAGS: 00010082
RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000282 RSI: 0000000000000098 RDI: 0000000000000050
RBP: ffff880028203cc0 R08: ffff88013e79c000 R09: ffff880028203ee0
R10: 0000000000000298 R11: 0000000000000282 R12: 0000000000000050
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000098
FS: 0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000050 CR3: 0000000001a85000 CR4: 00000000001407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 1, threadinfo ffff88013e79c000, task ffff88013e79b500)
Stack:
ffff880028203d00 ffffffff813de186 ffffffffffffff02 0000000000000000
<d> 0000000000000000 0000000000000000 0000000000000000 0000000000000098
<d> ffff880028203d70 ffffffff813e0162 ffff880028203d20 ffffffff8103b8ac
Call Trace:
<IRQ>
[<ffffffff813de186>] serio_interrupt+0x36/0xa0
[<ffffffff813e0162>] i8042_interrupt+0x132/0x3a0
[<ffffffff8103b8ac>] ? kvm_clock_read+0x1c/0x20
[<ffffffff8103b8b9>] ? kvm_clock_get_cycles+0x9/0x10
[<ffffffff810e1640>] handle_IRQ_event+0x60/0x170
[<ffffffff8103b154>] ? kvm_guest_apic_eoi_write+0x44/0x50
[<ffffffff810e3d8e>] handle_edge_irq+0xde/0x180
[<ffffffff8100de89>] handle_irq+0x49/0xa0
[<ffffffff81516c8c>] do_IRQ+0x6c/0xf0
[<ffffffff8100b9d3>] ret_from_intr+0x0/0x11
[<ffffffff81076f63>] ? __do_softirq+0x73/0x1e0
[<ffffffff8109b75b>] ? hrtimer_interrupt+0x14b/0x260
[<ffffffff8100c1cc>] ? call_softirq+0x1c/0x30
[<ffffffff8100de05>] ? do_softirq+0x65/0xa0
[<ffffffff81076d95>] ? irq_exit+0x85/0x90
[<ffffffff81516d80>] ? smp_apic_timer_interrupt+0x70/0x9b
[<ffffffff8100bb93>] ? apic_timer_interrupt+0x13/0x20
To avoid the issue let's change the second check to test whether serio is
NULL or not.
Also, let's take i8042_lock in i8042_start() and i8042_stop() instead of
trying to be overly smart and using memory barriers.
Signed-off-by: Chen Hong <chenhong3@huawei.com>
[dtor: take lock in i8042_start()/i8042_stop()]
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/serio/i8042.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -397,8 +397,10 @@ static int i8042_start(struct serio *ser
{
struct i8042_port *port = serio->port_data;
+ spin_lock_irq(&i8042_lock);
port->exists = true;
- mb();
+ spin_unlock_irq(&i8042_lock);
+
return 0;
}
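Review bot: i8042_start() uses spin_lock_irq()/spin_unlock_irq(), which re-enables interrupts unconditionally on unlock; that is only correct if the serio start callback is never invoked with interrupts already disabled. i8042_interrupt() in this same file uses the irqsave/irqrestore form (see the spin_unlock_irqrestore() context line in the last hunk), so either use that here as well or add a comment stating the calling-context assumption. The same applies to i8042_stop() in the next hunk.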
@@ -411,16 +413,20 @@ static void i8042_stop(struct serio *ser
{
struct i8042_port *port = serio->port_data;
+ spin_lock_irq(&i8042_lock);
port->exists = false;
+ port->serio = NULL;
+ spin_unlock_irq(&i8042_lock);
/*
+ * We need to make sure that interrupt handler finishes using
+ * our serio port before we return from this function.
* We synchronize with both AUX and KBD IRQs because there is
* a (very unlikely) chance that AUX IRQ is raised for KBD port
* and vice versa.
*/
synchronize_irq(I8042_AUX_IRQ);
synchronize_irq(I8042_KBD_IRQ);
- port->serio = NULL;
}
/*
@@ -537,7 +543,7 @@ static irqreturn_t i8042_interrupt(int i
spin_unlock_irqrestore(&i8042_lock, flags);
- if (likely(port->exists && !filtered))
+ if (likely(serio && !filtered))
serio_interrupt(serio, data, dfl);
out:
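Review bot: The `serio &&` test in i8042_interrupt() is only safe if `serio` was assigned while i8042_lock was held, before the spin_unlock_irqrestore() shown at the top of this hunk. That assignment is outside the visible context, so please confirm in the 3.16 tree that it reads port->serio under the lock and yields NULL when port->exists is false.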
* [PATCH 3.16 098/192] cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (81 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 111/192] Input: i8042 - fix crash at boot time Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 119/192] ext3: Don't clear SGID when inheriting ACLs Ben Hutchings
` (109 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jouni Malinen, Srinivas Dasari, Johannes Berg
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Dasari <dasaris@qti.qualcomm.com>
commit 8feb69c7bd89513be80eb19198d48f154b254021 upstream.
Buffer overread may happen as nl80211_set_station() reads 4 bytes
from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
validating the size of data received when userspace sends less
than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
the buffer overread.
Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/wireless/nl80211.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -354,6 +354,7 @@ static const struct nla_policy nl80211_p
[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
+ [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
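Review bot: the added NL80211_ATTR_LOCAL_MESH_POWER_MODE entry is written `{. type = NLA_U32 }`, copying the misplaced space from the NL80211_ATTR_ACL_POLICY line below it instead of the `{ .type = ... }` form used by the other entries in the context. Please use the standard designator spacing for the new line. It would also be worth checking the remaining attributes read as fixed-size integers in nl80211_set_station() for the same missing policy entry, since the overread came from exactly that omission.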
* [PATCH 3.16 119/192] ext3: Don't clear SGID when inheriting ACLs
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, linux-ext4, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
Based on Jan Kara's fix for ext2 (commit a992f2d38e4c), from which the
following description is taken:
> When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
> set, DIR1 is expected to have SGID bit set (and owning group equal to
> the owning group of 'DIR0'). However when 'DIR0' also has some default
> ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
> 'DIR1' to get cleared if user is not member of the owning group.
Fix the problem by moving the posix_acl_update_mode() call up from
__ext3_set_acl() into ext3_set_acl().
Fixes: 073931017b49 ("posix_acl: Clear SGID bit when setting file permissions")
Cc: linux-ext4@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ext3/acl.c | 36 ++++++++++++++++++++++--------------
1 file changed, 22 insertions(+), 14 deletions(-)
--- a/fs/ext3/acl.c
+++ b/fs/ext3/acl.c
@@ -194,13 +194,6 @@ __ext3_set_acl(handle_t *handle, struct
switch(type) {
case ACL_TYPE_ACCESS:
name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS;
- if (acl) {
- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
- if (error)
- return error;
- inode->i_ctime = CURRENT_TIME_SEC;
- ext3_mark_inode_dirty(handle, inode);
- }
break;
case ACL_TYPE_DEFAULT:
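Review bot: with the ACL_TYPE_ACCESS branch reduced to setting name_index, __ext3_set_acl() no longer touches i_mode or i_ctime, and nothing at the function says so. A short comment above __ext3_set_acl() stating that callers needing the mode update must call posix_acl_update_mode() themselves would stop a later caller from assuming the old behaviour.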
@@ -239,7 +232,15 @@ retry:
handle = ext3_journal_start(inode, EXT3_DATA_TRANS_BLOCKS(inode->i_sb));
if (IS_ERR(handle))
return PTR_ERR(handle);
+ if (type == ACL_TYPE_ACCESS && acl) {
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
+ goto journal_stop;
+ inode->i_ctime = CURRENT_TIME_SEC;
+ ext3_mark_inode_dirty(handle, inode);
+ }
error = __ext3_set_acl(handle, inode, type, acl);
+journal_stop:
ext3_journal_stop(handle);
if (error == -ENOSPC && ext3_should_retry_alloc(inode->i_sb, &retries))
goto retry;
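Review bot: in ext3_set_acl(), posix_acl_update_mode() writes straight into inode->i_mode and the inode is marked dirty before __ext3_set_acl() is called, so if __ext3_set_acl() then returns an error the new mode stays in place although the ACL was not stored. The -ENOSPC `goto retry` path also re-enters this block with whatever posix_acl_update_mode() left in i_mode and acl on the first pass. Computing the mode into a local variable and applying it, together with i_ctime, only after __ext3_set_acl() succeeds would avoid both.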
* [PATCH 3.16 052/192] scsi: bnx2i: missing error code in bnx2i_ep_connect()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Johannes Thumshirn, Martin K. Petersen, Dan Carpenter
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 1d32a62c74b3bcb69822b0f4745af5410cfec3a7 upstream.
If bnx2i_map_ep_dbell_regs() then we accidentally return NULL instead of
an error pointer. It results in a NULL dereference in
iscsi_if_ep_connect().
Fixes: cf4e6363859d ("[SCSI] bnx2i: Add bnx2i iSCSI driver.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/bnx2i/bnx2i_iscsi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/scsi/bnx2i/bnx2i_iscsi.c
+++ b/drivers/scsi/bnx2i/bnx2i_iscsi.c
@@ -1906,7 +1906,8 @@ static struct iscsi_endpoint *bnx2i_ep_c
bnx2i_ep_active_list_add(hba, bnx2i_ep);
- if (bnx2i_map_ep_dbell_regs(bnx2i_ep))
+ rc = bnx2i_map_ep_dbell_regs(bnx2i_ep);
+ if (rc)
goto del_active_ep;
mutex_unlock(&hba->net_dev_lock);
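Review bot: storing the result in `rc` only helps if the del_active_ep path turns it into an error pointer, and that code is outside this hunk. Please confirm that the label ends in a return built from rc, and that bnx2i_map_ep_dbell_regs() returns a negative errno rather than a positive or boolean failure value; otherwise the caller still cannot tell failure from a valid endpoint pointer.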
* [PATCH 3.16 100/192] drm/radeon: Fix eDP for single-display iMac10,1 (v2)
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Alex Deucher, Mario Kleiner, Michel Dänzer
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mario Kleiner <mario.kleiner.de@gmail.com>
commit 564d8a2cf3abf16575af48bdc3e86e92ee8a617d upstream.
The late 2009, 27 inch Apple iMac10,1 has an
internal eDP display and an external Mini-
Displayport output, driven by a DCE-3.2, RV730
Radeon Mobility HD-4670.
The machine worked fine in a dual-display setup
with eDP panel + externally connected HDMI
or DVI-D digital display sink, connected via
MiniDP to DVI or HDMI adapter.
However, booting the machine single-display with
only eDP panel results in a completely black
display - even backlight powering off, as soon as
the radeon modesetting driver loads.
This patch fixes the single display eDP case by
assigning encoders based on dig->linkb, similar
to DCE-4+. While this should not be generally
necessary (Alex: "...atom on normal boards
should be able to handle any mapping."), Apple
seems to use some special routing here.
One remaining problem not solved by this patch
is that an external Minidisplayport->DP sink
does still not work on iMac10,1, whereas external
DVI and HDMI sinks continue to work.
The problem affects at least all tested kernels
since Linux 3.13 - didn't test earlier kernels, so
backporting to stable probably makes sense.
v2: With the original patch from 2016, Alex was worried it
will break other DCE3.2 systems. Use dmi_match() to
apply this special encoder assignment only for the
Apple iMac 10,1 from late 2009.
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[bwh: Backported to 3.16:
- Return the selected encoder rather than assigning it
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/radeon/atombios_encoders.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/radeon/atombios_encoders.c
+++ b/drivers/gpu/drm/radeon/atombios_encoders.c
@@ -29,6 +29,7 @@
#include "radeon.h"
#include "atom.h"
#include <linux/backlight.h>
+#include <linux/dmi.h>
extern int atom_debug;
@@ -2095,9 +2096,17 @@ static int radeon_atom_pick_dig_encoder(
}
}
- /* on DCE32 and encoder can driver any block so just crtc id */
+ /*
+ * On DCE32 any encoder can drive any block so usually just use crtc id,
+ * but Apple thinks different at least on iMac10,1, so there use linkb,
+ * otherwise the internal eDP panel will stay dark.
+ */
if (ASIC_IS_DCE32(rdev)) {
- return radeon_crtc->crtc_id;
+ if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1"))
+ return (dig->linkb) ? 1 : 0;
+ else
+ return radeon_crtc->crtc_id;
+
}
/* on DCE3 - LVTMA can only be driven by DIGB */
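Review bot: style points in the ASIC_IS_DCE32() block: the `else` after a `return` is redundant, the parentheses in `(dig->linkb) ? 1 : 0` add nothing, and the added blank line before the closing brace should go. An early `return dig->linkb ? 1 : 0;` under the dmi_match() test followed by an unconditional `return radeon_crtc->crtc_id;` reads more cleanly. Since dmi_match() now runs on every call of radeon_atom_pick_dig_encoder() for DCE3.2 parts, consider evaluating the quirk once and caching the result.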
* [PATCH 3.16 038/192] drm/msm/hdmi: Use bitwise operators when building register values
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Liviu Dudau, Liviu Dudau, Rob Clark
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liviu Dudau <Liviu.Dudau@arm.com>
commit ffe8f53f9cc73fb25c8f78d4aed7ddf285503a60 upstream.
Commit c0c0d9eeeb8d ("drm/msm: hdmi audio support") uses logical
OR operators to build up a value to be written in the
REG_HDMI_AUDIO_INFO0 and REG_HDMI_AUDIO_INFO1 registers when it
should have used bitwise operators.
Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
Fixes: c0c0d9eeeb8d ("drm/msm: hdmi audio support")
Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/msm/hdmi/hdmi_audio.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/msm/hdmi/hdmi_audio.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi_audio.c
@@ -182,10 +182,10 @@ int hdmi_audio_update(struct hdmi *hdmi)
/* configure infoframe: */
hdmi_audio_infoframe_pack(info, buf, sizeof(buf));
hdmi_write(hdmi, REG_HDMI_AUDIO_INFO0,
- (buf[3] << 0) || (buf[4] << 8) ||
- (buf[5] << 16) || (buf[6] << 24));
+ (buf[3] << 0) | (buf[4] << 8) |
+ (buf[5] << 16) | (buf[6] << 24));
hdmi_write(hdmi, REG_HDMI_AUDIO_INFO1,
- (buf[7] << 0) || (buf[8] << 8));
+ (buf[7] << 0) | (buf[8] << 8));
hdmi_write(hdmi, REG_HDMI_GC, 0);
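Review bot: in the REG_HDMI_AUDIO_INFO0 write, `buf[6] << 24` is evaluated as int if buf is a byte array (its declaration is outside the hunk), so a value of 0x80 or above shifts into the sign bit. Casting each byte to u32 before shifting would keep the expression well defined now that the bits actually reach the register. With the old `||` form both writes could only ever produce 0 or 1, so it is worth a line in the changelog that the audio infoframe registers were never programmed correctly before this fix.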
* [PATCH 3.16 097/192] cfg80211: Check if PMKID attribute is of expected size
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jouni Malinen, Johannes Berg, Srinivas Dasari
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Dasari <dasaris@qti.qualcomm.com>
commit 9361df14d1cbf966409d5d6f48bb334384fbe138 upstream.
nla policy checks for only maximum length of the attribute data
when the attribute type is NLA_BINARY. If userspace sends less
data than specified, the wireless drivers may access illegal
memory. When type is NLA_UNSPEC, nla policy check ensures that
userspace sends minimum specified length number of bytes.
Remove type assignment to NLA_BINARY from nla_policy of
NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
WLAN_PMKID_LEN bytes are received from userspace with
NL80211_ATTR_PMKID.
Fixes: 67fbb16be69d ("nl80211: PMKSA caching support")
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/wireless/nl80211.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -299,8 +299,7 @@ static const struct nla_policy nl80211_p
[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
[NL80211_ATTR_PID] = { .type = NLA_U32 },
[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
- [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
- .len = WLAN_PMKID_LEN },
+ [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
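Review bot: the NL80211_ATTR_PMKID entry now relies on the omitted .type defaulting to NLA_UNSPEC for its minimum-length meaning, which a later cleanup could easily undo by "restoring" the type. A short comment on the line, or an explicit `.type = NLA_UNSPEC`, would record that the missing type is deliberate. Per the commit message this policy enforces only a lower bound of WLAN_PMKID_LEN, so the consumers must keep reading exactly that many bytes and never the attribute's own length.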
* [PATCH 3.16 003/192] sched/fair, cpumask: Export for_each_cpu_wrap()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Peter Zijlstra, Rik van Riel, Mike Galbraith,
Thomas Gleixner, lwang, Ingo Molnar, Linus Torvalds,
Lauro Ramos Venancio
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit c743f0a5c50f2fcbc628526279cfa24f3dabe182 upstream.
More users for for_each_cpu_wrap() have appeared. Promote the construct
to generic cpumask interface.
The implementation is slightly modified to reduce arguments.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Lauro Ramos Venancio <lvenanci@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: lwang@redhat.com
Link: http://lkml.kernel.org/r/20170414122005.o35me2h5nowqkxbv@hirez.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: there's no old version of the function to delete]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -225,6 +225,23 @@ int cpumask_set_cpu_local_first(int i, i
(cpu) = cpumask_next_zero((cpu), (mask)), \
(cpu) < nr_cpu_ids;)
+extern int cpumask_next_wrap(int n, const struct cpumask *mask, int start, bool wrap);
+
+/**
+ * for_each_cpu_wrap - iterate over every cpu in a mask, starting at a specified location
+ * @cpu: the (optionally unsigned) integer iterator
+ * @mask: the cpumask poiter
+ * @start: the start location
+ *
+ * The implementation does not assume any bit in @mask is set (including @start).
+ *
+ * After the loop, cpu is >= nr_cpu_ids.
+ */
+#define for_each_cpu_wrap(cpu, mask, start) \
+ for ((cpu) = cpumask_next_wrap((start)-1, (mask), (start), false); \
+ (cpu) < nr_cpumask_bits; \
+ (cpu) = cpumask_next_wrap((cpu), (mask), (start), true))
+
/**
* for_each_cpu_and - iterate over every cpu in both masks
* @cpu: the (optionally unsigned) integer iterator
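Review bot: the kernel-doc for for_each_cpu_wrap() says that after the loop cpu is >= nr_cpu_ids, but the loop condition in the macro tests `(cpu) < nr_cpumask_bits`; the comment and the code should name the same bound. The @mask line also has a typo ("poiter"). Note too that the macro evaluates `start` and `mask` more than once, which the kernel-doc should mention for callers passing expressions with side effects.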
--- a/lib/cpumask.c
+++ b/lib/cpumask.c
@@ -63,6 +63,38 @@ int cpumask_any_but(const struct cpumask
return i;
}
+/**
+ * cpumask_next_wrap - helper to implement for_each_cpu_wrap
+ * @n: the cpu prior to the place to search
+ * @mask: the cpumask pointer
+ * @start: the start point of the iteration
+ * @wrap: assume @n crossing @start terminates the iteration
+ *
+ * Returns >= nr_cpu_ids on completion
+ *
+ * Note: the @wrap argument is required for the start condition when
+ * we cannot assume @start is set in @mask.
+ */
+int cpumask_next_wrap(int n, const struct cpumask *mask, int start, bool wrap)
+{
+ int next;
+
+again:
+ next = cpumask_next(n, mask);
+
+ if (wrap && n < start && next >= start) {
+ return nr_cpumask_bits;
+
+ } else if (next >= nr_cpumask_bits) {
+ wrap = true;
+ n = -1;
+ goto again;
+ }
+
+ return next;
+}
+EXPORT_SYMBOL(cpumask_next_wrap);
+
/* These are not inline because of header tangles. */
#ifdef CONFIG_CPUMASK_OFFSTACK
/**
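Review bot: cpumask_next_wrap() documents its return value as ">= nr_cpu_ids" while the code returns and compares against nr_cpumask_bits, the same mismatch as in the header. The kernel-doc should also state the valid range for @start: the `goto again` loop ends only when the `wrap && n < start && next >= start` test fires, and nothing in the function checks @start. The blank line before `} else if` and the `else` after a `return` can both go.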
* [PATCH 3.16 062/192] USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Johan Hovold, Jeremie Rapin, Greg Kroah-Hartman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jeremie Rapin <rapinj@gmail.com>
commit fd90f73a9925f248d696bde1cfc836d9fda5570d upstream.
Added the USB serial device ID for the CEL ZigBee EM3588
radio stick.
Signed-off-by: Jeremie Rapin <rapinj@gmail.com>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -134,6 +134,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
{ USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
{ USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
+ { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
{ USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
{ USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
{ USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
* [PATCH 3.16 114/192] ubifs: Correctly evict xattr inodes
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Richard Weinberger
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 272eda8298dc82eb411ece82bbb2c62911087b24 upstream.
UBIFS handles extended attributes just like files, as a consequence of
that, they also have inodes.
Therefore UBIFS does all the inode machinery also for xattrs. Since new
inodes have i_nlink of 1, a file or xattr inode will be evicted
if i_nlink goes down to 0 after an unlink. UBIFS assumes this model also
for xattrs, which is not correct.
One can create a file "foo" with xattr "user.test". By reading
"user.test" an inode will be created, and by deleting "user.test" it
will get evicted later. The assumption breaks if the file "foo", which
hosts the xattrs, will be removed. Neither VFS nor UBIFS removes each
xattr via ubifs_xattr_remove(), it just removes the host inode from
the TNC and all underlying xattr nodes too and the inode will remain
in the cache and wastes memory.
To solve this problem, remove xattr inodes from the VFS inode cache in
ubifs_xattr_remove() to make sure that they get evicted.
Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/ubifs/tnc.c | 2 ++
fs/ubifs/ubifs.h | 1 +
fs/ubifs/xattr.c | 22 ++++++++++++++++++++++
3 files changed, 25 insertions(+)
--- a/fs/ubifs/tnc.c
+++ b/fs/ubifs/tnc.c
@@ -2712,6 +2712,8 @@ int ubifs_tnc_remove_ino(struct ubifs_in
dbg_tnc("xent '%s', ino %lu", xent->name,
(unsigned long)xattr_inum);
+ ubifs_evict_xattr_inode(c, xattr_inum);
+
nm.name = xent->name;
nm.len = le16_to_cpu(xent->nlen);
err = ubifs_tnc_remove_nm(c, &key1, &nm);
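Review bot: ubifs_evict_xattr_inode() is called before ubifs_tnc_remove_nm(), whose result lands in `err`, so when the removal fails the cached xattr inode has already had its link count cleared. Moving the call to after a successful ubifs_tnc_remove_nm() would keep the inode cache and the TNC consistent on the error path. The commit message also says the eviction is done in ubifs_xattr_remove(), while the call is added here in ubifs_tnc_remove_ino(); one of the two should be corrected.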
--- a/fs/ubifs/ubifs.h
+++ b/fs/ubifs/ubifs.h
@@ -1756,6 +1756,7 @@ ssize_t ubifs_getxattr(struct dentry *de
size_t size);
ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size);
int ubifs_removexattr(struct dentry *dentry, const char *name);
+void ubifs_evict_xattr_inode(struct ubifs_info *c, ino_t xattr_inum);
/* super.c */
struct inode *ubifs_iget(struct super_block *sb, unsigned long inum);
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@@ -481,6 +481,28 @@ ssize_t ubifs_listxattr(struct dentry *d
return written;
}
+/**
+ * ubifs_evict_xattr_inode - Evict an xattr inode.
+ * @c: UBIFS file-system description object
+ * @xattr_inum: xattr inode number
+ *
+ * When an inode that hosts xattrs is being removed we have to make sure
+ * that cached inodes of the xattrs also get removed from the inode cache
+ * otherwise we'd waste memory. This function looks up an inode from the
+ * inode cache and clears the link counter such that iput() will evict
+ * the inode.
+ */
+void ubifs_evict_xattr_inode(struct ubifs_info *c, ino_t xattr_inum)
+{
+ struct inode *inode;
+
+ inode = ilookup(c->vfs_sb, xattr_inum);
+ if (inode) {
+ clear_nlink(inode);
+ iput(inode);
+ }
+}
+
static int remove_xattr(struct ubifs_info *c, struct inode *host,
struct inode *inode, const struct qstr *nm)
{
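Review bot: ubifs_evict_xattr_inode() calls clear_nlink() on whatever ilookup() returns with no locking visible in the function, and the kernel-doc does not say what the caller must hold. Please document the locking expectation, and also that the inode is evicted only when the iput() here drops the last reference, so a concurrent user of the xattr inode delays the eviction and sees a zero link count in the meantime.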
* [PATCH 3.16 048/192] staging: comedi: fix clean-up of comedi_class in comedi_init()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Ian Abbott
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit a9332e9ad09c2644c99058fcf6ae2f355e93ce74 upstream.
There is a clean-up bug in the core comedi module initialization
functions, `comedi_init()`. If the `comedi_num_legacy_minors` module
parameter is non-zero (and valid), it creates that many "legacy" devices
and registers them in SysFS. A failure causes the function to clean up
and return an error. Unfortunately, it fails to destroy the "comedi"
class that was created earlier. Fix it by adding a call to
`class_destroy(comedi_class)` at the appropriate place in the clean-up
sequence.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/comedi/comedi_fops.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -2626,6 +2626,7 @@ static int __init comedi_init(void)
dev = comedi_alloc_board_minor(NULL);
if (IS_ERR(dev)) {
comedi_cleanup_board_minors();
+ class_destroy(comedi_class);
cdev_del(&comedi_cdev);
unregister_chrdev_region(MKDEV(COMEDI_MAJOR, 0),
COMEDI_NUM_MINORS);
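Review bot: the missing class_destroy(comedi_class) went unnoticed because this error branch in comedi_init() repeats the whole unwind sequence inline. The one-line fix is the right size for stable, but the sequence visible here (comedi_cleanup_board_minors(), class_destroy(), cdev_del(), unregister_chrdev_region()) would be safer as shared goto labels at the end of the function, so one failure point cannot drift out of step with the others.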
* [PATCH 3.16 113/192] sunrpc: use constant time memory comparison for mac
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Trond Myklebust, Anna Schumaker, Anna Schumaker,
Jeff Layton, Jason A. Donenfeld, linux-nfs, J. Bruce Fields
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
commit 15a8b93fd5690de017ce665382ea45e5d61811a4 upstream.
Otherwise, we enable a MAC forgery via timing attack.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Jeff Layton <jlayton@poochiereds.net>
Cc: Trond Myklebust <trond.myklebust@primarydata.com>
Cc: Anna Schumaker <anna.schumaker@netapp.com>
Cc: linux-nfs@vger.kernel.org
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/sunrpc/auth_gss/gss_krb5_crypto.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -34,6 +34,7 @@
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
+#include <crypto/algapi.h>
#include <linux/err.h>
#include <linux/types.h>
#include <linux/mm.h>
@@ -838,7 +839,7 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kc
if (ret)
goto out_err;
- if (memcmp(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
+ if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
ret = GSS_S_BAD_SIG;
goto out_err;
}
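Review bot: the `!= 0` in `if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0)` is a leftover from the memcmp() form. crypto_memneq() reports only equal or not equal, so `if (crypto_memneq(...))` says the same thing without suggesting an ordering result. A one-line comment that this comparison must stay constant-time would keep a later cleanup from switching it back to memcmp(), and the other MAC or checksum comparisons in this file deserve the same check.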
* [PATCH 3.16 081/192] parisc: Report SIGSEGV instead of SIGBUS when running out of stack
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Helge Deller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 247462316f85a9e0479445c1a4223950b68ffac1 upstream.
When a process runs out of stack the parisc kernel wrongly faults with SIGBUS
instead of the expected SIGSEGV signal.
This example shows how the kernel faults:
do_page_fault() command='a.out' type=15 address=0xfaac2000 in libc-2.24.so[f8308000+16c000]
trap #15: Data TLB miss fault, vm_start = 0xfa2c2000, vm_end = 0xfaac2000
The vma->vm_end value is the first address which does not belong to the vma, so
adjust the check to include vma->vm_end to the range for which to send the
SIGSEGV signal.
This patch unbreaks building the debian libsigsegv package.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/parisc/mm/fault.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/mm/fault.c
+++ b/arch/parisc/mm/fault.c
@@ -303,7 +303,7 @@ bad_area:
case 15: /* Data TLB miss fault/Data page fault */
/* send SIGSEGV when outside of vma */
if (!vma ||
- address < vma->vm_start || address > vma->vm_end) {
+ address < vma->vm_start || address >= vma->vm_end) {
si.si_signo = SIGSEGV;
si.si_code = SEGV_MAPERR;
break;
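Review bot: the existing comment "send SIGSEGV when outside of vma" does not explain why the upper test is `>=`. Since the fix is precisely that vma->vm_end is the first address past the mapping, saying so in the comment would keep the boundary from being "simplified" back to `>` later.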
* [PATCH 3.16 023/192] perf/core: Correct event creation with PERF_FORMAT_GROUP
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Alexander Shishkin, Jiri Olsa, Peter Zijlstra,
Arnaldo Carvalho de Melo, Thomas Gleixner, Andi Kleen,
Ingo Molnar, Vince Weaver, Linus Torvalds, Stephane Eranian
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit ba5213ae6b88fb170c4771fef6553f759c7d8cdd upstream.
Andi was asking about PERF_FORMAT_GROUP vs inherited events, which led
to the discovery of a bug from commit:
3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff")
- PERF_SAMPLE_GROUP = 1U << 4,
+ PERF_SAMPLE_READ = 1U << 4,
- if (attr->inherit && (attr->sample_type & PERF_SAMPLE_GROUP))
+ if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP))
is a clear fail :/
While this changes user visible behaviour; it was previously possible
to create an inherited event with PERF_SAMPLE_READ; this is deemed
acceptable because its results were always incorrect.
Reported-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vince@deater.net>
Fixes: 3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff")
Link: http://lkml.kernel.org/r/20170530094512.dy2nljns2uq7qa3j@hirez.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/events/core.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4755,9 +4755,6 @@ static void perf_output_read_one(struct
__output_copy(handle, values, n * sizeof(u64));
}
-/*
- * XXX PERF_FORMAT_GROUP vs inherited events seems difficult.
- */
static void perf_output_read_group(struct perf_output_handle *handle,
struct perf_event *event,
u64 enabled, u64 running)
@@ -4802,6 +4799,13 @@ static void perf_output_read_group(struc
#define PERF_FORMAT_TOTAL_TIMES (PERF_FORMAT_TOTAL_TIME_ENABLED|\
PERF_FORMAT_TOTAL_TIME_RUNNING)
+/*
+ * XXX PERF_SAMPLE_READ vs inherited events seems difficult.
+ *
+ * The problem is that its both hard and excessively expensive to iterate the
+ * child list, not to mention that its impossible to IPI the children running
+ * on another CPU, from interrupt/NMI context.
+ */
static void perf_output_read(struct perf_output_handle *handle,
struct perf_event *event)
{
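Review bot: In the comment added above perf_output_read(), "its both hard" and "its impossible" should read "it's" in both places. Since this comment is the only explanation of why PERF_SAMPLE_READ is refused for inherited events, it would also help to name the check in perf_event_alloc() that enforces it.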
@@ -7088,9 +7092,10 @@ perf_event_alloc(struct perf_event_attr
local64_set(&hwc->period_left, hwc->sample_period);
/*
- * we currently do not support PERF_FORMAT_GROUP on inherited events
+ * We currently do not support PERF_SAMPLE_READ on inherited events.
+ * See perf_output_read().
*/
- if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP))
+ if (attr->inherit && (attr->sample_type & PERF_SAMPLE_READ))
goto err_ns;
pmu = perf_init_event(event);
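Review bot: The old `attr->read_format & PERF_FORMAT_GROUP` test in perf_event_alloc() is replaced rather than kept next to the new one, so an inherited event with PERF_FORMAT_GROUP and no PERF_SAMPLE_READ is now accepted where it used to be refused. That is a second user-visible change beside the new PERF_SAMPLE_READ rejection. The error value returned through err_ns is not visible in this hunk, so the changelog or the perf_event_open documentation should state what callers will see in each case.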
* [PATCH 3.16 094/192] rtc: rtc-nuc900: fix loop timeout test
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (94 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 023/192] perf/core: Correct event creation with PERF_FORMAT_GROUP Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 123/192] reiserfs: preserve i_mode if __reiserfs_set_acl() fails Ben Hutchings
` (96 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alexandre Belloni, Dan Carpenter
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit d0a67c372df410b579197ea818596001fe20070d upstream.
We should change this post-op to a pre-op because we want the loop to
exit with "timeout" set to zero.
Fixes: 0a89b55364e0 ("nuc900/rtc: change the waiting for device ready implement")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/rtc/rtc-nuc900.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/rtc/rtc-nuc900.c
+++ b/drivers/rtc/rtc-nuc900.c
@@ -93,7 +93,7 @@ static int *check_rtc_access_enable(stru
__raw_writel(AERPOWERON, nuc900_rtc->rtc_reg + REG_RTC_AER);
while (!(__raw_readl(nuc900_rtc->rtc_reg + REG_RTC_AER) & AERRWENB)
- && timeout--)
+ && --timeout)
mdelay(1);
if (!timeout)
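Review bot: With `--timeout` in check_rtc_access_enable() the loop performs one fewer mdelay(1) than the initial value of timeout, and a starting value of 0 would no longer end the loop on the first test. The declaration is outside this hunk, so please confirm timeout starts positive and that the shortened wait still covers the hardware's worst case. The `if (!timeout)` test is then correct, because a successful register read short-circuits before the decrement.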
* [PATCH 3.16 123/192] reiserfs: preserve i_mode if __reiserfs_set_acl() fails
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (95 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 094/192] rtc: rtc-nuc900: fix loop timeout test Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 078/192] scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails Ben Hutchings
` (95 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Kara, Ernesto A. Fernández
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
commit fcea8aed91f53b51f9b943dc01f12d8aa666c720 upstream.
When changing a file's acl mask, reiserfs_set_acl() will first set the
group bits of i_mode to the value of the mask, and only then set the
actual extended attribute representing the new acl.
If the second part fails (due to lack of space, for example) and the
file had no acl attribute to begin with, the system will from now on
assume that the mask permission bits are actual group permission bits,
potentially granting access to the wrong users.
Prevent this by only changing the inode mode after the acl has been set.
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/reiserfs/xattr_acl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -23,7 +23,8 @@ reiserfs_set_acl(struct inode *inode, st
struct reiserfs_transaction_handle th;
size_t jcreate_blocks;
int size = acl ? posix_acl_xattr_size(acl->a_count) : 0;
-
+ int update_mode = 0;
+ umode_t mode = inode->i_mode;
/*
* Pessimism: We can't assume that anything from the xattr root up
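Review bot: The blank line between the local declarations and the "Pessimism" comment in reiserfs_set_acl() is removed by this hunk. Kernel style keeps an empty line after the declaration block, so add it back after `umode_t mode = inode->i_mode;`.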
@@ -38,12 +39,14 @@ reiserfs_set_acl(struct inode *inode, st
reiserfs_write_unlock(inode->i_sb);
if (error == 0) {
if (type == ACL_TYPE_ACCESS && acl) {
- error = posix_acl_update_mode(inode, &inode->i_mode,
- &acl);
+ error = posix_acl_update_mode(inode, &mode, &acl);
if (error)
goto unlock;
+ update_mode = 1;
}
error = __reiserfs_set_acl(&th, inode, type, acl);
+ if (!error && update_mode)
+ inode->i_mode = mode;
unlock:
reiserfs_write_lock(inode->i_sb);
error2 = journal_end(&th);
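Review bot: `inode->i_mode = mode;` is assigned after __reiserfs_set_acl() has returned, and nothing in the visible lines marks the inode dirty between that assignment and journal_end(). If __reiserfs_set_acl() logs the inode before the new mode is stored, the mode change depends on some later write-back; please confirm it reaches disk in this transaction or add an explicit mark_inode_dirty(inode) after the assignment. A short comment saying the mode is deliberately applied only after the xattr write succeeds would also keep the ordering from being undone later.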
* [PATCH 3.16 078/192] scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails.
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (96 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 123/192] reiserfs: preserve i_mode if __reiserfs_set_acl() fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 091/192] s390/syscalls: Fix out of bounds arguments access Ben Hutchings
` (94 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, James Bottomley, Maurizio Lombardi, Douglas Miller,
Martin K. Petersen
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Maurizio Lombardi <mlombard@redhat.com>
commit 62e62ffd95539b9220894a7900a619e0f3ef4756 upstream.
The enclosure_add_device() function should fail if it can't create the
relevant sysfs links.
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Tested-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
Acked-by: James Bottomley <jejb@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/misc/enclosure.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/misc/enclosure.c
+++ b/drivers/misc/enclosure.c
@@ -320,6 +320,7 @@ int enclosure_add_device(struct enclosur
struct device *dev)
{
struct enclosure_component *cdev;
+ int err;
if (!edev || component >= edev->components)
return -EINVAL;
@@ -329,12 +330,17 @@ int enclosure_add_device(struct enclosur
if (cdev->dev == dev)
return -EEXIST;
- if (cdev->dev)
+ if (cdev->dev) {
enclosure_remove_links(cdev);
-
- put_device(cdev->dev);
+ put_device(cdev->dev);
+ }
cdev->dev = get_device(dev);
- return enclosure_add_links(cdev);
+ err = enclosure_add_links(cdev);
+ if (err) {
+ put_device(cdev->dev);
+ cdev->dev = NULL;
+ }
+ return err;
}
EXPORT_SYMBOL_GPL(enclosure_add_device);
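Review bot: On the failure path added at the end of enclosure_add_device(), a component that already had a device has lost it by the time enclosure_add_links() fails: the old links were removed and the old reference dropped a few lines earlier, so the slot ends up with cdev->dev == NULL instead of its previous device. If that is intended, say so in the function's comment. The hunk also does not show whether enclosure_add_links() removes a partially created link itself, which the new error branch depends on.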
* [PATCH 3.16 091/192] s390/syscalls: Fix out of bounds arguments access
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (97 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 078/192] scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 075/192] btrfs: Don't clear SGID when inheriting ACLs Ben Hutchings
` (93 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jiri Olsa, Zorro Lang, Martin Schwidefsky
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@kernel.org>
commit c46fc0424ced3fb71208e72bd597d91b9169a781 upstream.
Zorro reported the following crash while having enabled
syscall tracing (CONFIG_FTRACE_SYSCALLS):
Unable to handle kernel pointer dereference at virtual ...
Oops: 0011 [#1] SMP DEBUG_PAGEALLOC
SNIP
Call Trace:
([<000000000024d79c>] ftrace_syscall_enter+0xec/0x1d8)
[<00000000001099c6>] do_syscall_trace_enter+0x236/0x2f8
[<0000000000730f1c>] sysc_tracesys+0x1a/0x32
[<000003fffcf946a2>] 0x3fffcf946a2
INFO: lockdep is turned off.
Last Breaking-Event-Address:
[<000000000022dd44>] rb_event_data+0x34/0x40
---[ end trace 8c795f86b1b3f7b9 ]---
The crash happens in syscall_get_arguments function for
syscalls with zero arguments, that will try to access
first argument (args[0]) in event entry, but it's not
allocated.
Bail out if there are no arguments.
Reported-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/s390/include/asm/syscall.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/s390/include/asm/syscall.h
+++ b/arch/s390/include/asm/syscall.h
@@ -64,6 +64,12 @@ static inline void syscall_get_arguments
{
unsigned long mask = -1UL;
+ /*
+ * No arguments for this syscall, there's nothing to do.
+ */
+ if (!n)
+ return;
+
BUG_ON(i + n > 6);
#ifdef CONFIG_COMPAT
if (test_tsk_thread_flag(task, TIF_31BIT))
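Review bot: The new `if (!n) return;` in syscall_get_arguments() sits above `BUG_ON(i + n > 6)`, so a call with n == 0 and an out-of-range i now returns silently instead of tripping the assertion. Moving the early return below the BUG_ON keeps the bounds check for every caller while still skipping the args[0] access that the changelog describes.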
* [PATCH 3.16 075/192] btrfs: Don't clear SGID when inheriting ACLs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (98 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 091/192] s390/syscalls: Fix out of bounds arguments access Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 057/192] MIPS: Fix mips_atomic_set() retry condition Ben Hutchings
` (92 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, linux-btrfs, David Sterba, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit b7f8a09f8097db776b8d160862540e4fc1f51296 upstream.
When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.
Fix the problem by moving posix_acl_update_mode() out of
__btrfs_set_acl() into btrfs_set_acl(). That way the function will not be
called when inheriting ACLs which is what we want as it prevents SGID
bit clearing and the mode has been properly set by posix_acl_create()
anyway.
Fixes: 073931017b49d9458aa351605b43a7e34598caef
CC: linux-btrfs@vger.kernel.org
CC: David Sterba <dsterba@suse.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/acl.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -82,12 +82,6 @@ static int __btrfs_set_acl(struct btrfs_
switch (type) {
case ACL_TYPE_ACCESS:
name = POSIX_ACL_XATTR_ACCESS;
- if (acl) {
- ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
- if (ret)
- return ret;
- }
- ret = 0;
break;
case ACL_TYPE_DEFAULT:
if (!S_ISDIR(inode->i_mode))
@@ -123,6 +117,13 @@ out:
int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
{
+ int ret;
+
+ if (type == ACL_TYPE_ACCESS && acl) {
+ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (ret)
+ return ret;
+ }
return __btrfs_set_acl(NULL, inode, acl, type);
}
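Review bot: In btrfs_set_acl() the call still passes `&inode->i_mode` to posix_acl_update_mode(), so the mode is changed before __btrfs_set_acl() runs and stays changed if that call fails. Patch 123/192 in this series fixes exactly that ordering for reiserfs by updating a local umode_t and storing it only on success; the same pattern would fit here.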
* [PATCH 3.16 057/192] MIPS: Fix mips_atomic_set() retry condition
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (99 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 075/192] btrfs: Don't clear SGID when inheriting ACLs Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 010/192] f2fs: try to freeze in gc and discard threads Ben Hutchings
` (91 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, James Hogan, Ralf Baechle, linux-mips
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 2ec420b26f7b6ff332393f0bb5a7d245f7ad87f0 upstream.
The inline asm retry check in the MIPS_ATOMIC_SET operation of the
sysmips system call has been backwards since commit f1e39a4a616c ("MIPS:
Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
merged in v2.6.32, resulting in the non R10000_LLSC_WAR case retrying
until the operation was inatomic, before returning the new value that
was probably just written multiple times instead of the old value.
Invert the branch condition to fix that particular issue.
Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16148/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/syscall.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/kernel/syscall.c
+++ b/arch/mips/kernel/syscall.c
@@ -140,7 +140,7 @@ static inline int mips_atomic_set(unsign
"1: ll %[old], (%[addr]) \n"
" move %[tmp], %[new] \n"
"2: sc %[tmp], (%[addr]) \n"
- " bnez %[tmp], 4f \n"
+ " beqz %[tmp], 4f \n"
"3: \n"
" .subsection 2 \n"
"4: b 1b \n"
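Review bot: The one-mnemonic change from bnez to beqz after the `sc` in mips_atomic_set() is easy to invert again, and the changelog says the test has been backwards since v2.6.32. A comment on that line stating that `sc` leaves zero in %[tmp] when the store failed, so the branch to label 4 is the retry path, would document the intent. The changelog mentions only the non R10000_LLSC_WAR case, so it should also say whether the other variant was checked.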
* [PATCH 3.16 010/192] f2fs: try to freeze in gc and discard threads
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (100 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 057/192] MIPS: Fix mips_atomic_set() retry condition Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 083/192] ipv6: dad: don't remove dynamic addresses if link is down Ben Hutchings
` (90 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jaegeuk Kim
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit 1d7be2708277edfef95171d52fb65ee26eaa076b upstream.
This allows freezing the gc and discard threads.
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[bwh: Backported to 3.16: drop changes to discard thread]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -35,13 +35,14 @@ static int gc_thread_func(void *data)
wait_ms = gc_th->min_sleep_time;
+ set_freezable();
do {
+ wait_event_interruptible_timeout(*wq,
+ kthread_should_stop() || freezing(current),
+ msecs_to_jiffies(wait_ms));
+
if (try_to_freeze())
continue;
- else
- wait_event_interruptible_timeout(*wq,
- kthread_should_stop(),
- msecs_to_jiffies(wait_ms));
if (kthread_should_stop())
break;
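Review bot: In gc_thread_func() the return value of wait_event_interruptible_timeout() is discarded and the wait now runs at the top of every iteration, so after try_to_freeze() returns true the `continue` leads to another full wait_ms sleep before any GC work. If that delay after thaw is intended, a one-line comment above the wait would make it clear. Note too that `continue` in a do/while jumps to the loop condition, which is outside this hunk.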
* [PATCH 3.16 083/192] ipv6: dad: don't remove dynamic addresses if link is down
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (101 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 010/192] f2fs: try to freeze in gc and discard threads Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 024/192] xen: avoid type warning in xchg_xen_ulong Ben Hutchings
` (89 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Sabrina Dubroca
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
commit ec8add2a4c9df723c94a863b8fcd6d93c472deed upstream.
Currently, when the link for $DEV is down, this command succeeds but the
address is removed immediately by DAD (1):
ip addr add 1111::12/64 dev $DEV valid_lft 3600 preferred_lft 1800
In the same situation, this will succeed and not remove the address (2):
ip addr add 1111::12/64 dev $DEV
ip addr change 1111::12/64 dev $DEV valid_lft 3600 preferred_lft 1800
The comment in addrconf_dad_begin() when !IF_READY makes it look like
this is the intended behavior, but doesn't explain why:
* If the device is not ready:
* - keep it tentative if it is a permanent address.
* - otherwise, kill it.
We clearly cannot prevent userspace from doing (2), but we can make (1)
work consistently with (2).
addrconf_dad_stop() is only called in two cases: if DAD failed, or to
skip DAD when the link is down. In that second case, the fix is to avoid
deleting the address, like we already do for permanent addresses.
Fixes: 3c21edbd1137 ("[IPV6]: Defer IPv6 device initialization until the link becomes ready.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv6/addrconf.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1613,15 +1613,7 @@ static void addrconf_dad_stop(struct ine
if (dad_failed)
ifp->flags |= IFA_F_DADFAILED;
- if (ifp->flags&IFA_F_PERMANENT) {
- spin_lock_bh(&ifp->lock);
- addrconf_del_dad_work(ifp);
- ifp->flags |= IFA_F_TENTATIVE;
- spin_unlock_bh(&ifp->lock);
- if (dad_failed)
- ipv6_ifa_notify(0, ifp);
- in6_ifa_put(ifp);
- } else if (ifp->flags&IFA_F_TEMPORARY) {
+ if (ifp->flags&IFA_F_TEMPORARY) {
struct inet6_ifaddr *ifpub;
spin_lock_bh(&ifp->lock);
ifpub = ifp->ifpub;
@@ -1634,6 +1626,14 @@ static void addrconf_dad_stop(struct ine
spin_unlock_bh(&ifp->lock);
}
ipv6_del_addr(ifp);
+ } else if (ifp->flags&IFA_F_PERMANENT || !dad_failed) {
+ spin_lock_bh(&ifp->lock);
+ addrconf_del_dad_work(ifp);
+ ifp->flags |= IFA_F_TENTATIVE;
+ spin_unlock_bh(&ifp->lock);
+ if (dad_failed)
+ ipv6_ifa_notify(0, ifp);
+ in6_ifa_put(ifp);
} else {
ipv6_del_addr(ifp);
}
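Review bot: Because the IFA_F_TEMPORARY branch in addrconf_dad_stop() is now tested first, a temporary address still reaches ipv6_del_addr() when DAD is skipped with the link down (dad_failed == 0); only non-temporary dynamic addresses get the new keep-tentative behaviour. If that is deliberate, the comment the changelog quotes from addrconf_dad_begin() should be updated to match. The condition `ifp->flags&IFA_F_PERMANENT || !dad_failed` is correct by precedence but would read more safely with parentheses around the flag test.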
* [PATCH 3.16 024/192] xen: avoid type warning in xchg_xen_ulong
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (102 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 083/192] ipv6: dad: don't remove dynamic addresses if link is down Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 042/192] Btrfs: skip commit transaction if we don't have enough pinned bytes Ben Hutchings
` (88 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Stefano Stabellini, Arnd Bergmann, Ian Abbott
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 9cc91f212111cdcbefa02dcdb7dd443f224bf52c upstream.
The improved type-checking version of container_of() triggers a warning for
xchg_xen_ulong, pointing out that 'xen_ulong_t' is unsigned, but atomic64_t
contains a signed value:
drivers/xen/events/events_2l.c: In function 'evtchn_2l_handle_events':
drivers/xen/events/events_2l.c:187:1020: error: call to '__compiletime_assert_187' declared with attribute error: pointer type mismatch in container_of()
This adds a cast to work around the warning.
Cc: Ian Abbott <abbotti@mev.co.uk>
Fixes: 85323a991d40 ("xen: arm: mandate EABI and use generic atomic operations.")
Fixes: daa2ac80834d ("kernel.h: handle pointers to arrays better in container_of()")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/include/asm/xen/events.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/include/asm/xen/events.h
+++ b/arch/arm/include/asm/xen/events.h
@@ -16,7 +16,7 @@ static inline int xen_irqs_disabled(stru
return raw_irqs_disabled_flags(regs->ARM_cpsr);
}
-#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((ptr), \
+#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((long long*)(ptr),\
atomic64_t, \
counter), (val))
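Review bot: The `(long long*)(ptr)` cast in xchg_xen_ulong() silences the container_of() type check for every argument, not just for xen_ulong_t, so a pointer to a narrower type would now compile without complaint. A comment above the macro explaining that the cast exists only because xen_ulong_t is unsigned while the atomic64_t counter is signed would help, and kernel style writes the cast as `(long long *)`.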
* [PATCH 3.16 042/192] Btrfs: skip commit transaction if we don't have enough pinned bytes
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (103 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 024/192] xen: avoid type warning in xchg_xen_ulong Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 095/192] tpm: fix a kernel memory leak in tpm-sysfs.c Ben Hutchings
` (87 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Sterba, Nikolay Borisov, Liu Bo
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liu Bo <bo.li.liu@oracle.com>
commit 28785f70ef882e4798cd5706066a55dbf7adf80e upstream.
We commit transaction in order to reclaim space from pinned bytes because
it could process delayed refs, and in may_commit_transaction(), we check
first if pinned bytes are enough for the required space, we then check if
that plus bytes reserved for delayed insert are enough for the required
space.
This changes the code to the above logic.
Fixes: b150a4f10d87 ("Btrfs: use a percpu to keep track of possibly pinned bytes")
Tested-by: Nikolay Borisov <nborisov@suse.com>
Reported-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/extent-tree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -4230,7 +4230,7 @@ static int may_commit_transaction(struct
spin_lock(&delayed_rsv->lock);
if (percpu_counter_compare(&space_info->total_bytes_pinned,
- bytes - delayed_rsv->size) >= 0) {
+ bytes - delayed_rsv->size) < 0) {
spin_unlock(&delayed_rsv->lock);
return -ENOSPC;
}
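Review bot: The comparison in may_commit_transaction() still uses `bytes - delayed_rsv->size` as its right-hand side; if both operands are unsigned and delayed_rsv->size exceeds bytes, the subtraction wraps before it is passed to percpu_counter_compare(). The types are not visible in this hunk, so please confirm the result is interpreted as a signed value there. The changelog describes a two-step check (pinned bytes alone, then pinned bytes plus the delayed reservation), and a comment above this second test would make the `< 0` direction obvious.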
* [PATCH 3.16 095/192] tpm: fix a kernel memory leak in tpm-sysfs.c
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (104 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 042/192] Btrfs: skip commit transaction if we don't have enough pinned bytes Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 014/192] tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth Ben Hutchings
` (86 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jarkko Sakkinen, Stefan Berger, Jason Gunthorpe, James Morris
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
commit 13b47cfcfc60495cde216eef4c01040d76174cbe upstream.
While cleaning up sysfs callback that prints EK we discovered a kernel
memory leak. This commit fixes the issue by zeroing the buffer used for
TPM command/response.
The leak happens when we use either tpm_vtpm_proxy, tpm_ibmvtpm or
xen-tpmfront.
Fixes: 0883743825e3 ("TPM: sysfs functions consolidation")
Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/char/tpm/tpm-sysfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/char/tpm/tpm-sysfs.c
+++ b/drivers/char/tpm/tpm-sysfs.c
@@ -54,9 +54,10 @@ static ssize_t pubek_show(struct device
ssize_t err;
int i, rc;
char *str = buf;
-
struct tpm_chip *chip = dev_get_drvdata(dev);
+ memset(&tpm_cmd, 0, sizeof(tpm_cmd));
+
tpm_cmd.header.in = tpm_readpubek_header;
err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
"attempting to read the PUBEK");
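Review bot: The memset() in pubek_show() hides stale stack contents, but the visible lines do not compare the length actually returned through transmit_cmd() with the READ_PUBEK_RESULT_SIZE bytes that are later formatted into buf. Checking that length would address the cause for the back ends the changelog lists, with the memset kept as defence in depth. On style, the blank line should sit between the last declaration and the memset(), not after it.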
* [PATCH 3.16 014/192] tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (105 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 095/192] tpm: fix a kernel memory leak in tpm-sysfs.c Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 070/192] MIPS: Actually decode JALX in `__compute_return_epc_for_insn' Ben Hutchings
` (85 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Peter Zijlstra, a.p.zijlstra, Sasha Levin, Thomas Gleixner,
Ingo Molnar, Linus Torvalds
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
commit 98dcea0cfd04e083ac74137ceb9a632604740e2d upstream.
liblockdep has been broken since commit 75dd602a5198 ("lockdep: Fix
lock_chain::base size"), as that adds a check that MAX_LOCK_DEPTH is
within the range of lock_chain::depth and in liblockdep it is much
too large.
That should have resulted in a compiler error, but didn't because:
- the check uses ARRAY_SIZE(), which isn't yet defined in liblockdep
so is assumed to be an (undeclared) function
- putting a function call inside a BUILD_BUG_ON() expression quietly
turns it into some nonsense involving a variable-length array
It did produce a compiler warning, but I didn't notice because
liblockdep already produces too many warnings if -Wall is enabled
(which I'll fix shortly).
Even before that commit, which reduced lock_chain::depth from 8 bits
to 6, MAX_LOCK_DEPTH was too large.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: a.p.zijlstra@chello.nl
Link: http://lkml.kernel.org/r/20170525130005.5947-3-alexander.levin@verizon.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
tools/lib/lockdep/uinclude/linux/lockdep.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/lib/lockdep/uinclude/linux/lockdep.h
+++ b/tools/lib/lockdep/uinclude/linux/lockdep.h
@@ -8,7 +8,7 @@
#include <linux/utsname.h>
-#define MAX_LOCK_DEPTH 2000UL
+#define MAX_LOCK_DEPTH 255UL
#define asmlinkage
#define __visible
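Review bot: 255UL is the largest value of an 8-bit field, while the changelog says the referenced commit narrowed lock_chain::depth to 6 bits, for which 255 would still be too large. If 3.16 does not carry that narrowing, the value is right for this branch, but there is no "[bwh: Backported to 3.16: ...]" line saying so. Adding one, plus a comment next to the define tying it to the width of lock_chain::depth, would make the choice checkable.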
* [PATCH 3.16 070/192] MIPS: Actually decode JALX in `__compute_return_epc_for_insn'
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (106 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 014/192] tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 124/192] jfs: Don't clear SGID when inheriting ACLs Ben Hutchings
` (84 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, James Hogan, Ralf Baechle, linux-mips, Maciej W. Rozycki
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Maciej W. Rozycki" <macro@imgtec.com>
commit a9db101b735a9d49295326ae41f610f6da62b08c upstream.
Complement commit fb6883e5809c ("MIPS: microMIPS: Support handling of
delay slots.") and actually decode the regular MIPS JALX major
instruction opcode, the handling of which has been added with the said
commit for EPC calculation in `__compute_return_epc_for_insn'.
Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.")
Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16394/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/branch.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/mips/kernel/branch.c
+++ b/arch/mips/kernel/branch.c
@@ -493,6 +493,7 @@ int __compute_return_epc_for_insn(struct
/*
* These are unconditional and in j_format.
*/
+ case jalx_op:
case jal_op:
regs->regs[31] = regs->cp0_epc + 8;
case j_op:
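Review bot: The added `case jalx_op:` in __compute_return_epc_for_insn() falls through jal_op into j_op, and neither fall-through is marked. A /* fall through */ comment after the `regs->regs[31]` assignment would show that the shared j_format handling is intended for all three opcodes. The lines that implement the JALX-specific part the changelog refers to are outside this hunk, so this review cannot confirm that they are reached.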
* [PATCH 3.16 124/192] jfs: Don't clear SGID when inheriting ACLs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (107 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 070/192] MIPS: Actually decode JALX in `__compute_return_epc_for_insn' Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 030/192] usb: usbip: set buffer pointers to NULL after free Ben Hutchings
` (83 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dave Kleikamp, jfs-discussion, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 9bcf66c72d726322441ec82962994e69157613e4 upstream.
When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
set, DIR1 is expected to have SGID bit set (and owning group equal to
the owning group of 'DIR0'). However when 'DIR0' also has some default
ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
'DIR1' to get cleared if user is not member of the owning group.
Fix the problem by moving posix_acl_update_mode() out of
__jfs_set_acl() into jfs_set_acl(). That way the function will not be
called when inheriting ACLs which is what we want as it prevents SGID
bit clearing and the mode has been properly set by posix_acl_create()
anyway.
Fixes: 073931017b49d9458aa351605b43a7e34598caef
CC: jfs-discussion@lists.sourceforge.net
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
[bwh: Backported to 3.16:
- Keep using CURRENT_TIME
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/jfs/acl.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
--- a/fs/jfs/acl.c
+++ b/fs/jfs/acl.c
@@ -83,13 +83,6 @@ static int __jfs_set_acl(tid_t tid, stru
switch (type) {
case ACL_TYPE_ACCESS:
ea_name = POSIX_ACL_XATTR_ACCESS;
- if (acl) {
- rc = posix_acl_update_mode(inode, &inode->i_mode, &acl);
- if (rc)
- return rc;
- inode->i_ctime = CURRENT_TIME;
- mark_inode_dirty(inode);
- }
break;
case ACL_TYPE_DEFAULT:
ea_name = POSIX_ACL_XATTR_DEFAULT;
@@ -124,9 +117,17 @@ int jfs_set_acl(struct inode *inode, str
tid = txBegin(inode->i_sb, 0);
mutex_lock(&JFS_IP(inode)->commit_mutex);
+ if (type == ACL_TYPE_ACCESS && acl) {
+ rc = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (rc)
+ goto end_tx;
+ inode->i_ctime = CURRENT_TIME;
+ mark_inode_dirty(inode);
+ }
rc = __jfs_set_acl(tid, inode, type, acl);
if (!rc)
rc = txCommit(tid, 1, &inode, 0);
+end_tx:
txEnd(tid);
mutex_unlock(&JFS_IP(inode)->commit_mutex);
return rc;
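Review bot: In jfs_set_acl() the mode, i_ctime and the dirty flag are all updated before __jfs_set_acl() is called, so when that call fails the function returns an error with the inode already modified and txCommit() skipped. Updating a local umode_t and applying it together with the ctime change only when `rc` is zero, as patch 123/192 in this series does for reiserfs, would avoid the half-applied state.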
* [PATCH 3.16 030/192] usb: usbip: set buffer pointers to NULL after free
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (108 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 124/192] jfs: Don't clear SGID when inheriting ACLs Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 080/192] parisc: use compat_sys_keyctl() Ben Hutchings
` (82 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Shuah Khan, Michael Grzeschik, Greg Kroah-Hartman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michael Grzeschik <m.grzeschik@pengutronix.de>
commit b3b51417d0af63fb9a06662dc292200aed9ea53f upstream.
The usbip stack dynamically allocates the transfer_buffer and
setup_packet of each urb that got generated by the tcp to usb stub code.
As these pointers are always used only once we will set them to NULL
after use. This is done likewise to the free_urb code in vudc_dev.c.
This patch fixes double kfree situations where the usbip remote side
added the URB_FREE_BUFFER.
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/usbip/stub_main.c | 4 ++++
drivers/staging/usbip/stub_tx.c | 4 ++++
2 files changed, 8 insertions(+)
--- a/drivers/staging/usbip/stub_main.c
+++ b/drivers/staging/usbip/stub_main.c
@@ -266,7 +266,11 @@ void stub_device_cleanup_urbs(struct stu
kmem_cache_free(stub_priv_cache, priv);
kfree(urb->transfer_buffer);
+ urb->transfer_buffer = NULL;
+
kfree(urb->setup_packet);
+ urb->setup_packet = NULL;
+
usb_free_urb(urb);
}
}
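Review bot: the two NULL assignments in stub_device_cleanup_urbs() sit immediately before usb_free_urb(urb), which makes them look redundant to anyone who has not read the changelog. A one-line comment saying that the URB may carry URB_FREE_BUFFER from the remote side, so the pointers must be cleared to avoid a second kfree when the URB is released, would keep a later cleanup from removing them.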
--- a/drivers/staging/usbip/stub_tx.c
+++ b/drivers/staging/usbip/stub_tx.c
@@ -28,7 +28,11 @@ static void stub_free_priv_and_urb(struc
struct urb *urb = priv->urb;
kfree(urb->setup_packet);
+ urb->setup_packet = NULL;
+
kfree(urb->transfer_buffer);
+ urb->transfer_buffer = NULL;
+
list_del(&priv->list);
kmem_cache_free(stub_priv_cache, priv);
usb_free_urb(urb);
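Review bot: stub_free_priv_and_urb() now repeats the free-and-clear sequence from stub_device_cleanup_urbs() in stub_main.c, with the two buffers handled in the opposite order. A small shared helper called from both paths would keep them from drifting apart. Since the changelog says the flag is added by the remote side, it is also worth asking whether URB_FREE_BUFFER should be accepted from the peer at all.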
* [PATCH 3.16 080/192] parisc: use compat_sys_keyctl()
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (109 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 030/192] usb: usbip: set buffer pointers to NULL after free Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 092/192] crypto: sha1-ssse3 - Disable avx2 Ben Hutchings
` (81 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric Biggers, Helge Deller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit b0f94efd5aa8daa8a07d7601714c2573266cd4c9 upstream.
Architectures with a compat syscall table must put compat_sys_keyctl()
in it, not sys_keyctl(). The parisc architecture was not doing this;
fix it.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/parisc/kernel/syscall_table.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/kernel/syscall_table.S
+++ b/arch/parisc/kernel/syscall_table.S
@@ -361,7 +361,7 @@
ENTRY_SAME(ni_syscall) /* 263: reserved for vserver */
ENTRY_SAME(add_key)
ENTRY_SAME(request_key) /* 265 */
- ENTRY_SAME(keyctl)
+ ENTRY_COMP(keyctl)
ENTRY_SAME(ioprio_set)
ENTRY_SAME(ioprio_get)
ENTRY_SAME(inotify_init)
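Review bot: only the keyctl slot (266, directly after request_key at 265) changes to ENTRY_COMP, while add_key and request_key above it stay ENTRY_SAME. The changelog states the rule but not why those two neighbours are exempt, nor what a 32-bit caller observed when it reached sys_keyctl(). One sentence on each would help stable reviewers judge the impact.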
* [PATCH 3.16 092/192] crypto: sha1-ssse3 - Disable avx2
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (110 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 080/192] parisc: use compat_sys_keyctl() Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 074/192] arm64: ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails Ben Hutchings
` (80 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Stancek, Herbert Xu
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit b82ce24426a4071da9529d726057e4e642948667 upstream.
It has been reported that sha1-avx2 can cause page faults by reading
beyond the end of the input. This patch disables it until it can be
fixed.
Fixes: 7c1da8d0d046 ("crypto: sha - SHA1 transform x86_64 AVX2")
Reported-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/crypto/sha1_ssse3_glue.c
+++ b/arch/x86/crypto/sha1_ssse3_glue.c
@@ -224,7 +224,8 @@ static bool __init avx_usable(void)
#ifdef CONFIG_AS_AVX2
static bool __init avx2_usable(void)
{
- if (avx_usable() && cpu_has_avx2 && boot_cpu_has(X86_FEATURE_BMI1) &&
+ if (false && avx_usable() && cpu_has_avx2 &&
+ boot_cpu_has(X86_FEATURE_BMI1) &&
boot_cpu_has(X86_FEATURE_BMI2))
return true;
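Review bot: the `false &&` at the head of the avx2_usable() condition disables the path with no in-code trace of why. Add a comment above it that points at the reported read beyond the end of the input, so the short-circuit is not mistaken for debugging residue and is easy to find once the AVX2 transform is fixed. With the constant in place the remaining feature tests are dead code, so returning false outright under that comment would read more clearly.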
* [PATCH 3.16 074/192] arm64: ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (111 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 092/192] crypto: sha1-ssse3 - Disable avx2 Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 027/192] iio: accel: st_accel_spi: fix spi_device_id table Ben Hutchings
` (79 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dave Martin, Will Deacon
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dave Martin <Dave.Martin@arm.com>
commit 53b1a742ed251780267a57415bc955bd50f40c3d upstream.
If get_user() fails when reading the new FPSCR value from userspace
in compat_vfp_get(), then garbage* will be written to the task's
FPSR and FPCR registers.
This patch prevents this by checking the return from get_user()
first.
[*] Actually, zero, due to the behaviour of get_user() on error, but
that's still not what userspace expects.
Fixes: 478fcb2cdb23 ("arm64: Debugging support")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm64/kernel/ptrace.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -787,8 +787,10 @@ static int compat_vfp_set(struct task_st
if (count && !ret) {
ret = get_user(fpscr, (compat_ulong_t *)ubuf);
- uregs->fpsr = fpscr & VFP_FPSCR_STAT_MASK;
- uregs->fpcr = fpscr & VFP_FPSCR_CTRL_MASK;
+ if (!ret) {
+ uregs->fpsr = fpscr & VFP_FPSCR_STAT_MASK;
+ uregs->fpcr = fpscr & VFP_FPSCR_CTRL_MASK;
+ }
}
fpsimd_flush_task_state(target);
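Review bot: the hunk header places this change in compat_vfp_set(), while the changelog names compat_vfp_get(); the message should name the function that is actually patched. The `if (!ret)` guard itself is correct. Note that fpsimd_flush_task_state(target) still runs after a failed get_user(), so confirm that is intended when the FPSR/FPCR fields were left untouched.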
* [PATCH 3.16 027/192] iio: accel: st_accel_spi: fix spi_device_id table
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (112 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 074/192] arm64: ptrace: Avoid setting compat FP[SC]R to garbage if get_user fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 009/192] f2fs: load inode's flag from disk Ben Hutchings
` (78 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Lorenzo Bianconi, Lorenzo Bianconi, Jonathan Cameron
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
commit 93b1b02fae8abff3efe570243e0f11f61e16e973 upstream.
Remove LSM303DL, LSM303DLM, LSM303DLH, LSM303DLHC from st_accel_id_table
since LSM303DL series does not support spi interface
Fixes: d62511689de5 (iio: accel: Add STMicroelectronics accel driver)
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@st.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iio/accel/st_accel_spi.c | 4 ----
1 file changed, 4 deletions(-)
--- a/drivers/iio/accel/st_accel_spi.c
+++ b/drivers/iio/accel/st_accel_spi.c
@@ -48,15 +48,11 @@ static int st_accel_spi_remove(struct sp
}
static const struct spi_device_id st_accel_id_table[] = {
- { LSM303DLH_ACCEL_DEV_NAME },
- { LSM303DLHC_ACCEL_DEV_NAME },
{ LIS3DH_ACCEL_DEV_NAME },
{ LSM330D_ACCEL_DEV_NAME },
{ LSM330DL_ACCEL_DEV_NAME },
{ LSM330DLC_ACCEL_DEV_NAME },
{ LIS331DLH_ACCEL_DEV_NAME },
- { LSM303DL_ACCEL_DEV_NAME },
- { LSM303DLM_ACCEL_DEV_NAME },
{ LSM330_ACCEL_DEV_NAME },
{},
};
* [PATCH 3.16 009/192] f2fs: load inode's flag from disk
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (113 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 027/192] iio: accel: st_accel_spi: fix spi_device_id table Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 105/192] iscsi-target: Add login_keys_workaround attribute for non RFC initiators Ben Hutchings
` (77 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jaegeuk Kim, Tom Yan
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit 93607124c5450148e592c3d18ac533b4e5f25b8b upstream.
This patch fixes missing inode flag loaded from disk, reported by Tom.
[tom@localhost ~]$ sudo mount /dev/loop0 /mnt/
[tom@localhost ~]$ sudo chown tom:tom /mnt/
[tom@localhost ~]$ touch /mnt/testfile
[tom@localhost ~]$ sudo chattr +i /mnt/testfile
[tom@localhost ~]$ echo test > /mnt/testfile
bash: /mnt/testfile: Operation not permitted
[tom@localhost ~]$ rm /mnt/testfile
rm: cannot remove '/mnt/testfile': Operation not permitted
[tom@localhost ~]$ sudo umount /mnt/
[tom@localhost ~]$ sudo mount /dev/loop0 /mnt/
[tom@localhost ~]$ lsattr /mnt/testfile
----i-------------- /mnt/testfile
[tom@localhost ~]$ echo test > /mnt/testfile
[tom@localhost ~]$ rm /mnt/testfile
[tom@localhost ~]$ sudo umount /mnt/
Reported-by: Tom Yan <tom.ty89@outlook.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[bwh: Backported to 3.16: mark_inode_dirty() is in the right place, so only
f2fs_iget() needs to be changed]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -168,6 +168,7 @@ make_now:
ret = -EIO;
goto bad_inode;
}
+ f2fs_set_inode_flags(inode);
unlock_new_inode(inode);
trace_f2fs_iget(inode);
return inode;
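Review bot: f2fs_set_inode_flags(inode) is added just before unlock_new_inode() with nothing in the code saying why it is needed there. A short comment that the on-disk flags (the immutable bit in the reported case) must be applied to the VFS inode at iget time would document the invariant. The chattr +i, umount, mount sequence from the changelog is a ready-made regression test and should be captured as one.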
* [PATCH 3.16 105/192] iscsi-target: Add login_keys_workaround attribute for non RFC initiators
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (114 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 009/192] f2fs: load inode's flag from disk Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 018/192] kvm: vmx: Do not disable intercepts for BNDCFGS Ben Hutchings
` (76 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Arun Easi, Nicholas Bellinger, Robert LeBlanc
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Bellinger <nab@linux-iscsi.org>
commit 138d351eefb727ab9e41a3dc5f112ceb4f6e59f2 upstream.
This patch re-introduces part of a long standing login workaround that
was recently dropped by:
commit 1c99de981f30b3e7868b8d20ce5479fa1c0fea46
Author: Nicholas Bellinger <nab@linux-iscsi.org>
Date: Sun Apr 2 13:36:44 2017 -0700
iscsi-target: Drop work-around for legacy GlobalSAN initiator
Namely, the workaround for FirstBurstLength ended up being required by
Mellanox Flexboot PXE boot ROMs as reported by Robert.
So this patch re-adds the work-around for FirstBurstLength within
iscsi_check_proposer_for_optional_reply(), and makes the key optional
to respond when the initiator does not propose, nor respond to it.
Also as requested by Arun, this patch introduces a new TPG attribute
named 'login_keys_workaround' that controls the use of both the
FirstBurstLength workaround, as well as the two other existing
workarounds for gPXE iSCSI boot client.
By default, the workaround is enabled with login_keys_workaround=1,
since Mellanox FlexBoot requires it, and Arun has verified the Qlogic
MSFT initiator already proposes FirstBurstLength, so it's unaffected
by re-adding this part of the original work-around.
Reported-by: Robert LeBlanc <robert@leblancnet.us>
Cc: Robert LeBlanc <robert@leblancnet.us>
Reviewed-by: Arun Easi <arun.easi@cavium.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
[bwh: Backported to 3.16:
- Use DEF_TPG_ATTRIB() + TPG_ATTR() to define the attribute
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/target/iscsi/iscsi_target_configfs.c
+++ b/drivers/target/iscsi/iscsi_target_configfs.c
@@ -1057,6 +1057,8 @@ TPG_ATTR(default_erl, S_IRUGO | S_IWUSR)
*/
DEF_TPG_ATTRIB(t10_pi);
TPG_ATTR(t10_pi, S_IRUGO | S_IWUSR);
+DEF_TPG_ATTRIB(login_keys_workaround);
+TPG_ATTR(login_keys_workaround, S_IRUGO | S_IWUSR);
static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = {
&iscsi_tpg_attrib_authentication.attr,
@@ -1070,6 +1072,7 @@ static struct configfs_attribute *lio_ta
&iscsi_tpg_attrib_demo_mode_discovery.attr,
&iscsi_tpg_attrib_default_erl.attr,
&iscsi_tpg_attrib_t10_pi.attr,
+ &iscsi_tpg_attrib_login_keys_workaround.attr,
NULL,
};
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -887,7 +887,8 @@ static int iscsi_target_handle_csg_zero(
SENDER_TARGET,
login->rsp_buf,
&login->rsp_length,
- conn->param_list);
+ conn->param_list,
+ conn->tpg->tpg_attrib.login_keys_workaround);
if (ret < 0)
return -1;
@@ -957,7 +958,8 @@ static int iscsi_target_handle_csg_one(s
SENDER_TARGET,
login->rsp_buf,
&login->rsp_length,
- conn->param_list);
+ conn->param_list,
+ conn->tpg->tpg_attrib.login_keys_workaround);
if (ret < 0) {
iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
ISCSI_LOGIN_STATUS_INIT_ERR);
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
@@ -787,7 +787,8 @@ static int iscsi_check_for_auth_key(char
return 0;
}
-static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param)
+static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param,
+ bool keys_workaround)
{
if (IS_TYPE_BOOL_AND(param)) {
if (!strcmp(param->value, NO))
@@ -795,19 +796,31 @@ static void iscsi_check_proposer_for_opt
} else if (IS_TYPE_BOOL_OR(param)) {
if (!strcmp(param->value, YES))
SET_PSTATE_REPLY_OPTIONAL(param);
- /*
- * Required for gPXE iSCSI boot client
- */
- if (!strcmp(param->name, IMMEDIATEDATA))
- SET_PSTATE_REPLY_OPTIONAL(param);
+
+ if (keys_workaround) {
+ /*
+ * Required for gPXE iSCSI boot client
+ */
+ if (!strcmp(param->name, IMMEDIATEDATA))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+ }
} else if (IS_TYPE_NUMBER(param)) {
if (!strcmp(param->name, MAXRECVDATASEGMENTLENGTH))
SET_PSTATE_REPLY_OPTIONAL(param);
- /*
- * Required for gPXE iSCSI boot client
- */
- if (!strcmp(param->name, MAXCONNECTIONS))
- SET_PSTATE_REPLY_OPTIONAL(param);
+
+ if (keys_workaround) {
+ /*
+ * Required for Mellanox Flexboot PXE boot ROM
+ */
+ if (!strcmp(param->name, FIRSTBURSTLENGTH))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+
+ /*
+ * Required for gPXE iSCSI boot client
+ */
+ if (!strcmp(param->name, MAXCONNECTIONS))
+ SET_PSTATE_REPLY_OPTIONAL(param);
+ }
} else if (IS_PHASE_DECLARATIVE(param))
SET_PSTATE_REPLY_OPTIONAL(param);
}
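Review bot: in iscsi_check_proposer_for_optional_reply(), MAXRECVDATASEGMENTLENGTH stays reply-optional unconditionally while IMMEDIATEDATA, FIRSTBURSTLENGTH and MAXCONNECTIONS move under keys_workaround. A comment on the MAXRECVDATASEGMENTLENGTH test saying it is not part of the workaround would make the split obvious to the next reader and prevent it from being folded into the gated block by mistake.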
@@ -1657,7 +1670,8 @@ int iscsi_encode_text_output(
u8 sender,
char *textbuf,
u32 *length,
- struct iscsi_param_list *param_list)
+ struct iscsi_param_list *param_list,
+ bool keys_workaround)
{
char *output_buf = NULL;
struct iscsi_extra_response *er;
@@ -1693,7 +1707,8 @@ int iscsi_encode_text_output(
*length += 1;
output_buf = textbuf + *length;
SET_PSTATE_PROPOSER(param);
- iscsi_check_proposer_for_optional_reply(param);
+ iscsi_check_proposer_for_optional_reply(param,
+ keys_workaround);
pr_debug("Sending key: %s=%s\n",
param->name, param->value);
}
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -40,7 +40,7 @@ extern int iscsi_extract_key_value(char
extern int iscsi_update_param_value(struct iscsi_param *, char *);
extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsi_conn *);
extern int iscsi_encode_text_output(u8, u8, char *, u32 *,
- struct iscsi_param_list *);
+ struct iscsi_param_list *, bool);
extern int iscsi_check_negotiated_keys(struct iscsi_param_list *);
extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *,
struct iscsi_param_list *);
--- a/drivers/target/iscsi/iscsi_target_tpg.c
+++ b/drivers/target/iscsi/iscsi_target_tpg.c
@@ -228,6 +228,7 @@ static void iscsit_set_default_tpg_attri
a->demo_mode_discovery = TA_DEMO_MODE_DISCOVERY;
a->default_erl = TA_DEFAULT_ERL;
a->t10_pi = TA_DEFAULT_T10_PI;
+ a->login_keys_workaround = TA_DEFAULT_LOGIN_KEYS_WORKAROUND;
}
int iscsit_tpg_add_portal_group(struct iscsi_tiqn *tiqn, struct iscsi_portal_group *tpg)
@@ -878,3 +879,21 @@ int iscsit_ta_t10_pi(
return 0;
}
+
+int iscsit_ta_login_keys_workaround(
+ struct iscsi_portal_group *tpg,
+ u32 flag)
+{
+ struct iscsi_tpg_attrib *a = &tpg->tpg_attrib;
+
+ if ((flag != 0) && (flag != 1)) {
+ pr_err("Illegal value %d\n", flag);
+ return -EINVAL;
+ }
+
+ a->login_keys_workaround = flag;
+ pr_debug("iSCSI_TPG[%hu] - TPG enabled bit for login keys workaround: %s ",
+ tpg->tpgt, (a->login_keys_workaround) ? "ON" : "OFF");
+
+ return 0;
+}
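Review bot: in iscsit_ta_login_keys_workaround(), `flag` is a u32 but the pr_err() format uses %d; use %u. The pr_debug() string ends with a trailing space instead of "\n", so the message will run into the next log line. Both are easy to fix while the function is new.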
--- a/drivers/target/iscsi/iscsi_target_tpg.h
+++ b/drivers/target/iscsi/iscsi_target_tpg.h
@@ -39,5 +39,6 @@ extern int iscsit_ta_prod_mode_write_pro
extern int iscsit_ta_demo_mode_discovery(struct iscsi_portal_group *, u32);
extern int iscsit_ta_default_erl(struct iscsi_portal_group *, u32);
extern int iscsit_ta_t10_pi(struct iscsi_portal_group *, u32);
+extern int iscsit_ta_login_keys_workaround(struct iscsi_portal_group *, u32);
#endif /* ISCSI_TARGET_TPG_H */
--- a/drivers/target/iscsi/iscsi_target_core.h
+++ b/drivers/target/iscsi/iscsi_target_core.h
@@ -60,6 +60,14 @@
#define TA_CACHE_CORE_NPS 0
/* T10 protection information disabled by default */
#define TA_DEFAULT_T10_PI 0
+/*
+ * Used to control the sending of keys with optional to respond state bit,
+ * as a workaround for non RFC compliant initiators,that do not propose,
+ * nor respond to specific keys required for login to complete.
+ *
+ * See iscsi_check_proposer_for_optional_reply() for more details.
+ */
+#define TA_DEFAULT_LOGIN_KEYS_WORKAROUND 1
#define ISCSI_IOV_DATA_BUFFER 5
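Review bot: TA_DEFAULT_LOGIN_KEYS_WORKAROUND is 1, so the relaxed handling for initiators that neither propose nor respond to these keys is on for every TPG unless an administrator turns it off. The comment should name the keys affected (IMMEDIATEDATA, FIRSTBURSTLENGTH and MAXCONNECTIONS, per iscsi_check_proposer_for_optional_reply()) and say that writing 0 to login_keys_workaround restores strict behaviour. There is also a missing space in "initiators,that".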
@@ -774,6 +782,7 @@ struct iscsi_tpg_attrib {
u32 demo_mode_discovery;
u32 default_erl;
u8 t10_pi;
+ u32 login_keys_workaround;
struct iscsi_portal_group *tpg;
};
* [PATCH 3.16 018/192] kvm: vmx: Do not disable intercepts for BNDCFGS
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (115 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 105/192] iscsi-target: Add login_keys_workaround attribute for non RFC initiators Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 112/192] sysctl: fix lax sysctl_check_table() sanity check Ben Hutchings
` (75 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Radim Krčmář, Jim Mattson
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit a8b6fda38f80e75afa3b125c9e7f2550b579454b upstream.
The MSR permission bitmaps are shared by all VMs. However, some VMs
may not be configured to support MPX, even when the host does. If the
host supports VMX and the guest does not, we should intercept accesses
to the BNDCFGS MSR, so that we can synthesize a #GP
fault. Furthermore, if the host does not support MPX and the
"ignore_msrs" kvm kernel parameter is set, then we should intercept
accesses to the BNDCFGS MSR, so that we can skip over the rdmsr/wrmsr
without raising a #GP fault.
Fixes: da8999d31818fdc8 ("KVM: x86: Intel MPX vmx and msr handle")
Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/vmx.c | 1 -
1 file changed, 1 deletion(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9048,7 +9048,6 @@ static int __init vmx_init(void)
vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_CS, false);
vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_ESP, false);
vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_EIP, false);
- vmx_disable_intercept_for_msr(MSR_IA32_BNDCFGS, true);
memcpy(vmx_msr_bitmap_legacy_x2apic,
vmx_msr_bitmap_legacy, PAGE_SIZE);
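Review bot: dropping the vmx_disable_intercept_for_msr(MSR_IA32_BNDCFGS, true) line means every guest access to BNDCFGS now exits, including guests that are configured with MPX. The patch shows no change to the MSR read/write handlers, so the changelog should state that the existing handlers already check guest MPX support and raise or skip the #GP as described; the intercept alone does not give that behaviour. The changelog sentence "If the host supports VMX and the guest does not" also reads as if MPX was meant.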
* [PATCH 3.16 112/192] sysctl: fix lax sysctl_check_table() sanity check
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (116 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 018/192] kvm: vmx: Do not disable intercepts for BNDCFGS Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 096/192] target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce Ben Hutchings
` (74 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Al Viro, Linus Torvalds, Kees Cook, Alexey Dobriyan,
Eric W. Biederman, Luis R. Rodriguez
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Luis R. Rodriguez" <mcgrof@kernel.org>
commit 89c5b53b16bf577079d4f0311406dbea3c71202c upstream.
Patch series "sysctl: few fixes", v5.
I've been working on making kmod more deterministic, and as I did that I
couldn't help but notice a few issues with sysctl. My end goal was just
to fix unsigned int support, which back then was completely broken.
Liping Zhang has sent up small atomic fixes, however it still missed yet
one more fix and Alexey Dobriyan had also suggested to just drop array
support given its complexity.
I have inspected array support using Coccinelle and indeed it's not that
popular, so if in fact we can avoid it for new interfaces, I agree it's
best.
I did develop a sysctl stress driver but will hold that off for another
series.
This patch (of 5):
Commit 7c60c48f58a7 ("sysctl: Improve the sysctl sanity checks")
improved sanity checks considerably, however the enhancements on
sysctl_check_table() meant adding a functional change so that only the
last table entry's sanity error is propagated. It also changed the way
errors were propagated so that each new check reset the err value, this
means only last sanity check computed is used for an error. This has
been in the kernel since v3.4 days.
Fix this by carrying on errors from previous checks and iterations as we
traverse the table and ensuring we keep any error from previous checks.
We keep iterating on the table even if an error is found so we can
complain for all errors found in one shot. This works as -EINVAL is
always returned on error anyway, and the check for error is any non-zero
value.
Fixes: 7c60c48f58a7 ("sysctl: Improve the sysctl sanity checks")
Link: http://lkml.kernel.org/r/20170519033554.18592-2-mcgrof@kernel.org
Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/proc/proc_sysctl.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -1030,7 +1030,7 @@ static int sysctl_check_table(const char
int err = 0;
for (; table->procname; table++) {
if (table->child)
- err = sysctl_err(path, table, "Not a file");
+ err |= sysctl_err(path, table, "Not a file");
if ((table->proc_handler == proc_dostring) ||
(table->proc_handler == proc_dointvec) ||
@@ -1041,15 +1041,15 @@ static int sysctl_check_table(const char
(table->proc_handler == proc_doulongvec_minmax) ||
(table->proc_handler == proc_doulongvec_ms_jiffies_minmax)) {
if (!table->data)
- err = sysctl_err(path, table, "No data");
+ err |= sysctl_err(path, table, "No data");
if (!table->maxlen)
- err = sysctl_err(path, table, "No maxlen");
+ err |= sysctl_err(path, table, "No maxlen");
}
if (!table->proc_handler)
- err = sysctl_err(path, table, "No proc_handler");
+ err |= sysctl_err(path, table, "No proc_handler");
if ((table->mode & (S_IRUGO|S_IWUGO)) != table->mode)
- err = sysctl_err(path, table, "bogus .mode 0%o",
+ err |= sysctl_err(path, table, "bogus .mode 0%o",
table->mode);
}
return err;
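Review bot: every assignment changed in sysctl_check_table() sits inside a branch that is taken only when a check fails, so the old `err = sysctl_err(...)` never reset err to 0 and an earlier failure was not lost as long as sysctl_err() returns the same non-zero value each time, which the changelog says it does (-EINVAL). The `|=` form is harmless under that assumption but would mix bits if sysctl_err() ever returned different negative codes. Either state the assumption in a comment or write the accumulation as `if (sysctl_err(...)) err = -EINVAL;`.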
* [PATCH 3.16 096/192] target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (117 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 112/192] sysctl: fix lax sysctl_check_table() sanity check Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 125/192] jfs: preserve i_mode if __jfs_set_acl() fails Ben Hutchings
` (73 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Nicholas Bellinger, Jiang Yi
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jiang Yi <jiangyilism@gmail.com>
commit 1d6ef276594a781686058802996e09c8550fd767 upstream.
This patch addresses a COMPARE_AND_WRITE se_device->caw_sem leak,
that would be triggered during normal se_cmd shutdown or abort
via __transport_wait_for_tasks().
This would occur because target_complete_cmd() would catch this
early and do complete_all(&cmd->t_transport_stop_comp), but since
target_complete_ok_work() or target_complete_failure_work() are
never called to invoke se_cmd->transport_complete_callback(),
the COMPARE_AND_WRITE specific callbacks never release caw_sem.
To address this special case, go ahead and release caw_sem
directly from target_complete_cmd().
(Remove '&& success' from check, to release caw_sem regardless
of scsi_status - nab)
Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/target/target_core_transport.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -689,6 +689,15 @@ void target_complete_cmd(struct se_cmd *
if (cmd->transport_state & CMD_T_ABORTED ||
cmd->transport_state & CMD_T_STOP) {
spin_unlock_irqrestore(&cmd->t_state_lock, flags);
+ /*
+ * If COMPARE_AND_WRITE was stopped by __transport_wait_for_tasks(),
+ * release se_device->caw_sem obtained by sbc_compare_and_write()
+ * since target_complete_ok_work() or target_complete_failure_work()
+ * won't be called to invoke the normal CAW completion callbacks.
+ */
+ if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) {
+ up(&dev->caw_sem);
+ }
complete_all(&cmd->t_transport_stop_comp);
return;
} else if (!success) {
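Review bot: up(&dev->caw_sem) uses `dev`, which is not declared anywhere in the visible context of target_complete_cmd(); the backport should confirm that a `dev` local exists in the 3.16 version of this function. The new comment should also state that no other completion path can run for the same command once CMD_T_ABORTED or CMD_T_STOP is seen, because otherwise caw_sem would be released twice. Kernel style drops the braces around a single statement.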
* [PATCH 3.16 125/192] jfs: preserve i_mode if __jfs_set_acl() fails
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (118 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 096/192] target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 089/192] RDMA/uverbs: Check port number supplied by user verbs cmds Ben Hutchings
` (72 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Ernesto A. Fernández, Dave Kleikamp
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
commit f070e5ac9bc7de71c34402048ce5526dccbd347c upstream.
When changing a file's acl mask, __jfs_set_acl() will first set the group
bits of i_mode to the value of the mask, and only then set the actual
extended attribute representing the new acl.
If the second part fails (due to lack of space, for example) and the file
had no acl attribute to begin with, the system will from now on assume
that the mask permission bits are actual group permission bits, potentially
granting access to the wrong users.
Prevent this by only changing the inode mode after the acl has been set.
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
[bwh: Backported to 3.16: keep using CURRENT_TIME]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/jfs/acl.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/fs/jfs/acl.c
+++ b/fs/jfs/acl.c
@@ -114,19 +114,26 @@ int jfs_set_acl(struct inode *inode, str
{
int rc;
tid_t tid;
+ int update_mode = 0;
+ umode_t mode = inode->i_mode;
tid = txBegin(inode->i_sb, 0);
mutex_lock(&JFS_IP(inode)->commit_mutex);
if (type == ACL_TYPE_ACCESS && acl) {
- rc = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ rc = posix_acl_update_mode(inode, &mode, &acl);
if (rc)
goto end_tx;
- inode->i_ctime = CURRENT_TIME;
- mark_inode_dirty(inode);
+ update_mode = 1;
}
rc = __jfs_set_acl(tid, inode, type, acl);
- if (!rc)
+ if (!rc) {
+ if (update_mode) {
+ inode->i_mode = mode;
+ inode->i_ctime = CURRENT_TIME;
+ mark_inode_dirty(inode);
+ }
rc = txCommit(tid, 1, &inode, 0);
+ }
end_tx:
txEnd(tid);
mutex_unlock(&JFS_IP(inode)->commit_mutex);
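Review bot: inode->i_mode, i_ctime and mark_inode_dirty() are now applied after __jfs_set_acl() succeeds but before txCommit(), so a txCommit() failure still leaves the in-memory mode changed. If that is acceptable, say so in a comment; otherwise the error path needs to restore the saved mode. `update_mode` is a flag and would read better as a bool.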
* [PATCH 3.16 089/192] RDMA/uverbs: Check port number supplied by user verbs cmds
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (119 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 125/192] jfs: preserve i_mode if __jfs_set_acl() fails Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 061/192] ath9k: fix tx99 bus error Ben Hutchings
` (71 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Alex Polak, Doug Ledford, Leon Romanovsky, Boris Pismenny,
Tziporet Koren, Yevgeny Kliteynik, security
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Boris Pismenny <borisp@mellanox.com>
commit 5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream.
The ib_uverbs_create_ah() and ib_uverbs_modify_qp() calls receive
the port number from user input as part of its attributes and assumes
it is valid. Down on the stack, that parameter is used to access kernel
data structures. If the value is invalid, the kernel accesses memory
it should not. To prevent this, verify the port number before using it.
BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313
BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819
Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
Fixes: 189aba99e70 ("IB/uverbs: Extend modify_qp and support packet pacing")
Cc: <security@kernel.org>
Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
Cc: Tziporet Koren <tziporet@mellanox.com>
Cc: Alex Polak <alexpo@mellanox.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16:
- In modify_qp(), command structure is cmd not cmd->base
- In ib_uverbs_create_ah(), add definition of ib_dev
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/uverbs_cmd.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1915,6 +1915,11 @@ ssize_t ib_uverbs_modify_qp(struct ib_uv
goto out;
}
+ if (!rdma_is_port_valid(qp->device, cmd.port_num)) {
+ ret = -EINVAL;
+ goto release_qp;
+ }
+
attr->qp_state = cmd.qp_state;
attr->cur_qp_state = cmd.cur_qp_state;
attr->path_mtu = cmd.path_mtu;
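Review bot: the new `rdma_is_port_valid(qp->device, cmd.port_num)` test in `ib_uverbs_modify_qp()` runs on every call, ahead of the `attr->...` assignments, without looking at whether the caller asked for the port to be changed. If `cmd.attr_mask` does not include `IB_QP_PORT`, userspace may leave `port_num` at zero and would now get `-EINVAL` for a request that never uses the port. Consider gating the check on that mask bit so that only a port number that will actually be consumed is validated.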
@@ -2397,6 +2402,7 @@ ssize_t ib_uverbs_create_ah(struct ib_uv
const char __user *buf, int in_len,
int out_len)
{
+ struct ib_device *ib_dev = file->device->ib_dev;
struct ib_uverbs_create_ah cmd;
struct ib_uverbs_create_ah_resp resp;
struct ib_uobject *uobj;
@@ -2411,6 +2417,9 @@ ssize_t ib_uverbs_create_ah(struct ib_uv
if (copy_from_user(&cmd, buf, sizeof cmd))
return -EFAULT;
+ if (!rdma_is_port_valid(ib_dev, cmd.attr.port_num))
+ return -EINVAL;
+
uobj = kmalloc(sizeof *uobj, GFP_KERNEL);
if (!uobj)
return -ENOMEM;
* [PATCH 3.16 061/192] ath9k: fix tx99 bus error
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Kalle Valo, Miaoqing Pan
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqing Pan <miaoqing@codeaurora.org>
commit bde717ab473668377fc65872398a102d40cb2d58 upstream.
The hard coded registers 0x9864 and 0x9924 are invalid
for ar9300 chips.
Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/ath/ath9k/ar9003_phy.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
@@ -1688,8 +1688,6 @@ static void ar9003_hw_spectral_scan_wait
static void ar9003_hw_tx99_start(struct ath_hw *ah, u32 qnum)
{
REG_SET_BIT(ah, AR_PHY_TEST, PHY_AGC_CLR);
- REG_SET_BIT(ah, 0x9864, 0x7f000);
- REG_SET_BIT(ah, 0x9924, 0x7f00fe);
REG_CLR_BIT(ah, AR_DIAG_SW, AR_DIAG_RX_DIS);
REG_WRITE(ah, AR_CR, AR_CR_RXD);
REG_WRITE(ah, AR_DLCL_IFS(qnum), 0);
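Review bot: the two deleted `REG_SET_BIT()` calls in `ar9003_hw_tx99_start()` used bare addresses (`0x9864`, `0x9924`) and the hunk puts nothing in their place, so the change does not show whether tx99 on these chips still needs the settings those bits stood for at a different, valid register. A sentence in the commit message or a one-line comment in the function saying the settings are not needed on ar9300, rather than merely mis-addressed, would settle that.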
* [PATCH 3.16 054/192] scsi: sun_esp: fix device reference leaks
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Martin K. Petersen
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit f62f9ffdb5ef683ef8cffb43932fa72cc3713e94 upstream.
Make sure to drop the reference to the dma device taken by
of_find_device_by_node() on probe errors and on driver unbind.
Fixes: 334ae614772b ("sparc: Kill SBUS DVMA layer.")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/sun_esp.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/scsi/sun_esp.c
+++ b/drivers/scsi/sun_esp.c
@@ -566,6 +566,7 @@ static int esp_sbus_probe(struct platfor
struct device_node *dp = op->dev.of_node;
struct platform_device *dma_of = NULL;
int hme = 0;
+ int ret;
if (dp->parent &&
(!strcmp(dp->parent->name, "espdma") ||
@@ -580,7 +581,11 @@ static int esp_sbus_probe(struct platfor
if (!dma_of)
return -ENODEV;
- return esp_sbus_probe_one(op, dma_of, hme);
+ ret = esp_sbus_probe_one(op, dma_of, hme);
+ if (ret)
+ put_device(&dma_of->dev);
+
+ return ret;
}
static int esp_sbus_remove(struct platform_device *op)
@@ -613,6 +618,8 @@ static int esp_sbus_remove(struct platfo
dev_set_drvdata(&op->dev, NULL);
+ put_device(&dma_of->dev);
+
return 0;
}
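Review bot: the `put_device(&dma_of->dev)` added at the end of `esp_sbus_remove()` relies on `dma_of` still referring to the device whose reference was taken in probe, but the hunk shows neither where `dma_of` is assigned in this function nor any NULL check. Worth confirming that it is read from the driver data before the teardown and `dev_set_drvdata(&op->dev, NULL)` above it, and that it cannot be NULL on this path.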
* [PATCH 3.16 068/192] PM / Domains: Fix unsafe iteration over modified list of device links
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Krzysztof Kozlowski, Rafael J. Wysocki, Ulf Hansson
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzk@kernel.org>
commit c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 upstream.
pm_genpd_remove_subdomain() iterates over domain's master_links list and
removes matching element thus it has to use safe version of list
iteration.
Fixes: f721889ff65a ("PM / Domains: Support for generic I/O PM domains (v8)")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/base/power/domain.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -1704,7 +1704,7 @@ int pm_genpd_add_subdomain_names(const c
int pm_genpd_remove_subdomain(struct generic_pm_domain *genpd,
struct generic_pm_domain *subdomain)
{
- struct gpd_link *link;
+ struct gpd_link *l, *link;
int ret = -EINVAL;
if (IS_ERR_OR_NULL(genpd) || IS_ERR_OR_NULL(subdomain))
@@ -1713,7 +1713,7 @@ int pm_genpd_remove_subdomain(struct gen
start:
genpd_acquire_lock(genpd);
- list_for_each_entry(link, &genpd->master_links, master_node) {
+ list_for_each_entry_safe(link, l, &genpd->master_links, master_node) {
if (link->slave != subdomain)
continue;
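Review bot: in `list_for_each_entry_safe(link, l, &genpd->master_links, master_node)` the temporary cursor is a lone lowercase `l`, which is easy to misread as `1` and says nothing about its role. A name such as `tmp` or `next` in the `struct gpd_link *l, *link;` declaration would make the safe-iteration temporary obvious.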
* [PATCH 3.16 084/192] x86/xen: allow userspace access during hypercalls
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Marek Marczykowski-Górecki, Juergen Gross
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
commit c54590cac51db8ab5fd30156bdaba34af915e629 upstream.
A userspace application can do a hypercall through /dev/xen/privcmd, and
for some hypercalls the argument is a pointer to a user-provided
structure. When SMAP is supported and enabled, the hypervisor can't access it.
So, let's allow it.
The same applies to HYPERVISOR_dm_op, where additionally the privcmd driver
carefully verifies buffer addresses.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
[bwh: Backported to 3.16: drop change in HYPERVISOR_dm_op()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -43,6 +43,7 @@
#include <asm/page.h>
#include <asm/pgtable.h>
+#include <asm/smap.h>
#include <xen/interface/xen.h>
#include <xen/interface/sched.h>
@@ -213,10 +214,12 @@ privcmd_call(unsigned call,
__HYPERCALL_DECLS;
__HYPERCALL_5ARG(a1, a2, a3, a4, a5);
+ stac();
asm volatile("call *%[call]"
: __HYPERCALL_5PARAM
: [call] "a" (&hypercall_page[call])
: __HYPERCALL_CLOBBER5);
+ clac();
return (long)__res;
}
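Review bot: the `stac()` before `call *%[call]` and the `clac()` after it in `privcmd_call()` lift SMAP protection for the whole hypercall with no comment saying why, and an unexplained `stac()` is exactly what a later audit will flag. Add a short comment above `stac()` stating that the hypervisor accesses user-provided argument structures on behalf of privcmd and that this is the only reason AC is set here.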
* [PATCH 3.16 073/192] Add USB quirk for HVR-950q to avoid intermittent device resets
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Devin Heitmueller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Devin Heitmueller <dheitmueller@kernellabs.com>
commit 6836796de4019944f4ba4c99a360e8250fd2e735 upstream.
The USB core and sysfs will attempt to enumerate certain parameters
which are unsupported by the au0828 - causing inconsistent behavior
and sometimes causing the chip to reset. Avoid making these calls.
This problem manifested as intermittent cases where the au8522 would
be reset on analog video startup, in particular when starting up ALSA
audio streaming in parallel - the sysfs entries created by
snd-usb-audio on streaming startup would result in unsupported control
messages being sent during tuning which would put the chip into an
unknown state.
Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -220,6 +220,10 @@ static const struct usb_device_id usb_qu
/* Blackmagic Design UltraStudio SDI */
{ USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM },
+ /* Hauppauge HVR-950q */
+ { USB_DEVICE(0x2040, 0x7200), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
/* INTEL VALUE SSD */
{ USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
* [PATCH 3.16 051/192] scsi: virtio_scsi: let host do exception handling
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Hannes Reinecke, Martin K. Petersen, Douglas Miller,
linux-scsi, James E.J. Bottomley, Paolo Bonzini
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit e72c9a2a67a6400c8ef3d01d4c461dbbbfa0e1f0 upstream.
virtio_scsi tries to do exception handling after the default 30 seconds
timeout expires. However, it's better to let the host control the
timeout, otherwise with a heavy I/O load it is likely that an abort will
also timeout. This leads to fatal errors like filesystems going
offline.
Disable the 'sd' timeout and allow the host to do exception handling,
following the precedent of the storvsc driver.
Hannes has a proposal to introduce timeouts in virtio, but this provides
an immediate solution for stable kernels too.
[mkp: fixed typo]
Reported-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/virtio_scsi.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -686,6 +686,16 @@ static void virtscsi_target_destroy(stru
kfree(tgt);
}
+/*
+ * The host guarantees to respond to each command, although I/O
+ * latencies might be higher than on bare metal. Reset the timer
+ * unconditionally to give the host a chance to perform EH.
+ */
+static enum blk_eh_timer_return virtscsi_eh_timed_out(struct scsi_cmnd *scmnd)
+{
+ return BLK_EH_RESET_TIMER;
+}
+
static struct scsi_host_template virtscsi_host_template_single = {
.module = THIS_MODULE,
.name = "Virtio SCSI HBA",
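Review bot: `virtscsi_eh_timed_out()` returns `BLK_EH_RESET_TIMER` unconditionally, so a command the host never completes is re-armed indefinitely and the guest never escalates on its own; the comment states the host guarantee but not this consequence. Say explicitly in the comment that guest-side timeouts no longer lead to the abort and device-reset handlers, and that recovery from an unresponsive host is deliberately left to the host.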
@@ -695,6 +705,7 @@ static struct scsi_host_template virtscs
.queuecommand = virtscsi_queuecommand_single,
.eh_abort_handler = virtscsi_abort,
.eh_device_reset_handler = virtscsi_device_reset,
+ .eh_timed_out = virtscsi_eh_timed_out,
.can_queue = 1024,
.dma_boundary = UINT_MAX,
@@ -712,6 +723,7 @@ static struct scsi_host_template virtscs
.queuecommand = virtscsi_queuecommand_multi,
.eh_abort_handler = virtscsi_abort,
.eh_device_reset_handler = virtscsi_device_reset,
+ .eh_timed_out = virtscsi_eh_timed_out,
.can_queue = 1024,
.dma_boundary = UINT_MAX,
* [PATCH 3.16 020/192] kvm: vmx: Check value written to IA32_BNDCFGS
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Radim Krčmář, Jim Mattson
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit 4531662d1abf6c1f0e5c2b86ddb60e61509786c8 upstream.
Bits 11:2 must be zero and the linear address in bits 63:12 must be
canonical. Otherwise, WRMSR(BNDCFGS) should raise #GP.
Fixes: 0dd376e709975779 ("KVM: x86: add MSR_IA32_BNDCFGS to msrs_to_save")
Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/uapi/asm/msr-index.h | 2 ++
arch/x86/kvm/vmx.c | 3 +++
2 files changed, 5 insertions(+)
--- a/arch/x86/include/uapi/asm/msr-index.h
+++ b/arch/x86/include/uapi/asm/msr-index.h
@@ -298,6 +298,8 @@
#define MSR_IA32_TSC_ADJUST 0x0000003b
#define MSR_IA32_BNDCFGS 0x00000d90
+#define MSR_IA32_BNDCFGS_RSVD 0x00000ffc
+
#define FEATURE_CONTROL_LOCKED (1<<0)
#define FEATURE_CONTROL_VMXON_ENABLED_INSIDE_SMX (1<<1)
#define FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX (1<<2)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2589,6 +2589,9 @@ static int vmx_set_msr(struct kvm_vcpu *
case MSR_IA32_BNDCFGS:
if (!vmx_mpx_supported() || !guest_cpuid_has_mpx(vcpu))
return 1;
+ if (is_noncanonical_address(data & PAGE_MASK) ||
+ (data & MSR_IA32_BNDCFGS_RSVD))
+ return 1;
vmcs_write64(GUEST_BNDCFGS, data);
break;
case MSR_IA32_TSC:
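Review bot: `is_noncanonical_address(data & PAGE_MASK)` in the `MSR_IA32_BNDCFGS` case uses `PAGE_MASK` to pick out the address field in bits 63:12, which ties an MSR layout to the page size and hides the intent. A comment next to the check, or a named mask alongside `MSR_IA32_BNDCFGS_RSVD`, stating that bits 11:2 are reserved and bits 63:12 hold the linear address would make both conditions reviewable without the commit message.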
* [PATCH 3.16 063/192] libertas: Fix lbs_prb_rsp_limit_set()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Kalle Valo, James Cameron
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 69551f5f370cc20342fab17ca54716b6ec7e332d upstream.
The kstrtoul() test was reversed so this always returned -ENOTSUPP.
Fixes: 27d7f47756f4 ("net: wireless: replace strict_strtoul() with kstrtoul()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: James Cameron <quozl@laptop.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/wireless/libertas/mesh.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/libertas/mesh.c
+++ b/drivers/net/wireless/libertas/mesh.c
@@ -240,8 +240,9 @@ static ssize_t lbs_prb_rsp_limit_set(str
memset(&mesh_access, 0, sizeof(mesh_access));
mesh_access.data[0] = cpu_to_le32(CMD_ACT_SET);
- if (!kstrtoul(buf, 10, &retry_limit))
- return -ENOTSUPP;
+ ret = kstrtoul(buf, 10, &retry_limit);
+ if (ret)
+ return ret;
if (retry_limit > 15)
return -ENOTSUPP;
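Review bot: the fix assigns `ret = kstrtoul(buf, 10, &retry_limit)` but the hunk adds no declaration, so this backport only builds if `lbs_prb_rsp_limit_set()` in the 3.16 file already declares `ret` with a type that can carry a negative errno through the `ssize_t` return. Worth checking against the 3.16 source, since the filename was already adjusted for this tree.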
* [PATCH 3.16 001/192] sched: Rename a misleading variable in build_overlap_sched_groups()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Peter Zijlstra, Zhihui Zhang, Ingo Molnar
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zhihui Zhang <zzhsuny@gmail.com>
commit aaecac4ad46b35ad308245384d019633fb9bc21b upstream.
The child variable in build_overlap_sched_groups() actually refers to the
peer or sibling domain of the given CPU. Rename it to sibling to be consistent
with the naming in build_group_mask().
Signed-off-by: Zhihui Zhang <zzhsuny@gmail.com>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org
Link: http://lkml.kernel.org/r/1406942283-18249-1-git-send-email-zzhsuny@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sched/core.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5808,7 +5808,7 @@ build_overlap_sched_groups(struct sched_
const struct cpumask *span = sched_domain_span(sd);
struct cpumask *covered = sched_domains_tmpmask;
struct sd_data *sdd = sd->private;
- struct sched_domain *child;
+ struct sched_domain *sibling;
int i;
cpumask_clear(covered);
@@ -5819,10 +5819,10 @@ build_overlap_sched_groups(struct sched_
if (cpumask_test_cpu(i, covered))
continue;
- child = *per_cpu_ptr(sdd->sd, i);
+ sibling = *per_cpu_ptr(sdd->sd, i);
/* See the comment near build_group_mask(). */
- if (!cpumask_test_cpu(i, sched_domain_span(child)))
+ if (!cpumask_test_cpu(i, sched_domain_span(sibling)))
continue;
sg = kzalloc_node(sizeof(struct sched_group) + cpumask_size(),
@@ -5832,10 +5832,9 @@ build_overlap_sched_groups(struct sched_
goto fail;
sg_span = sched_group_cpus(sg);
- if (child->child) {
- child = child->child;
- cpumask_copy(sg_span, sched_domain_span(child));
- } else
+ if (sibling->child)
+ cpumask_copy(sg_span, sched_domain_span(sibling->child));
+ else
cpumask_set_cpu(i, sg_span);
cpumask_or(covered, covered, sg_span);
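Review bot: this last hunk is not a pure rename: the old code did `child = child->child` before `cpumask_copy()`, while the new code reads `sibling->child` and leaves `sibling` unchanged. The two are only equivalent if nothing later in the loop body reads the variable again, which the hunk does not show. The commit message should state that the reassignment was dead, so the behavioural equivalence is on record.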
* [PATCH 3.16 004/192] sched/topology: Fix building of overlapping sched-groups
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Mike Galbraith, Thomas Gleixner, Peter Zijlstra,
Linus Torvalds, Ingo Molnar
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 0372dd2736e02672ac6e189c31f7d8c02ad543cd upstream.
When building the overlapping groups, we very obviously should start
with the previous domain of _this_ @cpu, not CPU-0.
This can be readily demonstrated with a topology like:
node 0 1 2 3
0: 10 20 30 20
1: 20 10 20 30
2: 30 20 10 20
3: 20 30 20 10
Where (for example) CPU1 ends up generating the following nonsensical groups:
[] CPU1 attaching sched-domain:
[] domain 0: span 0-2 level NUMA
[] groups: 1 2 0
[] domain 1: span 0-3 level NUMA
[] groups: 1-3 (cpu_capacity = 3072) 0-1,3 (cpu_capacity = 3072)
Where the fact that domain 1 doesn't include a group with span 0-2 is
the obvious fail.
With patch this looks like:
[] CPU1 attaching sched-domain:
[] domain 0: span 0-2 level NUMA
[] groups: 1 0 2
[] domain 1: span 0-3 level NUMA
[] groups: 0-2 (cpu_capacity = 3072) 0,2-3 (cpu_capacity = 3072)
Debugged-by: Lauro Ramos Venancio <lvenanci@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Fixes: e3589f6c81e4 ("sched: Allow for overlapping sched_domain spans")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/sched/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5854,7 +5854,7 @@ build_overlap_sched_groups(struct sched_
cpumask_clear(covered);
- for_each_cpu(i, span) {
+ for_each_cpu_wrap(i, span, cpu) {
struct cpumask *sg_span;
if (cpumask_test_cpu(i, covered))
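Review bot: `for_each_cpu_wrap(i, span, cpu)` needs two things this hunk does not provide: the `for_each_cpu_wrap()` iterator itself and a `cpu` variable in scope in `build_overlap_sched_groups()`. For a 3.16 backport, confirm that both exist in this tree or are introduced by an earlier patch in the series, and name that dependency in the backport note next to "adjust filename".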
* [PATCH 3.16 037/192] udf: Fix deadlock between writeback and udf_setsize()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Kara
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit f2e95355891153f66d4156bf3a142c6489cd78c6 upstream.
udf_setsize() called truncate_setsize() with i_data_sem held. Thus
truncate_pagecache() called from truncate_setsize() could lock a page
under i_data_sem which can deadlock as page lock ranks below
i_data_sem - e. g. writeback can hold page lock and try to acquire
i_data_sem to map a block.
Fix the problem by moving truncate_setsize() calls from under
i_data_sem. It is safe for us to change i_size without holding
i_data_sem as all the places that depend on i_size being stable already
hold inode_lock.
Fixes: 7e49b6f2480cb9a9e7322a91592e56a5c85361f5
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/udf/inode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1238,8 +1238,8 @@ int udf_setsize(struct inode *inode, lof
return err;
}
set_size:
- truncate_setsize(inode, newsize);
up_write(&iinfo->i_data_sem);
+ truncate_setsize(inode, newsize);
} else {
if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
down_write(&iinfo->i_data_sem);
@@ -1256,9 +1256,9 @@ set_size:
udf_get_block);
if (err)
return err;
+ truncate_setsize(inode, newsize);
down_write(&iinfo->i_data_sem);
udf_clear_extent_cache(inode);
- truncate_setsize(inode, newsize);
udf_truncate_extents(inode);
up_write(&iinfo->i_data_sem);
}
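Review bot: both hunks now call `truncate_setsize()` outside `i_data_sem`, and in this branch it runs before `udf_clear_extent_cache()` and `udf_truncate_extents()`, but nothing in the code records why. Add a comment at the moved calls stating that page lock ranks below `i_data_sem`, so `truncate_setsize()` must not be called with the semaphore held; otherwise a later cleanup can move it back and reintroduce the deadlock.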
* [PATCH 3.16 171/192] arm64: Rework valid_user_regs
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Mark Rutland, Peter Maydell, Will Deacon, Catalin Marinas,
James Morse, Dave Martin
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit dbd4d7ca563fd0a8949718d35ce197e5642d5d9d upstream.
We validate pstate using PSR_MODE32_BIT, which is part of the
user-provided pstate (and cannot be trusted). Also, we conflate
validation of AArch32 and AArch64 pstate values, making the code
difficult to reason about.
Instead, validate the pstate value based on the associated task. The
task may or may not be current (e.g. when using ptrace), so this must be
passed explicitly by callers. To avoid circular header dependencies via
sched.h, is_compat_task is pulled out of asm/ptrace.h.
To make the code possible to reason about, the AArch64 and AArch32
validation is split into separate functions. Software must respect the
RES0 policy for SPSR bits, and thus the kernel mirrors the hardware
policy (RAZ/WI) for bits as-yet unallocated. When these acquire an
architected meaning writes may be permitted (potentially with additional
validation).
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Dave Martin <dave.martin@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ rebased for v3.16
v3.16 does not support SETEND, support for this was added by
2d888f48e056 ("arm64: Emulate SETEND for AArch32 tasks") in v3.20
This backport forces the kernel endianness on userspace.
Added a DBG_SPSR_SS define hidden by #ifdefs to avoid conflicts with
other backports.
]
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm64/include/asm/ptrace.h | 34 +++--------------
arch/arm64/kernel/ptrace.c | 83 ++++++++++++++++++++++++++++++++++++++++-
arch/arm64/kernel/signal.c | 4 +-
arch/arm64/kernel/signal32.c | 2 +-
4 files changed, 89 insertions(+), 34 deletions(-)
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -58,6 +58,8 @@
#define COMPAT_PSR_Z_BIT 0x40000000
#define COMPAT_PSR_N_BIT 0x80000000
#define COMPAT_PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */
+#define COMPAT_PSR_GE_MASK 0x000f0000
+
/*
* These are 'magic' values for PTRACE_PEEKUSR that return info about where a
* process is located in memory.
@@ -144,35 +146,9 @@ static inline unsigned long regs_return_
return regs->regs[0];
}
-/*
- * Are the current registers suitable for user mode? (used to maintain
- * security in signal handlers)
- */
-static inline int valid_user_regs(struct user_pt_regs *regs)
-{
- if (user_mode(regs) && (regs->pstate & PSR_I_BIT) == 0) {
- regs->pstate &= ~(PSR_F_BIT | PSR_A_BIT);
-
- /* The T bit is reserved for AArch64 */
- if (!(regs->pstate & PSR_MODE32_BIT))
- regs->pstate &= ~COMPAT_PSR_T_BIT;
-
- return 1;
- }
-
- /*
- * Force PSR to something logical...
- */
- regs->pstate &= PSR_f | PSR_s | (PSR_x & ~PSR_A_BIT) | \
- COMPAT_PSR_T_BIT | PSR_MODE32_BIT;
-
- if (!(regs->pstate & PSR_MODE32_BIT)) {
- regs->pstate &= ~COMPAT_PSR_T_BIT;
- regs->pstate |= PSR_MODE_EL0t;
- }
-
- return 0;
-}
+/* We must avoid circular header include via sched.h */
+struct task_struct;
+int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task);
#define instruction_pointer(regs) ((unsigned long)(regs)->pc)
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -45,6 +45,10 @@
#define CREATE_TRACE_POINTS
#include <trace/events/syscalls.h>
+#ifndef DBG_SPSR_SS
+#define DBG_SPSR_SS (1 << 21)
+#endif
+
/*
* TODO: does not yet catch signals sent when the child dies.
* in exit.c or in signal.c.
@@ -501,7 +505,7 @@ static int gpr_set(struct task_struct *t
if (ret)
return ret;
- if (!valid_user_regs(&newregs))
+ if (!valid_user_regs(&newregs, target))
return -EINVAL;
task_pt_regs(target)->user_regs = newregs;
@@ -733,7 +737,7 @@ static int compat_gpr_set(struct task_st
}
- if (valid_user_regs(&newregs.user_regs))
+ if (valid_user_regs(&newregs.user_regs, target))
*task_pt_regs(target) = newregs;
else
ret = -EINVAL;
@@ -1138,3 +1142,78 @@ asmlinkage void syscall_trace_exit(struc
if (test_thread_flag(TIF_SYSCALL_TRACE))
tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
}
+
+/*
+ * Bits which are always architecturally RES0 per ARM DDI 0487A.h
+ * Userspace cannot use these until they have an architectural meaning.
+ * We also reserve IL for the kernel; SS is handled dynamically.
+ */
+#define SPSR_EL1_AARCH64_RES0_BITS \
+ (GENMASK_ULL(63,32) | GENMASK_ULL(27, 22) | GENMASK_ULL(20, 10) | \
+ GENMASK_ULL(5, 5))
+#define SPSR_EL1_AARCH32_RES0_BITS \
+ (GENMASK_ULL(63,32) | GENMASK_ULL(24, 22) | GENMASK_ULL(20,20))
+
+static int valid_compat_regs(struct user_pt_regs *regs)
+{
+ regs->pstate &= ~SPSR_EL1_AARCH32_RES0_BITS;
+
+ /* Force kernel endianness on user space */
+ if (IS_ENABLED(CONFIG_CPU_BIG_ENDIAN))
+ regs->pstate |= COMPAT_PSR_E_BIT;
+ else
+ regs->pstate &= ~COMPAT_PSR_E_BIT;
+
+ if (user_mode(regs) && (regs->pstate & PSR_MODE32_BIT) &&
+ (regs->pstate & COMPAT_PSR_A_BIT) == 0 &&
+ (regs->pstate & COMPAT_PSR_I_BIT) == 0 &&
+ (regs->pstate & COMPAT_PSR_F_BIT) == 0) {
+ return 1;
+ }
+
+ /*
+ * Force PSR to a valid 32-bit EL0t, preserving the same bits as
+ * arch/arm.
+ */
+ regs->pstate &= COMPAT_PSR_N_BIT | COMPAT_PSR_Z_BIT |
+ COMPAT_PSR_C_BIT | COMPAT_PSR_V_BIT |
+ COMPAT_PSR_Q_BIT | COMPAT_PSR_IT_MASK |
+ COMPAT_PSR_GE_MASK | COMPAT_PSR_E_BIT |
+ COMPAT_PSR_T_BIT;
+ regs->pstate |= PSR_MODE32_BIT;
+
+ return 0;
+}
+
+static int valid_native_regs(struct user_pt_regs *regs)
+{
+ regs->pstate &= ~SPSR_EL1_AARCH64_RES0_BITS;
+
+ if (user_mode(regs) && !(regs->pstate & PSR_MODE32_BIT) &&
+ (regs->pstate & PSR_D_BIT) == 0 &&
+ (regs->pstate & PSR_A_BIT) == 0 &&
+ (regs->pstate & PSR_I_BIT) == 0 &&
+ (regs->pstate & PSR_F_BIT) == 0) {
+ return 1;
+ }
+
+ /* Force PSR to a valid 64-bit EL0t */
+ regs->pstate &= PSR_N_BIT | PSR_Z_BIT | PSR_C_BIT | PSR_V_BIT;
+
+ return 0;
+}
+
+/*
+ * Are the current registers suitable for user mode? (used to maintain
+ * security in signal handlers)
+ */
+int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task)
+{
+ if (!test_tsk_thread_flag(task, TIF_SINGLESTEP))
+ regs->pstate &= ~DBG_SPSR_SS;
+
+ if (is_compat_thread(task_thread_info(task)))
+ return valid_compat_regs(regs);
+ else
+ return valid_native_regs(regs);
+}
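Review bot: the comment above valid_user_regs() still describes it as a yes/no question ("Are the current registers suitable for user mode?"), but valid_compat_regs() and valid_native_regs() both write regs->pstate on every path: RES0 bits are cleared, DBG_SPSR_SS is cleared unless TIF_SINGLESTEP is set, compat endianness is forced, and on failure pstate is rewritten to a valid EL0t value. Please document that the function sanitises its argument in place, since gpr_set(), compat_gpr_set() and the sigframe restore paths pass in user-supplied registers and then keep using them. Minor style: `GENMASK_ULL(63,32)` and `GENMASK_ULL(20,20)` lack the space after the comma that the neighbouring masks use.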
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -115,7 +115,7 @@ static int restore_sigframe(struct pt_re
*/
regs->syscallno = ~0UL;
- err |= !valid_user_regs(®s->user_regs);
+ err |= !valid_user_regs(®s->user_regs, current);
if (err == 0) {
struct fpsimd_context *fpsimd_ctx =
@@ -322,7 +322,7 @@ static void handle_signal(unsigned long
/*
* Check that the resulting registers are actually sane.
*/
- ret |= !valid_user_regs(®s->user_regs);
+ ret |= !valid_user_regs(®s->user_regs, current);
if (ret != 0) {
force_sigsegv(sig, tsk);
--- a/arch/arm64/kernel/signal32.c
+++ b/arch/arm64/kernel/signal32.c
@@ -350,7 +350,7 @@ static int compat_restore_sigframe(struc
*/
regs->syscallno = ~0UL;
- err |= !valid_user_regs(®s->user_regs);
+ err |= !valid_user_regs(®s->user_regs, current);
aux = (struct compat_aux_sigframe __user *) sf->uc.uc_regspace;
if (err == 0)
* [PATCH 3.16 144/192] sparc: Fix system call tracing register handling.
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Mike Frysinger
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mike Frysinger <vapier@gentoo.org>
[ Upstream commit 1a40b95374f680625318ab61d81958e949e0afe3 ]
A system call trace trigger on entry allows the tracing
process to inspect and potentially change the traced
process's registers.
Account for that by reloading the %g1 (syscall number)
and %i0-%i5 (syscall argument) values. We need to be
careful to revalidate the range of %g1, and reload the
system call table entry it corresponds to into %l7.
Reported-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tested-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sparc/kernel/entry.S | 17 +++++++++++++++++
arch/sparc/kernel/syscalls.S | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)
--- a/arch/sparc/kernel/entry.S
+++ b/arch/sparc/kernel/entry.S
@@ -948,7 +948,24 @@ linux_syscall_trace:
cmp %o0, 0
bne 3f
mov -ENOSYS, %o0
+
+ /* Syscall tracing can modify the registers. */
+ ld [%sp + STACKFRAME_SZ + PT_G1], %g1
+ sethi %hi(sys_call_table), %l7
+ ld [%sp + STACKFRAME_SZ + PT_I0], %i0
+ or %l7, %lo(sys_call_table), %l7
+ ld [%sp + STACKFRAME_SZ + PT_I1], %i1
+ ld [%sp + STACKFRAME_SZ + PT_I2], %i2
+ ld [%sp + STACKFRAME_SZ + PT_I3], %i3
+ ld [%sp + STACKFRAME_SZ + PT_I4], %i4
+ ld [%sp + STACKFRAME_SZ + PT_I5], %i5
+ cmp %g1, NR_syscalls
+ bgeu 3f
+ mov -ENOSYS, %o0
+
+ sll %g1, 2, %l4
mov %i0, %o0
+ ld [%l7 + %l4], %l7
mov %i1, %o1
mov %i2, %o2
mov %i3, %o3
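Review bot: the added comment in linux_syscall_trace only says "Syscall tracing can modify the registers", which does not tell the next reader that `cmp %g1, NR_syscalls` followed by `bgeu 3f` is a bounds check on a tracer-controlled value before it is used to index sys_call_table. Suggest extending the comment to say that %g1 is untrusted once the tracer has run and that %l7 has to be reloaded from the table for the new number, so that the check is not later removed as redundant.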
--- a/arch/sparc/kernel/syscalls.S
+++ b/arch/sparc/kernel/syscalls.S
@@ -148,7 +148,25 @@ linux_syscall_trace32:
add %sp, PTREGS_OFF, %o0
brnz,pn %o0, 3f
mov -ENOSYS, %o0
+
+ /* Syscall tracing can modify the registers. */
+ ldx [%sp + PTREGS_OFF + PT_V9_G1], %g1
+ sethi %hi(sys_call_table32), %l7
+ ldx [%sp + PTREGS_OFF + PT_V9_I0], %i0
+ or %l7, %lo(sys_call_table32), %l7
+ ldx [%sp + PTREGS_OFF + PT_V9_I1], %i1
+ ldx [%sp + PTREGS_OFF + PT_V9_I2], %i2
+ ldx [%sp + PTREGS_OFF + PT_V9_I3], %i3
+ ldx [%sp + PTREGS_OFF + PT_V9_I4], %i4
+ ldx [%sp + PTREGS_OFF + PT_V9_I5], %i5
+
+ cmp %g1, NR_syscalls
+ bgeu,pn %xcc, 3f
+ mov -ENOSYS, %o0
+
+ sll %g1, 2, %l4
srl %i0, 0, %o0
+ lduw [%l7 + %l4], %l7
srl %i4, 0, %o4
srl %i1, 0, %o1
srl %i2, 0, %o2
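Review bot: in linux_syscall_trace32 the reloaded arguments are truncated with `srl %i0, 0, %o0` and the lines after it, but %g1 is loaded with `ldx` and compared under `%xcc` with no such truncation. A value with high bits set fails `bgeu,pn %xcc, 3f` and returns -ENOSYS, so this fails closed, but a comment saying the 64-bit compare is deliberate for the 32-bit path would save the next reader from having to work that out.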
@@ -160,7 +178,25 @@ linux_syscall_trace:
add %sp, PTREGS_OFF, %o0
brnz,pn %o0, 3f
mov -ENOSYS, %o0
+
+ /* Syscall tracing can modify the registers. */
+ ldx [%sp + PTREGS_OFF + PT_V9_G1], %g1
+ sethi %hi(sys_call_table64), %l7
+ ldx [%sp + PTREGS_OFF + PT_V9_I0], %i0
+ or %l7, %lo(sys_call_table64), %l7
+ ldx [%sp + PTREGS_OFF + PT_V9_I1], %i1
+ ldx [%sp + PTREGS_OFF + PT_V9_I2], %i2
+ ldx [%sp + PTREGS_OFF + PT_V9_I3], %i3
+ ldx [%sp + PTREGS_OFF + PT_V9_I4], %i4
+ ldx [%sp + PTREGS_OFF + PT_V9_I5], %i5
+
+ cmp %g1, NR_syscalls
+ bgeu,pn %xcc, 3f
+ mov -ENOSYS, %o0
+
+ sll %g1, 2, %l4
mov %i0, %o0
+ lduw [%l7 + %l4], %l7
mov %i1, %o1
mov %i2, %o2
mov %i3, %o3
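Review bot: this reload-and-revalidate sequence is a line-for-line copy of the one added to linux_syscall_trace32 in the previous hunk, differing only in `sys_call_table64` versus `sys_call_table32`. Consider an assembler macro that takes the table symbol, so the bounds check on %g1 lives in one place and the two paths cannot drift apart.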
* [PATCH 3.16 185/192] Move check for prefix path to within cifs_get_root()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Aurelien Aptel, Steve French, Sachin Prabhu
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sachin Prabhu <sprabhu@redhat.com>
commit 348c1bfa84dfc47da1f1234b7f2bf09fa798edea upstream.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/cifsfs.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -584,6 +584,9 @@ cifs_get_root(struct smb_vol *vol, struc
char *s, *p;
char sep;
+ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+ return dget(sb->s_root);
+
full_path = cifs_build_path_to_root(vol, cifs_sb,
cifs_sb_master_tcon(cifs_sb));
if (full_path == NULL)
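Review bot: the new early return in cifs_get_root(), `if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)` followed by `return dget(sb->s_root);`, carries no comment, and the commit message has no body, so nothing records why the path walk is skipped for prefix-path mounts. A short comment at this spot would help. The placement itself looks right: the return sits before the call to cifs_build_path_to_root(), so full_path is never allocated on this path.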
@@ -708,11 +711,7 @@ cifs_do_mount(struct file_system_type *f
sb->s_flags |= MS_ACTIVE;
}
- if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
- root = dget(sb->s_root);
- else
- root = cifs_get_root(volume_info, sb);
-
+ root = cifs_get_root(volume_info, sb);
if (IS_ERR(root))
goto out_super;
* [PATCH 3.16 189/192] sched: fix confusing PFA_NO_NEW_PRIVS constant
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Tetsuo Handa, Miao Xie, Zefan Li, Kees Cook, Ingo Molnar,
Tejun Heo, Peter Zijlstra
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zefan Li <lizefan@huawei.com>
commit a2b86f772227bcaf962c8b134f8d187046ac5f0e upstream.
Commit 1d4457f99928 ("sched: move no_new_privs into new atomic flags")
defined PFA_NO_NEW_PRIVS as hexadecimal value, but it is confusing
because it is used as bit number. Redefine it as decimal bit number.
Note this changes the bit position of PFA_NO_NEW_PRIVS from 1 to 0.
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Miao Xie <miaox@cn.fujitsu.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Kees Cook <keescook@chromium.org>
[ lizf: slightly modified subject and changelog ]
Signed-off-by: Zefan Li <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/sched.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1979,7 +1979,7 @@ static inline void memalloc_noio_restore
}
/* Per-process atomic flags. */
-#define PFA_NO_NEW_PRIVS 0x00000001 /* May not gain new privileges. */
+#define PFA_NO_NEW_PRIVS 0 /* May not gain new privileges. */
static inline bool task_no_new_privs(struct task_struct *p)
{
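Review bot: with the value now `0`, the trailing comment on PFA_NO_NEW_PRIVS still does not say that the constant is a bit number rather than a mask, which is exactly the confusion the changelog describes. Suggest saying so in the `/* Per-process atomic flags. */` comment, for example by calling them bit numbers, so the next flag added here does not repeat the mistake.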
* [PATCH 3.16 179/192] PCI: Limit config space size for Netronome NFP4000
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Simon Horman, Bjorn Helgaas
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <simon.horman@netronome.com>
commit c2e771b02792d222cbcd9617fe71482a64f52647 upstream.
Like the NFP6000, the NFP4000 has an erratum where reading/writing to PCI
config space addresses above 0x600 can cause the NFP to generate PCIe
completion timeouts.
Limit the NFP4000's PF's config space size to 0x600 bytes as is already
done for the NFP6000.
The NFP4000's VF is 0x6004 (PCI_DEVICE_ID_NETRONOME_NFP6000_VF), the same
device ID as the NFP6000's VF. Thus, its config space is already limited
by the existing use of quirk_nfp6000().
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/pci/quirks.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -296,6 +296,7 @@ static void quirk_nfp6000(struct pci_dev
{
dev->cfg_size = 0x600;
}
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NETRONOME, PCI_DEVICE_ID_NETRONOME_NFP4000, quirk_nfp6000);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NETRONOME, PCI_DEVICE_ID_NETRONOME_NFP6000, quirk_nfp6000);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NETRONOME, PCI_DEVICE_ID_NETRONOME_NFP6000_VF, quirk_nfp6000);
* [PATCH 3.16 184/192] Compare prepaths when comparing superblocks
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Aurelien Aptel, Sachin Prabhu, Steve French
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sachin Prabhu <sprabhu@redhat.com>
commit c1d8b24d18192764fe82067ec6aa8d4c3bf094e0 upstream.
The patch
fs/cifs: make share unaccessible at root level mountable
makes use of prepaths when any component of the underlying path is
inaccessible.
When mounting 2 separate shares having different prepaths but are otherwise
similar in other respects, we end up sharing superblocks when we
shouldn't be doing so.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/connect.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2751,6 +2751,24 @@ compare_mount_options(struct super_block
return 1;
}
+static int
+match_prepath(struct super_block *sb, struct cifs_mnt_data *mnt_data)
+{
+ struct cifs_sb_info *old = CIFS_SB(sb);
+ struct cifs_sb_info *new = mnt_data->cifs_sb;
+
+ if (old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) {
+ if (!(new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH))
+ return 0;
+ /* The prepath should be null terminated strings */
+ if (strcmp(new->prepath, old->prepath))
+ return 0;
+
+ return 1;
+ }
+ return 0;
+}
+
int
cifs_match_super(struct super_block *sb, void *data)
{
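Review bot: match_prepath() returns 0 whenever the existing superblock does not have CIFS_MOUNT_USE_PREFIX_PATH set, because the final `return 0;` is reached without looking at the new mount at all. cifs_match_super() treats `!match_prepath(sb, mnt_data)` as a mismatch, so two mounts that both lack a prefix path can no longer share a superblock, which looks unintended given that the changelog only talks about differing prepaths. Suggest comparing the flag on both sides first (mismatch if they differ, match if neither is set) and only then calling strcmp().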
@@ -2778,7 +2796,8 @@ cifs_match_super(struct super_block *sb,
if (!match_server(tcp_srv, volume_info) ||
!match_session(ses, volume_info) ||
- !match_tcon(tcon, volume_info->UNC)) {
+ !match_tcon(tcon, volume_info->UNC) ||
+ !match_prepath(sb, mnt_data)) {
rc = 0;
goto out;
}
* [PATCH 3.16 173/192] s390/seccomp: fix error return for filtered system calls
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Michael Holzheu, Jan Willeke, Martin Schwidefsky
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Willeke <willeke@de.ibm.com>
commit dc295880c6752076f8b94ba3885d0bfff09e3e82 upstream.
The syscall_set_return_value function of s390 negates the error argument
before storing the value to the return register gpr2. This is incorrect,
the seccomp code already passes the negative error value.
Store the unmodified error value to gpr2.
Signed-off-by: Jan Willeke <willeke@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/s390/include/asm/syscall.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/s390/include/asm/syscall.h
+++ b/arch/s390/include/asm/syscall.h
@@ -54,7 +54,7 @@ static inline void syscall_set_return_va
struct pt_regs *regs,
int error, long val)
{
- regs->gprs[2] = error ? -error : val;
+ regs->gprs[2] = error ? error : val;
}
static inline void syscall_get_arguments(struct task_struct *task,
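Review bot: after this change syscall_set_return_value() stores `error` exactly as given, so it is only correct if every caller passes a negative errno, and nothing in the function says so. Please add a comment next to `regs->gprs[2] = error ? error : val;` stating the sign convention for `error`. A caller that passed a positive value would now put a success-looking number in gpr2 for a filtered system call.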
* [PATCH 3.16 153/192] net: Don't forget pr_fmt on net_dbg_ratelimited for CONFIG_DYNAMIC_DEBUG
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David S. Miller, Jason A. Donenfeld, Tim Bingham
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
commit daddef76c3deaaa7922f9d7b18edbf0a061215c3 upstream.
The implementation of net_dbg_ratelimited in the CONFIG_DYNAMIC_DEBUG
case was added with 2c94b5373 ("net: Implement net_dbg_ratelimited() for
CONFIG_DYNAMIC_DEBUG case"). The implementation strategy was to take the
usual definition of the dynamic_pr_debug macro, but alter it by adding a
call to "net_ratelimit()" in the if statement. This is, in fact, the
correct approach.
However, while doing this, the author of the commit forgot to surround
fmt by pr_fmt, resulting in unprefixed log messages appearing in the
console. So, this commit adds back the pr_fmt(fmt) invocation, making
net_dbg_ratelimited properly consistent across DEBUG, no DEBUG, and
DYNAMIC_DEBUG cases, and bringing parity with the behavior of
dynamic_pr_debug as well.
Fixes: 2c94b5373 ("net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Tim Bingham <tbingham@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/net.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -248,7 +248,8 @@ do { \
DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \
if (unlikely(descriptor.flags & _DPRINTK_FLAGS_PRINT) && \
net_ratelimit()) \
- __dynamic_pr_debug(&descriptor, fmt, ##__VA_ARGS__); \
+ __dynamic_pr_debug(&descriptor, pr_fmt(fmt), \
+ ##__VA_ARGS__); \
} while (0)
#elif defined(DEBUG)
#define net_dbg_ratelimited(fmt, ...) \
* [PATCH 3.16 158/192] usb: musb: cppi41: correct the macro name EP_MODE_AUTOREG_*
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Bin Liu
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bin Liu <b-liu@ti.com>
commit 0149b07a9e28b0d8bd2fc1c238ffe7d530c2673f upstream.
The macro EP_MODE_AUTOREG_* should be called EP_MODE_AUTOREQ_*, as they
are used for register AUTOREQ.
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/musb/musb_cppi41.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/usb/musb/musb_cppi41.c
+++ b/drivers/usb/musb/musb_cppi41.c
@@ -9,9 +9,9 @@
#define RNDIS_REG(x) (0x80 + ((x - 1) * 4))
-#define EP_MODE_AUTOREG_NONE 0
-#define EP_MODE_AUTOREG_ALL_NEOP 1
-#define EP_MODE_AUTOREG_ALWAYS 3
+#define EP_MODE_AUTOREQ_NONE 0
+#define EP_MODE_AUTOREQ_ALL_NEOP 1
+#define EP_MODE_AUTOREQ_ALWAYS 3
#define EP_MODE_DMA_TRANSPARENT 0
#define EP_MODE_DMA_RNDIS 1
@@ -426,19 +426,19 @@ static bool cppi41_configure_channel(str
/* auto req */
cppi41_set_autoreq_mode(cppi41_channel,
- EP_MODE_AUTOREG_ALL_NEOP);
+ EP_MODE_AUTOREQ_ALL_NEOP);
} else {
musb_writel(musb->ctrl_base,
RNDIS_REG(cppi41_channel->port_num), 0);
cppi41_set_dma_mode(cppi41_channel,
EP_MODE_DMA_TRANSPARENT);
cppi41_set_autoreq_mode(cppi41_channel,
- EP_MODE_AUTOREG_NONE);
+ EP_MODE_AUTOREQ_NONE);
}
} else {
/* fallback mode */
cppi41_set_dma_mode(cppi41_channel, EP_MODE_DMA_TRANSPARENT);
- cppi41_set_autoreq_mode(cppi41_channel, EP_MODE_AUTOREG_NONE);
+ cppi41_set_autoreq_mode(cppi41_channel, EP_MODE_AUTOREQ_NONE);
len = min_t(u32, packet_sz, len);
}
cppi41_channel->prog_len = len;
* [PATCH 3.16 167/192] perf/x86: Honor the architectural performance monitoring version
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Ingo Molnar, Brian Gerst, Oleg Nesterov, Borislav Petkov,
H. Peter Anvin, Paul Mackerras, Denys Vlasenko, Andy Lutomirski,
Linus Torvalds, Anthony Liguori, Palik, Imre,
Peter Zijlstra (Intel),
Arnaldo Carvalho de Melo, Thomas Gleixner
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Palik, Imre" <imrep@amazon.de>
commit 2c33645d366d13b969d936b68b9f4875b1fdddea upstream.
Architectural performance monitoring, version 1, doesn't support fixed counters.
Currently, even if a hypervisor advertises support for architectural
performance monitoring version 1, perf may still try to use the fixed
counters, as the constraints are set up based on the CPU model.
This patch ensures that perf honors the architectural performance monitoring
version returned by CPUID, and it only uses the fixed counters for version 2
and above.
(Some of the ideas in this patch came from Peter Zijlstra.)
Signed-off-by: Imre Palik <imrep@amazon.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Anthony Liguori <aliguori@amazon.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1433767609-1039-1-git-send-email-imrep.amz@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/cpu/perf_event_intel.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -2642,13 +2642,13 @@ __init int intel_pmu_init(void)
* counter, so do not extend mask to generic counters
*/
for_each_event_constraint(c, x86_pmu.event_constraints) {
- if (c->cmask != FIXED_EVENT_FLAGS
- || c->idxmsk64 == INTEL_PMC_MSK_FIXED_REF_CYCLES) {
- continue;
+ if (c->cmask == FIXED_EVENT_FLAGS
+ && c->idxmsk64 != INTEL_PMC_MSK_FIXED_REF_CYCLES) {
+ c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1;
}
-
- c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1;
- c->weight += x86_pmu.num_counters;
+ c->idxmsk64 &=
+ ~(~0UL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed));
+ c->weight = hweight64(c->idxmsk64);
}
}
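Review bot: the new mask `~(~0UL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed))` is built from an unsigned long, while c->idxmsk64 is a 64-bit field and the line just above it uses `1ULL`. On a 32-bit build unsigned long is only 32 bits wide, so the mask has the wrong width and the shift count can be out of range for the type. Use `~0ULL` so the expression matches idxmsk64 and the hweight64() call that follows.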
* [PATCH 3.16 136/192] xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Richard Wareing, Dave Chinner, Linus Torvalds
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Wareing <rwareing@fb.com>
commit b31ff3cdf540110da4572e3e29bd172087af65cc upstream.
If using a kernel with CONFIG_XFS_RT=y and we set the RTINHERIT flag on
a directory in a filesystem that does not have a realtime device and
create a new file in that directory, it gets marked as a real time file.
When data is written and a fsync is issued, the filesystem attempts to
flush a non-existent rt device during the fsync process.
This results in a crash dereferencing a null buftarg pointer in
xfs_blkdev_issue_flush():
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: xfs_blkdev_issue_flush+0xd/0x20
.....
Call Trace:
xfs_file_fsync+0x188/0x1c0
vfs_fsync_range+0x3b/0xa0
do_fsync+0x3d/0x70
SyS_fsync+0x10/0x20
do_syscall_64+0x4d/0xb0
entry_SYSCALL64_slow_path+0x25/0x25
Setting RT inode flags does not require special privileges so any
unprivileged user can cause this oops to occur. To reproduce, confirm
kernel is compiled with CONFIG_XFS_RT=y and run:
# mkfs.xfs -f /dev/pmem0
# mount /dev/pmem0 /mnt/test
# mkdir /mnt/test/foo
# xfs_io -c 'chattr +t' /mnt/test/foo
# xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar
Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.
Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.
Fixes: f538d4da8d52 ("[XFS] write barrier support")
Signed-off-by: Richard Wareing <rwareing@fb.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/xfs/xfs_dinode.h | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/xfs/xfs_dinode.h
+++ b/fs/xfs/xfs_dinode.h
@@ -228,7 +228,14 @@ static inline void xfs_dinode_put_rdev(s
#define XFS_DIFLAG_FILESTREAM (1 << XFS_DIFLAG_FILESTREAM_BIT)
#ifdef CONFIG_XFS_RT
-#define XFS_IS_REALTIME_INODE(ip) ((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME)
+
+/*
+ * make sure we ignore the inode flag if the filesystem doesn't have a
+ * configured realtime device.
+ */
+#define XFS_IS_REALTIME_INODE(ip) \
+ (((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME) && \
+ (ip)->i_mount->m_rtdev_targp)
#else
#define XFS_IS_REALTIME_INODE(ip) (0)
#endif
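Review bot: the rewritten XFS_IS_REALTIME_INODE(ip) now expands `ip` twice, once for `i_d.di_flags` and once for `i_mount->m_rtdev_targp`, so an argument with side effects would be evaluated twice. A static inline helper would avoid that. If the macro stays, the new comment could also say that a NULL m_rtdev_targp is what "no configured realtime device" means, since that is the condition actually tested.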
* [PATCH 3.16 164/192] serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Chanwoo Choi, Greg Kroah-Hartman, Marek Szyprowski
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chanwoo Choi <cw00.choi@samsung.com>
commit b8995f527aac143e83d3900ff39357651ea4e0f6 upstream.
This patch fixes the broken serial log when changing the clock source
of uart device. Before disabling the original clock source, this patch
enables the new clock source to protect the clock off state for a split second.
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/serial/samsung.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -757,6 +757,8 @@ static void s3c24xx_serial_set_termios(s
/* check to see if we need to change clock source */
if (ourport->baudclk != clk) {
+ clk_prepare_enable(clk);
+
s3c24xx_serial_setsource(port, clk_sel);
if (!IS_ERR(ourport->baudclk)) {
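Review bot: the return value of the moved `clk_prepare_enable(clk);` is still ignored, and the call now runs before s3c24xx_serial_setsource() selects that clock for the port. If enabling fails, the port ends up sourced from a clock that is not running. Suggest checking the result and leaving the current source in place on error.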
@@ -764,8 +766,6 @@ static void s3c24xx_serial_set_termios(s
ourport->baudclk = ERR_PTR(-EINVAL);
}
- clk_prepare_enable(clk);
-
ourport->baudclk = clk;
ourport->baudclk_rate = clk ? clk_get_rate(clk) : 0;
}
* [PATCH 3.16 190/192] sched: add macros to define bitops for task atomic flags
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Miao Xie, Tetsuo Handa, Zefan Li, Kees Cook, Tejun Heo,
Ingo Molnar, Peter Zijlstra (Intel)
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zefan Li <lizefan@huawei.com>
commit e0e5070b20e01f0321f97db4e4e174f3f6b49e50 upstream.
This will simplify code when we add new flags.
v3:
- Kees pointed out that no_new_privs should never be cleared, so we
shouldn't define task_clear_no_new_privs(). we define 3 macros instead
of a single one.
v2:
- updated scripts/tags.sh, suggested by Peter
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Miao Xie <miaox@cn.fujitsu.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Zefan Li <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/sched.h | 21 ++++++++++++---------
scripts/tags.sh | 6 ++++++
2 files changed, 18 insertions(+), 9 deletions(-)
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1981,15 +1981,18 @@ static inline void memalloc_noio_restore
/* Per-process atomic flags. */
#define PFA_NO_NEW_PRIVS 0 /* May not gain new privileges. */
-static inline bool task_no_new_privs(struct task_struct *p)
-{
- return test_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags);
-}
+#define TASK_PFA_TEST(name, func) \
+ static inline bool task_##func(struct task_struct *p) \
+ { return test_bit(PFA_##name, &p->atomic_flags); }
+#define TASK_PFA_SET(name, func) \
+ static inline void task_set_##func(struct task_struct *p) \
+ { set_bit(PFA_##name, &p->atomic_flags); }
+#define TASK_PFA_CLEAR(name, func) \
+ static inline void task_clear_##func(struct task_struct *p) \
+ { clear_bit(PFA_##name, &p->atomic_flags); }
-static inline void task_set_no_new_privs(struct task_struct *p)
-{
- set_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags);
-}
+TASK_PFA_TEST(NO_NEW_PRIVS, no_new_privs)
+TASK_PFA_SET(NO_NEW_PRIVS, no_new_privs)
/*
* task->jobctl flags
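Review bot: TASK_PFA_CLEAR is defined, but only TASK_PFA_TEST and TASK_PFA_SET are instantiated for NO_NEW_PRIVS, and the reason (no_new_privs should never be cleared) is recorded only in the changelog. Please add a comment next to `TASK_PFA_SET(NO_NEW_PRIVS, no_new_privs)` saying the clear helper is omitted on purpose, so that a later cleanup does not add `TASK_PFA_CLEAR(NO_NEW_PRIVS, no_new_privs)` for symmetry.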
--- a/scripts/tags.sh
+++ b/scripts/tags.sh
@@ -197,6 +197,9 @@ exuberant()
--regex-c++='/SETPCGFLAG\(([^,)]*).*/SetPageCgroup\1/' \
--regex-c++='/CLEARPCGFLAG\(([^,)]*).*/ClearPageCgroup\1/' \
--regex-c++='/TESTCLEARPCGFLAG\(([^,)]*).*/TestClearPageCgroup\1/' \
+ --regex-c++='/TASK_PFA_TEST\([^,]*,\s*([^)]*)\)/task_\1/' \
+ --regex-c++='/TASK_PFA_SET\([^,]*,\s*([^)]*)\)/task_set_\1/' \
+ --regex-c++='/TASK_PFA_CLEAR\([^,]*,\s*([^)]*)\)/task_clear_\1/'\
--regex-c='/PCI_OP_READ\((\w*).*[1-4]\)/pci_bus_read_config_\1/' \
--regex-c='/PCI_OP_WRITE\((\w*).*[1-4]\)/pci_bus_write_config_\1/' \
--regex-c='/DEFINE_(MUTEX|SEMAPHORE|SPINLOCK)\((\w*)/\2/v/' \
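Review bot: the added TASK_PFA_CLEAR line ends in `\1/'\` with no space before the continuation backslash, unlike the two lines added above it and the surrounding entries in this hunk. The shell still joins the lines, but a space keeps the block uniform. At this point in the series sched.h instantiates only TASK_PFA_TEST and TASK_PFA_SET, so the third pattern only starts matching once a later patch uses TASK_PFA_CLEAR().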
@@ -259,6 +262,9 @@ emacs()
--regex='/SETPCGFLAG\(([^,)]*).*/SetPageCgroup\1/' \
--regex='/CLEARPCGFLAG\(([^,)]*).*/ClearPageCgroup\1/' \
--regex='/TESTCLEARPCGFLAG\(([^,)]*).*/TestClearPageCgroup\1/' \
+ --regex='/TASK_PFA_TEST\([^,]*,\s*([^)]*)\)/task_\1/' \
+ --regex='/TASK_PFA_SET\([^,]*,\s*([^)]*)\)/task_set_\1/' \
+ --regex='/TASK_PFA_CLEAR\([^,]*,\s*([^)]*)\)/task_clear_\1/' \
--regex='/_PE(\([^,)]*\).*/PEVENT_ERRNO__\1/' \
--regex='/PCI_OP_READ(\([a-z]*[a-z]\).*[1-4])/pci_bus_read_config_\1/' \
--regex='/PCI_OP_WRITE(\([a-z]*[a-z]\).*[1-4])/pci_bus_write_config_\1/'\
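Review bot: the three added patterns write a literal parenthesis as `\(` and a capture group as `(...)`, while the PCI_OP_READ/PCI_OP_WRITE context lines just below do the opposite (`(` literal, `\(...\)` group). Both conventions cannot be right for the same etags invocation, so it is worth running the emacs target and confirming that task_no_new_privs and task_set_no_new_privs actually land in TAGS; the same check applies to the use of `\s`.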
* [PATCH 3.16 154/192] net sched filters: fix notification of filter delete with proper handle
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Cong Wang, David S. Miller, Jamal Hadi Salim, Daniel Borkmann
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit 9ee7837449b3d6f0fcf9132c6b5e5aaa58cc67d4 ]
Daniel says:
While trying out [1][2], I noticed that tc monitor doesn't show the
correct handle on delete:
$ tc monitor
qdisc clsact ffff: dev eno1 parent ffff:fff1
filter dev eno1 ingress protocol all pref 49152 bpf handle 0x2a [...]
deleted filter dev eno1 ingress protocol all pref 49152 bpf handle 0xf3be0c80
Some context to explain the above:
The user identity of any tc filter is represented by a 32-bit
identifier encoded in tcm->tcm_handle. Example 0x2a in the bpf filter
above. A user wishing to delete, get or even modify a specific filter
uses this handle to reference it.
Every classifier is free to provide its own semantics for the 32 bit handle.
Example: classifiers like u32 use schemes like 800:1:801 to describe
the semantics of their filters represented as hash table, bucket and
node ids etc.
Classifiers also have internal per-filter representation which is different
from this externally visible identity. Most classifiers set this
internal representation to be a pointer address (which allows fast retrieval
of said filters in their implementations). This internal representation
is referenced with the "fh" variable in the kernel control code.
When a user successfully deletes a specific filter, by specifying the correct
tcm->tcm_handle, an event is generated to user space which indicates
which specific filter was deleted.
Before this patch, the "fh" value was sent to user space as the identity.
As an example what is shown in the sample bpf filter delete event above
is 0xf3be0c80. This is in fact a 32-bit truncation of 0xffff8807f3be0c80
which happens to be a 64-bit memory address of the internal filter
representation (address of the corresponding filter's struct cls_bpf_prog);
After this patch the appropriate user identifiable handle as encoded
in the originating request tcm->tcm_handle is generated in the event.
One of the cardinal rules of netlink rules is to be able to take an
event (such as a delete in this case) and reflect it back to the
kernel and successfully delete the filter. This patch achieves that.
Note, this issue has existed since the original TC action
infrastructure code patch back in 2004 as found in:
https://git.kernel.org/cgit/linux/kernel/git/history/history.git/commit/
[1] http://patchwork.ozlabs.org/patch/682828/
[2] http://patchwork.ozlabs.org/patch/682829/
Fixes: 4e54c4816bfe ("[NET]: Add tc extensions infrastructure.")
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/sched/cls_api.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -309,7 +309,8 @@ replay:
case RTM_DELTFILTER:
err = tp->ops->delete(tp, fh);
if (err == 0)
- tfilter_notify(net, skb, n, tp, fh, RTM_DELTFILTER);
+ tfilter_notify(net, skb, n, tp,
+ t->tcm_handle, RTM_DELTFILTER);
goto errout;
case RTM_GETTFILTER:
err = tfilter_notify(net, skb, n, tp, fh, RTM_NEWTFILTER);
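Review bot: after this change the fifth argument of tfilter_notify() carries two different things at the two call sites visible here: the user-visible t->tcm_handle for RTM_DELTFILTER and the internal fh for RTM_GETTFILTER. A short comment on the delete case would help, saying that fh is the classifier's internal, pointer-derived representation, that it is no longer valid once ->delete() has succeeded, and that it must not be reported to user space (the commit message shows it exposing the low 32 bits of a kernel address). It is also worth confirming that the notify path treats that argument purely as a value for delete events and never hands it back to the classifier as an fh.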
* [PATCH 3.16 140/192] net/route: enforce hoplimit max value
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Paolo Abeni, David S. Miller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 626abd59e51d4d8c6367e03aae252a8aa759ac78 ]
Currently, when creating or updating a route, no check is performed
in both ipv4 and ipv6 code to the hoplimit value.
The caller can i.e. set hoplimit to 256, and when such route will
be used, packets will be sent with hoplimit/ttl equal to 0.
This commit adds checks for the RTAX_HOPLIMIT value, in both ipv4
and ipv6 route code, substituting any value greater than 255 with 255.
This is consistent with what is currently done for ADVMSS and MTU
in the ipv4 code.
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: for IPv6, add the check to fib6_commit_metrics()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -862,6 +862,8 @@ struct fib_info *fib_create_info(struct
val = 65535 - 40;
if (type == RTAX_MTU && val > 65535 - 15)
val = 65535 - 15;
+ if (type == RTAX_HOPLIMIT && val > 255)
+ val = 255;
fi->fib_metrics[type - 1] = val;
}
}
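Review bot: the clamp silently rewrites an out-of-range RTAX_HOPLIMIT to 255 rather than rejecting the request, so the caller gets success for a route whose metric differs from what it asked for. That matches the ADVMSS and MTU clamps directly above, so it is consistent, but the literal 255 is now duplicated here and in fib6_commit_metrics(); a shared named constant would keep the IPv4 and IPv6 limits from drifting apart.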
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -653,10 +653,14 @@ static int fib6_commit_metrics(struct ds
int type = nla_type(nla);
if (type) {
+ u32 val = nla_get_u32(nla);
+
if (type > RTAX_MAX)
return -EINVAL;
- mp[type - 1] = nla_get_u32(nla);
+ if (type == RTAX_HOPLIMIT && val > 255)
+ val = 255;
+ mp[type - 1] = val;
}
}
return 0;
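Review bot: nla_get_u32(nla) is now evaluated before the type > RTAX_MAX check, where the old code only read the attribute after the type had been validated. The value is unused on the -EINVAL path, so behaviour is the same, but assigning val after the range check keeps the validate-then-read order and makes the function easier to audit.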
* [PATCH 3.16 162/192] ARM: OMAP3: Fix booting with thumb2 kernel
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tony Lindgren, Kevin Hilman, Kevin Hilman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tony Lindgren <tony@atomide.com>
commit d8a50941c91a68da202aaa96a3dacd471ea9c693 upstream.
We get a NULL pointer dereference on omap3 for thumb2 compiled kernels:
Internal error: Oops: 80000005 [#1] SMP THUMB2
...
[<c046497b>] (_raw_spin_unlock_irqrestore) from [<c0024375>]
(omap3_enter_idle_bm+0xc5/0x178)
[<c0024375>] (omap3_enter_idle_bm) from [<c0374e63>]
(cpuidle_enter_state+0x77/0x27c)
[<c0374e63>] (cpuidle_enter_state) from [<c00627f1>]
(cpu_startup_entry+0x155/0x23c)
[<c00627f1>] (cpu_startup_entry) from [<c06b9a47>]
(start_kernel+0x32f/0x338)
[<c06b9a47>] (start_kernel) from [<8000807f>] (0x8000807f)
The power management related assembly on omaps needs to interact with
ARM mode bootrom code, so we need to keep most of the related assembly
in ARM mode.
Turns out this error is because of missing ENDPROC for assembly code
as suggested by Stephen Boyd <sboyd@codeaurora.org>. Let's fix the
problem by adding ENDPROC in two places to sleep34xx.S.
Let's also remove the now duplicate custom code for mode switching.
This has been unnecessary since commit 6ebbf2ce437b ("ARM: convert
all "mov.* pc, reg" to "bx reg" for ARMv6+").
And let's also remove the comments about local variables, they are
now just confusing after the ENDPROC.
The reason why ENDPROC makes a difference is it sets .type and then
the compiler knows what to do with the thumb bit as explained at:
https://wiki.ubuntu.com/ARM/Thumb2PortingHowto
Reported-by: Kevin Hilman <khilman@kernel.org>
Tested-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/mach-omap2/sleep34xx.S | 22 ++--------------------
1 file changed, 2 insertions(+), 20 deletions(-)
--- a/arch/arm/mach-omap2/sleep34xx.S
+++ b/arch/arm/mach-omap2/sleep34xx.S
@@ -203,23 +203,8 @@ save_context_wfi:
*/
ldr r1, kernel_flush
blx r1
- /*
- * The kernel doesn't interwork: v7_flush_dcache_all in particluar will
- * always return in Thumb state when CONFIG_THUMB2_KERNEL is enabled.
- * This sequence switches back to ARM. Note that .align may insert a
- * nop: bx pc needs to be word-aligned in order to work.
- */
- THUMB( .thumb )
- THUMB( .align )
- THUMB( bx pc )
- THUMB( nop )
- .arm
-
b omap3_do_wfi
-
-/*
- * Local variables
- */
+ENDPROC(omap34xx_cpu_suspend)
omap3_do_wfi_sram_addr:
.word omap3_do_wfi_sram
kernel_flush:
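Review bot: dropping the THUMB() bx pc sequence after blx r1 is only safe if the call through kernel_flush comes back in ARM state, which the commit message ties to 6ebbf2ce437b. For this 3.16 backport, please confirm that commit (or an equivalent) is present in the tree; without it the removed comment's concern still applies and nothing is left to switch back before b omap3_do_wfi. With the "Local variables" comment gone, a brief marker that omap3_do_wfi_sram_addr and kernel_flush are data words placed after ENDPROC would also help readers.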
@@ -364,10 +349,7 @@ exit_nonoff_modes:
* ===================================
*/
ldmfd sp!, {r4 - r11, pc} @ restore regs and return
-
-/*
- * Local variables
- */
+ENDPROC(omap3_do_wfi)
sdrc_power:
.word SDRC_POWER_V
cm_idlest1_core:
* [PATCH 3.16 186/192] Fix regression which breaks DFS mounting
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Aurelien Aptel, Sachin Prabhu, Steve French
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sachin Prabhu <sprabhu@redhat.com>
commit d171356ff11ab1825e456dfb979755e01b3c54a1 upstream.
Patch a6b5058 results in -EREMOTE returned by is_path_accessible() in
cifs_mount() to be ignored which breaks DFS mounting.
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/connect.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3638,14 +3638,16 @@ remote_path_check:
goto mount_fail_check;
}
- rc = cifs_are_all_path_components_accessible(server,
+ if (rc != -EREMOTE) {
+ rc = cifs_are_all_path_components_accessible(server,
xid, tcon, cifs_sb,
full_path);
- if (rc != 0) {
- cifs_dbg(VFS, "cannot query dirs between root and final path, "
- "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
- cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
- rc = 0;
+ if (rc != 0) {
+ cifs_dbg(VFS, "cannot query dirs between root and final path, "
+ "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
+ cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
+ rc = 0;
+ }
}
kfree(full_path);
}
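Review bot: the new rc != -EREMOTE guard has no comment explaining that -EREMOTE from the earlier is_path_accessible() call has to survive this block so that the DFS handling after it can act on it. A one-line comment would make that dependency explicit. Only the incoming -EREMOTE is exempted: any error returned by cifs_are_all_path_components_accessible() itself is still converted into CIFS_MOUNT_USE_PREFIX_PATH with rc = 0, which is broader than "a path component is not accessible". The unchanged continuation lines (xid, tcon, cifs_sb, and full_path);) are also no longer aligned with the re-indented call.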
* [PATCH 3.16 145/192] sparc64: Fix bootup regressions on some Kconfig combinations.
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Joerg Abraham, Meelis Roos, David S. Miller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "David S. Miller" <davem@davemloft.net>
[ Upstream commit 49fa5230462f9f2c4e97c81356473a6bdf06c422 ]
The system call tracing bug fix mentioned in the Fixes tag
below increased the amount of assembler code in the sequence
of assembler files included by head_64.S
This caused the total set of code to exceed 0x4000 bytes in
size, which overflows the expression in head_64.S that works
to place swapper_tsb at address 0x408000.
When this is violated, the TSB is not properly aligned, and
also the trap table is not aligned properly either. All of
this together results in failed boots.
So, do two things:
1) Simplify some code by using ba,a instead of ba/nop to get
those bytes back.
2) Add a linker script assertion to make sure that if this
happens again the build will fail.
Fixes: 1a40b95374f6 ("sparc: Fix system call tracing register handling.")
Reported-by: Meelis Roos <mroos@linux.ee>
Reported-by: Joerg Abraham <joerg.abraham@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sparc/kernel/cherrs.S | 14 +++++---------
arch/sparc/kernel/fpu_traps.S | 11 +++++------
arch/sparc/kernel/head_64.S | 24 ++++++++----------------
arch/sparc/kernel/misctrap.S | 12 ++++--------
arch/sparc/kernel/spiterrs.S | 18 ++++++------------
arch/sparc/kernel/utrap.S | 3 +--
arch/sparc/kernel/vmlinux.lds.S | 4 ++++
arch/sparc/kernel/winfixup.S | 3 +--
8 files changed, 34 insertions(+), 55 deletions(-)
--- a/arch/sparc/kernel/cherrs.S
+++ b/arch/sparc/kernel/cherrs.S
@@ -214,8 +214,7 @@ do_dcpe_tl1_nonfatal: /* Ok we may use i
subcc %g1, %g2, %g1 ! Next cacheline
bge,pt %icc, 1b
nop
- ba,pt %xcc, dcpe_icpe_tl1_common
- nop
+ ba,a,pt %xcc, dcpe_icpe_tl1_common
do_dcpe_tl1_fatal:
sethi %hi(1f), %g7
@@ -224,8 +223,7 @@ do_dcpe_tl1_fatal:
mov 0x2, %o0
call cheetah_plus_parity_error
add %sp, PTREGS_OFF, %o1
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size do_dcpe_tl1,.-do_dcpe_tl1
.globl do_icpe_tl1
@@ -259,8 +257,7 @@ do_icpe_tl1_nonfatal: /* Ok we may use i
subcc %g1, %g2, %g1
bge,pt %icc, 1b
nop
- ba,pt %xcc, dcpe_icpe_tl1_common
- nop
+ ba,a,pt %xcc, dcpe_icpe_tl1_common
do_icpe_tl1_fatal:
sethi %hi(1f), %g7
@@ -269,8 +266,7 @@ do_icpe_tl1_fatal:
mov 0x3, %o0
call cheetah_plus_parity_error
add %sp, PTREGS_OFF, %o1
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size do_icpe_tl1,.-do_icpe_tl1
.type dcpe_icpe_tl1_common,#function
@@ -456,7 +452,7 @@ __cheetah_log_error:
cmp %g2, 0x63
be c_cee
nop
- ba,pt %xcc, c_deferred
+ ba,a,pt %xcc, c_deferred
.size __cheetah_log_error,.-__cheetah_log_error
/* Cheetah FECC trap handling, we get here from tl{0,1}_fecc
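Review bot: unlike the other sites in this file, the removed ba,pt %xcc, c_deferred had no nop after it, so this hunk saves no bytes. The old branch executed whatever instruction follows __cheetah_log_error in its delay slot, and the added ,a annuls that slot. This is a behavioural fix rather than the size reduction the commit message describes, and deserves a sentence there.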
--- a/arch/sparc/kernel/fpu_traps.S
+++ b/arch/sparc/kernel/fpu_traps.S
@@ -100,8 +100,8 @@ do_fpdis:
fmuld %f0, %f2, %f26
faddd %f0, %f2, %f28
fmuld %f0, %f2, %f30
- b,pt %xcc, fpdis_exit
- nop
+ ba,a,pt %xcc, fpdis_exit
+
2: andcc %g5, FPRS_DU, %g0
bne,pt %icc, 3f
fzero %f32
@@ -144,8 +144,8 @@ do_fpdis:
fmuld %f32, %f34, %f58
faddd %f32, %f34, %f60
fmuld %f32, %f34, %f62
- ba,pt %xcc, fpdis_exit
- nop
+ ba,a,pt %xcc, fpdis_exit
+
3: mov SECONDARY_CONTEXT, %g3
add %g6, TI_FPREGS, %g1
@@ -197,8 +197,7 @@ fpdis_exit2:
fp_other_bounce:
call do_fpother
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size fp_other_bounce,.-fp_other_bounce
.align 32
--- a/arch/sparc/kernel/head_64.S
+++ b/arch/sparc/kernel/head_64.S
@@ -461,9 +461,8 @@ sun4v_chip_type:
subcc %g3, 1, %g3
bne,pt %xcc, 41b
add %g1, 1, %g1
- mov SUN4V_CHIP_SPARC64X, %g4
ba,pt %xcc, 5f
- nop
+ mov SUN4V_CHIP_SPARC64X, %g4
49:
mov SUN4V_CHIP_UNKNOWN, %g4
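Review bot: this site is handled differently from the rest of the patch: instead of converting to ba,a it keeps ba,pt and moves mov SUN4V_CHIP_SPARC64X, %g4 into the delay slot. That is correct, since the delay-slot instruction executes before control reaches 5f, but the commit message only mentions the ba,a conversion. A delay-slot comment on the mov would keep someone from later "fixing" it into an annulled branch and losing the %g4 assignment.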
@@ -548,8 +547,7 @@ sun4u_init:
stxa %g0, [%g7] ASI_DMMU
membar #Sync
- ba,pt %xcc, sun4u_continue
- nop
+ ba,a,pt %xcc, sun4u_continue
sun4v_init:
/* Set ctx 0 */
@@ -560,14 +558,12 @@ sun4v_init:
mov SECONDARY_CONTEXT, %g7
stxa %g0, [%g7] ASI_MMU
membar #Sync
- ba,pt %xcc, niagara_tlb_fixup
- nop
+ ba,a,pt %xcc, niagara_tlb_fixup
sun4u_continue:
BRANCH_IF_ANY_CHEETAH(g1, g7, cheetah_tlb_fixup)
- ba,pt %xcc, spitfire_tlb_fixup
- nop
+ ba,a,pt %xcc, spitfire_tlb_fixup
niagara_tlb_fixup:
mov 3, %g2 /* Set TLB type to hypervisor. */
@@ -639,8 +635,7 @@ niagara_patch:
call hypervisor_patch_cachetlbops
nop
- ba,pt %xcc, tlb_fixup_done
- nop
+ ba,a,pt %xcc, tlb_fixup_done
cheetah_tlb_fixup:
mov 2, %g2 /* Set TLB type to cheetah+. */
@@ -659,8 +654,7 @@ cheetah_tlb_fixup:
call cheetah_patch_cachetlbops
nop
- ba,pt %xcc, tlb_fixup_done
- nop
+ ba,a,pt %xcc, tlb_fixup_done
spitfire_tlb_fixup:
/* Set TLB type to spitfire. */
@@ -782,8 +776,7 @@ setup_trap_table:
call %o1
add %sp, (2047 + 128), %o0
- ba,pt %xcc, 2f
- nop
+ ba,a,pt %xcc, 2f
1: sethi %hi(sparc64_ttable_tl0), %o0
set prom_set_trap_table_name, %g2
@@ -822,8 +815,7 @@ setup_trap_table:
BRANCH_IF_ANY_CHEETAH(o2, o3, 1f)
- ba,pt %xcc, 2f
- nop
+ ba,a,pt %xcc, 2f
/* Disable STICK_INT interrupts. */
1:
--- a/arch/sparc/kernel/misctrap.S
+++ b/arch/sparc/kernel/misctrap.S
@@ -18,8 +18,7 @@ __do_privact:
109: or %g7, %lo(109b), %g7
call do_privact
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size __do_privact,.-__do_privact
.type do_mna,#function
@@ -46,8 +45,7 @@ do_mna:
mov %l5, %o2
call mem_address_unaligned
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size do_mna,.-do_mna
.type do_lddfmna,#function
@@ -65,8 +63,7 @@ do_lddfmna:
mov %l5, %o2
call handle_lddfmna
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size do_lddfmna,.-do_lddfmna
.type do_stdfmna,#function
@@ -84,8 +81,7 @@ do_stdfmna:
mov %l5, %o2
call handle_stdfmna
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size do_stdfmna,.-do_stdfmna
.type breakpoint_trap,#function
--- a/arch/sparc/kernel/spiterrs.S
+++ b/arch/sparc/kernel/spiterrs.S
@@ -85,8 +85,7 @@ __spitfire_cee_trap_continue:
ba,pt %xcc, etraptl1
rd %pc, %g7
- ba,pt %xcc, 2f
- nop
+ ba,a,pt %xcc, 2f
1: ba,pt %xcc, etrap_irq
rd %pc, %g7
@@ -100,8 +99,7 @@ __spitfire_cee_trap_continue:
mov %l5, %o2
call spitfire_access_error
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size __spitfire_access_error,.-__spitfire_access_error
/* This is the trap handler entry point for ECC correctable
@@ -179,8 +177,7 @@ __spitfire_data_access_exception_tl1:
mov %l5, %o2
call spitfire_data_access_exception_tl1
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size __spitfire_data_access_exception_tl1,.-__spitfire_data_access_exception_tl1
.type __spitfire_data_access_exception,#function
@@ -200,8 +197,7 @@ __spitfire_data_access_exception:
mov %l5, %o2
call spitfire_data_access_exception
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size __spitfire_data_access_exception,.-__spitfire_data_access_exception
.type __spitfire_insn_access_exception_tl1,#function
@@ -220,8 +216,7 @@ __spitfire_insn_access_exception_tl1:
mov %l5, %o2
call spitfire_insn_access_exception_tl1
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size __spitfire_insn_access_exception_tl1,.-__spitfire_insn_access_exception_tl1
.type __spitfire_insn_access_exception,#function
@@ -240,6 +235,5 @@ __spitfire_insn_access_exception:
mov %l5, %o2
call spitfire_insn_access_exception
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
.size __spitfire_insn_access_exception,.-__spitfire_insn_access_exception
--- a/arch/sparc/kernel/utrap.S
+++ b/arch/sparc/kernel/utrap.S
@@ -11,8 +11,7 @@ utrap_trap: /* %g3=handler,%g4=level */
mov %l4, %o1
call bad_trap
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
invoke_utrap:
sllx %g3, 3, %g3
--- a/arch/sparc/kernel/vmlinux.lds.S
+++ b/arch/sparc/kernel/vmlinux.lds.S
@@ -33,6 +33,10 @@ ENTRY(_start)
jiffies = jiffies_64;
#endif
+#ifdef CONFIG_SPARC64
+ASSERT((swapper_tsb == 0x0000000000408000), "Error: sparc64 early assembler too large")
+#endif
+
SECTIONS
{
#ifdef CONFIG_SPARC64
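Review bot: the assertion hard-codes 0x0000000000408000, duplicating the address that the expression in head_64.S is meant to produce, with nothing tying the two together. A comment naming head_64.S as the source of the constant would help whoever changes either side. The failure text could also say where to look (the code included by head_64.S ahead of swapper_tsb), since "early assembler too large" alone does not point at a file.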
--- a/arch/sparc/kernel/winfixup.S
+++ b/arch/sparc/kernel/winfixup.S
@@ -32,8 +32,7 @@ fill_fixup:
rd %pc, %g7
call do_sparc64_fault
add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+ ba,a,pt %xcc, rtrap
/* Be very careful about usage of the trap globals here.
* You cannot touch %g5 as that has the fault information.
* [PATCH 3.16 151/192] net_dbg_ratelimited: turn into no-op when !DEBUG
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Jason A. Donenfeld
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
commit d92cff89a0c80e7e49796366e441d97f07b5d321 upstream.
The pr_debug family of functions turns into a no-op when -DDEBUG is not
specified, opting instead to call "no_printk", which gets compiled to a
no-op (but retains gcc's nice warnings about printf-style arguments).
The problem with net_dbg_ratelimited is that it is defined to be a
variant of net_ratelimited_function, which expands to essentially:
if (net_ratelimit())
pr_debug(fmt, ...);
When DEBUG is not defined, then this becomes,
if (net_ratelimit())
;
This seems benign, except it isn't. Firstly, there's the obvious
overhead of calling net_ratelimit needlessly, which does quite some book
keeping for the rate limiting. Given that the pr_debug and
net_dbg_ratelimited family of functions are sprinkled liberally through
performance critical code, with developers assuming they'll be compiled
out to a no-op most of the time, we certainly do not want this needless
book keeping. Secondly, and most visibly, even though no debug message
is printed when DEBUG is not defined, if there is a flood of
invocations, dmesg winds up peppered with messages such as
"net_ratelimit: 320 callbacks suppressed". This is because our
aforementioned net_ratelimit() function actually prints this text in
some circumstances. It's especially odd to see this when there isn't any
other accompanying debug message.
So, in sum, it doesn't make sense to have this function's current
behavior, and instead it should match what every other debug family of
functions in the kernel does with !DEBUG -- nothing.
This patch replaces calls to net_dbg_ratelimited when !DEBUG with
no_printk, keeping with the idiom of all the other debug print helpers.
Also, though not strictly necessary, it guards the call with an if (0)
so that all evaluation of any arguments are sure to be compiled out.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/net.h | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -242,8 +242,16 @@ do { \
net_ratelimited_function(pr_warn, fmt, ##__VA_ARGS__)
#define net_info_ratelimited(fmt, ...) \
net_ratelimited_function(pr_info, fmt, ##__VA_ARGS__)
+#if defined(DEBUG)
#define net_dbg_ratelimited(fmt, ...) \
net_ratelimited_function(pr_debug, fmt, ##__VA_ARGS__)
+#else
+#define net_dbg_ratelimited(fmt, ...) \
+ do { \
+ if (0) \
+ no_printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__); \
+ } while (0)
+#endif
bool __net_get_random_once(void *buf, int nbytes, bool *done,
struct static_key *done_key);
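Review bot: gating on defined(DEBUG) alone means net_dbg_ratelimited() compiles to nothing on CONFIG_DYNAMIC_DEBUG kernels, where pr_debug() call sites stay in the binary and can be enabled at run time without DEBUG being defined. If losing these messages under dynamic debug is intended, the commit message should say so; otherwise the #if needs to account for CONFIG_DYNAMIC_DEBUG. The if (0) wrapper around no_printk() is fine: it keeps the format checking and guarantees the arguments are not evaluated.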
* [PATCH 3.16 182/192] fs/cifs: make share unaccessible at root level mountable
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Pavel Shilovsky, Aurelien Aptel, Steve French
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aurelien Aptel <aaptel@suse.com>
commit a6b5058fafdf508904bbf16c29b24042cef3c496 upstream.
if, when mounting //HOST/share/sub/dir/foo we can query /sub/dir/foo but
not any of the path components above:
- store the /sub/dir/foo prefix in the cifs super_block info
- in the superblock, set root dentry to the subpath dentry (instead of
the share root)
- set a flag in the superblock to remember it
- use prefixpath when building path from a dentry
fixes bso#8950
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Pavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: use Jiri Slaby's backport of the change in
cifs_root_iget()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/cifs/cifs_fs_sb.h
+++ b/fs/cifs/cifs_fs_sb.h
@@ -45,6 +45,9 @@
#define CIFS_MOUNT_POSIXACL 0x100000 /* mirror of MS_POSIXACL in mnt_cifs_flags */
#define CIFS_MOUNT_CIFS_BACKUPUID 0x200000 /* backup intent bit for a user */
#define CIFS_MOUNT_CIFS_BACKUPGID 0x400000 /* backup intent bit for a group */
+#define CIFS_MOUNT_USE_PREFIX_PATH 0x1000000 /* make subpath with unaccessible
+ * root mountable
+ */
struct cifs_sb_info {
struct rb_root tlink_tree;
@@ -66,5 +69,6 @@ struct cifs_sb_info {
struct backing_dev_info bdi;
struct delayed_work prune_tlinks;
struct rcu_head rcu;
+ char *prepath;
};
#endif /* _CIFS_FS_SB_H */
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -666,6 +666,14 @@ cifs_do_mount(struct file_system_type *f
goto out_cifs_sb;
}
+ if (volume_info->prepath) {
+ cifs_sb->prepath = kstrdup(volume_info->prepath, GFP_KERNEL);
+ if (cifs_sb->prepath == NULL) {
+ root = ERR_PTR(-ENOMEM);
+ goto out_cifs_sb;
+ }
+ }
+
cifs_setup_cifs_sb(volume_info, cifs_sb);
rc = cifs_mount(cifs_sb, volume_info);
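Review bot: cifs_sb->prepath is allocated here, but the only kfree() this patch adds for it is in cifs_umount(). Please check the error paths that leave cifs_do_mount() after this point without going through cifs_umount(), for example a cifs_mount() failure directly below, and make sure they free prepath as well.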
@@ -704,7 +712,11 @@ cifs_do_mount(struct file_system_type *f
sb->s_flags |= MS_ACTIVE;
}
- root = cifs_get_root(volume_info, sb);
+ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+ root = dget(sb->s_root);
+ else
+ root = cifs_get_root(volume_info, sb);
+
if (IS_ERR(root))
goto out_super;
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3446,6 +3446,44 @@ cifs_get_volume_info(char *mount_data, c
return volume_info;
}
+static int
+cifs_are_all_path_components_accessible(struct TCP_Server_Info *server,
+ unsigned int xid,
+ struct cifs_tcon *tcon,
+ struct cifs_sb_info *cifs_sb,
+ char *full_path)
+{
+ int rc;
+ char *s;
+ char sep, tmp;
+
+ sep = CIFS_DIR_SEP(cifs_sb);
+ s = full_path;
+
+ rc = server->ops->is_path_accessible(xid, tcon, cifs_sb, "");
+ while (rc == 0) {
+ /* skip separators */
+ while (*s == sep)
+ s++;
+ if (!*s)
+ break;
+ /* next separator */
+ while (*s && *s != sep)
+ s++;
+
+ /*
+ * temporarily null-terminate the path at the end of
+ * the current component
+ */
+ tmp = *s;
+ *s = 0;
+ rc = server->ops->is_path_accessible(xid, tcon, cifs_sb,
+ full_path);
+ *s = tmp;
+ }
+ return rc;
+}
+
int
cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *volume_info)
{
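Review bot: cifs_are_all_path_components_accessible() has no comment describing its contract. It writes a NUL into full_path in place and restores the byte after each probe, so the caller must pass a writable buffer that nothing else reads concurrently, and it returns the raw error of the first failing is_path_accessible() call without distinguishing "access denied" from any other failure. Both points are worth documenting above the function, because the caller's decision to enable the prefix-path fallback depends on them.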
@@ -3572,6 +3610,16 @@ remote_path_check:
kfree(full_path);
goto mount_fail_check;
}
+
+ rc = cifs_are_all_path_components_accessible(server,
+ xid, tcon, cifs_sb,
+ full_path);
+ if (rc != 0) {
+ cifs_dbg(VFS, "cannot query dirs between root and final path, "
+ "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
+ cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
+ rc = 0;
+ }
kfree(full_path);
}
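Review bot: if (rc != 0) treats every failure as "intermediate directory not accessible" and then sets rc = 0. That swallows errors that should abort or redirect the mount, such as -EREMOTE for a DFS path (the case 186/192 in this series has to repair), and presumably allocation or transport errors as well. The fallback should be limited to the access-denied style errors it is meant for, with other codes propagated to the caller.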
@@ -3835,6 +3883,7 @@ cifs_umount(struct cifs_sb_info *cifs_sb
bdi_destroy(&cifs_sb->bdi);
kfree(cifs_sb->mountdata);
+ kfree(cifs_sb->prepath);
call_rcu(&cifs_sb->rcu, delayed_free);
}
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -84,6 +84,7 @@ build_path_from_dentry(struct dentry *di
struct dentry *temp;
int namelen;
int dfsplen;
+ int pplen = 0;
char *full_path;
char dirsep;
struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
@@ -95,8 +96,12 @@ build_path_from_dentry(struct dentry *di
dfsplen = strnlen(tcon->treeName, MAX_TREE_SIZE + 1);
else
dfsplen = 0;
+
+ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+ pplen = cifs_sb->prepath ? strlen(cifs_sb->prepath) + 1 : 0;
+
cifs_bp_rename_retry:
- namelen = dfsplen;
+ namelen = dfsplen + pplen;
seq = read_seqbegin(&rename_lock);
rcu_read_lock();
for (temp = direntry; !IS_ROOT(temp);) {
@@ -137,7 +142,7 @@ cifs_bp_rename_retry:
}
}
rcu_read_unlock();
- if (namelen != dfsplen || read_seqretry(&rename_lock, seq)) {
+ if (namelen != dfsplen + pplen || read_seqretry(&rename_lock, seq)) {
cifs_dbg(FYI, "did not end path lookup where expected. namelen=%ddfsplen=%d\n",
namelen, dfsplen);
/* presumably this is only possible if racing with a rename
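Review bot: the consistency check now compares namelen against dfsplen + pplen, but the cifs_dbg() message below still prints only namelen and dfsplen, so a mismatch involving the prefix path cannot be diagnosed from the log. Add pplen to the message; the format string is also missing a space between namelen=%d and dfsplen.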
@@ -153,6 +158,17 @@ cifs_bp_rename_retry:
those safely to '/' if any are found in the middle of the prepath */
/* BB test paths to Windows with '/' in the midst of prepath */
+ if (pplen) {
+ int i;
+
+ cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath);
+ memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1);
+ full_path[dfsplen] = '\\';
+ for (i = 0; i < pplen-1; i++)
+ if (full_path[dfsplen+1+i] == '/')
+ full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb);
+ }
+
if (dfsplen) {
strncpy(full_path, tcon->treeName, dfsplen);
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) {
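Review bot: the separator written in front of the prefix path is hard-coded as '\\', while the loop directly below converts separators inside the prefix to CIFS_DIR_SEP(cifs_sb). On a mount where CIFS_DIR_SEP() is '/', the resulting path mixes both. Using CIFS_DIR_SEP(cifs_sb) for full_path[dfsplen] as well would be consistent. The memcpy() also depends on full_path having been sized from the new namelen = dfsplen + pplen; a comment on the pplen layout (one separator plus the prefix, no terminator) would make the index arithmetic easier to audit for overruns.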
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -950,12 +950,29 @@ struct inode *cifs_root_iget(struct supe
struct inode *inode = NULL;
long rc;
struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+ char *path = NULL;
+ int len;
+
+ if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+ && cifs_sb->prepath) {
+ len = strlen(cifs_sb->prepath);
+ path = kzalloc(len + 2 /* leading sep + null */, GFP_KERNEL);
+ if (path == NULL)
+ return ERR_PTR(-ENOMEM);
+ path[0] = '/';
+ memcpy(path+1, cifs_sb->prepath, len);
+ } else {
+ path = kstrdup("", GFP_KERNEL);
+ if (path == NULL)
+ return ERR_PTR(-ENOMEM);
+ }
xid = get_xid();
+ convert_delimiter(path, CIFS_DIR_SEP(cifs_sb));
if (tcon->unix_ext)
- rc = cifs_get_inode_info_unix(&inode, "", sb, xid);
+ rc = cifs_get_inode_info_unix(&inode, path, sb, xid);
else
- rc = cifs_get_inode_info(&inode, "", NULL, sb, xid, NULL);
+ rc = cifs_get_inode_info(&inode, path, NULL, sb, xid, NULL);
if (!inode) {
inode = ERR_PTR(rc);
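Review bot: The else branch allocates an empty string with kstrdup("", GFP_KERNEL) only so that kfree(path) at out: can be unconditional, which adds an -ENOMEM failure to every mount that has no prefix path. kfree(NULL) is a no-op, so path could stay NULL in that case, with convert_delimiter() skipped and the lookup given "" as before. In the prefix branch, a brief comment that the terminating NUL comes from kzalloc() zeroing would explain why memcpy(path+1, cifs_sb->prepath, len) copies len bytes and not len + 1.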
@@ -983,6 +1000,7 @@ struct inode *cifs_root_iget(struct supe
}
out:
+ kfree(path);
/* can not call macro free_xid here since in a void func
* TODO: This is no longer true
*/
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 150/192] sparc64: Fix return from trap window fill crashes.
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Nick Alcock, David S. Miller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "David S. Miller" <davem@davemloft.net>
[ Upstream commit 7cafc0b8bf130f038b0ec2dcdd6a9de6dc59b65a ]
We must handle data access exception as well as memory address unaligned
exceptions from return from trap window fill faults, not just normal
TLB misses.
Otherwise we can get an OOPS that looks like this:
ld-linux.so.2(36808): Kernel bad sw trap 5 [#1]
CPU: 1 PID: 36808 Comm: ld-linux.so.2 Not tainted 4.6.0 #34
task: fff8000303be5c60 ti: fff8000301344000 task.ti: fff8000301344000
TSTATE: 0000004410001601 TPC: 0000000000a1a784 TNPC: 0000000000a1a788 Y: 00000002 Not tainted
TPC: <do_sparc64_fault+0x5c4/0x700>
g0: fff8000024fc8248 g1: 0000000000db04dc g2: 0000000000000000 g3: 0000000000000001
g4: fff8000303be5c60 g5: fff800030e672000 g6: fff8000301344000 g7: 0000000000000001
o0: 0000000000b95ee8 o1: 000000000000012b o2: 0000000000000000 o3: 0000000200b9b358
o4: 0000000000000000 o5: fff8000301344040 sp: fff80003013475c1 ret_pc: 0000000000a1a77c
RPC: <do_sparc64_fault+0x5bc/0x700>
l0: 00000000000007ff l1: 0000000000000000 l2: 000000000000005f l3: 0000000000000000
l4: fff8000301347e98 l5: fff8000024ff3060 l6: 0000000000000000 l7: 0000000000000000
i0: fff8000301347f60 i1: 0000000000102400 i2: 0000000000000000 i3: 0000000000000000
i4: 0000000000000000 i5: 0000000000000000 i6: fff80003013476a1 i7: 0000000000404d4c
I7: <user_rtt_fill_fixup+0x6c/0x7c>
Call Trace:
[0000000000404d4c] user_rtt_fill_fixup+0x6c/0x7c
The window trap handlers are slightly clever, the trap table entries for them are
composed of two pieces of code. First comes the code that actually performs
the window fill or spill trap handling, and then there are three instructions at
the end which are for exception processing.
The userland register window fill handler is:
add %sp, STACK_BIAS + 0x00, %g1; \
ldxa [%g1 + %g0] ASI, %l0; \
mov 0x08, %g2; \
mov 0x10, %g3; \
ldxa [%g1 + %g2] ASI, %l1; \
mov 0x18, %g5; \
ldxa [%g1 + %g3] ASI, %l2; \
ldxa [%g1 + %g5] ASI, %l3; \
add %g1, 0x20, %g1; \
ldxa [%g1 + %g0] ASI, %l4; \
ldxa [%g1 + %g2] ASI, %l5; \
ldxa [%g1 + %g3] ASI, %l6; \
ldxa [%g1 + %g5] ASI, %l7; \
add %g1, 0x20, %g1; \
ldxa [%g1 + %g0] ASI, %i0; \
ldxa [%g1 + %g2] ASI, %i1; \
ldxa [%g1 + %g3] ASI, %i2; \
ldxa [%g1 + %g5] ASI, %i3; \
add %g1, 0x20, %g1; \
ldxa [%g1 + %g0] ASI, %i4; \
ldxa [%g1 + %g2] ASI, %i5; \
ldxa [%g1 + %g3] ASI, %i6; \
ldxa [%g1 + %g5] ASI, %i7; \
restored; \
retry; nop; nop; nop; nop; \
b,a,pt %xcc, fill_fixup_dax; \
b,a,pt %xcc, fill_fixup_mna; \
b,a,pt %xcc, fill_fixup;
And the way this works is that if any of those memory accesses
generate an exception, the exception handler can revector to one of
those final three branch instructions depending upon which kind of
exception the memory access took. In this way, the fault handler
doesn't have to know if it was a spill or a fill that it's handling
the fault for. It just always branches to the last instruction in
the parent trap's handler.
For example, for a regular fault, the code goes:
winfix_trampoline:
rdpr %tpc, %g3
or %g3, 0x7c, %g3
wrpr %g3, %tnpc
done
All window trap handlers are 0x80 aligned, so if we "or" 0x7c into the
trap time program counter, we'll get that final instruction in the
trap handler.
On return from trap, we have to pull the register window in but we do
this by hand instead of just executing a "restore" instruction for
several reasons. The largest being that from Niagara and onward we
simply don't have enough levels in the trap stack to fully resolve all
possible exception cases of a window fault when we are already at
trap level 1 (which we enter to get ready to return from the original
trap).
This is executed inline via the FILL_*_RTRAP handlers. rtrap_64.S's
code branches directly to these to do the window fill by hand if
necessary. Now if you look at them, we'll see at the end:
ba,a,pt %xcc, user_rtt_fill_fixup;
ba,a,pt %xcc, user_rtt_fill_fixup;
ba,a,pt %xcc, user_rtt_fill_fixup;
And oops, all three cases are handled like a fault.
This doesn't work because each of these trap types (data access
exception, memory address unaligned, and faults) store their auxiliary
info in different registers to pass on to the C handler which does the
real work.
So in the case where the stack was unaligned, the unaligned trap
handler sets up the arg registers one way, and then we branched to
the fault handler which expects them set up another way.
So the FAULT_TYPE_* value ends up basically being garbage, and
randomly would generate the backtrace seen above.
Reported-by: Nick Alcock <nix@esperi.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sparc/include/asm/head_64.h | 4 ++
arch/sparc/include/asm/ttable.h | 8 ++--
arch/sparc/kernel/Makefile | 1 +
arch/sparc/kernel/rtrap_64.S | 57 ++++-------------------
arch/sparc/kernel/urtt_fill.S | 98 ++++++++++++++++++++++++++++++++++++++++
5 files changed, 116 insertions(+), 52 deletions(-)
create mode 100644 arch/sparc/kernel/urtt_fill.S
--- a/arch/sparc/include/asm/head_64.h
+++ b/arch/sparc/include/asm/head_64.h
@@ -15,6 +15,10 @@
#define PTREGS_OFF (STACK_BIAS + STACKFRAME_SZ)
+#define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE)
+#define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV)
+#define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG)
+
#define __CHEETAH_ID 0x003e0014
#define __JALAPENO_ID 0x003e0016
#define __SERRANO_ID 0x003e0022
--- a/arch/sparc/include/asm/ttable.h
+++ b/arch/sparc/include/asm/ttable.h
@@ -589,8 +589,8 @@ user_rtt_fill_64bit: \
restored; \
nop; nop; nop; nop; nop; nop; \
nop; nop; nop; nop; nop; \
- ba,a,pt %xcc, user_rtt_fill_fixup; \
- ba,a,pt %xcc, user_rtt_fill_fixup; \
+ ba,a,pt %xcc, user_rtt_fill_fixup_dax; \
+ ba,a,pt %xcc, user_rtt_fill_fixup_mna; \
ba,a,pt %xcc, user_rtt_fill_fixup;
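Review bot: The three trailing branches are position-dependent and nothing in the macro says so: the changelog explains that the exception path selects one of the last three slots by exception type, so swapping two of these lines would silently send an unaligned access to the data access handler. Add a one-line comment above them naming the slot order (data access exception, memory address unaligned, fault), matching the fill_fixup_dax / fill_fixup_mna / fill_fixup tail of the ordinary fill handler, here and in user_rtt_fill_32bit.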
@@ -652,8 +652,8 @@ user_rtt_fill_32bit: \
restored; \
nop; nop; nop; nop; nop; \
nop; nop; nop; \
- ba,a,pt %xcc, user_rtt_fill_fixup; \
- ba,a,pt %xcc, user_rtt_fill_fixup; \
+ ba,a,pt %xcc, user_rtt_fill_fixup_dax; \
+ ba,a,pt %xcc, user_rtt_fill_fixup_mna; \
ba,a,pt %xcc, user_rtt_fill_fixup;
--- a/arch/sparc/kernel/Makefile
+++ b/arch/sparc/kernel/Makefile
@@ -21,6 +21,7 @@ CFLAGS_REMOVE_perf_event.o := -pg
CFLAGS_REMOVE_pcr.o := -pg
endif
+obj-$(CONFIG_SPARC64) += urtt_fill.o
obj-$(CONFIG_SPARC32) += entry.o wof.o wuf.o
obj-$(CONFIG_SPARC32) += etrap_32.o
obj-$(CONFIG_SPARC32) += rtrap_32.o
--- a/arch/sparc/kernel/rtrap_64.S
+++ b/arch/sparc/kernel/rtrap_64.S
@@ -14,10 +14,6 @@
#include <asm/visasm.h>
#include <asm/processor.h>
-#define RTRAP_PSTATE (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_IE)
-#define RTRAP_PSTATE_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV)
-#define RTRAP_PSTATE_AG_IRQOFF (PSTATE_TSO|PSTATE_PEF|PSTATE_PRIV|PSTATE_AG)
-
#ifdef CONFIG_CONTEXT_TRACKING
# define SCHEDULE_USER schedule_user
#else
@@ -236,52 +232,17 @@ rt_continue: ldx [%sp + PTREGS_OFF + P
wrpr %g1, %cwp
ba,a,pt %xcc, user_rtt_fill_64bit
-user_rtt_fill_fixup:
- rdpr %cwp, %g1
- add %g1, 1, %g1
- wrpr %g1, 0x0, %cwp
-
- rdpr %wstate, %g2
- sll %g2, 3, %g2
- wrpr %g2, 0x0, %wstate
-
- /* We know %canrestore and %otherwin are both zero. */
-
- sethi %hi(sparc64_kern_pri_context), %g2
- ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2
- mov PRIMARY_CONTEXT, %g1
-
-661: stxa %g2, [%g1] ASI_DMMU
- .section .sun4v_1insn_patch, "ax"
- .word 661b
- stxa %g2, [%g1] ASI_MMU
- .previous
-
- sethi %hi(KERNBASE), %g1
- flush %g1
+user_rtt_fill_fixup_dax:
+ ba,pt %xcc, user_rtt_fill_fixup_common
+ mov 1, %g3
+
+user_rtt_fill_fixup_mna:
+ ba,pt %xcc, user_rtt_fill_fixup_common
+ mov 2, %g3
- or %g4, FAULT_CODE_WINFIXUP, %g4
- stb %g4, [%g6 + TI_FAULT_CODE]
- stx %g5, [%g6 + TI_FAULT_ADDR]
-
- mov %g6, %l1
- wrpr %g0, 0x0, %tl
-
-661: nop
- .section .sun4v_1insn_patch, "ax"
- .word 661b
- SET_GL(0)
- .previous
-
- wrpr %g0, RTRAP_PSTATE, %pstate
-
- mov %l1, %g6
- ldx [%g6 + TI_TASK], %g4
- LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3)
- call do_sparc64_fault
- add %sp, PTREGS_OFF, %o0
- ba,pt %xcc, rtrap
- nop
+user_rtt_fill_fixup:
+ ba,pt %xcc, user_rtt_fill_fixup_common
+ clr %g3
user_rtt_pre_restore:
add %g1, 1, %g1
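Review bot: The three stubs encode the exception kind in %g3 as bare numbers (clr %g3, mov 1, %g3, mov 2, %g3), and the decoder in urtt_fill.S tests them with brnz and a compare against a literal 2, so nothing ties the two files together. Define the three values once in a shared header (head_64.h already gains the RTRAP_PSTATE macros in this patch for the same reason) and use the names on both sides.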
--- /dev/null
+++ b/arch/sparc/kernel/urtt_fill.S
@@ -0,0 +1,98 @@
+#include <asm/thread_info.h>
+#include <asm/trap_block.h>
+#include <asm/spitfire.h>
+#include <asm/ptrace.h>
+#include <asm/head.h>
+
+ .text
+ .align 8
+ .globl user_rtt_fill_fixup_common
+user_rtt_fill_fixup_common:
+ rdpr %cwp, %g1
+ add %g1, 1, %g1
+ wrpr %g1, 0x0, %cwp
+
+ rdpr %wstate, %g2
+ sll %g2, 3, %g2
+ wrpr %g2, 0x0, %wstate
+
+ /* We know %canrestore and %otherwin are both zero. */
+
+ sethi %hi(sparc64_kern_pri_context), %g2
+ ldx [%g2 + %lo(sparc64_kern_pri_context)], %g2
+ mov PRIMARY_CONTEXT, %g1
+
+661: stxa %g2, [%g1] ASI_DMMU
+ .section .sun4v_1insn_patch, "ax"
+ .word 661b
+ stxa %g2, [%g1] ASI_MMU
+ .previous
+
+ sethi %hi(KERNBASE), %g1
+ flush %g1
+
+ mov %g4, %l4
+ mov %g5, %l5
+ brnz,pn %g3, 1f
+ mov %g3, %l3
+
+ or %g4, FAULT_CODE_WINFIXUP, %g4
+ stb %g4, [%g6 + TI_FAULT_CODE]
+ stx %g5, [%g6 + TI_FAULT_ADDR]
+1:
+ mov %g6, %l1
+ wrpr %g0, 0x0, %tl
+
+661: nop
+ .section .sun4v_1insn_patch, "ax"
+ .word 661b
+ SET_GL(0)
+ .previous
+
+ wrpr %g0, RTRAP_PSTATE, %pstate
+
+ mov %l1, %g6
+ ldx [%g6 + TI_TASK], %g4
+ LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3)
+
+ brnz,pn %l3, 1f
+ nop
+
+ call do_sparc64_fault
+ add %sp, PTREGS_OFF, %o0
+ ba,pt %xcc, rtrap
+ nop
+
+1: cmp %g3, 2
+ bne,pn %xcc, 2f
+ nop
+
+ sethi %hi(tlb_type), %g1
+ lduw [%g1 + %lo(tlb_type)], %g1
+ cmp %g1, 3
+ bne,pt %icc, 1f
+ add %sp, PTREGS_OFF, %o0
+ mov %l4, %o2
+ call sun4v_do_mna
+ mov %l5, %o1
+ ba,a,pt %xcc, rtrap
+1: mov %l4, %o1
+ mov %l5, %o2
+ call mem_address_unaligned
+ nop
+ ba,a,pt %xcc, rtrap
+
+2: sethi %hi(tlb_type), %g1
+ mov %l4, %o1
+ lduw [%g1 + %lo(tlb_type)], %g1
+ mov %l5, %o2
+ cmp %g1, 3
+ bne,pt %icc, 1f
+ add %sp, PTREGS_OFF, %o0
+ call sun4v_data_access_exception
+ nop
+ ba,a,pt %xcc, rtrap
+
+1: call spitfire_data_access_exception
+ nop
+ ba,a,pt %xcc, rtrap
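Review bot: At the first 1: label after the do_sparc64_fault call, the exception kind is tested with cmp %g3, 2, but by that point %g3 has been handed to LOAD_PER_CPU_BASE(%g5, %g6, %g1, %g2, %g3) as one of its register arguments and %pstate has been rewritten, while the brnz just above relies on the copy saved earlier with mov %g3, %l3. Compare %l3 here as well, or add a comment explaining why %g3 still holds the value set by the stubs in rtrap_64.S. The bare 3 compared against tlb_type in both tails would also read better as a named constant.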
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 191/192] cpuset: PF_SPREAD_PAGE and PF_SPREAD_SLAB should be atomic flags
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Peter Zijlstra, Miao Xie, Tetsuo Handa, Ingo Molnar,
Tejun Heo, Zefan Li, Kees Cook
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zefan Li <lizefan@huawei.com>
commit 2ad654bc5e2b211e92f66da1d819e47d79a866f0 upstream.
When we change cpuset.memory_spread_{page,slab}, cpuset will flip
PF_SPREAD_{PAGE,SLAB} bit of tsk->flags for each task in that cpuset.
This should be done using atomic bitops, but currently we don't,
which is broken.
Tetsuo reported a hard-to-reproduce kernel crash on RHEL6, which happened
when one thread tried to clear PF_USED_MATH while at the same time another
thread tried to flip PF_SPREAD_PAGE/PF_SPREAD_SLAB. They both operate on
the same task.
Here's the full report:
https://lkml.org/lkml/2014/9/19/230
To fix this, we make PF_SPREAD_PAGE and PF_SPREAD_SLAB atomic flags.
v4:
- updated mm/slab.c. (Fengguang Wu)
- updated Documentation.
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Miao Xie <miaox@cn.fujitsu.com>
Cc: Kees Cook <keescook@chromium.org>
Fixes: 950592f7b991 ("cpusets: update tasks' page/slab spread flags in time")
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Zefan Li <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Documentation/cgroups/cpusets.txt | 6 +++---
include/linux/cpuset.h | 4 ++--
include/linux/sched.h | 13 +++++++++++--
kernel/cpuset.c | 9 +++++----
mm/slab.c | 4 ++--
5 files changed, 23 insertions(+), 13 deletions(-)
--- a/Documentation/cgroups/cpusets.txt
+++ b/Documentation/cgroups/cpusets.txt
@@ -345,14 +345,14 @@ the named feature on.
The implementation is simple.
Setting the flag 'cpuset.memory_spread_page' turns on a per-process flag
-PF_SPREAD_PAGE for each task that is in that cpuset or subsequently
+PFA_SPREAD_PAGE for each task that is in that cpuset or subsequently
joins that cpuset. The page allocation calls for the page cache
-is modified to perform an inline check for this PF_SPREAD_PAGE task
+is modified to perform an inline check for this PFA_SPREAD_PAGE task
flag, and if set, a call to a new routine cpuset_mem_spread_node()
returns the node to prefer for the allocation.
Similarly, setting 'cpuset.memory_spread_slab' turns on the flag
-PF_SPREAD_SLAB, and appropriately marked slab caches will allocate
+PFA_SPREAD_SLAB, and appropriately marked slab caches will allocate
pages from the node returned by cpuset_mem_spread_node().
The cpuset_mem_spread_node() routine is also simple. It uses the
--- a/include/linux/cpuset.h
+++ b/include/linux/cpuset.h
@@ -93,12 +93,12 @@ extern int cpuset_slab_spread_node(void)
static inline int cpuset_do_page_mem_spread(void)
{
- return current->flags & PF_SPREAD_PAGE;
+ return task_spread_page(current);
}
static inline int cpuset_do_slab_mem_spread(void)
{
- return current->flags & PF_SPREAD_SLAB;
+ return task_spread_slab(current);
}
extern int current_cpuset_is_being_rebound(void);
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1923,8 +1923,6 @@ extern void thread_group_cputime_adjuste
#define PF_KTHREAD 0x00200000 /* I am a kernel thread */
#define PF_RANDOMIZE 0x00400000 /* randomize virtual address space */
#define PF_SWAPWRITE 0x00800000 /* Allowed to write to swap */
-#define PF_SPREAD_PAGE 0x01000000 /* Spread page cache over cpuset */
-#define PF_SPREAD_SLAB 0x02000000 /* Spread some slab caches over cpuset */
#define PF_NO_SETAFFINITY 0x04000000 /* Userland is not allowed to meddle with cpus_allowed */
#define PF_MCE_EARLY 0x08000000 /* Early kill for mce process policy */
#define PF_MUTEX_TESTER 0x20000000 /* Thread belongs to the rt mutex tester */
@@ -1980,6 +1978,9 @@ static inline void memalloc_noio_restore
/* Per-process atomic flags. */
#define PFA_NO_NEW_PRIVS 0 /* May not gain new privileges. */
+#define PFA_SPREAD_PAGE 1 /* Spread page cache over cpuset */
+#define PFA_SPREAD_SLAB 2 /* Spread some slab caches over cpuset */
+
#define TASK_PFA_TEST(name, func) \
static inline bool task_##func(struct task_struct *p) \
@@ -1994,6 +1995,14 @@ static inline void memalloc_noio_restore
TASK_PFA_TEST(NO_NEW_PRIVS, no_new_privs)
TASK_PFA_SET(NO_NEW_PRIVS, no_new_privs)
+TASK_PFA_TEST(SPREAD_PAGE, spread_page)
+TASK_PFA_SET(SPREAD_PAGE, spread_page)
+TASK_PFA_CLEAR(SPREAD_PAGE, spread_page)
+
+TASK_PFA_TEST(SPREAD_SLAB, spread_slab)
+TASK_PFA_SET(SPREAD_SLAB, spread_slab)
+TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab)
+
/*
* task->jobctl flags
*/
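Review bot: TASK_PFA_CLEAR() is used for both new flags, but the context of this file's hunks only shows TASK_PFA_TEST being defined and TASK_PFA_SET being used, so this patch depends on whichever earlier change introduces the CLEAR variant. For a stable queue that ordering is worth stating in the backport note so the patch is not picked up on its own.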
--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -339,13 +339,14 @@ static void cpuset_update_task_spread_fl
struct task_struct *tsk)
{
if (is_spread_page(cs))
- tsk->flags |= PF_SPREAD_PAGE;
+ task_set_spread_page(tsk);
else
- tsk->flags &= ~PF_SPREAD_PAGE;
+ task_clear_spread_page(tsk);
+
if (is_spread_slab(cs))
- tsk->flags |= PF_SPREAD_SLAB;
+ task_set_spread_slab(tsk);
else
- tsk->flags &= ~PF_SPREAD_SLAB;
+ task_clear_spread_slab(tsk);
}
/*
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -3112,7 +3112,7 @@ out:
#ifdef CONFIG_NUMA
/*
- * Try allocating on another node if PF_SPREAD_SLAB is a mempolicy is set.
+ * Try allocating on another node if PFA_SPREAD_SLAB is a mempolicy is set.
*
* If we are in_interrupt, then process context, including cpusets and
* mempolicy, may not apply and should not be used for allocation policy.
@@ -3344,7 +3344,7 @@ __do_cache_alloc(struct kmem_cache *cach
{
void *objp;
- if (current->mempolicy || unlikely(current->flags & PF_SPREAD_SLAB)) {
+ if (current->mempolicy || cpuset_do_slab_mem_spread()) {
objp = alternate_node_alloc(cache, flags);
if (objp)
goto out;
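Review bot: Replacing the open-coded test with cpuset_do_slab_mem_spread() drops the unlikely() annotation that the old condition carried on this allocation path. If the hint was deliberate, keep it as unlikely(cpuset_do_slab_mem_spread()); if not, say in the changelog that it is dropped on purpose.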
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 192/192] dm: flush queued bios when process blocks to avoid deadlock
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mikulas Patocka, Mike Snitzer
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit d67a5f4b5947aba4bfe9a80a2b86079c215ca755 upstream.
Commit df2cb6daa4 ("block: Avoid deadlocks with bio allocation by
stacking drivers") created a workqueue for every bio set and code
in bio_alloc_bioset() that tries to resolve some low-memory deadlocks
by redirecting bios queued on current->bio_list to the workqueue if the
system is low on memory. However other deadlocks (see below **) may
happen, without any low memory condition, because generic_make_request
is queuing bios to current->bio_list (rather than submitting them).
** the related dm-snapshot deadlock is detailed here:
https://www.redhat.com/archives/dm-devel/2016-July/msg00065.html
Fix this deadlock by redirecting any bios on current->bio_list to the
bio_set's rescue workqueue on every schedule() call. Consequently,
when the process blocks on a mutex, the bios queued on
current->bio_list are dispatched to independent workqueues and they can
complete without waiting for the mutex to be available.
The structure blk_plug contains an entry cb_list and this list can contain
arbitrary callback functions that are called when the process blocks.
To implement this fix DM (ab)uses the onstack plug's cb_list interface
to get its flush_current_bio_list() called at schedule() time.
This fixes the snapshot deadlock - if the map method blocks,
flush_current_bio_list() will be called and it redirects bios waiting
on current->bio_list to appropriate workqueues.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1267650
Depends-on: df2cb6daa4 ("block: Avoid deadlocks with bio allocation by stacking drivers")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/md/dm.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1183,11 +1183,62 @@ void dm_accept_partial_bio(struct bio *b
}
EXPORT_SYMBOL_GPL(dm_accept_partial_bio);
+/*
+ * Flush current->bio_list when the target map method blocks.
+ * This fixes deadlocks in snapshot and possibly in other targets.
+ */
+struct dm_offload {
+ struct blk_plug plug;
+ struct blk_plug_cb cb;
+};
+
+static void flush_current_bio_list(struct blk_plug_cb *cb, bool from_schedule)
+{
+ struct dm_offload *o = container_of(cb, struct dm_offload, cb);
+ struct bio_list list;
+ struct bio *bio;
+
+ INIT_LIST_HEAD(&o->cb.list);
+
+ if (unlikely(!current->bio_list))
+ return;
+
+ list = *current->bio_list;
+ bio_list_init(current->bio_list);
+
+ while ((bio = bio_list_pop(&list))) {
+ struct bio_set *bs = bio->bi_pool;
+ if (unlikely(!bs) || bs == fs_bio_set) {
+ bio_list_add(current->bio_list, bio);
+ continue;
+ }
+
+ spin_lock(&bs->rescue_lock);
+ bio_list_add(&bs->rescue_list, bio);
+ queue_work(bs->rescue_workqueue, &bs->rescue_work);
+ spin_unlock(&bs->rescue_lock);
+ }
+}
+
+static void dm_offload_start(struct dm_offload *o)
+{
+ blk_start_plug(&o->plug);
+ o->cb.callback = flush_current_bio_list;
+ list_add(&o->cb.list, ¤t->plug->cb_list);
+}
+
+static void dm_offload_end(struct dm_offload *o)
+{
+ list_del(&o->cb.list);
+ blk_finish_plug(&o->plug);
+}
+
static void __map_bio(struct dm_target_io *tio)
{
int r;
sector_t sector;
struct mapped_device *md;
+ struct dm_offload o;
struct bio *clone = &tio->clone;
struct dm_target *ti = tio->ti;
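Review bot: flush_current_bio_list() re-initialises o->cb.list with INIT_LIST_HEAD() before doing anything else, and dm_offload_end() later calls list_del() on the same node, yet the code does not say why the two fit together. Add a comment stating the assumption (presumably that the plug code has already taken the callback off cb_list by the time it runs it, so the node has to be made self-linked for the later list_del() to be safe) and that from_schedule is ignored on purpose. The requeue of bios with no bi_pool or with bs == fs_bio_set back onto current->bio_list deserves a line of explanation as well.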
@@ -1200,7 +1251,11 @@ static void __map_bio(struct dm_target_i
*/
atomic_inc(&tio->io->io_count);
sector = clone->bi_iter.bi_sector;
+
+ dm_offload_start(&o);
r = ti->type->map(ti, clone);
+ dm_offload_end(&o);
+
if (r == DM_MAPIO_REMAPPED) {
/* the bio has been remapped so dispatch it */
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 156/192] drm/irq: BUG_ON() -> WARN_ON()
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Rob Clark, Dave Airlie, Michel Dänzer
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robdclark@gmail.com>
commit 7f907bf284ba7bb8d271f094b226699d3fef2142 upstream.
Let's make things a bit easier to debug when things go bad (potentially
under console_lock).
Signed-off-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/drm_irq.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -973,7 +973,8 @@ EXPORT_SYMBOL(drm_crtc_vblank_get);
*/
void drm_vblank_put(struct drm_device *dev, int crtc)
{
- BUG_ON(atomic_read(&dev->vblank[crtc].refcount) == 0);
+ if (WARN_ON(atomic_read(&dev->vblank[crtc].refcount) == 0))
+ return;
/* Last user schedules interrupt disable */
if (atomic_dec_and_test(&dev->vblank[crtc].refcount) &&
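Review bot: With the early return, an unbalanced drm_vblank_put() is tolerated on every call and WARN_ON() prints a full backtrace each time it happens. Consider WARN_ON_ONCE() if a buggy caller can hit this repeatedly, and mention in the function's kerneldoc above that a put with a zero refcount is warned about and ignored.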
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 155/192] Revert "ACPI / EC: Add support to disallow QR_EC to be issued before completing previous QR_EC"
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Lv Zheng, Rafael J. Wysocki
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lv Zheng <lv.zheng@intel.com>
commit df9ff91801da603079018f21a9412385b62f0f8e upstream.
It is reported that the following commit breaks Samsung hardware:
Commit: 558e4736f2e1b0e6323adf7a5e4df77ed6cfc1a4.
Subject: ACPI / EC: Add support to disallow QR_EC to be issued before
completing previous QR_EC
Which means the Samsung behavior conflicts with the Acer behavior.
1. Samsung may behave like:
[ +event 1 ] SCI_EVT set
[ +event 2 ] SCI_EVT set
write QR_EC
read event
[ -event 1 ] SCI_EVT clear
Without the above commit, Samsung can work:
[ +event 1 ] SCI_EVT set
[ +event 2 ] SCI_EVT set
write QR_EC
CAN prepare next QR_EC as SCI_EVT=1
read event
[ -event 1 ] SCI_EVT clear
write QR_EC
read event
[ -event 2 ] SCI_EVT clear
With the above commit, Samsung cannot work:
[ +event 1 ] SCI_EVT set
[ +event 2 ] SCI_EVT set
write QR_EC
read event
[ -event 1 ] SCI_EVT clear
CANNOT prepare next QR_EC as SCI_EVT=0
2. Acer may behave like:
[ +event 1 ] SCI_EVT set
[ +event 2 ]
write QR_EC
read event
[ -event 1 ] SCI_EVT clear
[ +event 2 ] SCI_EVT set
Without the above commit, Acer cannot work when there is only 1 event:
[ +event 1 ] SCI_EVT set
write QR_EC
can prepare next QR_EC as SCI_EVT=1
read event
[ -event 1 ] SCI_EVT clear
CANNOT write QR_EC as SCI_EVT=0
With the above commit, Acer can work:
[ +event 1 ] SCI_EVT set
[ +event 2 ]
write QR_EC
read event
[ -event 1 ] SCI_EVT set
can prepare next QR_EC because SCI_EVT=0
CAN write QR_EC as SCI_EVT=1
Since Acer can also work with only the following commit applied:
Commit: 3afcf2ece453e1a8c2c6de19cdf06da3772a1b08
Subject: ACPI / EC: Add support to disallow QR_EC to be issued when
SCI_EVT isn't set
commit 558e4736f2e1b0e6323adf7a5e4df77ed6cfc1a4 can be reverted.
Fixes: 558e4736f2e1 (ACPI / EC: Add support to disallow QR_EC to be issued ...)
Link: https://bugzilla.kernel.org/show_bug.cgi?id=44161
Reported-and-tested-by: Ortwin Glück <odi@odi.ch>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/acpi/ec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -299,11 +299,11 @@ static int acpi_ec_transaction_unlocked(
/* following two actions should be kept atomic */
ec->curr = t;
start_transaction(ec);
+ if (ec->curr->command == ACPI_EC_COMMAND_QUERY)
+ clear_bit(EC_FLAGS_QUERY_PENDING, &ec->flags);
spin_unlock_irqrestore(&ec->lock, tmp);
ret = ec_poll(ec);
spin_lock_irqsave(&ec->lock, tmp);
- if (ec->curr->command == ACPI_EC_COMMAND_QUERY)
- clear_bit(EC_FLAGS_QUERY_PENDING, &ec->flags);
ec->curr = NULL;
spin_unlock_irqrestore(&ec->lock, tmp);
return ret;
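Review bot: The context comment says "following two actions should be kept atomic", but with clear_bit(EC_FLAGS_QUERY_PENDING, &ec->flags) moved up there are now three statements between that comment and spin_unlock_irqrestore(). Update the comment, or add a line saying that the pending flag is cleared as soon as the QR_EC transaction is started so that the next query can be prepared while ec_poll() runs, which is the Samsung behaviour the changelog describes.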
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 188/192] sched: move no_new_privs into new atomic flags
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Oleg Nesterov, Kees Cook, Andy Lutomirski
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit 1d4457f99928a968767f6405b4a1f50845aa15fd upstream.
Since seccomp transitions between threads require updates to the
no_new_privs flag to be atomic, the flag must be part of an atomic flag
set. This moves the nnp flag into a separate task field, and introduces
accessors.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/exec.c | 4 ++--
include/linux/sched.h | 18 +++++++++++++++---
kernel/seccomp.c | 2 +-
kernel/sys.c | 4 ++--
security/apparmor/domain.c | 4 ++--
5 files changed, 22 insertions(+), 10 deletions(-)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1269,7 +1269,7 @@ static void check_unsafe_exec(struct lin
* This isn't strictly necessary, but it makes it harder for LSMs to
* mess up.
*/
- if (current->no_new_privs)
+ if (task_no_new_privs(current))
bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS;
t = p;
@@ -1303,7 +1303,7 @@ static void bprm_fill_uid(struct linux_b
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
return;
- if (current->no_new_privs)
+ if (task_no_new_privs(current))
return;
inode = file_inode(bprm->file);
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1317,13 +1317,12 @@ struct task_struct {
* execve */
unsigned in_iowait:1;
- /* task may not gain privileges */
- unsigned no_new_privs:1;
-
/* Revert to default priority/policy when forking */
unsigned sched_reset_on_fork:1;
unsigned sched_contributes_to_load:1;
+ unsigned long atomic_flags; /* Flags needing atomic access. */
+
pid_t pid;
pid_t tgid;
@@ -1979,6 +1978,19 @@ static inline void memalloc_noio_restore
current->flags = (current->flags & ~PF_MEMALLOC_NOIO) | flags;
}
+/* Per-process atomic flags. */
+#define PFA_NO_NEW_PRIVS 0x00000001 /* May not gain new privileges. */
+
+static inline bool task_no_new_privs(struct task_struct *p)
+{
+ return test_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags);
+}
+
+static inline void task_set_no_new_privs(struct task_struct *p)
+{
+ set_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags);
+}
+
/*
* task->jobctl flags
*/
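Review bot: PFA_NO_NEW_PRIVS is defined as 0x00000001, spelled like a mask, but it is passed to test_bit() and set_bit(), which take a bit number, so the flag lives in bit 1 (mask 0x2) of atomic_flags and not in bit 0. That works while it is the only flag, but the hex spelling invites the next flag to be added as 0x00000002, and the cpuset patch later in this series already shows the constant as 0 in its context. Write it as a plain index here, or make sure the follow-up that changes it is queued together with this patch.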
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -224,7 +224,7 @@ static long seccomp_attach_filter(struct
* This avoids scenarios where unprivileged tasks can affect the
* behavior of privileged children.
*/
- if (!current->no_new_privs &&
+ if (!task_no_new_privs(current) &&
security_capable_noaudit(current_cred(), current_user_ns(),
CAP_SYS_ADMIN) != 0)
return -EACCES;
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1989,12 +1989,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
if (arg2 != 1 || arg3 || arg4 || arg5)
return -EINVAL;
- current->no_new_privs = 1;
+ task_set_no_new_privs(current);
break;
case PR_GET_NO_NEW_PRIVS:
if (arg2 || arg3 || arg4 || arg5)
return -EINVAL;
- return current->no_new_privs ? 1 : 0;
+ return task_no_new_privs(current) ? 1 : 0;
case PR_GET_THP_DISABLE:
if (arg2 || arg3 || arg4 || arg5)
return -EINVAL;
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -621,7 +621,7 @@ int aa_change_hat(const char *hats[], in
* There is no exception for unconfined as change_hat is not
* available.
*/
- if (current->no_new_privs)
+ if (task_no_new_privs(current))
return -EPERM;
/* released below */
@@ -778,7 +778,7 @@ int aa_change_profile(const char *ns_nam
* no_new_privs is set because this aways results in a reduction
* of permissions.
*/
- if (current->no_new_privs && !unconfined(profile)) {
+ if (task_no_new_privs(current) && !unconfined(profile)) {
put_cred(cred);
return -EPERM;
}
^ permalink raw reply [flat|nested] 196+ messages in thread
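The cpuset and no_new_privs patches above both rest on two properties of the task flag words: a plain read-modify-write on a shared word can lose another writer's update, and set_bit()/test_bit() take a bit number, not a mask. The following is an added userspace C model, not kernel code and not part of either patch, that replays the losing interleaving deterministically and shows which bit each spelling of a PFA_* constant touches. The MODEL_* values and the model_*/replay_* names are assumptions made for this illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed values for this model. 0x01000000 is the PF_SPREAD_PAGE mask
 * the cpuset patch removes; MODEL_PF_USED_MATH is an arbitrary distinct mask. */
#define MODEL_PF_USED_MATH   0x00002000UL
#define MODEL_PF_SPREAD_PAGE 0x01000000UL

/* Userspace stand-ins (assumed names) for set_bit()/clear_bit()/test_bit():
 * each takes a bit NUMBER and updates the word in one indivisible step. */
static void model_set_bit(unsigned int nr, atomic_ulong *word)
{
    atomic_fetch_or(word, 1UL << nr);
}

static void model_clear_bit(unsigned int nr, atomic_ulong *word)
{
    atomic_fetch_and(word, ~(1UL << nr));
}

static bool model_test_bit(unsigned int nr, atomic_ulong *word)
{
    return (atomic_load(word) >> nr) & 1UL;
}

/* Old layout: both writers do a plain load/modify/store on one word.
 * Replay the losing interleaving step by step: the owner clears USED_MATH
 * while a remote writer sets SPREAD_PAGE from a stale snapshot. */
unsigned long replay_shared_word(void)
{
    unsigned long flags = MODEL_PF_USED_MATH;
    unsigned long owner_snap, remote_snap;

    owner_snap = flags;                          /* owner:  load  */
    remote_snap = flags;                         /* remote: load  */
    flags = owner_snap & ~MODEL_PF_USED_MATH;    /* owner:  store */
    flags = remote_snap | MODEL_PF_SPREAD_PAGE;  /* remote: store, clear is lost */
    return flags;
}

struct model_task {
    unsigned long flags;        /* written only by the task itself */
    atomic_ulong atomic_flags;  /* written by other tasks, bitops only */
};

/* New layout, same interleaving: the remote update lands in the middle of
 * the owner's load/store pair but targets a different word, atomically. */
void replay_split_words(struct model_task *t, unsigned int spread_page_nr)
{
    unsigned long owner_snap;

    t->flags = MODEL_PF_USED_MATH;
    atomic_init(&t->atomic_flags, 0);

    owner_snap = t->flags;                            /* owner:  load   */
    model_set_bit(spread_page_nr, &t->atomic_flags);  /* remote: atomic */
    t->flags = owner_snap & ~MODEL_PF_USED_MATH;      /* owner:  store  */
}

/* Which mask does a constant select when it is used as a bit number? */
unsigned long mask_for_nr(unsigned int nr)
{
    atomic_ulong word;

    atomic_init(&word, 0);
    model_set_bit(nr, &word);
    return atomic_load(&word);
}

/* True when clearing flag b also wipes flag a, i.e. both name the same bit. */
bool flags_collide(unsigned int nr_a, unsigned int nr_b)
{
    atomic_ulong word;

    atomic_init(&word, 0);
    model_set_bit(nr_a, &word);
    model_clear_bit(nr_b, &word);
    return !model_test_bit(nr_a, &word);
}

int main(void)
{
    struct model_task t;

    printf("shared word after race: %#lx\n", replay_shared_word());
    replay_split_words(&t, 1);
    printf("split words: flags=%#lx spread_page=%d\n",
           t.flags, model_test_bit(1, &t.atomic_flags));
    printf("constant 0x00000001 as bit number -> mask %#lx\n",
           mask_for_nr(0x00000001));
    printf("0x00000001 vs index 1 collide: %d\n", flags_collide(0x00000001, 1));
    return 0;
}
```

In the shared-word replay the cleared bit comes back because the second store is computed from a stale snapshot; in the split layout each writer's result survives. The collision check shows why a flag defined as 0x00000001 and a later flag defined as index 1 would share one bit.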
* [PATCH 3.16 161/192] Input: ads7846 - correct the value got from SPI
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Haibo Chen, Dmitry Torokhov, Igor Grinberg, Andrey Gelman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Gelman <andrey.gelman@compulab.co.il>
commit 879f2fea8a5a748bcbf98d2cdce9139c045505d3 upstream.
According to the touch controller spec, SPI returns a 16-bit value, of which
only 12 bits are valid; they are bit[14-3].
The value of MISO and MOSI can be configured when SPI is in idle mode.
Currently this touch driver assumes the SPI bus sets the MOSI and MISO in
low level when SPI bus is in idle mode. So the bit[15] of the value got
from SPI bus is always 0. But when SPI bus configures the MOSI and MISO in
high level during the SPI idle mode, the bit[15] of the value got from SPI
is always 1. If bit[15] is not masked, we may get the wrong value.
Mask the invalid bit to make sure the correct value gets returned,
regardless of the SPI bus idle configuration.
Signed-off-by: Andrey Gelman <andrey.gelman@compulab.co.il>
Signed-off-by: Haibo Chen <haibo.chen@freescale.com>
Signed-off-by: Igor Grinberg <grinberg@compulab.co.il>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/touchscreen/ads7846.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/input/touchscreen/ads7846.c
+++ b/drivers/input/touchscreen/ads7846.c
@@ -668,18 +668,22 @@ static int ads7846_no_filter(void *ads,
static int ads7846_get_value(struct ads7846 *ts, struct spi_message *m)
{
+ int value;
struct spi_transfer *t =
list_entry(m->transfers.prev, struct spi_transfer, transfer_list);
if (ts->model == 7845) {
- return be16_to_cpup((__be16 *)&(((char*)t->rx_buf)[1])) >> 3;
+ value = be16_to_cpup((__be16 *)&(((char *)t->rx_buf)[1]));
} else {
/*
* adjust: on-wire is a must-ignore bit, a BE12 value, then
* padding; built from two 8 bit values written msb-first.
*/
- return be16_to_cpup((__be16 *)t->rx_buf) >> 3;
+ value = be16_to_cpup((__be16 *)t->rx_buf);
}
+
+ /* enforce ADC output is 12 bits width */
+ return (value >> 3) & 0xfff;
}
static void ads7846_update_value(struct spi_message *m, int val)
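Review bot: The new "return (value >> 3) & 0xfff;" at the end of ads7846_get_value() hard-codes both the shift and the mask, and the comment above it does not say which wire bits they select. The changelog gives them as bit[14-3] of the 16-bit word; put that in the comment or name the two constants, so it is clear why bit 15 is now dropped for the 7845 branch as well as the others. Wording nit in the same comment: "12 bits wide".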
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 137/192] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (158 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 161/192] Input: ads7846 - correct the value got from SPI Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 172/192] mm/swap.c: flush lru pvecs on compound page arrival Ben Hutchings
` (32 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, ChunYu Wang, Chris Leech, Xin Long, Martin K. Petersen
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit c88f0e6b06f4092995688211a631bb436125d77b upstream.
ChunYu found a kernel crash by syzkaller:
[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[...]
[ 651.627260] Call Trace:
[ 651.629156] skb_release_all+0x4f/0x60
[ 651.629450] consume_skb+0x1a5/0x600
[ 651.630705] netlink_unicast+0x505/0x720
[ 651.632345] netlink_sendmsg+0xab2/0xe70
[ 651.633704] sock_sendmsg+0xcf/0x110
[ 651.633942] ___sys_sendmsg+0x833/0x980
[ 651.637117] __sys_sendmsg+0xf3/0x240
[ 651.638820] SyS_sendmsg+0x32/0x50
[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
It's caused by skb_shared_info at the end of sk_buff being overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
During the loop, if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will actually get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.
This patch is to fix it by checking nlh->nlmsg_len properly there to
avoid over-accessing sk_buff.
Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/scsi_transport_iscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
uint32_t group;
nlh = nlmsg_hdr(skb);
- if (nlh->nlmsg_len < sizeof(*nlh) ||
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
skb->len < nlh->nlmsg_len) {
break;
}
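Review bot: The new lower bound in iscsi_if_rx() guarantees room only for the fixed-size *ev; nothing in this hunk covers data that a given message type carries after the event, so that still depends on checks made elsewhere. A short comment saying what this bound does and does not cover would help. Consider also writing it as nlmsg_msg_size(sizeof(*ev)), so the bound is expressed with the same header length that nlmsg_data() uses to locate ev.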
^ permalink raw reply [flat|nested] 196+ messages in thread
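The length check changed by the iscsi_if_rx patch above, modelled in user space as an added example (not code from the patch or from the kernel). `model_nlmsghdr`, `model_event`, `walk()` and the three buffers are hypothetical stand-ins constructed for illustration; the walker only reports how far an event access would reach and never performs the out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model only: same field layout as struct nlmsghdr (16 bytes). */
struct model_nlmsghdr {
	uint32_t nlmsg_len;	/* header plus payload, as declared by the sender */
	uint16_t nlmsg_type;
	uint16_t nlmsg_flags;
	uint32_t nlmsg_seq;
	uint32_t nlmsg_pid;
};

/* Hypothetical stand-in for the fixed part of the event (16 bytes). */
struct model_event {
	uint32_t type;
	uint32_t iferror;
	uint64_t handle;
};

#define MODEL_ALIGN(n) (((n) + 3u) & ~3u)	/* same rounding as NLMSG_ALIGN */

struct walk_result {
	int handled;		/* messages whose event lies inside the message */
	size_t past_msg;	/* bytes an event access reaches past nlmsg_len */
	size_t past_buf;	/* bytes it reaches past the end of the buffer */
};

/* Walk a receive buffer; fixed = 0 models the old bound, 1 the patched one. */
static struct walk_result walk(const unsigned char *buf, size_t len, int fixed)
{
	struct walk_result r = { 0, 0, 0 };
	const size_t ev_end = sizeof(struct model_nlmsghdr) +
			      sizeof(struct model_event);
	size_t off = 0;

	while (len - off >= sizeof(struct model_nlmsghdr)) {
		struct model_nlmsghdr nlh;
		size_t remaining = len - off;
		size_t min_len = fixed ? ev_end : sizeof(nlh);
		size_t step;

		memcpy(&nlh, buf + off, sizeof(nlh));
		if (nlh.nlmsg_len < min_len || remaining < nlh.nlmsg_len)
			break;

		/* A handler would now touch the event; measure, do not touch. */
		if (ev_end > nlh.nlmsg_len) {
			r.past_msg = ev_end - nlh.nlmsg_len;
			if (ev_end > remaining)
				r.past_buf = ev_end - remaining;
			break;
		}
		r.handled++;
		step = MODEL_ALIGN(nlh.nlmsg_len);
		if (step > remaining)
			step = remaining;
		off += step;
	}
	return r;
}

static void put_hdr(unsigned char *buf, size_t off, uint32_t nlmsg_len)
{
	struct model_nlmsghdr nlh = { nlmsg_len, 0, 0, 0, 0 };

	memcpy(buf + off, &nlh, sizeof(nlh));
}

/* Constructed: the changelog's case, len == nlmsg_len == sizeof(header). */
static struct walk_result case_header_only(int fixed)
{
	unsigned char buf[16] = { 0 };

	put_hdr(buf, 0, 16);
	return walk(buf, sizeof(buf), fixed);
}

/* Constructed: one complete message followed by a header-only message. */
static struct walk_result case_trailing_short(int fixed)
{
	unsigned char buf[48] = { 0 };

	put_hdr(buf, 0, 32);
	put_hdr(buf, 32, 16);
	return walk(buf, sizeof(buf), fixed);
}

/* Constructed: header-only message first, so the access hits the next message. */
static struct walk_result case_leading_short(int fixed)
{
	unsigned char buf[48] = { 0 };

	put_hdr(buf, 0, 16);
	put_hdr(buf, 16, 32);
	return walk(buf, sizeof(buf), fixed);
}

int main(void)
{
	for (int fixed = 0; fixed <= 1; fixed++) {
		struct walk_result r = case_header_only(fixed);

		printf("fixed=%d handled=%d past_msg=%zu past_buf=%zu\n",
		       fixed, r.handled, r.past_msg, r.past_buf);
	}
	return 0;
}
```

With the old bound the header-only message is accepted and the event access lands 16 bytes outside it; in `case_leading_short` those bytes belong to the next message rather than to memory past the buffer, which is why the defect does not always crash.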
* [PATCH 3.16 172/192] mm/swap.c: flush lru pvecs on compound page arrival
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (159 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 137/192] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 160/192] v4l2-dv-timings.h: fix polarity for 4k formats Ben Hutchings
` (31 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Vladimir Davydov, Ming Li, Linus Torvalds, Lukasz Odzioba,
Andrea Arcangeli, Michal Hocko, Minchan Kim, Kirill Shutemov
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukasz Odzioba <lukasz.odzioba@intel.com>
commit 8f182270dfec432e93fae14f9208a6b9af01009f upstream.
Currently we can have compound pages held on per cpu pagevecs, which
leads to a lot of memory unavailable for reclaim when needed. In the
systems with hundreds of processors it can be GBs of memory.
One of the ways of reproducing the problem is to not call munmap
explicitly on all mapped regions (i.e. after receiving SIGTERM). After
that some pages (with THP enabled also huge pages) may end up on
lru_add_pvec, example below.
void main() {
#pragma omp parallel
{
size_t size = 55 * 1000 * 1000; // smaller than MEM/CPUS
void *p = mmap(NULL, size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS , -1, 0);
if (p != MAP_FAILED)
memset(p, 0, size);
//munmap(p, size); // uncomment to make the problem go away
}
}
When we run it with THP enabled it will leave a significant amount of
memory on lru_add_pvec. This memory will not be reclaimed if we hit
OOM, so when we run the above program in a loop:
for i in `seq 100`; do ./a.out; done
many processes (95% in my case) will be killed by OOM.
The primary point of the LRU add cache is to save the zone lru_lock
contention with a hope that more pages will belong to the same zone and
so their addition can be batched. The huge page is already a form of
batched addition (it will add 512 worth of memory in one go) so skipping
the batching seems like a safer option when compared to a potential
excess in the caching which can be quite large and much harder to fix
because lru_add_drain_all is way too expensive and it is not really clear
what would be a good moment to call it.
Similarly we can reproduce the problem on lru_deactivate_pvec by adding:
madvise(p, size, MADV_FREE); after memset.
This patch flushes lru pvecs on compound page arrival making the problem
less severe - after applying it kill rate of above example drops to 0%,
due to reducing maximum amount of memory held on pvec from 28MB (with
THP) to 56kB per CPU.
Suggested-by: Michal Hocko <mhocko@suse.com>
Link: http://lkml.kernel.org/r/1466180198-18854-1-git-send-email-lukasz.odzioba@intel.com
Signed-off-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Kirill Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Vladimir Davydov <vdavydov@parallels.com>
Cc: Ming Li <mingli199x@qq.com>
Cc: Minchan Kim <minchan@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
- Drop change in deactivate_file_page()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/swap.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/mm/swap.c
+++ b/mm/swap.c
@@ -474,7 +474,7 @@ void rotate_reclaimable_page(struct page
page_cache_get(page);
local_irq_save(flags);
pvec = this_cpu_ptr(&lru_rotate_pvecs);
- if (!pagevec_add(pvec, page))
+ if (!pagevec_add(pvec, page) || PageCompound(page))
pagevec_move_tail(pvec);
local_irq_restore(flags);
}
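Review bot: The condition "!pagevec_add(pvec, page) || PageCompound(page)" in rotate_reclaimable_page() has no comment, and the same expression is repeated in activate_page(), __lru_cache_add() and deactivate_page(). A one-line comment, or a small helper that says compound pages force an immediate drain, would keep the four call sites from drifting apart.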
@@ -530,7 +530,7 @@ void activate_page(struct page *page)
struct pagevec *pvec = &get_cpu_var(activate_page_pvecs);
page_cache_get(page);
- if (!pagevec_add(pvec, page))
+ if (!pagevec_add(pvec, page) || PageCompound(page))
pagevec_lru_move_fn(pvec, __activate_page, NULL);
put_cpu_var(activate_page_pvecs);
}
@@ -630,9 +630,8 @@ static void __lru_cache_add(struct page
struct pagevec *pvec = &get_cpu_var(lru_add_pvec);
page_cache_get(page);
- if (!pagevec_space(pvec))
+ if (!pagevec_add(pvec, page) || PageCompound(page))
__pagevec_lru_add(pvec);
- pagevec_add(pvec, page);
put_cpu_var(lru_add_pvec);
}
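Review bot: __lru_cache_add() changes more than the compound-page case. The old code drained a full pagevec and then added the new page; the new code adds first and drains as soon as pagevec_add() reports no space left, so the page just added goes out with that batch. That matches the other three callers, but the changelog only talks about compound pages; please mention the ordering change there or in a comment at this site.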
@@ -811,7 +810,7 @@ void deactivate_page(struct page *page)
if (likely(get_page_unless_zero(page))) {
struct pagevec *pvec = &get_cpu_var(lru_deactivate_pvecs);
- if (!pagevec_add(pvec, page))
+ if (!pagevec_add(pvec, page) || PageCompound(page))
pagevec_lru_move_fn(pvec, lru_deactivate_fn, NULL);
put_cpu_var(lru_deactivate_pvecs);
}
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 160/192] v4l2-dv-timings.h: fix polarity for 4k formats
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (160 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 172/192] mm/swap.c: flush lru pvecs on compound page arrival Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 174/192] mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED Ben Hutchings
` (30 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Hans Verkuil, Hans Verkuil, Martin Bugge, Mauro Carvalho Chehab
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil@xs4all.nl>
commit 3020ca711871fdaf0c15c8bab677a6bc302e28fe upstream.
The VSync polarity was negative instead of positive for the 4k CEA formats.
I probably copy-and-pasted these from the DMT 4k format, which does have a
negative VSync polarity.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reported-by: Martin Bugge <marbugge@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/uapi/linux/v4l2-dv-timings.h | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
--- a/include/uapi/linux/v4l2-dv-timings.h
+++ b/include/uapi/linux/v4l2-dv-timings.h
@@ -175,70 +175,80 @@
#define V4L2_DV_BT_CEA_3840X2160P24 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(3840, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(3840, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
297000000, 1276, 88, 296, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, V4L2_DV_FL_CAN_REDUCE_FPS) \
}
#define V4L2_DV_BT_CEA_3840X2160P25 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(3840, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(3840, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
297000000, 1056, 88, 296, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, 0) \
}
#define V4L2_DV_BT_CEA_3840X2160P30 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(3840, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(3840, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
297000000, 176, 88, 296, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, V4L2_DV_FL_CAN_REDUCE_FPS) \
}
#define V4L2_DV_BT_CEA_3840X2160P50 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(3840, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(3840, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
594000000, 1056, 88, 296, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, 0) \
}
#define V4L2_DV_BT_CEA_3840X2160P60 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(3840, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(3840, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
594000000, 176, 88, 296, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, V4L2_DV_FL_CAN_REDUCE_FPS) \
}
#define V4L2_DV_BT_CEA_4096X2160P24 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(4096, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(4096, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
297000000, 1020, 88, 296, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, V4L2_DV_FL_CAN_REDUCE_FPS) \
}
#define V4L2_DV_BT_CEA_4096X2160P25 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(4096, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(4096, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
297000000, 968, 88, 128, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, 0) \
}
#define V4L2_DV_BT_CEA_4096X2160P30 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(4096, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(4096, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
297000000, 88, 88, 128, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, V4L2_DV_FL_CAN_REDUCE_FPS) \
}
#define V4L2_DV_BT_CEA_4096X2160P50 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(4096, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(4096, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
594000000, 968, 88, 128, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, 0) \
}
#define V4L2_DV_BT_CEA_4096X2160P60 { \
.type = V4L2_DV_BT_656_1120, \
- V4L2_INIT_BT_TIMINGS(4096, 2160, 0, V4L2_DV_HSYNC_POS_POL, \
+ V4L2_INIT_BT_TIMINGS(4096, 2160, 0, \
+ V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL, \
594000000, 88, 88, 128, 8, 10, 72, 0, 0, 0, \
V4L2_DV_BT_STD_CEA861, V4L2_DV_FL_CAN_REDUCE_FPS) \
}
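Review bot: All ten CEA 4k macros now pass "V4L2_DV_HSYNC_POS_POL | V4L2_DV_VSYNC_POS_POL", and since this header lives under include/uapi the corrected VSync polarity reaches a user-space program only when it is rebuilt against the new header. The changelog should say so, and should confirm that the DMT 4k definition it mentions (negative VSync) is intentionally left as it is, since that definition is not part of this hunk.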
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 174/192] mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (161 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 160/192] v4l2-dv-timings.h: fix polarity for 4k formats Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 149/192] sparc: Harden signal return frame checks Ben Hutchings
` (29 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Kirill A. Shutemov, Jiri Slaby, Andrea Arcangeli
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrea Arcangeli <aarcange@redhat.com>
commit ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 upstream.
pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were
introduced to locklessly (but atomically) detect when a pmd is a regular
(stable) pmd or when the pmd is unstable and can infinitely transition
from pmd_none() and pmd_trans_huge() from under us, while only holding
the mmap_sem for reading (for writing not).
While holding the mmap_sem only for reading, MADV_DONTNEED can run from
under us and so before we can assume the pmd to be a regular stable pmd
we need to compare it against pmd_none() and pmd_trans_huge() in an
atomic way, with pmd_trans_unstable(). The old pmd_trans_huge() left a
tiny window for a race.
Useful applications are unlikely to notice the difference as doing
MADV_DONTNEED concurrently with a page fault would lead to undefined
behavior.
[akpm@linux-foundation.org: tidy up comment grammar/layout]
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[js] 3.12 backport: no pmd_devmap in 3.12 yet.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/memory.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3274,8 +3274,18 @@ static int __handle_mm_fault(struct mm_s
if (unlikely(pmd_none(*pmd)) &&
unlikely(__pte_alloc(mm, vma, pmd, address)))
return VM_FAULT_OOM;
- /* if an huge pmd materialized from under us just retry later */
- if (unlikely(pmd_trans_huge(*pmd)))
+ /*
+ * If a huge pmd materialized under us just retry later. Use
+ * pmd_trans_unstable() instead of pmd_trans_huge() to ensure the pmd
+ * didn't become pmd_trans_huge under us and then back to pmd_none, as
+ * a result of MADV_DONTNEED running immediately after a huge pmd fault
+ * in a different thread of this mm, in turn leading to a misleading
+ * pmd_trans_huge() retval. All we have to ensure is that it is a
+ * regular pmd that we can walk with pte_offset_map() and we can do that
+ * through an atomic read in C, which is what pmd_trans_unstable()
+ * provides.
+ */
+ if (unlikely(pmd_trans_unstable(pmd)))
return 0;
/*
* A regular pmd is established and it can't morph into a huge pmd
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 149/192] sparc: Harden signal return frame checks.
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (162 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 174/192] mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 175/192] PCI: Support PCIe devices with short cfg_size Ben Hutchings
` (28 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "David S. Miller" <davem@davemloft.net>
[ Upstream commit d11c2a0de2824395656cf8ed15811580c9dd38aa ]
All signal frames must be at least 16-byte aligned, because that is
the alignment we explicitly create when we build signal return stack
frames.
All stack pointers must be at least 8-byte aligned.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sparc/kernel/signal32.c | 46 +++++++++++++++++++++++++++---------------
arch/sparc/kernel/signal_32.c | 41 +++++++++++++++++++++++--------------
arch/sparc/kernel/signal_64.c | 31 ++++++++++++++++++----------
arch/sparc/kernel/sigutil_32.c | 9 ++++++++-
arch/sparc/kernel/sigutil_64.c | 10 +++++++--
5 files changed, 92 insertions(+), 45 deletions(-)
--- a/arch/sparc/kernel/signal32.c
+++ b/arch/sparc/kernel/signal32.c
@@ -138,12 +138,24 @@ int copy_siginfo_from_user32(siginfo_t *
return 0;
}
+/* Checks if the fp is valid. We always build signal frames which are
+ * 16-byte aligned, therefore we can always enforce that the restore
+ * frame has that property as well.
+ */
+static bool invalid_frame_pointer(void __user *fp, int fplen)
+{
+ if ((((unsigned long) fp) & 15) ||
+ ((unsigned long)fp) > 0x100000000ULL - fplen)
+ return true;
+ return false;
+}
+
void do_sigreturn32(struct pt_regs *regs)
{
struct signal_frame32 __user *sf;
compat_uptr_t fpu_save;
compat_uptr_t rwin_save;
- unsigned int psr;
+ unsigned int psr, ufp;
unsigned pc, npc;
sigset_t set;
compat_sigset_t seta;
@@ -158,11 +170,16 @@ void do_sigreturn32(struct pt_regs *regs
sf = (struct signal_frame32 __user *) regs->u_regs[UREG_FP];
/* 1. Make sure we are not getting garbage from the user */
- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) ||
- (((unsigned long) sf) & 3))
+ if (invalid_frame_pointer(sf, sizeof(*sf)))
+ goto segv;
+
+ if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP]))
+ goto segv;
+
+ if (ufp & 0x7)
goto segv;
- if (get_user(pc, &sf->info.si_regs.pc) ||
+ if (__get_user(pc, &sf->info.si_regs.pc) ||
__get_user(npc, &sf->info.si_regs.npc))
goto segv;
@@ -227,7 +244,7 @@ segv:
asmlinkage void do_rt_sigreturn32(struct pt_regs *regs)
{
struct rt_signal_frame32 __user *sf;
- unsigned int psr, pc, npc;
+ unsigned int psr, pc, npc, ufp;
compat_uptr_t fpu_save;
compat_uptr_t rwin_save;
sigset_t set;
@@ -242,11 +259,16 @@ asmlinkage void do_rt_sigreturn32(struct
sf = (struct rt_signal_frame32 __user *) regs->u_regs[UREG_FP];
/* 1. Make sure we are not getting garbage from the user */
- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) ||
- (((unsigned long) sf) & 3))
+ if (invalid_frame_pointer(sf, sizeof(*sf)))
goto segv;
- if (get_user(pc, &sf->regs.pc) ||
+ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
+ goto segv;
+
+ if (ufp & 0x7)
+ goto segv;
+
+ if (__get_user(pc, &sf->regs.pc) ||
__get_user(npc, &sf->regs.npc))
goto segv;
@@ -307,14 +329,6 @@ segv:
force_sig(SIGSEGV, current);
}
-/* Checks if the fp is valid */
-static int invalid_frame_pointer(void __user *fp, int fplen)
-{
- if ((((unsigned long) fp) & 7) || ((unsigned long)fp) > 0x100000000ULL - fplen)
- return 1;
- return 0;
-}
-
static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize)
{
unsigned long sp;
--- a/arch/sparc/kernel/signal_32.c
+++ b/arch/sparc/kernel/signal_32.c
@@ -60,10 +60,22 @@ struct rt_signal_frame {
#define SF_ALIGNEDSZ (((sizeof(struct signal_frame) + 7) & (~7)))
#define RT_ALIGNEDSZ (((sizeof(struct rt_signal_frame) + 7) & (~7)))
+/* Checks if the fp is valid. We always build signal frames which are
+ * 16-byte aligned, therefore we can always enforce that the restore
+ * frame has that property as well.
+ */
+static inline bool invalid_frame_pointer(void __user *fp, int fplen)
+{
+ if ((((unsigned long) fp) & 15) || !__access_ok((unsigned long)fp, fplen))
+ return true;
+
+ return false;
+}
+
asmlinkage void do_sigreturn(struct pt_regs *regs)
{
+ unsigned long up_psr, pc, npc, ufp;
struct signal_frame __user *sf;
- unsigned long up_psr, pc, npc;
sigset_t set;
__siginfo_fpu_t __user *fpu_save;
__siginfo_rwin_t __user *rwin_save;
@@ -77,10 +89,13 @@ asmlinkage void do_sigreturn(struct pt_r
sf = (struct signal_frame __user *) regs->u_regs[UREG_FP];
/* 1. Make sure we are not getting garbage from the user */
- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)))
+ if (!invalid_frame_pointer(sf, sizeof(*sf)))
goto segv_and_exit;
- if (((unsigned long) sf) & 3)
+ if (get_user(ufp, &sf->info.si_regs.u_regs[UREG_FP]))
+ goto segv_and_exit;
+
+ if (ufp & 0x7)
goto segv_and_exit;
err = __get_user(pc, &sf->info.si_regs.pc);
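Review bot: The check in do_sigreturn() is inverted. "if (!invalid_frame_pointer(sf, sizeof(*sf))) goto segv_and_exit;" sends every frame that passes validation to the SIGSEGV path and lets a misaligned or inaccessible frame pointer continue to the get_user() and __get_user() reads below. invalid_frame_pointer() returns true for a bad pointer, and signal32.c and signal_64.c in this same patch test it without the negation; drop the "!".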
@@ -127,7 +142,7 @@ segv_and_exit:
asmlinkage void do_rt_sigreturn(struct pt_regs *regs)
{
struct rt_signal_frame __user *sf;
- unsigned int psr, pc, npc;
+ unsigned int psr, pc, npc, ufp;
__siginfo_fpu_t __user *fpu_save;
__siginfo_rwin_t __user *rwin_save;
sigset_t set;
@@ -135,8 +150,13 @@ asmlinkage void do_rt_sigreturn(struct p
synchronize_user_stack();
sf = (struct rt_signal_frame __user *) regs->u_regs[UREG_FP];
- if (!access_ok(VERIFY_READ, sf, sizeof(*sf)) ||
- (((unsigned long) sf) & 0x03))
+ if (!invalid_frame_pointer(sf, sizeof(*sf)))
+ goto segv;
+
+ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
+ goto segv;
+
+ if (ufp & 0x7)
goto segv;
err = __get_user(pc, &sf->regs.pc);
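Review bot: do_rt_sigreturn() has the test negated as well: "if (!invalid_frame_pointer(sf, sizeof(*sf))) goto segv;". Because the helper returns true for a bad frame pointer, this rejects valid rt signal frames and accepts the ones the 16-byte alignment and __access_ok() checks were added to stop. It should read "if (invalid_frame_pointer(sf, sizeof(*sf)))".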
@@ -178,15 +198,6 @@ segv:
force_sig(SIGSEGV, current);
}
-/* Checks if the fp is valid */
-static inline int invalid_frame_pointer(void __user *fp, int fplen)
-{
- if ((((unsigned long) fp) & 7) || !__access_ok((unsigned long)fp, fplen))
- return 1;
-
- return 0;
-}
-
static inline void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize)
{
unsigned long sp = regs->u_regs[UREG_FP];
--- a/arch/sparc/kernel/signal_64.c
+++ b/arch/sparc/kernel/signal_64.c
@@ -234,6 +234,17 @@ do_sigsegv:
goto out;
}
+/* Checks if the fp is valid. We always build rt signal frames which
+ * are 16-byte aligned, therefore we can always enforce that the
+ * restore frame has that property as well.
+ */
+static bool invalid_frame_pointer(void __user *fp)
+{
+ if (((unsigned long) fp) & 15)
+ return true;
+ return false;
+}
+
struct rt_signal_frame {
struct sparc_stackf ss;
siginfo_t info;
@@ -246,8 +257,8 @@ struct rt_signal_frame {
void do_rt_sigreturn(struct pt_regs *regs)
{
+ unsigned long tpc, tnpc, tstate, ufp;
struct rt_signal_frame __user *sf;
- unsigned long tpc, tnpc, tstate;
__siginfo_fpu_t __user *fpu_save;
__siginfo_rwin_t __user *rwin_save;
sigset_t set;
@@ -261,10 +272,16 @@ void do_rt_sigreturn(struct pt_regs *reg
(regs->u_regs [UREG_FP] + STACK_BIAS);
/* 1. Make sure we are not getting garbage from the user */
- if (((unsigned long) sf) & 3)
+ if (invalid_frame_pointer(sf))
+ goto segv;
+
+ if (get_user(ufp, &sf->regs.u_regs[UREG_FP]))
goto segv;
- err = get_user(tpc, &sf->regs.tpc);
+ if ((ufp + STACK_BIAS) & 0x7)
+ goto segv;
+
+ err = __get_user(tpc, &sf->regs.tpc);
err |= __get_user(tnpc, &sf->regs.tnpc);
if (test_thread_flag(TIF_32BIT)) {
tpc &= 0xffffffff;
@@ -308,14 +325,6 @@ segv:
force_sig(SIGSEGV, current);
}
-/* Checks if the fp is valid */
-static int invalid_frame_pointer(void __user *fp)
-{
- if (((unsigned long) fp) & 15)
- return 1;
- return 0;
-}
-
static inline void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs, unsigned long framesize)
{
unsigned long sp = regs->u_regs[UREG_FP] + STACK_BIAS;
--- a/arch/sparc/kernel/sigutil_32.c
+++ b/arch/sparc/kernel/sigutil_32.c
@@ -48,6 +48,10 @@ int save_fpu_state(struct pt_regs *regs,
int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
{
int err;
+
+ if (((unsigned long) fpu) & 3)
+ return -EFAULT;
+
#ifdef CONFIG_SMP
if (test_tsk_thread_flag(current, TIF_USEDFPU))
regs->psr &= ~PSR_EF;
@@ -97,7 +101,10 @@ int restore_rwin_state(__siginfo_rwin_t
struct thread_info *t = current_thread_info();
int i, wsaved, err;
- __get_user(wsaved, &rp->wsaved);
+ if (((unsigned long) rp) & 3)
+ return -EFAULT;
+
+ get_user(wsaved, &rp->wsaved);
if (wsaved > NSWINS)
return -EFAULT;
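Review bot: In restore_rwin_state() the result of "get_user(wsaved, &rp->wsaved);" is discarded, and wsaved is a signed int that is only tested with "wsaved > NSWINS", so a faulting read goes unreported and a negative count passes the bound. Return -EFAULT when get_user() fails and reject wsaved < 0 as well. The sigutil_64.c hunk for the same function shows the same pattern.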
--- a/arch/sparc/kernel/sigutil_64.c
+++ b/arch/sparc/kernel/sigutil_64.c
@@ -37,7 +37,10 @@ int restore_fpu_state(struct pt_regs *re
unsigned long fprs;
int err;
- err = __get_user(fprs, &fpu->si_fprs);
+ if (((unsigned long) fpu) & 7)
+ return -EFAULT;
+
+ err = get_user(fprs, &fpu->si_fprs);
fprs_write(0);
regs->tstate &= ~TSTATE_PEF;
if (fprs & FPRS_DL)
@@ -72,7 +75,10 @@ int restore_rwin_state(__siginfo_rwin_t
struct thread_info *t = current_thread_info();
int i, wsaved, err;
- __get_user(wsaved, &rp->wsaved);
+ if (((unsigned long) rp) & 7)
+ return -EFAULT;
+
+ get_user(wsaved, &rp->wsaved);
if (wsaved > NSWINS)
return -EFAULT;
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 175/192] PCI: Support PCIe devices with short cfg_size
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (163 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 149/192] sparc: Harden signal return frame checks Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 165/192] misc: ad525x_dpot: Fix the enabling of the "otpXen" attributes Ben Hutchings
` (27 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Simon Horman, Bjorn Helgaas, Jason S. McMullan
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Jason S. McMullan" <jason.mcmullan@netronome.com>
commit c20aecf6963d1273d8f6d61c042b4845441ca592 upstream.
If a device quirk modifies the pci_dev->cfg_size to be less than
PCI_CFG_SPACE_EXP_SIZE (4096), but greater than PCI_CFG_SPACE_SIZE (256),
the PCI sysfs interface truncates the readable size to PCI_CFG_SPACE_SIZE.
Allow sysfs access to config space up to cfg_size, even if the device
doesn't support the entire 4096-byte PCIe config space.
Note that pci_read_config() and pci_write_config() limit access to
dev->cfg_size even though pcie_config_attr contains 4096 (the maximum
size).
Signed-off-by: Jason S. McMullan <jason.mcmullan@netronome.com>
[simon: edited changelog]
Signed-off-by: Simon Horman <simon.horman@netronome.com>
[bhelgaas: more changelog edits]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/pci/pci-sysfs.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -1367,10 +1367,10 @@ int __must_check pci_create_sysfs_dev_fi
if (!sysfs_initialized)
return -EACCES;
- if (pdev->cfg_size < PCI_CFG_SPACE_EXP_SIZE)
- retval = sysfs_create_bin_file(&pdev->dev.kobj, &pci_config_attr);
- else
+ if (pdev->cfg_size > PCI_CFG_SPACE_SIZE)
retval = sysfs_create_bin_file(&pdev->dev.kobj, &pcie_config_attr);
+ else
+ retval = sysfs_create_bin_file(&pdev->dev.kobj, &pci_config_attr);
if (retval)
goto err;
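Review bot: With "pdev->cfg_size > PCI_CFG_SPACE_SIZE" a device whose cfg_size falls between 256 and 4096 now gets pcie_config_attr, which the changelog says still carries the maximum size of 4096, so the sysfs file advertises more bytes than pci_read_config() will return. Please document that next to this test, since tools that trust the file size will see short reads. The same selection is repeated in the err_config_file path and in pci_remove_sysfs_dev_files(); a small helper returning the attribute would keep create and remove in step.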
@@ -1422,10 +1422,10 @@ err_rom_file:
err_resource_files:
pci_remove_resource_files(pdev);
err_config_file:
- if (pdev->cfg_size < PCI_CFG_SPACE_EXP_SIZE)
- sysfs_remove_bin_file(&pdev->dev.kobj, &pci_config_attr);
- else
+ if (pdev->cfg_size > PCI_CFG_SPACE_SIZE)
sysfs_remove_bin_file(&pdev->dev.kobj, &pcie_config_attr);
+ else
+ sysfs_remove_bin_file(&pdev->dev.kobj, &pci_config_attr);
err:
return retval;
}
@@ -1459,10 +1459,10 @@ void pci_remove_sysfs_dev_files(struct p
pci_remove_capabilities_sysfs(pdev);
- if (pdev->cfg_size < PCI_CFG_SPACE_EXP_SIZE)
- sysfs_remove_bin_file(&pdev->dev.kobj, &pci_config_attr);
- else
+ if (pdev->cfg_size > PCI_CFG_SPACE_SIZE)
sysfs_remove_bin_file(&pdev->dev.kobj, &pcie_config_attr);
+ else
+ sysfs_remove_bin_file(&pdev->dev.kobj, &pci_config_attr);
pci_remove_resource_files(pdev);
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 165/192] misc: ad525x_dpot: Fix the enabling of the "otpXen" attributes
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (164 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 175/192] PCI: Support PCIe devices with short cfg_size Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 146/192] sparc64: Fix sparc64_set_context stack handling Ben Hutchings
` (26 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dan Bogdan Nechita, Greg Kroah-Hartman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Bogdan Nechita <dan.bogdan.nechita@gmail.com>
commit 1bb850a1b7f68b66361e658e334f9fdf8231f17d upstream.
Currently writing the attributes with "echo" will result in comparing:
"enabled\n" with "enabled\0" and attribute is always set to false.
Use the sysfs_streq() instead because it treats both NUL and
new-line-then-NUL as equivalent string terminations.
Signed-off-by: Dan Bogdan Nechita <dan.bogdan.nechita@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/misc/ad525x_dpot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/ad525x_dpot.c
+++ b/drivers/misc/ad525x_dpot.c
@@ -457,7 +457,7 @@ static ssize_t sysfs_set_reg(struct devi
int err;
if (reg & DPOT_ADDR_OTP_EN) {
- if (!strncmp(buf, "enabled", sizeof("enabled")))
+ if (sysfs_streq(buf, "enabled"))
set_bit(DPOT_RDAC_MASK & reg, data->otp_en_mask);
else
clear_bit(DPOT_RDAC_MASK & reg, data->otp_en_mask);
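Review bot: any input other than "enabled" (with or without the trailing newline) still lands in the else branch and clears the OTP enable bit, so a typo silently disables it. Consider matching "disabled" explicitly with a second sysfs_streq() and returning -EINVAL for anything else.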
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 146/192] sparc64: Fix sparc64_set_context stack handling.
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (165 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 165/192] misc: ad525x_dpot: Fix the enabling of the "otpXen" attributes Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 168/192] perf/x86: Fix undefined shift on 32-bit kernels Ben Hutchings
` (25 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Ilya Malakhov, David S. Miller
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "David S. Miller" <davem@davemloft.net>
[ Upstream commit 397d1533b6cce0ccb5379542e2e6d079f6936c46 ]
Like a signal return, we should use synchronize_user_stack() rather
than flush_user_windows().
Reported-by: Ilya Malakhov <ilmalakhovthefirst@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sparc/kernel/signal_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/sparc/kernel/signal_64.c
+++ b/arch/sparc/kernel/signal_64.c
@@ -52,7 +52,7 @@ asmlinkage void sparc64_set_context(stru
unsigned char fenab;
int err;
- flush_user_windows();
+ synchronize_user_stack();
if (get_thread_wsaved() ||
(((unsigned long)ucp) & (sizeof(unsigned long)-1)) ||
(!__access_ok(ucp, sizeof(*ucp))))
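Review bot: missing documentation: neither the changelog nor the code says what goes wrong with flush_user_windows() at this point, only that signal return does it differently. A short comment above synchronize_user_stack() stating what state the get_thread_wsaved() check right below expects would let a stable reviewer judge the backport without reading the upstream thread.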
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 168/192] perf/x86: Fix undefined shift on 32-bit kernels
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (166 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 146/192] sparc64: Fix sparc64_set_context stack handling Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 169/192] macintosh/therm_windtunnel: Export I2C module alias information Ben Hutchings
` (24 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Stephane Eranian, Linus Torvalds, Peter Zijlstra (Intel),
Imre Palik, Andrey Ryabinin, Thomas Gleixner, Jim Cromie,
Ingo Molnar, H. Peter Anvin, Jiri Olsa, Alexander Shishkin,
Vince Weaver, Arnaldo Carvalho de Melo
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Ryabinin <aryabinin@virtuozzo.com>
commit 6d6f2833bfbf296101f9f085e10488aef2601ba5 upstream.
Jim reported:
UBSAN: Undefined behaviour in arch/x86/events/intel/core.c:3708:12
shift exponent 35 is too large for 32-bit type 'long unsigned int'
The use of 'unsigned long' type obviously is not correct here, make it
'unsigned long long' instead.
Reported-by: Jim Cromie <jim.cromie@gmail.com>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Imre Palik <imrep@amazon.de>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: 2c33645d366d ("perf/x86: Honor the architectural performance monitoring version")
Link: http://lkml.kernel.org/r/1462974711-10037-1-git-send-email-aryabinin@virtuozzo.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/cpu/perf_event_intel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -2647,7 +2647,7 @@ __init int intel_pmu_init(void)
c->idxmsk64 |= (1ULL << x86_pmu.num_counters) - 1;
}
c->idxmsk64 &=
- ~(~0UL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed));
+ ~(~0ULL << (INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed));
c->weight = hweight64(c->idxmsk64);
}
}
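Review bot: with ~0ULL the shift is defined only while INTEL_PMC_IDX_FIXED + x86_pmu.num_counters_fixed stays below 64, and nothing in these lines bounds num_counters_fixed. The 1ULL << x86_pmu.num_counters at the top of the hunk has the same limit, so a clamp or WARN_ON where the counter counts are read would cover both expressions.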
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 169/192] macintosh/therm_windtunnel: Export I2C module alias information
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (167 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 168/192] perf/x86: Fix undefined shift on 32-bit kernels Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 135/192] video: fbdev: aty: do not leak uninitialized padding in clk to userspace Ben Hutchings
` (23 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Javier Martinez Canillas, Michael Ellerman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Javier Martinez Canillas <javier@osg.samsung.com>
commit cb0eefcc3271ea1d370476dd29685918b99c5a9f upstream.
The I2C core always reports the MODALIAS uevent as "i2c:<client name>"
regardless if the driver was matched using the I2C id_table or the
of_match_table. So the driver needs to export the I2C table and this
be built into the module or udev won't have the necessary information
to auto load the correct module when the device is added.
Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/macintosh/therm_windtunnel.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/macintosh/therm_windtunnel.c
+++ b/drivers/macintosh/therm_windtunnel.c
@@ -408,6 +408,7 @@ static const struct i2c_device_id therm_
{ "therm_adm1030", adm1030 },
{ }
};
+MODULE_DEVICE_TABLE(i2c, therm_windtunnel_id);
static int
do_probe(struct i2c_client *cl, const struct i2c_device_id *id)
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 135/192] video: fbdev: aty: do not leak uninitialized padding in clk to userspace
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (168 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 169/192] macintosh/therm_windtunnel: Export I2C module alias information Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 134/192] kvm: nVMX: Don't allow L2 to access the hardware CR8 Ben Hutchings
` (22 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Vladis Dronov, Bartlomiej Zolnierkiewicz, sohu0106
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vladis Dronov <vdronov@redhat.com>
commit 8e75f7a7a00461ef6d91797a60b606367f6e344d upstream.
'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field uninitialized, leaking data from the stack. Fix this ensuring all of
'clk' is initialized to zero.
References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/video/fbdev/aty/atyfb_base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -1852,7 +1852,7 @@ static int atyfb_ioctl(struct fb_info *i
#if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
case ATYIO_CLKR:
if (M64_HAS(INTEGRATED)) {
- struct atyclk clk;
+ struct atyclk clk = { 0 };
union aty_pll *pll = &par->pll;
u32 dsp_config = pll->ct.dsp_config;
u32 dsp_on_off = pll->ct.dsp_on_off;
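Review bot: "struct atyclk clk = { 0 };" initializes the members, but not every compiler is guaranteed to clear the padding bytes with an aggregate initializer, and the padding after vclk_post_div is exactly what the changelog says is leaking. For a struct that is copied to userspace, memset(&clk, 0, sizeof(clk)) before filling the fields is the form that does not depend on compiler behaviour.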
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 134/192] kvm: nVMX: Don't allow L2 to access the hardware CR8
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (169 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 135/192] video: fbdev: aty: do not leak uninitialized padding in clk to userspace Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 163/192] Btrfs: don't use src fd for printk Ben Hutchings
` (21 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jim Mattson, David Hildenbrand, Paolo Bonzini
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f upstream.
If L1 does not specify the "use TPR shadow" VM-execution control in
vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
exiting" VM-execution controls in vmcs02. Failure to do so will give
the L2 VM unrestricted read/write access to the hardware CR8.
This fixes CVE-2017-12154.
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8048,6 +8048,14 @@ static void prepare_vmcs02(struct kvm_vc
exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
exec_control &= ~CPU_BASED_TPR_SHADOW;
exec_control |= vmcs12->cpu_based_vm_exec_control;
+
+ if (!(exec_control & CPU_BASED_TPR_SHADOW)) {
+#ifdef CONFIG_X86_64
+ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
+ CPU_BASED_CR8_STORE_EXITING;
+#endif
+ }
+
/*
* Merging of IO and MSR bitmaps not currently supported.
* Rather, exit every time.
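Review bot: on 32-bit builds the #ifdef CONFIG_X86_64 leaves an empty if body; wrapping the whole if statement in the #ifdef reads better. This test is also the only thing keeping L2 away from the hardware CR8 when vmcs12 leaves CPU_BASED_TPR_SHADOW clear, so a comment above it saying that would stop it being removed as redundant in a later cleanup.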
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 163/192] Btrfs: don't use src fd for printk
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (170 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 134/192] kvm: nVMX: Don't allow L2 to access the hardware CR8 Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 181/192] netvsc: fix incorrect receive checksum offloading Ben Hutchings
` (20 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Sterba, Jeff Mahoney, Josef Bacik
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <jbacik@fb.com>
commit c79b4713304f812d3d6c95826fc3e5fc2c0b0c14 upstream.
The fd we pass in may not be on a btrfs file system, so don't try to do
BTRFS_I() on it. Thanks,
Signed-off-by: Josef Bacik <jbacik@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Cc: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1681,7 +1681,7 @@ static noinline int btrfs_ioctl_snap_cre
src_inode = file_inode(src.file);
if (src_inode->i_sb != file_inode(file)->i_sb) {
- btrfs_info(BTRFS_I(src_inode)->root->fs_info,
+ btrfs_info(BTRFS_I(file_inode(file))->root->fs_info,
"Snapshot src from another FS");
ret = -EXDEV;
} else if (!inode_owner_or_capable(src_inode)) {
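Review bot: file_inode(file) is now evaluated in the i_sb comparison and again inside btrfs_info(); a local inode pointer for the destination would make it obvious that the log call uses the inode known to be on btrfs. A one-line comment that src_inode may belong to another filesystem, and so must not be passed to BTRFS_I(), would keep the original mistake from coming back.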
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 181/192] netvsc: fix incorrect receive checksum offloading
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (171 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 163/192] Btrfs: don't use src fd for printk Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 143/192] m32r: add io*_rep helpers Ben Hutchings
` (19 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Stephen Hemminger
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Hemminger <sthemmin@microsoft.com>
commit e52fed7177f74382f742c27de2cc5314790aebb6 upstream.
The Hyper-V netvsc driver was looking at the incorrect status bits
in the checksum info. It was setting the receive checksum unnecessary
flag based on the IP header checksum being correct. The checksum
flag in skb is about TCP and UDP checksum status. Because of this
bug, any packet received with bad TCP checksum would be passed
up the stack and to the application causing data corruption.
The problem is reproducible via netcat and netem.
This had a side effect of not doing receive checksum offload
on IPv6. The driver was also always doing checksum offload
independent of the checksum setting done via ethtool.
Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/hyperv/netvsc_drv.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -643,15 +643,18 @@ int netvsc_recv_callback(struct hv_devic
packet->total_data_buflen);
skb->protocol = eth_type_trans(skb, net);
- if (csum_info) {
- /* We only look at the IP checksum here.
- * Should we be dropping the packet if checksum
- * failed? How do we deal with other checksums - TCP/UDP?
- */
- if (csum_info->receive.ip_checksum_succeeded)
+
+ /* skb is already created with CHECKSUM_NONE */
+ skb_checksum_none_assert(skb);
+
+ /*
+ * In Linux, the IP checksum is always checked.
+ * Do L4 checksum offload if enabled and present.
+ */
+ if (csum_info && (net->features & NETIF_F_RXCSUM)) {
+ if (csum_info->receive.tcp_checksum_succeeded ||
+ csum_info->receive.udp_checksum_succeeded)
skb->ip_summed = CHECKSUM_UNNECESSARY;
- else
- skb->ip_summed = CHECKSUM_NONE;
}
if (packet->vlan_tci & VLAN_TAG_PRESENT)
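Review bot: missing documentation: the new comment does not say what happens when csum_info is present but neither tcp_checksum_succeeded nor udp_checksum_succeeded is set. In that case the skb stays CHECKSUM_NONE and the stack verifies the L4 checksum in software, which is the behaviour that stops packets with a bad TCP checksum reaching the application; stating it in the comment guards against someone re-adding an else branch.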
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 143/192] m32r: add io*_rep helpers
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (172 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 181/192] netvsc: fix incorrect receive checksum offloading Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 148/192] sparc64: Take ctx_alloc_lock properly in hugetlb_setup() Ben Hutchings
` (18 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Sudip Mukherjee, Linus Torvalds, Sudip Mukherjee
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
commit 92a8ed4c7643809123ef0a65424569eaacc5c6b0 upstream.
m32r allmodconfig was failing with the error:
error: implicit declaration of function 'read'
On checking io.h it turned out that 'read' is not defined but 'readb' is
defined and 'ioread8' will then obviously mean 'readb'.
At the same time some of the helper functions ioreadN_rep() and
iowriteN_rep() were missing which also led to the build failure.
Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/m32r/include/asm/io.h | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/arch/m32r/include/asm/io.h
+++ b/arch/m32r/include/asm/io.h
@@ -163,13 +163,21 @@ static inline void _writel(unsigned long
#define __raw_writew writew
#define __raw_writel writel
-#define ioread8 read
+#define ioread8 readb
#define ioread16 readw
#define ioread32 readl
#define iowrite8 writeb
#define iowrite16 writew
#define iowrite32 writel
+#define ioread8_rep(p, dst, count) insb((unsigned long)(p), (dst), (count))
+#define ioread16_rep(p, dst, count) insw((unsigned long)(p), (dst), (count))
+#define ioread32_rep(p, dst, count) insl((unsigned long)(p), (dst), (count))
+
+#define iowrite8_rep(p, src, count) outsb((unsigned long)(p), (src), (count))
+#define iowrite16_rep(p, src, count) outsw((unsigned long)(p), (src), (count))
+#define iowrite32_rep(p, src, count) outsl((unsigned long)(p), (src), (count))
+
#define mmiowb()
#define flush_write_buffers() do { } while (0) /* M32R_FIXME */
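Review bot: ioread8/16/32 map to readb/readw/readl, but the new ioreadN_rep() and iowriteN_rep() macros cast the pointer to unsigned long and hand it to insb/insw/insl and outsb/outsw/outsl, which are the port I/O string helpers. Please confirm that on m32r these address the same space as readb and friends, and say so in a comment, otherwise a driver mixing ioread8() and ioread8_rep() on one mapping gets two different access methods.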
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 148/192] sparc64: Take ctx_alloc_lock properly in hugetlb_setup().
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (173 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 143/192] m32r: add io*_rep helpers Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 141/192] ipv4/fib: don't warn when primary address is missing if in_dev is dead Ben Hutchings
` (17 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Meelis Roos
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "David S. Miller" <davem@davemloft.net>
[ Upstream commit 9ea46abe22550e3366ff7cee2f8391b35b12f730 ]
On cheetahplus chips we take the ctx_alloc_lock in order to
modify the TLB lookup parameters for the indexed TLBs, which
are stored in the context register.
This is called with interrupts disabled, however ctx_alloc_lock
is an IRQ safe lock, therefore we must acquire/release it
properly with spin_{lock,unlock}_irq().
Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sparc/mm/init_64.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/arch/sparc/mm/init_64.c
+++ b/arch/sparc/mm/init_64.c
@@ -2682,9 +2682,10 @@ void hugetlb_setup(struct pt_regs *regs)
* the Data-TLB for huge pages.
*/
if (tlb_type == cheetah_plus) {
+ bool need_context_reload = false;
unsigned long ctx;
- spin_lock(&ctx_alloc_lock);
+ spin_lock_irq(&ctx_alloc_lock);
ctx = mm->context.sparc64_ctx_val;
ctx &= ~CTX_PGSZ_MASK;
ctx |= CTX_PGSZ_BASE << CTX_PGSZ0_SHIFT;
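Review bot: spin_lock_irq() here pairs with spin_unlock_irq() in the next hunk, which re-enables interrupts unconditionally, so this is only correct if hugetlb_setup() is always entered with interrupts enabled. The changelog says the opposite ("called with interrupts disabled"); either that sentence needs correcting or this should be spin_lock_irqsave()/spin_unlock_irqrestore().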
@@ -2703,9 +2704,12 @@ void hugetlb_setup(struct pt_regs *regs)
* also executing in this address space.
*/
mm->context.sparc64_ctx_val = ctx;
- on_each_cpu(context_reload, mm, 0);
+ need_context_reload = true;
}
- spin_unlock(&ctx_alloc_lock);
+ spin_unlock_irq(&ctx_alloc_lock);
+
+ if (need_context_reload)
+ on_each_cpu(context_reload, mm, 0);
}
}
#endif
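Review bot: missing documentation: the reason on_each_cpu(context_reload, mm, 0) moves out from under ctx_alloc_lock is not stated anywhere in the code. A comment next to need_context_reload saying that the cross-call must not be issued with the lock held and interrupts off would stop a later cleanup from folding it back into the locked region.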
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 141/192] ipv4/fib: don't warn when primary address is missing if in_dev is dead
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (174 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 148/192] sparc64: Take ctx_alloc_lock properly in hugetlb_setup() Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 166/192] MIPS: Fix 64k page support for 32 bit kernels Ben Hutchings
` (16 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Paolo Abeni
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 391a20333b8393ef2e13014e6e59d192c5594471 ]
After commit fbd40ea0180a ("ipv4: Don't do expensive useless work
during inetdev destroy.") when deleting an interface,
fib_del_ifaddr() can be executed without any primary address
present on the dead interface.
The above is safe, but triggers some "bug: prim == NULL" warnings.
This commit avoids warning if the in_dev is dead
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/fib_frontend.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -797,7 +797,11 @@ void fib_del_ifaddr(struct in_ifaddr *if
if (ifa->ifa_flags & IFA_F_SECONDARY) {
prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask);
if (prim == NULL) {
- pr_warn("%s: bug: prim == NULL\n", __func__);
+ /* if the device has been deleted, we don't perform
+ * address promotion
+ */
+ if (!in_dev->dead)
+ pr_warn("%s: bug: prim == NULL\n", __func__);
return;
}
if (iprim && iprim != prim) {
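Review bot: style: the new comment describes why the function returns without promoting an address, but it sits on the line that only decides whether to warn. Reword it to say that a missing primary is expected once in_dev->dead is set and is a bug otherwise, so the condition and the comment describe the same thing.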
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 166/192] MIPS: Fix 64k page support for 32 bit kernels.
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (175 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 141/192] ipv4/fib: don't warn when primary address is missing if in_dev is dead Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 180/192] ALSA: oxygen: Fix logical-not-parentheses warning Ben Hutchings
` (15 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, James Hogan, Ralf Baechle, Joshua Henderson
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ralf Baechle <ralf@linux-mips.org>
commit d7de413475f443957a0c1d256e405d19b3a2cb22 upstream.
TASK_SIZE was defined as 0x7fff8000UL which for 64k pages is not a
multiple of the page size. Somewhere further down the math fails
such that executing an ELF binary fails.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Tested-by: Joshua Henderson <joshua.henderson@microchip.com>
Cc: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/include/asm/processor.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/include/asm/processor.h
+++ b/arch/mips/include/asm/processor.h
@@ -51,7 +51,7 @@ extern unsigned int vced_count, vcei_cou
* User space process size: 2GB. This is hardcoded into a few places,
* so don't change it unless you know what you are doing.
*/
-#define TASK_SIZE 0x7fff8000UL
+#define TASK_SIZE 0x80000000UL
#endif
#ifdef __KERNEL__
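Review bot: the comment directly above warns that this value is hardcoded in a few places, yet the changelog only says the math fails "somewhere further down" and does not list which users were checked. Moving from 0x7fff8000UL to 0x80000000UL also drops the 32 KiB left unused at the top of user space for every page size this #define covers, not just 64k, so the changelog should say why that gap existed and why it is safe to remove.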
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 180/192] ALSA: oxygen: Fix logical-not-parentheses warning
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (176 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 166/192] MIPS: Fix 64k page support for 32 bit kernels Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 176/192] PCI: Add Netronome vendor and device IDs Ben Hutchings
` (14 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Tomer Barletz
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tomer Barletz <barletz@gmail.com>
commit 8ec7cfce3762299ae289c384e281b2f4010ae231 upstream.
This fixes the following warning, that is seen with gcc 5.1:
warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses].
Signed-off-by: Tomer Barletz <barletz@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/pci/oxygen/oxygen_mixer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/pci/oxygen/oxygen_mixer.c
+++ b/sound/pci/oxygen/oxygen_mixer.c
@@ -88,7 +88,7 @@ static int dac_mute_put(struct snd_kcont
int changed;
mutex_lock(&chip->mutex);
- changed = !value->value.integer.value[0] != chip->dac_mute;
+ changed = (!value->value.integer.value[0]) != chip->dac_mute;
if (changed) {
chip->dac_mute = !value->value.integer.value[0];
chip->model.update_dac_mute(chip);
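Review bot: style: the added parentheses silence the warning, but !value->value.integer.value[0] is still spelled out twice, once in the comparison and once in the assignment to chip->dac_mute. Computing it once into a local before taking the mutex and using that in both places removes the precedence question entirely.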
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 176/192] PCI: Add Netronome vendor and device IDs
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (177 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 180/192] ALSA: oxygen: Fix logical-not-parentheses warning Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 187/192] Fix match_prepath() Ben Hutchings
` (13 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Simon Horman, Jason S. McMullan, Bjorn Helgaas
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Jason S. McMullan" <jason.mcmullan@netronome.com>
commit a755e169031dac9ebaed03302c4921687c271d62 upstream.
Device IDs for the Netronome NFP3200, NFP3240, NFP6000, and NFP6000 SR-IOV
devices.
Signed-off-by: Jason S. McMullan <jason.mcmullan@netronome.com>
[simon: edited changelog]
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/pci_ids.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -2474,6 +2474,12 @@
#define PCI_DEVICE_ID_KORENIX_JETCARDF2 0x1700
#define PCI_DEVICE_ID_KORENIX_JETCARDF3 0x17ff
+#define PCI_VENDOR_ID_NETRONOME 0x19ee
+#define PCI_DEVICE_ID_NETRONOME_NFP3200 0x3200
+#define PCI_DEVICE_ID_NETRONOME_NFP3240 0x3240
+#define PCI_DEVICE_ID_NETRONOME_NFP6000 0x6000
+#define PCI_DEVICE_ID_NETRONOME_NFP6000_VF 0x6003
+
#define PCI_VENDOR_ID_QMI 0x1a32
#define PCI_VENDOR_ID_AZWAVE 0x1a3b
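Review bot: missing documentation: nothing in this patch uses the new PCI_VENDOR_ID_NETRONOME and PCI_DEVICE_ID_NETRONOME_* definitions, and pci_ids.h asks that entries be added only when they are shared between drivers. For a stable backport the changelog should name the patch in this series that depends on them.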
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 187/192] Fix match_prepath()
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (178 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 176/192] PCI: Add Netronome vendor and device IDs Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 159/192] usb: musb: cppi41: improve rx channel abort routine Ben Hutchings
` (12 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Pavel Shilovsky, Sachin Prabhu, Steve French, Aurélien Aptel
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sachin Prabhu <sprabhu@redhat.com>
commit cd8c42968ee651b69e00f8661caff32b0086e82d upstream.
Incorrect return value for shares not using the prefix path means that
we will never match superblocks for these shares.
Fixes: commit c1d8b24d1819 ("Compare prepaths when comparing superblocks")
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Cc: Aurélien Aptel <aaptel@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/connect.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2756,16 +2756,14 @@ match_prepath(struct super_block *sb, st
{
struct cifs_sb_info *old = CIFS_SB(sb);
struct cifs_sb_info *new = mnt_data->cifs_sb;
+ bool old_set = old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH;
+ bool new_set = new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH;
- if (old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) {
- if (!(new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH))
- return 0;
- /* The prepath should be null terminated strings */
- if (strcmp(new->prepath, old->prepath))
- return 0;
-
+ if (old_set && new_set && !strcmp(new->prepath, old->prepath))
+ return 1;
+ else if (!old_set && !new_set)
return 1;
- }
+
return 0;
}
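Review bot: strcmp(new->prepath, old->prepath) dereferences both pointers with no NULL check, relying on CIFS_MOUNT_USE_PREFIX_PATH implying a non-NULL prepath, and the removed comment was the only place that stated an assumption about these strings. Keep a comment to that effect; the two "return 1" branches could also be folded into a single condition, since the else after a return adds nothing.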
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 159/192] usb: musb: cppi41: improve rx channel abort routine
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (179 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 187/192] Fix match_prepath() Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 157/192] x86/efi: Avoid triple faults during EFI mixed mode calls Ben Hutchings
` (11 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Bin Liu, Felipe Balbi
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bin Liu <b-liu@ti.com>
commit cb83df77f3ec151d68a1b6be957207e6fc7b7f50 upstream.
1. set AUTOREQ to NONE at the beginning of teardown;
2. add delay for dma pipeline to drain;
3. Do not set USB_TDOWN bit for RX teardown.
The CPPI hw has an issue that when tearing down a RX channel, if
another RX channel is receiving data, the CPPI will lockup.
To workaround the issue, do not set the CPPI TD bit. The steps before
this point ensures the CPPI channel will be torn down properly.
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/musb/musb_cppi41.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/usb/musb/musb_cppi41.c
+++ b/drivers/usb/musb/musb_cppi41.c
@@ -570,10 +570,15 @@ static int cppi41_dma_channel_abort(stru
csr &= ~MUSB_TXCSR_DMAENAB;
musb_writew(epio, MUSB_TXCSR, csr);
} else {
+ cppi41_set_autoreq_mode(cppi41_channel, EP_MODE_AUTOREQ_NONE);
+
csr = musb_readw(epio, MUSB_RXCSR);
csr &= ~(MUSB_RXCSR_H_REQPKT | MUSB_RXCSR_DMAENAB);
musb_writew(epio, MUSB_RXCSR, csr);
+ /* wait to drain cppi dma pipe line */
+ udelay(50);
+
csr = musb_readw(epio, MUSB_RXCSR);
if (csr & MUSB_RXCSR_RXPKTRDY) {
csr |= MUSB_RXCSR_FLUSHFIFO;
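Review bot: udelay(50) is a bare magic number; the comment says what is being waited for but not where 50 microseconds comes from or whether it is a measured worst case. Since udelay() busy-waits, please also note in the comment that the abort path may run in atomic context, if that is why a sleeping delay is not used.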
@@ -587,13 +592,14 @@ static int cppi41_dma_channel_abort(stru
tdbit <<= 16;
do {
- musb_writel(musb->ctrl_base, USB_TDOWN, tdbit);
+ if (is_tx)
+ musb_writel(musb->ctrl_base, USB_TDOWN, tdbit);
ret = dmaengine_terminate_all(cppi41_channel->dc);
} while (ret == -EAGAIN);
- musb_writel(musb->ctrl_base, USB_TDOWN, tdbit);
-
if (is_tx) {
+ musb_writel(musb->ctrl_base, USB_TDOWN, tdbit);
+
csr = musb_readw(epio, MUSB_TXCSR);
if (csr & MUSB_TXCSR_TXPKTRDY) {
csr |= MUSB_TXCSR_FLUSHFIFO;
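Review bot: for RX the retry loop no longer writes USB_TDOWN, so each iteration only calls dmaengine_terminate_all() again, and nothing bounds the loop if it keeps returning -EAGAIN. Add a retry limit or timeout, and put the reason RX skips the TD bit (the CPPI lockup described in the changelog) in a comment next to the "if (is_tx)" test, since the code alone does not explain it.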
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 157/192] x86/efi: Avoid triple faults during EFI mixed mode calls
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (180 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 159/192] usb: musb: cppi41: improve rx channel abort routine Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 138/192] Bluetooth: Properly check L2CAP config option output buffer length Ben Hutchings
` (10 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Borislav Petkov, Matt Fleming, Andy Lutomirski
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matt Fleming <matt.fleming@intel.com>
commit 96738c69a7fcdbf0d7c9df0c8a27660011e82a7b upstream.
Andy pointed out that if an NMI or MCE is received while we're in the
middle of an EFI mixed mode call a triple fault will occur. This can
happen, for example, when issuing an EFI mixed mode call while running
perf.
The reason for the triple fault is that we execute the mixed mode call
in 32-bit mode with paging disabled but with 64-bit kernel IDT handlers
installed throughout the call.
At Andy's suggestion, stop playing the games we currently do at runtime,
such as disabling paging and installing a 32-bit GDT for __KERNEL_CS. We
can simply switch to the __KERNEL32_CS descriptor before invoking
firmware services, and run in compatibility mode. This way, if an
NMI/MCE does occur the kernel IDT handler will execute correctly, since
it'll jump to __KERNEL_CS automatically.
However, this change is only possible post-ExitBootServices(). Before
then the firmware "owns" the machine and expects for its 32-bit IDT
handlers to be left intact to service interrupts, etc.
So, we now need to distinguish between early boot and runtime
invocations of EFI services. During early boot, we need to restore the
GDT that the firmware expects to be present. We can only jump to the
__KERNEL32_CS code segment for mixed mode calls after ExitBootServices()
has been invoked.
A liberal sprinkling of comments in the thunking code should make the
differences in early and late environments more apparent.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Tested-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
[bwh: Backported to 3.16: in arch/x86/boot/compressed/Makefile, add the new
object file to VMLINUX_OBJS]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -34,6 +34,9 @@ $(obj)/eboot.o: KBUILD_CFLAGS += -fshort
ifeq ($(CONFIG_EFI_STUB), y)
VMLINUX_OBJS += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o
+ifeq ($(CONFIG_EFI_MIXED), y)
+ VMLINUX_OBJS += $(obj)/efi_thunk_$(BITS).o
+endif
endif
$(obj)/vmlinux: $(VMLINUX_OBJS) FORCE
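Review bot: efi_thunk_$(BITS).o in the new CONFIG_EFI_MIXED block would expand to efi_thunk_32.o on a 32-bit build, and this patch only adds efi_thunk_64.S. If CONFIG_EFI_MIXED can never be set with BITS=32, say so in a comment here or name the object efi_thunk_64.o directly, so the constraint is visible in the Makefile rather than implied.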
--- a/arch/x86/boot/compressed/efi_stub_64.S
+++ b/arch/x86/boot/compressed/efi_stub_64.S
@@ -3,28 +3,3 @@
#include <asm/processor-flags.h>
#include "../../platform/efi/efi_stub_64.S"
-
-#ifdef CONFIG_EFI_MIXED
- .code64
- .text
-ENTRY(efi64_thunk)
- push %rbp
- push %rbx
-
- subq $16, %rsp
- leaq efi_exit32(%rip), %rax
- movl %eax, 8(%rsp)
- leaq efi_gdt64(%rip), %rax
- movl %eax, 4(%rsp)
- movl %eax, 2(%rax) /* Fixup the gdt base address */
- leaq efi32_boot_gdt(%rip), %rax
- movl %eax, (%rsp)
-
- call __efi64_thunk
-
- addq $16, %rsp
- pop %rbx
- pop %rbp
- ret
-ENDPROC(efi64_thunk)
-#endif /* CONFIG_EFI_MIXED */
--- /dev/null
+++ b/arch/x86/boot/compressed/efi_thunk_64.S
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2014, 2015 Intel Corporation; author Matt Fleming
+ *
+ * Early support for invoking 32-bit EFI services from a 64-bit kernel.
+ *
+ * Because this thunking occurs before ExitBootServices() we have to
+ * restore the firmware's 32-bit GDT before we make EFI serivce calls,
+ * since the firmware's 32-bit IDT is still currently installed and it
+ * needs to be able to service interrupts.
+ *
+ * On the plus side, we don't have to worry about mangling 64-bit
+ * addresses into 32-bits because we're executing with an identify
+ * mapped pagetable and haven't transitioned to 64-bit virtual addresses
+ * yet.
+ */
+
+#include <linux/linkage.h>
+#include <asm/msr.h>
+#include <asm/page_types.h>
+#include <asm/processor-flags.h>
+#include <asm/segment.h>
+
+ .code64
+ .text
+ENTRY(efi64_thunk)
+ push %rbp
+ push %rbx
+
+ subq $8, %rsp
+ leaq efi_exit32(%rip), %rax
+ movl %eax, 4(%rsp)
+ leaq efi_gdt64(%rip), %rax
+ movl %eax, (%rsp)
+ movl %eax, 2(%rax) /* Fixup the gdt base address */
+
+ movl %ds, %eax
+ push %rax
+ movl %es, %eax
+ push %rax
+ movl %ss, %eax
+ push %rax
+
+ /*
+ * Convert x86-64 ABI params to i386 ABI
+ */
+ subq $32, %rsp
+ movl %esi, 0x0(%rsp)
+ movl %edx, 0x4(%rsp)
+ movl %ecx, 0x8(%rsp)
+ movq %r8, %rsi
+ movl %esi, 0xc(%rsp)
+ movq %r9, %rsi
+ movl %esi, 0x10(%rsp)
+
+ sgdt save_gdt(%rip)
+
+ leaq 1f(%rip), %rbx
+ movq %rbx, func_rt_ptr(%rip)
+
+ /*
+ * Switch to gdt with 32-bit segments. This is the firmware GDT
+ * that was installed when the kernel started executing. This
+ * pointer was saved at the EFI stub entry point in head_64.S.
+ */
+ leaq efi32_boot_gdt(%rip), %rax
+ lgdt (%rax)
+
+ pushq $__KERNEL_CS
+ leaq efi_enter32(%rip), %rax
+ pushq %rax
+ lretq
+
+1: addq $32, %rsp
+
+ lgdt save_gdt(%rip)
+
+ pop %rbx
+ movl %ebx, %ss
+ pop %rbx
+ movl %ebx, %es
+ pop %rbx
+ movl %ebx, %ds
+
+ /*
+ * Convert 32-bit status code into 64-bit.
+ */
+ test %rax, %rax
+ jz 1f
+ movl %eax, %ecx
+ andl $0x0fffffff, %ecx
+ andl $0xf0000000, %eax
+ shl $32, %rax
+ or %rcx, %rax
+1:
+ addq $8, %rsp
+ pop %rbx
+ pop %rbp
+ ret
+ENDPROC(efi64_thunk)
+
+ENTRY(efi_exit32)
+ movq func_rt_ptr(%rip), %rax
+ push %rax
+ mov %rdi, %rax
+ ret
+ENDPROC(efi_exit32)
+
+ .code32
+/*
+ * EFI service pointer must be in %edi.
+ *
+ * The stack should represent the 32-bit calling convention.
+ */
+ENTRY(efi_enter32)
+ movl $__KERNEL_DS, %eax
+ movl %eax, %ds
+ movl %eax, %es
+ movl %eax, %ss
+
+ /* Reload pgtables */
+ movl %cr3, %eax
+ movl %eax, %cr3
+
+ /* Disable paging */
+ movl %cr0, %eax
+ btrl $X86_CR0_PG_BIT, %eax
+ movl %eax, %cr0
+
+ /* Disable long mode via EFER */
+ movl $MSR_EFER, %ecx
+ rdmsr
+ btrl $_EFER_LME, %eax
+ wrmsr
+
+ call *%edi
+
+ /* We must preserve return value */
+ movl %eax, %edi
+
+ /*
+ * Some firmware will return with interrupts enabled. Be sure to
+ * disable them before we switch GDTs.
+ */
+ cli
+
+ movl 56(%esp), %eax
+ movl %eax, 2(%eax)
+ lgdtl (%eax)
+
+ movl %cr4, %eax
+ btsl $(X86_CR4_PAE_BIT), %eax
+ movl %eax, %cr4
+
+ movl %cr3, %eax
+ movl %eax, %cr3
+
+ movl $MSR_EFER, %ecx
+ rdmsr
+ btsl $_EFER_LME, %eax
+ wrmsr
+
+ xorl %eax, %eax
+ lldt %ax
+
+ movl 60(%esp), %eax
+ pushl $__KERNEL_CS
+ pushl %eax
+
+ /* Enable paging */
+ movl %cr0, %eax
+ btsl $X86_CR0_PG_BIT, %eax
+ movl %eax, %cr0
+ lret
+ENDPROC(efi_enter32)
+
+ .data
+ .balign 8
+ .global efi32_boot_gdt
+efi32_boot_gdt: .word 0
+ .quad 0
+
+save_gdt: .word 0
+ .quad 0
+func_rt_ptr: .quad 0
+
+ .global efi_gdt64
+efi_gdt64:
+ .word efi_gdt64_end - efi_gdt64
+ .long 0 /* Filled out by user */
+ .word 0
+ .quad 0x0000000000000000 /* NULL descriptor */
+ .quad 0x00af9a000000ffff /* __KERNEL_CS */
+ .quad 0x00cf92000000ffff /* __KERNEL_DS */
+ .quad 0x0080890000000000 /* TS descriptor */
+ .quad 0x0000000000000000 /* TS continued */
+efi_gdt64_end:
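Review bot: efi_enter32 fetches the saved pointers with hardcoded offsets, "movl 56(%esp), %eax" for the efi_gdt64 pointer and "movl 60(%esp), %eax" for the efi_exit32 address, and both only hold while efi64_thunk keeps exactly its current stack layout (32 bytes of i386 arguments, then three 8-byte segment saves, then the 8-byte slot filled at function entry). A comment at each load spelling out that sum, or symbolic offsets, would keep a later change to the push sequence from silently loading the wrong GDT or return address. The header comment also has two typos, "serivce" and "identify mapped", and save_gdt and func_rt_ptr are single static slots, so the comment should state that this early path is never re-entered.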
--- a/arch/x86/platform/efi/efi_stub_64.S
+++ b/arch/x86/platform/efi/efi_stub_64.S
@@ -91,167 +91,6 @@ ENTRY(efi_call)
ret
ENDPROC(efi_call)
-#ifdef CONFIG_EFI_MIXED
-
-/*
- * We run this function from the 1:1 mapping.
- *
- * This function must be invoked with a 1:1 mapped stack.
- */
-ENTRY(__efi64_thunk)
- movl %ds, %eax
- push %rax
- movl %es, %eax
- push %rax
- movl %ss, %eax
- push %rax
-
- subq $32, %rsp
- movl %esi, 0x0(%rsp)
- movl %edx, 0x4(%rsp)
- movl %ecx, 0x8(%rsp)
- movq %r8, %rsi
- movl %esi, 0xc(%rsp)
- movq %r9, %rsi
- movl %esi, 0x10(%rsp)
-
- sgdt save_gdt(%rip)
-
- leaq 1f(%rip), %rbx
- movq %rbx, func_rt_ptr(%rip)
-
- /* Switch to gdt with 32-bit segments */
- movl 64(%rsp), %eax
- lgdt (%rax)
-
- leaq efi_enter32(%rip), %rax
- pushq $__KERNEL_CS
- pushq %rax
- lretq
-
-1: addq $32, %rsp
-
- lgdt save_gdt(%rip)
-
- pop %rbx
- movl %ebx, %ss
- pop %rbx
- movl %ebx, %es
- pop %rbx
- movl %ebx, %ds
-
- /*
- * Convert 32-bit status code into 64-bit.
- */
- test %rax, %rax
- jz 1f
- movl %eax, %ecx
- andl $0x0fffffff, %ecx
- andl $0xf0000000, %eax
- shl $32, %rax
- or %rcx, %rax
-1:
- ret
-ENDPROC(__efi64_thunk)
-
-ENTRY(efi_exit32)
- movq func_rt_ptr(%rip), %rax
- push %rax
- mov %rdi, %rax
- ret
-ENDPROC(efi_exit32)
-
- .code32
-/*
- * EFI service pointer must be in %edi.
- *
- * The stack should represent the 32-bit calling convention.
- */
-ENTRY(efi_enter32)
- movl $__KERNEL_DS, %eax
- movl %eax, %ds
- movl %eax, %es
- movl %eax, %ss
-
- /* Reload pgtables */
- movl %cr3, %eax
- movl %eax, %cr3
-
- /* Disable paging */
- movl %cr0, %eax
- btrl $X86_CR0_PG_BIT, %eax
- movl %eax, %cr0
-
- /* Disable long mode via EFER */
- movl $MSR_EFER, %ecx
- rdmsr
- btrl $_EFER_LME, %eax
- wrmsr
-
- call *%edi
-
- /* We must preserve return value */
- movl %eax, %edi
-
- /*
- * Some firmware will return with interrupts enabled. Be sure to
- * disable them before we switch GDTs.
- */
- cli
-
- movl 68(%esp), %eax
- movl %eax, 2(%eax)
- lgdtl (%eax)
-
- movl %cr4, %eax
- btsl $(X86_CR4_PAE_BIT), %eax
- movl %eax, %cr4
-
- movl %cr3, %eax
- movl %eax, %cr3
-
- movl $MSR_EFER, %ecx
- rdmsr
- btsl $_EFER_LME, %eax
- wrmsr
-
- xorl %eax, %eax
- lldt %ax
-
- movl 72(%esp), %eax
- pushl $__KERNEL_CS
- pushl %eax
-
- /* Enable paging */
- movl %cr0, %eax
- btsl $X86_CR0_PG_BIT, %eax
- movl %eax, %cr0
- lret
-ENDPROC(efi_enter32)
-
- .data
- .balign 8
- .global efi32_boot_gdt
-efi32_boot_gdt: .word 0
- .quad 0
-
-save_gdt: .word 0
- .quad 0
-func_rt_ptr: .quad 0
-
- .global efi_gdt64
-efi_gdt64:
- .word efi_gdt64_end - efi_gdt64
- .long 0 /* Filled out by user */
- .word 0
- .quad 0x0000000000000000 /* NULL descriptor */
- .quad 0x00af9a000000ffff /* __KERNEL_CS */
- .quad 0x00cf92000000ffff /* __KERNEL_DS */
- .quad 0x0080890000000000 /* TS descriptor */
- .quad 0x0000000000000000 /* TS continued */
-efi_gdt64_end:
-#endif /* CONFIG_EFI_MIXED */
-
.data
ENTRY(efi_scratch)
.fill 3,8,0
--- a/arch/x86/platform/efi/efi_thunk_64.S
+++ b/arch/x86/platform/efi/efi_thunk_64.S
@@ -1,9 +1,26 @@
/*
* Copyright (C) 2014 Intel Corporation; author Matt Fleming
+ *
+ * Support for invoking 32-bit EFI runtime services from a 64-bit
+ * kernel.
+ *
+ * The below thunking functions are only used after ExitBootServices()
+ * has been called. This simplifies things considerably as compared with
+ * the early EFI thunking because we can leave all the kernel state
+ * intact (GDT, IDT, etc) and simply invoke the the 32-bit EFI runtime
+ * services from __KERNEL32_CS. This means we can continue to service
+ * interrupts across an EFI mixed mode call.
+ *
+ * We do however, need to handle the fact that we're running in a full
+ * 64-bit virtual address space. Things like the stack and instruction
+ * addresses need to be accessible by the 32-bit firmware, so we rely on
+ * using the identity mappings in the EFI page table to access the stack
+ * and kernel text (see efi_setup_page_tables()).
*/
#include <linux/linkage.h>
#include <asm/page_types.h>
+#include <asm/segment.h>
.text
.code64
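Review bot: the new header comment has a doubled word in "invoke the the 32-bit EFI runtime services", and "We do however, need" wants a comma on both sides of "however" or on neither. This comment is the only place that documents the split between the early and the runtime thunk, so it is worth getting clean; it would also help to name the early counterpart file (arch/x86/boot/compressed/efi_thunk_64.S) explicitly.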
@@ -33,14 +50,6 @@ ENTRY(efi64_thunk)
leaq efi_exit32(%rip), %rbx
subq %rax, %rbx
movl %ebx, 8(%rsp)
- leaq efi_gdt64(%rip), %rbx
- subq %rax, %rbx
- movl %ebx, 2(%ebx)
- movl %ebx, 4(%rsp)
- leaq efi_gdt32(%rip), %rbx
- subq %rax, %rbx
- movl %ebx, 2(%ebx)
- movl %ebx, (%rsp)
leaq __efi64_thunk(%rip), %rbx
subq %rax, %rbx
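Review bot: with the efi_gdt64 and efi_gdt32 fixups removed, the stores to 4(%rsp) and (%rsp) are gone, but the context line above still writes efi_exit32 to 8(%rsp). That leaves two stack slots below it that are no longer written. The frame reservation is outside this hunk, so please either shrink it and adjust the matching load in efi_enter32, or add a comment that the slot offset is kept on purpose so the 72(%esp) load stays valid.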
@@ -52,14 +61,92 @@ ENTRY(efi64_thunk)
retq
ENDPROC(efi64_thunk)
- .data
-efi_gdt32:
- .word efi_gdt32_end - efi_gdt32
- .long 0 /* Filled out above */
- .word 0
- .quad 0x0000000000000000 /* NULL descriptor */
- .quad 0x00cf9a000000ffff /* __KERNEL_CS */
- .quad 0x00cf93000000ffff /* __KERNEL_DS */
-efi_gdt32_end:
+/*
+ * We run this function from the 1:1 mapping.
+ *
+ * This function must be invoked with a 1:1 mapped stack.
+ */
+ENTRY(__efi64_thunk)
+ movl %ds, %eax
+ push %rax
+ movl %es, %eax
+ push %rax
+ movl %ss, %eax
+ push %rax
+
+ subq $32, %rsp
+ movl %esi, 0x0(%rsp)
+ movl %edx, 0x4(%rsp)
+ movl %ecx, 0x8(%rsp)
+ movq %r8, %rsi
+ movl %esi, 0xc(%rsp)
+ movq %r9, %rsi
+ movl %esi, 0x10(%rsp)
+
+ leaq 1f(%rip), %rbx
+ movq %rbx, func_rt_ptr(%rip)
+
+ /* Switch to 32-bit descriptor */
+ pushq $__KERNEL32_CS
+ leaq efi_enter32(%rip), %rax
+ pushq %rax
+ lretq
+
+1: addq $32, %rsp
+
+ pop %rbx
+ movl %ebx, %ss
+ pop %rbx
+ movl %ebx, %es
+ pop %rbx
+ movl %ebx, %ds
+ /*
+ * Convert 32-bit status code into 64-bit.
+ */
+ test %rax, %rax
+ jz 1f
+ movl %eax, %ecx
+ andl $0x0fffffff, %ecx
+ andl $0xf0000000, %eax
+ shl $32, %rax
+ or %rcx, %rax
+1:
+ ret
+ENDPROC(__efi64_thunk)
+
+ENTRY(efi_exit32)
+ movq func_rt_ptr(%rip), %rax
+ push %rax
+ mov %rdi, %rax
+ ret
+ENDPROC(efi_exit32)
+
+ .code32
+/*
+ * EFI service pointer must be in %edi.
+ *
+ * The stack should represent the 32-bit calling convention.
+ */
+ENTRY(efi_enter32)
+ movl $__KERNEL_DS, %eax
+ movl %eax, %ds
+ movl %eax, %es
+ movl %eax, %ss
+
+ call *%edi
+
+ /* We must preserve return value */
+ movl %eax, %edi
+
+ movl 72(%esp), %eax
+ pushl $__KERNEL_CS
+ pushl %eax
+
+ lret
+ENDPROC(efi_enter32)
+
+ .data
+ .balign 8
+func_rt_ptr: .quad 0
efi_saved_sp: .quad 0
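Review bot: func_rt_ptr is a single global slot written by __efi64_thunk ("movq %rbx, func_rt_ptr(%rip)") and read back in efi_exit32, and the new header comment says interrupts can now be serviced across a mixed mode call. Two overlapping calls would overwrite each other's return pointer, so please add a comment naming the lock or calling context that serializes entry to __efi64_thunk. The "movl 72(%esp), %eax" in efi_enter32 is also a bare offset tied to the frame built in efi64_thunk and __efi64_thunk and deserves a comment, and a blank line is missing before the "Convert 32-bit status code into 64-bit" comment.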
* [PATCH 3.16 138/192] Bluetooth: Properly check L2CAP config option output buffer length
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Marcel Holtmann, Ben Seri
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Seri <ben@armis.com>
commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.
Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bluetooth/l2cap_core.c | 80 +++++++++++++++++++++++++---------------------
1 file changed, 43 insertions(+), 37 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -59,7 +59,7 @@ static struct sk_buff *l2cap_build_cmd(s
u8 code, u8 ident, u16 dlen, void *data);
static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
void *data);
-static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
@@ -1401,7 +1401,7 @@ static void l2cap_conn_start(struct l2ca
set_bit(CONF_REQ_SENT, &chan->conf_state);
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
@@ -2978,12 +2978,15 @@ static inline int l2cap_get_conf_opt(voi
return len;
}
-static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
+static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
{
struct l2cap_conf_opt *opt = *ptr;
BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
+ if (size < L2CAP_CONF_OPT_SIZE + len)
+ return;
+
opt->type = type;
opt->len = len;
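Review bot: the new check "if (size < L2CAP_CONF_OPT_SIZE + len) return;" in l2cap_add_conf_opt() drops the option silently. The function stays void and *ptr is not advanced, so the caller cannot tell that the config request or response it is about to send is missing an option. That closes the overflow, but it trades it for a truncated message the peer will act on. Consider returning an error that the builders can propagate, or at least a BT_DBG/WARN on the drop path so truncation is visible.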
@@ -3008,7 +3011,7 @@ static void l2cap_add_conf_opt(void **pt
*ptr += L2CAP_CONF_OPT_SIZE + len;
}
-static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
+static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
{
struct l2cap_conf_efs efs;
@@ -3036,7 +3039,7 @@ static void l2cap_add_opt_efs(void **ptr
}
l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs, size);
}
static void l2cap_ack_timeout(struct work_struct *work)
@@ -3180,11 +3183,12 @@ static inline void l2cap_txwin_setup(str
chan->ack_win = chan->tx_win;
}
-static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
{
struct l2cap_conf_req *req = data;
struct l2cap_conf_rfc rfc = { .mode = chan->mode };
void *ptr = req->data;
+ void *endptr = data + data_size;
u16 size;
BT_DBG("chan %p", chan);
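Review bot: endptr is computed as "data + data_size" while ptr starts at req->data, past the request header, and data_size is never checked against the header size. With the 64 and 128 byte buffers passed by the callers in this patch that is fine, but if a caller ever passed a buffer smaller than the header, "endptr - ptr" would be negative and convert to a huge size_t in l2cap_add_conf_opt(), defeating the new check. A one-line guard or a comment stating the minimum buffer size would make the assumption explicit.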
@@ -3209,7 +3213,7 @@ static int l2cap_build_conf_req(struct l
done:
if (chan->imtu != L2CAP_DEFAULT_MTU)
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
switch (chan->mode) {
case L2CAP_MODE_BASIC:
@@ -3225,7 +3229,7 @@ done:
rfc.max_pdu_size = 0;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
break;
case L2CAP_MODE_ERTM:
@@ -3245,21 +3249,21 @@ done:
L2CAP_DEFAULT_TX_WINDOW);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
- l2cap_add_opt_efs(&ptr, chan);
+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
if (test_bit(FLAG_EXT_CTRL, &chan->flags))
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
- chan->tx_win);
+ chan->tx_win, endptr - ptr);
if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
if (chan->fcs == L2CAP_FCS_NONE ||
test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
chan->fcs = L2CAP_FCS_NONE;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
- chan->fcs);
+ chan->fcs, endptr - ptr);
}
break;
@@ -3277,17 +3281,17 @@ done:
rfc.max_pdu_size = cpu_to_le16(size);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
- l2cap_add_opt_efs(&ptr, chan);
+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
if (chan->fcs == L2CAP_FCS_NONE ||
test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
chan->fcs = L2CAP_FCS_NONE;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
- chan->fcs);
+ chan->fcs, endptr - ptr);
}
break;
}
@@ -3298,10 +3302,11 @@ done:
return ptr - data;
}
-static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
+static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
{
struct l2cap_conf_rsp *rsp = data;
void *ptr = rsp->data;
+ void *endptr = data + data_size;
void *req = chan->conf_req;
int len = chan->conf_len;
int type, hint, olen;
@@ -3403,7 +3408,7 @@ done:
return -ECONNREFUSED;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
}
if (result == L2CAP_CONF_SUCCESS) {
@@ -3416,7 +3421,7 @@ done:
chan->omtu = mtu;
set_bit(CONF_MTU_DONE, &chan->conf_state);
}
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
if (remote_efs) {
if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
@@ -3430,7 +3435,7 @@ done:
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs, endptr - ptr);
} else {
/* Send PENDING Conf Rsp */
result = L2CAP_CONF_PENDING;
@@ -3463,7 +3468,7 @@ done:
set_bit(CONF_MODE_DONE, &chan->conf_state);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
- sizeof(rfc), (unsigned long) &rfc);
+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
chan->remote_id = efs.id;
@@ -3477,7 +3482,7 @@ done:
le32_to_cpu(efs.sdu_itime);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs, endptr - ptr);
}
break;
@@ -3491,7 +3496,7 @@ done:
set_bit(CONF_MODE_DONE, &chan->conf_state);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
break;
@@ -3513,10 +3518,11 @@ done:
}
static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
- void *data, u16 *result)
+ void *data, size_t size, u16 *result)
{
struct l2cap_conf_req *req = data;
void *ptr = req->data;
+ void *endptr = data + size;
int type, olen;
unsigned long val;
struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
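Review bot: the new length parameter is named "size" in l2cap_parse_conf_rsp() but "data_size" in l2cap_build_conf_req() and l2cap_parse_conf_req(). Since this function already takes "len" for the input, a bare "size" next to it is easy to misread as another input length. Please use data_size here too so the three functions match.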
@@ -3534,13 +3540,13 @@ static int l2cap_parse_conf_rsp(struct l
chan->imtu = L2CAP_DEFAULT_MIN_MTU;
} else
chan->imtu = val;
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
break;
case L2CAP_CONF_FLUSH_TO:
chan->flush_to = val;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
- 2, chan->flush_to);
+ 2, chan->flush_to, endptr - ptr);
break;
case L2CAP_CONF_RFC:
@@ -3554,13 +3560,13 @@ static int l2cap_parse_conf_rsp(struct l
chan->fcs = 0;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
- sizeof(rfc), (unsigned long) &rfc);
+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
break;
case L2CAP_CONF_EWS:
chan->ack_win = min_t(u16, val, chan->ack_win);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
- chan->tx_win);
+ chan->tx_win, endptr - ptr);
break;
case L2CAP_CONF_EFS:
@@ -3573,7 +3579,7 @@ static int l2cap_parse_conf_rsp(struct l
return -ECONNREFUSED;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs, endptr - ptr);
break;
case L2CAP_CONF_FCS:
@@ -3678,7 +3684,7 @@ void __l2cap_connect_rsp_defer(struct l2
return;
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
@@ -3885,7 +3891,7 @@ sendresp:
u8 buf[128];
set_bit(CONF_REQ_SENT, &chan->conf_state);
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
@@ -3965,7 +3971,7 @@ static int l2cap_connect_create_rsp(stru
break;
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, req), req);
+ l2cap_build_conf_req(chan, req, sizeof(req)), req);
chan->num_conf_req++;
break;
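Review bot: "sizeof(req)" here is only the buffer length if req is declared as an array in l2cap_connect_create_rsp(); the declaration is outside this hunk. If req were a pointer, sizeof would yield the pointer size and l2cap_add_conf_opt() would drop nearly every option. Please confirm the declaration, and the same for the sizeof(rsp) and sizeof(req) arguments added in the l2cap_config_req() and l2cap_config_rsp() hunks below, where only "u8 buf[64]" and "char buf[64]" are visible as arrays.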
@@ -4077,7 +4083,7 @@ static inline int l2cap_config_req(struc
}
/* Complete config. */
- len = l2cap_parse_conf_req(chan, rsp);
+ len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
if (len < 0) {
l2cap_send_disconn_req(chan, ECONNRESET);
goto unlock;
@@ -4111,7 +4117,7 @@ static inline int l2cap_config_req(struc
if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
u8 buf[64];
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
@@ -4171,7 +4177,7 @@ static inline int l2cap_config_rsp(struc
char buf[64];
len = l2cap_parse_conf_rsp(chan, rsp->data, len,
- buf, &result);
+ buf, sizeof(buf), &result);
if (len < 0) {
l2cap_send_disconn_req(chan, ECONNRESET);
goto done;
@@ -4201,7 +4207,7 @@ static inline int l2cap_config_rsp(struc
/* throw out any old stored conf requests */
result = L2CAP_CONF_SUCCESS;
len = l2cap_parse_conf_rsp(chan, rsp->data, len,
- req, &result);
+ req, sizeof(req), &result);
if (len < 0) {
l2cap_send_disconn_req(chan, ECONNRESET);
goto done;
@@ -4782,7 +4788,7 @@ static void l2cap_do_create(struct l2cap
set_bit(CONF_REQ_SENT, &chan->conf_state);
l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
}
@@ -7361,7 +7367,7 @@ int l2cap_security_cfm(struct hci_conn *
set_bit(CONF_REQ_SENT, &chan->conf_state);
l2cap_send_cmd(conn, l2cap_get_ident(conn),
L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf),
+ l2cap_build_conf_req(chan, buf, sizeof(buf)),
buf);
chan->num_conf_req++;
}
* [PATCH 3.16 139/192] l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Paul Hüber
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Hüber <phueber@kernsp.in>
commit 51fb60eb162ab84c5edf2ae9c63cf0b878e5547e upstream.
l2tp_ip_backlog_recv may not return -1 if the packet gets dropped.
The return value is passed up to ip_local_deliver_finish, which treats
negative values as an IP protocol number for resubmission.
Signed-off-by: Paul Hüber <phueber@kernsp.in>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_ip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -390,7 +390,7 @@ static int l2tp_ip_backlog_recv(struct s
drop:
IP_INC_STATS(sock_net(sk), IPSTATS_MIB_INDISCARDS);
kfree_skb(skb);
- return -1;
+ return 0;
}
/* Userspace will call sendmsg() on the tunnel socket to send L2TP
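Review bot: the drop path now returns 0 right after kfree_skb(skb), and nothing at the return says why 0 is required. The changelog explains that ip_local_deliver_finish treats a negative return as an IP protocol number for resubmission, which is how the freed skb ended up being used again; a one-line comment above "return 0;" would stop a later cleanup from turning it back into an error code. The other return paths of l2tp_ip_backlog_recv() are outside this hunk and should be checked for the same pattern.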
* [PATCH 3.16 178/192] PCI: Add Netronome NFP4000 PF device ID
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Simon Horman, Bjorn Helgaas
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <simon.horman@netronome.com>
commit 69874ec233871a62e1bc8c89e643993af93a8630 upstream.
Add the device ID for the PF of the NFP4000. The device ID for the VF,
0x6003, is already present as PCI_DEVICE_ID_NETRONOME_NFP6000_VF.
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/pci_ids.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -2477,6 +2477,7 @@
#define PCI_VENDOR_ID_NETRONOME 0x19ee
#define PCI_DEVICE_ID_NETRONOME_NFP3200 0x3200
#define PCI_DEVICE_ID_NETRONOME_NFP3240 0x3240
+#define PCI_DEVICE_ID_NETRONOME_NFP4000 0x4000
#define PCI_DEVICE_ID_NETRONOME_NFP6000 0x6000
#define PCI_DEVICE_ID_NETRONOME_NFP6000_VF 0x6003
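Review bot: PCI_DEVICE_ID_NETRONOME_NFP4000 is added without a VF counterpart, and only the changelog records that the NFP4000 VF uses 0x6003, already defined as PCI_DEVICE_ID_NETRONOME_NFP6000_VF. A trailing comment on the NFP6000_VF line noting that it also covers the NFP4000 VF would keep that fact in the header, where the next person looking for an NFP4000 VF ID will search.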
* [PATCH 3.16 142/192] m32r: add definition of ioremap_wc to io.h
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Catalin Marinas, Sudip Mukherjee, Abhilash Kesavan,
Greg Kroah-Hartman
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Abhilash Kesavan <a.kesavan@samsung.com>
commit 71a49d16f06de2ccdf52ca247d496a2bb1ca36fe upstream.
Before adding a resource managed ioremap_wc function, we need
to have ioremap_wc defined for m32r to prevent build errors.
Signed-off-by: Abhilash Kesavan <a.kesavan@samsung.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/m32r/include/asm/io.h | 1 +
1 file changed, 1 insertion(+)
--- a/arch/m32r/include/asm/io.h
+++ b/arch/m32r/include/asm/io.h
@@ -67,6 +67,7 @@ static inline void __iomem *ioremap(unsi
extern void iounmap(volatile void __iomem *addr);
#define ioremap_nocache(off,size) ioremap(off,size)
+#define ioremap_wc ioremap_nocache
/*
* IO bus memory addresses are also 1:1 with the physical address
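Review bot: ioremap_wc is defined as an object-like alias, "#define ioremap_wc ioremap_nocache", while the line above it uses the function-like form ioremap_nocache(off,size). Please write it as ioremap_wc(off,size) for consistency, and add a short comment that this alias exists to keep m32r building and gives callers an uncached mapping rather than write-combining semantics.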
* [PATCH 3.16 177/192] PCI: Limit config space size for Netronome NFP6000 family
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Simon Horman, Jason S. McMullan, Bjorn Helgaas
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Jason S. McMullan" <jason.mcmullan@netronome.com>
commit 9f33a2ae59f24452c1076749deb615bccd435ca9 upstream.
The NFP6000 has an erratum where reading/writing to PCI config space
addresses above 0x600 can cause the NFP to generate PCIe completion
timeouts.
Limit the NFP6000's config space size to 0x600 bytes.
Signed-off-by: Jason S. McMullan <jason.mcmullan@netronome.com>
[simon: edited changelog]
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/pci/quirks.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -288,6 +288,17 @@ static void quirk_citrine(struct pci_dev
}
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, PCI_DEVICE_ID_IBM_CITRINE, quirk_citrine);
+/*
+ * This chip can cause bus lockups if config addresses above 0x600
+ * are read or written.
+ */
+static void quirk_nfp6000(struct pci_dev *dev)
+{
+ dev->cfg_size = 0x600;
+}
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NETRONOME, PCI_DEVICE_ID_NETRONOME_NFP6000, quirk_nfp6000);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_NETRONOME, PCI_DEVICE_ID_NETRONOME_NFP6000_VF, quirk_nfp6000);
+
/* On IBM Crocodile ipr SAS adapters, expand BAR to system page size */
static void quirk_extend_bar_to_page(struct pci_dev *dev)
{
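Review bot: quirk_nfp6000 is registered for PCI_DEVICE_ID_NETRONOME_NFP6000 and PCI_DEVICE_ID_NETRONOME_NFP6000_VF only, while the subject says "NFP6000 family" and patch 178/192 in this series adds PCI_DEVICE_ID_NETRONOME_NFP4000. If the NFP4000 PF has the same erratum it needs its own DECLARE_PCI_FIXUP_HEADER line; if it does not, the comment should say so. The code comment also says "bus lockups" where the changelog says PCIe completion timeouts; please use one description, and note in the comment that cfg_size = 0x600 is what keeps config accesses below the affected range.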
* [PATCH 3.16 170/192] MIPS: KVM: Fix modular KVM under QEMU
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Radim Krčmář,
Paolo Bonzini, Ralf Baechle, James Hogan, kvm, linux-mips
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <james.hogan@imgtec.com>
commit 797179bc4fe06c89e47a9f36f886f68640b423f8 upstream.
Copy __kvm_mips_vcpu_run() into unmapped memory, so that we can never
get a TLB refill exception in it when KVM is built as a module.
This was observed to happen with the host MIPS kernel running under
QEMU, due to a not entirely transparent optimisation in the QEMU TLB
handling where TLB entries replaced with TLBWR are copied to a separate
part of the TLB array. Code in those pages continues to be executable,
but those mappings persist only until the next ASID switch, even if they
are marked global.
An ASID switch happens in __kvm_mips_vcpu_run() at exception level after
switching to the guest exception base. Subsequent TLB mapped kernel
instructions just prior to switching to the guest trigger a TLB refill
exception, which enters the guest exception handlers without updating
EPC. This appears as a guest triggered TLB refill on a host kernel
mapped (host KSeg2) address, which is not handled correctly as user
(guest) mode accesses to kernel (host) segments always generate address
error exceptions.
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: kvm@vger.kernel.org
Cc: linux-mips@linux-mips.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[james.hogan@imgtec.com: backported for stable 3.14]
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/include/asm/kvm_host.h | 1 +
arch/mips/kvm/kvm_locore.S | 1 +
arch/mips/kvm/kvm_mips.c | 11 ++++++++++-
arch/mips/kvm/kvm_mips_int.h | 2 ++
4 files changed, 14 insertions(+), 1 deletion(-)
--- a/arch/mips/include/asm/kvm_host.h
+++ b/arch/mips/include/asm/kvm_host.h
@@ -378,6 +378,7 @@ struct kvm_mips_tlb {
#define KVM_MIPS_GUEST_TLB_SIZE 64
struct kvm_vcpu_arch {
void *host_ebase, *guest_ebase;
+ int (*vcpu_run)(struct kvm_run *run, struct kvm_vcpu *vcpu);
unsigned long host_stack;
unsigned long host_gp;
--- a/arch/mips/kvm/kvm_locore.S
+++ b/arch/mips/kvm/kvm_locore.S
@@ -229,6 +229,7 @@ FEXPORT(__kvm_mips_load_k0k1)
/* Jump to guest */
eret
+EXPORT(__kvm_mips_vcpu_run_end)
VECTOR(MIPSX(exception), unknown)
/*
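Review bot: The __kvm_mips_vcpu_run_end marker placed after eret has no comment saying that everything between __kvm_mips_vcpu_run and this label is copied to another address at run time. Add one at the label stating that the region must stay contiguous and must not depend on its link-time address, so that later edits to this file do not move code past the marker or break the relocated copy.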
--- a/arch/mips/kvm/kvm_mips.c
+++ b/arch/mips/kvm/kvm_mips.c
@@ -342,6 +342,15 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
memcpy(gebase + offset, mips32_GuestException,
mips32_GuestExceptionEnd - mips32_GuestException);
+#ifdef MODULE
+ offset += mips32_GuestExceptionEnd - mips32_GuestException;
+ memcpy(gebase + offset, (char *)__kvm_mips_vcpu_run,
+ __kvm_mips_vcpu_run_end - (char *)__kvm_mips_vcpu_run);
+ vcpu->arch.vcpu_run = gebase + offset;
+#else
+ vcpu->arch.vcpu_run = __kvm_mips_vcpu_run;
+#endif
+
/* Invalidate the icache for these ranges */
flush_icache_range((unsigned long)gebase,
(unsigned long)gebase + ALIGN(size, PAGE_SIZE));
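Review bot: In the #ifdef MODULE branch, the memcpy() to gebase + offset has no visible check that offset plus the copied length still fits inside the gebase area that flush_icache_range() covers with ALIGN(size, PAGE_SIZE). Confirm that size accounts for __kvm_mips_vcpu_run_end - (char *)__kvm_mips_vcpu_run, or add a check before the copy, since an overrun here would write past the buffer and leave part of the copied code outside the flushed range. The assignment vcpu->arch.vcpu_run = gebase + offset also converts a data pointer to a function pointer implicitly; an explicit cast would make the intent clear.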
@@ -426,7 +435,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_v
kvm_guest_enter();
- r = __kvm_mips_vcpu_run(run, vcpu);
+ r = vcpu->arch.vcpu_run(run, vcpu);
kvm_guest_exit();
local_irq_enable();
--- a/arch/mips/kvm/kvm_mips_int.h
+++ b/arch/mips/kvm/kvm_mips_int.h
@@ -27,6 +27,8 @@
#define MIPS_EXC_MAX 12
/* XXXSL More to follow */
+extern char __kvm_mips_vcpu_run_end[];
+
#define C_TI (_ULCAST_(1) << 30)
#define KVM_MIPS_IRQ_DELIVER_ALL_AT_ONCE (0)
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 147/192] sparc/PCI: Fix for panic while enabling SR-IOV
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (187 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 170/192] MIPS: KVM: Fix modular KVM under QEMU Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 133/192] nl80211: check for the required netlink attributes presence Ben Hutchings
` (3 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David S. Miller, Ethan Zhao, Babu Moger, Sowmini Varadhan
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Babu Moger <babu.moger@oracle.com>
[ Upstream commit d0c31e02005764dae0aab130a57e9794d06b824d ]
We noticed this panic while enabling SR-IOV in sparc.
mlx4_core: Mellanox ConnectX core driver v2.2-1 (Jan 1 2015)
mlx4_core: Initializing 0007:01:00.0
mlx4_core 0007:01:00.0: Enabling SR-IOV with 5 VFs
mlx4_core: Initializing 0007:01:00.1
Unable to handle kernel NULL pointer dereference
insmod(10010): Oops [#1]
CPU: 391 PID: 10010 Comm: insmod Not tainted
4.1.12-32.el6uek.kdump2.sparc64 #1
TPC: <dma_supported+0x20/0x80>
I7: <__mlx4_init_one+0x324/0x500 [mlx4_core]>
Call Trace:
[00000000104c5ea4] __mlx4_init_one+0x324/0x500 [mlx4_core]
[00000000104c613c] mlx4_init_one+0xbc/0x120 [mlx4_core]
[0000000000725f14] local_pci_probe+0x34/0xa0
[0000000000726028] pci_call_probe+0xa8/0xe0
[0000000000726310] pci_device_probe+0x50/0x80
[000000000079f700] really_probe+0x140/0x420
[000000000079fa24] driver_probe_device+0x44/0xa0
[000000000079fb5c] __device_attach+0x3c/0x60
[000000000079d85c] bus_for_each_drv+0x5c/0xa0
[000000000079f588] device_attach+0x88/0xc0
[000000000071acd0] pci_bus_add_device+0x30/0x80
[0000000000736090] virtfn_add.clone.1+0x210/0x360
[00000000007364a4] sriov_enable+0x2c4/0x520
[000000000073672c] pci_enable_sriov+0x2c/0x40
[00000000104c2d58] mlx4_enable_sriov+0xf8/0x180 [mlx4_core]
[00000000104c49ac] mlx4_load_one+0x42c/0xd40 [mlx4_core]
Disabling lock debugging due to kernel taint
Caller[00000000104c5ea4]: __mlx4_init_one+0x324/0x500 [mlx4_core]
Caller[00000000104c613c]: mlx4_init_one+0xbc/0x120 [mlx4_core]
Caller[0000000000725f14]: local_pci_probe+0x34/0xa0
Caller[0000000000726028]: pci_call_probe+0xa8/0xe0
Caller[0000000000726310]: pci_device_probe+0x50/0x80
Caller[000000000079f700]: really_probe+0x140/0x420
Caller[000000000079fa24]: driver_probe_device+0x44/0xa0
Caller[000000000079fb5c]: __device_attach+0x3c/0x60
Caller[000000000079d85c]: bus_for_each_drv+0x5c/0xa0
Caller[000000000079f588]: device_attach+0x88/0xc0
Caller[000000000071acd0]: pci_bus_add_device+0x30/0x80
Caller[0000000000736090]: virtfn_add.clone.1+0x210/0x360
Caller[00000000007364a4]: sriov_enable+0x2c4/0x520
Caller[000000000073672c]: pci_enable_sriov+0x2c/0x40
Caller[00000000104c2d58]: mlx4_enable_sriov+0xf8/0x180 [mlx4_core]
Caller[00000000104c49ac]: mlx4_load_one+0x42c/0xd40 [mlx4_core]
Caller[00000000104c5f90]: __mlx4_init_one+0x410/0x500 [mlx4_core]
Caller[00000000104c613c]: mlx4_init_one+0xbc/0x120 [mlx4_core]
Caller[0000000000725f14]: local_pci_probe+0x34/0xa0
Caller[0000000000726028]: pci_call_probe+0xa8/0xe0
Caller[0000000000726310]: pci_device_probe+0x50/0x80
Caller[000000000079f700]: really_probe+0x140/0x420
Caller[000000000079fa24]: driver_probe_device+0x44/0xa0
Caller[000000000079fb08]: __driver_attach+0x88/0xa0
Caller[000000000079d90c]: bus_for_each_dev+0x6c/0xa0
Caller[000000000079f29c]: driver_attach+0x1c/0x40
Caller[000000000079e35c]: bus_add_driver+0x17c/0x220
Caller[00000000007a02d4]: driver_register+0x74/0x120
Caller[00000000007263fc]: __pci_register_driver+0x3c/0x60
Caller[00000000104f62bc]: mlx4_init+0x60/0xcc [mlx4_core]
Kernel panic - not syncing: Fatal exception
Press Stop-A (L1-A) to return to the boot prom
---[ end Kernel panic - not syncing: Fatal exception
Details:
Here is the call sequence
virtfn_add->__mlx4_init_one->dma_set_mask->dma_supported
The panic happened at line 760(file arch/sparc/kernel/iommu.c)
758 int dma_supported(struct device *dev, u64 device_mask)
759 {
760 struct iommu *iommu = dev->archdata.iommu;
761 u64 dma_addr_mask = iommu->dma_addr_mask;
762
763 if (device_mask >= (1UL << 32UL))
764 return 0;
765
766 if ((device_mask & dma_addr_mask) == dma_addr_mask)
767 return 1;
768
769 #ifdef CONFIG_PCI
770 if (dev_is_pci(dev))
771 return pci64_dma_supported(to_pci_dev(dev), device_mask);
772 #endif
773
774 return 0;
775 }
776 EXPORT_SYMBOL(dma_supported);
Same panic happened with Intel ixgbe driver also.
SR-IOV code looks for arch specific data while enabling
VFs. When VF device is added, driver probe function makes a set
of calls to initialize the pci device. Because the VF device is
added in a different way than the normal PF device (which happens via
of_create_pci_dev for sparc), some of the arch specific initialization
does not happen for VF device. That causes panic when archdata is
accessed.
To fix this, I have used the already defined weak function
pcibios_setup_device to copy archdata from PF to VF.
Also verified the fix.
Signed-off-by: Babu Moger <babu.moger@oracle.com>
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Reviewed-by: Ethan Zhao <ethan.zhao@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sparc/kernel/pci.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/arch/sparc/kernel/pci.c
+++ b/arch/sparc/kernel/pci.c
@@ -930,6 +930,23 @@ void pcibios_set_master(struct pci_dev *
/* No special bus mastering setup handling */
}
+#ifdef CONFIG_PCI_IOV
+int pcibios_add_device(struct pci_dev *dev)
+{
+ struct pci_dev *pdev;
+
+ /* Add sriov arch specific initialization here.
+ * Copy dev_archdata from PF to VF
+ */
+ if (dev->is_virtfn) {
+ pdev = dev->physfn;
+ memcpy(&dev->dev.archdata, &pdev->dev.archdata,
+ sizeof(struct dev_archdata));
+ }
+ return 0;
+}
+#endif /* CONFIG_PCI_IOV */
+
static int __init pcibios_init(void)
{
pci_dfl_cache_line_size = 64 >> 2;
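Review bot: In the dev->is_virtfn branch, memcpy() makes a shallow copy of the PF's dev_archdata, so the VF ends up sharing whatever pointers that structure holds (the oops in the commit message faults on dev->archdata.iommu), and dev->physfn is dereferenced without a NULL check. State in the comment that the VF borrows the PF's data and relies on the PF outliving it, and consider guarding pdev before the copy. The commit message also names pcibios_setup_device while the hook added here is pcibios_add_device; the two should agree.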
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 133/192] nl80211: check for the required netlink attributes presence
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (188 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 147/192] sparc/PCI: Fix for panic while enabling SR-IOV Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 152/192] net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case Ben Hutchings
` (2 subsequent siblings)
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, bo Zhang, Johannes Berg, Vladis Dronov
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vladis Dronov <vdronov@redhat.com>
commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.
nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.
This fixes CVE-2017-12153.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Reported-by: bo Zhang <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/wireless/nl80211.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -8927,6 +8927,9 @@ static int nl80211_set_rekey_data(struct
if (err)
return err;
+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+ !tb[NL80211_REKEY_DATA_KCK])
+ return -EINVAL;
if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
return -ERANGE;
if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
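Review bot: The new presence test guards the nla_len() calls that follow it, but only two of those calls are visible in this context, so check that every tb[] entry dereferenced later in nl80211_set_rekey_data() is one of the three attributes tested here. A blank line after return -EINVAL; would also separate the presence validation from the length checks, which return -ERANGE, and make the two classes of error easier to tell apart when reading the function.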
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 152/192] net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (189 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 133/192] nl80211: check for the required netlink attributes presence Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 12:44 ` [PATCH 3.16 183/192] Fix memory leaks in cifs_do_mount() Ben Hutchings
2017-10-09 20:13 ` [PATCH 3.16 000/192] 3.16.49-rc1 review Guenter Roeck
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Tim Bingham
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tim Bingham <tbingham@akamai.com>
commit 2c94b53738549d81dc7464a32117d1f5112c64d3 upstream.
Prior to commit d92cff89a0c8 ("net_dbg_ratelimited: turn into no-op
when !DEBUG") the implementation of net_dbg_ratelimited() was buggy
for both the DEBUG and CONFIG_DYNAMIC_DEBUG cases.
The bug was that net_ratelimit() was being called and, despite
returning true, nothing was being printed to the console. This
resulted in messages like the following -
"net_ratelimit: %d callbacks suppressed"
with no other output nearby.
After commit d92cff89a0c8 ("net_dbg_ratelimited: turn into no-op when
!DEBUG") the bug is fixed for the DEBUG case. However, there's no
output at all for the CONFIG_DYNAMIC_DEBUG case.
This patch restores debug output (if enabled) for the
CONFIG_DYNAMIC_DEBUG case.
Add a definition of net_dbg_ratelimited() for the CONFIG_DYNAMIC_DEBUG
case. The implementation takes care to check that dynamic debugging is
enabled before calling net_ratelimit().
Fixes: d92cff89a0c8 ("net_dbg_ratelimited: turn into no-op when !DEBUG")
Signed-off-by: Tim Bingham <tbingham@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/net.h | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/include/linux/net.h
+++ b/include/linux/net.h
@@ -242,7 +242,15 @@ do { \
net_ratelimited_function(pr_warn, fmt, ##__VA_ARGS__)
#define net_info_ratelimited(fmt, ...) \
net_ratelimited_function(pr_info, fmt, ##__VA_ARGS__)
-#if defined(DEBUG)
+#if defined(CONFIG_DYNAMIC_DEBUG)
+#define net_dbg_ratelimited(fmt, ...) \
+do { \
+ DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \
+ if (unlikely(descriptor.flags & _DPRINTK_FLAGS_PRINT) && \
+ net_ratelimit()) \
+ __dynamic_pr_debug(&descriptor, fmt, ##__VA_ARGS__); \
+} while (0)
+#elif defined(DEBUG)
#define net_dbg_ratelimited(fmt, ...) \
net_ratelimited_function(pr_debug, fmt, ##__VA_ARGS__)
#else
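Review bot: With #if defined(CONFIG_DYNAMIC_DEBUG) placed ahead of #elif defined(DEBUG), a file built with both defined now takes the dynamic-debug path instead of net_ratelimited_function(pr_debug, ...), and that precedence deserves a line in a comment next to the #if. Testing descriptor.flags & _DPRINTK_FLAGS_PRINT before net_ratelimit() is the right order, since a disabled call site then consumes no rate-limit budget; a short comment saying so would stop someone from swapping the operands later. The macro also relies on the dynamic debug definitions being in scope in include/linux/net.h, which this hunk does not show.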
^ permalink raw reply [flat|nested] 196+ messages in thread
* [PATCH 3.16 183/192] Fix memory leaks in cifs_do_mount()
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (190 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 152/192] net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case Ben Hutchings
@ 2017-10-09 12:44 ` Ben Hutchings
2017-10-09 20:13 ` [PATCH 3.16 000/192] 3.16.49-rc1 review Guenter Roeck
192 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 12:44 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Aurelien Aptel, Sachin Prabhu, Steve French
3.16.49-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sachin Prabhu <sprabhu@redhat.com>
commit 4214ebf4654798309364d0c678b799e402f38288 upstream.
Fix memory leaks introduced by the patch
fs/cifs: make share unaccessible at root level mountable
Also move allocation of cifs_sb->prepath to cifs_setup_cifs_sb().
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/cifsfs.c | 20 ++++++++------------
fs/cifs/cifsproto.h | 2 +-
fs/cifs/connect.c | 10 +++++++++-
3 files changed, 18 insertions(+), 14 deletions(-)
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -663,26 +663,22 @@ cifs_do_mount(struct file_system_type *f
cifs_sb->mountdata = kstrndup(data, PAGE_SIZE, GFP_KERNEL);
if (cifs_sb->mountdata == NULL) {
root = ERR_PTR(-ENOMEM);
- goto out_cifs_sb;
+ goto out_free;
}
- if (volume_info->prepath) {
- cifs_sb->prepath = kstrdup(volume_info->prepath, GFP_KERNEL);
- if (cifs_sb->prepath == NULL) {
- root = ERR_PTR(-ENOMEM);
- goto out_cifs_sb;
- }
+ rc = cifs_setup_cifs_sb(volume_info, cifs_sb);
+ if (rc) {
+ root = ERR_PTR(rc);
+ goto out_free;
}
- cifs_setup_cifs_sb(volume_info, cifs_sb);
-
rc = cifs_mount(cifs_sb, volume_info);
if (rc) {
if (!(flags & MS_SILENT))
cifs_dbg(VFS, "cifs_mount failed w/return code = %d\n",
rc);
root = ERR_PTR(rc);
- goto out_mountdata;
+ goto out_free;
}
mnt_data.vol = volume_info;
@@ -729,9 +725,9 @@ out:
cifs_cleanup_volume_info(volume_info);
return root;
-out_mountdata:
+out_free:
+ kfree(cifs_sb->prepath);
kfree(cifs_sb->mountdata);
-out_cifs_sb:
kfree(cifs_sb);
out_nls:
unload_nls(volume_info->local_nls);
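Review bot: The merged out_free label now runs kfree(cifs_sb->prepath) on the path taken when kstrndup() of mountdata fails in the previous hunk, which is before cifs_setup_cifs_sb() has assigned prepath. That is only safe if cifs_sb is zero-initialised when it is allocated, which is outside the visible context; confirm it, or set cifs_sb->prepath = NULL explicitly before the first goto out_free.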
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -183,7 +183,7 @@ extern int cifs_read_from_socket(struct
extern int cifs_readv_from_socket(struct TCP_Server_Info *server,
struct kvec *iov_orig, unsigned int nr_segs,
unsigned int to_read);
-extern void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
+extern int cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
struct cifs_sb_info *cifs_sb);
extern int cifs_match_super(struct super_block *, void *);
extern void cifs_cleanup_volume_info(struct smb_vol *pvolume_info);
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3194,7 +3194,7 @@ void reset_cifs_unix_caps(unsigned int x
}
}
-void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
+int cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
struct cifs_sb_info *cifs_sb)
{
INIT_DELAYED_WORK(&cifs_sb->prune_tlinks, cifs_prune_tlinks);
@@ -3276,6 +3276,14 @@ void cifs_setup_cifs_sb(struct smb_vol *
if ((pvolume_info->cifs_acl) && (pvolume_info->dynperm))
cifs_dbg(VFS, "mount option dynperm ignored if cifsacl mount option supported\n");
+
+ if (pvolume_info->prepath) {
+ cifs_sb->prepath = kstrdup(pvolume_info->prepath, GFP_KERNEL);
+ if (cifs_sb->prepath == NULL)
+ return -ENOMEM;
+ }
+
+ return 0;
}
static void
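Review bot: cifs_setup_cifs_sb() now returns -ENOMEM when kstrdup() of prepath fails, but that failure comes at the very end of the function, after INIT_DELAYED_WORK() and the rest of the field setup have already run. cifs_do_mount() checks rc and frees through out_free; any other caller of the formerly void function has to be updated to check the result as well, and a comment at the prototype saying that cifs_sb->prepath is allocated here and freed by the caller would document the ownership.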
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH 3.16 000/192] 3.16.49-rc1 review
2017-10-09 12:44 [PATCH 3.16 000/192] 3.16.49-rc1 review Ben Hutchings
` (191 preceding siblings ...)
2017-10-09 12:44 ` [PATCH 3.16 183/192] Fix memory leaks in cifs_do_mount() Ben Hutchings
@ 2017-10-09 20:13 ` Guenter Roeck
2017-10-09 21:17 ` Ben Hutchings
192 siblings, 1 reply; 196+ messages in thread
From: Guenter Roeck @ 2017-10-09 20:13 UTC (permalink / raw)
To: Ben Hutchings; +Cc: linux-kernel, stable, torvalds, akpm
On Mon, Oct 09, 2017 at 01:44:23PM +0100, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.49 release.
> There are 192 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Oct 11 20:00:00 UTC 2017.
> Anything received after that time might be too late.
>
Build results:
total: 136 pass: 136 fail: 0
Qemu test results:
total: 108 pass: 108 fail: 0
Details are available at http://kerneltests.org/builders.
Guenter
^ permalink raw reply [flat|nested] 196+ messages in thread
* Re: [PATCH 3.16 000/192] 3.16.49-rc1 review
2017-10-09 20:13 ` [PATCH 3.16 000/192] 3.16.49-rc1 review Guenter Roeck
@ 2017-10-09 21:17 ` Ben Hutchings
0 siblings, 0 replies; 196+ messages in thread
From: Ben Hutchings @ 2017-10-09 21:17 UTC (permalink / raw)
To: Guenter Roeck; +Cc: linux-kernel, stable, torvalds, akpm
On Mon, 2017-10-09 at 13:13 -0700, Guenter Roeck wrote:
> On Mon, Oct 09, 2017 at 01:44:23PM +0100, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.49 release.
> > There are 192 patches in this series, which will be posted as responses
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed Oct 11 20:00:00 UTC 2017.
> > Anything received after that time might be too late.
> >
>
> Build results:
> total: 136 pass: 136 fail: 0
> Qemu test results:
> total: 108 pass: 108 fail: 0
>
> Details are available at http://kerneltests.org/builders.
Thanks for checking.
Ben.
--
Ben Hutchings
Humour is the best antidote to reality.
^ permalink raw reply [flat|nested] 196+ messages in thread