linux-kernel.vger.kernel.org archive mirror
* [PATCH 4.7 000/184] 4.7.5-stable review
@ 2016-09-22 17:38 ` Greg Kroah-Hartman
  2016-09-22 17:38   ` [PATCH 4.7 001/184] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Greg Kroah-Hartman
                     ` (177 more replies)
  0 siblings, 178 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:38 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah.kh, patches,
	ben.hutchings, stable

This is the start of the stable review cycle for the 4.7.5 release.
There are 184 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat Sep 24 17:40:23 UTC 2016.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.7.5-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.7.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.7.5-rc1

Linus Torvalds <torvalds@linux-foundation.org>
    Add braces to avoid "ambiguous ‘else’" compiler warnings

Thomas Gleixner <tglx@linutronix.de>
    genirq/msi: Fix broken debug output

Arnd Bergmann <arnd@arndb.de>
    iwlegacy: avoid warning about missing braces

Al Viro <viro@zeniv.linux.org.uk>
    ia64: copy_from_user() should zero the destination on access_ok() failure

Al Viro <viro@zeniv.linux.org.uk>
    ppc32: fix copy_from_user()

Al Viro <viro@zeniv.linux.org.uk>
    sparc32: fix copy_from_user()

Al Viro <viro@zeniv.linux.org.uk>
    mn10300: copy_from_user() should zero on access_ok() failure...

Al Viro <viro@zeniv.linux.org.uk>
    nios2: copy_from_user() should zero the tail of destination

Al Viro <viro@zeniv.linux.org.uk>
    openrisc: fix copy_from_user()

Al Viro <viro@zeniv.linux.org.uk>
    parisc: fix copy_from_user()

Al Viro <viro@zeniv.linux.org.uk>
    metag: copy_from_user() should zero the destination on access_ok() failure

Al Viro <viro@zeniv.linux.org.uk>
    alpha: fix copy_from_user()

Al Viro <viro@zeniv.linux.org.uk>
    asm-generic: make copy_from_user() zero the destination properly

Al Viro <viro@zeniv.linux.org.uk>
    mips: copy_from_user() must zero the destination on access_ok() failure

Al Viro <viro@zeniv.linux.org.uk>
    hexagon: fix strncpy_from_user() error return

Pan Xinhui <xinhui.pan@linux.vnet.ibm.com>
    sh: cmpxchg: fix a bit shift bug in big_endian os

Al Viro <viro@zeniv.linux.org.uk>
    sh: fix copy_from_user()

Al Viro <viro@zeniv.linux.org.uk>
    score: fix copy_from_user() and friends

Al Viro <viro@zeniv.linux.org.uk>
    blackfin: fix copy_from_user()

Al Viro <viro@zeniv.linux.org.uk>
    cris: buggered copy_from_user/copy_to_user/clear_user

Al Viro <viro@zeniv.linux.org.uk>
    frv: fix clear_user()

Al Viro <viro@zeniv.linux.org.uk>
    asm-generic: make get_user() clear the destination on errors

Vineet Gupta <Vineet.Gupta1@synopsys.com>
    ARC: uaccess: get_user to zero out dest in cause of fault

Al Viro <viro@zeniv.linux.org.uk>
    s390: get_user() should zero on failure

Al Viro <viro@zeniv.linux.org.uk>
    score: fix __get_user/get_user

Al Viro <viro@zeniv.linux.org.uk>
    nios2: fix __get_user()

Al Viro <viro@zeniv.linux.org.uk>
    sh64: failing __get_user() should zero

Al Viro <viro@zeniv.linux.org.uk>
    m32r: fix __get_user()

Al Viro <viro@zeniv.linux.org.uk>
    mn10300: failing __get_user() and get_user() should zero

Al Viro <viro@ZenIV.linux.org.uk>
    fix minor infoleak in get_user_ex()

Al Viro <viro@zeniv.linux.org.uk>
    microblaze: fix copy_from_user()

Al Viro <viro@zeniv.linux.org.uk>
    avr32: fix copy_from_user()

Al Viro <viro@zeniv.linux.org.uk>
    microblaze: fix __get_user()

Al Viro <viro@ZenIV.linux.org.uk>
    fix iov_iter_fault_in_readable()

Boris Brezillon <boris.brezillon@free-electrons.com>
    irqchip/atmel-aic: Fix potential deadlock in ->xlate()

Boris Brezillon <boris.brezillon@free-electrons.com>
    genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers

Lee Jones <lee.jones@linaro.org>
    mmc: sdhci-st: Handle interconnect clock

Chuck Lever <chuck.lever@oracle.com>
    svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation")

Kristian H. Kristensen <hoegsberg@gmail.com>
    drm: Only use compat ioctl for addfb2 on X86/IA64

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915: Ignore OpRegion panel type except on select machines

Jan Leupold <leupold@rsi-elektrotechnik.de>
    drm: atmel-hlcdc: Fix vertical scaling

Arnd Bergmann <arnd@arndb.de>
    kconfig: tinyconfig: provide whole choice blocks to avoid warnings

Mike Danese <mikedanese@google.com>
    mpssd: fix buffer overflow warning

Christophe Leroy <christophe.leroy@c-s.fr>
    powerpc/32: Fix again csum_partial_copy_generic()

Christophe Leroy <christophe.leroy@c-s.fr>
    powerpc/32: Fix csum_partial_copy_generic()

Jeffrey Hugo <jhugo@codeaurora.org>
    x86/efi: Use efi_exit_boot_services()

Jeffrey Hugo <jhugo@codeaurora.org>
    efi/libstub: Use efi_exit_boot_services() in FDT

Jeffrey Hugo <jhugo@codeaurora.org>
    efi/libstub: Introduce ExitBootServices helper

Jeffrey Hugo <jhugo@codeaurora.org>
    efi/libstub: Allocate headspace in efi_get_memory_map()

Jan Beulich <JBeulich@suse.com>
    efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen

Eli Cooper <elicooper@gmx.com>
    ipv6: Don't unset flowi6_proto in ipxip6_tnl_xmit()

Balbir Singh <bsingharora@gmail.com>
    sched/core: Fix a race between try_to_wake_up() and a woken up task

Johannes Berg <johannes.berg@intel.com>
    Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel"

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    perf/x86/intel/pt: Do validate the size of a kernel address filter

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    perf/x86/intel/pt: Fix kernel address filter's offset validation

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    perf/x86/intel/pt: Fix an off-by-one in address filter configuration

Matt Fleming <matt@codeblueprint.co.uk>
    perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2

Jiri Olsa <jolsa@kernel.org>
    perf/x86/intel/cqm: Check cqm/mbm enabled state in event init

Peter Zijlstra <peterz@infradead.org>
    perf/x86/intel: Fix PEBSv3 record drain

Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
    ath9k: bring back direction setting in ath9k_{start_stop}

Felix Fietkau <nbd@nbd.name>
    ath9k: fix using sta->drv_priv before initializing it

Guoqing Jiang <gqjiang@suse.com>
    md-cluster: make md-cluster also can work when compiled into kernel

Arend Van Spriel <arend.vanspriel@broadcom.com>
    brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: fix null pointer dereference in stop command timeout function

Miklos Szeredi <mszeredi@redhat.com>
    fuse: direct-io: don't dirty ITER_BVEC pages

Chris Mason <clm@fb.com>
    Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns

Ard Biesheuvel <ard.biesheuvel@linaro.org>
    crypto: cryptd - initialize child shash_desc on import

Will Deacon <will.deacon@arm.com>
    arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()

Johan Hovold <johan@kernel.org>
    memory: omap-gpmc: allow probe of child nodes to fail

Icenowy Zheng <icenowy@aosc.xyz>
    pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33

James Hartley <james.hartley@imgtec.com>
    pinctrl: pistachio: fix mfio pll_lock pinmux

Mikulas Patocka <mpatocka@redhat.com>
    dm crypt: fix error with too large bios

Mikulas Patocka <mpatocka@redhat.com>
    dm log writes: move IO accounting earlier to fix error path

Eric Biggers <ebiggers@google.com>
    dm crypt: fix free of bad values after tfm allocation failure

Vladimir Zapolskiy <vz@mleia.com>
    dm log writes: fix check of kthread_run() return value

Pawel Moll <pawel.moll@arm.com>
    bus: arm-ccn: Fix XP watchpoint settings bitmask

Pawel Moll <pawel.moll@arm.com>
    bus: arm-ccn: Do not attempt to configure XPs for cycle counter

Pawel Moll <pawel.moll@arm.com>
    bus: arm-ccn: Fix PMU handling of MN

Lee Jones <lee.jones@linaro.org>
    ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI

Johan Hovold <johan@kernel.org>
    ARM: dts: overo: fix gpmc nand on boards with ethernet

Johan Hovold <johan@kernel.org>
    ARM: dts: overo: fix gpmc nand cs0 range

Russell King <rmk+kernel@armlinux.org.uk>
    ARM: dts: armada-388-clearfog: number LAN ports properly

Fabio Estevam <fabio.estevam@nxp.com>
    ARM: dts: imx6qdl: Fix SPDIF regression

Gregory CLEMENT <gregory.clement@free-electrons.com>
    ARM: dts: kirkwood: Fix PCIe label on OpenRD

Sebastian Reichel <sre@kernel.org>
    ARM: OMAP3: hwmod data: Add sysc information for DSI

Simon Baatz <gmbnomis@gmail.com>
    ARM: kirkwood: ib62x0: fix size of u-boot environment partition

Anson Huang <Anson.Huang@nxp.com>
    ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx

Peter Chen <peter.chen@nxp.com>
    ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul

Keerthy <j-keerthy@ti.com>
    ARM: AM43XX: hwmod: Fix RSTST register offset for pruss

Caesar Wang <wxt@rock-chips.com>
    arm: dts: rockchip: add reset node for the exist saradc SoCs

Zefan Li <lizefan@huawei.com>
    cpuset: make sure new tasks conform to the current config of the cpuset

Harini Katakam <harini.katakam@xilinx.com>
    net: macb: Correct CAPS mask

David Daney <david.daney@cavium.com>
    net: thunderx: Fix OOPs with ethtool --register-dump

Andrew Donnellan <andrew.donnellan@au1.ibm.com>
    cxl: use pcibios_free_controller_deferred() when removing vPHBs

Linus Torvalds <torvalds@linux-foundation.org>
    devpts: return NULL pts 'priv' entry for non-devpts nodes

Alan Stern <stern@rowland.harvard.edu>
    USB: change bInterval default to 10 ms

Lee Jones <lee.jones@linaro.org>
    ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB)

Clemens Gruber <clemens.gruber@pqgruber.com>
    usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase

Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition

Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON

Daniele Palmas <dnlplm@gmail.com>
    USB: serial: simple: add support for another Infineon flashloader

Jimi Damon <jdamon@accesio.com>
    serial: 8250: added acces i/o products quad and octal serial cards

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    serial: 8250_mid: fix divide error bug if baud rate is 0

Colin Ian King <colin.king@canonical.com>
    iio: ensure ret is initialized to zero before entering do loop

Gregor Boirie <gregor.boirie@parrot.com>
    iio:core: fix IIO_VAL_FRACTIONAL sign handling

Linus Walleij <linus.walleij@linaro.org>
    iio: accel: kxsd9: Fix scaling bug

Kweh, Hock Leong <hock.leong.kweh@intel.com>
    iio: fix pressure data output unit in hid-sensor-attributes

Olof Johansson <olof@lixom.net>
    iio: accel: bmc150: reset chip at init time

Alison Schofield <amsfield22@gmail.com>
    iio: humidity: hdc100x: fix sensor data reads of temp and humidity

Anders Darander <anders@chargestorm.se>
    iio: adc: at91: unbreak channel adc channel 3

Alison Schofield <amsfield22@gmail.com>
    iio: humidity: am2315: set up buffer timestamps for non-zero values

Lars-Peter Clausen <lars@metafoo.de>
    iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999

Giorgio Dal Molin <giorgio.nicole@arcor.de>
    iio:ti-ads1015: fix a wrong pointer definition.

Vignesh R <vigneshr@ti.com>
    iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample

Vignesh R <vigneshr@ti.com>
    iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access

Caesar Wang <wxt@rock-chips.com>
    iio: adc: rockchip_saradc: reset saradc controller before programming it

Alison Schofield <amsfield22@gmail.com>
    iio: proximity: as3935: set up buffer timestamps for non-zero values

Lars-Peter Clausen <lars@metafoo.de>
    iio: sw-trigger: Fix config group initialization

Linus Walleij <linus.walleij@linaro.org>
    iio: accel: kxsd9: Fix raw read return

Paolo Bonzini <pbonzini@redhat.com>
    kvm: x86: correctly reset dest_map->vector when restoring LAPIC state

Suzuki K Poulose <suzuki.poulose@arm.com>
    kvm-arm: Unmap shadow pagetables properly

David Hildenbrand <dahi@linux.vnet.ibm.com>
    KVM: s390: don't use current->thread.fpu.* when accessing registers

Emanuel Czirai <icanrealizeum@gmail.com>
    x86/AMD: Apply erratum 665 on machines without a BIOS fix

Steven Rostedt <rostedt@goodmis.org>
    x86/paravirt: Do not trace _paravirt_ident_*() functions

Dan Williams <dan.j.williams@intel.com>
    mm: fix cache mode of dax pmd mappings

Easwar Hariharan <easwar.hariharan@intel.com>
    IB/hfi1: Reset QSFP on every run through channel tuning

Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    IB/uverbs: Fix race between uverbs_close and remove_one

Mike Marciniszyn <mike.marciniszyn@intel.com>
    IB/hfi1,IB/qib: Fix qp_stats sleep with rcu read lock held

Mike Snitzer <snitzer@redhat.com>
    dm flakey: fix reads to be issued if drop_writes configured

Mateusz Guzik <mguzik@redhat.com>
    audit: fix exe_file access in audit_exe_compare

Mateusz Guzik <mguzik@redhat.com>
    mm: introduce get_task_exe_file

Alexandre Bounine <alexandre.bounine@idt.com>
    rapidio/tsi721: fix incorrect detection of address translation condition

Christoph Hellwig <hch@lst.de>
    ahci: disable correct irq for dummy ports

David Rientjes <rientjes@google.com>
    mm, mempolicy: task->mempolicy must be NULL before dropping final reference

Michal Hocko <mhocko@suse.com>
    mm, oom: prevent premature OOM killer invocation for high order request

Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
    kexec: fix double-free when failing to relocate the purgatory

Trond Myklebust <trond.myklebust@primarydata.com>
    NFSv4.1: Fix the CREATE_SESSION slot number accounting

Trond Myklebust <trond.myklebust@primarydata.com>
    pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised

Chuck Lever <chuck.lever@oracle.com>
    nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock

Trond Myklebust <trond.myklebust@primarydata.com>
    NFSv4.x: Fix a refcount leak in nfs_callback_up_net

Trond Myklebust <trond.myklebust@primarydata.com>
    NFSv4.1: Fix Oopsable condition in server callback races

Trond Myklebust <trond.myklebust@primarydata.com>
    pNFS: The client must not do I/O to the DS if it's lease has expired

Trond Myklebust <trond.myklebust@primarydata.com>
    pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails

Tejun Heo <tj@kernel.org>
    kernfs: don't depend on d_find_any_alias() when generating notifications

Gavin Shan <gwshan@linux.vnet.ibm.com>
    powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE

Paul Mackerras <paulus@ozlabs.org>
    powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET

Christophe Leroy <christophe.leroy@c-s.fr>
    powerpc: sysdev: cpm: fix gpio save_regs functions

Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
    powerpc/powernv : Drop reference added by kset_find_obj()

Nicholas Piggin <npiggin@gmail.com>
    powerpc/tm: do not use r13 for tabort_syscall

Artem Germanov <agermanov@anchorfree.com>
    tcp: cwnd does not increase in TCP YeAH

Gal Pressman <galp@mellanox.com>
    net/mlx5e: Fix parsing of vlan packets when updating lro header

Eric Dumazet <edumazet@google.com>
    tcp: fastopen: avoid negative sk_forward_alloc

Wei Yongjun <weiyongjun1@huawei.com>
    ipv6: addrconf: fix dev refcont leak when DAD failed

Michael Chan <michael.chan@broadcom.com>
    bnxt_en: Fix TX push operation on ARM64.

Dave Jones <davej@codemonkey.org.uk>
    ipv6: release dst in ping_v6_sendmsg

Linus Torvalds <torvalds@linux-foundation.org>
    af_unix: split 'u->readlock' into two: 'iolock' and 'bindlock'

Linus Torvalds <torvalds@linux-foundation.org>
    Revert "af_unix: Fix splice-bind deadlock"

Mahesh Bandewar <maheshb@google.com>
    bonding: Fix bonding crash

WANG Cong <xiyou.wangcong@gmail.com>
    kcm: fix a socket double free

Davide Caratti <dcaratti@redhat.com>
    bridge: re-introduce 'fix parsing of MLDv2 reports'

Russell King <rmk+kernel@armlinux.org.uk>
    net: smc91x: fix SMC accesses

Xander Huff <xander.huff@ni.com>
    Revert "phy: IRQ cannot be shared"

Florian Fainelli <f.fainelli@gmail.com>
    net: dsa: bcm_sf2: Fix race condition while unmasking interrupts

Soheil Hassas Yeganeh <soheil@google.com>
    tun: fix transmit timestamp support

Lance Richardson <lrichard@redhat.com>
    sctp: fix overrun in sctp_diag_dump_one()

Eric Dumazet <edumazet@google.com>
    tcp: properly scale window in tcp_v[46]_reqsk_send_ack()

Eric Dumazet <edumazet@google.com>
    udp: fix poll() issue with zero sized packets

Jamal Hadi Salim <jhs@mojatatu.com>
    net sched: fix encoding to use real length

Hadar Hen Zion <hadarh@mellanox.com>
    net/mlx5e: Use correct flow dissector key on flower offloading

Paul Blakey <paulb@mellanox.com>
    net/mlx5: Added missing check of msg length in verifying its signature

Mohamad Haj Yahia <mohamad@mellanox.com>
    net/mlx5: Fix pci error recovery flow

Eric Dumazet <edumazet@google.com>
    tcp: fix use after free in tcp_xmit_retransmit_queue()

Vegard Nossum <vegard.nossum@oracle.com>
    tipc: fix NULL pointer dereference in shutdown()

Mike Manning <mmanning@brocade.com>
    net: ipv6: Do not keep IPv6 addresses when IPv6 is disabled

Vegard Nossum <vegard.nossum@oracle.com>
    net/sctp: always initialise sctp_ht_iter::start_fail

Vegard Nossum <vegard.nossum@oracle.com>
    net/irda: handle iriap_register_lsap() allocation failure

Daniel Borkmann <daniel@iogearbox.net>
    bpf: fix write helpers with regards to non-linear parts

Lance Richardson <lrichard@redhat.com>
    vti: flush x-netns xfrm cache when vti interface is removed

David Forster <dforster@brocade.com>
    ipv4: panic in leaf_walk_rcu due to stale node pointer

Jakub Kicinski <jakub.kicinski@netronome.com>
    bpf: fix method of PTR_TO_PACKET reg id generation

Rob Clark <robdclark@gmail.com>
    drm/msm: protect against faults from copy_from_user() in submit ioctl

Eric Biggers <ebiggers@google.com>
    fscrypto: require write access to mount to set encryption policy

James Hogan <james.hogan@imgtec.com>
    MIPS: KVM: Check for pfn noslot case

Chen-Yu Tsai <wens@csie.org>
    clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function


-------------

Diffstat:

 .../bindings/iio/adc/rockchip-saradc.txt           |   7 +
 Documentation/mic/mpssd/mpssd.c                    |   4 +-
 Makefile                                           |   4 +-
 arch/alpha/include/asm/uaccess.h                   |  19 +--
 arch/arc/include/asm/uaccess.h                     |  11 +-
 arch/arm/boot/dts/armada-388-clearfog.dts          |   8 +-
 arch/arm/boot/dts/imx6qdl.dtsi                     |   2 +-
 arch/arm/boot/dts/kirkwood-ib62x0.dts              |   2 +-
 arch/arm/boot/dts/kirkwood-openrd.dtsi             |   4 +
 arch/arm/boot/dts/omap3-overo-base.dtsi            |   4 +-
 .../boot/dts/omap3-overo-chestnut43-common.dtsi    |   2 -
 arch/arm/boot/dts/omap3-overo-tobi-common.dtsi     |   2 -
 arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi  |   3 -
 arch/arm/boot/dts/rk3066a.dtsi                     |   2 +
 arch/arm/boot/dts/rk3288.dtsi                      |   2 +
 arch/arm/boot/dts/rk3xxx.dtsi                      |   2 +
 arch/arm/boot/dts/stih407-family.dtsi              |  10 +-
 arch/arm/boot/dts/stih410.dtsi                     |  12 +-
 arch/arm/kvm/arm.c                                 |   2 -
 arch/arm/kvm/mmu.c                                 |   1 +
 arch/arm/mach-imx/pm-imx6.c                        |   4 +-
 .../mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c |   1 +
 arch/arm/mach-omap2/omap_hwmod_3xxx_data.c         |  12 ++
 arch/arm/mach-omap2/prcm43xx.h                     |   1 +
 arch/arm/mach-pxa/idp.c                            |   3 +-
 arch/arm/mach-pxa/xcep.c                           |   3 +-
 arch/arm/mach-realview/core.c                      |   3 +-
 arch/arm/mach-sa1100/pleb.c                        |   2 +-
 arch/arm64/include/asm/spinlock.h                  |  10 ++
 arch/avr32/include/asm/uaccess.h                   |  11 +-
 arch/avr32/kernel/avr32_ksyms.c                    |   2 +-
 arch/avr32/lib/copy_user.S                         |   4 +-
 arch/blackfin/include/asm/uaccess.h                |   9 +-
 arch/blackfin/mach-bf561/boards/cm_bf561.c         |   3 +-
 arch/blackfin/mach-bf561/boards/ezkit.c            |   3 +-
 arch/cris/include/asm/uaccess.h                    |  71 ++++-----
 arch/frv/include/asm/uaccess.h                     |  12 +-
 arch/hexagon/include/asm/uaccess.h                 |   3 +-
 arch/ia64/include/asm/uaccess.h                    |  20 ++-
 arch/m32r/include/asm/uaccess.h                    |   2 +-
 arch/metag/include/asm/uaccess.h                   |   3 +-
 arch/microblaze/include/asm/uaccess.h              |  11 +-
 arch/mips/include/asm/uaccess.h                    |   3 +
 arch/mips/kvm/tlb.c                                |   2 +-
 arch/mn10300/include/asm/uaccess.h                 |   1 +
 arch/mn10300/lib/usercopy.c                        |   4 +-
 arch/nios2/include/asm/uaccess.h                   |  13 +-
 arch/openrisc/include/asm/uaccess.h                |  35 ++---
 arch/parisc/include/asm/uaccess.h                  |   6 +-
 arch/powerpc/include/asm/uaccess.h                 |  21 +--
 arch/powerpc/kernel/entry_64.S                     |  12 +-
 arch/powerpc/lib/checksum_32.S                     |   8 +-
 arch/powerpc/mm/slb_low.S                          |   7 +-
 arch/powerpc/platforms/powernv/opal-dump.c         |   7 +-
 arch/powerpc/platforms/powernv/opal-elog.c         |   7 +-
 arch/powerpc/platforms/powernv/pci-ioda.c          |   3 +-
 arch/powerpc/sysdev/cpm1.c                         |   6 +-
 arch/powerpc/sysdev/cpm_common.c                   |   3 +-
 arch/s390/include/asm/uaccess.h                    |   8 +-
 arch/s390/kvm/kvm-s390.c                           |  10 +-
 arch/score/include/asm/uaccess.h                   |  46 +++---
 arch/sh/include/asm/cmpxchg-xchg.h                 |   2 +-
 arch/sh/include/asm/uaccess.h                      |   5 +-
 arch/sh/include/asm/uaccess_64.h                   |   1 +
 arch/sparc/include/asm/uaccess_32.h                |   4 +-
 arch/x86/boot/compressed/eboot.c                   | 134 ++++++++--------
 arch/x86/configs/tiny.config                       |   2 +
 arch/x86/events/amd/core.c                         |   4 +-
 arch/x86/events/intel/cqm.c                        |   9 ++
 arch/x86/events/intel/ds.c                         |  19 ++-
 arch/x86/events/intel/pt.c                         |  18 ++-
 arch/x86/include/asm/uaccess.h                     |   6 +-
 arch/x86/kernel/cpu/amd.c                          |  12 ++
 arch/x86/kernel/paravirt.c                         |   4 +-
 arch/x86/kvm/ioapic.c                              |   8 +-
 arch/x86/kvm/pmu_amd.c                             |   4 +-
 arch/x86/mm/pat.c                                  |  17 ++-
 crypto/cryptd.c                                    |   9 +-
 drivers/ata/libahci.c                              |   2 +-
 drivers/bus/arm-ccn.c                              |  27 +++-
 drivers/clocksource/sun4i_timer.c                  |   9 +-
 drivers/firmware/efi/libstub/efi-stub-helper.c     | 169 +++++++++++++++++----
 drivers/firmware/efi/libstub/fdt.c                 |  54 +++++--
 drivers/firmware/efi/libstub/random.c              |  12 +-
 drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c    |  10 +-
 drivers/gpu/drm/drm_ioc32.c                        |   4 +
 drivers/gpu/drm/i915/i915_debugfs.c                |   3 +-
 drivers/gpu/drm/i915/intel_opregion.c              |  27 ++++
 drivers/gpu/drm/msm/msm_drv.h                      |   6 +
 drivers/gpu/drm/msm/msm_gem.c                      |   9 ++
 drivers/gpu/drm/msm/msm_gem_submit.c               |   2 +
 drivers/iio/accel/bmc150-accel-core.c              |  11 ++
 drivers/iio/accel/kxsd9.c                          |   2 +
 drivers/iio/adc/Kconfig                            |   1 +
 drivers/iio/adc/ad799x.c                           |   1 +
 drivers/iio/adc/at91_adc.c                         |   4 +-
 drivers/iio/adc/rockchip_saradc.c                  |  30 ++++
 drivers/iio/adc/ti-ads1015.c                       |   3 +-
 drivers/iio/adc/ti_am335x_adc.c                    |  16 +-
 .../iio/common/hid-sensors/hid-sensor-attributes.c |   4 +-
 drivers/iio/humidity/am2315.c                      |   2 +-
 drivers/iio/humidity/hdc100x.c                     |  27 +---
 drivers/iio/industrialio-buffer.c                  |   4 +-
 drivers/iio/industrialio-core.c                    |   5 +-
 drivers/iio/proximity/as3935.c                     |   2 +-
 drivers/infiniband/core/uverbs.h                   |   1 +
 drivers/infiniband/core/uverbs_main.c              |  37 +++--
 drivers/infiniband/hw/hfi1/debugfs.c               |  14 +-
 drivers/infiniband/hw/hfi1/platform.c              |   6 +-
 drivers/infiniband/hw/hfi1/qp.c                    |   4 -
 drivers/infiniband/hw/qib/qib_debugfs.c            |  12 +-
 drivers/infiniband/hw/qib/qib_qp.c                 |   4 -
 drivers/iommu/dmar.c                               |   3 +-
 drivers/iommu/intel-iommu.c                        |   3 +-
 drivers/irqchip/irq-atmel-aic.c                    |   5 +-
 drivers/irqchip/irq-atmel-aic5.c                   |   5 +-
 drivers/md/dm-crypt.c                              |   9 +-
 drivers/md/dm-flakey.c                             |  27 ++--
 drivers/md/dm-log-writes.c                         |   6 +-
 drivers/md/md.c                                    |  12 +-
 drivers/memory/omap-gpmc.c                         |  21 +--
 drivers/misc/cxl/vphb.c                            |  10 +-
 drivers/mmc/host/sdhci-st.c                        |  15 +-
 drivers/net/bonding/bond_main.c                    |   7 +-
 drivers/net/dsa/bcm_sf2.h                          |   2 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |   4 +-
 drivers/net/ethernet/cadence/macb.h                |   2 +-
 drivers/net/ethernet/cavium/thunder/nic_reg.h      |   1 -
 .../net/ethernet/cavium/thunder/nicvf_ethtool.c    |   5 +-
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c      |  85 +++++++----
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c    |  22 ++-
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c    |   2 +-
 drivers/net/ethernet/mellanox/mlx5/core/main.c     |  59 ++++---
 drivers/net/ethernet/smsc/smc91x.c                 |   7 +
 drivers/net/ethernet/smsc/smc91x.h                 |  65 +++++---
 drivers/net/phy/phy.c                              |   6 +-
 drivers/net/tun.c                                  |   6 +-
 drivers/net/wireless/ath/ath9k/main.c              |  17 ++-
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         |   2 +-
 drivers/net/wireless/intel/iwlegacy/3945.c         |   3 +-
 drivers/pci/host-bridge.c                          |   1 +
 drivers/pinctrl/pinctrl-pistachio.c                |  12 +-
 drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c          |   4 +-
 drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c          |   4 +-
 drivers/rapidio/devices/tsi721.c                   |   2 +-
 drivers/tty/serial/8250/8250_mid.c                 |   3 +
 drivers/tty/serial/8250/8250_pci.c                 | 139 +++++++++++++++++
 drivers/usb/chipidea/udc.c                         |   9 ++
 drivers/usb/core/config.c                          |  28 ++--
 drivers/usb/gadget/udc/renesas_usb3.c              |   2 +
 drivers/usb/host/xhci-ring.c                       |   6 +-
 drivers/usb/renesas_usbhs/mod.c                    |  11 +-
 drivers/usb/serial/usb-serial-simple.c             |   3 +-
 fs/btrfs/tree-log.c                                |   1 +
 fs/devpts/inode.c                                  |   3 +-
 fs/ext4/ioctl.c                                    |   6 +
 fs/fuse/file.c                                     |   7 +-
 fs/kernfs/file.c                                   |  28 +++-
 fs/nfs/callback.c                                  |   1 +
 fs/nfs/callback_proc.c                             |   5 +-
 fs/nfs/flexfilelayout/flexfilelayout.c             |  37 +++--
 fs/nfs/flexfilelayout/flexfilelayoutdev.c          |  19 +--
 fs/nfs/nfs4proc.c                                  |  12 +-
 fs/nfs/nfs4session.c                               |  33 ++++
 fs/nfs/nfs4session.h                               |   1 +
 fs/nfs/pnfs.c                                      |   4 +
 fs/nfsd/nfs4state.c                                |  40 +++--
 fs/proc/base.c                                     |   7 +-
 include/asm-generic/uaccess.h                      |  20 ++-
 include/linux/efi.h                                |  28 +++-
 include/linux/iio/sw_trigger.h                     |   2 +-
 include/linux/irq.h                                |  10 ++
 include/linux/mempolicy.h                          |   4 +
 include/linux/mfd/ti_am335x_tscadc.h               |   8 +-
 include/linux/mm.h                                 |   1 +
 include/linux/netdevice.h                          |   1 +
 include/linux/smc91x.h                             |  10 ++
 include/linux/uio.h                                |   2 +-
 include/net/af_unix.h                              |   2 +-
 include/net/tcp.h                                  |   2 +
 kernel/audit_watch.c                               |   8 +-
 kernel/bpf/verifier.c                              |   3 +-
 kernel/configs/tiny.config                         |   8 +
 kernel/cpuset.c                                    |  15 ++
 kernel/exit.c                                      |   7 +-
 kernel/fork.c                                      |  23 +++
 kernel/irq/msi.c                                   |   1 +
 kernel/kexec_file.c                                |   3 +
 kernel/memremap.c                                  |   9 ++
 kernel/sched/core.c                                |  22 +++
 lib/iov_iter.c                                     |  24 +--
 mm/mempolicy.c                                     |  17 +++
 mm/page_alloc.c                                    |  50 +-----
 net/bridge/br_multicast.c                          |   2 +-
 net/core/dev.c                                     |  16 ++
 net/core/filter.c                                  |  70 +++------
 net/ipv4/fib_trie.c                                |   8 +-
 net/ipv4/ip_vti.c                                  |  31 ++++
 net/ipv4/tcp_fastopen.c                            |   1 +
 net/ipv4/tcp_ipv4.c                                |   8 +-
 net/ipv4/tcp_yeah.c                                |   2 +-
 net/ipv4/udp.c                                     |  12 +-
 net/ipv6/addrconf.c                                |   6 +-
 net/ipv6/ip6_tunnel.c                              |   2 +
 net/ipv6/ping.c                                    |   9 +-
 net/ipv6/tcp_ipv6.c                                |   8 +-
 net/irda/iriap.c                                   |   8 +-
 net/kcm/kcmsock.c                                  |   3 +-
 net/sched/act_ife.c                                |  18 ++-
 net/sctp/proc.c                                    |   1 +
 net/sctp/sctp_diag.c                               |   6 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |   5 +-
 net/tipc/socket.c                                  |   3 +-
 net/unix/af_unix.c                                 | 111 ++++++--------
 net/wireless/wext-core.c                           |  25 +--
 215 files changed, 1783 insertions(+), 971 deletions(-)


* [PATCH 4.7 001/184] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
@ 2016-09-22 17:38   ` Greg Kroah-Hartman
  2016-09-22 17:38   ` [PATCH 4.7 003/184] fscrypto: require write access to mount to set encryption policy Greg Kroah-Hartman
                     ` (176 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Daniel Lezcano, Maxime Ripard

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chen-Yu Tsai <wens@csie.org>

commit b53e7d000d9e6e9fd2c6eb6b82d2783c67fd599e upstream.

The bootloader (U-boot) sometimes uses this timer for various delays.
It uses it as an ongoing counter, and does comparisons on the current
counter value. The timer counter is never stopped.

In some cases when the user interacts with the bootloader, or lets
it idle for some time before loading Linux, the timer may expire,
and an interrupt will be pending. This results in an unexpected
interrupt when the timer interrupt is enabled by the kernel, at
which point the event_handler isn't set yet. This results in a NULL
pointer dereference exception, panic, and no way to reboot.

Clear any pending interrupts after we stop the timer in the probe
function to avoid this.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clocksource/sun4i_timer.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/clocksource/sun4i_timer.c
+++ b/drivers/clocksource/sun4i_timer.c
@@ -123,12 +123,16 @@ static struct clock_event_device sun4i_c
 	.set_next_event = sun4i_clkevt_next_event,
 };
 
+static void sun4i_timer_clear_interrupt(void)
+{
+	writel(TIMER_IRQ_EN(0), timer_base + TIMER_IRQ_ST_REG);
+}
 
 static irqreturn_t sun4i_timer_interrupt(int irq, void *dev_id)
 {
 	struct clock_event_device *evt = (struct clock_event_device *)dev_id;
 
-	writel(0x1, timer_base + TIMER_IRQ_ST_REG);
+	sun4i_timer_clear_interrupt();
 	evt->event_handler(evt);
 
 	return IRQ_HANDLED;
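Review bot: sun4i_timer_clear_interrupt() acknowledges the interrupt by writing TIMER_IRQ_EN(0) to TIMER_IRQ_ST_REG, so an interrupt-enable macro is being used as the value for the status register. The removed line wrote 0x1, so this is only equivalent while the enable bit and the pending bit for timer 0 sit at the same position. A dedicated status macro, or a one-line comment in the helper saying the two registers share a bit layout, would make that dependency explicit.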
@@ -193,6 +197,9 @@ static void __init sun4i_timer_init(stru
 	/* Make sure timer is stopped before playing with interrupts */
 	sun4i_clkevt_time_stop(0);
 
+	/* clear timer0 interrupt */
+	sun4i_timer_clear_interrupt();
+
 	sun4i_clockevent.cpumask = cpu_possible_mask;
 	sun4i_clockevent.irq = irq;
 


* [PATCH 4.7 003/184] fscrypto: require write access to mount to set encryption policy
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
  2016-09-22 17:38   ` [PATCH 4.7 001/184] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Greg Kroah-Hartman
@ 2016-09-22 17:38   ` Greg Kroah-Hartman
  2016-09-22 17:38   ` [PATCH 4.7 004/184] drm/msm: protect against faults from copy_from_user() in submit ioctl Greg Kroah-Hartman
                     ` (175 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Biggers, Theodore Tso, Jaegeuk Kim

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit ba63f23d69a3a10e7e527a02702023da68ef8a6d upstream.

Since setting an encryption policy requires writing metadata to the
filesystem, it should be guarded by mnt_want_write/mnt_drop_write.
Otherwise, a user could cause a write to a frozen or readonly
filesystem.  This was handled correctly by f2fs but not by ext4.  Make
fscrypt_process_policy() handle it rather than relying on the filesystem
to get it right.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/ioctl.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -782,7 +782,13 @@ resizefs_out:
 			goto encryption_policy_out;
 		}
 
+		err = mnt_want_write_file(filp);
+		if (err)
+			goto encryption_policy_out;
+
 		err = ext4_process_policy(&policy, inode);
+
+		mnt_drop_write_file(filp);
 encryption_policy_out:
 		return err;
 #else
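Review bot: the changelog says fscrypt_process_policy() should take the write reference itself, but this hunk places mnt_want_write_file()/mnt_drop_write_file() in the ext4 ioctl handler around ext4_process_policy(), so the 4.7 backport differs from the upstream description and the message should say so. The pairing itself looks right in the visible lines: the only jump to encryption_policy_out after the new code is the one taken when mnt_want_write_file() fails, before any reference is held. A short comment at the label noting that it must stay below mnt_drop_write_file() would protect that if more error paths are added later.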


* [PATCH 4.7 004/184] drm/msm: protect against faults from copy_from_user() in submit ioctl
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
  2016-09-22 17:38   ` [PATCH 4.7 001/184] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Greg Kroah-Hartman
  2016-09-22 17:38   ` [PATCH 4.7 003/184] fscrypto: require write access to mount to set encryption policy Greg Kroah-Hartman
@ 2016-09-22 17:38   ` Greg Kroah-Hartman
  2016-10-03  9:38     ` Vegard Nossum
  2016-09-22 17:38   ` [PATCH 4.7 005/184] bpf: fix method of PTR_TO_PACKET reg id generation Greg Kroah-Hartman
                     ` (174 subsequent siblings)
  177 siblings, 1 reply; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rob Clark

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rob Clark <robdclark@gmail.com>

commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream.

An evil userspace could try to cause deadlock by passing an unfaulted-in
GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
msm_gem_fault() while we already hold struct_mutex.  See:

https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c

Signed-off-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/gpu/drm/msm/msm_drv.h        |    6 ++++++
 drivers/gpu/drm/msm/msm_gem.c        |    9 +++++++++
 drivers/gpu/drm/msm/msm_gem_submit.c |    2 ++
 3 files changed, 17 insertions(+)

--- a/drivers/gpu/drm/msm/msm_drv.h
+++ b/drivers/gpu/drm/msm/msm_drv.h
@@ -148,6 +148,12 @@ struct msm_drm_private {
 	} vram;
 
 	struct msm_vblank_ctrl vblank_ctrl;
+
+	/* task holding struct_mutex.. currently only used in submit path
+	 * to detect and reject faults from copy_from_user() for submit
+	 * ioctl.
+	 */
+	struct task_struct *struct_mutex_task;
 };
 
 struct msm_format {
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -196,11 +196,20 @@ int msm_gem_fault(struct vm_area_struct
 {
 	struct drm_gem_object *obj = vma->vm_private_data;
 	struct drm_device *dev = obj->dev;
+	struct msm_drm_private *priv = dev->dev_private;
 	struct page **pages;
 	unsigned long pfn;
 	pgoff_t pgoff;
 	int ret;
 
+	/* This should only happen if userspace tries to pass a mmap'd
+	 * but unfaulted gem bo vaddr into submit ioctl, triggering
+	 * a page fault while struct_mutex is already held.  This is
+	 * not a valid use-case so just bail.
+	 */
+	if (priv->struct_mutex_task == current)
+		return VM_FAULT_SIGBUS;
+
 	/* Make sure we don't parallel update on a fault, nor move or remove
 	 * something from beneath our feet
 	 */
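Review bot: the new test in msm_gem_fault() reads priv->struct_mutex_task without holding struct_mutex, and the comment does not say why that is acceptable. It is safe only because the comparison is against current, which can match solely when this same task stored the value in the submit path; please state that in the comment so nobody later "fixes" it by taking the lock, which is exactly the deadlock being avoided. The comment could also say what the submit ioctl ends up returning to userspace once the fault is refused with VM_FAULT_SIGBUS.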
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -394,6 +394,7 @@ int msm_ioctl_gem_submit(struct drm_devi
 		return -ENOMEM;
 
 	mutex_lock(&dev->struct_mutex);
+	priv->struct_mutex_task = current;
 
 	ret = submit_lookup_objects(submit, args, file);
 	if (ret)
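Review bot: priv is assigned through in msm_ioctl_gem_submit() right after mutex_lock(), but its declaration is not part of this hunk, so please confirm it is already in scope in the 4.7 tree. Setting the owner immediately after taking the lock is the right place; the scheme depends on every exit after this point leaving through the out: label where the field is cleared, which is worth a comment next to the assignment.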
@@ -479,6 +480,7 @@ out:
 	submit_cleanup(submit);
 	if (ret)
 		msm_gem_submit_free(submit);
+	priv->struct_mutex_task = NULL;
 	mutex_unlock(&dev->struct_mutex);
 	return ret;
 }


* [PATCH 4.7 005/184] bpf: fix method of PTR_TO_PACKET reg id generation
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (2 preceding siblings ...)
  2016-09-22 17:38   ` [PATCH 4.7 004/184] drm/msm: protect against faults from copy_from_user() in submit ioctl Greg Kroah-Hartman
@ 2016-09-22 17:38   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 006/184] ipv4: panic in leaf_walk_rcu due to stale node pointer Greg Kroah-Hartman
                     ` (173 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, Alexei Starovoitov,
	Daniel Borkmann, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <jakub.kicinski@netronome.com>


[ Upstream commit 1f415a74b0ca64b5bfacbb12d71ed2ec050a8cfb ]

Using per-register incrementing ID can lead to
find_good_pkt_pointers() confusing registers which
have completely different values.  Consider example:

0: (bf) r6 = r1
1: (61) r8 = *(u32 *)(r6 +76)
2: (61) r0 = *(u32 *)(r6 +80)
3: (bf) r7 = r8
4: (07) r8 += 32
5: (2d) if r8 > r0 goto pc+9
 R0=pkt_end R1=ctx R6=ctx R7=pkt(id=0,off=0,r=32) R8=pkt(id=0,off=32,r=32) R10=fp
6: (bf) r8 = r7
7: (bf) r9 = r7
8: (71) r1 = *(u8 *)(r7 +0)
9: (0f) r8 += r1
10: (71) r1 = *(u8 *)(r7 +1)
11: (0f) r9 += r1
12: (07) r8 += 32
13: (2d) if r8 > r0 goto pc+1
 R0=pkt_end R1=inv56 R6=ctx R7=pkt(id=0,off=0,r=32) R8=pkt(id=1,off=32,r=32) R9=pkt(id=1,off=0,r=32) R10=fp
14: (71) r1 = *(u8 *)(r9 +16)
15: (b7) r7 = 0
16: (bf) r0 = r7
17: (95) exit

We need to get a UNKNOWN_VALUE with imm to force id
generation so lines 0-5 make r7 a valid packet pointer.
We then read two different bytes from the packet and
add them to copies of the constructed packet pointer.
r8 (line 9) and r9 (line 11) will get the same id of 1,
independently.  When either of them is validated (line
13) - find_good_pkt_pointers() will also mark the other
as safe.  This leads to access on line 14 being mistakenly
considered safe.

Fixes: 969bf05eb3ce ("bpf: direct packet access")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -194,6 +194,7 @@ struct verifier_env {
 	struct verifier_state_list **explored_states; /* search pruning optimization */
 	struct bpf_map *used_maps[MAX_USED_MAPS]; /* array of map's used by eBPF program */
 	u32 used_map_cnt;		/* number of used maps */
+	u32 id_gen;			/* used to generate unique reg IDs */
 	bool allow_ptr_leaks;
 };
 
@@ -1277,7 +1278,7 @@ add_imm:
 		/* dst_reg stays as pkt_ptr type and since some positive
 		 * integer value was added to the pointer, increment its 'id'
 		 */
-		dst_reg->id++;
+		dst_reg->id = ++env->id_gen;
 
 		/* something was added to pkt_ptr, set range and off to zero */
 		dst_reg->off = 0;
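Review bot: the assignment dst_reg->id = ++env->id_gen in the add_imm path relies on 0 never being handed out, because id=0 is what packet pointers carry before any variable offset has been added (see the register dumps in the changelog). Pre-increment gives 1 first, which is correct, but id_gen is a u32 with no wrap handling; a comment on the field or here saying that 0 is reserved and why wrap is not a concern would help. The existing comment just above still says "increment its 'id'", which no longer describes what the line does and should be updated.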

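The id collision described in the changelog above, replayed in a toy model; this is an added example in C, not kernel code and not part of the patch. Only find_good_pkt_pointers() and id_gen are names from the patch; struct reg, struct env, pkt_add_unknown(), access_ok() and line14_accepted() are hypothetical and model just the id, off and range fields shown in the register dumps.

```c
/* Toy model of PTR_TO_PACKET id tracking. Constructed for illustration only;
 * the types and helpers here are assumptions, not the verifier's own code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NREGS 11

struct reg {
	bool     is_pkt;  /* register holds a packet pointer */
	uint32_t id;      /* which unknown variable offset the pointer carries */
	uint32_t off;     /* constant offset added since the id last changed */
	uint32_t range;   /* bytes proven to lie before pkt_end for this id */
};

struct env {
	struct reg regs[NREGS];
	uint32_t   id_gen;      /* global counter, as added by the fix */
	bool       global_ids;  /* false models the old per-register id++ */
};

/* rX += <unknown value>: the pointer has a new base that is not yet verified. */
static void pkt_add_unknown(struct env *e, int dst)
{
	struct reg *r = &e->regs[dst];

	if (e->global_ids)
		r->id = ++e->id_gen;  /* fixed: unique across all registers */
	else
		r->id++;              /* old: two registers can reach the same id */
	r->off = 0;
	r->range = 0;
}

/* Fall-through of "if rX > pkt_end goto ...": rX.off bytes are now proven
 * for every packet pointer that shares rX's id. */
static void find_good_pkt_pointers(struct env *e, int checked)
{
	uint32_t id = e->regs[checked].id;
	uint32_t off = e->regs[checked].off;

	for (int i = 0; i < NREGS; i++)
		if (e->regs[i].is_pkt && e->regs[i].id == id)
			e->regs[i].range = off;
}

/* A load of 'size' bytes at reg+off is allowed only inside the proven range. */
static bool access_ok(const struct env *e, int r, uint32_t off, uint32_t size)
{
	const struct reg *p = &e->regs[r];

	return p->is_pkt && p->off + off + size <= p->range;
}

/* Replays insns 1-14 of the changelog program. Returns whether the one-byte
 * load at r9+16 (insn 14) is accepted, and reports the ids of r8 and r9. */
static bool line14_accepted(bool global_ids, uint32_t *id8, uint32_t *id9)
{
	struct env e = { .global_ids = global_ids };

	e.regs[8].is_pkt = true;        /*  1: r8 = packet start, id 0 */
	e.regs[7] = e.regs[8];          /*  3: r7 = r8 */
	e.regs[8].off += 32;            /*  4: r8 += 32 */
	find_good_pkt_pointers(&e, 8);  /*  5: bounds check, id 0 gets r=32 */
	e.regs[8] = e.regs[7];          /*  6: r8 = r7 */
	e.regs[9] = e.regs[7];          /*  7: r9 = r7 */
	pkt_add_unknown(&e, 8);         /*  9: r8 += packet byte 0 */
	pkt_add_unknown(&e, 9);         /* 11: r9 += packet byte 1 */
	e.regs[8].off += 32;            /* 12: r8 += 32 */
	find_good_pkt_pointers(&e, 8);  /* 13: bounds check on r8 only */
	*id8 = e.regs[8].id;
	*id9 = e.regs[9].id;
	return access_ok(&e, 9, 16, 1); /* 14: r1 = *(u8 *)(r9 + 16) */
}

int main(void)
{
	uint32_t id8, id9;
	bool ok;

	ok = line14_accepted(false, &id8, &id9);
	printf("per-register id++: r8 id=%u r9 id=%u, insn 14 %s\n",
	       (unsigned)id8, (unsigned)id9, ok ? "accepted" : "rejected");
	ok = line14_accepted(true, &id8, &id9);
	printf("global id_gen:     r8 id=%u r9 id=%u, insn 14 %s\n",
	       (unsigned)id8, (unsigned)id9, ok ? "accepted" : "rejected");
	return 0;
}
```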

* [PATCH 4.7 006/184] ipv4: panic in leaf_walk_rcu due to stale node pointer
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (3 preceding siblings ...)
  2016-09-22 17:38   ` [PATCH 4.7 005/184] bpf: fix method of PTR_TO_PACKET reg id generation Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 007/184] vti: flush x-netns xfrm cache when vti interface is removed Greg Kroah-Hartman
                     ` (172 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Forster, Alexander Duyck,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Forster <dforster@brocade.com>


[ Upstream commit 94d9f1c5906b20053efe375b6d66610bca4b8b64 ]

Panic occurs when issuing "cat /proc/net/route" whilst
populating FIB with > 1M routes.

Use of cached node pointer in fib_route_get_idx is unsafe.

 BUG: unable to handle kernel paging request at ffffc90001630024
 IP: [<ffffffff814cf6a0>] leaf_walk_rcu+0x10/0xe0
 PGD 11b08d067 PUD 11b08e067 PMD dac4b067 PTE 0
 Oops: 0000 [#1] SMP
 Modules linked in: nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace fscac
 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep virti
 acpi_cpufreq button parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd
tio_ring virtio floppy uhci_hcd ehci_hcd usbcore usb_common libata scsi_mod
 CPU: 1 PID: 785 Comm: cat Not tainted 4.2.0-rc8+ #4
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
 task: ffff8800da1c0bc0 ti: ffff88011a05c000 task.ti: ffff88011a05c000
 RIP: 0010:[<ffffffff814cf6a0>]  [<ffffffff814cf6a0>] leaf_walk_rcu+0x10/0xe0
 Call Trace:
  [<ffffffff814d00d3>] ? fib_route_seq_start+0x93/0xc0
  [<ffffffff811dd8b9>] ? seq_read+0x149/0x380
  [<ffffffff811f8714>] ? fsnotify+0x3b4/0x500
  [<ffffffff8138dce0>] ? process_echoes+0x70/0x70
  [<ffffffff8121cfa7>] ? proc_reg_read+0x47/0x70
  [<ffffffff811bb823>] ? __vfs_read+0x23/0xd0
  [<ffffffff811bbd42>] ? rw_verify_area+0x52/0xf0
  [<ffffffff811bbe61>] ? vfs_read+0x81/0x120
  [<ffffffff811bcbc2>] ? SyS_read+0x42/0xa0
  [<ffffffff81549ab2>] ? entry_SYSCALL_64_fastpath+0x16/0x75
 Code: 48 85 c0 75 d8 f3 c3 31 c0 c3 f3 c3 66 66 66 66 66 66 2e 0f 1f 84 00 00
a 04 89 f0 33 02 44 89 c9 48 d3 e8 0f b6 4a 05 49 89
 RIP  [<ffffffff814cf6a0>] leaf_walk_rcu+0x10/0xe0
  RSP <ffff88011a05fda0>
 CR2: ffffc90001630024

Signed-off-by: Dave Forster <dforster@brocade.com>
Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/fib_trie.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -2452,9 +2452,7 @@ struct fib_route_iter {
 static struct key_vector *fib_route_get_idx(struct fib_route_iter *iter,
 					    loff_t pos)
 {
-	struct fib_table *tb = iter->main_tb;
 	struct key_vector *l, **tp = &iter->tnode;
-	struct trie *t;
 	t_key key;
 
 	/* use cache location of next-to-find key */
@@ -2462,8 +2460,6 @@ static struct key_vector *fib_route_get_
 		pos -= iter->pos;
 		key = iter->key;
 	} else {
-		t = (struct trie *)tb->tb_data;
-		iter->tnode = t->kv;
 		iter->pos = 0;
 		key = 0;
 	}
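Review bot: with the else branch no longer setting iter->tnode, fib_route_get_idx() now depends on its caller having pointed iter->tnode at the trie root before every call, and nothing in the function says so. Please add a comment recording that precondition, and update "use cache location of next-to-find key" to make clear that only iter->pos and iter->key are carried between reads. The changelog states that the cached node pointer is unsafe without saying what invalidates it; one sentence on that would help anyone auditing the other seq_file iterators.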
@@ -2504,12 +2500,12 @@ static void *fib_route_seq_start(struct
 		return NULL;
 
 	iter->main_tb = tb;
+	t = (struct trie *)tb->tb_data;
+	iter->tnode = t->kv;
 
 	if (*pos != 0)
 		return fib_route_get_idx(iter, *pos);
 
-	t = (struct trie *)tb->tb_data;
-	iter->tnode = t->kv;
 	iter->pos = 0;
 	iter->key = 0;
 


* [PATCH 4.7 007/184] vti: flush x-netns xfrm cache when vti interface is removed
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (4 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 006/184] ipv4: panic in leaf_walk_rcu due to stale node pointer Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 008/184] bpf: fix write helpers with regards to non-linear parts Greg Kroah-Hartman
                     ` (171 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hangbin Liu, Jan Tluka,
	Lance Richardson, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lance Richardson <lrichard@redhat.com>


[ Upstream commit a5d0dc810abf3d6b241777467ee1d6efb02575fc ]

When executing the script included below, the netns delete operation
hangs with the following message (repeated at 10 second intervals):

  kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1

This occurs because a reference to the lo interface in the "secure" netns
is still held by a dst entry in the xfrm bundle cache in the init netns.

Address this problem by garbage collecting the tunnel netns flow cache
when a cross-namespace vti interface receives a NETDEV_DOWN notification.

A more detailed description of the problem scenario (referencing commands
in the script below):

(1) ip link add vti_test type vti local 1.1.1.1 remote 1.1.1.2 key 1

  The vti_test interface is created in the init namespace. vti_tunnel_init()
  attaches a struct ip_tunnel to the vti interface's netdev_priv(dev),
  setting the tunnel net to &init_net.

(2) ip link set vti_test netns secure

  The vti_test interface is moved to the "secure" netns. Note that
  the associated struct ip_tunnel still has tunnel->net set to &init_net.

(3) ip netns exec secure ping -c 4 -i 0.02 -I 192.168.100.1 192.168.200.1

  The first packet sent using the vti device causes xfrm_lookup() to be
  called as follows:

      dst = xfrm_lookup(tunnel->net, skb_dst(skb), fl, NULL, 0);

  Note that tunnel->net is the init namespace, while skb_dst(skb) references
  the vti_test interface in the "secure" namespace. The returned dst
  references an interface in the init namespace.

  Also note that the first parameter to xfrm_lookup() determines which flow
  cache is used to store the computed xfrm bundle, so after xfrm_lookup()
  returns there will be a cached bundle in the init namespace flow cache
  with a dst referencing a device in the "secure" namespace.

(4) ip netns del secure

  Kernel begins to delete the "secure" namespace.  At some point the
  vti_test interface is deleted, at which point dst_ifdown() changes
  the dst->dev in the cached xfrm bundle flow from vti_test to lo (still
  in the "secure" namespace however).
  Since nothing has happened to cause the init namespace's flow cache
  to be garbage collected, this dst remains attached to the flow cache,
  so the kernel loops waiting for the last reference to lo to go away.

<Begin script>
ip link add br1 type bridge
ip link set dev br1 up
ip addr add dev br1 1.1.1.1/8

ip netns add secure
ip link add vti_test type vti local 1.1.1.1 remote 1.1.1.2 key 1
ip link set vti_test netns secure
ip netns exec secure ip link set vti_test up
ip netns exec secure ip link s lo up
ip netns exec secure ip addr add dev lo 192.168.100.1/24
ip netns exec secure ip route add 192.168.200.0/24 dev vti_test
ip xfrm policy flush
ip xfrm state flush
ip xfrm policy add dir out tmpl src 1.1.1.1 dst 1.1.1.2 \
   proto esp mode tunnel mark 1
ip xfrm policy add dir in tmpl src 1.1.1.2 dst 1.1.1.1 \
   proto esp mode tunnel mark 1
ip xfrm state add src 1.1.1.1 dst 1.1.1.2 proto esp spi 1 \
   mode tunnel enc des3_ede 0x112233445566778811223344556677881122334455667788
ip xfrm state add src 1.1.1.2 dst 1.1.1.1 proto esp spi 1 \
   mode tunnel enc des3_ede 0x112233445566778811223344556677881122334455667788

ip netns exec secure ping -c 4 -i 0.02 -I 192.168.100.1 192.168.200.1

ip netns del secure
<End script>

Reported-by: Hangbin Liu <haliu@redhat.com>
Reported-by: Jan Tluka <jtluka@redhat.com>
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_vti.c |   31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -557,6 +557,33 @@ static struct rtnl_link_ops vti_link_ops
 	.get_link_net	= ip_tunnel_get_link_net,
 };
 
+static bool is_vti_tunnel(const struct net_device *dev)
+{
+	return dev->netdev_ops == &vti_netdev_ops;
+}
+
+static int vti_device_event(struct notifier_block *unused,
+			    unsigned long event, void *ptr)
+{
+	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+	struct ip_tunnel *tunnel = netdev_priv(dev);
+
+	if (!is_vti_tunnel(dev))
+		return NOTIFY_DONE;
+
+	switch (event) {
+	case NETDEV_DOWN:
+		if (!net_eq(tunnel->net, dev_net(dev)))
+			xfrm_garbage_collect(tunnel->net);
+		break;
+	}
+	return NOTIFY_DONE;
+}
+
+static struct notifier_block vti_notifier_block __read_mostly = {
+	.notifier_call = vti_device_event,
+};
+
 static int __init vti_init(void)
 {
 	const char *msg;
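Review bot: vti_device_event() evaluates netdev_priv(dev) into tunnel before is_vti_tunnel(dev) has confirmed the device is a vti interface. The pointer is not dereferenced until after the check, so this is not a bug, but the notifier runs for every netdevice and the assignment reads as if the private area were already known to be a struct ip_tunnel; moving it below the check removes the doubt. The switch with a single NETDEV_DOWN case would also read more simply as an if.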
@@ -564,6 +591,8 @@ static int __init vti_init(void)
 
 	pr_info("IPv4 over IPsec tunneling driver\n");
 
+	register_netdevice_notifier(&vti_notifier_block);
+
 	msg = "tunnel device";
 	err = register_pernet_device(&vti_net_ops);
 	if (err < 0)
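Review bot: the return value of register_netdevice_notifier() in vti_init() is ignored, while the register_pernet_device() call right below it is checked and unwound on failure. If the notifier fails to register, the module loads without the flush this patch exists to provide, and the later unregister calls run against a block that was never registered. Please check the result and fail the init with a matching msg string.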
@@ -596,6 +625,7 @@ xfrm_proto_ah_failed:
 xfrm_proto_esp_failed:
 	unregister_pernet_device(&vti_net_ops);
 pernet_dev_failed:
+	unregister_netdevice_notifier(&vti_notifier_block);
 	pr_err("vti init: failed to register %s\n", msg);
 	return err;
 }
@@ -607,6 +637,7 @@ static void __exit vti_fini(void)
 	xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
 	xfrm4_protocol_deregister(&vti_esp4_protocol, IPPROTO_ESP);
 	unregister_pernet_device(&vti_net_ops);
+	unregister_netdevice_notifier(&vti_notifier_block);
 }
 
 module_init(vti_init);


* [PATCH 4.7 008/184] bpf: fix write helpers with regards to non-linear parts
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (5 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 007/184] vti: flush x-netns xfrm cache when vti interface is removed Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 009/184] net/irda: handle iriap_register_lsap() allocation failure Greg Kroah-Hartman
                     ` (170 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Borkmann, Alexei Starovoitov,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>


[ Upstream commit 0ed661d5a48fa6df0b50ae64d27fe759a3ce42cf ]

Fix the bpf_try_make_writable() helper and all call sites we have in BPF,
it's currently defective with regard to skbs when the write_len spans into
non-linear parts, no matter if cloned or not.

There are multiple issues at once. First, using skb_store_bits() is not
correct since even if we have a cloned skb, page frags can still be shared.
To really make them private, we need to pull them in via __pskb_pull_tail()
first, which also gets us a private head via pskb_expand_head() implicitly.

This is for helpers like bpf_skb_store_bytes(), bpf_l3_csum_replace(),
bpf_l4_csum_replace(). Really, the only thing reasonable and working here
is to call skb_ensure_writable() before any write operation. Meaning, via
pskb_may_pull() it makes sure that parts we want to access are pulled in and
if not does so plus unclones the skb implicitly. If our write_len still fits
the headlen and we're cloned and our header of the clone is not writable,
then we need to make a private copy via pskb_expand_head(). skb_store_bits()
is a bit misleading and only safe to store into non-linear data in different
contexts such as 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can
corrupt kernel memory").

For above BPF helper functions, it means after fixed bpf_try_make_writable(),
we've pulled in enough, so that we operate always based on skb->data. Thus,
the call to skb_header_pointer() and skb_store_bits() becomes superfluous.
In bpf_skb_store_bytes(), the len check is unnecessary too since it can
only pass in maximum of BPF stack size, so adding offset is guaranteed to
never overflow. Also bpf_l3/4_csum_replace() helpers must test for proper
offset alignment since they use __sum16 pointer for writing resulting csum.

The remaining helpers that change skb data not discussed here yet are
bpf_skb_vlan_push(), bpf_skb_vlan_pop() and bpf_skb_change_proto(). The
vlan helpers internally call either skb_ensure_writable() (pop case) and
skb_cow_head() (push case, for head expansion), respectively. Similarly,
bpf_skb_proto_xlat() takes care to not mangle page frags.

Fixes: 608cd71a9c7c ("tc: bpf: generalize pedit action")
Fixes: 91bc4822c3d6 ("tc: bpf: add checksum helpers")
Fixes: 3697649ff29e ("bpf: try harder on clones when writing into skb")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/filter.c |   70 +++++++++++++-----------------------------------------
 1 file changed, 18 insertions(+), 52 deletions(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1353,54 +1353,33 @@ static inline int bpf_try_make_writable(
 {
 	int err;
 
-	if (!skb_cloned(skb))
-		return 0;
-	if (skb_clone_writable(skb, write_len))
-		return 0;
-	err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
-	if (!err)
-		bpf_compute_data_end(skb);
+	err = skb_ensure_writable(skb, write_len);
+	bpf_compute_data_end(skb);
+
 	return err;
 }
 
 static u64 bpf_skb_store_bytes(u64 r1, u64 r2, u64 r3, u64 r4, u64 flags)
 {
-	struct bpf_scratchpad *sp = this_cpu_ptr(&bpf_sp);
 	struct sk_buff *skb = (struct sk_buff *) (long) r1;
-	int offset = (int) r2;
+	unsigned int offset = (unsigned int) r2;
 	void *from = (void *) (long) r3;
 	unsigned int len = (unsigned int) r4;
 	void *ptr;
 
 	if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
 		return -EINVAL;
-
-	/* bpf verifier guarantees that:
-	 * 'from' pointer points to bpf program stack
-	 * 'len' bytes of it were initialized
-	 * 'len' > 0
-	 * 'skb' is a valid pointer to 'struct sk_buff'
-	 *
-	 * so check for invalid 'offset' and too large 'len'
-	 */
-	if (unlikely((u32) offset > 0xffff || len > sizeof(sp->buff)))
+	if (unlikely(offset > 0xffff))
 		return -EFAULT;
 	if (unlikely(bpf_try_make_writable(skb, offset + len)))
 		return -EFAULT;
 
-	ptr = skb_header_pointer(skb, offset, len, sp->buff);
-	if (unlikely(!ptr))
-		return -EFAULT;
-
+	ptr = skb->data + offset;
 	if (flags & BPF_F_RECOMPUTE_CSUM)
 		skb_postpull_rcsum(skb, ptr, len);
 
 	memcpy(ptr, from, len);
 
-	if (ptr == sp->buff)
-		/* skb_store_bits cannot return -EFAULT here */
-		skb_store_bits(skb, offset, ptr, len);
-
 	if (flags & BPF_F_RECOMPUTE_CSUM)
 		skb_postpush_rcsum(skb, ptr, len);
 	if (flags & BPF_F_INVALIDATE_HASH)
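Review bot: in bpf_skb_store_bytes() the deleted comment block was the only place in the function that recorded what the verifier guarantees about from and len, and the deleted len > sizeof(sp->buff) test was the only explicit bound on len before offset + len is computed. The changelog argues that len cannot exceed the BPF stack size; please keep a short comment to that effect at the offset > 0xffff check, since the safety of the addition and of the memcpy() into skb->data now rests on it. Separately, bpf_try_make_writable() now calls bpf_compute_data_end() even when skb_ensure_writable() returns an error; if that is intentional, a comment saying why would help.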
@@ -1423,12 +1402,12 @@ static const struct bpf_func_proto bpf_s
 static u64 bpf_skb_load_bytes(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
 {
 	const struct sk_buff *skb = (const struct sk_buff *)(unsigned long) r1;
-	int offset = (int) r2;
+	unsigned int offset = (unsigned int) r2;
 	void *to = (void *)(unsigned long) r3;
 	unsigned int len = (unsigned int) r4;
 	void *ptr;
 
-	if (unlikely((u32) offset > 0xffff))
+	if (unlikely(offset > 0xffff))
 		goto err_clear;
 
 	ptr = skb_header_pointer(skb, offset, len, to);
@@ -1456,20 +1435,17 @@ static const struct bpf_func_proto bpf_s
 static u64 bpf_l3_csum_replace(u64 r1, u64 r2, u64 from, u64 to, u64 flags)
 {
 	struct sk_buff *skb = (struct sk_buff *) (long) r1;
-	int offset = (int) r2;
-	__sum16 sum, *ptr;
+	unsigned int offset = (unsigned int) r2;
+	__sum16 *ptr;
 
 	if (unlikely(flags & ~(BPF_F_HDR_FIELD_MASK)))
 		return -EINVAL;
-	if (unlikely((u32) offset > 0xffff))
+	if (unlikely(offset > 0xffff || offset & 1))
 		return -EFAULT;
-	if (unlikely(bpf_try_make_writable(skb, offset + sizeof(sum))))
-		return -EFAULT;
-
-	ptr = skb_header_pointer(skb, offset, sizeof(sum), &sum);
-	if (unlikely(!ptr))
+	if (unlikely(bpf_try_make_writable(skb, offset + sizeof(*ptr))))
 		return -EFAULT;
 
+	ptr = (__sum16 *)(skb->data + offset);
 	switch (flags & BPF_F_HDR_FIELD_MASK) {
 	case 0:
 		if (unlikely(from != 0))
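Review bot: the added offset & 1 test in bpf_l3_csum_replace() makes odd offsets fail with -EFAULT, where the old code accepted them by going through skb_header_pointer() and a local copy. That is a behaviour change visible to existing programs and should be mentioned in the helper's documentation, not only in the changelog. Writing it as (offset & 1) would also make the mixed || and & in the condition easier to read; the same applies to the identical test added to bpf_l4_csum_replace().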
@@ -1487,10 +1463,6 @@ static u64 bpf_l3_csum_replace(u64 r1, u
 		return -EINVAL;
 	}
 
-	if (ptr == &sum)
-		/* skb_store_bits guaranteed to not return -EFAULT here */
-		skb_store_bits(skb, offset, ptr, sizeof(sum));
-
 	return 0;
 }
 
@@ -1510,20 +1482,18 @@ static u64 bpf_l4_csum_replace(u64 r1, u
 	struct sk_buff *skb = (struct sk_buff *) (long) r1;
 	bool is_pseudo = flags & BPF_F_PSEUDO_HDR;
 	bool is_mmzero = flags & BPF_F_MARK_MANGLED_0;
-	int offset = (int) r2;
-	__sum16 sum, *ptr;
+	unsigned int offset = (unsigned int) r2;
+	__sum16 *ptr;
 
 	if (unlikely(flags & ~(BPF_F_MARK_MANGLED_0 | BPF_F_PSEUDO_HDR |
 			       BPF_F_HDR_FIELD_MASK)))
 		return -EINVAL;
-	if (unlikely((u32) offset > 0xffff))
+	if (unlikely(offset > 0xffff || offset & 1))
 		return -EFAULT;
-	if (unlikely(bpf_try_make_writable(skb, offset + sizeof(sum))))
+	if (unlikely(bpf_try_make_writable(skb, offset + sizeof(*ptr))))
 		return -EFAULT;
 
-	ptr = skb_header_pointer(skb, offset, sizeof(sum), &sum);
-	if (unlikely(!ptr))
-		return -EFAULT;
+	ptr = (__sum16 *)(skb->data + offset);
 	if (is_mmzero && !*ptr)
 		return 0;
 
@@ -1546,10 +1516,6 @@ static u64 bpf_l4_csum_replace(u64 r1, u
 
 	if (is_mmzero && !*ptr)
 		*ptr = CSUM_MANGLED_0;
-	if (ptr == &sum)
-		/* skb_store_bits guaranteed to not return -EFAULT here */
-		skb_store_bits(skb, offset, ptr, sizeof(sum));
-
 	return 0;
 }
 


* [PATCH 4.7 009/184] net/irda: handle iriap_register_lsap() allocation failure
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (6 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 008/184] bpf: fix write helpers with regards to non-linear parts Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 010/184] net/sctp: always initialise sctp_ht_iter::start_fail Greg Kroah-Hartman
                     ` (169 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vegard Nossum, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>


[ Upstream commit 5ba092efc7ddff040777ae7162f1d195f513571b ]

If iriap_register_lsap() fails to allocate memory, self->lsap is
set to NULL. However, none of the callers handle the failure and
irlmp_connect_request() will happily dereference it:

    iriap_register_lsap: Unable to allocated LSAP!
    ================================================================================
    UBSAN: Undefined behaviour in net/irda/irlmp.c:378:2
    member access within null pointer of type 'struct lsap_cb'
    CPU: 1 PID: 15403 Comm: trinity-c0 Not tainted 4.8.0-rc1+ #81
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org
    04/01/2014
     0000000000000000 ffff88010c7e78a8 ffffffff82344f40 0000000041b58ab3
     ffffffff84f98000 ffffffff82344e94 ffff88010c7e78d0 ffff88010c7e7880
     ffff88010630ad00 ffffffff84a5fae0 ffffffff84d3f5c0 000000000000017a
    Call Trace:
     [<ffffffff82344f40>] dump_stack+0xac/0xfc
     [<ffffffff8242f5a8>] ubsan_epilogue+0xd/0x8a
     [<ffffffff824302bf>] __ubsan_handle_type_mismatch+0x157/0x411
     [<ffffffff83b7bdbc>] irlmp_connect_request+0x7ac/0x970
     [<ffffffff83b77cc0>] iriap_connect_request+0xa0/0x160
     [<ffffffff83b77f48>] state_s_disconnect+0x88/0xd0
     [<ffffffff83b78904>] iriap_do_client_event+0x94/0x120
     [<ffffffff83b77710>] iriap_getvaluebyclass_request+0x3e0/0x6d0
     [<ffffffff83ba6ebb>] irda_find_lsap_sel+0x1eb/0x630
     [<ffffffff83ba90c8>] irda_connect+0x828/0x12d0
     [<ffffffff833c0dfb>] SYSC_connect+0x22b/0x340
     [<ffffffff833c7e09>] SyS_connect+0x9/0x10
     [<ffffffff81007bd3>] do_syscall_64+0x1b3/0x4b0
     [<ffffffff845f946a>] entry_SYSCALL64_slow_path+0x25/0x25
    ================================================================================

The bug seems to have been around since forever.

There's more problems with missing error checks in iriap_init() (and
indeed all of irda_init()), but that's a bigger problem that needs
very careful review and testing. This patch will fix the most serious
bug (as it's easily reached from unprivileged userspace).

I have tested my patch with a reproducer.

Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/irda/iriap.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -185,8 +185,12 @@ struct iriap_cb *iriap_open(__u8 slsap_s
 
 	self->magic = IAS_MAGIC;
 	self->mode = mode;
-	if (mode == IAS_CLIENT)
-		iriap_register_lsap(self, slsap_sel, mode);
+	if (mode == IAS_CLIENT) {
+		if (iriap_register_lsap(self, slsap_sel, mode)) {
+			kfree(self);
+			return NULL;
+		}
+	}
 
 	self->confirm = callback;
 	self->priv = priv;
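
Review bot: the new error path at `if (iriap_register_lsap(self, slsap_sel, mode))` only works if iriap_register_lsap() returns non-zero on allocation failure, and that function is not part of this hunk, so its return convention should be confirmed in the changelog. iriap_open() now also returns NULL for a reason other than its own allocation failing, so every caller has to treat NULL as failure. Since the changelog says the other irda init paths still lack error checks, please state which iriap_open() callers were audited.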


* [PATCH 4.7 010/184] net/sctp: always initialise sctp_ht_iter::start_fail
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (7 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 009/184] net/irda: handle iriap_register_lsap() allocation failure Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 011/184] net: ipv6: Do not keep IPv6 addresses when IPv6 is disabled Greg Kroah-Hartman
                     ` (168 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Herbert Xu,
	Eric W. Biederman, Marcelo Ricardo Leitner, Vegard Nossum,
	Neil Horman, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>


[ Upstream commit 54236ab09e9696a27baaae693c288920a26e8588 ]

sctp_transport_seq_start() does not currently clear iter->start_fail on
success, but relies on it being zero when it is allocated (by
seq_open_net()).

This can be a problem in the following sequence:

    open() // allocates iter (and implicitly sets iter->start_fail = 0)
    read()
     - iter->start() // fails and sets iter->start_fail = 1
     - iter->stop() // doesn't call sctp_transport_walk_stop() (correct)
    read() again
     - iter->start() // succeeds, but doesn't change iter->start_fail
     - iter->stop() // doesn't call sctp_transport_walk_stop() (wrong)

We should initialize sctp_ht_iter::start_fail to zero if ->start()
succeeds, otherwise it's possible that we leave an old value of 1 there,
which will cause ->stop() to not call sctp_transport_walk_stop(), which
causes all sorts of problems like not calling rcu_read_unlock() (and
preempt_enable()), eventually leading to more warnings like this:

    BUG: sleeping function called from invalid context at mm/slab.h:388
    in_atomic(): 0, irqs_disabled(): 0, pid: 16551, name: trinity-c2
    Preemption disabled at:[<ffffffff819bceb6>] rhashtable_walk_start+0x46/0x150

     [<ffffffff81149abb>] preempt_count_add+0x1fb/0x280
     [<ffffffff83295892>] _raw_spin_lock+0x12/0x40
     [<ffffffff819bceb6>] rhashtable_walk_start+0x46/0x150
     [<ffffffff82ec665f>] sctp_transport_walk_start+0x2f/0x60
     [<ffffffff82edda1d>] sctp_transport_seq_start+0x4d/0x150
     [<ffffffff81439e50>] traverse+0x170/0x850
     [<ffffffff8143aeec>] seq_read+0x7cc/0x1180
     [<ffffffff814f996c>] proc_reg_read+0xbc/0x180
     [<ffffffff813d0384>] do_loop_readv_writev+0x134/0x210
     [<ffffffff813d2a95>] do_readv_writev+0x565/0x660
     [<ffffffff813d6857>] vfs_readv+0x67/0xa0
     [<ffffffff813d6c16>] do_preadv+0x126/0x170
     [<ffffffff813d710c>] SyS_preadv+0xc/0x10
     [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
     [<ffffffff83296225>] return_from_SYSCALL_64+0x0/0x6a
     [<ffffffffffffffff>] 0xffffffffffffffff

Notice that this is a subtly different stacktrace from the one in commit
5fc382d875 ("net/sctp: terminate rhashtable walk correctly").

Cc: Xin Long <lucien.xin@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-By: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/proc.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -293,6 +293,7 @@ static void *sctp_transport_seq_start(st
 		return ERR_PTR(err);
 	}
 
+	iter->start_fail = 0;
 	return sctp_transport_get_idx(seq_file_net(seq), &iter->hti, *pos);
 }
 
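Review bot: `iter->start_fail = 0;` is placed after the `return ERR_PTR(err);` branch, so the flag is only reset once ->start() has passed the error check, and its value still depends on what an earlier call left behind until that point. Clearing it at the top of sctp_transport_seq_start() and letting the error branch set it would keep the invariant in one place and would not rely on the allocator zeroing the iterator.
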


* [PATCH 4.7 011/184] net: ipv6: Do not keep IPv6 addresses when IPv6 is disabled
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (8 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 010/184] net/sctp: always initialise sctp_ht_iter::start_fail Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 012/184] tipc: fix NULL pointer dereference in shutdown() Greg Kroah-Hartman
                     ` (167 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Manning, David Ahern, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Manning <mmanning@brocade.com>


[ Upstream commit bc561632dddd5af0c4444d919f01cbf6d553aa0a ]

If IPv6 is disabled when the option is set to keep IPv6
addresses on link down, userspace is unaware of this as
there is no such indication via netlink. The solution is to
remove the IPv6 addresses in this case, which results in
netlink messages indicating removal of addresses in the
usual manner. This fix also makes the behavior consistent
with the case of having IPv6 disabled first, which stops
IPv6 addresses from being added.

Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional")
Signed-off-by: Mike Manning <mmanning@brocade.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/addrconf.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3469,7 +3469,7 @@ static int addrconf_ifdown(struct net_de
 	/* combine the user config with event to determine if permanent
 	 * addresses are to be removed from address hash table
 	 */
-	keep_addr = !(how || _keep_addr <= 0);
+	keep_addr = !(how || _keep_addr <= 0 || idev->cnf.disable_ipv6);
 
 	/* Step 2: clear hash table */
 	for (i = 0; i < IN6_ADDR_HSIZE; i++) {
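
Review bot: the comment above `keep_addr = !(how || _keep_addr <= 0 || idev->cnf.disable_ipv6);` still says the decision combines "the user config with event", but the result now also depends on the per-device disable_ipv6 setting. Please update the comment so the third input is documented where the expression is evaluated.
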
@@ -3525,7 +3525,7 @@ restart:
 	/* re-combine the user config with event to determine if permanent
 	 * addresses are to be removed from the interface list
 	 */
-	keep_addr = (!how && _keep_addr > 0);
+	keep_addr = (!how && _keep_addr > 0 && !idev->cnf.disable_ipv6);
 
 	INIT_LIST_HEAD(&del_list);
 	list_for_each_entry_safe(ifa, tmp, &idev->addr_list, if_list) {
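
Review bot: `keep_addr = (!how && _keep_addr > 0 && !idev->cnf.disable_ipv6);` is the De Morgan form of the expression changed in the previous hunk, so the same three-input decision is now spelled out twice and has to be kept in sync by hand. A small helper, or computing the value once unless something between the two sites can change an input, would remove the risk of the two copies drifting apart.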


* [PATCH 4.7 012/184] tipc: fix NULL pointer dereference in shutdown()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (9 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 011/184] net: ipv6: Do not keep IPv6 addresses when IPv6 is disabled Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 014/184] net/mlx5: Fix pci error recovery flow Greg Kroah-Hartman
                     ` (166 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vegard Nossum, Ying Xue, Jon Maloy,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>


[ Upstream commit d2fbdf76b85bcdfe57b8ef2ba09d20e8ada79abd ]

tipc_msg_create() can return a NULL skb and if so, we shouldn't try to
call tipc_node_xmit_skb() on it.

    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    CPU: 3 PID: 30298 Comm: trinity-c0 Not tainted 4.7.0-rc7+ #19
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    task: ffff8800baf09980 ti: ffff8800595b8000 task.ti: ffff8800595b8000
    RIP: 0010:[<ffffffff830bb46b>]  [<ffffffff830bb46b>] tipc_node_xmit_skb+0x6b/0x140
    RSP: 0018:ffff8800595bfce8  EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003023b0e0
    RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffffff83d12580
    RBP: ffff8800595bfd78 R08: ffffed000b2b7f32 R09: 0000000000000000
    R10: fffffbfff0759725 R11: 0000000000000000 R12: 1ffff1000b2b7f9f
    R13: ffff8800595bfd58 R14: ffffffff83d12580 R15: dffffc0000000000
    FS:  00007fcdde242700(0000) GS:ffff88011af80000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fcddde1db10 CR3: 000000006874b000 CR4: 00000000000006e0
    DR0: 00007fcdde248000 DR1: 00007fcddd73d000 DR2: 00007fcdde248000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602
    Stack:
     0000000000000018 0000000000000018 0000000041b58ab3 ffffffff83954208
     ffffffff830bb400 ffff8800595bfd30 ffffffff8309d767 0000000000000018
     0000000000000018 ffff8800595bfd78 ffffffff8309da1a 00000000810ee611
    Call Trace:
     [<ffffffff830c84a3>] tipc_shutdown+0x553/0x880
     [<ffffffff825b4a3b>] SyS_shutdown+0x14b/0x170
     [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
     [<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
    Code: 90 00 b4 0b 83 c7 00 f1 f1 f1 f1 4c 8d 6d e0 c7 40 04 00 00 00 f4 c7 40 08 f3 f3 f3 f3 48 89 d8 48 c1 e8 03 c7 45 b4 00 00 00 00 <80> 3c 30 00 75 78 48 8d 7b 08 49 8d 75 c0 48 b8 00 00 00 00 00
    RIP  [<ffffffff830bb46b>] tipc_node_xmit_skb+0x6b/0x140
     RSP <ffff8800595bfce8>
    ---[ end trace 57b0484e351e71f1 ]---

I feel like we should maybe return -ENOMEM or -ENOBUFS, but I'm not sure
userspace is equipped to handle that. Anyway, this is better than a GPF
and looks somewhat consistent with other tipc_msg_create() callers.

Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/socket.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2180,7 +2180,8 @@ restart:
 					      TIPC_CONN_MSG, SHORT_H_SIZE,
 					      0, dnode, onode, dport, oport,
 					      TIPC_CONN_SHUTDOWN);
-			tipc_node_xmit_skb(net, skb, dnode, tsk->portid);
+			if (skb)
+				tipc_node_xmit_skb(net, skb, dnode, tsk->portid);
 		}
 		tsk->connected = 0;
 		sock->state = SS_DISCONNECTING;
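
Review bot: with `if (skb)` guarding tipc_node_xmit_skb(), an allocation failure in tipc_msg_create() now means the TIPC_CONN_SHUTDOWN message is silently never sent, while the code below still sets `tsk->connected = 0` and SS_DISCONNECTING. The peer is left without a shutdown notification and the caller gets no error. If that is the intended trade-off, a comment at the check saying so (and ideally a rate-limited warning) would make the dropped message visible to whoever debugs a hung peer.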


* [PATCH 4.7 014/184] net/mlx5: Fix pci error recovery flow
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (10 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 012/184] tipc: fix NULL pointer dereference in shutdown() Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 015/184] net/mlx5: Added missing check of msg length in verifying its signature Greg Kroah-Hartman
                     ` (165 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mohamad Haj Yahia, Saeed Mahameed,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mohamad Haj Yahia <mohamad@mellanox.com>


[ Upstream commit 1061c90f524963a0a90e7d2f9a6bfa666458af51 ]

When PCI error is detected we should save the state of the pci prior to
disabling it.

Also when receiving pci slot reset call we need to verify that the
device is responsive.

Fixes: 89d44f0a6c73 ('net/mlx5_core: Add pci error handlers to mlx5_core
driver')
Signed-off-by: Mohamad Haj Yahia <mohamad@mellanox.com>

Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/main.c |   59 ++++++++++++-------------
 1 file changed, 29 insertions(+), 30 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -1392,36 +1392,12 @@ static pci_ers_result_t mlx5_pci_err_det
 	dev_info(&pdev->dev, "%s was called\n", __func__);
 	mlx5_enter_error_state(dev);
 	mlx5_unload_one(dev, priv);
+	pci_save_state(pdev);
 	mlx5_pci_disable_device(dev);
 	return state == pci_channel_io_perm_failure ?
 		PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_NEED_RESET;
 }
 
-static pci_ers_result_t mlx5_pci_slot_reset(struct pci_dev *pdev)
-{
-	struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
-	int err = 0;
-
-	dev_info(&pdev->dev, "%s was called\n", __func__);
-
-	err = mlx5_pci_enable_device(dev);
-	if (err) {
-		dev_err(&pdev->dev, "%s: mlx5_pci_enable_device failed with error code: %d\n"
-			, __func__, err);
-		return PCI_ERS_RESULT_DISCONNECT;
-	}
-	pci_set_master(pdev);
-	pci_set_power_state(pdev, PCI_D0);
-	pci_restore_state(pdev);
-
-	return err ? PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_RECOVERED;
-}
-
-void mlx5_disable_device(struct mlx5_core_dev *dev)
-{
-	mlx5_pci_err_detected(dev->pdev, 0);
-}
-
 /* wait for the device to show vital signs by waiting
  * for the health counter to start counting.
  */
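
Review bot: the return value of the added `pci_save_state(pdev);` in mlx5_pci_err_detected() is ignored, so a failed save goes unnoticed until the later pci_restore_state() in the slot reset handler has nothing valid to restore. Please check the result and log it. It is also worth a comment on why saving is safe at this point, since the call runs after mlx5_enter_error_state() and mlx5_unload_one() on a device that has just reported a PCI error.
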
@@ -1449,21 +1425,44 @@ static int wait_vital(struct pci_dev *pd
 	return -ETIMEDOUT;
 }
 
-static void mlx5_pci_resume(struct pci_dev *pdev)
+static pci_ers_result_t mlx5_pci_slot_reset(struct pci_dev *pdev)
 {
 	struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
-	struct mlx5_priv *priv = &dev->priv;
 	int err;
 
 	dev_info(&pdev->dev, "%s was called\n", __func__);
 
-	pci_save_state(pdev);
-	err = wait_vital(pdev);
+	err = mlx5_pci_enable_device(dev);
 	if (err) {
+		dev_err(&pdev->dev, "%s: mlx5_pci_enable_device failed with error code: %d\n"
+			, __func__, err);
+		return PCI_ERS_RESULT_DISCONNECT;
+	}
+
+	pci_set_master(pdev);
+	pci_restore_state(pdev);
+
+	if (wait_vital(pdev)) {
 		dev_err(&pdev->dev, "%s: wait_vital timed out\n", __func__);
-		return;
+		return PCI_ERS_RESULT_DISCONNECT;
 	}
 
+	return PCI_ERS_RESULT_RECOVERED;
+}
+
+void mlx5_disable_device(struct mlx5_core_dev *dev)
+{
+	mlx5_pci_err_detected(dev->pdev, 0);
+}
+
+static void mlx5_pci_resume(struct pci_dev *pdev)
+{
+	struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
+	struct mlx5_priv *priv = &dev->priv;
+	int err;
+
+	dev_info(&pdev->dev, "%s was called\n", __func__);
+
 	err = mlx5_load_one(dev, priv);
 	if (err)
 		dev_err(&pdev->dev, "%s: mlx5_load_one failed with error code: %d\n"
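
Review bot: in the new mlx5_pci_slot_reset(), the `if (wait_vital(pdev))` failure branch returns PCI_ERS_RESULT_DISCONNECT after mlx5_pci_enable_device() has already succeeded and pci_set_master() has been called, without undoing either, so the device is left enabled on the failure path. Consider calling mlx5_pci_disable_device() before returning. Separately, the old handler's `pci_set_power_state(pdev, PCI_D0);` is dropped here and the changelog does not mention it; please say why it is no longer needed.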


* [PATCH 4.7 015/184] net/mlx5: Added missing check of msg length in verifying its signature
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (11 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 014/184] net/mlx5: Fix pci error recovery flow Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 016/184] net/mlx5e: Use correct flow dissector key on flower offloading Greg Kroah-Hartman
                     ` (164 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Blakey, Saeed Mahameed, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Blakey <paulb@mellanox.com>


[ Upstream commit 2c0f8ce1b584a4d7b8ff53140d21dfed99834940 ]

Set and verify signature calculates the signature for each of the
mailbox nodes, even for those that are unused (from cache). Added
a missing length check to set and verify only those which are used.

While here, also moved the setting of msg's nodes token to where we
already go over them. This saves a pass because checksum is disabled,
and the only useful thing remaining that set signature does is setting
the token.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB
adapters')
Signed-off-by: Paul Blakey <paulb@mellanox.com>

Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c |   83 ++++++++++++++++----------
 1 file changed, 53 insertions(+), 30 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -143,13 +143,14 @@ static struct mlx5_cmd_layout *get_inst(
 	return cmd->cmd_buf + (idx << cmd->log_stride);
 }
 
-static u8 xor8_buf(void *buf, int len)
+static u8 xor8_buf(void *buf, size_t offset, int len)
 {
 	u8 *ptr = buf;
 	u8 sum = 0;
 	int i;
+	int end = len + offset;
 
-	for (i = 0; i < len; i++)
+	for (i = offset; i < end; i++)
 		sum ^= ptr[i];
 
 	return sum;
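
Review bot: xor8_buf() now takes `size_t offset` but keeps `int len`, `int i` and `int end = len + offset;`, so the sum is computed in size_t and then truncated to int, and `i = offset` narrows as well. The values passed in this patch are small, but mixing signedness in a bounds computation for a buffer walk is fragile. Using size_t for len, i and end would make the loop bound unambiguous.
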
@@ -157,41 +158,49 @@ static u8 xor8_buf(void *buf, int len)
 
 static int verify_block_sig(struct mlx5_cmd_prot_block *block)
 {
-	if (xor8_buf(block->rsvd0, sizeof(*block) - sizeof(block->data) - 1) != 0xff)
+	size_t rsvd0_off = offsetof(struct mlx5_cmd_prot_block, rsvd0);
+	int xor_len = sizeof(*block) - sizeof(block->data) - 1;
+
+	if (xor8_buf(block, rsvd0_off, xor_len) != 0xff)
 		return -EINVAL;
 
-	if (xor8_buf(block, sizeof(*block)) != 0xff)
+	if (xor8_buf(block, 0, sizeof(*block)) != 0xff)
 		return -EINVAL;
 
 	return 0;
 }
 
-static void calc_block_sig(struct mlx5_cmd_prot_block *block, u8 token,
-			   int csum)
+static void calc_block_sig(struct mlx5_cmd_prot_block *block)
 {
-	block->token = token;
-	if (csum) {
-		block->ctrl_sig = ~xor8_buf(block->rsvd0, sizeof(*block) -
-					    sizeof(block->data) - 2);
-		block->sig = ~xor8_buf(block, sizeof(*block) - 1);
-	}
+	int ctrl_xor_len = sizeof(*block) - sizeof(block->data) - 2;
+	size_t rsvd0_off = offsetof(struct mlx5_cmd_prot_block, rsvd0);
+
+	block->ctrl_sig = ~xor8_buf(block, rsvd0_off, ctrl_xor_len);
+	block->sig = ~xor8_buf(block, 0, sizeof(*block) - 1);
 }
 
-static void calc_chain_sig(struct mlx5_cmd_msg *msg, u8 token, int csum)
+static void calc_chain_sig(struct mlx5_cmd_msg *msg)
 {
 	struct mlx5_cmd_mailbox *next = msg->next;
+	int size = msg->len;
+	int blen = size - min_t(int, sizeof(msg->first.data), size);
+	int n = (blen + MLX5_CMD_DATA_BLOCK_SIZE - 1)
+		/ MLX5_CMD_DATA_BLOCK_SIZE;
+	int i = 0;
 
-	while (next) {
-		calc_block_sig(next->buf, token, csum);
+	for (i = 0; i < n && next; i++)  {
+		calc_block_sig(next->buf);
 		next = next->next;
 	}
 }
 
 static void set_signature(struct mlx5_cmd_work_ent *ent, int csum)
 {
-	ent->lay->sig = ~xor8_buf(ent->lay, sizeof(*ent->lay));
-	calc_chain_sig(ent->in, ent->token, csum);
-	calc_chain_sig(ent->out, ent->token, csum);
+	ent->lay->sig = ~xor8_buf(ent->lay, 0,  sizeof(*ent->lay));
+	if (csum) {
+		calc_chain_sig(ent->in);
+		calc_chain_sig(ent->out);
+	}
 }
 
 static void poll_timeout(struct mlx5_cmd_work_ent *ent)
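
Review bot: the block-count computation in calc_chain_sig() (`blen = size - min_t(int, sizeof(msg->first.data), size)` followed by the round-up division by MLX5_CMD_DATA_BLOCK_SIZE) is repeated verbatim in verify_signature() further down. Since the point of the patch is that sign and verify must cover the same set of mailboxes, a single helper taking the mlx5_cmd_msg and returning n would guarantee both sides agree.
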
@@ -222,12 +231,17 @@ static int verify_signature(struct mlx5_
 	struct mlx5_cmd_mailbox *next = ent->out->next;
 	int err;
 	u8 sig;
+	int size = ent->out->len;
+	int blen = size - min_t(int, sizeof(ent->out->first.data), size);
+	int n = (blen + MLX5_CMD_DATA_BLOCK_SIZE - 1)
+		/ MLX5_CMD_DATA_BLOCK_SIZE;
+	int i = 0;
 
-	sig = xor8_buf(ent->lay, sizeof(*ent->lay));
+	sig = xor8_buf(ent->lay, 0, sizeof(*ent->lay));
 	if (sig != 0xff)
 		return -EINVAL;
 
-	while (next) {
+	for (i = 0; i < n && next; i++) {
 		err = verify_block_sig(next->buf);
 		if (err)
 			return err;
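
Review bot: `for (i = 0; i < n && next; i++)` in verify_signature() stops quietly when the mailbox chain ends before n blocks have been checked, so a chain shorter than `ent->out->len` implies is reported as verified. Since n is derived from the message length, running out of blocks early indicates an inconsistent message and should return -EINVAL rather than fall through to success.
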
@@ -656,7 +670,6 @@ static void cmd_work_handler(struct work
 		spin_unlock_irqrestore(&cmd->alloc_lock, flags);
 	}
 
-	ent->token = alloc_token(cmd);
 	cmd->ent_arr[ent->idx] = ent;
 	lay = get_inst(cmd, ent->idx);
 	ent->lay = lay;
@@ -766,7 +779,8 @@ static u8 *get_status_ptr(struct mlx5_ou
 static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in,
 			   struct mlx5_cmd_msg *out, void *uout, int uout_size,
 			   mlx5_cmd_cbk_t callback,
-			   void *context, int page_queue, u8 *status)
+			   void *context, int page_queue, u8 *status,
+			   u8 token)
 {
 	struct mlx5_cmd *cmd = &dev->cmd;
 	struct mlx5_cmd_work_ent *ent;
@@ -783,6 +797,8 @@ static int mlx5_cmd_invoke(struct mlx5_c
 	if (IS_ERR(ent))
 		return PTR_ERR(ent);
 
+	ent->token = token;
+
 	if (!callback)
 		init_completion(&ent->done);
 
@@ -854,7 +870,8 @@ static const struct file_operations fops
 	.write	= dbg_write,
 };
 
-static int mlx5_copy_to_msg(struct mlx5_cmd_msg *to, void *from, int size)
+static int mlx5_copy_to_msg(struct mlx5_cmd_msg *to, void *from, int size,
+			    u8 token)
 {
 	struct mlx5_cmd_prot_block *block;
 	struct mlx5_cmd_mailbox *next;
@@ -880,6 +897,7 @@ static int mlx5_copy_to_msg(struct mlx5_
 		memcpy(block->data, from, copy);
 		from += copy;
 		size -= copy;
+		block->token = token;
 		next = next->next;
 	}
 
@@ -949,7 +967,8 @@ static void free_cmd_box(struct mlx5_cor
 }
 
 static struct mlx5_cmd_msg *mlx5_alloc_cmd_msg(struct mlx5_core_dev *dev,
-					       gfp_t flags, int size)
+					       gfp_t flags, int size,
+					       u8 token)
 {
 	struct mlx5_cmd_mailbox *tmp, *head = NULL;
 	struct mlx5_cmd_prot_block *block;
@@ -978,6 +997,7 @@ static struct mlx5_cmd_msg *mlx5_alloc_c
 		tmp->next = head;
 		block->next = cpu_to_be64(tmp->next ? tmp->next->dma : 0);
 		block->block_num = cpu_to_be32(n - i - 1);
+		block->token = token;
 		head = tmp;
 	}
 	msg->next = head;
@@ -1352,7 +1372,7 @@ static struct mlx5_cmd_msg *alloc_msg(st
 	}
 
 	if (IS_ERR(msg))
-		msg = mlx5_alloc_cmd_msg(dev, gfp, in_size);
+		msg = mlx5_alloc_cmd_msg(dev, gfp, in_size, 0);
 
 	return msg;
 }
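
Review bot: `mlx5_alloc_cmd_msg(dev, gfp, in_size, 0)` stamps token 0 into every block of a freshly allocated input message, and the real token only arrives later through `block->token = token` in mlx5_copy_to_msg(). That two-step contract is not obvious from the call site, and the literal 0 reads like a valid token. A short comment here, or a named constant for "token assigned at copy time", would document that the placeholder is always overwritten before the message is posted.
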
@@ -1377,6 +1397,7 @@ static int cmd_exec(struct mlx5_core_dev
 	int err;
 	u8 status = 0;
 	u32 drv_synd;
+	u8 token;
 
 	if (pci_channel_offline(dev->pdev) ||
 	    dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
@@ -1395,20 +1416,22 @@ static int cmd_exec(struct mlx5_core_dev
 		return err;
 	}
 
-	err = mlx5_copy_to_msg(inb, in, in_size);
+	token = alloc_token(&dev->cmd);
+
+	err = mlx5_copy_to_msg(inb, in, in_size, token);
 	if (err) {
 		mlx5_core_warn(dev, "err %d\n", err);
 		goto out_in;
 	}
 
-	outb = mlx5_alloc_cmd_msg(dev, gfp, out_size);
+	outb = mlx5_alloc_cmd_msg(dev, gfp, out_size, token);
 	if (IS_ERR(outb)) {
 		err = PTR_ERR(outb);
 		goto out_in;
 	}
 
 	err = mlx5_cmd_invoke(dev, inb, outb, out, out_size, callback, context,
-			      pages_queue, &status);
+			      pages_queue, &status, token);
 	if (err)
 		goto out_out;
 
@@ -1476,7 +1499,7 @@ static int create_msg_cache(struct mlx5_
 	INIT_LIST_HEAD(&cmd->cache.med.head);
 
 	for (i = 0; i < NUM_LONG_LISTS; i++) {
-		msg = mlx5_alloc_cmd_msg(dev, GFP_KERNEL, LONG_LIST_SIZE);
+		msg = mlx5_alloc_cmd_msg(dev, GFP_KERNEL, LONG_LIST_SIZE, 0);
 		if (IS_ERR(msg)) {
 			err = PTR_ERR(msg);
 			goto ex_err;
@@ -1486,7 +1509,7 @@ static int create_msg_cache(struct mlx5_
 	}
 
 	for (i = 0; i < NUM_MED_LISTS; i++) {
-		msg = mlx5_alloc_cmd_msg(dev, GFP_KERNEL, MED_LIST_SIZE);
+		msg = mlx5_alloc_cmd_msg(dev, GFP_KERNEL, MED_LIST_SIZE, 0);
 		if (IS_ERR(msg)) {
 			err = PTR_ERR(msg);
 			goto ex_err;


* [PATCH 4.7 016/184] net/mlx5e: Use correct flow dissector key on flower offloading
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (12 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 015/184] net/mlx5: Added missing check of msg length in verifying its signature Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 017/184] net sched: fix encoding to use real length Greg Kroah-Hartman
                     ` (163 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hadar Hen Zion, Saeed Mahameed,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hadar Hen Zion <hadarh@mellanox.com>


[ Upstream commit 1dbd0d373ac338903d27fab5204b13122cc5accd ]

The wrong key is used when extracting the address type field set by
the flower offload code. We have to use the control key and not the
basic key, fix that.

Fixes: e3a2b7ed018e ('net/mlx5e: Support offload cls_flower with drop action')
Signed-off-by: Hadar Hen Zion <hadarh@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -150,7 +150,7 @@ static int parse_cls_flower(struct mlx5e
 	if (dissector_uses_key(f->dissector, FLOW_DISSECTOR_KEY_CONTROL)) {
 		struct flow_dissector_key_control *key =
 			skb_flow_dissector_target(f->dissector,
-						  FLOW_DISSECTOR_KEY_BASIC,
+						  FLOW_DISSECTOR_KEY_CONTROL,
 						  f->key);
 		addr_type = key->addr_type;
 	}
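
Review bot: the fix is correct as far as the hunk shows, but the key id is still written twice, once in `dissector_uses_key(f->dissector, FLOW_DISSECTOR_KEY_CONTROL)` and once in the skb_flow_dissector_target() call, and nothing ties either to the `struct flow_dissector_key_control *` it is assigned to. That is how the BASIC/CONTROL mismatch got in. If the other key lookups in parse_cls_flower() follow the same pattern, it is worth auditing them in the same pass.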


* [PATCH 4.7 017/184] net sched: fix encoding to use real length
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (13 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 016/184] net/mlx5e: Use correct flow dissector key on flower offloading Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 018/184] udp: fix poll() issue with zero sized packets Greg Kroah-Hartman
                     ` (162 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jamal Hadi Salim, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>


[ Upstream commit 28a10c426e81afc88514bca8e73affccf850fdf6 ]

Encoding of the metadata was using the padded length as opposed to
the real length of the data which is a bug per specification.
This has not been an issue to date because all metadatum specified
so far has been 32 bit where aligned and data length are the same width.
This also includes a bug fix for validating the length of a u16 field.
But since there is no metadata of size u16 yet we are fine to include it
here.

While at it get rid of magic numbers.

Fixes: ef6980b6becb ("net sched: introduce IFE action")
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/act_ife.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -52,7 +52,7 @@ int ife_tlv_meta_encode(void *skbdata, u
 	u32 *tlv = (u32 *)(skbdata);
 	u16 totlen = nla_total_size(dlen);	/*alignment + hdr */
 	char *dptr = (char *)tlv + NLA_HDRLEN;
-	u32 htlv = attrtype << 16 | totlen;
+	u32 htlv = attrtype << 16 | dlen;
 
 	*tlv = htonl(htlv);
 	memset(dptr, 0, totlen - NLA_HDRLEN);
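
Review bot: `u32 htlv = attrtype << 16 | dlen;` writes the bare payload length into the TLV length field, but the decode side later in this patch passes `mlen - NLA_HDRLEN` as the data length and reads from `tlvdata + NLA_HDRLEN`, which treats the on-wire length as including the header. With both changes applied, a 4-byte value is encoded with len 4 and decoded with a data length of 0. One side needs to change: either encode `dlen + NLA_HDRLEN` here or stop subtracting NLA_HDRLEN in tcf_ife_decode(). The changelog should state which convention the specification requires.
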
@@ -134,7 +134,7 @@ EXPORT_SYMBOL_GPL(ife_release_meta_gen);
 
 int ife_validate_meta_u32(void *val, int len)
 {
-	if (len == 4)
+	if (len == sizeof(u32))
 		return 0;
 
 	return -EINVAL;
@@ -143,8 +143,8 @@ EXPORT_SYMBOL_GPL(ife_validate_meta_u32)
 
 int ife_validate_meta_u16(void *val, int len)
 {
-	/* length will include padding */
-	if (len == NLA_ALIGN(2))
+	/* length will not include padding */
+	if (len == sizeof(u16))
 		return 0;
 
 	return -EINVAL;
@@ -652,12 +652,14 @@ static int tcf_ife_decode(struct sk_buff
 		u8 *tlvdata = (u8 *)tlv;
 		u16 mtype = tlv->type;
 		u16 mlen = tlv->len;
+		u16 alen;
 
 		mtype = ntohs(mtype);
 		mlen = ntohs(mlen);
+		alen = NLA_ALIGN(mlen);
 
-		if (find_decode_metaid(skb, ife, mtype, (mlen - 4),
-				       (void *)(tlvdata + 4))) {
+		if (find_decode_metaid(skb, ife, mtype, (mlen - NLA_HDRLEN),
+				       (void *)(tlvdata + NLA_HDRLEN))) {
 			/* abuse overlimits to count when we receive metadata
 			 * but dont have an ops for it
 			 */
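
Review bot: `mlen` comes straight from the packet (`tlv->len` through ntohs()) and `mlen - NLA_HDRLEN` is passed on as a length with no check that mlen is at least NLA_HDRLEN. For a smaller value the subtraction goes negative and the validators receive a bogus length. Replacing the magic 4 with NLA_HDRLEN keeps the behaviour, so this is a good place to add the lower-bound check and drop the TLV when it fails.
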
@@ -666,8 +668,8 @@ static int tcf_ife_decode(struct sk_buff
 			ife->tcf_qstats.overlimits++;
 		}
 
-		tlvdata += mlen;
-		ifehdrln -= mlen;
+		tlvdata += alen;
+		ifehdrln -= alen;
 		tlv = (struct meta_tlvhdr *)tlvdata;
 	}
 
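Review bot: `tlvdata += alen; ifehdrln -= alen;` advances by a length taken from the packet without first comparing it against the remaining `ifehdrln`, and a TLV whose length field is 0 gives alen == 0, so neither the pointer nor the remaining count moves. The enclosing loop is not visible in this hunk, but unless it already guards both cases, a check that alen is non-zero and not larger than ifehdrln belongs before the advance.
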


* [PATCH 4.7 018/184] udp: fix poll() issue with zero sized packets
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (14 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 017/184] net sched: fix encoding to use real length Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 019/184] tcp: properly scale window in tcp_v[46]_reqsk_send_ack() Greg Kroah-Hartman
                     ` (161 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laura Abbott, Eric Dumazet, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit e83c6744e81abc93a20d0eb3b7f504a176a6126a ]

Laura tracked poll() [and friends] regression caused by commit
e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")

udp_poll() needs to know if there is a valid packet in receive queue,
even if its payload length is 0.

Change first_packet_length() to return a signed int, and use -1
as the indication of an empty queue.

Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Reported-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/udp.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1182,13 +1182,13 @@ out:
  *	@sk: socket
  *
  *	Drops all bad checksum frames, until a valid one is found.
- *	Returns the length of found skb, or 0 if none is found.
+ *	Returns the length of found skb, or -1 if none is found.
  */
-static unsigned int first_packet_length(struct sock *sk)
+static int first_packet_length(struct sock *sk)
 {
 	struct sk_buff_head list_kill, *rcvq = &sk->sk_receive_queue;
 	struct sk_buff *skb;
-	unsigned int res;
+	int res;
 
 	__skb_queue_head_init(&list_kill);
 
@@ -1203,7 +1203,7 @@ static unsigned int first_packet_length(
 		__skb_unlink(skb, rcvq);
 		__skb_queue_tail(&list_kill, skb);
 	}
-	res = skb ? skb->len : 0;
+	res = skb ? skb->len : -1;
 	spin_unlock_bh(&rcvq->lock);
 
 	if (!skb_queue_empty(&list_kill)) {
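
Review bot: In res = skb ? skb->len : -1; the two arms differ in signedness: skb->len is unsigned int, so the conditional expression is evaluated as unsigned and -1 becomes UINT_MAX before it is converted back on assignment to int res. That yields -1 on the kernel's targets, but it reads as an accident; writing (int)skb->len in the first arm would keep the whole expression signed.
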
@@ -1232,7 +1232,7 @@ int udp_ioctl(struct sock *sk, int cmd,
 
 	case SIOCINQ:
 	{
-		unsigned int amount = first_packet_length(sk);
+		int amount = max_t(int, 0, first_packet_length(sk));
 
 		return put_user(amount, (int __user *)arg);
 	}
@@ -2184,7 +2184,7 @@ unsigned int udp_poll(struct file *file,
 
 	/* Check for false positives due to checksum errors */
 	if ((mask & POLLRDNORM) && !(file->f_flags & O_NONBLOCK) &&
-	    !(sk->sk_shutdown & RCV_SHUTDOWN) && !first_packet_length(sk))
+	    !(sk->sk_shutdown & RCV_SHUTDOWN) && first_packet_length(sk) == -1)
 		mask &= ~(POLLIN | POLLRDNORM);
 
 	return mask;
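
Review bot: The empty-queue sentinel is spelled as a bare -1 here and in first_packet_length() itself, while udp_ioctl() handles it indirectly through max_t(int, 0, ...). Testing first_packet_length(sk) < 0 here, or giving the sentinel a name, would keep the three sites from drifting apart if the helper ever returns another negative value.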

* [PATCH 4.7 019/184] tcp: properly scale window in tcp_v[46]_reqsk_send_ack()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (15 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 018/184] udp: fix poll() issue with zero sized packets Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 020/184] sctp: fix overrun in sctp_diag_dump_one() Greg Kroah-Hartman
                     ` (160 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Yuchung Cheng,
	Neal Cardwell, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 20a2b49fc538540819a0c552877086548cff8d8d ]

When sending an ack in SYN_RECV state, we must scale the offered
window if wscale option was negotiated and accepted.

Tested:
 Following packetdrill test demonstrates the issue :

0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0

+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0

// Establish a connection.
+0 < S 0:0(0) win 20000 <mss 1000,sackOK,wscale 7, nop, TS val 100 ecr 0>
+0 > S. 0:0(0) ack 1 win 28960 <mss 1460,sackOK, TS val 100 ecr 100, nop, wscale 7>

+0 < . 1:11(10) ack 1 win 156 <nop,nop,TS val 99 ecr 100>
// check that window is properly scaled !
+0 > . 1:1(0) ack 1 win 226 <nop,nop,TS val 200 ecr 100>

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_ipv4.c |    8 +++++++-
 net/ipv6/tcp_ipv6.c |    8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -814,8 +814,14 @@ static void tcp_v4_reqsk_send_ack(const
 	u32 seq = (sk->sk_state == TCP_LISTEN) ? tcp_rsk(req)->snt_isn + 1 :
 					     tcp_sk(sk)->snd_nxt;
 
+	/* RFC 7323 2.3
+	 * The window field (SEG.WND) of every outgoing segment, with the
+	 * exception of <SYN> segments, MUST be right-shifted by
+	 * Rcv.Wind.Shift bits:
+	 */
 	tcp_v4_send_ack(sock_net(sk), skb, seq,
-			tcp_rsk(req)->rcv_nxt, req->rsk_rcv_wnd,
+			tcp_rsk(req)->rcv_nxt,
+			req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
 			tcp_time_stamp,
 			req->ts_recent,
 			0,
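
Review bot: The shift by inet_rsk(req)->rcv_wscale is applied unconditionally, while the changelog says the window is scaled "if wscale option was negotiated and accepted". That is correct only if rcv_wscale is left at 0 when window scaling was not negotiated; a short remark to that effect next to the RFC 7323 quote would save the next reader from having to check where rcv_wscale is set.
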
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -937,9 +937,15 @@ static void tcp_v6_reqsk_send_ack(const
 	/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
 	 * sk->sk_state == TCP_SYN_RECV -> for Fast Open.
 	 */
+	/* RFC 7323 2.3
+	 * The window field (SEG.WND) of every outgoing segment, with the
+	 * exception of <SYN> segments, MUST be right-shifted by
+	 * Rcv.Wind.Shift bits:
+	 */
 	tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ?
 			tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
-			tcp_rsk(req)->rcv_nxt, req->rsk_rcv_wnd,
+			tcp_rsk(req)->rcv_nxt,
+			req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
 			tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
 			tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),
 			0, 0);
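
Review bot: The new RFC 7323 comment sits directly under the existing sk_state comment, so the two blocks read as one and the TCP_LISTEN / TCP_SYN_RECV remark now looks as if it described the window argument; a blank line or a merged comment would separate them. Also, req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale now appears in both tcp_v4_reqsk_send_ack and here; a small helper taking req would carry the RFC comment once and keep the two callers in step.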

* [PATCH 4.7 020/184] sctp: fix overrun in sctp_diag_dump_one()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (16 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 019/184] tcp: properly scale window in tcp_v[46]_reqsk_send_ack() Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 021/184] tun: fix transmit timestamp support Greg Kroah-Hartman
                     ` (159 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lance Richardson, Xin Long,
	Marcelo Ricardo Leitner, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lance Richardson <lrichard@redhat.com>


[ Upstream commit 232cb53a45965f8789fbf0a9a1962f8c67ab1a3c ]

The function sctp_diag_dump_one() currently performs a memcpy()
of 64 bytes from a 16 byte field into another 16 byte field. Fix
by using correct size, use sizeof to obtain correct size instead
of using a hard-coded constant.

Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/sctp_diag.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/sctp/sctp_diag.c
+++ b/net/sctp/sctp_diag.c
@@ -418,11 +418,13 @@ static int sctp_diag_dump_one(struct sk_
 		paddr.v4.sin_family = AF_INET;
 	} else {
 		laddr.v6.sin6_port = req->id.idiag_sport;
-		memcpy(&laddr.v6.sin6_addr, req->id.idiag_src, 64);
+		memcpy(&laddr.v6.sin6_addr, req->id.idiag_src,
+		       sizeof(laddr.v6.sin6_addr));
 		laddr.v6.sin6_family = AF_INET6;
 
 		paddr.v6.sin6_port = req->id.idiag_dport;
-		memcpy(&paddr.v6.sin6_addr, req->id.idiag_dst, 64);
+		memcpy(&paddr.v6.sin6_addr, req->id.idiag_dst,
+		       sizeof(paddr.v6.sin6_addr));
 		paddr.v6.sin6_family = AF_INET6;
 	}
 
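
Review bot: Both memcpy() calls now take their length from the destination (sizeof(laddr.v6.sin6_addr) and sizeof(paddr.v6.sin6_addr)), which bounds the write but still assumes req->id.idiag_src and req->id.idiag_dst are at least that large. The changelog says they are 16 bytes; a BUILD_BUG_ON comparing source and destination sizes would turn that assumption into a compile-time check, so a later layout change cannot bring the over-read back.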

* [PATCH 4.7 021/184] tun: fix transmit timestamp support
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (17 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 020/184] sctp: fix overrun in sctp_diag_dump_one() Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 022/184] net: dsa: bcm_sf2: Fix race condition while unmasking interrupts Greg Kroah-Hartman
                     ` (158 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Soheil Hassas Yeganeh, Francis Yan,
	Eric Dumazet, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Soheil Hassas Yeganeh <soheil@google.com>


[ Upstream commit 7b996243fab46092fb3a29c773c54be8152366e4 ]

Instead of using sock_tx_timestamp, use skb_tx_timestamp to record
software transmit timestamp of a packet.

sock_tx_timestamp resets and overrides the tx_flags of the skb.
The function is intended to be called from within the protocol
layer when creating the skb, not from a device driver. This is
inconsistent with other drivers and will cause issues for TCP.

In TCP, we intend to sample the timestamps for the last byte
for each sendmsg/sendpage. For that reason, tcp_sendmsg calls
tcp_tx_timestamp only with the last skb that it generates.
For example, if a 128KB message is split into two 64KB packets
we want to sample the SND timestamp of the last packet. The current
code in the tun driver, however, will result in sampling the SND
timestamp for both packets.

Also, when the last packet is split into smaller packets for
retransmission (see tcp_fragment), the tun driver will record
timestamps for all of the retransmitted packets and not only the
last packet.

Fixes: eda297729171 (tun: Support software transmit time stamping.)
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Francis Yan <francisyyan@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/tun.c |    6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -878,11 +878,7 @@ static netdev_tx_t tun_net_xmit(struct s
 	if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC)))
 		goto drop;
 
-	if (skb->sk && sk_fullsock(skb->sk)) {
-		sock_tx_timestamp(skb->sk, skb->sk->sk_tsflags,
-				  &skb_shinfo(skb)->tx_flags);
-		sw_tx_timestamp(skb);
-	}
+	skb_tx_timestamp(skb);
 
 	/* Orphan the skb - required as we might hang on to it
 	 * for indefinite time.
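
Review bot: The removed block ran only when skb->sk && sk_fullsock(skb->sk); skb_tx_timestamp(skb) is now called for every skb that reaches this point. The changelog explains why sock_tx_timestamp has to go, but it does not say that the unguarded call is safe for an skb with no socket or with a non-full socket attached; please state that in the changelog or in a comment above the call.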

* [PATCH 4.7 022/184] net: dsa: bcm_sf2: Fix race condition while unmasking interrupts
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (18 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 021/184] tun: fix transmit timestamp support Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 023/184] Revert "phy: IRQ cannot be shared" Greg Kroah-Hartman
                     ` (157 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>


[ Upstream commit 4f101c47791cdcb831b3ef1f831b1cc51e4fe03c ]

We kept shadow copies of which interrupt sources we have enabled and
disabled, but due to an order bug in how intrl2_mask_clear was defined,
we could run into the following scenario:

CPU0					CPU1
intrl2_1_mask_clear(..)
sets INTRL2_CPU_MASK_CLEAR
					bcm_sf2_switch_1_isr
					read INTRL2_CPU_STATUS and masks with stale
					irq1_mask value
updates irq1_mask value

Which would make us loop again and again trying to process an interrupt
we are not clearing since our copy of whether it was enabled before
still indicates it was not. Fix this by updating the shadow copy first,
and then unmasking at the HW level.

Fixes: 246d7f773c13 ("net: dsa: add Broadcom SF2 switch driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/dsa/bcm_sf2.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/dsa/bcm_sf2.h
+++ b/drivers/net/dsa/bcm_sf2.h
@@ -189,8 +189,8 @@ static inline void name##_writeq(struct
 static inline void intrl2_##which##_mask_clear(struct bcm_sf2_priv *priv, \
 						u32 mask)		\
 {									\
-	intrl2_##which##_writel(priv, mask, INTRL2_CPU_MASK_CLEAR);	\
 	priv->irq##which##_mask &= ~(mask);				\
+	intrl2_##which##_writel(priv, mask, INTRL2_CPU_MASK_CLEAR);	\
 }									\
 static inline void intrl2_##which##_mask_set(struct bcm_sf2_priv *priv, \
 						u32 mask)		\
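
Review bot: Swapping the two statements fixes the order on the writing CPU, but priv->irq##which##_mask is updated with a plain store and nothing in this hunk orders that store against the MMIO write as seen by the CPU running the ISR. If intrl2_##which##_writel does not imply a write barrier, the handler can still read the stale mask after the hardware has been unmasked. Please confirm the accessor's ordering guarantees or add an explicit barrier, and check that intrl2_##which##_mask_set just below has the order it needs as well.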

* [PATCH 4.7 023/184] Revert "phy: IRQ cannot be shared"
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (19 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 022/184] net: dsa: bcm_sf2: Fix race condition while unmasking interrupts Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 024/184] net: smc91x: fix SMC accesses Greg Kroah-Hartman
                     ` (156 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xander Huff, Nathan Sullivan,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xander Huff <xander.huff@ni.com>


[ Upstream commit c3e70edd7c2eed6acd234627a6007627f5c76e8e ]

This reverts:
  commit 33c133cc7598 ("phy: IRQ cannot be shared")

On hardware with multiple PHY devices hooked up to the same IRQ line, allow
them to share it.

Sergei Shtylyov says:
  "I'm not sure now what was the reason I concluded that the IRQ sharing
  was impossible... most probably I thought that the kernel IRQ handling
  code exited the loop over the IRQ actions once IRQ_HANDLED was returned
  -- which is obviously not so in reality..."

Signed-off-by: Xander Huff <xander.huff@ni.com>
Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/phy.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -722,8 +722,10 @@ phy_err:
 int phy_start_interrupts(struct phy_device *phydev)
 {
 	atomic_set(&phydev->irq_disable, 0);
-	if (request_irq(phydev->irq, phy_interrupt, 0, "phy_interrupt",
-			phydev) < 0) {
+	if (request_irq(phydev->irq, phy_interrupt,
+				IRQF_SHARED,
+				"phy_interrupt",
+				phydev) < 0) {
 		pr_warn("%s: Can't get IRQ %d (PHY)\n",
 			phydev->mdio.bus->name, phydev->irq);
 		phydev->irq = PHY_POLL;
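
Review bot: With IRQF_SHARED the handler is invoked for interrupts raised by any device on the line, so phy_interrupt has to recognise that its own PHY did not interrupt and return IRQ_NONE in that case; this hunk changes only the flag and shows nothing of the handler. Please confirm that in the changelog. Minor: every sharer registers under the same name, "phy_interrupt", which makes them indistinguishable in /proc/interrupts, and the continuation lines are indented deeper than in the original two-line call.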

* [PATCH 4.7 024/184] net: smc91x: fix SMC accesses
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (20 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 023/184] Revert "phy: IRQ cannot be shared" Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 025/184] bridge: re-introduce fix parsing of MLDv2 reports Greg Kroah-Hartman
                     ` (155 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Robert Jarzmik,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>


[ Upstream commit 2fb04fdf30192ff1e2b5834e9b7745889ea8bbcb ]

Commit b70661c70830 ("net: smc91x: use run-time configuration on all ARM
machines") broke some ARM platforms through several mistakes.  Firstly,
the access size must correspond to the following rule:

(a) at least one of 16-bit or 8-bit access size must be supported
(b) 32-bit accesses are optional, and may be enabled in addition to
    the above.

Secondly, it provides no emulation of 16-bit accesses, instead blindly
making 16-bit accesses even when the platform specifies that only 8-bit
is supported.

Reorganise smc91x.h so we can make use of the existing 16-bit access
emulation already provided - if 16-bit accesses are supported, use
16-bit accesses directly, otherwise if 8-bit accesses are supported,
use the provided 16-bit access emulation.  If neither, BUG().  This
exactly reflects the driver behaviour prior to the commit being fixed.

Since the conversion incorrectly cut down the available access sizes on
several platforms, we also need to go through every platform and fix up
the overly-restrictive access size: Arnd assumed that if a platform can
perform 32-bit, 16-bit and 8-bit accesses, then only a 32-bit access
size needed to be specified - not so, all available access sizes must
be specified.

This likely fixes some performance regressions in doing this: if a
platform does not support 8-bit accesses, 8-bit accesses have been
emulated by performing a 16-bit read-modify-write access.

Tested on the Intel Assabet/Neponset platform, which supports only 8-bit
accesses, which was broken by the original commit.

Fixes: b70661c70830 ("net: smc91x: use run-time configuration on all ARM machines")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-pxa/idp.c                    |    3 -
 arch/arm/mach-pxa/xcep.c                   |    3 -
 arch/arm/mach-realview/core.c              |    3 -
 arch/arm/mach-sa1100/pleb.c                |    2 
 arch/blackfin/mach-bf561/boards/cm_bf561.c |    3 -
 arch/blackfin/mach-bf561/boards/ezkit.c    |    3 -
 drivers/net/ethernet/smsc/smc91x.c         |    7 +++
 drivers/net/ethernet/smsc/smc91x.h         |   65 ++++++++++++++++++++---------
 include/linux/smc91x.h                     |   10 ++++
 9 files changed, 73 insertions(+), 26 deletions(-)

--- a/arch/arm/mach-pxa/idp.c
+++ b/arch/arm/mach-pxa/idp.c
@@ -83,7 +83,8 @@ static struct resource smc91x_resources[
 };
 
 static struct smc91x_platdata smc91x_platdata = {
-	.flags = SMC91X_USE_32BIT | SMC91X_USE_DMA | SMC91X_NOWAIT,
+	.flags = SMC91X_USE_8BIT | SMC91X_USE_16BIT | SMC91X_USE_32BIT |
+		 SMC91X_USE_DMA | SMC91X_NOWAIT,
 };
 
 static struct platform_device smc91x_device = {
--- a/arch/arm/mach-pxa/xcep.c
+++ b/arch/arm/mach-pxa/xcep.c
@@ -120,7 +120,8 @@ static struct resource smc91x_resources[
 };
 
 static struct smc91x_platdata xcep_smc91x_info = {
-	.flags	= SMC91X_USE_32BIT | SMC91X_NOWAIT | SMC91X_USE_DMA,
+	.flags	= SMC91X_USE_8BIT | SMC91X_USE_16BIT | SMC91X_USE_32BIT |
+		  SMC91X_NOWAIT | SMC91X_USE_DMA,
 };
 
 static struct platform_device smc91x_device = {
--- a/arch/arm/mach-realview/core.c
+++ b/arch/arm/mach-realview/core.c
@@ -93,7 +93,8 @@ static struct smsc911x_platform_config s
 };
 
 static struct smc91x_platdata smc91x_platdata = {
-	.flags = SMC91X_USE_32BIT | SMC91X_NOWAIT,
+	.flags = SMC91X_USE_8BIT | SMC91X_USE_16BIT | SMC91X_USE_32BIT |
+		 SMC91X_NOWAIT,
 };
 
 static struct platform_device realview_eth_device = {
--- a/arch/arm/mach-sa1100/pleb.c
+++ b/arch/arm/mach-sa1100/pleb.c
@@ -45,7 +45,7 @@ static struct resource smc91x_resources[
 };
 
 static struct smc91x_platdata smc91x_platdata = {
-	.flags = SMC91X_USE_16BIT | SMC91X_NOWAIT,
+	.flags = SMC91X_USE_16BIT | SMC91X_USE_8BIT | SMC91X_NOWAIT,
 };
 
 static struct platform_device smc91x_device = {
--- a/arch/blackfin/mach-bf561/boards/cm_bf561.c
+++ b/arch/blackfin/mach-bf561/boards/cm_bf561.c
@@ -146,7 +146,8 @@ static struct platform_device hitachi_fb
 #include <linux/smc91x.h>
 
 static struct smc91x_platdata smc91x_info = {
-	.flags = SMC91X_USE_32BIT | SMC91X_NOWAIT,
+	.flags = SMC91X_USE_8BIT | SMC91X_USE_16BIT | SMC91X_USE_32BIT |
+		 SMC91X_NOWAIT,
 	.leda = RPC_LED_100_10,
 	.ledb = RPC_LED_TX_RX,
 };
--- a/arch/blackfin/mach-bf561/boards/ezkit.c
+++ b/arch/blackfin/mach-bf561/boards/ezkit.c
@@ -134,7 +134,8 @@ static struct platform_device net2272_bf
 #include <linux/smc91x.h>
 
 static struct smc91x_platdata smc91x_info = {
-	.flags = SMC91X_USE_32BIT | SMC91X_NOWAIT,
+	.flags = SMC91X_USE_8BIT | SMC91X_USE_16BIT | SMC91X_USE_32BIT |
+		 SMC91X_NOWAIT,
 	.leda = RPC_LED_100_10,
 	.ledb = RPC_LED_TX_RX,
 };
--- a/drivers/net/ethernet/smsc/smc91x.c
+++ b/drivers/net/ethernet/smsc/smc91x.c
@@ -2269,6 +2269,13 @@ static int smc_drv_probe(struct platform
 	if (pd) {
 		memcpy(&lp->cfg, pd, sizeof(lp->cfg));
 		lp->io_shift = SMC91X_IO_SHIFT(lp->cfg.flags);
+
+		if (!SMC_8BIT(lp) && !SMC_16BIT(lp)) {
+			dev_err(&pdev->dev,
+				"at least one of 8-bit or 16-bit access support is required.\n");
+			ret = -ENXIO;
+			goto out_free_netdev;
+		}
 	}
 
 #if IS_BUILTIN(CONFIG_OF)
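
Review bot: The new 8-bit/16-bit check sits inside if (pd), so it validates only configurations that arrive as platform data. If the #if IS_BUILTIN(CONFIG_OF) block that follows also sets the access-size flags, a device tree that ends up with neither SMC_8BIT(lp) nor SMC_16BIT(lp) gets through probe and then hits the BUG() in SMC_inw/SMC_outw on the first register access. Moving the check to after all configuration sources have been processed would cover both paths.
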
--- a/drivers/net/ethernet/smsc/smc91x.h
+++ b/drivers/net/ethernet/smsc/smc91x.h
@@ -37,6 +37,27 @@
 #include <linux/smc91x.h>
 
 /*
+ * Any 16-bit access is performed with two 8-bit accesses if the hardware
+ * can't do it directly. Most registers are 16-bit so those are mandatory.
+ */
+#define SMC_outw_b(x, a, r)						\
+	do {								\
+		unsigned int __val16 = (x);				\
+		unsigned int __reg = (r);				\
+		SMC_outb(__val16, a, __reg);				\
+		SMC_outb(__val16 >> 8, a, __reg + (1 << SMC_IO_SHIFT));	\
+	} while (0)
+
+#define SMC_inw_b(a, r)							\
+	({								\
+		unsigned int __val16;					\
+		unsigned int __reg = r;					\
+		__val16  = SMC_inb(a, __reg);				\
+		__val16 |= SMC_inb(a, __reg + (1 << SMC_IO_SHIFT)) << 8; \
+		__val16;						\
+	})
+
+/*
  * Define your architecture specific bus configuration parameters here.
  */
 
@@ -55,10 +76,30 @@
 #define SMC_IO_SHIFT		(lp->io_shift)
 
 #define SMC_inb(a, r)		readb((a) + (r))
-#define SMC_inw(a, r)		readw((a) + (r))
+#define SMC_inw(a, r)							\
+	({								\
+		unsigned int __smc_r = r;				\
+		SMC_16BIT(lp) ? readw((a) + __smc_r) :			\
+		SMC_8BIT(lp) ? SMC_inw_b(a, __smc_r) :			\
+		({ BUG(); 0; });					\
+	})
+
 #define SMC_inl(a, r)		readl((a) + (r))
 #define SMC_outb(v, a, r)	writeb(v, (a) + (r))
+#define SMC_outw(v, a, r)						\
+	do {								\
+		unsigned int __v = v, __smc_r = r;			\
+		if (SMC_16BIT(lp))					\
+			__SMC_outw(__v, a, __smc_r);			\
+		else if (SMC_8BIT(lp))					\
+			SMC_outw_b(__v, a, __smc_r);			\
+		else							\
+			BUG();						\
+	} while (0)
+
 #define SMC_outl(v, a, r)	writel(v, (a) + (r))
+#define SMC_insb(a, r, p, l)	readsb((a) + (r), p, l)
+#define SMC_outsb(a, r, p, l)	writesb((a) + (r), p, l)
 #define SMC_insw(a, r, p, l)	readsw((a) + (r), p, l)
 #define SMC_outsw(a, r, p, l)	writesw((a) + (r), p, l)
 #define SMC_insl(a, r, p, l)	readsl((a) + (r), p, l)
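
Review bot: The macro arguments are used unparenthesized in the new initializers (unsigned int __smc_r = r; and unsigned int __v = v, __smc_r = r;), while SMC_outw_b in the same patch writes (x) and (r). Please parenthesize them for consistency. The BUG() arms are also evaluated on every register access, so a one-line comment saying that probe is expected to have rejected a configuration with neither 8-bit nor 16-bit access would explain why they are unreachable in practice.
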
@@ -66,7 +107,7 @@
 #define SMC_IRQ_FLAGS		(-1)	/* from resource */
 
 /* We actually can't write halfwords properly if not word aligned */
-static inline void SMC_outw(u16 val, void __iomem *ioaddr, int reg)
+static inline void __SMC_outw(u16 val, void __iomem *ioaddr, int reg)
 {
 	if ((machine_is_mainstone() || machine_is_stargate2() ||
 	     machine_is_pxa_idp()) && reg & 2) {
@@ -416,24 +457,8 @@ smc_pxa_dma_insw(void __iomem *ioaddr, s
 
 #if ! SMC_CAN_USE_16BIT
 
-/*
- * Any 16-bit access is performed with two 8-bit accesses if the hardware
- * can't do it directly. Most registers are 16-bit so those are mandatory.
- */
-#define SMC_outw(x, ioaddr, reg)					\
-	do {								\
-		unsigned int __val16 = (x);				\
-		SMC_outb( __val16, ioaddr, reg );			\
-		SMC_outb( __val16 >> 8, ioaddr, reg + (1 << SMC_IO_SHIFT));\
-	} while (0)
-#define SMC_inw(ioaddr, reg)						\
-	({								\
-		unsigned int __val16;					\
-		__val16 =  SMC_inb( ioaddr, reg );			\
-		__val16 |= SMC_inb( ioaddr, reg + (1 << SMC_IO_SHIFT)) << 8; \
-		__val16;						\
-	})
-
+#define SMC_outw(x, ioaddr, reg)	SMC_outw_b(x, ioaddr, reg)
+#define SMC_inw(ioaddr, reg)		SMC_inw_b(ioaddr, reg)
 #define SMC_insw(a, r, p, l)		BUG()
 #define SMC_outsw(a, r, p, l)		BUG()
 
--- a/include/linux/smc91x.h
+++ b/include/linux/smc91x.h
@@ -1,6 +1,16 @@
 #ifndef __SMC91X_H__
 #define __SMC91X_H__
 
+/*
+ * These bits define which access sizes a platform can support, rather
+ * than the maximal access size.  So, if your platform can do 16-bit
+ * and 32-bit accesses to the SMC91x device, but not 8-bit, set both
+ * SMC91X_USE_16BIT and SMC91X_USE_32BIT.
+ *
+ * The SMC91x driver requires at least one of SMC91X_USE_8BIT or
+ * SMC91X_USE_16BIT to be supported - just setting SMC91X_USE_32BIT is
+ * an invalid configuration.
+ */
 #define SMC91X_USE_8BIT (1 << 0)
 #define SMC91X_USE_16BIT (1 << 1)
 #define SMC91X_USE_32BIT (1 << 2)

* [PATCH 4.7 025/184] bridge: re-introduce fix parsing of MLDv2 reports
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (21 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 024/184] net: smc91x: fix SMC accesses Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 026/184] kcm: fix a socket double free Greg Kroah-Hartman
                     ` (154 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Davide Caratti, Nikolay Aleksandrov,
	Thadeu Lima de Souza Cascardo, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Caratti <dcaratti@redhat.com>


[ Upstream commit 9264251ee2a55bce8fb93826b3f581fb9eb7e2c2 ]

commit bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with
INCLUDE and no sources as a leave") seems to have accidentally reverted
commit 47cc84ce0c2f ("bridge: fix parsing of MLDv2 reports"). This
commit brings back a change to br_ip6_multicast_mld2_report() where
parsing of MLDv2 reports stops when the first group is successfully
added to the MDB cache.

Fixes: bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/br_multicast.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1121,7 +1121,7 @@ static int br_ip6_multicast_mld2_report(
 		} else {
 			err = br_ip6_multicast_add_group(br, port,
 							 &grec->grec_mca, vid);
-			if (!err)
+			if (err)
 				break;
 		}
 	}
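
Review bot: This one-character inversion is the same fix that, per the changelog, was already lost once to an unrelated commit. A comment on the if (err) break; saying that parsing stops on the first failure and continues across successfully added groups would make a future accidental flip much easier to catch in review.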

* [PATCH 4.7 026/184] kcm: fix a socket double free
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (22 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 025/184] bridge: re-introduce fix parsing of MLDv2 reports Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 027/184] bonding: Fix bonding crash Greg Kroah-Hartman
                     ` (153 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov, Tom Herbert,
	Cong Wang, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>


[ Upstream commit c0338aff2260ea6c092806312dbb154cec07a242 ]

Dmitry reported a double free on kcm socket, which could
be easily reproduced by:

	#include <unistd.h>
	#include <sys/syscall.h>

	int main()
	{
	  int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0);
	  syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0);
	  return 0;
	}

This is because on the error path, after we install
the new socket file, we call sock_release() to clean
up the socket, which leaves the fd pointing to a freed
socket. Fix this by calling sys_close() on that fd
directly.

Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Tom Herbert <tom@herbertland.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/kcm/kcmsock.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -13,6 +13,7 @@
 #include <linux/socket.h>
 #include <linux/uaccess.h>
 #include <linux/workqueue.h>
+#include <linux/syscalls.h>
 #include <net/kcm.h>
 #include <net/netns/generic.h>
 #include <net/sock.h>
@@ -2035,7 +2036,7 @@ static int kcm_ioctl(struct socket *sock
 			if (copy_to_user((void __user *)arg, &info,
 					 sizeof(info))) {
 				err = -EFAULT;
-				sock_release(newsock);
+				sys_close(info.fd);
 			}
 		}
 
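
Review bot: sys_close(info.fd) closes whatever the descriptor number refers to at that moment, not necessarily the socket file installed earlier in this function. Once the fd is installed it is visible to other threads sharing the file table, so by the time this error path runs the number can have been closed and reused, and the call would then close an unrelated file. Reserving the descriptor first and installing the file only after copy_to_user() has succeeded would leave nothing to undo on the -EFAULT path.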

* [PATCH 4.7 027/184] bonding: Fix bonding crash
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (23 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 026/184] kcm: fix a socket double free Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 028/184] Revert "af_unix: Fix splice-bind deadlock" Greg Kroah-Hartman
                     ` (152 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mahesh Bandewar, Eric Dumazet,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mahesh Bandewar <maheshb@google.com>


[ Upstream commit 24b27fc4cdf9e10c5e79e5923b6b7c2c5c95096c ]

Following few steps will crash kernel -

  (a) Create bonding master
      > modprobe bonding miimon=50
  (b) Create macvlan bridge on eth2
      > ip link add link eth2 dev mvl0 address aa:0:0:0:0:01 \
	   type macvlan
  (c) Now try adding eth2 into the bond
      > echo +eth2 > /sys/class/net/bond0/bonding/slaves
      <crash>

Bonding does lots of things before checking if the device enslaved is
busy or not.

In this case when the notifier call-chain sends notifications, the
bond_netdev_event() assumes that the rx_handler /rx_handler_data is
registered while the bond_enslave() hasn't progressed far enough to
register rx_handler for the new slave.

This patch adds a rx_handler check that can be performed right at the
beginning of the enslave code to avoid getting into this situation.

Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/bonding/bond_main.c |    7 ++++---
 include/linux/netdevice.h       |    1 +
 net/core/dev.c                  |   16 ++++++++++++++++
 3 files changed, 21 insertions(+), 3 deletions(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1341,9 +1341,10 @@ int bond_enslave(struct net_device *bond
 			    slave_dev->name);
 	}
 
-	/* already enslaved */
-	if (slave_dev->flags & IFF_SLAVE) {
-		netdev_dbg(bond_dev, "Error: Device was already enslaved\n");
+	/* already in-use? */
+	if (netdev_is_rx_handler_busy(slave_dev)) {
+		netdev_err(bond_dev,
+			   "Error: Device is in use and cannot be enslaved\n");
 		return -EBUSY;
 	}
 
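Review bot: the IFF_SLAVE test in bond_enslave() is dropped rather than kept alongside the new netdev_is_rx_handler_busy() check, so a device that carries IFF_SLAVE without a registered rx_handler now passes this gate. If every path that sets IFF_SLAVE also registers an rx_handler, say so in the comment; otherwise keep both conditions. The message also moves from netdev_dbg to netdev_err on a path the commit message shows being reached by a write to the bonding sysfs file, so repeated attempts will each write to the kernel log; a rate-limited print may be worth considering.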
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3225,6 +3225,7 @@ static inline void napi_free_frags(struc
 	napi->skb = NULL;
 }
 
+bool netdev_is_rx_handler_busy(struct net_device *dev);
 int netdev_rx_handler_register(struct net_device *dev,
 			       rx_handler_func_t *rx_handler,
 			       void *rx_handler_data);
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3979,6 +3979,22 @@ sch_handle_ingress(struct sk_buff *skb,
 }
 
 /**
+ *	netdev_is_rx_handler_busy - check if receive handler is registered
+ *	@dev: device to check
+ *
+ *	Check if a receive handler is already registered for a given device.
+ *	Return true if there one.
+ *
+ *	The caller must hold the rtnl_mutex.
+ */
+bool netdev_is_rx_handler_busy(struct net_device *dev)
+{
+	ASSERT_RTNL();
+	return dev && rtnl_dereference(dev->rx_handler);
+}
+EXPORT_SYMBOL_GPL(netdev_is_rx_handler_busy);
+
+/**
  *	netdev_rx_handler_register - register receive handler
  *	@dev: device to register a handler for
  *	@rx_handler: receive handler to register
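Review bot: the kernel-doc for netdev_is_rx_handler_busy() has a dropped word in "Return true if there one.", which should read "Return true if there is one." The return expression also tolerates a NULL dev, but the @dev line does not say NULL is allowed; either document that or drop the "dev &&" test so the comment and the code agree.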


* [PATCH 4.7 028/184] Revert "af_unix: Fix splice-bind deadlock"
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (24 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 027/184] bonding: Fix bonding crash Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 029/184] af_unix: split u->readlock into two: iolock and bindlock Greg Kroah-Hartman
                     ` (151 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Torvalds, Shmulik Ladkani,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>


[ Upstream commit 38f7bd94a97b542de86a2be9229289717e33a7a4 ]

This reverts commit c845acb324aa85a39650a14e7696982ceea75dc1.

It turns out that it just replaces one deadlock with another one: we can
still get the wrong lock ordering with the readlock due to overlayfs
calling back into the filesystem layer and still taking the vfs locks
after the readlock.

The proper solution ends up being to just split the readlock into two
pieces: the bind lock (taken *outside* the vfs locks) and the IO lock
(taken *inside* the filesystem locks).  The two locks are independent
anyway.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/unix/af_unix.c |   68 +++++++++++++++++++++--------------------------------
 1 file changed, 27 insertions(+), 41 deletions(-)

--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -953,20 +953,32 @@ fail:
 	return NULL;
 }
 
-static int unix_mknod(struct dentry *dentry, const struct path *path, umode_t mode,
-		      struct path *res)
+static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
 {
-	int err;
-
-	err = security_path_mknod(path, dentry, mode, 0);
+	struct dentry *dentry;
+	struct path path;
+	int err = 0;
+	/*
+	 * Get the parent directory, calculate the hash for last
+	 * component.
+	 */
+	dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0);
+	err = PTR_ERR(dentry);
+	if (IS_ERR(dentry))
+		return err;
+
+	/*
+	 * All right, let's create it.
+	 */
+	err = security_path_mknod(&path, dentry, mode, 0);
 	if (!err) {
-		err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0);
+		err = vfs_mknod(d_inode(path.dentry), dentry, mode, 0);
 		if (!err) {
-			res->mnt = mntget(path->mnt);
+			res->mnt = mntget(path.mnt);
 			res->dentry = dget(dentry);
 		}
 	}
-
+	done_path_create(&path, dentry);
 	return err;
 }
 
@@ -977,12 +989,10 @@ static int unix_bind(struct socket *sock
 	struct unix_sock *u = unix_sk(sk);
 	struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
 	char *sun_path = sunaddr->sun_path;
-	int err, name_err;
+	int err;
 	unsigned int hash;
 	struct unix_address *addr;
 	struct hlist_head *list;
-	struct path path;
-	struct dentry *dentry;
 
 	err = -EINVAL;
 	if (sunaddr->sun_family != AF_UNIX)
@@ -998,34 +1008,14 @@ static int unix_bind(struct socket *sock
 		goto out;
 	addr_len = err;
 
-	name_err = 0;
-	dentry = NULL;
-	if (sun_path[0]) {
-		/* Get the parent directory, calculate the hash for last
-		 * component.
-		 */
-		dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0);
-
-		if (IS_ERR(dentry)) {
-			/* delay report until after 'already bound' check */
-			name_err = PTR_ERR(dentry);
-			dentry = NULL;
-		}
-	}
-
 	err = mutex_lock_interruptible(&u->readlock);
 	if (err)
-		goto out_path;
+		goto out;
 
 	err = -EINVAL;
 	if (u->addr)
 		goto out_up;
 
-	if (name_err) {
-		err = name_err == -EEXIST ? -EADDRINUSE : name_err;
-		goto out_up;
-	}
-
 	err = -ENOMEM;
 	addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL);
 	if (!addr)
@@ -1036,11 +1026,11 @@ static int unix_bind(struct socket *sock
 	addr->hash = hash ^ sk->sk_type;
 	atomic_set(&addr->refcnt, 1);
 
-	if (dentry) {
-		struct path u_path;
+	if (sun_path[0]) {
+		struct path path;
 		umode_t mode = S_IFSOCK |
 		       (SOCK_INODE(sock)->i_mode & ~current_umask());
-		err = unix_mknod(dentry, &path, mode, &u_path);
+		err = unix_mknod(sun_path, mode, &path);
 		if (err) {
 			if (err == -EEXIST)
 				err = -EADDRINUSE;
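Review bot: with this revert unix_mknod(), and therefore kern_path_create(), is again called from unix_bind() while u->readlock is held, which is the lock ordering the reverted commit was written to avoid. The commit message says the real fix is splitting readlock into a bind lock and an IO lock, so this patch is only safe when applied together with that split and should never be picked on its own; a sentence saying so in the changelog would help anyone backporting selectively.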
@@ -1048,9 +1038,9 @@ static int unix_bind(struct socket *sock
 			goto out_up;
 		}
 		addr->hash = UNIX_HASH_SIZE;
-		hash = d_real_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1);
+		hash = d_real_inode(path.dentry)->i_ino & (UNIX_HASH_SIZE - 1);
 		spin_lock(&unix_table_lock);
-		u->path = u_path;
+		u->path = path;
 		list = &unix_socket_table[hash];
 	} else {
 		spin_lock(&unix_table_lock);
@@ -1073,10 +1063,6 @@ out_unlock:
 	spin_unlock(&unix_table_lock);
 out_up:
 	mutex_unlock(&u->readlock);
-out_path:
-	if (dentry)
-		done_path_create(&path, dentry);
-
 out:
 	return err;
 }


* [PATCH 4.7 029/184] af_unix: split u->readlock into two: iolock and bindlock
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (25 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 028/184] Revert "af_unix: Fix splice-bind deadlock" Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 030/184] ipv6: release dst in ping_v6_sendmsg Greg Kroah-Hartman
                     ` (150 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rainer Weikusat, Al Viro,
	Linus Torvalds, Hannes Frederic Sowa, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>


[ Upstream commit 6e1ce3c3451291142a57c4f3f6f999a29fb5b3bc ]

Right now we use the 'readlock' both for protecting some of the af_unix
IO path and for making the bind be single-threaded.

The two are independent, but using the same lock makes for a nasty
deadlock due to ordering with regards to filesystem locking.  The bind
locking would want to nest outside the VFS pathname locking, but the IO
locking wants to nest inside some of those same locks.

We tried to fix this earlier with commit c845acb324aa ("af_unix: Fix
splice-bind deadlock") which moved the readlock inside the vfs locks,
but that caused problems with overlayfs that will then call back into
filesystem routines that take the lock in the wrong order anyway.

Splitting the locks means that we can go back to having the bind lock be
the outermost lock, and we don't have any deadlocks with lock ordering.

Acked-by: Rainer Weikusat <rweikusat@cyberadapt.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/af_unix.h |    2 +-
 net/unix/af_unix.c    |   45 +++++++++++++++++++++++----------------------
 2 files changed, 24 insertions(+), 23 deletions(-)

--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -52,7 +52,7 @@ struct unix_sock {
 	struct sock		sk;
 	struct unix_address     *addr;
 	struct path		path;
-	struct mutex		readlock;
+	struct mutex		iolock, bindlock;
 	struct sock		*peer;
 	struct list_head	link;
 	atomic_long_t		inflight;
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -661,11 +661,11 @@ static int unix_set_peek_off(struct sock
 {
 	struct unix_sock *u = unix_sk(sk);
 
-	if (mutex_lock_interruptible(&u->readlock))
+	if (mutex_lock_interruptible(&u->iolock))
 		return -EINTR;
 
 	sk->sk_peek_off = val;
-	mutex_unlock(&u->readlock);
+	mutex_unlock(&u->iolock);
 
 	return 0;
 }
@@ -778,7 +778,8 @@ static struct sock *unix_create1(struct
 	spin_lock_init(&u->lock);
 	atomic_long_set(&u->inflight, 0);
 	INIT_LIST_HEAD(&u->link);
-	mutex_init(&u->readlock); /* single task reading lock */
+	mutex_init(&u->iolock); /* single task reading lock */
+	mutex_init(&u->bindlock); /* single task binding lock */
 	init_waitqueue_head(&u->peer_wait);
 	init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
 	unix_insert_socket(unix_sockets_unbound(sk), sk);
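Review bot: the comment kept on mutex_init(&u->iolock), "single task reading lock", no longer describes the lock. Later hunks in this same patch take iolock in unix_stream_sendpage() to modify skbs already on the peer's receive queue, which is a send path. Reword the comment to say what iolock serializes: receive-queue readers and the sendpage path that edits queued skbs.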
@@ -847,7 +848,7 @@ static int unix_autobind(struct socket *
 	int err;
 	unsigned int retries = 0;
 
-	err = mutex_lock_interruptible(&u->readlock);
+	err = mutex_lock_interruptible(&u->bindlock);
 	if (err)
 		return err;
 
@@ -894,7 +895,7 @@ retry:
 	spin_unlock(&unix_table_lock);
 	err = 0;
 
-out:	mutex_unlock(&u->readlock);
+out:	mutex_unlock(&u->bindlock);
 	return err;
 }
 
@@ -1008,7 +1009,7 @@ static int unix_bind(struct socket *sock
 		goto out;
 	addr_len = err;
 
-	err = mutex_lock_interruptible(&u->readlock);
+	err = mutex_lock_interruptible(&u->bindlock);
 	if (err)
 		goto out;
 
@@ -1062,7 +1063,7 @@ static int unix_bind(struct socket *sock
 out_unlock:
 	spin_unlock(&unix_table_lock);
 out_up:
-	mutex_unlock(&u->readlock);
+	mutex_unlock(&u->bindlock);
 out:
 	return err;
 }
@@ -1954,17 +1955,17 @@ static ssize_t unix_stream_sendpage(stru
 	if (false) {
 alloc_skb:
 		unix_state_unlock(other);
-		mutex_unlock(&unix_sk(other)->readlock);
+		mutex_unlock(&unix_sk(other)->iolock);
 		newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
 					      &err, 0);
 		if (!newskb)
 			goto err;
 	}
 
-	/* we must acquire readlock as we modify already present
+	/* we must acquire iolock as we modify already present
 	 * skbs in the sk_receive_queue and mess with skb->len
 	 */
-	err = mutex_lock_interruptible(&unix_sk(other)->readlock);
+	err = mutex_lock_interruptible(&unix_sk(other)->iolock);
 	if (err) {
 		err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS;
 		goto err;
@@ -2031,7 +2032,7 @@ alloc_skb:
 	}
 
 	unix_state_unlock(other);
-	mutex_unlock(&unix_sk(other)->readlock);
+	mutex_unlock(&unix_sk(other)->iolock);
 
 	other->sk_data_ready(other);
 	scm_destroy(&scm);
@@ -2040,7 +2041,7 @@ alloc_skb:
 err_state_unlock:
 	unix_state_unlock(other);
 err_unlock:
-	mutex_unlock(&unix_sk(other)->readlock);
+	mutex_unlock(&unix_sk(other)->iolock);
 err:
 	kfree_skb(newskb);
 	if (send_sigpipe && !(flags & MSG_NOSIGNAL))
@@ -2108,7 +2109,7 @@ static int unix_dgram_recvmsg(struct soc
 	timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
 
 	do {
-		mutex_lock(&u->readlock);
+		mutex_lock(&u->iolock);
 
 		skip = sk_peek_offset(sk, flags);
 		skb = __skb_try_recv_datagram(sk, flags, &peeked, &skip, &err,
@@ -2116,14 +2117,14 @@ static int unix_dgram_recvmsg(struct soc
 		if (skb)
 			break;
 
-		mutex_unlock(&u->readlock);
+		mutex_unlock(&u->iolock);
 
 		if (err != -EAGAIN)
 			break;
 	} while (timeo &&
 		 !__skb_wait_for_more_packets(sk, &err, &timeo, last));
 
-	if (!skb) { /* implies readlock unlocked */
+	if (!skb) { /* implies iolock unlocked */
 		unix_state_lock(sk);
 		/* Signal EOF on disconnected non-blocking SEQPACKET socket. */
 		if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN &&
@@ -2188,7 +2189,7 @@ static int unix_dgram_recvmsg(struct soc
 
 out_free:
 	skb_free_datagram(sk, skb);
-	mutex_unlock(&u->readlock);
+	mutex_unlock(&u->iolock);
 out:
 	return err;
 }
@@ -2283,7 +2284,7 @@ static int unix_stream_read_generic(stru
 	/* Lock the socket to prevent queue disordering
 	 * while sleeps in memcpy_tomsg
 	 */
-	mutex_lock(&u->readlock);
+	mutex_lock(&u->iolock);
 
 	if (flags & MSG_PEEK)
 		skip = sk_peek_offset(sk, flags);
@@ -2325,7 +2326,7 @@ again:
 				break;
 			}
 
-			mutex_unlock(&u->readlock);
+			mutex_unlock(&u->iolock);
 
 			timeo = unix_stream_data_wait(sk, timeo, last,
 						      last_len);
@@ -2336,7 +2337,7 @@ again:
 				goto out;
 			}
 
-			mutex_lock(&u->readlock);
+			mutex_lock(&u->iolock);
 			goto redo;
 unlock:
 			unix_state_unlock(sk);
@@ -2439,7 +2440,7 @@ unlock:
 		}
 	} while (size);
 
-	mutex_unlock(&u->readlock);
+	mutex_unlock(&u->iolock);
 	if (state->msg)
 		scm_recv(sock, state->msg, &scm, flags);
 	else
@@ -2480,9 +2481,9 @@ static ssize_t skb_unix_socket_splice(st
 	int ret;
 	struct unix_sock *u = unix_sk(sk);
 
-	mutex_unlock(&u->readlock);
+	mutex_unlock(&u->iolock);
 	ret = splice_to_pipe(pipe, spd);
-	mutex_lock(&u->readlock);
+	mutex_lock(&u->iolock);
 
 	return ret;
 }


* [PATCH 4.7 030/184] ipv6: release dst in ping_v6_sendmsg
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (26 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 029/184] af_unix: split u->readlock into two: iolock and bindlock Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 031/184] bnxt_en: Fix TX push operation on ARM64 Greg Kroah-Hartman
                     ` (149 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Lau, Dave Jones, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Jones <davej@codemonkey.org.uk>


[ Upstream commit 03c2778a938aaba0893f6d6cdc29511d91a79848 ]

Neither the failure nor success paths of ping_v6_sendmsg release
the dst it acquires.  This leads to a flood of warnings from
"net/core/dst.c:288 dst_release" on older kernels that
don't have 8bf4ada2e21378816b28205427ee6b0e1ca4c5f1 backported.

That patch optimistically hoped this had been fixed post 3.10, but
it seems at least one case wasn't, where I've seen this triggered
a lot from machines doing unprivileged icmp sockets.

Cc: Martin Lau <kafai@fb.com>
Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ping.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -122,8 +122,10 @@ static int ping_v6_sendmsg(struct sock *
 	rt = (struct rt6_info *) dst;
 
 	np = inet6_sk(sk);
-	if (!np)
-		return -EBADF;
+	if (!np) {
+		err = -EBADF;
+		goto dst_err_out;
+	}
 
 	if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
 		fl6.flowi6_oif = np->mcast_oif;
@@ -160,6 +162,9 @@ static int ping_v6_sendmsg(struct sock *
 	}
 	release_sock(sk);
 
+dst_err_out:
+	dst_release(dst);
+
 	if (err)
 		return err;
 
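Review bot: the new dst_err_out label sits after release_sock(sk), and the !np branch changed in the first hunk jumps to it, so the fix is only correct if the socket lock is not yet held at the np check; please confirm that, since the hunk context does not show where the lock is taken. The label name is also misleading because the success path falls through it as well; a name that says "release dst" would describe it better. It is worth checking that no other early return between the dst lookup and this label still skips dst_release().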


* [PATCH 4.7 031/184] bnxt_en: Fix TX push operation on ARM64.
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (27 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 030/184] ipv6: release dst in ping_v6_sendmsg Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 032/184] ipv6: addrconf: fix dev refcont leak when DAD failed Greg Kroah-Hartman
                     ` (148 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, JD Zheng, Michael Chan, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Chan <michael.chan@broadcom.com>


[ Upstream commit 9d13744bb75078175ab49408f2abb980e4dbccc9 ]

There is a code path where we are calling __iowrite64_copy() on
an address that is not 64-bit aligned.  This causes an exception on
some architectures such as arm64.  Fix that code path by using
__iowrite32_copy().

Reported-by: JD Zheng <jiandong.zheng@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -293,8 +293,8 @@ static netdev_tx_t bnxt_start_xmit(struc
 		push_len = (length + sizeof(*tx_push) + 7) / 8;
 		if (push_len > 16) {
 			__iowrite64_copy(txr->tx_doorbell, tx_push_buf, 16);
-			__iowrite64_copy(txr->tx_doorbell + 4, tx_push_buf + 1,
-					 push_len - 16);
+			__iowrite32_copy(txr->tx_doorbell + 4, tx_push_buf + 1,
+					 (push_len - 16) << 1);
 		} else {
 			__iowrite64_copy(txr->tx_doorbell, tx_push_buf,
 					 push_len);
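Review bot: the count argument of the second copy changes units without a comment. __iowrite64_copy() takes a count of 64-bit words and __iowrite32_copy() a count of 32-bit words, which is why (push_len - 16) is now shifted left by one; a one-line comment at the "<< 1" would stop a later cleanup from "simplifying" it away. The first copy to txr->tx_doorbell and the copy in the else branch still use __iowrite64_copy(); if the alignment of those destinations is guaranteed, say so next to the calls.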


* [PATCH 4.7 032/184] ipv6: addrconf: fix dev refcont leak when DAD failed
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (28 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 031/184] bnxt_en: Fix TX push operation on ARM64 Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 033/184] tcp: fastopen: avoid negative sk_forward_alloc Greg Kroah-Hartman
                     ` (147 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wei Yongjun, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Yongjun <weiyongjun1@huawei.com>


[ Upstream commit 751eb6b6042a596b0080967c1a529a9fe98dac1d ]

In general, when DAD detects an IPv6 duplicate address, ifp->state
will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
delayed work; the call tree should be like this:

ndisc_recv_ns
  -> addrconf_dad_failure        <- missing ifp put
     -> addrconf_mod_dad_work
       -> schedule addrconf_dad_work()
         -> addrconf_dad_stop()  <- missing ifp hold before call it

addrconf_dad_failure() is called with the ifp refcount held but does not put it.
addrconf_dad_work() calls addrconf_dad_stop() without holding an extra
refcount. This will not cause any issue normally.

But the race between addrconf_dad_failure() and addrconf_dad_work()
may cause an ifp refcount leak, and the netdevice cannot be unregistered;
dmesg shows the following messages:

IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
...
unregister_netdevice: waiting for eth0 to become free. Usage count = 1

Cc: stable@vger.kernel.org
Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing
to workqueue")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/addrconf.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1906,6 +1906,7 @@ errdad:
 	spin_unlock_bh(&ifp->lock);
 
 	addrconf_mod_dad_work(ifp, 0);
+	in6_ifa_put(ifp);
 }
 
 /* Join to solicited addr multicast group.
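Review bot: in6_ifa_put(ifp) at the end of the errdad path makes addrconf_dad_failure() consume the reference its caller took, but nothing in the code states that contract. Add a comment on the function saying the caller's reference is dropped here, and check that every exit from the function drops it, not only the errdad path shown in this hunk.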
@@ -3771,6 +3772,7 @@ static void addrconf_dad_work(struct wor
 		addrconf_dad_begin(ifp);
 		goto out;
 	} else if (action == DAD_ABORT) {
+		in6_ifa_hold(ifp);
 		addrconf_dad_stop(ifp, 1);
 		goto out;
 	}
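Review bot: the in6_ifa_hold(ifp) added in the DAD_ABORT branch of addrconf_dad_work() has no matching put anywhere in this hunk, so the reader has to infer from the commit message's call tree that addrconf_dad_stop() releases a reference. A short comment at the hold naming the function that drops it would make the pairing auditable.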


* [PATCH 4.7 033/184] tcp: fastopen: avoid negative sk_forward_alloc
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (29 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 032/184] ipv6: addrconf: fix dev refcont leak when DAD failed Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 034/184] net/mlx5e: Fix parsing of vlan packets when updating lro header Greg Kroah-Hartman
                     ` (146 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Josh Hunt, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 76061f631c2ea4ab9c4d66f3a96ecc5737f5aaf7 ]

When DATA and/or FIN are carried in a SYN/ACK message or SYN message,
we append an skb in socket receive queue, but we forget to call
sk_forced_mem_schedule().

Effect is that the socket has a negative sk->sk_forward_alloc as long as
the message is not read by the application.

Josh Hunt fixed a similar issue in commit d22e15371811 ("tcp: fix tcp
fin memory accounting")

Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_fastopen.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -150,6 +150,7 @@ void tcp_fastopen_add_skb(struct sock *s
 	tp->segs_in = 0;
 	tcp_segs_in(tp, skb);
 	__skb_pull(skb, tcp_hdrlen(skb));
+	sk_forced_mem_schedule(sk, skb->truesize);
 	skb_set_owner_r(skb, sk);
 
 	TCP_SKB_CB(skb)->seq++;


* [PATCH 4.7 034/184] net/mlx5e: Fix parsing of vlan packets when updating lro header
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (30 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 033/184] tcp: fastopen: avoid negative sk_forward_alloc Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 035/184] tcp: cwnd does not increase in TCP YeAH Greg Kroah-Hartman
                     ` (145 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gal Pressman, Saeed Mahameed,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gal Pressman <galp@mellanox.com>


[ Upstream commit cd17d230dd060a12f7451c0caeedb3fd5158eaf9 ]

Currently vlan tagged packets were not parsed correctly
and assumed to be regular IPv4/IPv6 packets.
We should check for 802.1Q/802.1ad tags and update the lro header
accordingly.
This fixes the use case where LRO is on and rxvlan is off
(vlan stripping is off).

Fixes: e586b3b0baee ('net/mlx5: Ethernet Datapath files')
Signed-off-by: Gal Pressman <galp@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c |   22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -648,24 +648,32 @@ bool mlx5e_post_rx_wqes(struct mlx5e_rq
 static void mlx5e_lro_update_hdr(struct sk_buff *skb, struct mlx5_cqe64 *cqe,
 				 u32 cqe_bcnt)
 {
-	struct ethhdr	*eth	= (struct ethhdr *)(skb->data);
-	struct iphdr	*ipv4	= (struct iphdr *)(skb->data + ETH_HLEN);
-	struct ipv6hdr	*ipv6	= (struct ipv6hdr *)(skb->data + ETH_HLEN);
+	struct ethhdr	*eth = (struct ethhdr *)(skb->data);
+	struct iphdr	*ipv4;
+	struct ipv6hdr	*ipv6;
 	struct tcphdr	*tcp;
+	int network_depth = 0;
+	__be16 proto;
+	u16 tot_len;
 
 	u8 l4_hdr_type = get_cqe_l4_hdr_type(cqe);
 	int tcp_ack = ((CQE_L4_HDR_TYPE_TCP_ACK_NO_DATA  == l4_hdr_type) ||
 		       (CQE_L4_HDR_TYPE_TCP_ACK_AND_DATA == l4_hdr_type));
 
-	u16 tot_len = cqe_bcnt - ETH_HLEN;
+	skb->mac_len = ETH_HLEN;
+	proto = __vlan_get_protocol(skb, eth->h_proto, &network_depth);
 
-	if (eth->h_proto == htons(ETH_P_IP)) {
-		tcp = (struct tcphdr *)(skb->data + ETH_HLEN +
+	ipv4 = (struct iphdr *)(skb->data + network_depth);
+	ipv6 = (struct ipv6hdr *)(skb->data + network_depth);
+	tot_len = cqe_bcnt - network_depth;
+
+	if (proto == htons(ETH_P_IP)) {
+		tcp = (struct tcphdr *)(skb->data + network_depth +
 					sizeof(struct iphdr));
 		ipv6 = NULL;
 		skb_shinfo(skb)->gso_type = SKB_GSO_TCPV4;
 	} else {
-		tcp = (struct tcphdr *)(skb->data + ETH_HLEN +
+		tcp = (struct tcphdr *)(skb->data + network_depth +
 					sizeof(struct ipv6hdr));
 		ipv4 = NULL;
 		skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
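Review bot: the result of __vlan_get_protocol() is compared only against ETH_P_IP, so every other value, including the 0 it returns when the VLAN header cannot be pulled, falls into the else branch and is handled as IPv6. In mlx5e_lro_update_hdr() that means the ipv6 and tcp pointers are computed at skb->data + network_depth for a frame that may be neither protocol. Test proto explicitly for ETH_P_IPV6 and bail out on anything else. Also, tot_len = cqe_bcnt - network_depth narrows a u32 to a u16 with no check that network_depth does not exceed cqe_bcnt; a bound check before the subtraction would be safer for lengths that come from the hardware and the wire.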


* [PATCH 4.7 035/184] tcp: cwnd does not increase in TCP YeAH
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (31 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 034/184] net/mlx5e: Fix parsing of vlan packets when updating lro header Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 036/184] powerpc/tm: do not use r13 for tabort_syscall Greg Kroah-Hartman
                     ` (144 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Artem Germanov, Dmitry Adamushko,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Artem Germanov <agermanov@anchorfree.com>


[ Upstream commit db7196a0d0984b933ccf2cd6a60e26abf466e8a3 ]

Commit 76174004a0f19785a328f40388e87e982bbf69b9
(tcp: do not slow start when cwnd equals ssthresh )
introduced a regression in TCP YeAH. Using a 100ms delay, 1% loss virtual
ethernet link, kernel 4.2 shows bandwidth ~500KB/s for a single TCP
connection and kernel 4.3 and above (including 4.8-rc4) shows bandwidth
~100KB/s.
   That is caused by stalled cwnd when cwnd equals ssthresh. This patch
fixes it by properly increasing cwnd in this case.

Signed-off-by: Artem Germanov <agermanov@anchorfree.com>
Acked-by: Dmitry Adamushko <d.adamushko@anchorfree.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_yeah.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp_yeah.c
+++ b/net/ipv4/tcp_yeah.c
@@ -76,7 +76,7 @@ static void tcp_yeah_cong_avoid(struct s
 	if (!tcp_is_cwnd_limited(sk))
 		return;
 
-	if (tp->snd_cwnd <= tp->snd_ssthresh)
+	if (tcp_in_slow_start(tp))
 		tcp_slow_start(tp, acked);
 
 	else if (!yeah->doing_reno_now) {


* [PATCH 4.7 036/184] powerpc/tm: do not use r13 for tabort_syscall
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (32 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 035/184] tcp: cwnd does not increase in TCP YeAH Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 037/184] powerpc/powernv : Drop reference added by kset_find_obj() Greg Kroah-Hartman
                     ` (143 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nick Piggin, Benjamin Herrenschmidt

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin <npiggin@gmail.com>

commit cc7786d3ee7e3c979799db834b528db2c0834c2e upstream.

tabort_syscall runs with RI=1, so a nested recoverable machine
check will load the paca into r13 and overwrite what we loaded
it with, because exceptions returning to privileged mode do not
restore r13.

Fixes: b4b56f9ecab4 (powerpc/tm: Abort syscalls in active transactions)
Signed-off-by: Nick Piggin <npiggin@gmail.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/entry_64.S |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -368,13 +368,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
 tabort_syscall:
 	/* Firstly we need to enable TM in the kernel */
 	mfmsr	r10
-	li	r13, 1
-	rldimi	r10, r13, MSR_TM_LG, 63-MSR_TM_LG
+	li	r9, 1
+	rldimi	r10, r9, MSR_TM_LG, 63-MSR_TM_LG
 	mtmsrd	r10, 0
 
 	/* tabort, this dooms the transaction, nothing else */
-	li	r13, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT)
-	TABORT(R13)
+	li	r9, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT)
+	TABORT(R9)
 
 	/*
 	 * Return directly to userspace. We have corrupted user register state,
@@ -382,8 +382,8 @@ tabort_syscall:
 	 * resume after the tbegin of the aborted transaction with the
 	 * checkpointed register state.
 	 */
-	li	r13, MSR_RI
-	andc	r10, r10, r13
+	li	r9, MSR_RI
+	andc	r10, r10, r9
 	mtmsrd	r10, 1
 	mtspr	SPRN_SRR0, r11
 	mtspr	SPRN_SRR1, r12


* [PATCH 4.7 037/184] powerpc/powernv : Drop reference added by kset_find_obj()
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mukesh Ojha, Vasant Hegde,
	Benjamin Herrenschmidt

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>

commit a9cbf0b2195b695cbeeeecaa4e2770948c212e9a upstream.

In a situation where the Linux kernel gets notified about a duplicate error log
from OPAL, it has been observed that the kernel fails to remove the sysfs entries
(/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because
we currently search for the error log/dump kobject in the kset list via the
'kset_find_obj()' routine, which eventually increments the reference count
by one once it finds the kobject.

So, unless we decrement the reference count by one after it found the kobject,
we would not be able to release the kobject properly later.

This patch adds the 'kobject_put()' which was missing earlier.

Signed-off-by: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/platforms/powernv/opal-dump.c |    7 ++++++-
 arch/powerpc/platforms/powernv/opal-elog.c |    7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

--- a/arch/powerpc/platforms/powernv/opal-dump.c
+++ b/arch/powerpc/platforms/powernv/opal-dump.c
@@ -370,6 +370,7 @@ static irqreturn_t process_dump(int irq,
 	uint32_t dump_id, dump_size, dump_type;
 	struct dump_obj *dump;
 	char name[22];
+	struct kobject *kobj;
 
 	rc = dump_read_info(&dump_id, &dump_size, &dump_type);
 	if (rc != OPAL_SUCCESS)
@@ -381,8 +382,12 @@ static irqreturn_t process_dump(int irq,
 	 * that gracefully and not create two conflicting
 	 * entries.
 	 */
-	if (kset_find_obj(dump_kset, name))
+	kobj = kset_find_obj(dump_kset, name);
+	if (kobj) {
+		/* Drop reference added by kset_find_obj() */
+		kobject_put(kobj);
 		return 0;
+	}
 
 	dump = create_dump_obj(dump_id, dump_size, dump_type);
 	if (!dump)
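Review bot: the duplicate-dump path in process_dump() still ends in "return 0;" although the handler is declared irqreturn_t, and 0 is IRQ_NONE, while the matching path in elog_event() in this same patch returns IRQ_HANDLED. Since the block is being rewritten anyway, returning IRQ_HANDLED here would make the two handlers agree on how a duplicate notification is reported.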
--- a/arch/powerpc/platforms/powernv/opal-elog.c
+++ b/arch/powerpc/platforms/powernv/opal-elog.c
@@ -247,6 +247,7 @@ static irqreturn_t elog_event(int irq, v
 	uint64_t elog_type;
 	int rc;
 	char name[2+16+1];
+	struct kobject *kobj;
 
 	rc = opal_get_elog_size(&id, &size, &type);
 	if (rc != OPAL_SUCCESS) {
@@ -269,8 +270,12 @@ static irqreturn_t elog_event(int irq, v
 	 * that gracefully and not create two conflicting
 	 * entries.
 	 */
-	if (kset_find_obj(elog_kset, name))
+	kobj = kset_find_obj(elog_kset, name);
+	if (kobj) {
+		/* Drop reference added by kset_find_obj() */
+		kobject_put(kobj);
 		return IRQ_HANDLED;
+	}
 
 	create_elog_obj(log_id, elog_size, elog_type);
 


* [PATCH 4.7 038/184] powerpc: sysdev: cpm: fix gpio save_regs functions
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Linus Walleij,
	Benjamin Herrenschmidt

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit 41017a7579cf49cb5513e17df1570dc918760079 upstream.

of_mm_gpiochip_add_data() calls mm_gc->save_regs() before
setting the data. Therefore ->save_regs() cannot use
gpiochip_get_data()

[    0.275940] Unable to handle kernel paging request for data at address 0x00000130
[    0.283120] Faulting instruction address: 0xc01b44cc
[    0.288175] Oops: Kernel access of bad area, sig: 11 [#1]
[    0.293343] PREEMPT CMPC885
[    0.296141] CPU: 0 PID: 1 Comm: swapper Not tainted 4.7.0-g65124df-dirty #68
[    0.304131] task: c6074000 ti: c6080000 task.ti: c6080000
[    0.309459] NIP: c01b44cc LR: c0011720 CTR: c0011708
[    0.314372] REGS: c6081d90 TRAP: 0300   Not tainted  (4.7.0-g65124df-dirty)
[    0.322267] MSR: 00009032 <EE,ME,IR,DR,RI>  CR: 24000028  XER: 20000000
[    0.328813] DAR: 00000130 DSISR: c0000000
GPR00: c01b6d0c c6081e40 c6074000 c6017000 c9028000 c601d028 c6081dd8 00000000
GPR08: c601d028 00000000 ffffffff 00000001 24000044 00000000 c0002790 00000000
GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 c05643b0 00000083
GPR24: c04a1a6c c0560000 c04a8308 c04c6480 c0012498 c6017000 c7ffcc78 c6017000
[    0.360806] NIP [c01b44cc] gpiochip_get_data+0x4/0xc
[    0.365684] LR [c0011720] cpm1_gpio16_save_regs+0x18/0x44
[    0.370972] Call Trace:
[    0.373451] [c6081e50] [c01b6d0c] of_mm_gpiochip_add_data+0x70/0xdc
[    0.379624] [c6081e70] [c00124c0] cpm_init_par_io+0x28/0x118
[    0.385238] [c6081e80] [c04a8ac0] do_one_initcall+0xb0/0x17c
[    0.390819] [c6081ef0] [c04a8cbc] kernel_init_freeable+0x130/0x1dc
[    0.396924] [c6081f30] [c00027a4] kernel_init+0x14/0x110
[    0.402177] [c6081f40] [c000b424] ret_from_kernel_thread+0x5c/0x64
[    0.408233] Instruction dump:
[    0.411168] 4182fafc 3f80c040 48234c6d 3bc0fff0 3b9c5ed0 4bfffaf4 81290020 712a0004
[    0.418825] 4182fb34 48234c51 4bfffb2c 81230004 <80690130> 4e800020 7c0802a6 9421ffe0
[    0.426763] ---[ end trace fe4113ee21d72ffa ]---

fixes: e65078f1f3490 ("powerpc: sysdev: cpm1: use gpiochip data pointer")
fixes: a14a2d484b386 ("powerpc: cpm_common: use gpiochip data pointer")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/sysdev/cpm1.c       |    6 ++++--
 arch/powerpc/sysdev/cpm_common.c |    3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

--- a/arch/powerpc/sysdev/cpm1.c
+++ b/arch/powerpc/sysdev/cpm1.c
@@ -534,7 +534,8 @@ struct cpm1_gpio16_chip {
 
 static void cpm1_gpio16_save_regs(struct of_mm_gpio_chip *mm_gc)
 {
-	struct cpm1_gpio16_chip *cpm1_gc = gpiochip_get_data(&mm_gc->gc);
+	struct cpm1_gpio16_chip *cpm1_gc =
+		container_of(mm_gc, struct cpm1_gpio16_chip, mm_gc);
 	struct cpm_ioport16 __iomem *iop = mm_gc->regs;
 
 	cpm1_gc->cpdata = in_be16(&iop->dat);
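Review bot: cpm1_gpio16_save_regs() needs a short comment stating that it is called from of_mm_gpiochip_add_data() before the chip data pointer is set, so gpiochip_get_data() cannot be used and container_of() on the embedded mm_gc member is deliberate. The same applies to cpm1_gpio32_save_regs() and cpm2_gpio32_save_regs() below. Without the comment these three functions look like leftovers from the "use gpiochip data pointer" conversions named in the fixes: tags, and a repeat of that conversion would bring the oops back.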
@@ -649,7 +650,8 @@ struct cpm1_gpio32_chip {
 
 static void cpm1_gpio32_save_regs(struct of_mm_gpio_chip *mm_gc)
 {
-	struct cpm1_gpio32_chip *cpm1_gc = gpiochip_get_data(&mm_gc->gc);
+	struct cpm1_gpio32_chip *cpm1_gc =
+		container_of(mm_gc, struct cpm1_gpio32_chip, mm_gc);
 	struct cpm_ioport32b __iomem *iop = mm_gc->regs;
 
 	cpm1_gc->cpdata = in_be32(&iop->dat);
--- a/arch/powerpc/sysdev/cpm_common.c
+++ b/arch/powerpc/sysdev/cpm_common.c
@@ -82,7 +82,8 @@ struct cpm2_gpio32_chip {
 
 static void cpm2_gpio32_save_regs(struct of_mm_gpio_chip *mm_gc)
 {
-	struct cpm2_gpio32_chip *cpm2_gc = gpiochip_get_data(&mm_gc->gc);
+	struct cpm2_gpio32_chip *cpm2_gc =
+		container_of(mm_gc, struct cpm2_gpio32_chip, mm_gc);
 	struct cpm2_ioports __iomem *iop = mm_gc->regs;
 
 	cpm2_gc->cpdata = in_be32(&iop->dat);


* [PATCH 4.7 039/184] powerpc/mm: Dont alias user region to other regions below PAGE_OFFSET
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Mackerras, Aneesh Kumar K.V,
	Michael Ellerman

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <paulus@ozlabs.org>

commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa upstream.

In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13)
we lost a check on the region number (the top four bits of the effective
address) for addresses below PAGE_OFFSET.  That commit replaced a check
that the top 18 bits were all zero with a check that bits 46 - 59 were
zero (performed for all addresses, not just user addresses).

This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
and we will insert a valid SLB entry for it.  The VSID used will be the
same as if the top 4 bits were 0, but the page size will be some random
value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
array in the paca.  If that page size is the same as would be used for
region 0, then userspace just has an alias of the region 0 space.  If the
page size is different, then no HPTE will be found for the access, and
the process will get a SIGSEGV (since hash_page_mm() will refuse to create
a HPTE for the bogus address).

The access beyond the end of the mm_ctx_high_slices_psize can be at most
5.5MB past the array, and so will be in RAM somewhere.  Since the access
is a load performed in real mode, it won't fault or crash the kernel.
At most this bug could perhaps leak a little bit of information about
blocks of 32 bytes of memory located at offsets of i * 512kB past the
paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.

Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range")
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/mm/slb_low.S |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/arch/powerpc/mm/slb_low.S
+++ b/arch/powerpc/mm/slb_low.S
@@ -113,7 +113,12 @@ BEGIN_FTR_SECTION
 END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
 	b	slb_finish_load_1T
 
-0:
+0:	/*
+	 * For userspace addresses, make sure this is region 0.
+	 */
+	cmpdi	r9, 0
+	bne	8f
+
 	/* when using slices, we extract the psize off the slice bitmaps
 	 * and then we need to get the sllp encoding off the mmu_psize_defs
 	 * array.
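Review bot: the new "cmpdi r9, 0" / "bne 8f" guard depends on r9 still holding the region number when local label 0 is reached and on label 8 being the bad-address exit, and neither is visible in this hunk. The added comment should say where r9 was loaded and what 8f does, and that the check is what keeps the slice psize lookup that follows inside mm_ctx_high_slices_psize, so the guard is not mistaken for redundant in a file where register contents are otherwise implicit.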


* [PATCH 4.7 040/184] powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gavin Shan, Michael Ellerman

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gavin Shan <gwshan@linux.vnet.ibm.com>

commit caa58f808834fca9a4443233fd09df5ab639690d upstream.

In pnv_ioda_free_pe(), the PE object (including the associated PE
number) is cleared before resetting the corresponding bit in the
PE allocation bitmap. It means PE#0 is always released to the bitmap
wrongly.

This fixes the above issue by caching the PE number before the PE object
is cleared.

Fixes: 1e9167726c41 ("powerpc/powernv: Use PE instead of number during setup and release"
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/platforms/powernv/pci-ioda.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/powerpc/platforms/powernv/pci-ioda.c
+++ b/arch/powerpc/platforms/powernv/pci-ioda.c
@@ -156,11 +156,12 @@ static struct pnv_ioda_pe *pnv_ioda_allo
 static void pnv_ioda_free_pe(struct pnv_ioda_pe *pe)
 {
 	struct pnv_phb *phb = pe->phb;
+	unsigned int pe_num = pe->pe_number;
 
 	WARN_ON(pe->pdev);
 
 	memset(pe, 0, sizeof(struct pnv_ioda_pe));
-	clear_bit(pe->pe_number, phb->ioda.pe_alloc);
+	clear_bit(pe_num, phb->ioda.pe_alloc);
 }
 
 /* The default M64 BAR is shared by all PEs */
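Review bot: pe_num deserves a one-line comment saying it has to be read before the memset(), since that ordering is now the entire fix and nothing in pnv_ioda_free_pe() states it. Keeping memset() ahead of clear_bit() is the right order, because the PE is zeroed before its number becomes allocatable again; the comment would stop a later edit from moving the pe->pe_number read back below the memset().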


* [PATCH 4.7 041/184] kernfs: dont depend on d_find_any_alias() when generating notifications
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Evgeny Vereshchagin,
	John McCutchan, Robert Love, Eric Paris

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 upstream.

kernfs_notify_workfn() sends out file modified events for the
scheduled kernfs_nodes.  Because the modifications aren't from
userland, it doesn't have the matching file struct at hand and can't
use fsnotify_modify().  Instead, it looked up the inode and then used
d_find_any_alias() to find the dentry and used fsnotify_parent() and
fsnotify() directly to generate notifications.

The assumption was that the relevant dentries would have been pinned
if there are listeners, which isn't true as inotify doesn't pin
dentries at all and watching the parent doesn't pin the child dentries
even for dnotify.  This led to, for example, inotify watchers not
getting notifications if the system is under memory pressure and the
matching dentries got reclaimed.  It can also be triggered through
/proc/sys/vm/drop_caches or a remount attempt which involves shrinking
dcache.

fsnotify_parent() only uses the dentry to access the parent inode,
which kernfs can do easily.  Update kernfs_notify_workfn() so that it
uses fsnotify() directly for both the parent and target inodes without
going through d_find_any_alias().  While at it, supply the target file
name to fsnotify() from kernfs_node->name.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too")
Cc: John McCutchan <john@johnmccutchan.com>
Cc: Robert Love <rlove@rlove.org>
Cc: Eric Paris <eparis@parisplace.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/kernfs/file.c |   28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -840,21 +840,35 @@ repeat:
 	mutex_lock(&kernfs_mutex);
 
 	list_for_each_entry(info, &kernfs_root(kn)->supers, node) {
+		struct kernfs_node *parent;
 		struct inode *inode;
-		struct dentry *dentry;
 
+		/*
+		 * We want fsnotify_modify() on @kn but as the
+		 * modifications aren't originating from userland don't
+		 * have the matching @file available.  Look up the inodes
+		 * and generate the events manually.
+		 */
 		inode = ilookup(info->sb, kn->ino);
 		if (!inode)
 			continue;
 
-		dentry = d_find_any_alias(inode);
-		if (dentry) {
-			fsnotify_parent(NULL, dentry, FS_MODIFY);
-			fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
-				 NULL, 0);
-			dput(dentry);
+		parent = kernfs_get_parent(kn);
+		if (parent) {
+			struct inode *p_inode;
+
+			p_inode = ilookup(info->sb, parent->ino);
+			if (p_inode) {
+				fsnotify(p_inode, FS_MODIFY | FS_EVENT_ON_CHILD,
+					 inode, FSNOTIFY_EVENT_INODE, kn->name, 0);
+				iput(p_inode);
+			}
+
+			kernfs_put(parent);
 		}
 
+		fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
+			 kn->name, 0);
 		iput(inode);
 	}
 
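Review bot: the new block passes kn->name to fsnotify() for both the parent and the target inode, but the added comment does not say what keeps the name stable while the event is generated; if holding kernfs_mutex, taken just above the loop, is the guarantee, the comment should state it. The comment text also drops a word: "as the modifications aren't originating from userland don't have the matching @file available" reads as though "we" is missing before "don't".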


* [PATCH 4.7 042/184] pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 3dc147359e3dcdf0648f1e2c11f62cfae3160df0 upstream.

If the attempt to connect to a DS fails inside ff_layout_pg_init_read or
ff_layout_pg_init_write, then we currently end up clearing the layout
segment carried by the struct nfs_pageio_descriptor, causing an Oops
when we later call into ff_layout_read_pagelist/ff_layout_write_pagelist.

The fix is to ensure we return the layout and then retry.

Fixes: 446ca2195303 ("pNFS/flexfiles: When initing reads or writes, we...")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/flexfilelayout/flexfilelayout.c    |   37 ++++++++++++++----------------
 fs/nfs/flexfilelayout/flexfilelayoutdev.c |   19 ++++++++-------
 2 files changed, 28 insertions(+), 28 deletions(-)

--- a/fs/nfs/flexfilelayout/flexfilelayout.c
+++ b/fs/nfs/flexfilelayout/flexfilelayout.c
@@ -806,11 +806,14 @@ ff_layout_choose_best_ds_for_read(struct
 {
 	struct nfs4_ff_layout_segment *fls = FF_LAYOUT_LSEG(lseg);
 	struct nfs4_pnfs_ds *ds;
+	bool fail_return = false;
 	int idx;
 
 	/* mirrors are sorted by efficiency */
 	for (idx = start_idx; idx < fls->mirror_array_cnt; idx++) {
-		ds = nfs4_ff_layout_prepare_ds(lseg, idx, false);
+		if (idx+1 == fls->mirror_array_cnt)
+			fail_return = true;
+		ds = nfs4_ff_layout_prepare_ds(lseg, idx, fail_return);
 		if (ds) {
 			*best_idx = idx;
 			return ds;
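Review bot: fail_return in ff_layout_choose_best_ds_for_read() is only ever true on the final iteration, so the flag variable is not needed: the comparison can be passed straight to nfs4_ff_layout_prepare_ds() as its third argument. If the variable stays, "idx+1" should be written "idx + 1" to match kernel style.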
@@ -859,6 +862,7 @@ ff_layout_pg_init_read(struct nfs_pageio
 	struct nfs4_pnfs_ds *ds;
 	int ds_idx;
 
+retry:
 	/* Use full layout for now */
 	if (!pgio->pg_lseg)
 		ff_layout_pg_get_read(pgio, req, false);
@@ -871,10 +875,13 @@ ff_layout_pg_init_read(struct nfs_pageio
 
 	ds = ff_layout_choose_best_ds_for_read(pgio->pg_lseg, 0, &ds_idx);
 	if (!ds) {
-		if (ff_layout_no_fallback_to_mds(pgio->pg_lseg))
-			goto out_pnfs;
-		else
+		if (!ff_layout_no_fallback_to_mds(pgio->pg_lseg))
 			goto out_mds;
+		pnfs_put_lseg(pgio->pg_lseg);
+		pgio->pg_lseg = NULL;
+		/* Sleep for 1 second before retrying */
+		ssleep(1);
+		goto retry;
 	}
 
 	mirror = FF_LAYOUT_COMP(pgio->pg_lseg, ds_idx);
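Review bot: the "goto retry" added to the "!ds" branch has no bound and no exit: when ff_layout_no_fallback_to_mds() is true and the DS stays unreachable, ff_layout_pg_init_read() loops on ssleep(1), which sleeps uninterruptibly, so the task cannot be killed while it waits. A retry limit or a fatal-signal check before the sleep would keep a dead DS from hanging I/O indefinitely. The same loop is added to ff_layout_pg_init_write() further down and has the same problem.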
@@ -890,12 +897,6 @@ out_mds:
 	pnfs_put_lseg(pgio->pg_lseg);
 	pgio->pg_lseg = NULL;
 	nfs_pageio_reset_read_mds(pgio);
-	return;
-
-out_pnfs:
-	pnfs_set_lo_fail(pgio->pg_lseg);
-	pnfs_put_lseg(pgio->pg_lseg);
-	pgio->pg_lseg = NULL;
 }
 
 static void
@@ -909,6 +910,7 @@ ff_layout_pg_init_write(struct nfs_pagei
 	int i;
 	int status;
 
+retry:
 	if (!pgio->pg_lseg) {
 		pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode,
 						   req->wb_context,
@@ -940,10 +942,13 @@ ff_layout_pg_init_write(struct nfs_pagei
 	for (i = 0; i < pgio->pg_mirror_count; i++) {
 		ds = nfs4_ff_layout_prepare_ds(pgio->pg_lseg, i, true);
 		if (!ds) {
-			if (ff_layout_no_fallback_to_mds(pgio->pg_lseg))
-				goto out_pnfs;
-			else
+			if (!ff_layout_no_fallback_to_mds(pgio->pg_lseg))
 				goto out_mds;
+			pnfs_put_lseg(pgio->pg_lseg);
+			pgio->pg_lseg = NULL;
+			/* Sleep for 1 second before retrying */
+			ssleep(1);
+			goto retry;
 		}
 		pgm = &pgio->pg_mirrors[i];
 		mirror = FF_LAYOUT_COMP(pgio->pg_lseg, i);
@@ -956,12 +961,6 @@ out_mds:
 	pnfs_put_lseg(pgio->pg_lseg);
 	pgio->pg_lseg = NULL;
 	nfs_pageio_reset_write_mds(pgio);
-	return;
-
-out_pnfs:
-	pnfs_set_lo_fail(pgio->pg_lseg);
-	pnfs_put_lseg(pgio->pg_lseg);
-	pgio->pg_lseg = NULL;
 }
 
 static unsigned int
--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
@@ -379,7 +379,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
 
 	devid = &mirror->mirror_ds->id_node;
 	if (ff_layout_test_devid_unavailable(devid))
-		goto out;
+		goto out_fail;
 
 	ds = mirror->mirror_ds->ds;
 	/* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */
@@ -405,15 +405,16 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
 			mirror->mirror_ds->ds_versions[0].rsize = max_payload;
 		if (mirror->mirror_ds->ds_versions[0].wsize > max_payload)
 			mirror->mirror_ds->ds_versions[0].wsize = max_payload;
-	} else {
-		ff_layout_track_ds_error(FF_LAYOUT_FROM_HDR(lseg->pls_layout),
-					 mirror, lseg->pls_range.offset,
-					 lseg->pls_range.length, NFS4ERR_NXIO,
-					 OP_ILLEGAL, GFP_NOIO);
-		if (fail_return || !ff_layout_has_available_ds(lseg))
-			pnfs_error_mark_layout_for_return(ino, lseg);
-		ds = NULL;
+		goto out;
 	}
+	ff_layout_track_ds_error(FF_LAYOUT_FROM_HDR(lseg->pls_layout),
+				 mirror, lseg->pls_range.offset,
+				 lseg->pls_range.length, NFS4ERR_NXIO,
+				 OP_ILLEGAL, GFP_NOIO);
+out_fail:
+	if (fail_return || !ff_layout_has_available_ds(lseg))
+		pnfs_error_mark_layout_for_return(ino, lseg);
+	ds = NULL;
 out:
 	return ds;
 }
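Review bot: with the new out_fail label, the ff_layout_test_devid_unavailable() path from the previous hunk now reaches pnfs_error_mark_layout_for_return() but skips ff_layout_track_ds_error(), while the connect-failure path does both. If leaving the DS error unrecorded for an already-unavailable devid is intended, a comment at out_fail should say so; otherwise the label belongs above the ff_layout_track_ds_error() call.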


* [PATCH 4.7 043/184] pNFS: The client must not do I/O to the DS if its lease has expired
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit b88fa69eaa8649f11828158c7b65c4bcd886ebd5 upstream.

Ensure that the client conforms to the normative behaviour described in
RFC5661 Section 12.7.2: "If a client believes its lease has expired,
it MUST NOT send I/O to the storage device until it has validated its
lease."

So ensure that we wait for the lease to be validated before using
the layout.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/pnfs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1527,6 +1527,7 @@ pnfs_update_layout(struct inode *ino,
 	}
 
 lookup_again:
+	nfs4_client_recover_expired_lease(clp);
 	first = false;
 	spin_lock(&ino->i_lock);
 	lo = pnfs_find_alloc_layout(ino, ctx, gfp_flags);
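Review bot: the result of nfs4_client_recover_expired_lease(clp) at lookup_again is discarded, so if lease recovery can fail or be interrupted, pnfs_update_layout() goes on to pnfs_find_alloc_layout() with a lease that was never validated, which is the case the RFC5661 text quoted in the commit message forbids. If the function returns a status, it should be checked here and the lookup abandoned on error, so the code matches "wait for the lease to be validated".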


* [PATCH 4.7 044/184] NFSv4.1: Fix Oopsable condition in server callback races
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit e09c978aae5bedfdb379be80363b024b7d82638b upstream.

The slot table hasn't been an array since v3.7. Ensure that we
use nfs4_lookup_slot() to access the slot correctly.

Fixes: 87dda67e7386 ("NFSv4.1: Allow SEQUENCE to resize the slot table...")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/callback_proc.c |    5 +----
 fs/nfs/nfs4session.c   |   33 +++++++++++++++++++++++++++++++++
 fs/nfs/nfs4session.h   |    1 +
 3 files changed, 35 insertions(+), 4 deletions(-)

--- a/fs/nfs/callback_proc.c
+++ b/fs/nfs/callback_proc.c
@@ -430,11 +430,8 @@ static bool referring_call_exists(struct
 				((u32 *)&rclist->rcl_sessionid.data)[3],
 				ref->rc_sequenceid, ref->rc_slotid);
 
-			spin_lock(&tbl->slot_tbl_lock);
-			status = (test_bit(ref->rc_slotid, tbl->used_slots) &&
-				  tbl->slots[ref->rc_slotid].seq_nr ==
+			status = nfs4_slot_seqid_in_use(tbl, ref->rc_slotid,
 					ref->rc_sequenceid);
-			spin_unlock(&tbl->slot_tbl_lock);
 			if (status)
 				goto out;
 		}
--- a/fs/nfs/nfs4session.c
+++ b/fs/nfs/nfs4session.c
@@ -172,6 +172,39 @@ struct nfs4_slot *nfs4_lookup_slot(struc
 	return ERR_PTR(-E2BIG);
 }
 
+static int nfs4_slot_get_seqid(struct nfs4_slot_table  *tbl, u32 slotid,
+		u32 *seq_nr)
+	__must_hold(&tbl->slot_tbl_lock)
+{
+	struct nfs4_slot *slot;
+
+	slot = nfs4_lookup_slot(tbl, slotid);
+	if (IS_ERR(slot))
+		return PTR_ERR(slot);
+	*seq_nr = slot->seq_nr;
+	return 0;
+}
+
+/*
+ * nfs4_slot_seqid_in_use - test if a slot sequence id is still in use
+ *
+ * Given a slot table, slot id and sequence number, determine if the
+ * RPC call in question is still in flight. This function is mainly
+ * intended for use by the callback channel.
+ */
+bool nfs4_slot_seqid_in_use(struct nfs4_slot_table *tbl, u32 slotid, u32 seq_nr)
+{
+	u32 cur_seq;
+	bool ret = false;
+
+	spin_lock(&tbl->slot_tbl_lock);
+	if (nfs4_slot_get_seqid(tbl, slotid, &cur_seq) == 0 &&
+	    cur_seq == seq_nr && test_bit(slotid, tbl->used_slots))
+		ret = true;
+	spin_unlock(&tbl->slot_tbl_lock);
+	return ret;
+}
+
 /*
  * nfs4_alloc_slot - efficiently look for a free slot
  *
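Review bot: the order of the tests in nfs4_slot_seqid_in_use() is load-bearing and should be commented: nfs4_slot_get_seqid() goes through nfs4_lookup_slot(), which returns an error for a slot id it cannot find, and only after that succeeds is test_bit(slotid, tbl->used_slots) evaluated, so the bitmap is never indexed with an unchecked slot id taken from the callback. Reordering the condition to test the bit first would lose that. As a style point, both new prototypes have a double space in "struct nfs4_slot_table  *tbl", here and in nfs4session.h.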
--- a/fs/nfs/nfs4session.h
+++ b/fs/nfs/nfs4session.h
@@ -78,6 +78,7 @@ extern int nfs4_setup_slot_table(struct
 extern void nfs4_shutdown_slot_table(struct nfs4_slot_table *tbl);
 extern struct nfs4_slot *nfs4_alloc_slot(struct nfs4_slot_table *tbl);
 extern struct nfs4_slot *nfs4_lookup_slot(struct nfs4_slot_table *tbl, u32 slotid);
+extern bool nfs4_slot_seqid_in_use(struct nfs4_slot_table  *tbl, u32 slotid, u32 seq_nr);
 extern bool nfs4_try_to_lock_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot);
 extern void nfs4_free_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot);
 extern void nfs4_slot_tbl_drain_complete(struct nfs4_slot_table *tbl);


* [PATCH 4.7 045/184] NFSv4.x: Fix a refcount leak in nfs_callback_up_net
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 98b0f80c2396224bbbed81792b526e6c72ba9efa upstream.

On error, the callers expect us to return without bumping
nn->cb_users[].

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/callback.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -275,6 +275,7 @@ static int nfs_callback_up_net(int minor
 err_socks:
 	svc_rpcb_cleanup(serv, net);
 err_bind:
+	nn->cb_users[minorversion]--;
 	dprintk("NFS: Couldn't create callback socket: err = %d; "
 			"net = %p\n", ret, net);
 	return ret;
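Review bot: the new decrement sits under err_bind, so it runs for every path that falls through err_socks or jumps to err_bind, but the hunk does not show where nn->cb_users[minorversion] is incremented. If any "goto err_bind" can be taken before that increment, this line would underflow the counter instead of balancing it; that needs confirming against the part of nfs_callback_up_net() above the hunk.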


* [PATCH 4.7 046/184] nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeff Layton, Chuck Lever, J. Bruce Fields

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit 885848186fbc2d1d8fb6d2fdc2156638ae289a46 upstream.

nfsd4_release_lockowner finds a lock owner that has no lock state,
and drops cl_lock. Then release_lockowner picks up cl_lock and
unhashes the lock owner.

During the window where cl_lock is dropped, I don't see anything
preventing a concurrent nfsd4_lock from finding that same lock owner
and adding lock state to it.

Move release_lockowner() into nfsd4_release_lockowner and hang onto
the cl_lock until after the lock owner's state cannot be found
again.

Found by inspection, we don't currently have a reproducer.

Fixes: 2c41beb0e5cf ("nfsd: reduce cl_lock thrashing in ... ")
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfsd/nfs4state.c |   40 +++++++++++++++++-----------------------
 1 file changed, 17 insertions(+), 23 deletions(-)

--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1200,27 +1200,6 @@ free_ol_stateid_reaplist(struct list_hea
 	}
 }
 
-static void release_lockowner(struct nfs4_lockowner *lo)
-{
-	struct nfs4_client *clp = lo->lo_owner.so_client;
-	struct nfs4_ol_stateid *stp;
-	struct list_head reaplist;
-
-	INIT_LIST_HEAD(&reaplist);
-
-	spin_lock(&clp->cl_lock);
-	unhash_lockowner_locked(lo);
-	while (!list_empty(&lo->lo_owner.so_stateids)) {
-		stp = list_first_entry(&lo->lo_owner.so_stateids,
-				struct nfs4_ol_stateid, st_perstateowner);
-		WARN_ON(!unhash_lock_stateid(stp));
-		put_ol_stateid_locked(stp, &reaplist);
-	}
-	spin_unlock(&clp->cl_lock);
-	free_ol_stateid_reaplist(&reaplist);
-	nfs4_put_stateowner(&lo->lo_owner);
-}
-
 static void release_open_stateid_locks(struct nfs4_ol_stateid *open_stp,
 				       struct list_head *reaplist)
 {
@@ -5976,6 +5955,7 @@ nfsd4_release_lockowner(struct svc_rqst
 	__be32 status;
 	struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
 	struct nfs4_client *clp;
+	LIST_HEAD (reaplist);
 
 	dprintk("nfsd4_release_lockowner clientid: (%08x/%08x):\n",
 		clid->cl_boot, clid->cl_id);
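Review bot: style nit on the added declaration: `LIST_HEAD (reaplist);` puts a space between the macro name and the opening parenthesis, unlike every other call in the surrounding context (for example `net_generic(SVC_NET(rqstp), nfsd_net_id)`). Suggest `LIST_HEAD(reaplist);`.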
@@ -6006,9 +5986,23 @@ nfsd4_release_lockowner(struct svc_rqst
 		nfs4_get_stateowner(sop);
 		break;
 	}
+	if (!lo) {
+		spin_unlock(&clp->cl_lock);
+		return status;
+	}
+
+	unhash_lockowner_locked(lo);
+	while (!list_empty(&lo->lo_owner.so_stateids)) {
+		stp = list_first_entry(&lo->lo_owner.so_stateids,
+				       struct nfs4_ol_stateid,
+				       st_perstateowner);
+		WARN_ON(!unhash_lock_stateid(stp));
+		put_ol_stateid_locked(stp, &reaplist);
+	}
 	spin_unlock(&clp->cl_lock);
-	if (lo)
-		release_lockowner(lo);
+	free_ol_stateid_reaplist(&reaplist);
+	nfs4_put_stateowner(&lo->lo_owner);
+
 	return status;
 }
 
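Review bot: the block added after the lookup loop has no comment stating the locking rule the fix depends on, namely that cl_lock must stay held from the lookup until `unhash_lockowner_locked(lo)` has run. The changelog explains it, but a one-line comment above `unhash_lockowner_locked(lo);` would keep a later cleanup from reintroducing the unlock/relock window. The new `if (!lo)` branch also duplicates the `spin_unlock(&clp->cl_lock); return status;` exit; a single exit label would keep the unlock in one place. `free_ol_stateid_reaplist(&reaplist)` and `nfs4_put_stateowner()` stay outside the spinlock, as they did in the removed helper, which looks right.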

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 047/184] pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (43 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 046/184] nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 048/184] NFSv4.1: Fix the CREATE_SESSION slot number accounting Greg Kroah-Hartman
                     ` (132 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit bf0291dd2267a2b9a4cd74d65249553d11bb45d6 upstream.

According to RFC5661, the client is responsible for serialising
LAYOUTGET and LAYOUTRETURN to avoid ambiguity. Consider the case
where we send both in parallel.

Client					Server
======					======
LAYOUTGET(seqid=X)
LAYOUTRETURN(seqid=X)
					LAYOUTGET return seqid=X+1
					LAYOUTRETURN return seqid=X+2
Process LAYOUTRETURN
          Forget layout stateid
Process LAYOUTGET
          Set seqid=X+1

The client processes the layoutget/layoutreturn in the wrong order,
and since the result of the layoutreturn was to clear the only
existing layout segment, the client forgets the layout stateid.

When the LAYOUTGET comes in, it is treated as having a completely
new stateid, and so the client sets the wrong sequence id...

Fix is to check if there are outstanding LAYOUTGET requests
before we send the LAYOUTRETURN (note that LAYOUTGET will already
wait if it sees an outstanding LAYOUTRETURN).

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/pnfs.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -876,6 +876,9 @@ void pnfs_clear_layoutreturn_waitbit(str
 static bool
 pnfs_prepare_layoutreturn(struct pnfs_layout_hdr *lo)
 {
+	/* Serialise LAYOUTGET/LAYOUTRETURN */
+	if (atomic_read(&lo->plh_outstanding) != 0)
+		return false;
 	if (test_and_set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags))
 		return false;
 	lo->plh_return_iomode = 0;
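Review bot: the new `atomic_read(&lo->plh_outstanding)` test and the following `test_and_set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)` are two separate steps, so the serialisation only holds if nothing can raise plh_outstanding between them. The visible lines do not show which lock callers of pnfs_prepare_layoutreturn() hold; please state that requirement in the comment so the check is not later called unlocked. It would also help to say what happens to the LAYOUTRETURN when this returns false because a LAYOUTGET is outstanding: is it retried once the LAYOUTGET completes, or dropped?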

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 048/184] NFSv4.1: Fix the CREATE_SESSION slot number accounting
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (44 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 047/184] pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 049/184] kexec: fix double-free when failing to relocate the purgatory Greg Kroah-Hartman
                     ` (131 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit b519d408ea32040b1c7e10b155a3ee9a36660947 upstream.

Ensure that we conform to the algorithm described in RFC5661, section
18.36.4 for when to bump the sequence id. In essence we do it for all
cases except when the RPC call timed out, or in case of the server returning
NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4proc.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -7509,12 +7509,20 @@ static int _nfs4_proc_create_session(str
 	status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);
 	trace_nfs4_create_session(clp, status);
 
+	switch (status) {
+	case -NFS4ERR_STALE_CLIENTID:
+	case -NFS4ERR_DELAY:
+	case -ETIMEDOUT:
+	case -EACCES:
+	case -EAGAIN:
+		goto out;
+	};
+
+	clp->cl_seqid++;
 	if (!status) {
 		/* Verify the session's negotiated channel_attrs values */
 		status = nfs4_verify_channel_attrs(&args, &res);
 		/* Increment the clientid slot sequence id */
-		if (clp->cl_seqid == res.seqid)
-			clp->cl_seqid++;
 		if (status)
 			goto out;
 		nfs4_update_session(session, &res);
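Review bot: the skip list in the new switch is wider than the changelog: the text names a timed-out call, NFS4ERR_DELAY and NFS4ERR_STALE_CLIENTID, but the code also leaves cl_seqid untouched for `-EACCES` and `-EAGAIN`. Please explain those two cases in the changelog or in a comment above the switch. Two smaller points: the switch is closed with `};`, where the trailing semicolon is an empty statement and should go, and the comment `/* Increment the clientid slot sequence id */` is left behind inside `if (!status)` although the increment itself moved above that block.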

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 049/184] kexec: fix double-free when failing to relocate the purgatory
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (45 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 048/184] NFSv4.1: Fix the CREATE_SESSION slot number accounting Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 050/184] mm, oom: prevent premature OOM killer invocation for high order request Greg Kroah-Hartman
                     ` (130 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thiago Jung Bauermann, Baoquan He,
	Eric W. Biederman, Vivek Goyal, Dave Young, Andrew Morton,
	Linus Torvalds

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>

commit 070c43eea5043e950daa423707ae3c77e2f48edb upstream.

If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs
and pi->purgatory_buf.  This is redundant, because in case of error
kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which
will also free those buffers.

This causes two warnings like the following, one for pi->sechdrs and the
other for pi->purgatory_buf:

  kexec-bzImage64: Loading purgatory failed
  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0
  Trying to vfree() nonexistent vm area (ffffc90000e91000)
  Modules linked in:
  CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
    dump_stack+0x4d/0x65
    __warn+0xcb/0xf0
    warn_slowpath_fmt+0x4f/0x60
    ? find_vmap_area+0x19/0x70
    ? kimage_file_post_load_cleanup+0x47/0xb0
    __vunmap+0xc1/0xd0
    vfree+0x2e/0x70
    kimage_file_post_load_cleanup+0x5e/0xb0
    SyS_kexec_file_load+0x448/0x680
    ? putname+0x54/0x60
    ? do_sys_open+0x190/0x1f0
    entry_SYSCALL_64_fastpath+0x13/0x8f
  ---[ end trace 158bb74f5950ca2b ]---

Fix by setting pi->sechdrs and pi->purgatory_buf to NULL, since vfree
won't try to free a NULL pointer.

Link: http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauerman@linux.vnet.ibm.com
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/kexec_file.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -887,7 +887,10 @@ int kexec_load_purgatory(struct kimage *
 	return 0;
 out:
 	vfree(pi->sechdrs);
+	pi->sechdrs = NULL;
+
 	vfree(pi->purgatory_buf);
+	pi->purgatory_buf = NULL;
 	return ret;
 }
 
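Review bot: the two added NULL assignments at `out:` have no comment explaining why they are needed; read in isolation, clearing fields right before `return ret` looks redundant and is likely to be removed by a later cleanup. A short comment saying that the caller's error path frees pi->sechdrs and pi->purgatory_buf again would protect them. Alternatively, if that cleanup always runs on failure as the changelog describes, the two `vfree()` calls here could be dropped instead so the buffers are freed in one place only.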

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 050/184] mm, oom: prevent premature OOM killer invocation for high order request
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (46 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 049/184] kexec: fix double-free when failing to relocate the purgatory Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 051/184] mm, mempolicy: task->mempolicy must be NULL before dropping final reference Greg Kroah-Hartman
                     ` (129 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Hocko, Olaf Hering,
	Ralf-Peter Rohbeck, Markus Trippelsdorf, Arkadiusz Miskiewicz,
	Jiri Slaby, Vlastimil Babka, Joonsoo Kim, Tetsuo Handa,
	David Rientjes, Andrew Morton, Linus Torvalds

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mhocko@suse.com>

commit 6b4e3181d7bd5ca5ab6f45929e4a5ffa7ab4ab7f upstream.

There have been several reports about premature OOM killer invocation
in 4.7 kernel when order-2 allocation request (for the kernel stack)
invoked OOM killer even during basic workloads (light IO or even kernel
compile on some filesystems).  In all reported cases the memory is
fragmented and there are no order-2+ pages available.  There is usually
a large amount of slab memory (usually dentries/inodes) and further
debugging has shown that there are way too many unmovable blocks which
are skipped during the compaction.  Multiple reporters have confirmed
that the current linux-next which includes [1] and [2] helped and OOMs
are not reproducible anymore.

A simpler fix for the late rc and stable is to simply ignore the
compaction feedback and retry as long as there is a reclaim progress and
we are not getting OOM for order-0 pages.  We already do that for
CONFIG_COMPACTION=n so let's reuse the same code when compaction is
enabled as well.

[1] http://lkml.kernel.org/r/20160810091226.6709-1-vbabka@suse.cz
[2] http://lkml.kernel.org/r/f7a9ea9d-bb88-bfd6-e340-3a933559305a@suse.cz

Fixes: 0a0337e0d1d1 ("mm, oom: rework oom detection")
Link: http://lkml.kernel.org/r/20160823074339.GB23577@dhcp22.suse.cz
Signed-off-by: Michal Hocko <mhocko@suse.com>
Tested-by: Olaf Hering <olaf@aepfle.de>
Tested-by: Ralf-Peter Rohbeck <Ralf-Peter.Rohbeck@quantum.com>
Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Arkadiusz Miskiewicz <a.miskiewicz@gmail.com>
Cc: Ralf-Peter Rohbeck <Ralf-Peter.Rohbeck@quantum.com>
Cc: Jiri Slaby <jslaby@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Joonsoo Kim <js1304@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/page_alloc.c |   50 ++------------------------------------------------
 1 file changed, 2 insertions(+), 48 deletions(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -3254,53 +3254,6 @@ __alloc_pages_direct_compact(gfp_t gfp_m
 	return NULL;
 }
 
-static inline bool
-should_compact_retry(struct alloc_context *ac, int order, int alloc_flags,
-		     enum compact_result compact_result, enum migrate_mode *migrate_mode,
-		     int compaction_retries)
-{
-	int max_retries = MAX_COMPACT_RETRIES;
-
-	if (!order)
-		return false;
-
-	/*
-	 * compaction considers all the zone as desperately out of memory
-	 * so it doesn't really make much sense to retry except when the
-	 * failure could be caused by weak migration mode.
-	 */
-	if (compaction_failed(compact_result)) {
-		if (*migrate_mode == MIGRATE_ASYNC) {
-			*migrate_mode = MIGRATE_SYNC_LIGHT;
-			return true;
-		}
-		return false;
-	}
-
-	/*
-	 * make sure the compaction wasn't deferred or didn't bail out early
-	 * due to locks contention before we declare that we should give up.
-	 * But do not retry if the given zonelist is not suitable for
-	 * compaction.
-	 */
-	if (compaction_withdrawn(compact_result))
-		return compaction_zonelist_suitable(ac, order, alloc_flags);
-
-	/*
-	 * !costly requests are much more important than __GFP_REPEAT
-	 * costly ones because they are de facto nofail and invoke OOM
-	 * killer to move on while costly can fail and users are ready
-	 * to cope with that. 1/4 retries is rather arbitrary but we
-	 * would need much more detailed feedback from compaction to
-	 * make a better decision.
-	 */
-	if (order > PAGE_ALLOC_COSTLY_ORDER)
-		max_retries /= 4;
-	if (compaction_retries <= max_retries)
-		return true;
-
-	return false;
-}
 #else
 static inline struct page *
 __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
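Review bot: the removed function capped retries for costly orders (`if (order > PAGE_ALLOC_COSTLY_ORDER) max_retries /= 4;`), and the changelog says the replacement retries as long as reclaim makes progress. Please state in the changelog whether requests above PAGE_ALLOC_COSTLY_ORDER are still bounded by the version that remains, since its body is mostly outside this diff. The removal also drops the only uses visible here of `MAX_COMPACT_RETRIES`, `compaction_failed()`, `compaction_withdrawn()` and `compaction_zonelist_suitable()`; worth checking whether they still have callers or are now dead code.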
@@ -3311,6 +3264,8 @@ __alloc_pages_direct_compact(gfp_t gfp_m
 	return NULL;
 }
 
+#endif /* CONFIG_COMPACTION */
+
 static inline bool
 should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_flags,
 		     enum compact_result compact_result,
@@ -3337,7 +3292,6 @@ should_compact_retry(struct alloc_contex
 	}
 	return false;
 }
-#endif /* CONFIG_COMPACTION */
 
 /* Perform direct synchronous page reclaim */
 static int

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 051/184] mm, mempolicy: task->mempolicy must be NULL before dropping final reference
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (47 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 050/184] mm, oom: prevent premature OOM killer invocation for high order request Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 052/184] ahci: disable correct irq for dummy ports Greg Kroah-Hartman
                     ` (128 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Rientjes, Vegard Nossum,
	Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov,
	Andrew Morton, Linus Torvalds

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Rientjes <rientjes@google.com>

commit c11600e4fed67ae4cd6a8096936afd445410e8ed upstream.

KASAN allocates memory from the page allocator as part of
kmem_cache_free(), and that can reference current->mempolicy through any
number of allocation functions.  It needs to be NULL'd out before the
final reference is dropped to prevent a use-after-free bug:

	BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c
	CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140
	...
	Call Trace:
		dump_stack
		kasan_object_err
		kasan_report_error
		__asan_report_load2_noabort
		alloc_pages_current	<-- use after free
		depot_save_stack
		save_stack
		kasan_slab_free
		kmem_cache_free
		__mpol_put		<-- free
		do_exit

This patch sets current->mempolicy to NULL before dropping the final
reference.

Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com
Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
Signed-off-by: David Rientjes <rientjes@google.com>
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/mempolicy.h |    4 ++++
 kernel/exit.c             |    7 +------
 mm/mempolicy.c            |   17 +++++++++++++++++
 3 files changed, 22 insertions(+), 6 deletions(-)

--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -195,6 +195,7 @@ static inline bool vma_migratable(struct
 }
 
 extern int mpol_misplaced(struct page *, struct vm_area_struct *, unsigned long);
+extern void mpol_put_task_policy(struct task_struct *);
 
 #else
 
@@ -297,5 +298,8 @@ static inline int mpol_misplaced(struct
 	return -1; /* no node preference */
 }
 
+static inline void mpol_put_task_policy(struct task_struct *task)
+{
+}
 #endif /* CONFIG_NUMA */
 #endif
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -768,12 +768,7 @@ void do_exit(long code)
 	TASKS_RCU(preempt_enable());
 	exit_notify(tsk, group_dead);
 	proc_exit_connector(tsk);
-#ifdef CONFIG_NUMA
-	task_lock(tsk);
-	mpol_put(tsk->mempolicy);
-	tsk->mempolicy = NULL;
-	task_unlock(tsk);
-#endif
+	mpol_put_task_policy(tsk);
 #ifdef CONFIG_FUTEX
 	if (unlikely(current->pi_state_cache))
 		kfree(current->pi_state_cache);
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2334,6 +2334,23 @@ out:
 	return ret;
 }
 
+/*
+ * Drop the (possibly final) reference to task->mempolicy.  It needs to be
+ * dropped after task->mempolicy is set to NULL so that any allocation done as
+ * part of its kmem_cache_free(), such as by KASAN, doesn't reference a freed
+ * policy.
+ */
+void mpol_put_task_policy(struct task_struct *task)
+{
+	struct mempolicy *pol;
+
+	task_lock(task);
+	pol = task->mempolicy;
+	task->mempolicy = NULL;
+	task_unlock(task);
+	mpol_put(pol);
+}
+
 static void sp_delete(struct shared_policy *sp, struct sp_node *n)
 {
 	pr_debug("deleting %lx-l%lx\n", n->start, n->end);
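Review bot: besides moving the NULL store ahead of the put, the new helper calls `mpol_put(pol)` after `task_unlock(task)`, whereas the lines removed from do_exit() called `mpol_put(tsk->mempolicy)` with the task lock held. The changelog only mentions the ordering of the NULL store; please mention the locking change as well. The comment could also say that `pol` may be NULL at the `mpol_put(pol)` call, since the removed code passed tsk->mempolicy unconditionally and the helper keeps relying on that.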

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 052/184] ahci: disable correct irq for dummy ports
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (48 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 051/184] mm, mempolicy: task->mempolicy must be NULL before dropping final reference Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 053/184] rapidio/tsi721: fix incorrect detection of address translation condition Greg Kroah-Hartman
                     ` (127 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Tejun Heo

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <hch@lst.de>

commit 9b4b3f6a062b22550e62523efe5213776cdd426b upstream.

irq already contains the interrupt number for the port, don't add the
port index to it.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: d684a90d38e2 ("ahci: per-port msix support")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/ata/libahci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/ata/libahci.c
+++ b/drivers/ata/libahci.c
@@ -2516,7 +2516,7 @@ static int ahci_host_activate_multi_irqs
 
 		/* Do not receive interrupts sent by dummy ports */
 		if (!pp) {
-			disable_irq(irq + i);
+			disable_irq(irq);
 			continue;
 		}
 

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 053/184] rapidio/tsi721: fix incorrect detection of address translation condition
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (49 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 052/184] ahci: disable correct irq for dummy ports Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 054/184] mm: introduce get_task_exe_file Greg Kroah-Hartman
                     ` (126 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandre Bounine, Matt Porter,
	Andre van Herk, Barry Wood, Andrew Morton, Linus Torvalds

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandre Bounine <alexandre.bounine@idt.com>

commit b30069291dc7f9b9a073c33d619818fe4a8e50de upstream.

Fix incorrect condition to identify involvement of an address translation
mechanism.

This bug results in NULL pointer kernel crash dump in cases when mapping
of inbound RapidIO address range is requested within existing aperture.

Link: http://lkml.kernel.org/r/20160901173144.2983-1-alexandre.bounine@idt.com
Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Andre van Herk <andre.van.herk@prodrive-technologies.com>
Cc: Barry Wood <barry.wood@idt.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/rapidio/devices/tsi721.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/rapidio/devices/tsi721.c
+++ b/drivers/rapidio/devices/tsi721.c
@@ -1148,7 +1148,7 @@ static int tsi721_rio_map_inb_mem(struct
 		} else if (ibw_start < (ib_win->rstart + ib_win->size) &&
 			   (ibw_start + ibw_size) > ib_win->rstart) {
 			/* Return error if address translation involved */
-			if (direct && ib_win->xlat) {
+			if (!direct || ib_win->xlat) {
 				ret = -EFAULT;
 				break;
 			}
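Review bot: the comment above the changed test still reads `/* Return error if address translation involved */`, which covers `ib_win->xlat` but not the new `!direct` term. Since the whole fix is the change from `direct && ib_win->xlat` to `!direct || ib_win->xlat`, please say in the comment what `!direct` represents and why either condition alone must fail the mapping with -EFAULT. The changelog would also benefit from naming where the NULL pointer dereference occurred.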

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 054/184] mm: introduce get_task_exe_file
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (50 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 053/184] rapidio/tsi721: fix incorrect detection of address translation condition Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 055/184] audit: fix exe_file access in audit_exe_compare Greg Kroah-Hartman
                     ` (125 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mateusz Guzik, Konstantin Khlebnikov,
	Richard Guy Briggs, Paul Moore

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mateusz Guzik <mguzik@redhat.com>

commit cd81a9170e69e018bbaba547c1fd85a585f5697a upstream.

For more convenient access if one has a pointer to the task.

As a minor nit take advantage of the fact that only task lock + rcu are
needed to safely grab ->exe_file. This saves mm refcount dance.

Use the helper in proc_exe_link.

Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/base.c     |    7 +------
 include/linux/mm.h |    1 +
 kernel/fork.c      |   23 +++++++++++++++++++++++
 3 files changed, 25 insertions(+), 6 deletions(-)

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1552,18 +1552,13 @@ static const struct file_operations proc
 static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
 {
 	struct task_struct *task;
-	struct mm_struct *mm;
 	struct file *exe_file;
 
 	task = get_proc_task(d_inode(dentry));
 	if (!task)
 		return -ENOENT;
-	mm = get_task_mm(task);
+	exe_file = get_task_exe_file(task);
 	put_task_struct(task);
-	if (!mm)
-		return -ENOENT;
-	exe_file = get_mm_exe_file(mm);
-	mmput(mm);
 	if (exe_file) {
 		*exe_path = exe_file->f_path;
 		path_get(&exe_file->f_path);
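Review bot: the removed lines returned -ENOENT explicitly when the task had no mm; after this change that case is folded into `exe_file == NULL`, and the result depends on the branch that follows `if (exe_file) {`, which is outside the visible context. Please confirm that path still returns -ENOENT so the proc exe link behaves the same for tasks without an mm.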
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1975,6 +1975,7 @@ extern void mm_drop_all_locks(struct mm_
 
 extern void set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file);
 extern struct file *get_mm_exe_file(struct mm_struct *mm);
+extern struct file *get_task_exe_file(struct task_struct *task);
 
 extern bool may_expand_vm(struct mm_struct *, vm_flags_t, unsigned long npages);
 extern void vm_stat_account(struct mm_struct *, vm_flags_t, long npages);
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -801,6 +801,29 @@ struct file *get_mm_exe_file(struct mm_s
 EXPORT_SYMBOL(get_mm_exe_file);
 
 /**
+ * get_task_exe_file - acquire a reference to the task's executable file
+ *
+ * Returns %NULL if task's mm (if any) has no associated executable file or
+ * this is a kernel thread with borrowed mm (see the comment above get_task_mm).
+ * User must release file via fput().
+ */
+struct file *get_task_exe_file(struct task_struct *task)
+{
+	struct file *exe_file = NULL;
+	struct mm_struct *mm;
+
+	task_lock(task);
+	mm = task->mm;
+	if (mm) {
+		if (!(task->flags & PF_KTHREAD))
+			exe_file = get_mm_exe_file(mm);
+	}
+	task_unlock(task);
+	return exe_file;
+}
+EXPORT_SYMBOL(get_task_exe_file);
+
+/**
  * get_task_mm - acquire a reference to the task's mm
  *
  * Returns %NULL if the task has no mm.  Checks PF_KTHREAD (meaning
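Review bot: the kernel-doc block for get_task_exe_file() has no `@task:` line, so the parameter is undocumented. The changelog says task lock plus RCU are needed to grab ->exe_file, but only `task_lock()` appears in the function; a sentence noting where the RCU part happens would help readers. The nested test can also be flattened to `if (mm && !(task->flags & PF_KTHREAD))`.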

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 055/184] audit: fix exe_file access in audit_exe_compare
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (51 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 054/184] mm: introduce get_task_exe_file Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 056/184] dm flakey: fix reads to be issued if drop_writes configured Greg Kroah-Hartman
                     ` (124 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mateusz Guzik, Konstantin Khlebnikov,
	Richard Guy Briggs, Paul Moore

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mateusz Guzik <mguzik@redhat.com>

commit 5efc244346f9f338765da3d592f7947b0afdc4b5 upstream.

Prior to the change the function would blindly dereference mm, exe_file
and exe_file->f_inode, each of which could have been NULL or freed.

Use get_task_exe_file to safely obtain stable exe_file.

Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/audit_watch.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -19,6 +19,7 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 
+#include <linux/file.h>
 #include <linux/kernel.h>
 #include <linux/audit.h>
 #include <linux/kthread.h>
@@ -544,10 +545,11 @@ int audit_exe_compare(struct task_struct
 	unsigned long ino;
 	dev_t dev;
 
-	rcu_read_lock();
-	exe_file = rcu_dereference(tsk->mm->exe_file);
+	exe_file = get_task_exe_file(tsk);
+	if (!exe_file)
+		return 0;
 	ino = exe_file->f_inode->i_ino;
 	dev = exe_file->f_inode->i_sb->s_dev;
-	rcu_read_unlock();
+	fput(exe_file);
 	return audit_mark_compare(mark, ino, dev);
 }
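Review bot: the changelog lists `exe_file->f_inode` among the pointers that could be NULL or freed, yet the new code still reads `exe_file->f_inode->i_ino` and `exe_file->f_inode->i_sb->s_dev` without a check. If holding the file reference returned by get_task_exe_file() is what makes these reads safe, say so in a comment. Returning 0 when there is no exe_file is a policy choice for an audit rule comparison and deserves a comment as well.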

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 056/184] dm flakey: fix reads to be issued if drop_writes configured
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (52 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 055/184] audit: fix exe_file access in audit_exe_compare Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 057/184] IB/hfi1,IB/qib: Fix qp_stats sleep with rcu read lock held Greg Kroah-Hartman
                     ` (123 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Mike Snitzer

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <snitzer@redhat.com>

commit 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc upstream.

v4.8-rc3 commit 99f3c90d0d ("dm flakey: error READ bios during the
down_interval") overlooked the 'drop_writes' feature, which is meant to
allow reads to be issued rather than errored, during the down_interval.

Fixes: 99f3c90d0d ("dm flakey: error READ bios during the down_interval")
Reported-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-flakey.c |   27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -289,15 +289,13 @@ static int flakey_map(struct dm_target *
 		pb->bio_submitted = true;
 
 		/*
-		 * Map reads as normal only if corrupt_bio_byte set.
+		 * Error reads if neither corrupt_bio_byte or drop_writes are set.
+		 * Otherwise, flakey_end_io() will decide if the reads should be modified.
 		 */
 		if (bio_data_dir(bio) == READ) {
-			/* If flags were specified, only corrupt those that match. */
-			if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
-			    all_corrupt_bio_flags_match(bio, fc))
-				goto map_bio;
-			else
+			if (!fc->corrupt_bio_byte && !test_bit(DROP_WRITES, &fc->flags))
 				return -EIO;
+			goto map_bio;
 		}
 
 		/*
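Review bot: with the new test, flakey_map() maps every READ whenever `corrupt_bio_byte` is non-zero, including configurations where `corrupt_bio_rw` is not READ and drop_writes is off. The second hunk then fails those reads with -EIO in flakey_end_io(), after they have been issued to the underlying device, where the removed code rejected them before submission. If that is intended, note it in the comment; otherwise include `fc->corrupt_bio_rw == READ` in the test here. Minor: the new comment should read "neither corrupt_bio_byte nor drop_writes".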
@@ -334,14 +332,21 @@ static int flakey_end_io(struct dm_targe
 	struct flakey_c *fc = ti->private;
 	struct per_bio_data *pb = dm_per_bio_data(bio, sizeof(struct per_bio_data));
 
-	/*
-	 * Corrupt successful READs while in down state.
-	 */
 	if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
-		if (fc->corrupt_bio_byte)
+		if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
+		    all_corrupt_bio_flags_match(bio, fc)) {
+			/*
+			 * Corrupt successful matching READs while in down state.
+			 */
 			corrupt_bio_data(bio, fc);
-		else
+
+		} else if (!test_bit(DROP_WRITES, &fc->flags)) {
+			/*
+			 * Error read during the down_interval if drop_writes
+			 * wasn't configured.
+			 */
 			return -EIO;
+		}
 	}
 
 	return error;

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 057/184] IB/hfi1,IB/qib: Fix qp_stats sleep with rcu read lock held
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (53 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 056/184] dm flakey: fix reads to be issued if drop_writes configured Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 058/184] IB/uverbs: Fix race between uverbs_close and remove_one Greg Kroah-Hartman
                     ` (122 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ira Weiny, Mike Marciniszyn,
	Leon Romanovsky, Doug Ledford

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Marciniszyn <mike.marciniszyn@intel.com>

commit c62fb260a86dde3df5b2905432caa0e9f6898434 upstream.

The qp init function does a kzalloc() while holding the RCU
lock that encounters the following warning with a debug kernel
when a cat of the qp_stats is done:

[  231.723948] rcu_scheduler_active = 1, debug_locks = 0
[  231.731939] 3 locks held by cat/11355:
[  231.736492]  #0:  (debugfs_srcu){......}, at: [<ffffffff813001a5>] debugfs_use_file_start+0x5/0x90
[  231.746955]  #1:  (&p->lock){+.+.+.}, at: [<ffffffff81289a6c>] seq_read+0x4c/0x3c0
[  231.755873]  #2:  (rcu_read_lock){......}, at: [<ffffffffa0a0c535>] _qp_stats_seq_start+0x5/0xd0 [hfi1]
[  231.766862]

The init functions do an implicit next which requires the rcu read lock
before the kzalloc().

Fix for both drivers is to change the scope of the init function to only
do the allocation and the initialization of the just allocated iter.

The implicit next is moved back into the respective start functions to fix
the issue.

Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/debugfs.c    |   14 +++++++++-----
 drivers/infiniband/hw/hfi1/qp.c         |    4 ----
 drivers/infiniband/hw/qib/qib_debugfs.c |   12 +++++++++---
 drivers/infiniband/hw/qib/qib_qp.c      |    4 ----
 4 files changed, 18 insertions(+), 16 deletions(-)

--- a/drivers/infiniband/hw/hfi1/debugfs.c
+++ b/drivers/infiniband/hw/hfi1/debugfs.c
@@ -223,28 +223,32 @@ DEBUGFS_SEQ_FILE_OPEN(ctx_stats)
 DEBUGFS_FILE_OPS(ctx_stats);
 
 static void *_qp_stats_seq_start(struct seq_file *s, loff_t *pos)
-__acquires(RCU)
+	__acquires(RCU)
 {
 	struct qp_iter *iter;
 	loff_t n = *pos;
 
-	rcu_read_lock();
 	iter = qp_iter_init(s->private);
+
+	/* stop calls rcu_read_unlock */
+	rcu_read_lock();
+
 	if (!iter)
 		return NULL;
 
-	while (n--) {
+	do {
 		if (qp_iter_next(iter)) {
 			kfree(iter);
 			return NULL;
 		}
-	}
+	} while (n--);
 
 	return iter;
 }
 
 static void *_qp_stats_seq_next(struct seq_file *s, void *iter_ptr,
 				loff_t *pos)
+	__must_hold(RCU)
 {
 	struct qp_iter *iter = iter_ptr;
 
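
Review bot: In _qp_stats_seq_start(), rcu_read_lock() is now taken
before the "if (!iter)" check, so both NULL returns (allocation failure
and qp_iter_next() failure) leave the function with the RCU read lock
held. The only hint is "stop calls rcu_read_unlock"; please expand that
comment to state that the lock is taken unconditionally because
_qp_stats_seq_stop() unlocks unconditionally, including after start
returns NULL. It is also worth a word on why "while (n--)" became
"do { } while (n--)": the extra first iteration replaces the
qp_iter_next() call removed from qp_iter_init().
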
@@ -259,7 +263,7 @@ static void *_qp_stats_seq_next(struct s
 }
 
 static void _qp_stats_seq_stop(struct seq_file *s, void *iter_ptr)
-__releases(RCU)
+	__releases(RCU)
 {
 	rcu_read_unlock();
 }
--- a/drivers/infiniband/hw/hfi1/qp.c
+++ b/drivers/infiniband/hw/hfi1/qp.c
@@ -595,10 +595,6 @@ struct qp_iter *qp_iter_init(struct hfi1
 
 	iter->dev = dev;
 	iter->specials = dev->rdi.ibdev.phys_port_cnt * 2;
-	if (qp_iter_next(iter)) {
-		kfree(iter);
-		return NULL;
-	}
 
 	return iter;
 }
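
Review bot: With the qp_iter_next() call removed, qp_iter_init() returns
an iterator that is not yet positioned on a QP, and only the debugfs
caller is adjusted in this patch. Please confirm no other caller relied
on the implicit first step, and add a comment on qp_iter_init() saying
the caller must call qp_iter_next() under rcu_read_lock() before using
the iterator.
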
--- a/drivers/infiniband/hw/qib/qib_debugfs.c
+++ b/drivers/infiniband/hw/qib/qib_debugfs.c
@@ -189,27 +189,32 @@ static int _ctx_stats_seq_show(struct se
 DEBUGFS_FILE(ctx_stats)
 
 static void *_qp_stats_seq_start(struct seq_file *s, loff_t *pos)
+	__acquires(RCU)
 {
 	struct qib_qp_iter *iter;
 	loff_t n = *pos;
 
-	rcu_read_lock();
 	iter = qib_qp_iter_init(s->private);
+
+	/* stop calls rcu_read_unlock */
+	rcu_read_lock();
+
 	if (!iter)
 		return NULL;
 
-	while (n--) {
+	do {
 		if (qib_qp_iter_next(iter)) {
 			kfree(iter);
 			return NULL;
 		}
-	}
+	} while (n--);
 
 	return iter;
 }
 
 static void *_qp_stats_seq_next(struct seq_file *s, void *iter_ptr,
 				   loff_t *pos)
+	__must_hold(RCU)
 {
 	struct qib_qp_iter *iter = iter_ptr;
 
@@ -224,6 +229,7 @@ static void *_qp_stats_seq_next(struct s
 }
 
 static void _qp_stats_seq_stop(struct seq_file *s, void *iter_ptr)
+	__releases(RCU)
 {
 	rcu_read_unlock();
 }
--- a/drivers/infiniband/hw/qib/qib_qp.c
+++ b/drivers/infiniband/hw/qib/qib_qp.c
@@ -530,10 +530,6 @@ struct qib_qp_iter *qib_qp_iter_init(str
 		return NULL;
 
 	iter->dev = dev;
-	if (qib_qp_iter_next(iter)) {
-		kfree(iter);
-		return NULL;
-	}
 
 	return iter;
 }


* [PATCH 4.7 058/184] IB/uverbs: Fix race between uverbs_close and remove_one
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (54 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 057/184] IB/hfi1,IB/qib: Fix qp_stats sleep with rcu read lock held Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 059/184] IB/hfi1: Reset QSFP on every run through channel tuning Greg Kroah-Hartman
                     ` (121 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Devesh Sharma, Jason Gunthorpe,
	Yishai Hadas, Leon Romanovsky, Doug Ledford

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>

commit d1e09f304a1d9651c5059ebfeb696dc2effc9b32 upstream.

Fixes an oops that might happen if uverbs_close races with
remove_one.

Both contexts may run ib_uverbs_cleanup_ucontext, it depends
on the flow.

Currently, there is no protection for a case that remove_one
didn't make the cleanup it runs to its end, the underlying
ib_device was freed then uverbs_close will call
ib_uverbs_cleanup_ucontext and OOPs.

Above might happen if uverbs_close deleted the file from the list
then remove_one didn't find it and runs to its end.

Fixes to protect against that case by a new cleanup lock so that
ib_uverbs_cleanup_ucontext will be called always before that
remove_one is ended.

Fixes: 35d4a0b63dc0 ("IB/uverbs: Fix race between ib_uverbs_open and remove_one")
Reported-by: Devesh Sharma <devesh.sharma@broadcom.com>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/uverbs.h      |    1 
 drivers/infiniband/core/uverbs_main.c |   37 ++++++++++++++++++++++------------
 2 files changed, 25 insertions(+), 13 deletions(-)

--- a/drivers/infiniband/core/uverbs.h
+++ b/drivers/infiniband/core/uverbs.h
@@ -116,6 +116,7 @@ struct ib_uverbs_event_file {
 struct ib_uverbs_file {
 	struct kref				ref;
 	struct mutex				mutex;
+	struct mutex                            cleanup_mutex; /* protect cleanup */
 	struct ib_uverbs_device		       *device;
 	struct ib_ucontext		       *ucontext;
 	struct ib_event_handler			event_handler;
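
Review bot: The new cleanup_mutex member is aligned with spaces where
the neighbouring members use tabs, and "protect cleanup" does not say
what is protected. Going by the uverbs_main.c changes, it guards
file->ucontext and serialises ib_uverbs_cleanup_ucontext() between
ib_uverbs_close() and ib_uverbs_free_hw_resources(); the comment should
say that.
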
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -931,6 +931,7 @@ static int ib_uverbs_open(struct inode *
 	file->async_file = NULL;
 	kref_init(&file->ref);
 	mutex_init(&file->mutex);
+	mutex_init(&file->cleanup_mutex);
 
 	filp->private_data = file;
 	kobject_get(&dev->kobj);
@@ -956,18 +957,20 @@ static int ib_uverbs_close(struct inode
 {
 	struct ib_uverbs_file *file = filp->private_data;
 	struct ib_uverbs_device *dev = file->device;
-	struct ib_ucontext *ucontext = NULL;
+
+	mutex_lock(&file->cleanup_mutex);
+	if (file->ucontext) {
+		ib_uverbs_cleanup_ucontext(file, file->ucontext);
+		file->ucontext = NULL;
+	}
+	mutex_unlock(&file->cleanup_mutex);
 
 	mutex_lock(&file->device->lists_mutex);
-	ucontext = file->ucontext;
-	file->ucontext = NULL;
 	if (!file->is_closed) {
 		list_del(&file->list);
 		file->is_closed = 1;
 	}
 	mutex_unlock(&file->device->lists_mutex);
-	if (ucontext)
-		ib_uverbs_cleanup_ucontext(file, ucontext);
 
 	if (file->async_file)
 		kref_put(&file->async_file->ref, ib_uverbs_release_event_file);
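
Review bot: ib_uverbs_close() now calls ib_uverbs_cleanup_ucontext()
with cleanup_mutex held, whereas the old code called it after dropping
lists_mutex. Please document the locking rule at this site:
cleanup_mutex and lists_mutex are taken one after the other and never
nested, and nothing reachable from ib_uverbs_cleanup_ucontext() may take
cleanup_mutex on the same file.
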
@@ -1181,22 +1184,30 @@ static void ib_uverbs_free_hw_resources(
 	mutex_lock(&uverbs_dev->lists_mutex);
 	while (!list_empty(&uverbs_dev->uverbs_file_list)) {
 		struct ib_ucontext *ucontext;
-
 		file = list_first_entry(&uverbs_dev->uverbs_file_list,
 					struct ib_uverbs_file, list);
 		file->is_closed = 1;
-		ucontext = file->ucontext;
 		list_del(&file->list);
-		file->ucontext = NULL;
 		kref_get(&file->ref);
 		mutex_unlock(&uverbs_dev->lists_mutex);
-		/* We must release the mutex before going ahead and calling
-		 * disassociate_ucontext. disassociate_ucontext might end up
-		 * indirectly calling uverbs_close, for example due to freeing
-		 * the resources (e.g mmput).
-		 */
+
 		ib_uverbs_event_handler(&file->event_handler, &event);
+
+		mutex_lock(&file->cleanup_mutex);
+		ucontext = file->ucontext;
+		file->ucontext = NULL;
+		mutex_unlock(&file->cleanup_mutex);
+
+		/* At this point ib_uverbs_close cannot be running
+		 * ib_uverbs_cleanup_ucontext
+		 */
 		if (ucontext) {
+			/* We must release the mutex before going ahead and
+			 * calling disassociate_ucontext. disassociate_ucontext
+			 * might end up indirectly calling uverbs_close,
+			 * for example due to freeing the resources
+			 * (e.g mmput).
+			 */
 			ib_dev->disassociate_ucontext(ucontext);
 			ib_uverbs_cleanup_ucontext(file, ucontext);
 		}
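
Review bot: The relocated comment "We must release the mutex before
going ahead and calling disassociate_ucontext" no longer says which
mutex. lists_mutex is dropped before ib_uverbs_event_handler() and
cleanup_mutex is dropped just above, so name the one meant (or both).
The blank line after "struct ib_ucontext *ucontext;" was also removed;
keep the separator between the declaration and the first statement.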


* [PATCH 4.7 059/184] IB/hfi1: Reset QSFP on every run through channel tuning
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (55 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 058/184] IB/uverbs: Fix race between uverbs_close and remove_one Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 060/184] mm: fix cache mode of dax pmd mappings Greg Kroah-Hartman
                     ` (120 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dean Luick, Easwar Hariharan,
	Dennis Dalessandro, Doug Ledford

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Easwar Hariharan <easwar.hariharan@intel.com>

commit b5e710195492f682d93097cddac13e594d39a946 upstream.

Active QSFP cables were reset only every alternate iteration of the
channel tuning algorithm instead of every iteration due to incorrect
reset of the flag that controlled QSFP reset, resulting in using stale
QSFP status in the channel tuning algorithm.

Fixes: 8ebd4cf1852a ("Add active and optical cable support")
Reviewed-by: Dean Luick <dean.luick@intel.com>
Signed-off-by: Easwar Hariharan <easwar.hariharan@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/platform.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/hfi1/platform.c
+++ b/drivers/infiniband/hw/hfi1/platform.c
@@ -638,9 +638,13 @@ static int tune_active_qsfp(struct hfi1_
 	if (ret)
 		return ret;
 
+	/*
+	 * We'll change the QSFP memory contents from here on out, thus we set a
+	 * flag here to remind ourselves to reset the QSFP module. This prevents
+	 * reuse of stale settings established in our previous pass through.
+	 */
 	if (ppd->qsfp_info.reset_needed) {
 		reset_qsfp(ppd);
-		ppd->qsfp_info.reset_needed = 0;
 		refresh_qsfp_cache(ppd, &ppd->qsfp_info);
 	} else {
 		ppd->qsfp_info.reset_needed = 1;
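
Review bot: The new comment says "we set a flag here", but it sits above
the branch that tests reset_needed and calls reset_qsfp(); the flag is
set in the else branch. Move the comment to the else branch or reword
it. With "ppd->qsfp_info.reset_needed = 0" removed, nothing in this hunk
clears the flag again, so the comment should state whether it is meant
to stay set after the first pass and where, if anywhere, it is cleared.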


* [PATCH 4.7 060/184] mm: fix cache mode of dax pmd mappings
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (56 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 059/184] IB/hfi1: Reset QSFP on every run through channel tuning Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 062/184] x86/AMD: Apply erratum 665 on machines without a BIOS fix Greg Kroah-Hartman
                     ` (119 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthew Wilcox, Ross Zwisler,
	Nilesh Choudhury, Kirill A. Shutemov, Toshi Kani, Kai Zhang,
	Andrew Morton, Dan Williams

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@intel.com>

commit 9049771f7d5490a302589976984810064c83ab40 upstream.

track_pfn_insert() in vmf_insert_pfn_pmd() is marking dax mappings as
uncacheable rendering them impractical for application usage.  DAX-pte
mappings are cached and the goal of establishing DAX-pmd mappings is to
attain more performance, not dramatically less (3 orders of magnitude).

track_pfn_insert() relies on a previous call to reserve_memtype() to
establish the expected page_cache_mode for the range.  While memremap()
arranges for reserve_memtype() to be called, devm_memremap_pages() does
not.  So, teach track_pfn_insert() and untrack_pfn() how to handle
tracking without a vma, and arrange for devm_memremap_pages() to
establish the write-back-cache reservation in the memtype tree.

Cc: Matthew Wilcox <mawilcox@microsoft.com>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Cc: Nilesh Choudhury <nilesh.choudhury@oracle.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Toshi Kani <toshi.kani@hpe.com>
Reported-by: Kai Zhang <kai.ka.zhang@oracle.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/pat.c |   17 ++++++++++-------
 kernel/memremap.c |    9 +++++++++
 2 files changed, 19 insertions(+), 7 deletions(-)

--- a/arch/x86/mm/pat.c
+++ b/arch/x86/mm/pat.c
@@ -931,9 +931,10 @@ int track_pfn_copy(struct vm_area_struct
 }
 
 /*
- * prot is passed in as a parameter for the new mapping. If the vma has a
- * linear pfn mapping for the entire range reserve the entire vma range with
- * single reserve_pfn_range call.
+ * prot is passed in as a parameter for the new mapping. If the vma has
+ * a linear pfn mapping for the entire range, or no vma is provided,
+ * reserve the entire pfn + size range with single reserve_pfn_range
+ * call.
  */
 int track_pfn_remap(struct vm_area_struct *vma, pgprot_t *prot,
 		    unsigned long pfn, unsigned long addr, unsigned long size)
@@ -942,11 +943,12 @@ int track_pfn_remap(struct vm_area_struc
 	enum page_cache_mode pcm;
 
 	/* reserve the whole chunk starting from paddr */
-	if (addr == vma->vm_start && size == (vma->vm_end - vma->vm_start)) {
+	if (!vma || (addr == vma->vm_start
+				&& size == (vma->vm_end - vma->vm_start))) {
 		int ret;
 
 		ret = reserve_pfn_range(paddr, size, prot, 0);
-		if (!ret)
+		if (ret == 0 && vma)
 			vma->vm_flags |= VM_PAT;
 		return ret;
 	}
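
Review bot: When vma is NULL the addr argument of track_pfn_remap() is
never looked at, and the memremap.c caller passes 0 for it; the function
comment should say that addr is ignored in the no-vma case.
"if (ret == 0 && vma)" also departs from the "if (!ret)" form it
replaces; "if (!ret && vma)" keeps the file's style.
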
@@ -1001,7 +1003,7 @@ void untrack_pfn(struct vm_area_struct *
 	resource_size_t paddr;
 	unsigned long prot;
 
-	if (!(vma->vm_flags & VM_PAT))
+	if (vma && !(vma->vm_flags & VM_PAT))
 		return;
 
 	/* free the chunk starting from pfn or the whole chunk */
@@ -1015,7 +1017,8 @@ void untrack_pfn(struct vm_area_struct *
 		size = vma->vm_end - vma->vm_start;
 	}
 	free_pfn_range(paddr, size);
-	vma->vm_flags &= ~VM_PAT;
+	if (vma)
+		vma->vm_flags &= ~VM_PAT;
 }
 
 /*
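
Review bot: untrack_pfn() now accepts a NULL vma, but the context line
"size = vma->vm_end - vma->vm_start;" still dereferences vma and the
condition guarding that block is outside the hunk. Please confirm that
block cannot be entered with vma == NULL (the new callers pass
PHYS_PFN(align_start) and align_size), or add an explicit vma check
there, and document the NULL-vma contract in the function comment.
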
--- a/kernel/memremap.c
+++ b/kernel/memremap.c
@@ -253,6 +253,7 @@ static void devm_memremap_pages_release(
 	align_start = res->start & ~(SECTION_SIZE - 1);
 	align_size = ALIGN(resource_size(res), SECTION_SIZE);
 	arch_remove_memory(align_start, align_size);
+	untrack_pfn(NULL, PHYS_PFN(align_start), align_size);
 	pgmap_radix_release(res);
 	dev_WARN_ONCE(dev, pgmap->altmap && pgmap->altmap->alloc,
 			"%s: failed to free all reserved pages\n", __func__);
@@ -288,6 +289,7 @@ void *devm_memremap_pages(struct device
 		struct percpu_ref *ref, struct vmem_altmap *altmap)
 {
 	resource_size_t key, align_start, align_size, align_end;
+	pgprot_t pgprot = PAGE_KERNEL;
 	struct dev_pagemap *pgmap;
 	struct page_map *page_map;
 	int error, nid, is_ram;
@@ -363,6 +365,11 @@ void *devm_memremap_pages(struct device
 	if (nid < 0)
 		nid = numa_mem_id();
 
+	error = track_pfn_remap(NULL, &pgprot, PHYS_PFN(align_start), 0,
+			align_size);
+	if (error)
+		goto err_pfn_remap;
+
 	error = arch_add_memory(nid, align_start, align_size, true);
 	if (error)
 		goto err_add_memory;
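
Review bot: The local pgprot is passed to track_pfn_remap() by pointer
but is not used afterwards; arch_add_memory() below does not take it. A
short comment that this call exists only to establish the memtype
reservation for the range, and that whatever is written back into pgprot
is deliberately unused, would save the next reader from looking for the
consumer.
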
@@ -383,6 +390,8 @@ void *devm_memremap_pages(struct device
 	return __va(res->start);
 
  err_add_memory:
+	untrack_pfn(NULL, PHYS_PFN(align_start), align_size);
+ err_pfn_remap:
  err_radix:
 	pgmap_radix_release(res);
 	devres_free(page_map);


* [PATCH 4.7 062/184] x86/AMD: Apply erratum 665 on machines without a BIOS fix
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (57 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 060/184] mm: fix cache mode of dax pmd mappings Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 063/184] KVM: s390: dont use current->thread.fpu.* when accessing registers Greg Kroah-Hartman
                     ` (118 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Emanuel Czirai, Borislav Petkov,
	Yaowu Xu, Thomas Gleixner

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Emanuel Czirai <icanrealizeum@gmail.com>

commit d1992996753132e2dafe955cccb2fb0714d3cfc4 upstream.

AMD F12h machines have an erratum which can cause DIV/IDIV to behave
unpredictably. The workaround is to set MSRC001_1029[31] but sometimes
there is no BIOS update containing that workaround so let's do it
ourselves unconditionally. It is simple enough.

[ Borislav: Wrote commit message. ]

Signed-off-by: Emanuel Czirai <icanrealizeum@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Yaowu Xu <yaowu@google.com>
Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/amd.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -669,6 +669,17 @@ static void init_amd_gh(struct cpuinfo_x
 		set_cpu_bug(c, X86_BUG_AMD_TLB_MMATCH);
 }
 
+#define MSR_AMD64_DE_CFG	0xC0011029
+
+static void init_amd_ln(struct cpuinfo_x86 *c)
+{
+	/*
+	 * Apply erratum 665 fix unconditionally so machines without a BIOS
+	 * fix work.
+	 */
+	msr_set_bit(MSR_AMD64_DE_CFG, 31);
+}
+
 static void init_amd_bd(struct cpuinfo_x86 *c)
 {
 	u64 value;
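
Review bot: MSR_AMD64_DE_CFG is defined locally in amd.c and the bit is
the bare literal 31 in init_amd_ln(). Put the MSR definition with the
other MSR_AMD64_* constants in the shared MSR header and give the bit a
name, so the value is not duplicated if another erratum needs the same
register. The return value of msr_set_bit() is also dropped; if a failed
write is acceptable here, say so in the comment.
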
@@ -726,6 +737,7 @@ static void init_amd(struct cpuinfo_x86
 	case 6:	   init_amd_k7(c); break;
 	case 0xf:  init_amd_k8(c); break;
 	case 0x10: init_amd_gh(c); break;
+	case 0x12: init_amd_ln(c); break;
 	case 0x15: init_amd_bd(c); break;
 	}
 


* [PATCH 4.7 063/184] KVM: s390: dont use current->thread.fpu.* when accessing registers
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (58 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 062/184] x86/AMD: Apply erratum 665 on machines without a BIOS fix Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:39   ` [PATCH 4.7 064/184] kvm-arm: Unmap shadow pagetables properly Greg Kroah-Hartman
                     ` (117 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hao QingFeng, David Hildenbrand,
	Christian Borntraeger

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

commit a7d4b8f2565ad0dfdff9a222d1d87990c73b36e8 upstream.

As the meaning of these variables and pointers seems to change more
frequently, let's directly access our save area, instead of going via
current->thread.

Right now, this is broken for set/get_fpu. They simply overwrite the
host registers, as the pointers to the current save area were turned
into the static host save area.

Fixes: 3f6813b9a5e0 ("s390/fpu: allocate 'struct fpu' with the task_struct")
Reported-by: Hao QingFeng <haoqf@linux.vnet.ibm.com>
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kvm/kvm-s390.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -1951,9 +1951,10 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct k
 		return -EINVAL;
 	current->thread.fpu.fpc = fpu->fpc;
 	if (MACHINE_HAS_VX)
-		convert_fp_to_vx(current->thread.fpu.vxrs, (freg_t *)fpu->fprs);
+		convert_fp_to_vx((__vector128 *) vcpu->run->s.regs.vrs,
+				 (freg_t *) fpu->fprs);
 	else
-		memcpy(current->thread.fpu.fprs, &fpu->fprs, sizeof(fpu->fprs));
+		memcpy(vcpu->run->s.regs.fprs, &fpu->fprs, sizeof(fpu->fprs));
 	return 0;
 }
 
@@ -1962,9 +1963,10 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct k
 	/* make sure we have the latest values */
 	save_fpu_regs();
 	if (MACHINE_HAS_VX)
-		convert_vx_to_fp((freg_t *)fpu->fprs, current->thread.fpu.vxrs);
+		convert_vx_to_fp((freg_t *) fpu->fprs,
+				 (__vector128 *) vcpu->run->s.regs.vrs);
 	else
-		memcpy(fpu->fprs, current->thread.fpu.fprs, sizeof(fpu->fprs));
+		memcpy(fpu->fprs, vcpu->run->s.regs.fprs, sizeof(fpu->fprs));
 	fpu->fpc = current->thread.fpu.fpc;
 	return 0;
 }
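
Review bot: "fpu->fpc = current->thread.fpu.fpc;" in
kvm_arch_vcpu_ioctl_get_fpu() and "current->thread.fpu.fpc = fpu->fpc;"
in the set_fpu hunk above still go through current->thread, while the
commit message says the save area should be accessed directly. If fpc is
deliberately left alone, the commit message should explain why that is
safe when fprs/vrs were not; otherwise convert it along with the
registers.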


* [PATCH 4.7 064/184] kvm-arm: Unmap shadow pagetables properly
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (59 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 063/184] KVM: s390: dont use current->thread.fpu.* when accessing registers Greg Kroah-Hartman
@ 2016-09-22 17:39   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 066/184] iio: accel: kxsd9: Fix raw read return Greg Kroah-Hartman
                     ` (116 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Itaru Kitayama, James Morse,
	Marc Zyngier, Catalin Marinas, Christoffer Dall,
	Suzuki K Poulose

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit 293f293637b55db4f9f522a5a72514e98a541076 upstream.

On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via
mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when
the userspace buffer gets unmapped. However, when the Hypervisor
process exits without explicit unmap of the guest buffers, the only
notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release
) which does nothing on arm. Later this causes us to access pages that
were already released [via exit_mmap() -> unmap_vmas()] when we actually
get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() ->
kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC,
which unmaps any free'd pages from the linear map.

 [  757.644120] Unable to handle kernel paging request at virtual address
  ffff800661e00000
 [  757.652046] pgd = ffff20000b1a2000
 [  757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003,
  *pmd=00000047fcc7c003, *pte=00e8004661e00712
 [  757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP
 [  757.672041] Modules linked in:
 [  757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G      D
 4.8.0-rc1 #3
 [  757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board,
  BIOS 3.06.15 Aug 19 2016
 [  757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000
 [  757.698840] PC is at __flush_dcache_area+0x1c/0x40
 [  757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70
 [  757.708469] pc : [<ffff20000809dbdc>] lr : [<ffff2000080b4a70>] pstate: 20000145
 ...
 [  758.357249] [<ffff20000809dbdc>] __flush_dcache_area+0x1c/0x40
 [  758.363059] [<ffff2000080b6748>] unmap_stage2_range+0x458/0x5f0
 [  758.368954] [<ffff2000080b708c>] kvm_free_stage2_pgd+0x34/0x60
 [  758.374761] [<ffff2000080b2280>] kvm_arch_destroy_vm+0x20/0x68
 [  758.380570] [<ffff2000080aa330>] kvm_put_kvm+0x210/0x358
 [  758.385860] [<ffff2000080aa524>] kvm_vm_release+0x2c/0x40
 [  758.391239] [<ffff2000082ad234>] __fput+0x114/0x2e8
 [  758.396096] [<ffff2000082ad46c>] ____fput+0xc/0x18
 [  758.400869] [<ffff200008104658>] task_work_run+0x108/0x138
 [  758.406332] [<ffff2000080dc8ec>] do_exit+0x48c/0x10e8
 [  758.411363] [<ffff2000080dd5fc>] do_group_exit+0x6c/0x130
 [  758.416739] [<ffff2000080ed924>] get_signal+0x284/0xa18
 [  758.421943] [<ffff20000808a098>] do_signal+0x158/0x860
 [  758.427060] [<ffff20000808aad4>] do_notify_resume+0x6c/0x88
 [  758.432608] [<ffff200008083624>] work_pending+0x10/0x14
 [  758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20)

This patch fixes the issue by moving the kvm_free_stage2_pgd() to
kvm_arch_flush_shadow_all().

Tested-by: Itaru Kitayama <itaru.kitayama@riken.jp>
Reported-by: Itaru Kitayama <itaru.kitayama@riken.jp>
Reported-by: James Morse <james.morse@arm.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/kvm/arm.c |    2 --
 arch/arm/kvm/mmu.c |    1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -157,8 +157,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm
 {
 	int i;
 
-	kvm_free_stage2_pgd(kvm);
-
 	for (i = 0; i < KVM_MAX_VCPUS; ++i) {
 		if (kvm->vcpus[i]) {
 			kvm_arch_vcpu_free(kvm->vcpus[i]);
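
Review bot: After this removal kvm_arch_destroy_vm() no longer frees the
stage2 page tables itself and relies on kvm_arch_flush_shadow_all()
having run first. Please confirm that every path into
kvm_arch_destroy_vm(), including a failed VM creation, goes through that
callback; otherwise the stage2 pgd is leaked.
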
--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -1909,6 +1909,7 @@ void kvm_arch_memslots_updated(struct kv
 
 void kvm_arch_flush_shadow_all(struct kvm *kvm)
 {
+	kvm_free_stage2_pgd(kvm);
 }
 
 void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
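
Review bot: kvm_arch_flush_shadow_all() gains the kvm_free_stage2_pgd()
call with no comment. The reason is an ordering constraint from the
commit message (the stage2 tables must be unmapped before exit_mmap()
releases the pages), so a one-line comment in the function body would
keep someone from moving the call back to kvm_arch_destroy_vm().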


* [PATCH 4.7 066/184] iio: accel: kxsd9: Fix raw read return
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (60 preceding siblings ...)
  2016-09-22 17:39   ` [PATCH 4.7 064/184] kvm-arm: Unmap shadow pagetables properly Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 067/184] iio: sw-trigger: Fix config group initialization Greg Kroah-Hartman
                     ` (115 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Linus Walleij, Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream.

Any readings from the raw interface of the KXSD9 driver will
return an empty string, because it does not return
IIO_VAL_INT but rather some random value from the accelerometer
to the caller.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/accel/kxsd9.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -160,6 +160,7 @@ static int kxsd9_read_raw(struct iio_dev
 		if (ret < 0)
 			goto error_ret;
 		*val = ret;
+		ret = IIO_VAL_INT;
 		break;
 	case IIO_CHAN_INFO_SCALE:
 		ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));


* [PATCH 4.7 067/184] iio: sw-trigger: Fix config group initialization
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (61 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 066/184] iio: accel: kxsd9: Fix raw read return Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 068/184] iio: proximity: as3935: set up buffer timestamps for non-zero values Greg Kroah-Hartman
                     ` (114 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Daniel Baluta,
	Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lars-Peter Clausen <lars@metafoo.de>

commit b2f0c09664b72b2f8c581383a9337ac3092e42c8 upstream.

Use the IS_ENABLED() helper macro to ensure that the configfs group is
initialized either when configfs is built-in or when configfs is built as a
module. Otherwise software trigger creation will result in undefined
behaviour when configfs is built as a module since the configfs group for
the trigger is not properly initialized.

Fixes: b662f809d410 ("iio: core: Introduce IIO software triggers")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Daniel Baluta <daniel.baluta@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/iio/sw_trigger.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/iio/sw_trigger.h
+++ b/include/linux/iio/sw_trigger.h
@@ -62,7 +62,7 @@ void iio_swt_group_init_type_name(struct
 				  const char *name,
 				  struct config_item_type *type)
 {
-#ifdef CONFIG_CONFIGFS_FS
+#if IS_ENABLED(CONFIG_CONFIGFS_FS)
 	config_group_init_type_name(&t->group, name, type);
 #endif
 }


* [PATCH 4.7 068/184] iio: proximity: as3935: set up buffer timestamps for non-zero values
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (62 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 067/184] iio: sw-trigger: Fix config group initialization Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 069/184] iio: adc: rockchip_saradc: reset saradc controller before programming it Greg Kroah-Hartman
                     ` (113 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alison Schofield, Daniel Baluta,
	Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alison Schofield <amsfield22@gmail.com>

commit f8adf645db03345af2d9a8b6095b02327ea50885 upstream.

Use the iio_pollfunc_store_time parameter during triggered buffer
set-up to get valid timestamps.

Signed-off-by: Alison Schofield <amsfield22@gmail.com>
Cc: Daniel Baluta <daniel.baluta@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/proximity/as3935.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/proximity/as3935.c
+++ b/drivers/iio/proximity/as3935.c
@@ -392,7 +392,7 @@ static int as3935_probe(struct spi_devic
 		return ret;
 	}
 
-	ret = iio_triggered_buffer_setup(indio_dev, NULL,
+	ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
 		&as3935_trigger_handler, NULL);
 
 	if (ret) {
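
Review bot: at the iio_triggered_buffer_setup() call, the changelog says the new argument is needed "to get valid timestamps" but not why NULL was wrong. iio_pollfunc_store_time is the top half that records the time when the trigger fires, so with NULL nothing records it; saying that, and that the handler then pushes a zero timestamp, would explain the "non-zero values" in the subject. This hunk does not show as3935_trigger_handler, so confirm it takes its timestamp from the poll function rather than reading the clock itself.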


* [PATCH 4.7 069/184] iio: adc: rockchip_saradc: reset saradc controller before programming it
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (63 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 068/184] iio: proximity: as3935: set up buffer timestamps for non-zero values Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 070/184] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access Greg Kroah-Hartman
                     ` (112 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Caesar Wang, Jonathan Cameron,
	Heiko Stuebner, Rob Herring, linux-iio, linux-rockchip,
	Guenter Roeck

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Caesar Wang <wxt@rock-chips.com>

commit 543852af8e5902aee8f7c72c89e1513663e0f696 upstream.

SARADC controller needs to be reset before programming it, otherwise
it will not function properly.

Signed-off-by: Caesar Wang <wxt@rock-chips.com>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: Heiko Stuebner <heiko@sntech.de>
Cc: Rob Herring <robh+dt@kernel.org>
Cc: linux-iio@vger.kernel.org
Cc: linux-rockchip@lists.infradead.org
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt |    7 ++
 drivers/iio/adc/Kconfig                                       |    1 
 drivers/iio/adc/rockchip_saradc.c                             |   30 ++++++++++
 3 files changed, 38 insertions(+)

--- a/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt
+++ b/Documentation/devicetree/bindings/iio/adc/rockchip-saradc.txt
@@ -16,6 +16,11 @@ Required properties:
 - vref-supply: The regulator supply ADC reference voltage.
 - #io-channel-cells: Should be 1, see ../iio-bindings.txt
 
+Optional properties:
+- resets: Must contain an entry for each entry in reset-names if need support
+	  this option. See ../reset/reset.txt for details.
+- reset-names: Must include the name "saradc-apb".
+
 Example:
 	saradc: saradc@2006c000 {
 		compatible = "rockchip,saradc";
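
Review bot: the new "Optional properties" text is hard to parse. "Must contain an entry for each entry in reset-names if need support this option" would read better as "resets: phandle to the SARADC reset line, one entry per name in reset-names", and "reset-names: Must include ..." sits oddly under an Optional heading unless it adds "if resets is present".
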
@@ -23,6 +28,8 @@ Example:
 		interrupts = <GIC_SPI 26 IRQ_TYPE_LEVEL_HIGH>;
 		clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
 		clock-names = "saradc", "apb_pclk";
+		resets = <&cru SRST_SARADC>;
+		reset-names = "saradc-apb";
 		#io-channel-cells = <1>;
 		vref-supply = <&vcc18>;
 	};
--- a/drivers/iio/adc/Kconfig
+++ b/drivers/iio/adc/Kconfig
@@ -377,6 +377,7 @@ config QCOM_SPMI_VADC
 config ROCKCHIP_SARADC
 	tristate "Rockchip SARADC driver"
 	depends on ARCH_ROCKCHIP || (ARM && COMPILE_TEST)
+	depends on RESET_CONTROLLER
 	help
 	  Say yes here to build support for the SARADC found in SoCs from
 	  Rockchip.
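
Review bot: "depends on RESET_CONTROLLER" makes the reset framework mandatory for building the driver, while the binding in this same patch lists resets under Optional properties and the probe comment says old devicetrees must keep working. If the hard dependency is there for a build or runtime reason, the changelog should name it; otherwise the driver could build without it and simply skip the reset.
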
--- a/drivers/iio/adc/rockchip_saradc.c
+++ b/drivers/iio/adc/rockchip_saradc.c
@@ -21,6 +21,8 @@
 #include <linux/of_device.h>
 #include <linux/clk.h>
 #include <linux/completion.h>
+#include <linux/delay.h>
+#include <linux/reset.h>
 #include <linux/regulator/consumer.h>
 #include <linux/iio/iio.h>
 
@@ -53,6 +55,7 @@ struct rockchip_saradc {
 	struct clk		*clk;
 	struct completion	completion;
 	struct regulator	*vref;
+	struct reset_control	*reset;
 	const struct rockchip_saradc_data *data;
 	u16			last_val;
 };
@@ -190,6 +193,16 @@ static const struct of_device_id rockchi
 };
 MODULE_DEVICE_TABLE(of, rockchip_saradc_match);
 
+/**
+ * Reset SARADC Controller.
+ */
+static void rockchip_saradc_reset_controller(struct reset_control *reset)
+{
+	reset_control_assert(reset);
+	usleep_range(10, 20);
+	reset_control_deassert(reset);
+}
+
 static int rockchip_saradc_probe(struct platform_device *pdev)
 {
 	struct rockchip_saradc *info = NULL;
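
Review bot: rockchip_saradc_reset_controller() discards the return values of reset_control_assert() and reset_control_deassert(), so a failed deassert leaves the block held in reset while probe carries on and programs it; return the error and let probe fail. Two smaller points: the comment opens with "/**" but is not in kernel-doc format, so use "/*", and usleep_range(10, 20) needs a note on where the 10 us figure comes from.
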
@@ -218,6 +231,20 @@ static int rockchip_saradc_probe(struct
 	if (IS_ERR(info->regs))
 		return PTR_ERR(info->regs);
 
+	/*
+	 * The reset should be an optional property, as it should work
+	 * with old devicetrees as well
+	 */
+	info->reset = devm_reset_control_get(&pdev->dev, "saradc-apb");
+	if (IS_ERR(info->reset)) {
+		ret = PTR_ERR(info->reset);
+		if (ret != -ENOENT)
+			return ret;
+
+		dev_dbg(&pdev->dev, "no reset control found\n");
+		info->reset = NULL;
+	}
+
 	init_completion(&info->completion);
 
 	irq = platform_get_irq(pdev, 0);
@@ -252,6 +279,9 @@ static int rockchip_saradc_probe(struct
 		return PTR_ERR(info->vref);
 	}
 
+	if (info->reset)
+		rockchip_saradc_reset_controller(info->reset);
+
 	/*
 	 * Use a default value for the converter clock.
 	 * This may become user-configurable in the future.
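
Review bot: the reset is pulsed once in probe, after the vref lookup and before the converter clock is set up in the lines that follow. The changelog says the controller must be reset "before programming it" but not whether the reset needs the APB clock running to take effect; a sentence on the required ordering relative to the clocks would make this placement reviewable.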


* [PATCH 4.7 070/184] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (64 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 069/184] iio: adc: rockchip_saradc: reset saradc controller before programming it Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 071/184] iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample Greg Kroah-Hartman
                     ` (111 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vignesh R, Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vignesh R <vigneshr@ti.com>

commit 90c43ec6997a892448f1f86180a515f59cafd8a3 upstream.

It is possible that two or more ADC channels can be simultaneously
requested for raw samples, in which case there can be race in access to
FIFO data resulting in loss of samples.
If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when
ADC is still acquired to sample one of the channels, the second process
might be put into uninterruptible sleep state. Fix these issues, by
protecting FIFO access and channel configurations with a mutex. Since
tiadc_read_raw() might take anywhere between few microseconds to few
milliseconds to finish execution (depending on averaging and delay
values supplied via DT), it's better to use mutex instead of spinlock.

Fixes: 7ca6740cd1cd4 ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization")
Signed-off-by: Vignesh R <vigneshr@ti.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ti_am335x_adc.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/iio/adc/ti_am335x_adc.c
+++ b/drivers/iio/adc/ti_am335x_adc.c
@@ -32,6 +32,7 @@
 
 struct tiadc_device {
 	struct ti_tscadc_dev *mfd_tscadc;
+	struct mutex fifo1_lock; /* to protect fifo access */
 	int channels;
 	u8 channel_line[8];
 	u8 channel_step[8];
@@ -360,6 +361,7 @@ static int tiadc_read_raw(struct iio_dev
 		int *val, int *val2, long mask)
 {
 	struct tiadc_device *adc_dev = iio_priv(indio_dev);
+	int ret = IIO_VAL_INT;
 	int i, map_val;
 	unsigned int fifo1count, read, stepid;
 	bool found = false;
@@ -373,6 +375,7 @@ static int tiadc_read_raw(struct iio_dev
 	if (!step_en)
 		return -EINVAL;
 
+	mutex_lock(&adc_dev->fifo1_lock);
 	fifo1count = tiadc_readl(adc_dev, REG_FIFO1CNT);
 	while (fifo1count--)
 		tiadc_readl(adc_dev, REG_FIFO1);
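
Review bot: mutex_lock() ahead of the FIFO drain still puts a second reader into uninterruptible sleep for as long as the first one holds fifo1_lock, which is the symptom the changelog sets out to fix; the difference is that the wait is now bounded by the timeout loop further down. Either say that in the comment on fifo1_lock, or use mutex_lock_interruptible() and return its error to the caller.
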
@@ -389,7 +392,8 @@ static int tiadc_read_raw(struct iio_dev
 
 		if (time_after(jiffies, timeout)) {
 			am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
-			return -EAGAIN;
+			ret = -EAGAIN;
+			goto err_unlock;
 		}
 	}
 	map_val = adc_dev->channel_step[chan->scan_index];
@@ -415,8 +419,11 @@ static int tiadc_read_raw(struct iio_dev
 	am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
 
 	if (found == false)
-		return -EBUSY;
-	return IIO_VAL_INT;
+		ret =  -EBUSY;
+
+err_unlock:
+	mutex_unlock(&adc_dev->fifo1_lock);
+	return ret;
 }
 
 static const struct iio_info tiadc_info = {
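
Review bot: the label err_unlock is also reached on the success path (ret is still IIO_VAL_INT when found is true), so the name misleads; "unlock" or "out_unlock" would be accurate. In the same lines, "ret =  -EBUSY;" has a double space and "found == false" reads better as "!found".
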
@@ -485,6 +492,7 @@ static int tiadc_probe(struct platform_d
 
 	tiadc_step_config(indio_dev);
 	tiadc_writel(adc_dev, REG_FIFO1THR, FIFO1_THRESHOLD);
+	mutex_init(&adc_dev->fifo1_lock);
 
 	err = tiadc_channel_init(indio_dev, adc_dev->channels);
 	if (err < 0)


* [PATCH 4.7 071/184] iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (65 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 070/184] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 072/184] iio:ti-ads1015: fix a wrong pointer definition Greg Kroah-Hartman
                     ` (110 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vignesh R, Lee Jones, Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vignesh R <vigneshr@ti.com>

commit 7175cce1c3f1d8c8840d2004f78f96a3904249b5 upstream.

Now that open delay and sample delay for each channel is configurable
via DT, the default IDLE_TIMEOUT value is not enough as this is
calculated based on hardcoded macros. This results in driver returning
EBUSY sometimes. Fix this by increasing the timeout
value based on maximum value possible to open delay and sample delays
for each channel.

Fixes: 5dc11e810676e ("iio: adc: ti_am335x_adc: make sample delay, open delay, averaging DT parameters")
Signed-off-by: Vignesh R <vigneshr@ti.com>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ti_am335x_adc.c      |    2 +-
 include/linux/mfd/ti_am335x_tscadc.h |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/iio/adc/ti_am335x_adc.c
+++ b/drivers/iio/adc/ti_am335x_adc.c
@@ -382,7 +382,7 @@ static int tiadc_read_raw(struct iio_dev
 
 	am335x_tsc_se_set_once(adc_dev->mfd_tscadc, step_en);
 
-	timeout = jiffies + usecs_to_jiffies
+	timeout = jiffies + msecs_to_jiffies
 				(IDLE_TIMEOUT * adc_dev->channels);
 	/* Wait for Fifo threshold interrupt */
 	while (1) {
--- a/include/linux/mfd/ti_am335x_tscadc.h
+++ b/include/linux/mfd/ti_am335x_tscadc.h
@@ -138,16 +138,16 @@
 /*
  * time in us for processing a single channel, calculated as follows:
  *
- * num cycles = open delay + (sample delay + conv time) * averaging
+ * max num cycles = open delay + (sample delay + conv time) * averaging
  *
- * num cycles: 152 + (1 + 13) * 16 = 376
+ * max num cycles: 262143 + (255 + 13) * 16 = 266431
  *
  * clock frequency: 26MHz / 8 = 3.25MHz
  * clock period: 1 / 3.25MHz = 308ns
  *
- * processing time: 376 * 308ns = 116us
+ * max processing time: 266431 * 308ns = 83ms(approx)
  */
-#define IDLE_TIMEOUT 116 /* microsec */
+#define IDLE_TIMEOUT 83 /* milliseconds */
 
 #define TSCADC_CELLS		2
 
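
Review bot: IDLE_TIMEOUT keeps its name while its unit changes from microseconds to milliseconds, so any other user of this shared header that still treats it as microseconds silently gets a wrong timeout with no build error; renaming it (for example IDLE_TIMEOUT_MS) would force every caller to be looked at. The comment block's first line still says "time in us for processing a single channel" and should change with the macro. The arithmetic itself checks out: 262143 + (255 + 13) * 16 = 266431 cycles, about 82 ms at 308 ns per cycle.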


* [PATCH 4.7 072/184] iio:ti-ads1015: fix a wrong pointer definition.
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (66 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 071/184] iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 073/184] iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999 Greg Kroah-Hartman
                     ` (109 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Giorgio Dal Molin, Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Giorgio Dal Molin <giorgio.nicole@arcor.de>

commit 522caebb2c3684f4a1d154526fb5e33f1381e92a upstream.

The call to i2c_get_clientdata(client) returns a struct iio_dev*, not
the needed struct ads1015_data*. We need here an intermediate step as
in the function: void ads1015_get_channels_config(struct i2c_client *client).

Signed-off-by: Giorgio Dal Molin <giorgio.nicole@arcor.de>
Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support")
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ti-ads1015.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/ti-ads1015.c
+++ b/drivers/iio/adc/ti-ads1015.c
@@ -403,7 +403,8 @@ static const struct iio_info ads1015_inf
 #ifdef CONFIG_OF
 static int ads1015_get_channels_config_of(struct i2c_client *client)
 {
-	struct ads1015_data *data = i2c_get_clientdata(client);
+	struct iio_dev *indio_dev = i2c_get_clientdata(client);
+	struct ads1015_data *data = iio_priv(indio_dev);
 	struct device_node *node;
 
 	if (!client->dev.of_node ||
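
Review bot: in ads1015_get_channels_config_of(), the changelog explains the type mix-up but not its effect. i2c_get_clientdata() returns void *, so the old assignment compiled cleanly and every access through "data" in this function touched struct iio_dev memory instead of struct ads1015_data. Stating the observed symptom (corruption, crash, wrong channel configuration) would help anyone triaging the stable backport.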


* [PATCH 4.7 073/184] iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (67 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 072/184] iio:ti-ads1015: fix a wrong pointer definition Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 074/184] iio: humidity: am2315: set up buffer timestamps for non-zero values Greg Kroah-Hartman
                     ` (108 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lars-Peter Clausen <lars@metafoo.de>

commit 7d3cc21dab5313a02f2f3ca8164529b828a030d1 upstream.

The data buffer for captured mode for the ad799x driver is allocated in the
update_scan_mode() callback. This callback is not set in the iio_info
struct for the ad7791/ad7995/ad7999, which means that the data buffer is
not allocated when a captured transfer is started. As a result the driver
crashes when the first sample is received. To fix this properly set the
update_scan_mode() callback.

Fixes: d8dca33027c1 ("staging:iio:ad799x: Preallocate sample buffer")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ad799x.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/adc/ad799x.c
+++ b/drivers/iio/adc/ad799x.c
@@ -533,6 +533,7 @@ static struct attribute_group ad799x_eve
 static const struct iio_info ad7991_info = {
 	.read_raw = &ad799x_read_raw,
 	.driver_module = THIS_MODULE,
+	.update_scan_mode = ad799x_update_scan_mode,
 };
 
 static const struct iio_info ad7993_4_7_8_noirq_info = {
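
Review bot: the hunk adds .update_scan_mode only to ad7991_info, while the changelog lists ad7791/ad7995/ad7999; confirm that ad7995 and ad7999 use this same iio_info struct, and correct "ad7791" in the changelog if it is a typo for the ad7991 named in the subject. The neighbouring ad7993_4_7_8_noirq_info in the context lines should be checked for the same callback.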


* [PATCH 4.7 074/184] iio: humidity: am2315: set up buffer timestamps for non-zero values
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (68 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 073/184] iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999 Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 075/184] iio: adc: at91: unbreak channel adc channel 3 Greg Kroah-Hartman
                     ` (107 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alison Schofield, Daniel Baluta,
	Tiberiu Breana, Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alison Schofield <amsfield22@gmail.com>

commit 3c68858df7c2f0c4c343bb4702733fe827491f9e upstream.

Use the iio_pollfunc_store_time parameter during triggered buffer
set-up to get valid timestamps.

Signed-off-by: Alison Schofield <amsfield22@gmail.com>
Cc: Daniel Baluta <daniel.baluta@gmail.com>
Reviewed-By: Tiberiu Breana <tiberiu.a.breana@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/humidity/am2315.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/humidity/am2315.c
+++ b/drivers/iio/humidity/am2315.c
@@ -244,7 +244,7 @@ static int am2315_probe(struct i2c_clien
 	indio_dev->channels = am2315_channels;
 	indio_dev->num_channels = ARRAY_SIZE(am2315_channels);
 
-	ret = iio_triggered_buffer_setup(indio_dev, NULL,
+	ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
 					 am2315_trigger_handler, NULL);
 	if (ret < 0) {
 		dev_err(&client->dev, "iio triggered buffer setup failed\n");


* [PATCH 4.7 075/184] iio: adc: at91: unbreak channel adc channel 3
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (69 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 074/184] iio: humidity: am2315: set up buffer timestamps for non-zero values Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 076/184] iio: humidity: hdc100x: fix sensor data reads of temp and humidity Greg Kroah-Hartman
                     ` (106 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anders Darander, Alexandre Belloni,
	Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anders Darander <anders@chargestorm.se>

commit c2ab447454d498e709d9011c0f2d2945ee321f9b upstream.

The driver always assumes that an input device has been created when
reading channel 3. This causes a kernel panic when dereferencing
st->ts_input.

The change was introduced in
commit 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens
without TSMR"). Earlier versions only entered that part of the if-else
statement if only the following flags are set:

AT91_ADC_IER_XRDY | AT91_ADC_IER_YRDY | AT91_ADC_IER_PRDY

Signed-off-by: Anders Darander <anders@chargestorm.se>
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/at91_adc.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/at91_adc.c
+++ b/drivers/iio/adc/at91_adc.c
@@ -381,8 +381,8 @@ static irqreturn_t at91_adc_rl_interrupt
 		st->ts_bufferedmeasure = false;
 		input_report_key(st->ts_input, BTN_TOUCH, 0);
 		input_sync(st->ts_input);
-	} else if (status & AT91_ADC_EOC(3)) {
-		/* Conversion finished */
+	} else if (status & AT91_ADC_EOC(3) && st->ts_input) {
+		/* Conversion finished and we've a touchscreen */
 		if (st->ts_bufferedmeasure) {
 			/*
 			 * Last measurement is always discarded, since it can
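
Review bot: the branch just above the changed one, in the unchanged context, also calls input_report_key(st->ts_input, BTN_TOUCH, 0) and input_sync(st->ts_input) with no NULL check; confirm its condition cannot be true when no input device was created, or guard it the same way. In the new condition, "status & AT91_ADC_EOC(3) && st->ts_input" is correct by precedence but wants parentheses around the bit test, and the changelog should say what now handles an EOC(3) status when ts_input is NULL.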


* [PATCH 4.7 076/184] iio: humidity: hdc100x: fix sensor data reads of temp and humidity
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (70 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 075/184] iio: adc: at91: unbreak channel adc channel 3 Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 077/184] iio: accel: bmc150: reset chip at init time Greg Kroah-Hartman
                     ` (105 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alison Schofield, Daniel Baluta,
	Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alison Schofield <amsfield22@gmail.com>

commit 0d9dcf852334b796bacc7020364afba3122db81e upstream.

Replace the i2c_smbus_read_byte commands used to retrieve the sensor
data with an i2c_master_recv command.

The smbus read byte method fails because the device does not expect a
stop condition after sending the first byte. When we issue the second
read, we are getting the first byte again. Net effect is that of the 14
bits used for the measurement, the 8 most significant bits are correct,
the lower 6 are not.

None of the smbus read protocols follow the pattern this device requires
(S Addr Rd [A] Data [A] Data NA P), hence the switch to an i2c receive
transaction.

Applicable from original introduction of this driver, but will require
backporting due to churn in the code.

Signed-off-by: Alison Schofield <amsfield22@gmail.com>
Cc: Daniel Baluta <daniel.baluta@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/humidity/hdc100x.c |   27 +++++++--------------------
 1 file changed, 7 insertions(+), 20 deletions(-)

--- a/drivers/iio/humidity/hdc100x.c
+++ b/drivers/iio/humidity/hdc100x.c
@@ -142,7 +142,7 @@ static int hdc100x_get_measurement(struc
 	struct i2c_client *client = data->client;
 	int delay = data->adc_int_us[chan->address];
 	int ret;
-	int val;
+	__be16 val;
 
 	/* start measurement */
 	ret = i2c_smbus_write_byte(client, chan->address);
@@ -154,26 +154,13 @@ static int hdc100x_get_measurement(struc
 	/* wait for integration time to pass */
 	usleep_range(delay, delay + 1000);
 
-	/*
-	 * i2c_smbus_read_word_data cannot() be used here due to the command
-	 * value not being understood and causes NAKs preventing any reading
-	 * from being accessed.
-	 */
-	ret = i2c_smbus_read_byte(client);
+	/* read measurement */
+	ret = i2c_master_recv(data->client, (char *)&val, sizeof(val));
 	if (ret < 0) {
-		dev_err(&client->dev, "cannot read high byte measurement");
+		dev_err(&client->dev, "cannot read sensor data\n");
 		return ret;
 	}
-	val = ret << 8;
-
-	ret = i2c_smbus_read_byte(client);
-	if (ret < 0) {
-		dev_err(&client->dev, "cannot read low byte measurement");
-		return ret;
-	}
-	val |= ret;
-
-	return val;
+	return be16_to_cpu(val);
 }
 
 static int hdc100x_get_heater_status(struct hdc100x_data *data)
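
Review bot: i2c_master_recv() returns the number of bytes received on success, so "if (ret < 0)" lets a short read through and be16_to_cpu(val) is then computed from a partly uninitialised "val"; check "ret != sizeof(val)" and return an error such as -EIO in that case. The call also passes data->client where the local "client" is already available.
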
@@ -272,8 +259,8 @@ static int hdc100x_probe(struct i2c_clie
 	struct iio_dev *indio_dev;
 	struct hdc100x_data *data;
 
-	if (!i2c_check_functionality(client->adapter,
-				I2C_FUNC_SMBUS_WORD_DATA | I2C_FUNC_SMBUS_BYTE))
+	if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_WORD_DATA |
+				     I2C_FUNC_SMBUS_BYTE | I2C_FUNC_I2C))
 		return -EOPNOTSUPP;
 
 	indio_dev = devm_iio_device_alloc(&client->dev, sizeof(*data));


* [PATCH 4.7 077/184] iio: accel: bmc150: reset chip at init time
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (71 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 076/184] iio: humidity: hdc100x: fix sensor data reads of temp and humidity Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 078/184] iio: fix pressure data output unit in hid-sensor-attributes Greg Kroah-Hartman
                     ` (104 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olof Johansson, Srinivas Pandruvada,
	Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Olof Johansson <olof@lixom.net>

commit 1c500840934a138bd6b13556c210516e9301fbee upstream.

In at least one known setup, the chip comes up in a state where reading
the chip ID returns garbage unless it's been reset, due to noise on the
wires during system boot.

All supported chips have the same reset method, and based on the
datasheets they all need 1.3 or 1.8ms to recover after reset. So, do
the conservative thing here and always reset the chip.

Signed-off-by: Olof Johansson <olof@lixom.net>
Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/accel/bmc150-accel-core.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/iio/accel/bmc150-accel-core.c
+++ b/drivers/iio/accel/bmc150-accel-core.c
@@ -67,6 +67,9 @@
 #define BMC150_ACCEL_REG_PMU_BW		0x10
 #define BMC150_ACCEL_DEF_BW			125
 
+#define BMC150_ACCEL_REG_RESET			0x14
+#define BMC150_ACCEL_RESET_VAL			0xB6
+
 #define BMC150_ACCEL_REG_INT_MAP_0		0x19
 #define BMC150_ACCEL_INT_MAP_0_BIT_SLOPE	BIT(2)
 
@@ -1497,6 +1500,14 @@ static int bmc150_accel_chip_init(struct
 	int ret, i;
 	unsigned int val;
 
+	/*
+	 * Reset chip to get it in a known good state. A delay of 1.8ms after
+	 * reset is required according to the data sheets of supported chips.
+	 */
+	regmap_write(data->regmap, BMC150_ACCEL_REG_RESET,
+		     BMC150_ACCEL_RESET_VAL);
+	usleep_range(1800, 2500);
+
 	ret = regmap_read(data->regmap, BMC150_ACCEL_REG_CHIP_ID, &val);
 	if (ret < 0) {
 		dev_err(dev, "Error: Reading chip id\n");
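
Review bot: the regmap_write() to BMC150_ACCEL_REG_RESET ignores its return value, so a bus failure during the reset only surfaces as the "Error: Reading chip id" message that follows; check the result and report the reset failure itself. The delay matches the changelog: usleep_range(1800, 2500) covers the 1.8 ms worst case it cites.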


* [PATCH 4.7 078/184] iio: fix pressure data output unit in hid-sensor-attributes
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (72 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 077/184] iio: accel: bmc150: reset chip at init time Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 079/184] iio: accel: kxsd9: Fix scaling bug Greg Kroah-Hartman
                     ` (103 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kweh, Hock Leong,
	Srinivas Pandruvada, Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kweh, Hock Leong <hock.leong.kweh@intel.com>

commit 36afb176d3c9580651d7f410ed7f000ec48b5137 upstream.

According to IIO ABI definition, IIO_PRESSURE data output unit is
kilopascal:
http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio

This patch fixes output unit of HID pressure sensor IIO driver from pascal to
kilopascal to follow IIO ABI definition.

Signed-off-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/common/hid-sensors/hid-sensor-attributes.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
@@ -56,8 +56,8 @@ static struct {
 	{HID_USAGE_SENSOR_ALS, 0, 1, 0},
 	{HID_USAGE_SENSOR_ALS, HID_USAGE_SENSOR_UNITS_LUX, 1, 0},
 
-	{HID_USAGE_SENSOR_PRESSURE, 0, 100000, 0},
-	{HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 1, 0},
+	{HID_USAGE_SENSOR_PRESSURE, 0, 100, 0},
+	{HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000},
 };
 
 static int pow_10(unsigned power)
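
Review bot: the two pressure rows change meaning with no comment, and the table's columns are unnamed in this hunk, so a reader cannot tell how "0, 1000" expresses the 1/1000 factor; add a short comment such as "Pa to kPa" beside the rows. Since this changes what userspace reads from an existing attribute by a factor of 1000, the changelog should flag it as a user-visible change for the stable tree.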


* [PATCH 4.7 079/184] iio: accel: kxsd9: Fix scaling bug
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (73 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 078/184] iio: fix pressure data output unit in hid-sensor-attributes Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 080/184] iio:core: fix IIO_VAL_FRACTIONAL sign handling Greg Kroah-Hartman
                     ` (102 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jonathan Cameron, Linus Walleij

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.

All the scaling of the KXSD9 involves multiplication with a
fraction number < 1.

However the scaling value returned from IIO_INFO_SCALE was
unpredictable as only the micros of the value was assigned, and
not the integer part, resulting in scaling like this:

$cat in_accel_scale
-1057462640.011978

Fix this by assigning zero to the integer part.

Tested-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/accel/kxsd9.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev
 		ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
 		if (ret < 0)
 			goto error_ret;
+		*val = 0;
 		*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
 		ret = IIO_VAL_INT_PLUS_MICRO;
 		break;
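
Review bot: "*val = 0" fixes the output, but the changelog undersells the bug: before this line the integer part printed in in_accel_scale was whatever the caller's variable happened to hold, so an uninitialised kernel value was readable from userspace through sysfs. Worth saying so in the changelog, and worth checking the other IIO_VAL_INT_PLUS_MICRO returns in kxsd9_read_raw() for the same omission.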


* [PATCH 4.7 080/184] iio:core: fix IIO_VAL_FRACTIONAL sign handling
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (74 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 079/184] iio: accel: kxsd9: Fix scaling bug Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 081/184] iio: ensure ret is initialized to zero before entering do loop Greg Kroah-Hartman
                     ` (101 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gregor Boirie, Lars-Peter Clausen,
	Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gregor Boirie <gregor.boirie@parrot.com>

commit 171c0091837c81ed5c949fec6966bb5afff2d1cf upstream.

7985e7c100 ("iio: Introduce a new fractional value type") introduced a
new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers
expressed by a numerator and denominator combination.

Formatting of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This
fails handling negative values properly since parameters are reevaluated
as unsigned values.
Fix this by using div_s64_rem() instead. Computed integer part will carry
properly signed value. Formatted fractional part will always be positive.

Fixes: 7985e7c100 ("iio: Introduce a new fractional value type")
Signed-off-by: Gregor Boirie <gregor.boirie@parrot.com>
Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/industrialio-core.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -532,9 +532,8 @@ ssize_t iio_format_value(char *buf, unsi
 			return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
 	case IIO_VAL_FRACTIONAL:
 		tmp = div_s64((s64)vals[0] * 1000000000LL, vals[1]);
-		vals[1] = do_div(tmp, 1000000000LL);
-		vals[0] = tmp;
-		return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
+		vals[0] = (int)div_s64_rem(tmp, 1000000000, &vals[1]);
+		return sprintf(buf, "%d.%09u\n", vals[0], abs(vals[1]));
 	case IIO_VAL_FRACTIONAL_LOG2:
 		tmp = (s64)vals[0] * 1000000000LL >> vals[1];
 		vals[1] = do_div(tmp, 1000000000LL);
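
Review bot: On the new `sprintf(buf, "%d.%09u\n", vals[0], abs(vals[1]))` line the sign is lost for results between -1 and 0: div_s64_rem() then yields an integer part of 0 and a negative remainder, so a value such as -1/2 is printed as 0.500000000. Consider handling the `vals[0] == 0 && vals[1] < 0` case explicitly with a "-0.%09u" format. The IIO_VAL_FRACTIONAL_LOG2 case in the context lines below still uses do_div() on a value derived from a signed vals[0], so it looks exposed to the same unsigned re-evaluation this patch fixes.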


* [PATCH 4.7 081/184] iio: ensure ret is initialized to zero before entering do loop
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (75 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 080/184] iio:core: fix IIO_VAL_FRACTIONAL sign handling Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 082/184] serial: 8250_mid: fix divide error bug if baud rate is 0 Greg Kroah-Hartman
                     ` (100 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Colin Ian King, Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit 5dba4b14bafe801083d01e1f400816df7e5a8f2e upstream.

A recent fix to iio_buffer_read_first_n_outer removed ret from being set by
a return from wait_event_interruptible and also added a continue in a loop
which causes the variable ret to not be set when it reaches the end of the
loop.  Fix this by initializing ret to zero.

Also remove extraneous white space at the end of the loop.

Fixes: fcf68f3c0bb2a5 ("fix sched WARNING "do not call blocking ops when !TASK_RUNNING")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/industrialio-buffer.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -110,7 +110,7 @@ ssize_t iio_buffer_read_first_n_outer(st
 	DEFINE_WAIT_FUNC(wait, woken_wake_function);
 	size_t datum_size;
 	size_t to_wait;
-	int ret;
+	int ret = 0;
 
 	if (!indio_dev->info)
 		return -ENODEV;
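
Review bot: Initializing `ret` at its declaration fixes the uninitialized read at `while (ret == 0)`, but it also silences the compiler for any path added later that forgets to set `ret`. Setting `ret = 0` immediately before the `continue` that the commit message describes would keep the fix next to the path that needs it.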
@@ -153,7 +153,7 @@ ssize_t iio_buffer_read_first_n_outer(st
 		ret = rb->access->read_first_n(rb, n, buf);
 		if (ret == 0 && (filp->f_flags & O_NONBLOCK))
 			ret = -EAGAIN;
-	 } while (ret == 0);
+	} while (ret == 0);
 	remove_wait_queue(&rb->pollq, &wait);
 
 	return ret;
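
Review bot: The `} while (ret == 0);` change is whitespace only and unrelated to the uninitialized-variable fix. For a stable backport it would be cleaner to leave it out, so the functional change is the only thing in the diff.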


* [PATCH 4.7 082/184] serial: 8250_mid: fix divide error bug if baud rate is 0
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (76 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 081/184] iio: ensure ret is initialized to zero before entering do loop Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 083/184] serial: 8250: added acces i/o products quad and octal serial cards Greg Kroah-Hartman
                     ` (99 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mendez Salinas, Fernando, Andy Shevchenko

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit 47b34d2ef266e2c283b514d65c8963c2ccd42474 upstream.

Since the commit c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by
formula for Intel MID"), the 8250 driver crashes in the byt_set_termios()
function with a divide error. This is caused by the fact that a baud rate of 0
(B0) is not handled properly. Fix it by falling back to B9600 in this case.

Reported-by: "Mendez Salinas, Fernando" <fernando.mendez.salinas@intel.com>
Fixes: c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/8250_mid.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/tty/serial/8250/8250_mid.c
+++ b/drivers/tty/serial/8250/8250_mid.c
@@ -154,6 +154,9 @@ static void mid8250_set_termios(struct u
 	unsigned long w = BIT(24) - 1;
 	unsigned long mul, div;
 
+	/* Gracefully handle the B0 case: fall back to B9600 */
+	fuart = fuart ? fuart : 9600 * 16;
+
 	if (mid->board->freq < fuart) {
 		/* Find prescaler value that satisfies Fuart < Fref */
 		if (mid->board->freq > baud)
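
Review bot: The fallback rewrites only `fuart`; `baud` itself is left at 0 and is still used in the `mid->board->freq > baud` comparison a few lines below, so the prescaler search runs with a baud value that no longer matches `fuart`. Consider substituting 9600 for a zero `baud` once, at the top of the function, and deriving `fuart` from that, rather than patching `fuart` with the open-coded `9600 * 16`.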


* [PATCH 4.7 083/184] serial: 8250: added acces i/o products quad and octal serial cards
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (77 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 082/184] serial: 8250_mid: fix divide error bug if baud rate is 0 Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 084/184] USB: serial: simple: add support for another Infineon flashloader Greg Kroah-Hartman
                     ` (98 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jimi Damon

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jimi Damon <jdamon@accesio.com>

commit c8d192428f52f244130b84650ad616df09f2b1e1 upstream.

Added device ids for acces i/o products quad and octal serial cards
that make use of existing Pericom PI7C9X7954 and PI7C9X7958
configurations.

Signed-off-by: Jimi Damon <jdamon@accesio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/8250_pci.c |  139 +++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1939,6 +1939,43 @@ pci_wch_ch38x_setup(struct serial_privat
 #define PCI_DEVICE_ID_PERICOM_PI7C9X7954	0x7954
 #define PCI_DEVICE_ID_PERICOM_PI7C9X7958	0x7958
 
+#define PCI_VENDOR_ID_ACCESIO			0x494f
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB	0x1051
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S	0x1053
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB	0x105C
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S	0x105E
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB	0x1091
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2	0x1093
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB	0x1099
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4	0x109B
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB	0x10D1
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM	0x10D3
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB	0x10DA
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM	0x10DC
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1	0x1108
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2	0x1110
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2	0x1111
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4	0x1118
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4	0x1119
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S	0x1152
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S	0x115A
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2	0x1190
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2	0x1191
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4	0x1198
+#define PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4	0x1199
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM	0x11D0
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4	0x105A
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4	0x105B
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8	0x106A
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8	0x106B
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4	0x1098
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8	0x10A9
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM	0x10D9
+#define PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM	0x10E9
+#define PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM	0x11D8
+
+
+
 /* Unknown vendors/cards - this should not be in linux/pci_ids.h */
 #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584	0x1584
 #define PCI_SUBDEVICE_ID_UNKNOWN_0x1588	0x1588
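
Review bot: The device-ID block is sorted by value down to `PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM 0x11D0`, then restarts at 0x105A, and it ends with three added blank lines. Sorting the whole list, or splitting it into two commented groups that match the two board configurations used in the table, would make duplicates and omissions easier to spot. One blank line before the "Unknown vendors/cards" comment is enough.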
@@ -5093,6 +5130,108 @@ static struct pci_device_id serial_pci_t
 		0,
 		0, pbn_pericom_PI7C9X7958 },
 	/*
+	 * ACCES I/O Products quad
+	 */
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7954 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_8,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	{	PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM,
+		PCI_ANY_ID, PCI_ANY_ID, 0, 0,
+		pbn_pericom_PI7C9X7958 },
+	/*
 	 * Topic TP560 Data/Fax/Voice 56k modem (reported by Evan Clarke)
 	 */
 	{	PCI_VENDOR_ID_TOPIC, PCI_DEVICE_ID_TOPIC_TP560,
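
Review bot: The table comment says only "ACCES I/O Products quad", but the last nine entries use pbn_pericom_PI7C9X7958, and the board choice does not obviously follow the device names. IDs such as PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB and PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1 are bound to pbn_pericom_PI7C9X7954, while PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4 and PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4 are bound to pbn_pericom_PI7C9X7958. If the numeric suffix is the port count, these cards would register more ports than they have; please confirm the mapping per card and extend the comment to cover the octal group.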


* [PATCH 4.7 084/184] USB: serial: simple: add support for another Infineon flashloader
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (78 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 083/184] serial: 8250: added acces i/o products quad and octal serial cards Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 085/184] usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON Greg Kroah-Hartman
                     ` (97 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniele Palmas, Johan Hovold

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniele Palmas <dnlplm@gmail.com>

commit f190fd92458da3e869b4e2c6289e2c617490ae53 upstream.

This patch adds support for Infineon flashloader 0x8087/0x0801.

The flashloader is used in Telit LE940B modem family with Telit
flashing application.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/usb-serial-simple.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -54,7 +54,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
 /* Infineon Flashloader driver */
 #define FLASHLOADER_IDS()		\
 	{ USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
-	{ USB_DEVICE(0x8087, 0x0716) }
+	{ USB_DEVICE(0x8087, 0x0716) }, \
+	{ USB_DEVICE(0x8087, 0x0801) }
 DEVICE(flashloader, FLASHLOADER_IDS);
 
 /* Google Serial USB SubClass */
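
Review bot: `USB_DEVICE(0x8087, 0x0801)` binds every interface of that device, whereas the first entry in FLASHLOADER_IDS is narrowed with USB_DEVICE_INTERFACE_CLASS. If the flashloader can expose more than one interface, a narrower match would avoid claiming interfaces meant for another driver. Either way, a short comment naming the Telit LE940B next to the new ID would document where it comes from.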


* [PATCH 4.7 085/184] usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (79 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 084/184] USB: serial: simple: add support for another Infineon flashloader Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 086/184] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition Greg Kroah-Hartman
                     ` (96 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yoshihiro Shimoda, Felipe Balbi

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit b2f1eaaee564c5593c303f4d15d827924cb6d20d upstream.

This driver should clear the bit. Otherwise, the VBUS will output
wrongly if the usb port on a board has VBUS output capability.

Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for
		      Renesas USB3.0 peripheral controller")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/udc/renesas_usb3.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -106,6 +106,7 @@
 
 /* DRD_CON */
 #define DRD_CON_PERI_CON	BIT(24)
+#define DRD_CON_VBOUT		BIT(0)
 
 /* USB_INT_ENA_1 and USB_INT_STA_1 */
 #define USB_INT_1_B3_PLLWKUP	BIT(31)
@@ -363,6 +364,7 @@ static void usb3_init_epc_registers(stru
 {
 	/* FIXME: How to change host / peripheral mode as well? */
 	usb3_set_bit(usb3, DRD_CON_PERI_CON, USB3_DRD_CON);
+	usb3_clear_bit(usb3, DRD_CON_VBOUT, USB3_DRD_CON);
 
 	usb3_write(usb3, ~0, USB3_USB_INT_STA_1);
 	usb3_enable_irq_1(usb3, USB_INT_1_VBUS_CNG);
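
Review bot: USB3_DRD_CON is now updated by two back-to-back helper calls, `usb3_set_bit(usb3, DRD_CON_PERI_CON, ...)` followed by `usb3_clear_bit(usb3, DRD_CON_VBOUT, ...)`, so between them peripheral mode is selected while VBOUT may still be set. Clearing VBOUT first, or updating both bits in a single write, closes that window. The FIXME above should also mention that the VBOUT handling has to be revisited if host mode is ever added.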


* [PATCH 4.7 086/184] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (80 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 085/184] usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 087/184] usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase Greg Kroah-Hartman
                     ` (95 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yoshihiro Shimoda, Felipe Balbi

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 upstream.

The previous driver is possible to stop the transfer wrongly.
For example:
 1) An interrupt happens, but not BRDY interruption.
 2) Read INTSTS0. And then state->intsts0 is not set to BRDY.
 3) BRDY is set to 1 here.
 4) Read BRDYSTS.
 5) Clear the BRDYSTS. And then the BRDY is cleared wrongly.

Remarks:
 - The INTSTS0.BRDY is read only.
  - If any bits of BRDYSTS are set to 1, the BRDY is set to 1.
  - If BRDYSTS is 0, the BRDY is set to 0.

So, this patch adds condition to avoid such situation. (And about
NRDYSTS, this is not used for now. But, avoiding any side effects,
this patch doesn't touch it.)

Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/renesas_usbhs/mod.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/usb/renesas_usbhs/mod.c
+++ b/drivers/usb/renesas_usbhs/mod.c
@@ -282,9 +282,16 @@ static irqreturn_t usbhs_interrupt(int i
 	if (usbhs_mod_is_host(priv))
 		usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC);
 
-	usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
+	/*
+	 * The driver should not clear the xxxSTS after the line of
+	 * "call irq callback functions" because each "if" statement is
+	 * possible to call the callback function for avoiding any side effects.
+	 */
+	if (irq_state.intsts0 & BRDY)
+		usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
 	usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts);
-	usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
+	if (irq_state.intsts0 & BEMP)
+		usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
 
 	/*
 	 * call irq callback functions
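
Review bot: The new comment block does not describe the condition that follows it. The checks `irq_state.intsts0 & BRDY` and `irq_state.intsts0 & BEMP` exist so that status bits raised after INTSTS0 was sampled are not cleared unseen, as the commit message explains, but the comment talks about callback ordering instead. Rewording it to say that BRDYSTS and BEMPSTS are written back only when the sampled INTSTS0 reported them, and noting why NRDYSTS is still cleared unconditionally, would make the intent clear to the next reader.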


* [PATCH 4.7 087/184] usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (81 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 086/184] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 088/184] ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) Greg Kroah-Hartman
                     ` (94 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Clemens Gruber, Peter Chen

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Clemens Gruber <clemens.gruber@pqgruber.com>

commit 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 upstream.

Problems with the signal integrity of the high speed USB data lines or
noise on reference ground lines can cause the i.MX6 USB controller to
violate USB specs and exhibit unexpected behavior.

It was observed that USBi_UI interrupts were triggered first and when
isr_setup_status_phase was called, ci->status was NULL, which led to a
NULL pointer dereference kernel panic.

This patch fixes the kernel panic, emits a warning once and returns
-EPIPE to halt the device and let the host get stalled.
It also adds a comment to point people, who are experiencing this issue,
to their USB hardware design.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/chipidea/udc.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/usb/chipidea/udc.c
+++ b/drivers/usb/chipidea/udc.c
@@ -949,6 +949,15 @@ static int isr_setup_status_phase(struct
 	int retval;
 	struct ci_hw_ep *hwep;
 
+	/*
+	 * Unexpected USB controller behavior, caused by bad signal integrity
+	 * or ground reference problems, can lead to isr_setup_status_phase
+	 * being called with ci->status equal to NULL.
+	 * If this situation occurs, you should review your USB hardware design.
+	 */
+	if (WARN_ON_ONCE(!ci->status))
+		return -EPIPE;
+
 	hwep = (ci->ep0_dir == TX) ? ci->ep0out : ci->ep0in;
 	ci->status->context = ci;
 	ci->status->complete = isr_setup_status_complete;
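
Review bot: `WARN_ON_ONCE(!ci->status)` is reachable from conditions outside the kernel's control (the commit message attributes it to signal integrity on the bus), and on systems booted with panic_on_warn a WARN is still a panic. A dev_warn_once() keeps the diagnostic without that side effect. The check also leaves open why the interrupt can be serviced while ci->status is NULL; a note on where ci->status is allocated and freed relative to interrupt enable would show whether this is the only place that needs the guard.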


* [PATCH 4.7 088/184] ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB)
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (82 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 087/184] usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 089/184] USB: change bInterval default to 10 ms Greg Kroah-Hartman
                     ` (93 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Griffin, Lee Jones, Patrice Chotard

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee.jones@linaro.org>

commit 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 upstream.

The STiH4{07,10} platform contains some interconnect clocks which are used
by various IPs.  If this clock isn't handled correctly by ST's EHCI/OHCI
drivers, their hub won't be found, the following error will be shown and the
result will be non-working USB:

  [   97.221963] hub 2-1:1.0: hub_ext_port_status failed (err = -110)

Tested-by: Peter Griffin <peter.griffin@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Acked-by: Patrice Chotard <patrice.chotard@st.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/stih410.dtsi |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/arch/arm/boot/dts/stih410.dtsi
+++ b/arch/arm/boot/dts/stih410.dtsi
@@ -41,7 +41,8 @@
 			compatible = "st,st-ohci-300x";
 			reg = <0x9a03c00 0x100>;
 			interrupts = <GIC_SPI 180 IRQ_TYPE_NONE>;
-			clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
+			clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
+				 <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
 			resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
 				 <&softreset STIH407_USB2_PORT0_SOFTRESET>;
 			reset-names = "power", "softreset";
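
Review bot: Each node gains a second `clocks` entry, CLK_RX_ICN_DISP_0, but no `clock-names`, although `resets` right below is paired with `reset-names`. Without names the drivers can only pick the clocks up by index, so the order TX then RX becomes an unstated contract. Adding `clock-names`, or a comment that the order is significant, would document it. The same applies to the other three hunks in this file.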
@@ -57,7 +58,8 @@
 			interrupts = <GIC_SPI 151 IRQ_TYPE_NONE>;
 			pinctrl-names = "default";
 			pinctrl-0 = <&pinctrl_usb0>;
-			clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
+			clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
+				 <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
 			resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
 				 <&softreset STIH407_USB2_PORT0_SOFTRESET>;
 			reset-names = "power", "softreset";
@@ -71,7 +73,8 @@
 			compatible = "st,st-ohci-300x";
 			reg = <0x9a83c00 0x100>;
 			interrupts = <GIC_SPI 181 IRQ_TYPE_NONE>;
-			clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
+			clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
+				 <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
 			resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
 				 <&softreset STIH407_USB2_PORT1_SOFTRESET>;
 			reset-names = "power", "softreset";
@@ -87,7 +90,8 @@
 			interrupts = <GIC_SPI 153 IRQ_TYPE_NONE>;
 			pinctrl-names = "default";
 			pinctrl-0 = <&pinctrl_usb1>;
-			clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
+			clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
+				 <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
 			resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
 				 <&softreset STIH407_USB2_PORT1_SOFTRESET>;
 			reset-names = "power", "softreset";


* [PATCH 4.7 089/184] USB: change bInterval default to 10 ms
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (83 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 088/184] ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 090/184] devpts: return NULL pts priv entry for non-devpts nodes Greg Kroah-Hartman
                     ` (92 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Wade Berrier

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 08c5cd37480f59ea39682f4585d92269be6b1424 upstream.

Some full-speed mceusb infrared transceivers contain invalid endpoint
descriptors for their interrupt endpoints, with bInterval set to 0.
In the past they have worked out okay with the mceusb driver, because
the driver sets the bInterval field in the descriptor to 1,
overwriting whatever value may have been there before.  However, this
approach was never sanctioned by the USB core, and in fact it does not
work with xHCI controllers, because they use the bInterval value that
was present when the configuration was installed.

Currently usbcore uses 32 ms as the default interval if the value in
the endpoint descriptor is invalid.  It turns out that these IR
transceivers don't work properly unless the interval is set to 10 ms
or below.  To work around this mceusb problem, this patch changes the
endpoint-descriptor parsing routine, making the default interval value
be 10 ms rather than 32 ms.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Wade Berrier <wberrier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/config.c |   28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -240,8 +240,10 @@ static int usb_parse_endpoint(struct dev
 	memcpy(&endpoint->desc, d, n);
 	INIT_LIST_HEAD(&endpoint->urb_list);
 
-	/* Fix up bInterval values outside the legal range. Use 32 ms if no
-	 * proper value can be guessed. */
+	/*
+	 * Fix up bInterval values outside the legal range.
+	 * Use 10 or 8 ms if no proper value can be guessed.
+	 */
 	i = 0;		/* i = min, j = max, n = default */
 	j = 255;
 	if (usb_endpoint_xfer_int(d)) {
@@ -250,13 +252,15 @@ static int usb_parse_endpoint(struct dev
 		case USB_SPEED_SUPER_PLUS:
 		case USB_SPEED_SUPER:
 		case USB_SPEED_HIGH:
-			/* Many device manufacturers are using full-speed
+			/*
+			 * Many device manufacturers are using full-speed
 			 * bInterval values in high-speed interrupt endpoint
-			 * descriptors. Try to fix those and fall back to a
-			 * 32 ms default value otherwise. */
+			 * descriptors. Try to fix those and fall back to an
+			 * 8-ms default value otherwise.
+			 */
 			n = fls(d->bInterval*8);
 			if (n == 0)
-				n = 9;	/* 32 ms = 2^(9-1) uframes */
+				n = 7;	/* 8 ms = 2^(7-1) uframes */
 			j = 16;
 
 			/*
@@ -271,10 +275,12 @@ static int usb_parse_endpoint(struct dev
 			}
 			break;
 		default:		/* USB_SPEED_FULL or _LOW */
-			/* For low-speed, 10 ms is the official minimum.
+			/*
+			 * For low-speed, 10 ms is the official minimum.
 			 * But some "overclocked" devices might want faster
-			 * polling so we'll allow it. */
-			n = 32;
+			 * polling so we'll allow it.
+			 */
+			n = 10;
 			break;
 		}
 	} else if (usb_endpoint_xfer_isoc(d)) {
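
Review bot: The comment above `n = 10;` still only explains why polling faster than 10 ms is tolerated for low-speed devices; it says nothing about why the default for an invalid bInterval is now 10. A sentence such as "default to 10 ms because some devices with bInterval 0 stop working at longer intervals" would keep the mceusb rationale from the commit message next to the value.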
@@ -282,10 +288,10 @@ static int usb_parse_endpoint(struct dev
 		j = 16;
 		switch (to_usb_device(ddev)->speed) {
 		case USB_SPEED_HIGH:
-			n = 9;		/* 32 ms = 2^(9-1) uframes */
+			n = 7;		/* 8 ms = 2^(7-1) uframes */
 			break;
 		default:		/* USB_SPEED_FULL */
-			n = 6;		/* 32 ms = 2^(6-1) frames */
+			n = 4;		/* 8 ms = 2^(4-1) frames */
 			break;
 		}
 	}
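
Review bot: The isochronous defaults change here as well (`n = 7` for high speed and `n = 4` otherwise, both 8 ms), but the commit message only motivates the interrupt-endpoint case. If the isochronous change is intentional, the changelog should say so and why; otherwise this hunk should be dropped from the patch.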


* [PATCH 4.7 090/184] devpts: return NULL pts priv entry for non-devpts nodes
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (84 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 089/184] USB: change bInterval default to 10 ms Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 091/184] cxl: use pcibios_free_controller_deferred() when removing vPHBs Greg Kroah-Hartman
                     ` (91 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov, Eric W Biederman,
	Linus Torvalds

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 3e423945ea94412283eaba8bfbe9d6e0a80b434f upstream.

In commit 8ead9dd54716 ("devpts: more pty driver interface cleanups") I
made devpts_get_priv() just return the dentry->fs_data directly.  And
because I thought it wouldn't happen, I added a warning if you ever saw
a pts node that wasn't on devpts.

And no, that warning never triggered under any actual real use, but you
can trigger it by creating nonsensical pts nodes by hand.

So just revert the warning, and make devpts_get_priv() return NULL for
that case like it used to.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: "Eric W Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/devpts/inode.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -584,7 +584,8 @@ struct dentry *devpts_pty_new(struct pts
  */
 void *devpts_get_priv(struct dentry *dentry)
 {
-	WARN_ON_ONCE(dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC);
+	if (dentry->d_sb->s_magic != DEVPTS_SUPER_MAGIC)
+		return NULL;
 	return dentry->d_fsdata;
 }
 
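Review bot: with the `s_magic` check now returning NULL instead of warning, every caller of devpts_get_priv() has to tolerate a NULL result, and none of the callers are visible in this hunk; they are worth auditing before this goes to stable, because the commit message says the non-devpts case can be produced by creating pts nodes by hand. The kernel-doc block that ends just above the function should also gain a line stating that NULL is returned for a dentry that is not on devpts. Dropping the WARN_ON_ONCE itself is right for a condition userspace can reach.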

* [PATCH 4.7 091/184] cxl: use pcibios_free_controller_deferred() when removing vPHBs
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (85 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 090/184] devpts: return NULL pts priv entry for non-devpts nodes Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 092/184] net: thunderx: Fix OOPs with ethtool --register-dump Greg Kroah-Hartman
                     ` (90 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Donnellan, Matthew R. Ochs,
	Ian Munsie, Benjamin Herrenschmidt

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>

commit 6f38a8b9a45833495dc878c335c5431cd98a16ed upstream.

When cxl removes a vPHB, it's possible that the pci_controller may be freed
before all references to the devices on the vPHB have been released. This
in turn causes an invalid memory access when the devices are eventually
released, as pcibios_release_device() attempts to call the phb's
release_device hook.

In cxl_pci_vphb_remove(), remove the existing call to
pcibios_free_controller(). Instead, use
pcibios_free_controller_deferred() to free the pci_controller after all
devices have been released. Export pci_set_host_bridge_release() so we can
do this.

Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Reviewed-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
Acked-by: Ian Munsie <imunsie@au1.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/cxl/vphb.c   |   10 +++++++++-
 drivers/pci/host-bridge.c |    1 +
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/misc/cxl/vphb.c
+++ b/drivers/misc/cxl/vphb.c
@@ -243,6 +243,11 @@ int cxl_pci_vphb_add(struct cxl_afu *afu
 	if (phb->bus == NULL)
 		return -ENXIO;
 
+	/* Set release hook on root bus */
+	pci_set_host_bridge_release(to_pci_host_bridge(phb->bus->bridge),
+				    pcibios_free_controller_deferred,
+				    (void *) phb);
+
 	/* Claim resources. This might need some rework as well depending
 	 * whether we are doing probe-only or not, like assigning unassigned
 	 * resources etc...
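
Review bot: once `pci_set_host_bridge_release()` has registered `pcibios_free_controller_deferred` for this phb, no later failure path in cxl_pci_vphb_add() may free phb directly, or it would be freed a second time when the bridge is released; the remainder of the function is outside this hunk and should be checked for that. Minor: the `(void *) phb` cast is unnecessary, since any object pointer converts to `void *` implicitly.
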
@@ -269,7 +274,10 @@ void cxl_pci_vphb_remove(struct cxl_afu
 	afu->phb = NULL;
 
 	pci_remove_root_bus(phb->bus);
-	pcibios_free_controller(phb);
+	/*
+	 * We don't free phb here - that's handled by
+	 * pcibios_free_controller_deferred()
+	 */
 }
 
 bool cxl_pci_is_vphb_device(struct pci_dev *dev)
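
Review bot: after this change the release hook may free phb as soon as the last device reference drops, which can be during `pci_remove_root_bus(phb->bus)` itself, so nothing added after that call may dereference phb. The new comment says where the free happens but not that constraint; one more sentence there would protect against a later edit reintroducing the invalid access the commit message describes.
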
--- a/drivers/pci/host-bridge.c
+++ b/drivers/pci/host-bridge.c
@@ -44,6 +44,7 @@ void pci_set_host_bridge_release(struct
 	bridge->release_fn = release_fn;
 	bridge->release_data = release_data;
 }
+EXPORT_SYMBOL_GPL(pci_set_host_bridge_release);
 
 void pcibios_resource_to_bus(struct pci_bus *bus, struct pci_bus_region *region,
 			     struct resource *res)

* [PATCH 4.7 092/184] net: thunderx: Fix OOPs with ethtool --register-dump
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (86 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 091/184] cxl: use pcibios_free_controller_deferred() when removing vPHBs Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 093/184] net: macb: Correct CAPS mask Greg Kroah-Hartman
                     ` (89 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Daney, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Daney <david.daney@cavium.com>

commit 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 upstream.

The ethtool_ops .get_regs function attempts to read the nonexistent
register NIC_QSET_SQ_0_7_CNM_CHG, which produces a "bus error" type
OOPs.

Fix by not attempting to read, and removing the definition of,
NIC_QSET_SQ_0_7_CNM_CHG.  A zero is written into the register dump to
keep the layout unchanged.

Signed-off-by: David Daney <david.daney@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/cavium/thunder/nic_reg.h       |    1 -
 drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c |    5 ++++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/cavium/thunder/nic_reg.h
+++ b/drivers/net/ethernet/cavium/thunder/nic_reg.h
@@ -170,7 +170,6 @@
 #define   NIC_QSET_SQ_0_7_DOOR			(0x010838)
 #define   NIC_QSET_SQ_0_7_STATUS		(0x010840)
 #define   NIC_QSET_SQ_0_7_DEBUG			(0x010848)
-#define   NIC_QSET_SQ_0_7_CNM_CHG		(0x010860)
 #define   NIC_QSET_SQ_0_7_STAT_0_1		(0x010900)
 
 #define   NIC_QSET_RBDR_0_1_CFG			(0x010C00)
--- a/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c
@@ -382,7 +382,10 @@ static void nicvf_get_regs(struct net_de
 		p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DOOR, q);
 		p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STATUS, q);
 		p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_DEBUG, q);
-		p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_CNM_CHG, q);
+		/* Padding, was NIC_QSET_SQ_0_7_CNM_CHG, which
+		 * produces bus errors when read
+		 */
+		p[i++] = 0;
 		p[i++] = nicvf_queue_reg_read(nic, NIC_QSET_SQ_0_7_STAT_0_1, q);
 		reg_offset = NIC_QSET_SQ_0_7_STAT_0_1 | (1 << 3);
 		p[i++] = nicvf_queue_reg_read(nic, reg_offset, q);
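
Review bot: the padding comment above `p[i++] = 0;` names NIC_QSET_SQ_0_7_CNM_CHG, but the same patch deletes that define from nic_reg.h, so the name no longer resolves to anything in the tree. Keeping the offset in the comment (0x010860, per the removed line) would let someone reading a register dump still identify the slot. Writing an explicit zero rather than dropping the slot is the right choice, since it keeps the dump layout unchanged as the commit message intends.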

* [PATCH 4.7 093/184] net: macb: Correct CAPS mask
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (87 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 092/184] net: thunderx: Fix OOPs with ethtool --register-dump Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 094/184] cpuset: make sure new tasks conform to the current config of the cpuset Greg Kroah-Hartman
                     ` (88 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harini Katakam, Nicolas Ferre,
	David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harini Katakam <harini.katakam@xilinx.com>

commit c518189567eaf42b2ec50a4d982484c8e38799f8 upstream.

USRIO and JUMBO CAPS have the same mask.
Fix the same.

Fixes: ce721a702197 ("net: ethernet: cadence-macb: Add disabled usrio caps")
Signed-off-by: Harini Katakam <harinik@xilinx.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/cadence/macb.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/cadence/macb.h
+++ b/drivers/net/ethernet/cadence/macb.h
@@ -403,11 +403,11 @@
 #define MACB_CAPS_USRIO_DEFAULT_IS_MII_GMII	0x00000004
 #define MACB_CAPS_NO_GIGABIT_HALF		0x00000008
 #define MACB_CAPS_USRIO_DISABLED		0x00000010
+#define MACB_CAPS_JUMBO				0x00000020
 #define MACB_CAPS_FIFO_MODE			0x10000000
 #define MACB_CAPS_GIGABIT_MODE_AVAILABLE	0x20000000
 #define MACB_CAPS_SG_DISABLED			0x40000000
 #define MACB_CAPS_MACB_IS_GEM			0x80000000
-#define MACB_CAPS_JUMBO				0x00000010
 
 /* Bit manipulation macros */
 #define MACB_BIT(name)					\
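
Review bot: moving `MACB_CAPS_JUMBO` to 0x00000020 changes behaviour for any code that tested it while it aliased `MACB_CAPS_USRIO_DISABLED` at 0x00000010, since until now setting either capability implied the other; the users of both flags are outside this hunk and should be checked to confirm none relied on that. The collision was easy to miss because JUMBO sat below the 0x80000000 entry, out of numeric order. Placing it in sequence, as done here, makes a duplicate value visible at a glance.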

* [PATCH 4.7 094/184] cpuset: make sure new tasks conform to the current config of the cpuset
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (88 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 093/184] net: macb: Correct CAPS mask Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 095/184] arm: dts: rockchip: add reset node for the exist saradc SoCs Greg Kroah-Hartman
                     ` (87 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zefan Li, Tejun Heo

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zefan Li <lizefan@huawei.com>

commit 06f4e94898918bcad00cdd4d349313a439d6911e upstream.

A new task inherits cpus_allowed and mems_allowed masks from its parent,
but if someone changes cpuset's config by writing to cpuset.cpus/cpuset.mems
before this new task is inserted into the cgroup's task list, the new task
won't be updated accordingly.

Signed-off-by: Zefan Li <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cpuset.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/kernel/cpuset.c
+++ b/kernel/cpuset.c
@@ -2078,6 +2078,20 @@ static void cpuset_bind(struct cgroup_su
 	mutex_unlock(&cpuset_mutex);
 }
 
+/*
+ * Make sure the new task conform to the current state of its parent,
+ * which could have been changed by cpuset just after it inherits the
+ * state from the parent and before it sits on the cgroup's task list.
+ */
+void cpuset_fork(struct task_struct *task)
+{
+	if (task_css_is_root(task, cpuset_cgrp_id))
+		return;
+
+	set_cpus_allowed_ptr(task, &current->cpus_allowed);
+	task->mems_allowed = current->mems_allowed;
+}
+
 struct cgroup_subsys cpuset_cgrp_subsys = {
 	.css_alloc	= cpuset_css_alloc,
 	.css_online	= cpuset_css_online,
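
Review bot: `cpuset_fork()` is defined without `static`, yet the only use visible in this patch is the `.fork = cpuset_fork` initializer in the same file; unless a prototype exists in a header, it should be declared static. The return value of `set_cpus_allowed_ptr()` is also discarded, so a failure would leave the child with the affinity it inherited earlier, which is the situation this callback is meant to correct; a comment saying why that is acceptable would help. Typo in the new comment: "conform" should be "conforms".
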
@@ -2088,6 +2102,7 @@ struct cgroup_subsys cpuset_cgrp_subsys
 	.attach		= cpuset_attach,
 	.post_attach	= cpuset_post_attach,
 	.bind		= cpuset_bind,
+	.fork		= cpuset_fork,
 	.legacy_cftypes	= files,
 	.early_init	= true,
 };

* [PATCH 4.7 095/184] arm: dts: rockchip: add reset node for the exist saradc SoCs
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (89 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 094/184] cpuset: make sure new tasks conform to the current config of the cpuset Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 096/184] ARM: AM43XX: hwmod: Fix RSTST register offset for pruss Greg Kroah-Hartman
                     ` (86 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Caesar Wang, Heiko Stuebner,
	Jonathan Cameron

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Caesar Wang <wxt@rock-chips.com>

commit 3d4267a5a3a4b7619b80ad1839d8b3bedd8b7a8d upstream.

SARADC controller needs to be reset before programming it, otherwise
it will not function properly.

Signed-off-by: Caesar Wang <wxt@rock-chips.com>
Acked-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/rk3066a.dtsi |    2 ++
 arch/arm/boot/dts/rk3288.dtsi  |    2 ++
 arch/arm/boot/dts/rk3xxx.dtsi  |    2 ++
 3 files changed, 6 insertions(+)

--- a/arch/arm/boot/dts/rk3066a.dtsi
+++ b/arch/arm/boot/dts/rk3066a.dtsi
@@ -197,6 +197,8 @@
 		clock-names = "saradc", "apb_pclk";
 		interrupts = <GIC_SPI 21 IRQ_TYPE_LEVEL_HIGH>;
 		#io-channel-cells = <1>;
+		resets = <&cru SRST_SARADC>;
+		reset-names = "saradc-apb";
 		status = "disabled";
 	};
 
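Review bot: the added `resets = <&cru SRST_SARADC>;` and `reset-names = "saradc-apb";` only take effect if the SARADC driver requests a reset by that exact name, and no driver change is part of this patch; please confirm the driver side is already in 4.7.y, otherwise the reset the commit message calls for never happens. The same two properties are added in rk3288.dtsi and rk3xxx.dtsi below, so the question applies to all three files.
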
--- a/arch/arm/boot/dts/rk3288.dtsi
+++ b/arch/arm/boot/dts/rk3288.dtsi
@@ -279,6 +279,8 @@
 		#io-channel-cells = <1>;
 		clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
 		clock-names = "saradc", "apb_pclk";
+		resets = <&cru SRST_SARADC>;
+		reset-names = "saradc-apb";
 		status = "disabled";
 	};
 
--- a/arch/arm/boot/dts/rk3xxx.dtsi
+++ b/arch/arm/boot/dts/rk3xxx.dtsi
@@ -399,6 +399,8 @@
 		#io-channel-cells = <1>;
 		clocks = <&cru SCLK_SARADC>, <&cru PCLK_SARADC>;
 		clock-names = "saradc", "apb_pclk";
+		resets = <&cru SRST_SARADC>;
+		reset-names = "saradc-apb";
 		status = "disabled";
 	};
 

* [PATCH 4.7 096/184] ARM: AM43XX: hwmod: Fix RSTST register offset for pruss
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (90 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 095/184] arm: dts: rockchip: add reset node for the exist saradc SoCs Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 097/184] ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul Greg Kroah-Hartman
                     ` (85 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Keerthy, Tony Lindgren

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Keerthy <j-keerthy@ti.com>

commit b00ccf5b684992829610d162e78a7836933a1b19 upstream.

pruss hwmod RSTST register wrongly points to PWRSTCTRL register in case of
am43xx. Fix the RSTST register offset value.

This can lead to setting of wrong power state values for PER domain.

Fixes: 1c7e224d ("ARM: OMAP2+: hwmod: AM335x: runtime register update")
Signed-off-by: Keerthy <j-keerthy@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c |    1 +
 arch/arm/mach-omap2/prcm43xx.h                          |    1 +
 2 files changed, 2 insertions(+)

--- a/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
@@ -1476,6 +1476,7 @@ static void omap_hwmod_am43xx_rst(void)
 {
 	RSTCTRL(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTCTRL_OFFSET);
 	RSTCTRL(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTCTRL_OFFSET);
+	RSTST(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTST_OFFSET);
 	RSTST(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTST_OFFSET);
 }
 
--- a/arch/arm/mach-omap2/prcm43xx.h
+++ b/arch/arm/mach-omap2/prcm43xx.h
@@ -39,6 +39,7 @@
 
 /* RM RSTST offsets */
 #define AM43XX_RM_GFX_RSTST_OFFSET			0x0014
+#define AM43XX_RM_PER_RSTST_OFFSET			0x0014
 #define AM43XX_RM_WKUP_RSTST_OFFSET			0x0014
 
 /* CM instances */

* [PATCH 4.7 097/184] ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (91 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 096/184] ARM: AM43XX: hwmod: Fix RSTST register offset for pruss Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 098/184] ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx Greg Kroah-Hartman
                     ` (84 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Chen, Anson Huang, Shawn Guo

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@nxp.com>

commit f5a49057c71433e35a4712ab8d8f00641b3e1ec0 upstream.

There is a missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul;
without it, the "standby" mode can't work well and the system can't be
resumed.

With this commit, the "standby" mode works well.

Signed-off-by: Peter Chen <peter.chen@nxp.com>
Cc: Anson Huang <anson.huang@nxp.com>
Fixes: ee4a5f838c84 ("ARM: imx: add suspend/resume support for i.mx6ul")
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-imx/pm-imx6.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-imx/pm-imx6.c
+++ b/arch/arm/mach-imx/pm-imx6.c
@@ -295,7 +295,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m
 		val &= ~BM_CLPCR_SBYOS;
 		if (cpu_is_imx6sl())
 			val |= BM_CLPCR_BYPASS_PMIC_READY;
-		if (cpu_is_imx6sl() || cpu_is_imx6sx())
+		if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul())
 			val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
 		else
 			val |= BM_CLPCR_BYP_MMDC_CH1_LPM_HS;
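
Review bot: the `else` branch after the extended `cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul()` test applies BM_CLPCR_BYP_MMDC_CH1_LPM_HS to every SoC not listed, so a variant missing from the list silently gets the CH1 bit, which is the situation this patch corrects for imx6ul. The same three-way test is visible as context in patch 098 of this series, so the list lives in at least two places in imx6_set_lpm(); a small helper for the test would keep them from drifting apart the next time a variant is added.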

* [PATCH 4.7 098/184] ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (92 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 097/184] ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 099/184] ARM: kirkwood: ib62x0: fix size of u-boot environment partition Greg Kroah-Hartman
                     ` (83 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anson Huang, Peter Chen, Shawn Guo

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anson Huang <Anson.Huang@nxp.com>

commit 8aade778f787305fdbfd3c1d54e6b583601b5902 upstream.

i.MX6SX has a bypass PMIC ready function. As this function
is normally NOT enabled on the board design, we need
to bypass the PMIC ready pin check during the DSM mode resume
flow; otherwise, the internal DSM resume logic will be
waiting for this signal to be ready forever and cause
resume to fail.

Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx")
Tested-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-imx/pm-imx6.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-imx/pm-imx6.c
+++ b/arch/arm/mach-imx/pm-imx6.c
@@ -310,7 +310,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m
 		val |= 0x3 << BP_CLPCR_STBY_COUNT;
 		val |= BM_CLPCR_VSTBY;
 		val |= BM_CLPCR_SBYOS;
-		if (cpu_is_imx6sl())
+		if (cpu_is_imx6sl() || cpu_is_imx6sx())
 			val |= BM_CLPCR_BYPASS_PMIC_READY;
 		if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul())
 			val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
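
Review bot: adding `cpu_is_imx6sx()` to the BM_CLPCR_BYPASS_PMIC_READY test makes the bypass unconditional for every i.MX6SX board, while the commit message says the PMIC ready function is only "normally" not enabled on the board design. If a board does use the pin, this silently disables the check for it; a comment at this line stating that assumption, or a board-level opt-out, would make the trade-off explicit.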

* [PATCH 4.7 099/184] ARM: kirkwood: ib62x0: fix size of u-boot environment partition
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (93 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 098/184] ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 100/184] ARM: OMAP3: hwmod data: Add sysc information for DSI Greg Kroah-Hartman
                     ` (82 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Simon Baatz, Jason Cooper,
	Andrew Lunn, Gregory Clement, Sebastian Hesselbarth, Luka Perkov

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Baatz <gmbnomis@gmail.com>

commit a778937888867aac17a33887d1c429120790fbc2 upstream.

Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment
partition") split the "u-boot" partition into "u-boot" and "u-boot
environment".  However, instead of the size of the environment, an offset
was given, resulting in overlapping partitions.

Signed-off-by: Simon Baatz <gmbnomis@gmail.com>
Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition")
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Gregory Clement <gregory.clement@free-electrons.com>
Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Cc: Luka Perkov <luka@openwrt.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/kirkwood-ib62x0.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
+++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
@@ -113,7 +113,7 @@
 
 	partition@e0000 {
 		label = "u-boot environment";
-		reg = <0xe0000 0x100000>;
+		reg = <0xe0000 0x20000>;
 	};
 
 	partition@100000 {
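
Review bot: the new size in `reg = <0xe0000 0x20000>;` should be confirmed against the environment size the board's u-boot actually uses, which is not visible in this hunk; the arithmetic itself checks out, since 0xe0000 + 0x20000 = 0x100000 is exactly where `partition@100000` begins. With the old size the partition reached 0x1e0000, so an erase or write through the environment partition could land inside the next one, and systems that ran the broken layout may want to verify that partition's contents.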

* [PATCH 4.7 100/184] ARM: OMAP3: hwmod data: Add sysc information for DSI
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (94 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 099/184] ARM: kirkwood: ib62x0: fix size of u-boot environment partition Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 101/184] ARM: dts: kirkwood: Fix PCIe label on OpenRD Greg Kroah-Hartman
                     ` (81 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sebastian Reichel, Tony Lindgren

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Reichel <sre@kernel.org>

commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream.

Add missing sysconfig/sysstatus information
to OMAP3 hwmod. The information has been
checked against OMAP34xx and OMAP36xx TRM.

Without this change DSI block is not reset
during boot, which is required for working
Nokia N950 display.

Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-omap2/omap_hwmod_3xxx_data.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
@@ -722,8 +722,20 @@ static struct omap_hwmod omap3xxx_dss_di
  * display serial interface controller
  */
 
+static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
+	.rev_offs	= 0x0000,
+	.sysc_offs	= 0x0010,
+	.syss_offs	= 0x0014,
+	.sysc_flags	= (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
+			   SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
+			   SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
+	.idlemodes	= (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
+	.sysc_fields	= &omap_hwmod_sysc_type1,
+};
+
 static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
 	.name = "dsi",
+	.sysc	= &omap3xxx_dsi_sysc,
 };
 
 static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
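
Review bot: attaching `omap3xxx_dsi_sysc` with SYSC_HAS_SOFTRESET to the shared `omap3xxx_dsi_hwmod_class` changes boot behaviour for every OMAP3 board, not only the Nokia N950 named in the commit message, because the DSI block will now be reset during boot; boards that rely on display state left by the bootloader should be tested. Style: the existing `.name = "dsi",` initializer uses a space before the equals sign while the added `.sysc` line uses a tab, so the two members of the struct are no longer formatted consistently.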

* [PATCH 4.7 101/184] ARM: dts: kirkwood: Fix PCIe label on OpenRD
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (95 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 100/184] ARM: OMAP3: hwmod data: Add sysc information for DSI Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 102/184] ARM: dts: imx6qdl: Fix SPDIF regression Greg Kroah-Hartman
                     ` (80 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Andrew Lunn, Gregory CLEMENT

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gregory CLEMENT <gregory.clement@free-electrons.com>

commit c721da1d05760ad0b4e7670896dae31b6b07d8d6 upstream.

While converting PCIe node on kirkwood by using label, the following
commit eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings")
introduced a regression on the OpenRD boards: the PCIe didn't work
anymore. As reported by Aaro Koskinen, the display/framebuffer was
lost. This commit adds the forgotten label.

Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Fixes: eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/kirkwood-openrd.dtsi |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/arm/boot/dts/kirkwood-openrd.dtsi
+++ b/arch/arm/boot/dts/kirkwood-openrd.dtsi
@@ -116,6 +116,10 @@
 	};
 };
 
+&pciec {
+	status = "okay";
+};
+
 &pcie0 {
 	status = "okay";
 };

* [PATCH 4.7 102/184] ARM: dts: imx6qdl: Fix SPDIF regression
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (96 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 101/184] ARM: dts: kirkwood: Fix PCIe label on OpenRD Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 103/184] ARM: dts: armada-388-clearfog: number LAN ports properly Greg Kroah-Hartman
                     ` (79 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xavi Drudis Ferran, Fabio Estevam, Shawn Guo

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fabio Estevam <fabio.estevam@nxp.com>

commit f065e9e4addd75c21bb976bb2558648bf4f61de6 upstream.

Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
changed many more clocks than only the SPDIF core clock as stated in
the commit message.

The MLB clock has been added and this causes SPDIF regression as
reported by Xavi Drudis Ferran and also in this forum post:
https://forum.digikey.com/thread/34240

The MX6Q Reference Manual does not mention that MLB is a clock related
to SPDIF, so change it back to a dummy clock to restore SPDIF
functionality.

Thanks to Ambika for providing the fix at:
https://community.nxp.com/thread/387131

Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
Reported-by: Xavi Drudis Ferran <xdrudis@tinet.cat>
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Tested-by:  Xavi Drudis Ferran <xdrudis@tinet.cat>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6qdl.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/imx6qdl.dtsi
+++ b/arch/arm/boot/dts/imx6qdl.dtsi
@@ -242,7 +242,7 @@
 					clocks = <&clks IMX6QDL_CLK_SPDIF_GCLK>, <&clks IMX6QDL_CLK_OSC>,
 						 <&clks IMX6QDL_CLK_SPDIF>, <&clks IMX6QDL_CLK_ASRC>,
 						 <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_ESAI_EXTAL>,
-						 <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_MLB>,
+						 <&clks IMX6QDL_CLK_IPG>, <&clks IMX6QDL_CLK_DUMMY>,
 						 <&clks IMX6QDL_CLK_DUMMY>, <&clks IMX6QDL_CLK_SPBA>;
 					clock-names = "core",  "rxtx0",
 						      "rxtx1", "rxtx2",

* [PATCH 4.7 103/184] ARM: dts: armada-388-clearfog: number LAN ports properly
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (97 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 102/184] ARM: dts: imx6qdl: Fix SPDIF regression Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 104/184] ARM: dts: overo: fix gpmc nand cs0 range Greg Kroah-Hartman
                     ` (78 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Andrew Lunn, Gregory CLEMENT

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit d9fd3c918114cfd3995947339549c7341181efb0 upstream.

Currently, the ports as seen from the rear number as:

	eth0 sfp lan5 lan4 lan3 lan2 lan1 lan6

which is illogical - this came about because the rev 2.0 boards have the
LEDs on the front for the DSA switch (lan5-1) reversed.  Rev 2.1 boards
fixed the LED issue, and the Clearfog case numbers the lan ports
increasing from left to right.

Maintaining this illogical numbering causes confusion, with reports that
"my link isn't coming up" and "my connection negotiates 10base-Half"
both of which are due to people thinking that the port next to the SFP
is lan1.

Fix this by renumbering the ports to match people's expectations.

[gregory.clement@free-electrons.com: added the Fixes and stable tags]

Fixes: 4c945e8556ec ("ARM: dts: Add SolidRun Armada 388 Clearfog A1 DT
file")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/armada-388-clearfog.dts |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm/boot/dts/armada-388-clearfog.dts
+++ b/arch/arm/boot/dts/armada-388-clearfog.dts
@@ -406,12 +406,12 @@
 
 			port@0 {
 				reg = <0>;
-				label = "lan1";
+				label = "lan5";
 			};
 
 			port@1 {
 				reg = <1>;
-				label = "lan2";
+				label = "lan4";
 			};
 
 			port@2 {
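
Review bot: swapping the `label` values on port@0 and port@1 here (and on port@3 and port@4 in the next hunk) renames the netdevs that userspace sees, so on an existing install any configuration keyed on lan1, lan2, lan4 or lan5, including firewall rules and bridge membership, will apply to a different physical port after this update without any error. That is a notable change to carry in a stable release and deserves an explicit mention in release notes. It would also help to state that the `reg` values are unchanged, so nobody assumes the switch port numbering moved too.
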
@@ -421,12 +421,12 @@
 
 			port@3 {
 				reg = <3>;
-				label = "lan4";
+				label = "lan2";
 			};
 
 			port@4 {
 				reg = <4>;
-				label = "lan5";
+				label = "lan1";
 			};
 
 			port@5 {

* [PATCH 4.7 104/184] ARM: dts: overo: fix gpmc nand cs0 range
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (98 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 103/184] ARM: dts: armada-388-clearfog: number LAN ports properly Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 105/184] ARM: dts: overo: fix gpmc nand on boards with ethernet Greg Kroah-Hartman
                     ` (77 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Tony Lindgren

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 5e0568dfbfb8c13cdb69c9fd06d600593ad4b430 upstream.

The gpmc ranges property for NAND at CS0 has been broken since it was
first added.

This currently prevents the nand gpmc child node from being probed:

	omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has
	malformed 'reg' property

and consequently the NAND device from being registered.

Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/omap3-overo-base.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/omap3-overo-base.dtsi
+++ b/arch/arm/boot/dts/omap3-overo-base.dtsi
@@ -223,7 +223,7 @@
 };
 
 &gpmc {
-	ranges = <0 0 0x00000000 0x20000000>;
+	ranges = <0 0 0x30000000 0x1000000>;	/* CS0 */
 
 	nand@0,0 {
 		compatible = "ti,omap2-nand";
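Review bot: the new ranges value on &gpmc is a single-entry property, so any board dtsi included later that also sets ranges on &gpmc replaces it and drops the CS0 window again; the next patch in this series (105/184) describes exactly that failure. For the stable queue the two should be applied together, and the commit message here would do well to say so. Minor: the size is written 0x1000000 next to an eight-digit base; 0x01000000 would make the 16 MiB window easier to read.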


* [PATCH 4.7 105/184] ARM: dts: overo: fix gpmc nand on boards with ethernet
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (99 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 104/184] ARM: dts: overo: fix gpmc nand cs0 range Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 106/184] ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI Greg Kroah-Hartman
                     ` (76 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Tony Lindgren

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 153b58ea932b2d0642fa5cd41c93bb0555f3f09b upstream.

The gpmc ranges property for NAND at CS0 was being overridden by later
includes that defined gpmc ethernet nodes, effectively breaking NAND on
these systems:

	omap-gpmc 6e000000.gpmc: /ocp/gpmc@6e000000/nand@0,0 has
	malformed 'reg' property

Instead of redefining the NAND range in every such dtsi, define all
currently used ranges in omap3-overo-base.dtsi.

Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/omap3-overo-base.dtsi              |    4 +++-
 arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi |    2 --
 arch/arm/boot/dts/omap3-overo-tobi-common.dtsi       |    2 --
 arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi    |    3 ---
 4 files changed, 3 insertions(+), 8 deletions(-)

--- a/arch/arm/boot/dts/omap3-overo-base.dtsi
+++ b/arch/arm/boot/dts/omap3-overo-base.dtsi
@@ -223,7 +223,9 @@
 };
 
 &gpmc {
-	ranges = <0 0 0x30000000 0x1000000>;	/* CS0 */
+	ranges = <0 0 0x30000000 0x1000000>,	/* CS0 */
+		 <4 0 0x2b000000 0x1000000>,	/* CS4 */
+		 <5 0 0x2c000000 0x1000000>;	/* CS5 */
 
 	nand@0,0 {
 		compatible = "ti,omap2-nand";
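Review bot: with CS4 and CS5 now listed in omap3-overo-base.dtsi, every Overo board carries those translations whether or not it has a device on them, and the fix still depends on no later include setting ranges on &gpmc again. A comment above the property saying that all chip-select ranges must be listed here and not overridden in board files would keep the next ethernet dtsi from reintroducing the malformed 'reg' failure.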
--- a/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi
+++ b/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi
@@ -55,8 +55,6 @@
 #include "omap-gpmc-smsc9221.dtsi"
 
 &gpmc {
-	ranges = <5 0 0x2c000000 0x1000000>;	/* CS5 */
-
 	ethernet@gpmc {
 		reg = <5 0 0xff>;
 		interrupt-parent = <&gpio6>;
--- a/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi
+++ b/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi
@@ -27,8 +27,6 @@
 #include "omap-gpmc-smsc9221.dtsi"
 
 &gpmc {
-	ranges = <5 0 0x2c000000 0x1000000>;	/* CS5 */
-
 	ethernet@gpmc {
 		reg = <5 0 0xff>;
 		interrupt-parent = <&gpio6>;
--- a/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi
+++ b/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi
@@ -15,9 +15,6 @@
 #include "omap-gpmc-smsc9221.dtsi"
 
 &gpmc {
-	ranges = <4 0 0x2b000000 0x1000000>,	/* CS4 */
-		 <5 0 0x2c000000 0x1000000>;	/* CS5 */
-
 	smsc1: ethernet@gpmc {
 		reg = <5 0 0xff>;
 		interrupt-parent = <&gpio6>;


* [PATCH 4.7 106/184] ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (100 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 105/184] ARM: dts: overo: fix gpmc nand on boards with ethernet Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 107/184] bus: arm-ccn: Fix PMU handling of MN Greg Kroah-Hartman
                     ` (75 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Griffin, Lee Jones, Patrice Chotard

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee.jones@linaro.org>

commit 78567f135d9bbbaf4538f63656d3e4d957c35fe9 upstream.

The STiH4{07,10} platform contains some interconnect clocks which are used
by various IPs.  If these clocks aren't handled correctly by ST's SDHCI
driver MMC will break and the following output can be observed:

[   13.916949] mmc0: Timeout waiting for hardware interrupt.
[   13.922349] sdhci: =========== REGISTER DUMP (mmc0)===========
[   13.928175] sdhci: Sys addr: 0x00000000 | Version:  0x00001002
[   13.933999] sdhci: Blk size: 0x00007040 | Blk cnt:  0x00000001
[   13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013
[   13.945650] sdhci: Present:  0x1fff0206 | Host ctl: 0x00000011
[   13.951475] sdhci: Power:    0x0000000f | Blk gap:  0x00000080
[   13.957300] sdhci: Wake-up:  0x00000000 | Clock:    0x00003f07
[   13.963126] sdhci: Timeout:  0x00000004 | Int stat: 0x00000000
[   13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b
[   13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000
[   13.980602] sdhci: Caps:     0x21ed3281 | Caps_1:   0x00000000
[   13.986428] sdhci: Cmd:      0x0000063a | Max curr: 0x00000000
[   13.992252] sdhci: Host ctl2: 0x00000000
[   13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200
[   14.001990] sdhci: ===========================================
[   14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress.

Tested-by: Peter Griffin <peter.griffin@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Acked-by: Patrice Chotard <patrice.chotard@st.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/stih407-family.dtsi |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/arch/arm/boot/dts/stih407-family.dtsi
+++ b/arch/arm/boot/dts/stih407-family.dtsi
@@ -550,8 +550,9 @@
 			interrupt-names = "mmcirq";
 			pinctrl-names = "default";
 			pinctrl-0 = <&pinctrl_mmc0>;
-			clock-names = "mmc";
-			clocks = <&clk_s_c0_flexgen CLK_MMC_0>;
+			clock-names = "mmc", "icn";
+			clocks = <&clk_s_c0_flexgen CLK_MMC_0>,
+				 <&clk_s_c0_flexgen CLK_RX_ICN_HVA>;
 			bus-width = <8>;
 			non-removable;
 		};
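Review bot: the second clock, named "icn", does nothing unless the ST SDHCI driver actually requests it, and neither the driver change nor a binding update for the new clock-names entry is part of this patch; the stable queue needs the matching driver commit or this hunk alone will not cure the timeout shown in the commit message. A short comment on why the MMC node depends on CLK_RX_ICN_HVA would also help, since the name does not suggest an MMC clock. The same applies to the hunk that follows.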
@@ -565,8 +566,9 @@
 			interrupt-names = "mmcirq";
 			pinctrl-names = "default";
 			pinctrl-0 = <&pinctrl_sd1>;
-			clock-names = "mmc";
-			clocks = <&clk_s_c0_flexgen CLK_MMC_1>;
+			clock-names = "mmc", "icn";
+			clocks = <&clk_s_c0_flexgen CLK_MMC_1>,
+				 <&clk_s_c0_flexgen CLK_RX_ICN_HVA>;
 			resets = <&softreset STIH407_MMC1_SOFTRESET>;
 			bus-width = <4>;
 		};


* [PATCH 4.7 107/184] bus: arm-ccn: Fix PMU handling of MN
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (101 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 106/184] ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 108/184] bus: arm-ccn: Do not attempt to configure XPs for cycle counter Greg Kroah-Hartman
                     ` (74 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pawel Moll

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pawel Moll <pawel.moll@arm.com>

commit 4e486cba285ff06a1f28f0fc2991dde1482d1dcf upstream.

The "Miscellaneous Node" fell through cracks of node initialisation,
as its ID is shared with HN-I.

This patch treats MN as a special case (which it is), adding separate
validation check for it and pre-defining the node ID in relevant events
descriptions. That way one can simply run:

	# perf stat -a -e ccn/mn_ecbarrier/ <workload>

Additionally, direction in the MN pseudo-events XP watchpoint
definitions is corrected to be "TX" (1) as they are defined from the
crosspoint point of view (thus barriers are transmitted from XP to MN).

Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-ccn.c |   19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -187,6 +187,7 @@ struct arm_ccn {
 	struct arm_ccn_component *xp;
 
 	struct arm_ccn_dt dt;
+	int mn_id;
 };
 
 
@@ -326,6 +327,7 @@ struct arm_ccn_pmu_event {
 static ssize_t arm_ccn_pmu_event_show(struct device *dev,
 		struct device_attribute *attr, char *buf)
 {
+	struct arm_ccn *ccn = pmu_to_arm_ccn(dev_get_drvdata(dev));
 	struct arm_ccn_pmu_event *event = container_of(attr,
 			struct arm_ccn_pmu_event, attr);
 	ssize_t res;
@@ -352,6 +354,9 @@ static ssize_t arm_ccn_pmu_event_show(st
 			res += snprintf(buf + res, PAGE_SIZE - res,
 					",cmp_l=?,cmp_h=?,mask=?");
 		break;
+	case CCN_TYPE_MN:
+		res += snprintf(buf + res, PAGE_SIZE - res, ",node=%d", ccn->mn_id);
+		break;
 	default:
 		res += snprintf(buf + res, PAGE_SIZE - res, ",node=?");
 		break;
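Review bot: the added snprintf() line in the CCN_TYPE_MN case runs past 80 columns, whereas the neighbouring calls wrap the format string onto a continuation line; wrap it the same way. The value printed here is only meaningful if ccn->mn_id was set during node initialisation, which this function does not check.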
@@ -381,9 +386,9 @@ static umode_t arm_ccn_pmu_events_is_vis
 }
 
 static struct arm_ccn_pmu_event arm_ccn_pmu_events[] = {
-	CCN_EVENT_MN(eobarrier, "dir=0,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE),
-	CCN_EVENT_MN(ecbarrier, "dir=0,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE),
-	CCN_EVENT_MN(dvmop, "dir=0,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE),
+	CCN_EVENT_MN(eobarrier, "dir=1,vc=0,cmp_h=0x1c00", CCN_IDX_MASK_OPCODE),
+	CCN_EVENT_MN(ecbarrier, "dir=1,vc=0,cmp_h=0x1e00", CCN_IDX_MASK_OPCODE),
+	CCN_EVENT_MN(dvmop, "dir=1,vc=0,cmp_h=0x2800", CCN_IDX_MASK_OPCODE),
 	CCN_EVENT_HNI(txdatflits, "dir=1,vc=3", CCN_IDX_MASK_ANY),
 	CCN_EVENT_HNI(rxdatflits, "dir=0,vc=3", CCN_IDX_MASK_ANY),
 	CCN_EVENT_HNI(txreqflits, "dir=1,vc=0", CCN_IDX_MASK_ANY),
@@ -757,6 +762,12 @@ static int arm_ccn_pmu_event_init(struct
 
 	/* Validate node/xp vs topology */
 	switch (type) {
+	case CCN_TYPE_MN:
+		if (node_xp != ccn->mn_id) {
+			dev_warn(ccn->dev, "Invalid MN ID %d!\n", node_xp);
+			return -EINVAL;
+		}
+		break;
 	case CCN_TYPE_XP:
 		if (node_xp >= ccn->num_xps) {
 			dev_warn(ccn->dev, "Invalid XP ID %d!\n", node_xp);
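Review bot: the new CCN_TYPE_MN check compares node_xp against ccn->mn_id, but mn_id has no "not discovered" value: it is a plain int that is written only when arm_ccn_init_nodes() sees an MN, so on a topology where that never happens the check accepts whatever the field happened to hold. Initialising mn_id to -1 before node discovery and rejecting MN events while it is negative would make the validation hold in that case too.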
@@ -1369,6 +1380,8 @@ static int arm_ccn_init_nodes(struct arm
 
 	switch (type) {
 	case CCN_TYPE_MN:
+		ccn->mn_id = id;
+		return 0;
 	case CCN_TYPE_DT:
 		return 0;
 	case CCN_TYPE_XP:
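Review bot: in the CCN_TYPE_MN case the added return 0; duplicates the one two lines below under CCN_TYPE_DT. Setting ccn->mn_id = id; and falling through, with a fall-through comment, would be shorter and keep the two cases visibly tied together.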


* [PATCH 4.7 108/184] bus: arm-ccn: Do not attempt to configure XPs for cycle counter
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (102 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 107/184] bus: arm-ccn: Fix PMU handling of MN Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 109/184] bus: arm-ccn: Fix XP watchpoint settings bitmask Greg Kroah-Hartman
                     ` (73 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mark Rutland, Pawel Moll

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pawel Moll <pawel.moll@arm.com>

commit b7c1beb278e8e3dc664ed3df3fc786db126120a9 upstream.

Fuzzing the CCN perf driver revealed a small but definitely dangerous
mistake in the event setup code. When a cycle counter is requested, the
driver should not reconfigure the events bus at all, otherwise it will
corrupt (in most but the simplest cases) its configuration and may end
up accessing XP array out of its bounds and corrupting control
registers.

Reported-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-ccn.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -895,6 +895,10 @@ static void arm_ccn_pmu_xp_dt_config(str
 	struct arm_ccn_component *xp;
 	u32 val, dt_cfg;
 
+	/* Nothing to do for cycle counter */
+	if (hw->idx == CCN_IDX_PMU_CYCLE_COUNTER)
+		return;
+
 	if (CCN_CONFIG_TYPE(event->attr.config) == CCN_TYPE_XP)
 		xp = &ccn->xp[CCN_CONFIG_XP(event->attr.config)];
 	else
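Review bot: the early return for CCN_IDX_PMU_CYCLE_COUNTER closes the path described in the commit message, but the context line below it still indexes ccn->xp[] directly with CCN_CONFIG_XP(event->attr.config), a value taken from the perf event attributes. Nothing in this function bounds it, so it relies entirely on the checks in arm_ccn_pmu_event_init(); a comment saying so, or a defensive comparison against ccn->num_xps here, would keep a later change to event_init from reopening the out-of-bounds access.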


* [PATCH 4.7 109/184] bus: arm-ccn: Fix XP watchpoint settings bitmask
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (103 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 108/184] bus: arm-ccn: Do not attempt to configure XPs for cycle counter Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 110/184] dm log writes: fix check of kthread_run() return value Greg Kroah-Hartman
                     ` (72 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pawel Moll

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pawel Moll <pawel.moll@arm.com>

commit b928466b2169e061822daad48ecf55b005445547 upstream.

The code setting XP watchpoint comparator and mask registers should, in
order to be fully compliant with specification, zero one or more most
significant bits of each field. In both L cases it means zeroing bit 63.
The bitmask doing this was wrong, though, zeroing bit 60 instead.
Fortunately, due to a lucky coincidence, this turned out to be fairly
innocent with the existing hardware.

Fixed now.

Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-ccn.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -1001,7 +1001,7 @@ static void arm_ccn_pmu_xp_watchpoint_co
 
 	/* Comparison values */
 	writel(cmp_l & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_L(wp));
-	writel((cmp_l >> 32) & 0xefffffff,
+	writel((cmp_l >> 32) & 0x7fffffff,
 			source->base + CCN_XP_DT_CMP_VAL_L(wp) + 4);
 	writel(cmp_h & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_H(wp));
 	writel((cmp_h >> 32) & 0x0fffffff,
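Review bot: the corrected mask is still a bare literal, which is how 0xefffffff (clearing bit 28 of the upper word, that is bit 60) got in instead of 0x7fffffff (bit 31, that is bit 63). Naming the upper-word masks, for example GENMASK(30, 0) for the _L registers and GENMASK(27, 0) for the _H ones, would make the cleared bits readable and the same slip harder to repeat in the mask hunk below.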
@@ -1009,7 +1009,7 @@ static void arm_ccn_pmu_xp_watchpoint_co
 
 	/* Mask */
 	writel(mask_l & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_L(wp));
-	writel((mask_l >> 32) & 0xefffffff,
+	writel((mask_l >> 32) & 0x7fffffff,
 			source->base + CCN_XP_DT_CMP_MASK_L(wp) + 4);
 	writel(mask_h & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_H(wp));
 	writel((mask_h >> 32) & 0x0fffffff,


* [PATCH 4.7 110/184] dm log writes: fix check of kthread_run() return value
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (104 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 109/184] bus: arm-ccn: Fix XP watchpoint settings bitmask Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 111/184] dm crypt: fix free of bad values after tfm allocation failure Greg Kroah-Hartman
                     ` (71 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vladimir Zapolskiy, Mike Snitzer

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vz@mleia.com>

commit 91e630d9ae6de6f740ef7c8176736eb55366833e upstream.

The kthread_run() function returns either a valid task_struct or
ERR_PTR() value, check for NULL is invalid.  This change fixes potential
for oops, e.g. in OOM situation.

Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-log-writes.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-log-writes.c
+++ b/drivers/md/dm-log-writes.c
@@ -456,9 +456,9 @@ static int log_writes_ctr(struct dm_targ
 		goto bad;
 	}
 
-	ret = -EINVAL;
 	lc->log_kthread = kthread_run(log_writes_kthread, lc, "log-write");
-	if (!lc->log_kthread) {
+	if (IS_ERR(lc->log_kthread)) {
+		ret = PTR_ERR(lc->log_kthread);
 		ti->error = "Couldn't alloc kthread";
 		dm_put_device(ti, lc->dev);
 		dm_put_device(ti, lc->logdev);
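Review bot: on failure lc->log_kthread is left holding the ERR_PTR value while the error path goes on to release the devices. If anything later on this path or in the destructor tests the pointer for NULL or hands it to kthread_stop(), it will act on the error pointer; clearing lc->log_kthread right after ret = PTR_ERR(lc->log_kthread); would rule that out. Dropping the unconditional ret = -EINVAL; is fine for this branch, but the hunk does not show whether a later goto bad relied on it.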


* [PATCH 4.7 111/184] dm crypt: fix free of bad values after tfm allocation failure
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (105 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 110/184] dm log writes: fix check of kthread_run() return value Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 112/184] dm log writes: move IO accounting earlier to fix error path Greg Kroah-Hartman
                     ` (70 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Mike Snitzer

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd upstream.

If crypt_alloc_tfms() had to allocate multiple tfms and it failed before
the last allocation, then it would call crypt_free_tfms() and could free
pointers from uninitialized memory -- due to the crypt_free_tfms() check
for non-zero cc->tfms[i].  Fix by allocating zeroed memory.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-crypt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -1453,7 +1453,7 @@ static int crypt_alloc_tfms(struct crypt
 	unsigned i;
 	int err;
 
-	cc->tfms = kmalloc(cc->tfms_count * sizeof(struct crypto_skcipher *),
+	cc->tfms = kzalloc(cc->tfms_count * sizeof(struct crypto_skcipher *),
 			   GFP_KERNEL);
 	if (!cc->tfms)
 		return -ENOMEM;
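Review bot: kzalloc() fixes the uninitialised entries, but the size is still the open-coded product cc->tfms_count * sizeof(struct crypto_skcipher *), which is not checked for overflow. kcalloc(cc->tfms_count, sizeof(struct crypto_skcipher *), GFP_KERNEL) zeroes the array as well and fails cleanly if the multiplication would wrap.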


* [PATCH 4.7 112/184] dm log writes: move IO accounting earlier to fix error path
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (106 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 111/184] dm crypt: fix free of bad values after tfm allocation failure Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 113/184] dm crypt: fix error with too large bios Greg Kroah-Hartman
                     ` (69 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Josef Bacik, Mike Snitzer

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 upstream.

Move log_one_block()'s atomic_inc(&lc->io_blocks) before bio_alloc() to
fix a bug that the target hangs if bio_alloc() fails.  The error path
does put_io_block(lc), so atomic_inc(&lc->io_blocks) must occur before
invoking the error path to avoid underflow of lc->io_blocks.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-log-writes.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm-log-writes.c
+++ b/drivers/md/dm-log-writes.c
@@ -258,12 +258,12 @@ static int log_one_block(struct log_writ
 		goto out;
 	sector++;
 
+	atomic_inc(&lc->io_blocks);
 	bio = bio_alloc(GFP_KERNEL, block->vec_cnt);
 	if (!bio) {
 		DMERR("Couldn't alloc log bio");
 		goto error;
 	}
-	atomic_inc(&lc->io_blocks);
 	bio->bi_iter.bi_size = 0;
 	bio->bi_iter.bi_sector = sector;
 	bio->bi_bdev = lc->logdev->bdev;
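Review bot: the fix depends on atomic_inc(&lc->io_blocks) staying ahead of the first goto error, and nothing in the code says so. A one-line comment above the increment noting that the error path calls put_io_block(lc) would protect the ordering. It is also worth confirming that the goto out visible at the top of the hunk, which is taken before the increment, does not reach put_io_block().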


* [PATCH 4.7 113/184] dm crypt: fix error with too large bios
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (107 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 112/184] dm log writes: move IO accounting earlier to fix error path Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 114/184] pinctrl: pistachio: fix mfio pll_lock pinmux Greg Kroah-Hartman
                     ` (68 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 4e870e948fbabf62b78e8410f04c67703e7c816b upstream.

When dm-crypt processes writes, it allocates a new bio in
crypt_alloc_buffer().  The bio is allocated from a bio set and it can
have at most BIO_MAX_PAGES vector entries, however the incoming bio can be
larger (e.g. if it was allocated by bcache).  If the incoming bio is
larger, bio_alloc_bioset() fails and an error is returned.

To avoid the error, we test for a too large bio in the function
crypt_map() and use dm_accept_partial_bio() to split the bio.
dm_accept_partial_bio() trims the current bio to the desired size and
asks DM core to send another bio with the rest of the data.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-crypt.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -1923,6 +1923,13 @@ static int crypt_map(struct dm_target *t
 		return DM_MAPIO_REMAPPED;
 	}
 
+	/*
+	 * Check if bio is too large, split as needed.
+	 */
+	if (unlikely(bio->bi_iter.bi_size > (BIO_MAX_PAGES << PAGE_SHIFT)) &&
+	    bio_data_dir(bio) == WRITE)
+		dm_accept_partial_bio(bio, ((BIO_MAX_PAGES << PAGE_SHIFT) >> SECTOR_SHIFT));
+
 	io = dm_per_bio_data(bio, cc->per_bio_data_size);
 	crypt_io_init(io, cc, bio, dm_target_offset(ti, bio->bi_iter.bi_sector));
 	io->ctx.req = (struct skcipher_request *)(io + 1);
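Review bot: the limit BIO_MAX_PAGES << PAGE_SHIFT is spelled out twice, once in bytes for the comparison and once shifted down by SECTOR_SHIFT for dm_accept_partial_bio(), and the second line runs well past 80 columns. A local constant or small macro for the byte limit would keep the two in step and let the call wrap. The unlikely() also covers only the size test; putting the whole condition inside it, or testing bio_data_dir(bio) == WRITE first, would read more clearly.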


* [PATCH 4.7 114/184] pinctrl: pistachio: fix mfio pll_lock pinmux
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (108 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 113/184] dm crypt: fix error with too large bios Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 115/184] pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 Greg Kroah-Hartman
                     ` (67 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Hartley, Sifan Naeem, Linus Walleij

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hartley <james.hartley@imgtec.com>

commit a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e upstream.

A previous patch attempted to fix the pinmuxes for mfio 84 - 89, but it
omitted a change to pistachio_pin_group pistachio_groups, which results
in incorrect pll_lock signals being routed.

Apply the correct mux settings throughout the driver.

fixes: cefc03e5995e ("pinctrl: Add Pistachio SoC pin control driver")
fixes: e9adb336d0bf ("pinctrl: pistachio: fix mfio84-89 function description and pinmux.")
Signed-off-by: James Hartley <james.hartley@imgtec.com>
Reviewed-by: Sifan Naeem <Sifan.Naeem@imgtec.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/pinctrl-pistachio.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/pinctrl/pinctrl-pistachio.c
+++ b/drivers/pinctrl/pinctrl-pistachio.c
@@ -809,17 +809,17 @@ static const struct pistachio_pin_group
 			   PADS_FUNCTION_SELECT2, 12, 0x3),
 	MFIO_MUX_PIN_GROUP(83, MIPS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG,
 			   PADS_FUNCTION_SELECT2, 14, 0x3),
-	MFIO_MUX_PIN_GROUP(84, SYS_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG,
+	MFIO_MUX_PIN_GROUP(84, AUDIO_PLL_LOCK, MIPS_TRACE_DATA, USB_DEBUG,
 			   PADS_FUNCTION_SELECT2, 16, 0x3),
-	MFIO_MUX_PIN_GROUP(85, WIFI_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
+	MFIO_MUX_PIN_GROUP(85, RPU_V_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
 			   PADS_FUNCTION_SELECT2, 18, 0x3),
-	MFIO_MUX_PIN_GROUP(86, BT_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
+	MFIO_MUX_PIN_GROUP(86, RPU_L_PLL_LOCK, MIPS_TRACE_DATA, SDHOST_DEBUG,
 			   PADS_FUNCTION_SELECT2, 20, 0x3),
-	MFIO_MUX_PIN_GROUP(87, RPU_V_PLL_LOCK, DREQ2, SOCIF_DEBUG,
+	MFIO_MUX_PIN_GROUP(87, SYS_PLL_LOCK, DREQ2, SOCIF_DEBUG,
 			   PADS_FUNCTION_SELECT2, 22, 0x3),
-	MFIO_MUX_PIN_GROUP(88, RPU_L_PLL_LOCK, DREQ3, SOCIF_DEBUG,
+	MFIO_MUX_PIN_GROUP(88, WIFI_PLL_LOCK, DREQ3, SOCIF_DEBUG,
 			   PADS_FUNCTION_SELECT2, 24, 0x3),
-	MFIO_MUX_PIN_GROUP(89, AUDIO_PLL_LOCK, DREQ4, DREQ5,
+	MFIO_MUX_PIN_GROUP(89, BT_PLL_LOCK, DREQ4, DREQ5,
 			   PADS_FUNCTION_SELECT2, 26, 0x3),
 	PIN_GROUP(TCK, "tck"),
 	PIN_GROUP(TRSTN, "trstn"),
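Review bot: the hunk permutes the first function of mfio 84 to 89 among six *_PLL_LOCK names, and nothing next to the table says which document the new order was taken from, so it cannot be checked from the patch; the earlier fix named in the commit message missed this table under the same conditions. A comment above these entries citing the datasheet table, and a line in the commit message listing which other tables in the driver were checked against it, would make the mapping verifiable.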


* [PATCH 4.7 115/184] pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (109 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 114/184] pinctrl: pistachio: fix mfio pll_lock pinmux Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 116/184] memory: omap-gpmc: allow probe of child nodes to fail Greg Kroah-Hartman
                     ` (66 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Icenowy Zheng, Maxime Ripard, Linus Walleij

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Icenowy Zheng <icenowy@aosc.xyz>

commit 486095fae3a8a6b1ae07c51844699d9bd5cfbebc upstream.

PG8, PG9 is said to be the CTS/RTS pins for UART1 according to the A23/33
datasheets. However, the function is wrongly named "uart2" in the pinctrl
driver. This patch fixes this by modifying them to be named "uart1".

Signed-off-by: Icenowy Zheng <icenowy@aosc.xyz>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c |    4 ++--
 drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c
+++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c
@@ -485,12 +485,12 @@ static const struct sunxi_desc_pin sun8i
 	SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8),
 		  SUNXI_FUNCTION(0x0, "gpio_in"),
 		  SUNXI_FUNCTION(0x1, "gpio_out"),
-		  SUNXI_FUNCTION(0x2, "uart2"),		/* RTS */
+		  SUNXI_FUNCTION(0x2, "uart1"),		/* RTS */
 		  SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 8)),	/* PG_EINT8 */
 	SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9),
 		  SUNXI_FUNCTION(0x0, "gpio_in"),
 		  SUNXI_FUNCTION(0x1, "gpio_out"),
-		  SUNXI_FUNCTION(0x2, "uart2"),		/* CTS */
+		  SUNXI_FUNCTION(0x2, "uart1"),		/* CTS */
 		  SUNXI_FUNCTION_IRQ_BANK(0x4, 2, 9)),	/* PG_EINT9 */
 	SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10),
 		  SUNXI_FUNCTION(0x0, "gpio_in"),
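Review bot: the string passed to SUNXI_FUNCTION() is the name device trees use to select the mux, so renaming "uart2" to "uart1" on PG8 and PG9 changes what a pinctrl node must request. The commit message should confirm that no in-tree dts selects "uart2" on these pins, otherwise such a board loses its RTS/CTS muxing after this update. The same applies to the A33 hunk that follows.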
--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c
+++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c
@@ -407,12 +407,12 @@ static const struct sunxi_desc_pin sun8i
 	SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 8),
 		  SUNXI_FUNCTION(0x0, "gpio_in"),
 		  SUNXI_FUNCTION(0x1, "gpio_out"),
-		  SUNXI_FUNCTION(0x2, "uart2"),		/* RTS */
+		  SUNXI_FUNCTION(0x2, "uart1"),		/* RTS */
 		  SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 8)),	/* PG_EINT8 */
 	SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 9),
 		  SUNXI_FUNCTION(0x0, "gpio_in"),
 		  SUNXI_FUNCTION(0x1, "gpio_out"),
-		  SUNXI_FUNCTION(0x2, "uart2"),		/* CTS */
+		  SUNXI_FUNCTION(0x2, "uart1"),		/* CTS */
 		  SUNXI_FUNCTION_IRQ_BANK(0x4, 1, 9)),	/* PG_EINT9 */
 	SUNXI_PIN(SUNXI_PINCTRL_PIN(G, 10),
 		  SUNXI_FUNCTION(0x0, "gpio_in"),


* [PATCH 4.7 116/184] memory: omap-gpmc: allow probe of child nodes to fail
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (110 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 115/184] pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 117/184] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Greg Kroah-Hartman
                     ` (65 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Roger Quadros

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 23540d6e2f3193b946c4de43e3f9654fa6d23fe7 upstream.

A recent commit (inadvertently?) changed how failed probe of a gpmc
child node was handled. Instead of proceeding with setting up any other
children as before, a single error now aborts the whole process.

This change broke networking on some Overo boards due to probe failing
for an unrelated nand node. This second issue should obviously be
fixed, but let's restore the old behaviour of allowing child-node
probe to fail to avoid further similar breakage on other systems.

Fixes: d2d00862dfbb ("memory: omap-gpmc: Support general purpose input
for WAITPINs")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/memory/omap-gpmc.c |   21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

--- a/drivers/memory/omap-gpmc.c
+++ b/drivers/memory/omap-gpmc.c
@@ -2250,7 +2250,7 @@ static int gpmc_probe_dt(struct platform
 	return 0;
 }
 
-static int gpmc_probe_dt_children(struct platform_device *pdev)
+static void gpmc_probe_dt_children(struct platform_device *pdev)
 {
 	int ret;
 	struct device_node *child;
@@ -2265,11 +2265,11 @@ static int gpmc_probe_dt_children(struct
 		else
 			ret = gpmc_probe_generic_child(pdev, child);
 
-		if (ret)
-			return ret;
+		if (ret) {
+			dev_err(&pdev->dev, "failed to probe DT child '%s': %d\n",
+				child->name, ret);
+		}
 	}
-
-	return 0;
 }
 #else
 static int gpmc_probe_dt(struct platform_device *pdev)
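Review bot: the new dev_err() in the child loop identifies the failing node by child->name only, which is ambiguous when several children share a node name; printing child->full_name would make the log line point at exactly one node. The braces around the single dev_err() statement are also unnecessary under kernel coding style, though harmless.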
@@ -2277,9 +2277,8 @@ static int gpmc_probe_dt(struct platform
 	return 0;
 }
 
-static int gpmc_probe_dt_children(struct platform_device *pdev)
+static void gpmc_probe_dt_children(struct platform_device *pdev)
 {
-	return 0;
 }
 #endif
 
@@ -2372,16 +2371,10 @@ static int gpmc_probe(struct platform_de
 		goto setup_irq_failed;
 	}
 
-	rc = gpmc_probe_dt_children(pdev);
-	if (rc < 0) {
-		dev_err(gpmc->dev, "failed to probe DT children\n");
-		goto dt_children_failed;
-	}
+	gpmc_probe_dt_children(pdev);
 
 	return 0;
 
-dt_children_failed:
-	gpmc_free_irq(gpmc);
 setup_irq_failed:
 	gpmc_gpio_exit(gpmc);
 gpio_init_failed:
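Review bot: with the dt_children_failed label and its gpmc_free_irq() call removed, gpmc_probe() returns 0 even when every child fails, so nothing in the probe path unwinds what a failed gpmc_probe_generic_child() may have left behind. It is worth confirming that each child probe releases its own resources on error. A short comment above the gpmc_probe_dt_children(pdev) call saying that child failures are deliberately non-fatal would keep a later refactor from reintroducing the abort.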


* [PATCH 4.7 117/184] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (111 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 116/184] memory: omap-gpmc: allow probe of child nodes to fail Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 118/184] crypto: cryptd - initialize child shash_desc on import Greg Kroah-Hartman
                     ` (64 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra, Alan Stern,
	Will Deacon, Catalin Marinas

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 872c63fbf9e153146b07f0cece4da0d70b283eeb upstream.

smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation
to a full barrier, such that prior stores are ordered with respect to
loads and stores occurring inside the critical section.

Unfortunately, the core code defines the barrier as smp_wmb(), which
is insufficient to provide the required ordering guarantees when used in
conjunction with our load-acquire-based spinlock implementation.

This patch overrides the arm64 definition of smp_mb__before_spinlock()
to map to a full smp_mb().

Cc: Peter Zijlstra <peterz@infradead.org>
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/spinlock.h |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/arch/arm64/include/asm/spinlock.h
+++ b/arch/arm64/include/asm/spinlock.h
@@ -363,4 +363,14 @@ static inline int arch_read_trylock(arch
 #define arch_read_relax(lock)	cpu_relax()
 #define arch_write_relax(lock)	cpu_relax()
 
+/*
+ * Accesses appearing in program order before a spin_lock() operation
+ * can be reordered with accesses inside the critical section, by virtue
+ * of arch_spin_lock being constructed using acquire semantics.
+ *
+ * In cases where this is problematic (e.g. try_to_wake_up), an
+ * smp_mb__before_spinlock() can restore the required ordering.
+ */
+#define smp_mb__before_spinlock()	smp_mb()
+
 #endif /* __ASM_SPINLOCK_H */
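Review bot: the #define smp_mb__before_spinlock() at the end of the header only takes effect if the core definition is guarded by #ifndef and this header is seen first; the added comment explains why the full barrier is needed but not how the override is picked up. One sentence naming that dependency would help, since a change in include order would silently fall back to the smp_wmb() version the commit message calls insufficient.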


* [PATCH 4.7 118/184] crypto: cryptd - initialize child shash_desc on import
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (112 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 117/184] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 119/184] Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns Greg Kroah-Hartman
                     ` (63 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Herbert Xu

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream.

When calling .import() on a cryptd ahash_request, the structure members
that describe the child transform in the shash_desc need to be initialized
like they are when calling .init()

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/cryptd.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -594,9 +594,14 @@ static int cryptd_hash_export(struct aha
 
 static int cryptd_hash_import(struct ahash_request *req, const void *in)
 {
-	struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
+	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+	struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
+	struct shash_desc *desc = cryptd_shash_desc(req);
 
-	return crypto_shash_import(&rctx->desc, in);
+	desc->tfm = ctx->child;
+	desc->flags = req->base.flags;
+
+	return crypto_shash_import(desc, in);
 }
 
 static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
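Review bot: in cryptd_hash_import(), desc->flags is taken from req->base.flags, while the commit message says the members should be set up as they are in .init(), which is not part of this hunk. If the two paths intentionally use different flag values, a one-line comment above the assignment should say why; if not, the value should match what .init() sets.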


* [PATCH 4.7 119/184] Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (113 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 118/184] crypto: cryptd - initialize child shash_desc on import Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 120/184] fuse: direct-io: dont dirty ITER_BVEC pages Greg Kroah-Hartman
                     ` (62 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chris Mason

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Mason <clm@fb.com>

commit cbd60aa7cd17d81a434234268c55192862147439 upstream.

We use a btrfs_log_ctx structure to pass information into the
tree log commit, and get error values out.  It gets added to a per
log-transaction list which we walk when things go bad.

Commit d1433debe added an optimization to skip waiting for the log
commit, but didn't take root_log_ctx out of the list.  This
patch makes sure we remove things before exiting.

Signed-off-by: Chris Mason <clm@fb.com>
Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -2851,6 +2851,7 @@ int btrfs_sync_log(struct btrfs_trans_ha
 
 	if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
 		blk_finish_plug(&plug);
+		list_del_init(&root_log_ctx.list);
 		mutex_unlock(&log_root_tree->log_mutex);
 		ret = root_log_ctx.log_ret;
 		goto out;
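Review bot: list_del_init(&root_log_ctx.list) is added only on the log_transid_committed early exit; the hunk does not show whether the other exits from btrfs_sync_log() that run after the ctx is put on the list already remove it. root_log_ctx is accessed as a struct object rather than through a pointer, so any path that returns with it still linked would leave a stale entry on the list; the remaining goto out paths deserve the same check. Placing the removal before mutex_unlock(&log_root_tree->log_mutex) looks right.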


* [PATCH 4.7 120/184] fuse: direct-io: dont dirty ITER_BVEC pages
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (114 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 119/184] Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 121/184] xhci: fix null pointer dereference in stop command timeout function Greg Kroah-Hartman
                     ` (61 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sheng Yang, Miklos Szeredi, Ashish Samant

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit 8fba54aebbdf1f999738121922e74bf796ad60ee upstream.

When reading from a loop device backed by a fuse file it deadlocks on
lock_page().

This is because the page is already locked by the read() operation done on
the loop device.  In this case we don't want to either lock the page or
dirty it.

So do what fs/direct-io.c does: only dirty the page for ITER_IOVEC vectors.

Reported-by: Sheng Yang <sheng@yasker.org>
Fixes: aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Sheng Yang <sheng@yasker.org>
Reviewed-by: Ashish Samant <ashish.samant@oracle.com>
Tested-by: Sheng Yang <sheng@yasker.org>
Tested-by: Ashish Samant <ashish.samant@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -540,13 +540,13 @@ void fuse_read_fill(struct fuse_req *req
 	req->out.args[0].size = count;
 }
 
-static void fuse_release_user_pages(struct fuse_req *req, int write)
+static void fuse_release_user_pages(struct fuse_req *req, bool should_dirty)
 {
 	unsigned i;
 
 	for (i = 0; i < req->num_pages; i++) {
 		struct page *page = req->pages[i];
-		if (write)
+		if (should_dirty)
 			set_page_dirty_lock(page);
 		put_page(page);
 	}
@@ -1331,6 +1331,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr
 		       loff_t *ppos, int flags)
 {
 	int write = flags & FUSE_DIO_WRITE;
+	bool should_dirty = !write && iter_is_iovec(iter);
 	int cuse = flags & FUSE_DIO_CUSE;
 	struct file *file = io->file;
 	struct inode *inode = file->f_mapping->host;
@@ -1374,7 +1375,7 @@ ssize_t fuse_direct_io(struct fuse_io_pr
 			nres = fuse_send_read(req, io, pos, nbytes, owner);
 
 		if (!io->async)
-			fuse_release_user_pages(req, !write);
+			fuse_release_user_pages(req, should_dirty);
 		if (req->out.h.error) {
 			err = req->out.h.error;
 			break;
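Review bot: only the synchronous path (the if (!io->async) branch) is switched to should_dirty; where the pages of an async request are released is outside the visible hunks, so it is unclear whether that path still dirties ITER_BVEC pages. Please check the async completion path and pass it the same condition. A comment next to the should_dirty initialisation noting that bvec pages are already locked by the caller would also help.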


* [PATCH 4.7 121/184] xhci: fix null pointer dereference in stop command timeout function
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (115 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 120/184] fuse: direct-io: dont dirty ITER_BVEC pages Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 122/184] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() Greg Kroah-Hartman
                     ` (60 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathias Nyman

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit bcf42aa60c2832510b9be0f30c090bfd35bb172d upstream.

The stop endpoint command has its own 5 second timeout timer.
If the timeout function is triggered between USB3 and USB2 host
removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd)

The ->primary_hcd will be set to NULL at USB3 hcd removal.

Fix this by first checking if the PCI host is being removed, and
also by using only xhci_to_hcd() as it will always return the primary
hcd.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-ring.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -840,6 +840,10 @@ void xhci_stop_endpoint_command_watchdog
 	spin_lock_irqsave(&xhci->lock, flags);
 
 	ep->stop_cmds_pending--;
+	if (xhci->xhc_state & XHCI_STATE_REMOVING) {
+		spin_unlock_irqrestore(&xhci->lock, flags);
+		return;
+	}
 	if (xhci->xhc_state & XHCI_STATE_DYING) {
 		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
 				"Stop EP timer ran, but another timer marked "
@@ -893,7 +897,7 @@ void xhci_stop_endpoint_command_watchdog
 	spin_unlock_irqrestore(&xhci->lock, flags);
 	xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
 			"Calling usb_hc_died()");
-	usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
+	usb_hc_died(xhci_to_hcd(xhci));
 	xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
 			"xHCI host controller is dead.");
 }
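Review bot: in the last hunk, usb_hc_died(xhci_to_hcd(xhci)) still runs after spin_unlock_irqrestore(), so the XHCI_STATE_REMOVING test added earlier in the function does not cover a removal that begins once the lock is dropped. Please say in the changelog or in a comment why the hcd is still valid in that window. The new early return also exits without an xhci_dbg_trace() line, unlike the XHCI_STATE_DYING branch right after it; a matching trace would make timeouts during removal visible.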


* [PATCH 4.7 122/184] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (116 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 121/184] xhci: fix null pointer dereference in stop command timeout function Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 123/184] md-cluster: make md-cluster also can work when compiled into kernel Greg Kroah-Hartman
                     ` (59 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daxing Guo, Hante Meuleman,
	Pieter-Paul Giesberts, Franky Lin, Arend van Spriel, Kalle Valo

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arend Van Spriel <arend.vanspriel@broadcom.com>

commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream.

User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide SSID IE with length exceeding
the allowed size. The driver further processes this IE copying it
into a local variable without checking the length. Hence stack can be
corrupted and used as exploit.

Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -4467,7 +4467,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
 				(u8 *)&settings->beacon.head[ie_offset],
 				settings->beacon.head_len - ie_offset,
 				WLAN_EID_SSID);
-		if (!ssid_ie)
+		if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
 			return -EINVAL;
 
 		memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
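Review bot: the new ssid_ie->len > IEEE80211_MAX_SSID_LEN test protects the memcpy() into ssid_le.SSID, but the bound is a protocol constant rather than the size of the destination. Writing the check as ssid_ie->len > sizeof(ssid_le.SSID), or adding a BUILD_BUG_ON that the two are equal, would keep the copy safe if the firmware structure ever changes. Other places in the driver that copy from a parsed TLV using its own length field are worth auditing for the same omission.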


* [PATCH 4.7 123/184] md-cluster: make md-cluster also can work when compiled into kernel
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (117 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 122/184] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:40   ` [PATCH 4.7 124/184] ath9k: fix using sta->drv_priv before initializing it Greg Kroah-Hartman
                     ` (58 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Smith, NeilBrown, Guoqing Jiang,
	Shaohua Li

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guoqing Jiang <gqjiang@suse.com>

commit 47a7b0d8888c04c9746812820b6e60553cc77bbc upstream.

The md-cluster is compiled as module by default,
if it is compiled by built-in way, then we can't
make md-cluster work.

[64782.630008] md/raid1:md127: active with 2 out of 2 mirrors
[64782.630528] md-cluster module not found.
[64782.630530] md127: Could not setup cluster service (-2)

Fixes: edb39c9 ("Introduce md_cluster_operations to handle cluster functions")
Reported-by: Marc Smith <marc.smith@mcc.edu>
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/md.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -7599,16 +7599,12 @@ EXPORT_SYMBOL(unregister_md_cluster_oper
 
 int md_setup_cluster(struct mddev *mddev, int nodes)
 {
-	int err;
-
-	err = request_module("md-cluster");
-	if (err) {
-		pr_err("md-cluster module not found.\n");
-		return -ENOENT;
-	}
-
+	if (!md_cluster_ops)
+		request_module("md-cluster");
 	spin_lock(&pers_lock);
+	/* ensure module won't be unloaded */
 	if (!md_cluster_ops || !try_module_get(md_cluster_mod)) {
+		pr_err("can't find md-cluster module or get it's reference.\n");
 		spin_unlock(&pers_lock);
 		return -ENOENT;
 	}
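Review bot: the first if (!md_cluster_ops) test runs before spin_lock(&pers_lock), so it is an unlocked read; it is harmless because the pointer is tested again under the lock, but a comment saying the first test is only a hint to skip request_module() would make that clear. The new pr_err() text should also read "its reference" rather than "it's reference".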


* [PATCH 4.7 124/184] ath9k: fix using sta->drv_priv before initializing it
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (118 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 123/184] md-cluster: make md-cluster also can work when compiled into kernel Greg Kroah-Hartman
@ 2016-09-22 17:40   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 126/184] perf/x86/intel: Fix PEBSv3 record drain Greg Kroah-Hartman
                     ` (57 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Kalle Valo

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <nbd@nbd.name>

commit 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 upstream.

A station pointer can be passed to the driver on tx, before it has been
marked as associated. Since ath9k_sta_state was initializing the entry
too late, it resulted in some spurious crashes.

Fixes: df3c6eb34da5 ("ath9k: Use sta_state() callback")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath9k/main.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -1552,13 +1552,13 @@ static int ath9k_sta_state(struct ieee80
 	struct ath_common *common = ath9k_hw_common(sc->sc_ah);
 	int ret = 0;
 
-	if (old_state == IEEE80211_STA_AUTH &&
-	    new_state == IEEE80211_STA_ASSOC) {
+	if (old_state == IEEE80211_STA_NOTEXIST &&
+	    new_state == IEEE80211_STA_NONE) {
 		ret = ath9k_sta_add(hw, vif, sta);
 		ath_dbg(common, CONFIG,
 			"Add station: %pM\n", sta->addr);
-	} else if (old_state == IEEE80211_STA_ASSOC &&
-		   new_state == IEEE80211_STA_AUTH) {
+	} else if (old_state == IEEE80211_STA_NONE &&
+		   new_state == IEEE80211_STA_NOTEXIST) {
 		ret = ath9k_sta_remove(hw, vif, sta);
 		ath_dbg(common, CONFIG,
 			"Remove station: %pM\n", sta->addr);


* [PATCH 4.7 126/184] perf/x86/intel: Fix PEBSv3 record drain
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (119 preceding siblings ...)
  2016-09-22 17:40   ` [PATCH 4.7 124/184] ath9k: fix using sta->drv_priv before initializing it Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 127/184] perf/x86/intel/cqm: Check cqm/mbm enabled state in event init Greg Kroah-Hartman
                     ` (56 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Shishkin,
	Peter Zijlstra (Intel),
	Arnaldo Carvalho de Melo, Jiri Olsa, Kan Liang, Linus Torvalds,
	Stephane Eranian, Thomas Gleixner, Vince Weaver, Ingo Molnar

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit 8ef9b8455a2a3049efa9e46e8a6402b972a3eb41 upstream.

Alexander hit the WARN_ON_ONCE(!event) on his Skylake while running
the perf fuzzer.

This means the PEBSv3 record included a status bit for an inactive
event, something that _should_ not happen.

Move the code that filters the status bits against our known PEBS
events up a spot to guarantee we only deal with events we know about.

Further add "continue" statements to the WARN_ON_ONCE()s such that
we'll not die nor generate silly events in case we ever do hit them
again.

Reported-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Tested-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kan Liang <kan.liang@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vince@deater.net>
Fixes: a3d86542de88 ("perf/x86/intel/pebs: Add PEBSv3 decoding")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/ds.c |   19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

--- a/arch/x86/events/intel/ds.c
+++ b/arch/x86/events/intel/ds.c
@@ -1274,18 +1274,18 @@ static void intel_pmu_drain_pebs_nhm(str
 		struct pebs_record_nhm *p = at;
 		u64 pebs_status;
 
-		/* PEBS v3 has accurate status bits */
+		pebs_status = p->status & cpuc->pebs_enabled;
+		pebs_status &= (1ULL << x86_pmu.max_pebs_events) - 1;
+
+		/* PEBS v3 has more accurate status bits */
 		if (x86_pmu.intel_cap.pebs_format >= 3) {
-			for_each_set_bit(bit, (unsigned long *)&p->status,
-					 MAX_PEBS_EVENTS)
+			for_each_set_bit(bit, (unsigned long *)&pebs_status,
+					 x86_pmu.max_pebs_events)
 				counts[bit]++;
 
 			continue;
 		}
 
-		pebs_status = p->status & cpuc->pebs_enabled;
-		pebs_status &= (1ULL << x86_pmu.max_pebs_events) - 1;
-
 		/*
 		 * On some CPUs the PEBS status can be zero when PEBS is
 		 * racing with clearing of GLOBAL_STATUS.
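Review bot: masking p->status with cpuc->pebs_enabled before the PEBSv3 for_each_set_bit() loop makes status bits for inactive events disappear silently, although the commit message treats such a bit as something the hardware should not produce. A WARN_ON_ONCE or a debug counter for the case where p->status has bits outside the mask would keep that anomaly observable. The (unsigned long *)&pebs_status cast of a u64 also deserves a comment on why it is safe here.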
@@ -1333,8 +1333,11 @@ static void intel_pmu_drain_pebs_nhm(str
 			continue;
 
 		event = cpuc->events[bit];
-		WARN_ON_ONCE(!event);
-		WARN_ON_ONCE(!event->attr.precise_ip);
+		if (WARN_ON_ONCE(!event))
+			continue;
+
+		if (WARN_ON_ONCE(!event->attr.precise_ip))
+			continue;
 
 		/* log dropped samples number */
 		if (error[bit])


* [PATCH 4.7 127/184] perf/x86/intel/cqm: Check cqm/mbm enabled state in event init
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (120 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 126/184] perf/x86/intel: Fix PEBSv3 record drain Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 128/184] perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 Greg Kroah-Hartman
                     ` (55 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yanqiu Zhang, Jiri Olsa,
	Peter Zijlstra, Vikas Shivappa, Tony Luck, Thomas Gleixner

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@kernel.org>

commit 79d102cbfd2e9d94257fcc7c82807ef1cdf80322 upstream.

Yanqiu Zhang reported kernel panic when using mbm event
on system where CQM is detected but without mbm event
support, like with perf:

  # perf stat -e 'intel_cqm/event=3/' -a

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
  IP: [<ffffffff8100d64c>] update_sample+0xbc/0xe0
  ...
   <IRQ>
   [<ffffffff8100d688>] __intel_mbm_event_init+0x18/0x20
   [<ffffffff81113d6b>] flush_smp_call_function_queue+0x7b/0x160
   [<ffffffff81114853>] generic_smp_call_function_single_interrupt+0x13/0x60
   [<ffffffff81052017>] smp_call_function_interrupt+0x27/0x40
   [<ffffffff816fb06c>] call_function_interrupt+0x8c/0xa0
  ...

The reason is that we currently allow to init mbm event
even if mbm support is not detected.  Adding checks for
both cqm and mbm events and support into cqm's event_init.

Fixes: 33c3cc7acfd9 ("perf/x86/mbm: Add Intel Memory B/W Monitoring enumeration and init")
Reported-by: Yanqiu Zhang <yanqzhan@redhat.com>
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Vikas Shivappa <vikas.shivappa@linux.intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1473089407-21857-1-git-send-email-jolsa@kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/cqm.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/x86/events/intel/cqm.c
+++ b/arch/x86/events/intel/cqm.c
@@ -458,6 +458,11 @@ static void __intel_cqm_event_count(void
 static void init_mbm_sample(u32 rmid, u32 evt_type);
 static void __intel_mbm_event_count(void *info);
 
+static bool is_cqm_event(int e)
+{
+	return (e == QOS_L3_OCCUP_EVENT_ID);
+}
+
 static bool is_mbm_event(int e)
 {
 	return (e >= QOS_MBM_TOTAL_EVENT_ID && e <= QOS_MBM_LOCAL_EVENT_ID);
@@ -1366,6 +1371,10 @@ static int intel_cqm_event_init(struct p
 	     (event->attr.config > QOS_MBM_LOCAL_EVENT_ID))
 		return -EINVAL;
 
+	if ((is_cqm_event(event->attr.config) && !cqm_enabled) ||
+	    (is_mbm_event(event->attr.config) && !mbm_enabled))
+		return -EINVAL;
+
 	/* unsupported modes and filters */
 	if (event->attr.exclude_user   ||
 	    event->attr.exclude_kernel ||
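Review bot: the new cqm_enabled/mbm_enabled test in intel_cqm_event_init() returns -EINVAL, the same code as the config range check just above it, so user space cannot tell an unsupported feature from a malformed event. Consider a distinct error such as -EOPNOTSUPP, and add a short comment that the check exists because CQM can be detected without MBM support.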


* [PATCH 4.7 128/184] perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (121 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 127/184] perf/x86/intel/cqm: Check cqm/mbm enabled state in event init Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 129/184] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Greg Kroah-Hartman
                     ` (54 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matt Fleming, Peter Zijlstra,
	Borislav Petkov, Linus Torvalds, Thomas Gleixner, Ingo Molnar

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Fleming <matt@codeblueprint.co.uk>

commit 080fe0b790ad438fc1b61621dac37c1964ce7f35 upstream.

While the Intel PMU monitors the LLC when perf enables the
HW_CACHE_REFERENCES and HW_CACHE_MISSES events, these events monitor
L1 instruction cache fetches (0x0080) and instruction cache misses
(0x0081) on the AMD PMU.

This is extremely confusing when monitoring the same workload across
Intel and AMD machines, since parameters like,

  $ perf stat -e cache-references,cache-misses

measure completely different things.

Instead, make the AMD PMU measure instruction/data cache and TLB fill
requests to the L2 and instruction/data cache and TLB misses in the L2
when HW_CACHE_REFERENCES and HW_CACHE_MISSES are enabled,
respectively. That way the events measure unified caches on both
platforms.

Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1472044328-21302-1-git-send-email-matt@codeblueprint.co.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/amd/core.c |    4 ++--
 arch/x86/kvm/pmu_amd.c     |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/x86/events/amd/core.c
+++ b/arch/x86/events/amd/core.c
@@ -119,8 +119,8 @@ static const u64 amd_perfmon_event_map[P
 {
   [PERF_COUNT_HW_CPU_CYCLES]			= 0x0076,
   [PERF_COUNT_HW_INSTRUCTIONS]			= 0x00c0,
-  [PERF_COUNT_HW_CACHE_REFERENCES]		= 0x0080,
-  [PERF_COUNT_HW_CACHE_MISSES]			= 0x0081,
+  [PERF_COUNT_HW_CACHE_REFERENCES]		= 0x077d,
+  [PERF_COUNT_HW_CACHE_MISSES]			= 0x077e,
   [PERF_COUNT_HW_BRANCH_INSTRUCTIONS]		= 0x00c2,
   [PERF_COUNT_HW_BRANCH_MISSES]			= 0x00c3,
   [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND]	= 0x00d0, /* "Decoder empty" event */
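Review bot: the new 0x077d and 0x077e values in amd_perfmon_event_map[] carry no comment, unlike the 0x00d0 entry a few lines down. Please annotate them with what they count (L2 fill requests and L2 misses, per the commit message) and state which AMD families define these encodings, since nothing in the visible table restricts it to a family.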
--- a/arch/x86/kvm/pmu_amd.c
+++ b/arch/x86/kvm/pmu_amd.c
@@ -23,8 +23,8 @@
 static struct kvm_event_hw_type_mapping amd_event_mapping[] = {
 	[0] = { 0x76, 0x00, PERF_COUNT_HW_CPU_CYCLES },
 	[1] = { 0xc0, 0x00, PERF_COUNT_HW_INSTRUCTIONS },
-	[2] = { 0x80, 0x00, PERF_COUNT_HW_CACHE_REFERENCES },
-	[3] = { 0x81, 0x00, PERF_COUNT_HW_CACHE_MISSES },
+	[2] = { 0x7d, 0x07, PERF_COUNT_HW_CACHE_REFERENCES },
+	[3] = { 0x7e, 0x07, PERF_COUNT_HW_CACHE_MISSES },
 	[4] = { 0xc2, 0x00, PERF_COUNT_HW_BRANCH_INSTRUCTIONS },
 	[5] = { 0xc3, 0x00, PERF_COUNT_HW_BRANCH_MISSES },
 	[6] = { 0xd0, 0x00, PERF_COUNT_HW_STALLED_CYCLES_FRONTEND },
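Review bot: amd_event_mapping[] repeats the same encoding split into event select and unit mask ({ 0x7d, 0x07 } and { 0x7e, 0x07 }), so the two tables now have to be kept in step by hand. A comment pointing at amd_perfmon_event_map[] would help, and the changelog should mention that guests using the generic cache events will see different counts after this update.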


* [PATCH 4.7 129/184] perf/x86/intel/pt: Fix an off-by-one in address filter configuration
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (122 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 128/184] perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 130/184] perf/x86/intel/pt: Fix kernel address filters offset validation Greg Kroah-Hartman
                     ` (53 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Alexander Shishkin,
	Peter Zijlstra, Arnaldo Carvalho de Melo,
	Arnaldo Carvalho de Melo, Jiri Olsa, Linus Torvalds,
	Peter Zijlstra, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	vince, Ingo Molnar

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit 95f60084acbcee6c466256cf26eb52191fad9edc upstream.

PT address filter configuration requires that a range is specified by
its first and last address, but at the moment we're obtaining the end
of the range by adding user specified size to its start, which is off
by one from what it actually needs to be.

Fix this and make sure that zero-sized filters don't pass the filter
validation.

Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: vince@deater.net
Link: http://lkml.kernel.org/r/20160915151352.21306-2-alexander.shishkin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/pt.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1081,7 +1081,7 @@ static int pt_event_addr_filters_validat
 
 	list_for_each_entry(filter, filters, entry) {
 		/* PT doesn't support single address triggers */
-		if (!filter->range)
+		if (!filter->range || !filter->size)
 			return -EOPNOTSUPP;
 
 		if (!filter->inode && !kernel_ip(filter->offset))
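
Review bot: the comment "PT doesn't support single address triggers" above the condition only explains the !filter->range half; the added !filter->size case is undocumented and shares the -EOPNOTSUPP return. Extend the comment to say that zero-sized ranges are rejected, and consider whether -EINVAL fits a zero size better, since that is a bad argument and not a missing hardware feature.
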
@@ -1111,7 +1111,7 @@ static void pt_event_addr_filters_sync(s
 		} else {
 			/* apply the offset */
 			msr_a = filter->offset + offs[range];
-			msr_b = filter->size + msr_a;
+			msr_b = filter->size + msr_a - 1;
 		}
 
 		filters->filter[range].msr_a  = msr_a;
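
Review bot: msr_b = filter->size + msr_a - 1 is only correct because pt_event_addr_filters_validate() now refuses a zero size; with size 0 it would yield an msr_b one below msr_a. The sum filter->offset + offs[range] + filter->size is also not checked for wraparound in this branch. A one-line comment that msr_b is the inclusive last address and relies on the validate step would help.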

* [PATCH 4.7 130/184] perf/x86/intel/pt: Fix kernel address filters offset validation
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (123 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 129/184] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 131/184] perf/x86/intel/pt: Do validate the size of a kernel address filter Greg Kroah-Hartman
                     ` (52 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Alexander Shishkin,
	Peter Zijlstra, Arnaldo Carvalho de Melo,
	Arnaldo Carvalho de Melo, Jiri Olsa, Linus Torvalds,
	Peter Zijlstra, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	vince, Ingo Molnar

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit ddfdad991e55b65c1cc4ee29502f6dceee04455a upstream.

The kernel_ip() filter is used mostly by the DS/LBR code to look at the
branch addresses, but Intel PT also uses it to validate the address
filter offsets for kernel addresses, for which it is not sufficient:
supplying something in bits 64:48 that's not a sign extension of the lower
address bits (like 0xf00d000000000000) throws a #GP.

This patch adds address validation for the user supplied kernel filters.

Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: vince@deater.net
Link: http://lkml.kernel.org/r/20160915151352.21306-3-alexander.shishkin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/pt.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1074,6 +1074,11 @@ static void pt_addr_filters_fini(struct
 	event->hw.addr_filters = NULL;
 }
 
+static inline bool valid_kernel_ip(unsigned long ip)
+{
+	return virt_addr_valid(ip) && kernel_ip(ip);
+}
+
 static int pt_event_addr_filters_validate(struct list_head *filters)
 {
 	struct perf_addr_filter *filter;
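
Review bot: valid_kernel_ip() has no comment saying why kernel_ip() alone is insufficient. The changelog gives the reason (a non-canonical value such as 0xf00d000000000000 throws a #GP), and one sentence to that effect above the helper would keep a later cleanup from folding it back into a plain kernel_ip() call.
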
@@ -1084,7 +1089,7 @@ static int pt_event_addr_filters_validat
 		if (!filter->range || !filter->size)
 			return -EOPNOTSUPP;
 
-		if (!filter->inode && !kernel_ip(filter->offset))
+		if (!filter->inode && !valid_kernel_ip(filter->offset))
 			return -EINVAL;
 
 		if (++range > pt_cap_get(PT_CAP_num_address_ranges))
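
Review bot: only the start of the range is validated here; filter->offset + filter->size is still passed through unchecked for kernel filters. Patch 131 in this series adds that check, so the two should be applied together.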

* [PATCH 4.7 131/184] perf/x86/intel/pt: Do validate the size of a kernel address filter
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (124 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 130/184] perf/x86/intel/pt: Fix kernel address filters offset validation Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 132/184] Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel" Greg Kroah-Hartman
                     ` (51 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Alexander Shishkin,
	Peter Zijlstra, Arnaldo Carvalho de Melo,
	Arnaldo Carvalho de Melo, Jiri Olsa, Linus Torvalds,
	Peter Zijlstra, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	vince, Ingo Molnar

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit 1155bafcb79208abc6ae234c6e135ac70607755c upstream.

Right now, the kernel address filters in PT are prone to integer overflow
that may happen in adding filter's size to its offset to obtain the end
of the range. Such an overflow would also throw a #GP in the PT event
configuration path.

Fix this by explicitly validating the result of this calculation.

Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: vince@deater.net
Link: http://lkml.kernel.org/r/20160915151352.21306-4-alexander.shishkin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/pt.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/x86/events/intel/pt.c
+++ b/arch/x86/events/intel/pt.c
@@ -1089,8 +1089,13 @@ static int pt_event_addr_filters_validat
 		if (!filter->range || !filter->size)
 			return -EOPNOTSUPP;
 
-		if (!filter->inode && !valid_kernel_ip(filter->offset))
-			return -EINVAL;
+		if (!filter->inode) {
+			if (!valid_kernel_ip(filter->offset))
+				return -EINVAL;
+
+			if (!valid_kernel_ip(filter->offset + filter->size))
+				return -EINVAL;
+		}
 
 		if (++range > pt_cap_get(PT_CAP_num_address_ranges))
 			return -EOPNOTSUPP;
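
Review bot: the second check validates filter->offset + filter->size, which is one past the range, while patch 129 in this series programs the end as offset + size - 1. A filter whose last byte is the highest valid kernel address would be refused; consider checking filter->offset + filter->size - 1 so the test matches what is written to the MSR. Both failures return the same -EINVAL, so a short comment that the second test catches overflow of the sum would also help.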

* [PATCH 4.7 132/184] Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel"
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (125 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 131/184] perf/x86/intel/pt: Do validate the size of a kernel address filter Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 133/184] sched/core: Fix a race between try_to_wake_up() and a woken up task Greg Kroah-Hartman
                     ` (50 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Johannes Berg

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 upstream.

This reverts commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724.

Ben Hutchings pointed out that the commit isn't safe since it assumes
that the structure used by the driver is iw_point, when in fact there's
no way to know about that.

Fortunately, the only driver in the tree that ever runs this code path
is the wilc1000 staging driver, so it doesn't really matter.

Clearly I should have investigated this better before applying, sorry.

Reported-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: 3d5fdff46c4b ("wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/wext-core.c |   25 ++-----------------------
 1 file changed, 2 insertions(+), 23 deletions(-)

--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -958,29 +958,8 @@ static int wireless_process_ioctl(struct
 			return private(dev, iwr, cmd, info, handler);
 	}
 	/* Old driver API : call driver ioctl handler */
-	if (dev->netdev_ops->ndo_do_ioctl) {
-#ifdef CONFIG_COMPAT
-		if (info->flags & IW_REQUEST_FLAG_COMPAT) {
-			int ret = 0;
-			struct iwreq iwr_lcl;
-			struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
-
-			memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
-			iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
-			iwr_lcl.u.data.length = iwp_compat->length;
-			iwr_lcl.u.data.flags = iwp_compat->flags;
-
-			ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
-
-			iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
-			iwp_compat->length = iwr_lcl.u.data.length;
-			iwp_compat->flags = iwr_lcl.u.data.flags;
-
-			return ret;
-		} else
-#endif
-			return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
-	}
+	if (dev->netdev_ops->ndo_do_ioctl)
+		return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
 	return -EOPNOTSUPP;
 }
 
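
Review bot: with the compat block gone, a request flagged IW_REQUEST_FLAG_COMPAT reaches ndo_do_ioctl() with ifr untranslated, and the remaining "Old driver API" comment does not say so. A sentence in that comment that no compat conversion is attempted here, because the core cannot know the layout the driver expects, would stop the same fix from being proposed again.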

* [PATCH 4.7 133/184] sched/core: Fix a race between try_to_wake_up() and a woken up task
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (126 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 132/184] Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel" Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 134/184] ipv6: Dont unset flowi6_proto in ipxip6_tnl_xmit() Greg Kroah-Hartman
                     ` (49 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Balbir Singh, Peter Zijlstra (Intel),
	Benjamin Herrenschmidt, Alexey Kardashevskiy, Linus Torvalds,
	Nicholas Piggin, Nicholas Piggin, Oleg Nesterov, Thomas Gleixner,
	Ingo Molnar

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Balbir Singh <bsingharora@gmail.com>

commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf upstream.

The origin of the issue I've seen is related to
a missing memory barrier between check for task->state and
the check for task->on_rq.

The task being woken up is already awake from a schedule()
and is doing the following:

	do {
		schedule()
		set_current_state(TASK_(UN)INTERRUPTIBLE);
	} while (!cond);

The waker, actually gets stuck doing the following in
try_to_wake_up():

	while (p->on_cpu)
		cpu_relax();

Analysis:

The instance I've seen involves the following race:

 CPU1					CPU2

 while () {
   if (cond)
     break;
   do {
     schedule();
     set_current_state(TASK_UN..)
   } while (!cond);
					wakeup_routine()
					  spin_lock_irqsave(wait_lock)
   raw_spin_lock_irqsave(wait_lock)	  wake_up_process()
 }					  try_to_wake_up()
 set_current_state(TASK_RUNNING);	  ..
 list_del(&waiter.list);

CPU2 wakes up CPU1, but before it can get the wait_lock and set
current state to TASK_RUNNING the following occurs:

 CPU3
 wakeup_routine()
 raw_spin_lock_irqsave(wait_lock)
 if (!list_empty)
   wake_up_process()
   try_to_wake_up()
   raw_spin_lock_irqsave(p->pi_lock)
   ..
   if (p->on_rq && ttwu_wakeup())
   ..
   while (p->on_cpu)
     cpu_relax()
   ..

CPU3 tries to wake up the task on CPU1 again since it finds
it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
after CPU2, CPU3 got it.

CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
the task is spinning on the wait_lock. Interestingly since p->on_rq
is checked under pi_lock, I've noticed that try_to_wake_up() finds
p->on_rq to be 0. This was the most confusing bit of the analysis,
but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
check is not reliable without this fix IMHO. The race is visible
(based on the analysis) only when ttwu_queue() does a remote wakeup
via ttwu_queue_remote. In which case the p->on_rq change is not
done under the pi_lock.

The result is that after a while the entire system locks up on
the raw_spin_irqlock_save(wait_lock) and the holder spins infinitely.

Reproduction of the issue:

The issue can be reproduced after a long run on my system with 80
threads and having to tweak available memory to very low and running
memory stress-ng mmapfork test. It usually takes a long time to
reproduce. I am trying to work on a test case that can reproduce
the issue faster, but that's work in progress. I am still testing the
changes on my still in a loop and the tests seem OK thus far.

Big thanks to Benjamin and Nick for helping debug this as well.
Ben helped catch the missing barrier, Nick caught every missing
bit in my theory.

Signed-off-by: Balbir Singh <bsingharora@gmail.com>
[ Updated comment to clarify matching barriers. Many
  architectures do not have a full barrier in switch_to()
  so that cannot be relied upon. ]
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nicholas Piggin <nicholas.piggin@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sched/core.c |   22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -2015,6 +2015,28 @@ try_to_wake_up(struct task_struct *p, un
 	success = 1; /* we're going to change ->state */
 	cpu = task_cpu(p);
 
+	/*
+	 * Ensure we load p->on_rq _after_ p->state, otherwise it would
+	 * be possible to, falsely, observe p->on_rq == 0 and get stuck
+	 * in smp_cond_load_acquire() below.
+	 *
+	 * sched_ttwu_pending()                 try_to_wake_up()
+	 *   [S] p->on_rq = 1;                  [L] P->state
+	 *       UNLOCK rq->lock  -----.
+	 *                              \
+	 *				 +---   RMB
+	 * schedule()                   /
+	 *       LOCK rq->lock    -----'
+	 *       UNLOCK rq->lock
+	 *
+	 * [task p]
+	 *   [S] p->state = UNINTERRUPTIBLE     [L] p->on_rq
+	 *
+	 * Pairs with the UNLOCK+LOCK on rq->lock from the
+	 * last wakeup of our task and the schedule that got our task
+	 * current.
+	 */
+	smp_rmb();
 	if (p->on_rq && ttwu_remote(p, wake_flags))
 		goto stat;
 
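
Review bot: the new comment says the waker gets stuck in smp_cond_load_acquire() "below", while the changelog shows the spin as while (p->on_cpu) cpu_relax(); for this backport it is worth confirming that the 4.7 tree spells the wait that way so the comment matches the code. In the diagram, "[L] P->state" should read p->state to match the other three accesses.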

* [PATCH 4.7 134/184] ipv6: Dont unset flowi6_proto in ipxip6_tnl_xmit()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (127 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 133/184] sched/core: Fix a race between try_to_wake_up() and a woken up task Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 135/184] efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen Greg Kroah-Hartman
                     ` (48 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eli Cooper, David S. Miller

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eli Cooper <elicooper@gmx.com>

commit ab34380162cbc9b5172afdadf5136643c687bb73 upstream.

Commit 8eb30be0352d0916 ("ipv6: Create ip6_tnl_xmit") unsets
flowi6_proto in ip4ip6_tnl_xmit() and ip6ip6_tnl_xmit().
Since xfrm_selector_match() relies on this info, IPv6 packets
sent by an ip6tunnel cannot be properly selected by their
protocols after removing it. This patch puts flowi6_proto back.

Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit")
Signed-off-by: Eli Cooper <elicooper@gmx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv6/ip6_tunnel.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1174,6 +1174,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, str
 		encap_limit = t->parms.encap_limit;
 
 	memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
+	fl6.flowi6_proto = IPPROTO_IPIP;
 
 	dsfield = ipv4_get_dsfield(iph);
 
@@ -1233,6 +1234,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str
 		encap_limit = t->parms.encap_limit;
 
 	memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
+	fl6.flowi6_proto = IPPROTO_IPV6;
 
 	dsfield = ipv6_get_dsfield(ipv6h);
 	if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS)
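
Review bot: fl6.flowi6_proto is set right after the memcpy() with no comment on why the copied template is not enough, and the same one-line fix is repeated in ip4ip6_tnl_xmit() with IPPROTO_IPIP. A short comment that xfrm_selector_match() depends on this field would keep a later refactor from dropping it again, which is how the changelog says it was lost.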

* [PATCH 4.7 135/184] efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (128 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 134/184] ipv6: Dont unset flowi6_proto in ipxip6_tnl_xmit() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 136/184] efi/libstub: Allocate headspace in efi_get_memory_map() Greg Kroah-Hartman
                     ` (47 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, lists, Vitaly Kuznetsov, Jiri Slaby,
	Mark Rutland, Jan Beulich, Matt Fleming

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeulich@suse.com>

commit d4c4fed08f31f3746000c46cb1b20bed2959547a upstream.

While commit 55f1ea15216 ("efi: Fix for_each_efi_memory_desc_in_map()
for empty memmaps") made an attempt to deal with empty memory maps, it
didn't address the case where the map field never gets set, as is
apparently the case when running under Xen.

Reported-by: <lists@ssl-mail.com>
Tested-by: <lists@ssl-mail.com>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
[ Guard the loop with a NULL check instead of pointer underflow ]
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/efi.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1005,7 +1005,7 @@ extern int efi_memattr_apply_permissions
 /* Iterate through an efi_memory_map */
 #define for_each_efi_memory_desc_in_map(m, md)				   \
 	for ((md) = (m)->map;						   \
-	     ((void *)(md) + (m)->desc_size) <= (m)->map_end;		   \
+	     (md) && ((void *)(md) + (m)->desc_size) <= (m)->map_end;	   \
 	     (md) = (void *)(md) + (m)->desc_size)
 
 /**
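
Review bot: the added (md) && test is evaluated on every iteration although only the initial (m)->map can be NULL, and the comment above the macro still reads just "Iterate through an efi_memory_map". Note there that a map whose ->map was never set is treated as empty, so callers know they need no check of their own.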

* [PATCH 4.7 136/184] efi/libstub: Allocate headspace in efi_get_memory_map()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (129 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 135/184] efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 137/184] efi/libstub: Introduce ExitBootServices helper Greg Kroah-Hartman
                     ` (46 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeffrey Hugo, Ard Biesheuvel,
	Mark Rutland, Leif Lindholm, Ingo Molnar, Matt Fleming

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeffrey Hugo <jhugo@codeaurora.org>

commit dadb57abc37499f565b23933dbf49b435c3ba8af upstream.

efi_get_memory_map() allocates a buffer to store the memory map that it
retrieves.  This buffer may need to be reused by the client after
ExitBootServices() is called, at which point allocations are no longer
permitted.  To support this usecase, provide the allocated buffer size back
to the client, and allocate some additional headroom to account for any
reasonable growth in the map that is likely to happen between the call to
efi_get_memory_map() and the client reusing the buffer.

Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/boot/compressed/eboot.c               |   18 +++-
 drivers/firmware/efi/libstub/efi-stub-helper.c |   96 +++++++++++++++++--------
 drivers/firmware/efi/libstub/fdt.c             |   17 +++-
 drivers/firmware/efi/libstub/random.c          |   12 ++-
 include/linux/efi.h                            |   15 ++-
 5 files changed, 110 insertions(+), 48 deletions(-)

--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -1010,7 +1010,7 @@ static efi_status_t exit_boot(struct boo
 			      void *handle, bool is64)
 {
 	struct efi_info *efi = &boot_params->efi_info;
-	unsigned long map_sz, key, desc_size;
+	unsigned long map_sz, key, desc_size, buff_size;
 	efi_memory_desc_t *mem_map;
 	struct setup_data *e820ext;
 	const char *signature;
@@ -1021,14 +1021,20 @@ static efi_status_t exit_boot(struct boo
 	bool called_exit = false;
 	u8 nr_entries;
 	int i;
+	struct efi_boot_memmap map;
 
-	nr_desc = 0;
-	e820ext = NULL;
-	e820ext_size = 0;
+	nr_desc =	0;
+	e820ext =	NULL;
+	e820ext_size =	0;
+	map.map =	&mem_map;
+	map.map_size =	&map_sz;
+	map.desc_size =	&desc_size;
+	map.desc_ver =	&desc_version;
+	map.key_ptr =	&key;
+	map.buff_size =	&buff_size;
 
 get_map:
-	status = efi_get_memory_map(sys_table, &mem_map, &map_sz, &desc_size,
-				    &desc_version, &key);
+	status = efi_get_memory_map(sys_table, &map);
 
 	if (status != EFI_SUCCESS)
 		return status;
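
Review bot: the nr_desc, e820ext and e820ext_size assignments are changed only in whitespace to line up with the new map.* lines, which adds unrelated churn to a stable backport; leave those three lines untouched. buff_size is also filled in through map.buff_size but is not read anywhere in the visible part of exit_boot().
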
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -41,6 +41,8 @@ static unsigned long __chunk_size = EFI_
 #define EFI_ALLOC_ALIGN		EFI_PAGE_SIZE
 #endif
 
+#define EFI_MMAP_NR_SLACK_SLOTS	8
+
 struct file_info {
 	efi_file_handle_t *handle;
 	u64 size;
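
Review bot: EFI_MMAP_NR_SLACK_SLOTS is defined as 8 with no comment on what a slot is or why eight is enough. The explanation currently lives in the retry branch of efi_get_memory_map(); a line at the definition saying it is the number of spare descriptors kept for map growth before ExitBootServices() would be easier to find.
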
@@ -63,49 +65,62 @@ void efi_printk(efi_system_table_t *sys_
 	}
 }
 
+static inline bool mmap_has_headroom(unsigned long buff_size,
+				     unsigned long map_size,
+				     unsigned long desc_size)
+{
+	unsigned long slack = buff_size - map_size;
+
+	return slack / desc_size >= EFI_MMAP_NR_SLACK_SLOTS;
+}
+
 efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg,
-				efi_memory_desc_t **map,
-				unsigned long *map_size,
-				unsigned long *desc_size,
-				u32 *desc_ver,
-				unsigned long *key_ptr)
+				struct efi_boot_memmap *map)
 {
 	efi_memory_desc_t *m = NULL;
 	efi_status_t status;
 	unsigned long key;
 	u32 desc_version;
 
-	*map_size = sizeof(*m) * 32;
+	*map->desc_size =	sizeof(*m);
+	*map->map_size =	*map->desc_size * 32;
+	*map->buff_size =	*map->map_size;
 again:
-	/*
-	 * Add an additional efi_memory_desc_t because we're doing an
-	 * allocation which may be in a new descriptor region.
-	 */
-	*map_size += sizeof(*m);
 	status = efi_call_early(allocate_pool, EFI_LOADER_DATA,
-				*map_size, (void **)&m);
+				*map->map_size, (void **)&m);
 	if (status != EFI_SUCCESS)
 		goto fail;
 
-	*desc_size = 0;
+	*map->desc_size = 0;
 	key = 0;
-	status = efi_call_early(get_memory_map, map_size, m,
-				&key, desc_size, &desc_version);
-	if (status == EFI_BUFFER_TOO_SMALL) {
+	status = efi_call_early(get_memory_map, map->map_size, m,
+				&key, map->desc_size, &desc_version);
+	if (status == EFI_BUFFER_TOO_SMALL ||
+	    !mmap_has_headroom(*map->buff_size, *map->map_size,
+			       *map->desc_size)) {
 		efi_call_early(free_pool, m);
+		/*
+		 * Make sure there is some entries of headroom so that the
+		 * buffer can be reused for a new map after allocations are
+		 * no longer permitted.  Its unlikely that the map will grow to
+		 * exceed this headroom once we are ready to trigger
+		 * ExitBootServices()
+		 */
+		*map->map_size += *map->desc_size * EFI_MMAP_NR_SLACK_SLOTS;
+		*map->buff_size = *map->map_size;
 		goto again;
 	}
 
 	if (status != EFI_SUCCESS)
 		efi_call_early(free_pool, m);
 
-	if (key_ptr && status == EFI_SUCCESS)
-		*key_ptr = key;
-	if (desc_ver && status == EFI_SUCCESS)
-		*desc_ver = desc_version;
+	if (map->key_ptr && status == EFI_SUCCESS)
+		*map->key_ptr = key;
+	if (map->desc_ver && status == EFI_SUCCESS)
+		*map->desc_ver = desc_version;
 
 fail:
-	*map = m;
+	*map->map = m;
 	return status;
 }
 
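
Review bot: mmap_has_headroom() divides by desc_size, and in efi_get_memory_map() *map->desc_size is reset to 0 just before the get_memory_map call, so any status other than EFI_BUFFER_TOO_SMALL that leaves desc_size untouched reaches slack / desc_size with a zero divisor. The same condition can also send other failure statuses round the goto again loop instead of to the error path. Test the status first, for example retry only when it is EFI_BUFFER_TOO_SMALL, or when it is EFI_SUCCESS and the headroom check fails. buff_size - map_size is unsigned as well, so a comment that map_size never exceeds buff_size on this path would help.
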
@@ -113,13 +128,20 @@ fail:
 unsigned long get_dram_base(efi_system_table_t *sys_table_arg)
 {
 	efi_status_t status;
-	unsigned long map_size;
+	unsigned long map_size, buff_size;
 	unsigned long membase  = EFI_ERROR;
 	struct efi_memory_map map;
 	efi_memory_desc_t *md;
+	struct efi_boot_memmap boot_map;
 
-	status = efi_get_memory_map(sys_table_arg, (efi_memory_desc_t **)&map.map,
-				    &map_size, &map.desc_size, NULL, NULL);
+	boot_map.map =		(efi_memory_desc_t **)&map.map;
+	boot_map.map_size =	&map_size;
+	boot_map.desc_size =	&map.desc_size;
+	boot_map.desc_ver =	NULL;
+	boot_map.key_ptr =	NULL;
+	boot_map.buff_size =	&buff_size;
+
+	status = efi_get_memory_map(sys_table_arg, &boot_map);
 	if (status != EFI_SUCCESS)
 		return membase;
 
@@ -144,15 +166,22 @@ efi_status_t efi_high_alloc(efi_system_t
 			    unsigned long size, unsigned long align,
 			    unsigned long *addr, unsigned long max)
 {
-	unsigned long map_size, desc_size;
+	unsigned long map_size, desc_size, buff_size;
 	efi_memory_desc_t *map;
 	efi_status_t status;
 	unsigned long nr_pages;
 	u64 max_addr = 0;
 	int i;
+	struct efi_boot_memmap boot_map;
+
+	boot_map.map =		&map;
+	boot_map.map_size =	&map_size;
+	boot_map.desc_size =	&desc_size;
+	boot_map.desc_ver =	NULL;
+	boot_map.key_ptr =	NULL;
+	boot_map.buff_size =	&buff_size;
 
-	status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size,
-				    NULL, NULL);
+	status = efi_get_memory_map(sys_table_arg, &boot_map);
 	if (status != EFI_SUCCESS)
 		goto fail;
 
@@ -230,14 +259,21 @@ efi_status_t efi_low_alloc(efi_system_ta
 			   unsigned long size, unsigned long align,
 			   unsigned long *addr)
 {
-	unsigned long map_size, desc_size;
+	unsigned long map_size, desc_size, buff_size;
 	efi_memory_desc_t *map;
 	efi_status_t status;
 	unsigned long nr_pages;
 	int i;
+	struct efi_boot_memmap boot_map;
+
+	boot_map.map =		&map;
+	boot_map.map_size =	&map_size;
+	boot_map.desc_size =	&desc_size;
+	boot_map.desc_ver =	NULL;
+	boot_map.key_ptr =	NULL;
+	boot_map.buff_size =	&buff_size;
 
-	status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size,
-				    NULL, NULL);
+	status = efi_get_memory_map(sys_table_arg, &boot_map);
 	if (status != EFI_SUCCESS)
 		goto fail;
 
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -175,13 +175,21 @@ efi_status_t allocate_new_fdt_and_exit_b
 					    unsigned long fdt_addr,
 					    unsigned long fdt_size)
 {
-	unsigned long map_size, desc_size;
+	unsigned long map_size, desc_size, buff_size;
 	u32 desc_ver;
 	unsigned long mmap_key;
 	efi_memory_desc_t *memory_map, *runtime_map;
 	unsigned long new_fdt_size;
 	efi_status_t status;
 	int runtime_entry_count = 0;
+	struct efi_boot_memmap map;
+
+	map.map =	&runtime_map;
+	map.map_size =	&map_size;
+	map.desc_size =	&desc_size;
+	map.desc_ver =	&desc_ver;
+	map.key_ptr =	&mmap_key;
+	map.buff_size =	&buff_size;
 
 	/*
 	 * Get a copy of the current memory map that we will use to prepare
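
Review bot: the six map.* assignments repeat, field by field, the setup added to every other caller in this patch. A designated initializer at the declaration (struct efi_boot_memmap map = { .map = &runtime_map, ... }) would be shorter and would zero any member added later instead of leaving it uninitialized.
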
@@ -189,8 +197,7 @@ efi_status_t allocate_new_fdt_and_exit_b
 	 * subsequent allocations adding entries, since they could not affect
 	 * the number of EFI_MEMORY_RUNTIME regions.
 	 */
-	status = efi_get_memory_map(sys_table, &runtime_map, &map_size,
-				    &desc_size, &desc_ver, &mmap_key);
+	status = efi_get_memory_map(sys_table, &map);
 	if (status != EFI_SUCCESS) {
 		pr_efi_err(sys_table, "Unable to retrieve UEFI memory map.\n");
 		return status;
@@ -199,6 +206,7 @@ efi_status_t allocate_new_fdt_and_exit_b
 	pr_efi(sys_table,
 	       "Exiting boot services and installing virtual address map...\n");
 
+	map.map = &memory_map;
 	/*
 	 * Estimate size of new FDT, and allocate memory for it. We
 	 * will allocate a bigger buffer if this ends up being too
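
Review bot: map.map = &memory_map silently retargets the struct that was just used to fetch runtime_map, and it sits directly above a comment about FDT size estimation, so it is easy to miss that the later efi_get_memory_map() call fills a different buffer. Add a comment on that line, or use a second struct efi_boot_memmap for the second call.
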
@@ -218,8 +226,7 @@ efi_status_t allocate_new_fdt_and_exit_b
 		 * we can get the memory map key  needed for
 		 * exit_boot_services().
 		 */
-		status = efi_get_memory_map(sys_table, &memory_map, &map_size,
-					    &desc_size, &desc_ver, &mmap_key);
+		status = efi_get_memory_map(sys_table, &map);
 		if (status != EFI_SUCCESS)
 			goto fail_free_new_fdt;
 
--- a/drivers/firmware/efi/libstub/random.c
+++ b/drivers/firmware/efi/libstub/random.c
@@ -73,12 +73,20 @@ efi_status_t efi_random_alloc(efi_system
 			      unsigned long random_seed)
 {
 	unsigned long map_size, desc_size, total_slots = 0, target_slot;
+	unsigned long buff_size;
 	efi_status_t status;
 	efi_memory_desc_t *memory_map;
 	int map_offset;
+	struct efi_boot_memmap map;
 
-	status = efi_get_memory_map(sys_table_arg, &memory_map, &map_size,
-				    &desc_size, NULL, NULL);
+	map.map =	&memory_map;
+	map.map_size =	&map_size;
+	map.desc_size =	&desc_size;
+	map.desc_ver =	NULL;
+	map.key_ptr =	NULL;
+	map.buff_size =	&buff_size;
+
+	status = efi_get_memory_map(sys_table_arg, &map);
 	if (status != EFI_SUCCESS)
 		return status;
 
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -118,6 +118,15 @@ typedef struct {
 	u32 imagesize;
 } efi_capsule_header_t;
 
+struct efi_boot_memmap {
+	efi_memory_desc_t	**map;
+	unsigned long		*map_size;
+	unsigned long		*desc_size;
+	u32			*desc_ver;
+	unsigned long		*key_ptr;
+	unsigned long		*buff_size;
+};
+
 /*
  * EFI capsule flags
  */
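Review bot: struct efi_boot_memmap is added without any comment on its members, and buff_size next to map_size is easy to confuse. Please document that the members are output pointers filled in by efi_get_memory_map(), how map_size (size of the map returned) differs from buff_size (size of the buffer allocated for it), and which members may be NULL, since efi_random_alloc() in this same patch sets desc_ver and key_ptr to NULL.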
@@ -1430,11 +1439,7 @@ char *efi_convert_cmdline(efi_system_tab
 			  efi_loaded_image_t *image, int *cmd_line_len);
 
 efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg,
-				efi_memory_desc_t **map,
-				unsigned long *map_size,
-				unsigned long *desc_size,
-				u32 *desc_ver,
-				unsigned long *key_ptr);
+				struct efi_boot_memmap *map);
 
 efi_status_t efi_low_alloc(efi_system_table_t *sys_table_arg,
 			   unsigned long size, unsigned long align,


* [PATCH 4.7 137/184] efi/libstub: Introduce ExitBootServices helper
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (130 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 136/184] efi/libstub: Allocate headspace in efi_get_memory_map() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 138/184] efi/libstub: Use efi_exit_boot_services() in FDT Greg Kroah-Hartman
                     ` (45 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeffrey Hugo, Ard Biesheuvel,
	Mark Rutland, Leif Lindholm, Ingo Molnar, Matt Fleming

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeffrey Hugo <jhugo@codeaurora.org>

commit fc07716ba803483be91bc4b2344f9c84985e6f07 upstream.

The spec allows ExitBootServices to fail with EFI_INVALID_PARAMETER if a
race condition has occurred where the EFI has updated the memory map after
the stub grabbed a reference to the map.  The spec defines a retry
procedure with specific requirements to handle this scenario.

This scenario was previously observed on x86 - commit d3768d885c6c ("x86,
efi: retry ExitBootServices() on failure") but the current fix is not spec
compliant and the scenario is now observed on the Qualcomm Technologies
QDF2432 via the FDT stub which does not handle the error and thus causes
boot failures.  The user will notice the boot failure as the kernel is not
executed and the system may drop back to a UEFI shell, but will be
unresponsive to input and the system will require a power cycle to recover.

Add a helper to the stub library that correctly adheres to the spec in the
case of EFI_INVALID_PARAMETER from ExitBootServices and can be universally
used across all stub implementations.

Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/libstub/efi-stub-helper.c |   73 +++++++++++++++++++++++++
 include/linux/efi.h                            |   11 +++
 2 files changed, 84 insertions(+)

--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -740,3 +740,76 @@ char *efi_convert_cmdline(efi_system_tab
 	*cmd_line_len = options_bytes;
 	return (char *)cmdline_addr;
 }
+
+/*
+ * Handle calling ExitBootServices according to the requirements set out by the
+ * spec.  Obtains the current memory map, and returns that info after calling
+ * ExitBootServices.  The client must specify a function to perform any
+ * processing of the memory map data prior to ExitBootServices.  A client
+ * specific structure may be passed to the function via priv.  The client
+ * function may be called multiple times.
+ */
+efi_status_t efi_exit_boot_services(efi_system_table_t *sys_table_arg,
+				    void *handle,
+				    struct efi_boot_memmap *map,
+				    void *priv,
+				    efi_exit_boot_map_processing priv_func)
+{
+	efi_status_t status;
+
+	status = efi_get_memory_map(sys_table_arg, map);
+
+	if (status != EFI_SUCCESS)
+		goto fail;
+
+	status = priv_func(sys_table_arg, map, priv);
+	if (status != EFI_SUCCESS)
+		goto free_map;
+
+	status = efi_call_early(exit_boot_services, handle, *map->key_ptr);
+
+	if (status == EFI_INVALID_PARAMETER) {
+		/*
+		 * The memory map changed between efi_get_memory_map() and
+		 * exit_boot_services().  Per the UEFI Spec v2.6, Section 6.4:
+		 * EFI_BOOT_SERVICES.ExitBootServices we need to get the
+		 * updated map, and try again.  The spec implies one retry
+		 * should be sufficent, which is confirmed against the EDK2
+		 * implementation.  Per the spec, we can only invoke
+		 * get_memory_map() and exit_boot_services() - we cannot alloc
+		 * so efi_get_memory_map() cannot be used, and we must reuse
+		 * the buffer.  For all practical purposes, the headroom in the
+		 * buffer should account for any changes in the map so the call
+		 * to get_memory_map() is expected to succeed here.
+		 */
+		*map->map_size = *map->buff_size;
+		status = efi_call_early(get_memory_map,
+					map->map_size,
+					*map->map,
+					map->key_ptr,
+					map->desc_size,
+					map->desc_ver);
+
+		/* exit_boot_services() was called, thus cannot free */
+		if (status != EFI_SUCCESS)
+			goto fail;
+
+		status = priv_func(sys_table_arg, map, priv);
+		/* exit_boot_services() was called, thus cannot free */
+		if (status != EFI_SUCCESS)
+			goto fail;
+
+		status = efi_call_early(exit_boot_services, handle, *map->key_ptr);
+	}
+
+	/* exit_boot_services() was called, thus cannot free */
+	if (status != EFI_SUCCESS)
+		goto fail;
+
+	return EFI_SUCCESS;
+
+free_map:
+	efi_call_early(free_pool, *map->map);
+fail:
+	return status;
+}
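Review bot: the helper dereferences map->key_ptr and map->buff_size unconditionally and passes map->desc_ver straight to get_memory_map on the retry path, while efi_random_alloc() in the previous patch fills the same struct with desc_ver and key_ptr set to NULL. Either fail early when a required member is NULL or state in the comment block that every member must be valid for this helper. Separately, the tail `if (status != EFI_SUCCESS) goto fail; return EFI_SUCCESS;` is redundant, because the fail label already returns status.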
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1470,4 +1470,15 @@ efi_status_t efi_setup_gop(efi_system_ta
 			   unsigned long size);
 
 bool efi_runtime_disabled(void);
+
+typedef efi_status_t (*efi_exit_boot_map_processing)(
+	efi_system_table_t *sys_table_arg,
+	struct efi_boot_memmap *map,
+	void *priv);
+
+efi_status_t efi_exit_boot_services(efi_system_table_t *sys_table,
+				    void *handle,
+				    struct efi_boot_memmap *map,
+				    void *priv,
+				    efi_exit_boot_map_processing priv_func);
 #endif /* _LINUX_EFI_H */
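Review bot: the efi_exit_boot_map_processing typedef carries no comment on the callback contract, and the comment on the helper only says the function may be called multiple times. Spell out here that the second call happens after ExitBootServices() has already been attempted, so the callback must not allocate or free through boot services and must give a consistent result when re-run. Also, the prototype names the first parameter sys_table while the definition uses sys_table_arg.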


* [PATCH 4.7 138/184] efi/libstub: Use efi_exit_boot_services() in FDT
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (131 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 137/184] efi/libstub: Introduce ExitBootServices helper Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 139/184] x86/efi: Use efi_exit_boot_services() Greg Kroah-Hartman
                     ` (44 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeffrey Hugo, Ard Biesheuvel,
	Mark Rutland, Leif Lindholm, Ingo Molnar, Matt Fleming

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeffrey Hugo <jhugo@codeaurora.org>

commit ed9cc156c42ff0c0bf9b1d09df48a12bf0873473 upstream.

The FDT code directly calls ExitBootServices.  This is inadvisable as the
UEFI spec details a complex set of errors, race conditions, and API
interactions that the caller of ExitBootServices must get correct.  The
FDT code does not handle EFI_INVALID_PARAMETER as required by the spec,
which causes intermittent boot failures on the Qualcomm Technologies
QDF2432.  Call the efi_exit_boot_services() helper instead, which handles
the EFI_INVALID_PARAMETER scenario properly.

Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/libstub/fdt.c |   37 +++++++++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 10 deletions(-)

--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -152,6 +152,27 @@ fdt_set_fail:
 #define EFI_FDT_ALIGN EFI_PAGE_SIZE
 #endif
 
+struct exit_boot_struct {
+	efi_memory_desc_t *runtime_map;
+	int *runtime_entry_count;
+};
+
+static efi_status_t exit_boot_func(efi_system_table_t *sys_table_arg,
+				   struct efi_boot_memmap *map,
+				   void *priv)
+{
+	struct exit_boot_struct *p = priv;
+	/*
+	 * Update the memory map with virtual addresses. The function will also
+	 * populate @runtime_map with copies of just the EFI_MEMORY_RUNTIME
+	 * entries so that we can pass it straight to SetVirtualAddressMap()
+	 */
+	efi_get_virtmap(*map->map, *map->map_size, *map->desc_size,
+			p->runtime_map, p->runtime_entry_count);
+
+	return EFI_SUCCESS;
+}
+
 /*
  * Allocate memory for a new FDT, then add EFI, commandline, and
  * initrd related fields to the FDT.  This routine increases the
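Review bot: exit_boot_func() can run twice when the helper retries, but runtime_entry_count is set to 0 only once in the caller (`int runtime_entry_count = 0;`). efi_get_virtmap() is not shown here; if it increments the count without resetting it, the retry path inflates the entry count that is later used for SetVirtualAddressMap(). Either reset *p->runtime_entry_count at the top of this callback or confirm that efi_get_virtmap() does.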
@@ -183,6 +204,7 @@ efi_status_t allocate_new_fdt_and_exit_b
 	efi_status_t status;
 	int runtime_entry_count = 0;
 	struct efi_boot_memmap map;
+	struct exit_boot_struct priv;
 
 	map.map =	&runtime_map;
 	map.map_size =	&map_size;
@@ -257,16 +279,11 @@ efi_status_t allocate_new_fdt_and_exit_b
 		}
 	}
 
-	/*
-	 * Update the memory map with virtual addresses. The function will also
-	 * populate @runtime_map with copies of just the EFI_MEMORY_RUNTIME
-	 * entries so that we can pass it straight into SetVirtualAddressMap()
-	 */
-	efi_get_virtmap(memory_map, map_size, desc_size, runtime_map,
-			&runtime_entry_count);
-
-	/* Now we are ready to exit_boot_services.*/
-	status = sys_table->boottime->exit_boot_services(handle, mmap_key);
+	sys_table->boottime->free_pool(memory_map);
+	priv.runtime_map = runtime_map;
+	priv.runtime_entry_count = &runtime_entry_count;
+	status = efi_exit_boot_services(sys_table, handle, &map, &priv,
+					exit_boot_func);
 
 	if (status == EFI_SUCCESS) {
 		efi_set_virtual_address_map_t *svam;
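Review bot: `sys_table->boottime->free_pool(memory_map);` leaves memory_map dangling until efi_exit_boot_services() overwrites it, and that only happens because map.map was pointed at &memory_map earlier in the function, which is not visible from this hunk. If the helper's efi_get_memory_map() call fails, memory_map still holds the freed address on return. Set memory_map to NULL after the free and add a comment that map describes memory_map at this point.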


* [PATCH 4.7 139/184] x86/efi: Use efi_exit_boot_services()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (132 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 138/184] efi/libstub: Use efi_exit_boot_services() in FDT Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 140/184] powerpc/32: Fix csum_partial_copy_generic() Greg Kroah-Hartman
                     ` (43 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeffrey Hugo, Ard Biesheuvel,
	Mark Rutland, Leif Lindholm, Ingo Molnar, Matt Fleming

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeffrey Hugo <jhugo@codeaurora.org>

commit d64934019f6cc39202e2f78063709f61ca5cb364 upstream.

The eboot code directly calls ExitBootServices.  This is inadvisable as the
UEFI spec details a complex set of errors, race conditions, and API
interactions that the caller of ExitBootServices must get correct.  The
eboot code attempts allocations after calling ExitBootServices which is
not permitted per the spec.  Call the efi_exit_boot_services() helper
instead, which handles the allocation scenario properly.

Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/boot/compressed/eboot.c |  134 +++++++++++++++++++--------------------
 1 file changed, 66 insertions(+), 68 deletions(-)

--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -1006,85 +1006,87 @@ static efi_status_t alloc_e820ext(u32 nr
 	return status;
 }
 
+struct exit_boot_struct {
+	struct boot_params *boot_params;
+	struct efi_info *efi;
+	struct setup_data *e820ext;
+	__u32 e820ext_size;
+	bool is64;
+};
+
+static efi_status_t exit_boot_func(efi_system_table_t *sys_table_arg,
+				   struct efi_boot_memmap *map,
+				   void *priv)
+{
+	static bool first = true;
+	const char *signature;
+	__u32 nr_desc;
+	efi_status_t status;
+	struct exit_boot_struct *p = priv;
+
+	if (first) {
+		nr_desc = *map->buff_size / *map->desc_size;
+		if (nr_desc > ARRAY_SIZE(p->boot_params->e820_map)) {
+			u32 nr_e820ext = nr_desc -
+					ARRAY_SIZE(p->boot_params->e820_map);
+
+			status = alloc_e820ext(nr_e820ext, &p->e820ext,
+					       &p->e820ext_size);
+			if (status != EFI_SUCCESS)
+				return status;
+		}
+		first = false;
+	}
+
+	signature = p->is64 ? EFI64_LOADER_SIGNATURE : EFI32_LOADER_SIGNATURE;
+	memcpy(&p->efi->efi_loader_signature, signature, sizeof(__u32));
+
+	p->efi->efi_systab = (unsigned long)sys_table_arg;
+	p->efi->efi_memdesc_size = *map->desc_size;
+	p->efi->efi_memdesc_version = *map->desc_ver;
+	p->efi->efi_memmap = (unsigned long)*map->map;
+	p->efi->efi_memmap_size = *map->map_size;
+
+#ifdef CONFIG_X86_64
+	p->efi->efi_systab_hi = (unsigned long)sys_table_arg >> 32;
+	p->efi->efi_memmap_hi = (unsigned long)*map->map >> 32;
+#endif
+
+	return EFI_SUCCESS;
+}
+
 static efi_status_t exit_boot(struct boot_params *boot_params,
 			      void *handle, bool is64)
 {
-	struct efi_info *efi = &boot_params->efi_info;
 	unsigned long map_sz, key, desc_size, buff_size;
 	efi_memory_desc_t *mem_map;
 	struct setup_data *e820ext;
-	const char *signature;
 	__u32 e820ext_size;
-	__u32 nr_desc, prev_nr_desc;
 	efi_status_t status;
 	__u32 desc_version;
-	bool called_exit = false;
-	u8 nr_entries;
-	int i;
 	struct efi_boot_memmap map;
+	struct exit_boot_struct priv;
 
-	nr_desc =	0;
-	e820ext =	NULL;
-	e820ext_size =	0;
-	map.map =	&mem_map;
-	map.map_size =	&map_sz;
-	map.desc_size =	&desc_size;
-	map.desc_ver =	&desc_version;
-	map.key_ptr =	&key;
-	map.buff_size =	&buff_size;
-
-get_map:
-	status = efi_get_memory_map(sys_table, &map);
+	map.map =		&mem_map;
+	map.map_size =		&map_sz;
+	map.desc_size =		&desc_size;
+	map.desc_ver =		&desc_version;
+	map.key_ptr =		&key;
+	map.buff_size =		&buff_size;
+	priv.boot_params =	boot_params;
+	priv.efi =		&boot_params->efi_info;
+	priv.e820ext =		NULL;
+	priv.e820ext_size =	0;
+	priv.is64 =		is64;
 
+	/* Might as well exit boot services now */
+	status = efi_exit_boot_services(sys_table, handle, &map, &priv,
+					exit_boot_func);
 	if (status != EFI_SUCCESS)
 		return status;
 
-	prev_nr_desc = nr_desc;
-	nr_desc = map_sz / desc_size;
-	if (nr_desc > prev_nr_desc &&
-	    nr_desc > ARRAY_SIZE(boot_params->e820_map)) {
-		u32 nr_e820ext = nr_desc - ARRAY_SIZE(boot_params->e820_map);
-
-		status = alloc_e820ext(nr_e820ext, &e820ext, &e820ext_size);
-		if (status != EFI_SUCCESS)
-			goto free_mem_map;
-
-		efi_call_early(free_pool, mem_map);
-		goto get_map; /* Allocated memory, get map again */
-	}
-
-	signature = is64 ? EFI64_LOADER_SIGNATURE : EFI32_LOADER_SIGNATURE;
-	memcpy(&efi->efi_loader_signature, signature, sizeof(__u32));
-
-	efi->efi_systab = (unsigned long)sys_table;
-	efi->efi_memdesc_size = desc_size;
-	efi->efi_memdesc_version = desc_version;
-	efi->efi_memmap = (unsigned long)mem_map;
-	efi->efi_memmap_size = map_sz;
-
-#ifdef CONFIG_X86_64
-	efi->efi_systab_hi = (unsigned long)sys_table >> 32;
-	efi->efi_memmap_hi = (unsigned long)mem_map >> 32;
-#endif
-
-	/* Might as well exit boot services now */
-	status = efi_call_early(exit_boot_services, handle, key);
-	if (status != EFI_SUCCESS) {
-		/*
-		 * ExitBootServices() will fail if any of the event
-		 * handlers change the memory map. In which case, we
-		 * must be prepared to retry, but only once so that
-		 * we're guaranteed to exit on repeated failures instead
-		 * of spinning forever.
-		 */
-		if (called_exit)
-			goto free_mem_map;
-
-		called_exit = true;
-		efi_call_early(free_pool, mem_map);
-		goto get_map;
-	}
-
+	e820ext = priv.e820ext;
+	e820ext_size = priv.e820ext_size;
 	/* Historic? */
 	boot_params->alt_mem_k = 32 * 1024;
 
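Review bot: `static bool first = true;` in exit_boot_func() keeps call state in a function-local static, which hides the rule that alloc_e820ext() may only run before the first ExitBootServices() attempt and can never be reset. Move the flag into struct exit_boot_struct and initialise it in exit_boot() beside e820ext and e820ext_size. A comment on why nr_desc is derived from *map->buff_size rather than *map->map_size (presumably to size e820ext for the largest map the buffer can hold, so that no allocation is needed on retry) would also help.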
@@ -1093,10 +1095,6 @@ get_map:
 		return status;
 
 	return EFI_SUCCESS;
-
-free_mem_map:
-	efi_call_early(free_pool, mem_map);
-	return status;
 }
 
 /*


* [PATCH 4.7 140/184] powerpc/32: Fix csum_partial_copy_generic()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (133 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 139/184] x86/efi: Use efi_exit_boot_services() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 141/184] powerpc/32: Fix again csum_partial_copy_generic() Greg Kroah-Hartman
                     ` (42 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Michael Ellerman

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit 1bc8b816cb8058c31f61fe78442f10a43209e582 upstream.

Commit 7aef4136566b0 ("powerpc32: rewrite csum_partial_copy_generic()
based on copy_tofrom_user()") introduced a bug when destination
address is odd and initial csum is not null.

In that (rare) case the initial csum value has to be rotated one byte
as well as the resulting value is.

This patch also fixes related comments.

Fixes: 7aef4136566b0 ("powerpc32: rewrite csum_partial_copy_generic() based on copy_tofrom_user()")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/lib/checksum_32.S |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/powerpc/lib/checksum_32.S
+++ b/arch/powerpc/lib/checksum_32.S
@@ -127,8 +127,9 @@ _GLOBAL(csum_partial_copy_generic)
 	stw	r7,12(r1)
 	stw	r8,8(r1)
 
-	andi.	r0,r4,1			/* is destination address even ? */
-	cmplwi	cr7,r0,0
+	rlwinm	r0,r4,3,0x8
+	rlwnm	r6,r6,r0,0,31	/* odd destination address: rotate one byte */
+	cmplwi	cr7,r0,0	/* is destination address even ? */
 	addic	r12,r6,0
 	addi	r6,r4,-4
 	neg	r0,r4
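Review bot: the rotate of the initial csum in r6 is placed at the top of the function, ahead of the length and alignment branches, so it is applied on every path for an odd destination. The next patch in this series (141/184) reports that this is wrong when len is lower than the cacheline size and moves these three instructions below the `blt 63f` check, so 140 should not be picked without 141. A comment on `rlwinm r0,r4,3,0x8` saying that it turns the low address bit into a rotate count of 0 or 8 would also help.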
@@ -237,7 +238,7 @@ _GLOBAL(csum_partial_copy_generic)
 66:	addze	r3,r12
 	addi	r1,r1,16
 	beqlr+	cr7
-	rlwinm	r3,r3,8,0,31	/* swap bytes for odd destination */
+	rlwinm	r3,r3,8,0,31	/* odd destination address: rotate one byte */
 	blr
 
 /* read fault */


* [PATCH 4.7 141/184] powerpc/32: Fix again csum_partial_copy_generic()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (134 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 140/184] powerpc/32: Fix csum_partial_copy_generic() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 143/184] kconfig: tinyconfig: provide whole choice blocks to avoid warnings Greg Kroah-Hartman
                     ` (41 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alessio Igor Bogani,
	Christophe Leroy, Michael Ellerman

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <christophe.leroy@c-s.fr>

commit 8540571e01f973d321b0821f4f32ed6e9ae8263c upstream.

Commit 7aef4136566b0 ("powerpc32: rewrite csum_partial_copy_generic()
based on copy_tofrom_user()") introduced a bug when destination address
is odd and len is lower than cacheline size.

In that case the resulting csum value doesn't have to be rotated one
byte because the cache-aligned copy part is skipped so no alignment
is performed.

Fixes: 7aef4136566b0 ("powerpc32: rewrite csum_partial_copy_generic() based on copy_tofrom_user()")
Cc: stable@vger.kernel.org # v4.6+
Reported-by: Alessio Igor Bogani <alessio.bogani@elettra.eu>
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Tested-by: Alessio Igor Bogani <alessio.bogani@elettra.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/lib/checksum_32.S |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/powerpc/lib/checksum_32.S
+++ b/arch/powerpc/lib/checksum_32.S
@@ -127,18 +127,19 @@ _GLOBAL(csum_partial_copy_generic)
 	stw	r7,12(r1)
 	stw	r8,8(r1)
 
-	rlwinm	r0,r4,3,0x8
-	rlwnm	r6,r6,r0,0,31	/* odd destination address: rotate one byte */
-	cmplwi	cr7,r0,0	/* is destination address even ? */
 	addic	r12,r6,0
 	addi	r6,r4,-4
 	neg	r0,r4
 	addi	r4,r3,-4
 	andi.	r0,r0,CACHELINE_MASK	/* # bytes to start of cache line */
+	crset	4*cr7+eq
 	beq	58f
 
 	cmplw	0,r5,r0			/* is this more than total to do? */
 	blt	63f			/* if not much to do */
+	rlwinm	r7,r6,3,0x8
+	rlwnm	r12,r12,r7,0,31	/* odd destination address: rotate one byte */
+	cmplwi	cr7,r7,0	/* is destination address even ? */
 	andi.	r8,r0,3			/* get it word-aligned first */
 	mtctr	r8
 	beq+	61f
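Review bot: `crset 4*cr7+eq` has no comment, and it is the line the fix depends on: it presets cr7 to "equal" so that the `beqlr+ cr7` at exit skips the final rotate when `beq 58f` or `blt 63f` bypasses the alignment code. Please say so in a trailing comment. Note also that r6 holds the destination minus 4 by the time `rlwinm r7,r6,3,0x8` runs, whereas in the previous version r6 was the csum being rotated, so a comment naming what r6 and r12 hold here would prevent misreading.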


* [PATCH 4.7 143/184] kconfig: tinyconfig: provide whole choice blocks to avoid warnings
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (135 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 141/184] powerpc/32: Fix again csum_partial_copy_generic() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 144/184] drm: atmel-hlcdc: Fix vertical scaling Greg Kroah-Hartman
                     ` (40 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Josh Triplett,
	Masahiro Yamada, Ingo Molnar, Andrew Morton, Linus Torvalds

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 236dec051078a8691950f56949612b4b74107e48 upstream.

Using "make tinyconfig" produces a couple of annoying warnings that show
up for build test machines all the time:

    .config:966:warning: override: NOHIGHMEM changes choice state
    .config:965:warning: override: SLOB changes choice state
    .config:963:warning: override: KERNEL_XZ changes choice state
    .config:962:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state
    .config:933:warning: override: SLOB changes choice state
    .config:930:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state
    .config:870:warning: override: SLOB changes choice state
    .config:868:warning: override: KERNEL_XZ changes choice state
    .config:867:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state

I've made a previous attempt at fixing them and we discussed a number of
alternatives.

I tried changing the Makefile to use "merge_config.sh -n
$(fragment-list)" but couldn't get that to work properly.

This is yet another approach, based on the observation that we do want
to see a warning for conflicting 'choice' options, and that we can
simply make them non-conflicting by listing all other options as
disabled.  This is a trivial patch that we can apply independent of
plans for other changes.

Link: http://lkml.kernel.org/r/20160829214952.1334674-2-arnd@arndb.de
Link: https://storage.kernelci.org/mainline/v4.7-rc6/x86-tinyconfig/build.log
https://patchwork.kernel.org/patch/9212749/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/configs/tiny.config |    2 ++
 kernel/configs/tiny.config   |    8 ++++++++
 2 files changed, 10 insertions(+)

--- a/arch/x86/configs/tiny.config
+++ b/arch/x86/configs/tiny.config
@@ -1 +1,3 @@
 CONFIG_NOHIGHMEM=y
+# CONFIG_HIGHMEM4G is not set
+# CONFIG_HIGHMEM64G is not set
--- a/kernel/configs/tiny.config
+++ b/kernel/configs/tiny.config
@@ -1,4 +1,12 @@
+# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+# CONFIG_KERNEL_GZIP is not set
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
 CONFIG_KERNEL_XZ=y
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
 CONFIG_OPTIMIZE_INLINING=y
+# CONFIG_SLAB is not set
+# CONFIG_SLUB is not set
 CONFIG_SLOB=y
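Review bot: every other member of each choice is now listed by hand as `is not set`, so the override warning returns as soon as a choice gains a member that this fragment does not name, for example a new compression method. Add a comment at the top of the fragment saying that these lists must track the corresponding Kconfig choice blocks, so whoever adds an option knows to update it.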


* [PATCH 4.7 144/184] drm: atmel-hlcdc: Fix vertical scaling
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (136 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 143/184] kconfig: tinyconfig: provide whole choice blocks to avoid warnings Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 146/184] drm: Only use compat ioctl for addfb2 on X86/IA64 Greg Kroah-Hartman
                     ` (39 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Leupold, Boris Brezillon

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Leupold <leupold@rsi-elektrotechnik.de>

commit d31ed3f05763644840c654a384eaefa94c097ba2 upstream.

The code is applying the same scaling for the X and Y components,
thus making the scaling feature only functional when both components
have the same scaling factor.

Do the s/_w/_h/ replacement where appropriate to fix vertical scaling.

Signed-off-by: Jan Leupold <leupold@rsi-elektrotechnik.de>
Fixes: 1a396789f65a2 ("drm: add Atmel HLCDC Display Controller support")
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
@@ -320,19 +320,19 @@ atmel_hlcdc_plane_update_pos_and_size(st
 			u32 *coeff_tab = heo_upscaling_ycoef;
 			u32 max_memsize;
 
-			if (state->crtc_w < state->src_w)
+			if (state->crtc_h < state->src_h)
 				coeff_tab = heo_downscaling_ycoef;
 			for (i = 0; i < ARRAY_SIZE(heo_upscaling_ycoef); i++)
 				atmel_hlcdc_layer_update_cfg(&plane->layer,
 							     33 + i,
 							     0xffffffff,
 							     coeff_tab[i]);
-			factor = ((8 * 256 * state->src_w) - (256 * 4)) /
-				 state->crtc_w;
+			factor = ((8 * 256 * state->src_h) - (256 * 4)) /
+				 state->crtc_h;
 			factor++;
-			max_memsize = ((factor * state->crtc_w) + (256 * 4)) /
+			max_memsize = ((factor * state->crtc_h) + (256 * 4)) /
 				      2048;
-			if (max_memsize > state->src_w)
+			if (max_memsize > state->src_h)
 				factor--;
 			factor_reg |= (factor << 16) | 0x80000000;
 		}
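Review bot: the factor computation now divides by state->crtc_h, and nothing in this hunk shows crtc_h being checked for zero before the division. Please confirm the plane state is validated before this function runs. The loop bound is still ARRAY_SIZE(heo_upscaling_ycoef) even when coeff_tab points at heo_downscaling_ycoef, which holds only if both tables have the same length.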


* [PATCH 4.7 146/184] drm: Only use compat ioctl for addfb2 on X86/IA64
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (137 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 144/184] drm: atmel-hlcdc: Fix vertical scaling Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 147/184] svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation") Greg Kroah-Hartman
                     ` (38 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Clark, Kristian H. Kristensen,
	Sean Paul, Dave Airlie

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kristian H. Kristensen <hoegsberg@gmail.com>

commit 47a66e45d7a7613322549c2475ea9d809baaf514 upstream.

Similar to struct drm_update_draw, struct drm_mode_fb_cmd2 has an
unaligned 64 bit field (modifier). This gets packed differently between
32 bit and 64 bit modes on architectures that can handle unaligned 64
bit access (X86 and IA64).  Other architectures pack the structs the
same and don't need the compat wrapper. Use the same condition for
drm_mode_fb_cmd2 as we use for drm_update_draw.

Note that only the modifier will be packed differently between compat
and non-compat versions.

Reviewed-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Kristian H. Kristensen <hoegsberg@chromium.org>
[seanpaul added note at bottom of commit msg re: modifier]
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/1473801645-116011-1-git-send-email-hoegsberg@chromium.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_ioc32.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -1015,6 +1015,7 @@ static int compat_drm_wait_vblank(struct
 	return 0;
 }
 
+#if defined(CONFIG_X86) || defined(CONFIG_IA64)
 typedef struct drm_mode_fb_cmd232 {
 	u32 fb_id;
 	u32 width;
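Review bot: outside X86 and IA64 a 32-bit caller now reaches the native addfb2 handler with no translation, on the assumption that struct drm_mode_fb_cmd2 is laid out identically in both ABIs there. Nothing in the patch enforces that assumption at build time. A build-time check on the struct size or on the offset of the modifier field would catch an architecture where it does not hold.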
@@ -1071,6 +1072,7 @@ static int compat_drm_mode_addfb2(struct
 
 	return 0;
 }
+#endif
 
 static drm_ioctl_compat_t *drm_compat_ioctls[] = {
 	[DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version,
@@ -1104,7 +1106,9 @@ static drm_ioctl_compat_t *drm_compat_io
 	[DRM_IOCTL_NR(DRM_IOCTL_UPDATE_DRAW32)] = compat_drm_update_draw,
 #endif
 	[DRM_IOCTL_NR(DRM_IOCTL_WAIT_VBLANK32)] = compat_drm_wait_vblank,
+#if defined(CONFIG_X86) || defined(CONFIG_IA64)
 	[DRM_IOCTL_NR(DRM_IOCTL_MODE_ADDFB232)] = compat_drm_mode_addfb2,
+#endif
 };
 
 /**
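Review bot: the condition `defined(CONFIG_X86) || defined(CONFIG_IA64)` is now spelled out in three places for addfb2, and the bare `#endif` just above the WAIT_VBLANK32 entry shows the update_draw entry is guarded separately. The commit message says both are meant to use the same condition, so a single named macro, or at least comments on each `#endif`, would keep the guards from drifting apart.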


* [PATCH 4.7 147/184] svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation")
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (138 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 146/184] drm: Only use compat ioctl for addfb2 on X86/IA64 Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 148/184] mmc: sdhci-st: Handle interconnect clock Greg Kroah-Hartman
                     ` (37 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chuck Lever, J. Bruce Fields

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit bf2c4b6f9b74c2ee1dd3c050b181e9b9c86fbcdb upstream.

rsc_lookup steals the passed-in memory to avoid doing an allocation of
its own, so we can't just pass in a pointer to memory that someone else
is using.

If we really want to avoid allocation there then maybe we should
preallocate somewhere, or reference count these handles.

For now we should revert.

On occasion I see this on my server:

kernel: kernel BUG at /home/cel/src/linux/linux-2.6/mm/slub.c:3851!
kernel: invalid opcode: 0000 [#1] SMP
kernel: Modules linked in: cts rpcsec_gss_krb5 sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd btrfs xor iTCO_wdt iTCO_vendor_support raid6_pq pcspkr i2c_i801 i2c_smbus lpc_ich mfd_core mei_me sg mei shpchp wmi ioatdma ipmi_si ipmi_msghandler acpi_pad acpi_power_meter rpcrdma ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd nfs_acl lockd grace auth_rpcgss sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb mlx4_core ahci libahci libata ptp pps_core dca i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod
kernel: CPU: 7 PID: 145 Comm: kworker/7:2 Not tainted 4.8.0-rc4-00006-g9d06b0b #15
kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015
kernel: Workqueue: events do_cache_clean [sunrpc]
kernel: task: ffff8808541d8000 task.stack: ffff880854344000
kernel: RIP: 0010:[<ffffffff811e7075>]  [<ffffffff811e7075>] kfree+0x155/0x180
kernel: RSP: 0018:ffff880854347d70  EFLAGS: 00010246
kernel: RAX: ffffea0020fe7660 RBX: ffff88083f9db064 RCX: 146ff0f9d5ec5600
kernel: RDX: 000077ff80000000 RSI: ffff880853f01500 RDI: ffff88083f9db064
kernel: RBP: ffff880854347d88 R08: ffff8808594ee000 R09: ffff88087fdd8780
kernel: R10: 0000000000000000 R11: ffffea0020fe76c0 R12: ffff880853f01500
kernel: R13: ffffffffa013cf76 R14: ffffffffa013cff0 R15: ffffffffa04253a0
kernel: FS:  0000000000000000(0000) GS:ffff88087fdc0000(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 00007fed60b020c3 CR3: 0000000001c06000 CR4: 00000000001406e0
kernel: Stack:
kernel: ffff8808589f2f00 ffff880853f01500 0000000000000001 ffff880854347da0
kernel: ffffffffa013cf76 ffff8808589f2f00 ffff880854347db8 ffffffffa013d006
kernel: ffff8808589f2f20 ffff880854347e00 ffffffffa0406f60 0000000057c7044f
kernel: Call Trace:
kernel: [<ffffffffa013cf76>] rsc_free+0x16/0x90 [auth_rpcgss]
kernel: [<ffffffffa013d006>] rsc_put+0x16/0x30 [auth_rpcgss]
kernel: [<ffffffffa0406f60>] cache_clean+0x2e0/0x300 [sunrpc]
kernel: [<ffffffffa04073ee>] do_cache_clean+0xe/0x70 [sunrpc]
kernel: [<ffffffff8109a70f>] process_one_work+0x1ff/0x3b0
kernel: [<ffffffff8109b15c>] worker_thread+0x2bc/0x4a0
kernel: [<ffffffff8109aea0>] ? rescuer_thread+0x3a0/0x3a0
kernel: [<ffffffff810a0ba4>] kthread+0xe4/0xf0
kernel: [<ffffffff8169c47f>] ret_from_fork+0x1f/0x40
kernel: [<ffffffff810a0ac0>] ? kthread_stop+0x110/0x110
kernel: Code: f7 ff ff eb 3b 65 8b 05 da 30 e2 7e 89 c0 48 0f a3 05 a0 38 b8 00 0f 92 c0 84 c0 0f 85 d1 fe ff ff 0f 1f 44 00 00 e9 f5 fe ff ff <0f> 0b 49 8b 03 31 f6 f6 c4 40 0f 85 62 ff ff ff e9 61 ff ff ff
kernel: RIP  [<ffffffff811e7075>] kfree+0x155/0x180
kernel: RSP <ffff880854347d70>
kernel: ---[ end trace 3fdec044969def26 ]---

It seems to be most common after a server reboot where a client has been
using a Kerberos mount, and reconnects to continue its workload.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/auth_gss/svcauth_gss.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -569,9 +569,10 @@ gss_svc_searchbyctx(struct cache_detail
 	struct rsc *found;
 
 	memset(&rsci, 0, sizeof(rsci));
-	rsci.handle.data = handle->data;
-	rsci.handle.len = handle->len;
+	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
+		return NULL;
 	found = rsc_lookup(cd, &rsci);
+	rsc_free(&rsci);
 	if (!found)
 		return NULL;
 	if (cache_check(cd, &found->h, NULL))
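
Review bot: when `dup_to_netobj()` fails, `gss_svc_searchbyctx()` returns NULL, which is the same value it returns for `!found`, so the caller cannot tell an allocation failure from an unknown context handle. If that is intended, say so in a comment. Separately, the commit message says `rsc_lookup` steals the passed-in memory, so the unconditional `rsc_free(&rsci)` after the lookup is only safe if the lookup leaves `rsci.handle` empty when it takes ownership; a comment next to the `rsc_free()` call stating that assumption would make the ownership rule visible at the call site.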


* [PATCH 4.7 148/184] mmc: sdhci-st: Handle interconnect clock
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (139 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 147/184] svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation") Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 149/184] genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers Greg Kroah-Hartman
                     ` (36 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Griffin, Lee Jones, Ulf Hansson

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee.jones@linaro.org>

commit 3ae50f4512ce831e8b63eb54ad969417ff30ada7 upstream.

Some ST platforms contain interconnect (ICN) clocks which must be handled
correctly in order to obtain full functionality of a given IP.  In this
case, if the ICN clocks are not handled properly by the ST SDHCI driver
MMC will break and the following output can be observed:

    [   13.916949] mmc0: Timeout waiting for hardware interrupt.
    [   13.922349] sdhci: =========== REGISTER DUMP (mmc0)===========
    [   13.928175] sdhci: Sys addr: 0x00000000 | Version:  0x00001002
    [   13.933999] sdhci: Blk size: 0x00007040 | Blk cnt:  0x00000001
    [   13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013
    [   13.945650] sdhci: Present:  0x1fff0206 | Host ctl: 0x00000011
    [   13.951475] sdhci: Power:    0x0000000f | Blk gap:  0x00000080
    [   13.957300] sdhci: Wake-up:  0x00000000 | Clock:    0x00003f07
    [   13.963126] sdhci: Timeout:  0x00000004 | Int stat: 0x00000000
    [   13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b
    [   13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000
    [   13.980602] sdhci: Caps:     0x21ed3281 | Caps_1:   0x00000000
    [   13.986428] sdhci: Cmd:      0x0000063a | Max curr: 0x00000000
    [   13.992252] sdhci: Host ctl2: 0x00000000
    [   13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200
    [   14.001990] sdhci: ===========================================
    [   14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress.

A decent point was raised about minimising the use of a local variable that
we 'could' do without.  I've chosen consistency over the possibility of
reducing the local variable count by 1.  Thinking that it's more important
for the code to be grouped and authored in a similar manner/style for
greater maintainability/readability.

Tested-by: Peter Griffin <peter.griffin@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-st.c |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/sdhci-st.c
+++ b/drivers/mmc/host/sdhci-st.c
@@ -28,6 +28,7 @@
 
 struct st_mmc_platform_data {
 	struct  reset_control *rstc;
+	struct  clk *icnclk;
 	void __iomem *top_ioaddr;
 };
 
@@ -353,7 +354,7 @@ static int sdhci_st_probe(struct platfor
 	struct sdhci_host *host;
 	struct st_mmc_platform_data *pdata;
 	struct sdhci_pltfm_host *pltfm_host;
-	struct clk *clk;
+	struct clk *clk, *icnclk;
 	int ret = 0;
 	u16 host_version;
 	struct resource *res;
@@ -365,6 +366,11 @@ static int sdhci_st_probe(struct platfor
 		return PTR_ERR(clk);
 	}
 
+	/* ICN clock isn't compulsory, but use it if it's provided. */
+	icnclk = devm_clk_get(&pdev->dev, "icn");
+	if (IS_ERR(icnclk))
+		icnclk = NULL;
+
 	rstc = devm_reset_control_get(&pdev->dev, NULL);
 	if (IS_ERR(rstc))
 		rstc = NULL;
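
Review bot: `if (IS_ERR(icnclk)) icnclk = NULL;` discards every error from `devm_clk_get(&pdev->dev, "icn")`, including `-EPROBE_DEFER`. On a platform that does describe the ICN clock but whose clock provider has not probed yet, the driver would continue without it and hit the timeout shown in the commit message. Suggest returning `-EPROBE_DEFER` when `PTR_ERR(icnclk)` is that value and treating only the remaining errors as "clock not provided".
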
@@ -389,6 +395,7 @@ static int sdhci_st_probe(struct platfor
 	}
 
 	clk_prepare_enable(clk);
+	clk_prepare_enable(icnclk);
 
 	/* Configure the FlashSS Top registers for setting eMMC TX/RX delay */
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
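
Review bot: the return value of `clk_prepare_enable(icnclk)` is ignored, as it already is for `clk` on the line above. Since the commit message says MMC breaks when the ICN clock is not handled, a failure to enable it should be checked and should unwind through `err_out` rather than letting probe continue.
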
@@ -400,6 +407,7 @@ static int sdhci_st_probe(struct platfor
 	}
 
 	pltfm_host->clk = clk;
+	pdata->icnclk = icnclk;
 
 	/* Configure the Arasan HC inside the flashSS */
 	st_mmcss_cconfig(np, host);
@@ -422,6 +430,7 @@ static int sdhci_st_probe(struct platfor
 	return 0;
 
 err_out:
+	clk_disable_unprepare(icnclk);
 	clk_disable_unprepare(clk);
 err_of:
 	sdhci_pltfm_free(pdev);
@@ -442,6 +451,8 @@ static int sdhci_st_remove(struct platfo
 
 	ret = sdhci_pltfm_unregister(pdev);
 
+	clk_disable_unprepare(pdata->icnclk);
+
 	if (rstc)
 		reset_control_assert(rstc);
 
@@ -462,6 +473,7 @@ static int sdhci_st_suspend(struct devic
 	if (pdata->rstc)
 		reset_control_assert(pdata->rstc);
 
+	clk_disable_unprepare(pdata->icnclk);
 	clk_disable_unprepare(pltfm_host->clk);
 out:
 	return ret;
@@ -475,6 +487,7 @@ static int sdhci_st_resume(struct device
 	struct device_node *np = dev->of_node;
 
 	clk_prepare_enable(pltfm_host->clk);
+	clk_prepare_enable(pdata->icnclk);
 
 	if (pdata->rstc)
 		reset_control_deassert(pdata->rstc);


* [PATCH 4.7 149/184] genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (140 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 148/184] mmc: sdhci-st: Handle interconnect clock Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 150/184] irqchip/atmel-aic: Fix potential deadlock in ->xlate() Greg Kroah-Hartman
                     ` (35 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Boris Brezillon, Jason Cooper,
	Marc Zyngier, Nicolas Ferre, Alexandre Belloni, Thomas Gleixner

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Brezillon <boris.brezillon@free-electrons.com>

commit ebf9ff753c041b296241990aef76163bbb2cc9c8 upstream.

Some irqchip drivers need to take the generic chip lock outside of the
irq context.

Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow
one to disable irqs while entering a critical section protected by
gc->lock.

Note that we do not provide an optimized version of these helpers for !SMP,
because they are not called from the hot-path.

[ tglx: Added a comment when these helpers should be [not] used ]

Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/irq.h |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/include/linux/irq.h
+++ b/include/linux/irq.h
@@ -933,6 +933,16 @@ static inline void irq_gc_lock(struct ir
 static inline void irq_gc_unlock(struct irq_chip_generic *gc) { }
 #endif
 
+/*
+ * The irqsave variants are for usage in non interrupt code. Do not use
+ * them in irq_chip callbacks. Use irq_gc_lock() instead.
+ */
+#define irq_gc_lock_irqsave(gc, flags)	\
+	raw_spin_lock_irqsave(&(gc)->lock, flags)
+
+#define irq_gc_unlock_irqrestore(gc, flags)	\
+	raw_spin_unlock_irqrestore(&(gc)->lock, flags)
+
 static inline void irq_reg_writel(struct irq_chip_generic *gc,
 				  u32 val, int reg_offset)
 {


* [PATCH 4.7 150/184] irqchip/atmel-aic: Fix potential deadlock in ->xlate()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (141 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 149/184] genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 151/184] fix iov_iter_fault_in_readable() Greg Kroah-Hartman
                     ` (34 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Boris Brezillon, Marc Zyngier,
	Jason Cooper, Nicolas Ferre, Alexandre Belloni, Thomas Gleixner

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Brezillon <boris.brezillon@free-electrons.com>

commit 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 upstream.

aic5_irq_domain_xlate() and aic_irq_domain_xlate() take the generic chip
lock without disabling interrupts, which can lead to a deadlock if an
interrupt occurs while the lock is held in one of these functions.

Replace irq_gc_{lock,unlock}() calls by
irq_gc_{lock_irqsave,unlock_irqrestore}() ones to prevent this bug from
happening.

Fixes: b1479ebb7720 ("irqchip: atmel-aic: Add atmel AIC/AIC5 drivers")
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Link: http://lkml.kernel.org/r/1473775109-4192-2-git-send-email-boris.brezillon@free-electrons.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/irqchip/irq-atmel-aic.c  |    5 +++--
 drivers/irqchip/irq-atmel-aic5.c |    5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/irqchip/irq-atmel-aic.c
+++ b/drivers/irqchip/irq-atmel-aic.c
@@ -176,6 +176,7 @@ static int aic_irq_domain_xlate(struct i
 {
 	struct irq_domain_chip_generic *dgc = d->gc;
 	struct irq_chip_generic *gc;
+	unsigned long flags;
 	unsigned smr;
 	int idx;
 	int ret;
@@ -194,11 +195,11 @@ static int aic_irq_domain_xlate(struct i
 
 	gc = dgc->gc[idx];
 
-	irq_gc_lock(gc);
+	irq_gc_lock_irqsave(gc, flags);
 	smr = irq_reg_readl(gc, AT91_AIC_SMR(*out_hwirq));
 	aic_common_set_priority(intspec[2], &smr);
 	irq_reg_writel(gc, smr, AT91_AIC_SMR(*out_hwirq));
-	irq_gc_unlock(gc);
+	irq_gc_unlock_irqrestore(gc, flags);
 
 	return ret;
 }
--- a/drivers/irqchip/irq-atmel-aic5.c
+++ b/drivers/irqchip/irq-atmel-aic5.c
@@ -258,6 +258,7 @@ static int aic5_irq_domain_xlate(struct
 				 unsigned int *out_type)
 {
 	struct irq_chip_generic *bgc = irq_get_domain_generic_chip(d, 0);
+	unsigned long flags;
 	unsigned smr;
 	int ret;
 
@@ -269,12 +270,12 @@ static int aic5_irq_domain_xlate(struct
 	if (ret)
 		return ret;
 
-	irq_gc_lock(bgc);
+	irq_gc_lock_irqsave(bgc, flags);
 	irq_reg_writel(bgc, *out_hwirq, AT91_AIC5_SSR);
 	smr = irq_reg_readl(bgc, AT91_AIC5_SMR);
 	aic_common_set_priority(intspec[2], &smr);
 	irq_reg_writel(bgc, smr, AT91_AIC5_SMR);
-	irq_gc_unlock(bgc);
+	irq_gc_unlock_irqrestore(bgc, flags);
 
 	return ret;
 }


* [PATCH 4.7 151/184] fix iov_iter_fault_in_readable()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (142 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 150/184] irqchip/atmel-aic: Fix potential deadlock in ->xlate() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 152/184] microblaze: fix __get_user() Greg Kroah-Hartman
                     ` (33 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Linus Torvalds

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit d4690f1e1cdabb4d61207b6787b1605a0dc0aeab upstream.

... by turning it into what used to be multipages counterpart

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/uio.h |    2 +-
 lib/iov_iter.c      |   24 ++----------------------
 2 files changed, 3 insertions(+), 23 deletions(-)

--- a/include/linux/uio.h
+++ b/include/linux/uio.h
@@ -76,7 +76,7 @@ size_t iov_iter_copy_from_user_atomic(st
 		struct iov_iter *i, unsigned long offset, size_t bytes);
 void iov_iter_advance(struct iov_iter *i, size_t bytes);
 int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes);
-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes);
+#define iov_iter_fault_in_multipages_readable iov_iter_fault_in_readable
 size_t iov_iter_single_seg_count(const struct iov_iter *i);
 size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
 			 struct iov_iter *i);
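
Review bot: `#define iov_iter_fault_in_multipages_readable iov_iter_fault_in_readable` keeps two names alive for one function with nothing marking the alias as transitional. Either convert the remaining callers and drop the old name in this series, or add a comment above the `#define` saying it is a compatibility alias scheduled for removal, so new code does not pick up the longer name.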
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -302,33 +302,13 @@ done:
 }
 
 /*
- * Fault in the first iovec of the given iov_iter, to a maximum length
- * of bytes. Returns 0 on success, or non-zero if the memory could not be
- * accessed (ie. because it is an invalid address).
- *
- * writev-intensive code may want this to prefault several iovecs -- that
- * would be possible (callers must not rely on the fact that _only_ the
- * first iovec will be faulted with the current implementation).
- */
-int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
-{
-	if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
-		char __user *buf = i->iov->iov_base + i->iov_offset;
-		bytes = min(bytes, i->iov->iov_len - i->iov_offset);
-		return fault_in_pages_readable(buf, bytes);
-	}
-	return 0;
-}
-EXPORT_SYMBOL(iov_iter_fault_in_readable);
-
-/*
  * Fault in one or more iovecs of the given iov_iter, to a maximum length of
  * bytes.  For each iovec, fault in each page that constitutes the iovec.
  *
  * Return 0 on success, or non-zero if the memory could not be accessed (i.e.
  * because it is an invalid address).
  */
-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes)
+int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
 {
 	size_t skip = i->iov_offset;
 	const struct iovec *iov;
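
Review bot: the deleted comment told callers of `iov_iter_fault_in_readable()` that only the first iovec was faulted in; after this hunk every existing caller gets the multi-iovec, per-page behaviour instead, and the one-line commit message does not say which caller was broken by the old semantics. The surviving comment block describes the new behaviour correctly, but the changelog should name the failure being fixed so the stable backport can be judged on it.
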
@@ -345,7 +325,7 @@ int iov_iter_fault_in_multipages_readabl
 	}
 	return 0;
 }
-EXPORT_SYMBOL(iov_iter_fault_in_multipages_readable);
+EXPORT_SYMBOL(iov_iter_fault_in_readable);
 
 void iov_iter_init(struct iov_iter *i, int direction,
 			const struct iovec *iov, unsigned long nr_segs,


* [PATCH 4.7 152/184] microblaze: fix __get_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (143 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 151/184] fix iov_iter_fault_in_readable() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 153/184] avr32: fix copy_from_user() Greg Kroah-Hartman
                     ` (32 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/microblaze/include/asm/uaccess.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -227,7 +227,7 @@ extern long __user_bad(void);
 
 #define __get_user(x, ptr)						\
 ({									\
-	unsigned long __gu_val;						\
+	unsigned long __gu_val = 0;					\
 	/*unsigned long __gu_ptr = (unsigned long)(ptr);*/		\
 	long __gu_err;							\
 	switch (sizeof(*(ptr))) {					\
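
Review bot: the `= 0` initialiser on `__gu_val` is the entire fix, yet neither the macro nor the commit message says what it is for. A short comment on that line (the value handed back through `x` must be zero when the access faults, not leftover stack contents) would stop a later cleanup from dropping it as a redundant initialisation.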


* [PATCH 4.7 153/184] avr32: fix copy_from_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (144 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 152/184] microblaze: fix __get_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 154/184] microblaze: " Greg Kroah-Hartman
                     ` (31 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream.

really ugly, but apparently avr32 compilers turn access_ok() into
something so bad that they want it in assembler.  Left that way,
zeroing added in inline wrapper.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/avr32/include/asm/uaccess.h |   11 ++++++++++-
 arch/avr32/kernel/avr32_ksyms.c  |    2 +-
 arch/avr32/lib/copy_user.S       |    4 ++--
 3 files changed, 13 insertions(+), 4 deletions(-)

--- a/arch/avr32/include/asm/uaccess.h
+++ b/arch/avr32/include/asm/uaccess.h
@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void
 
 extern __kernel_size_t copy_to_user(void __user *to, const void *from,
 				    __kernel_size_t n);
-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
+extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
 				      __kernel_size_t n);
 
 static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_fro
 {
 	return __copy_user(to, (const void __force *)from, n);
 }
+static inline __kernel_size_t copy_from_user(void *to,
+					       const void __user *from,
+					       __kernel_size_t n)
+{
+	size_t res = ___copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
+}
 
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
--- a/arch/avr32/kernel/avr32_ksyms.c
+++ b/arch/avr32/kernel/avr32_ksyms.c
@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
 /*
  * Userspace access stuff.
  */
-EXPORT_SYMBOL(copy_from_user);
+EXPORT_SYMBOL(___copy_from_user);
 EXPORT_SYMBOL(copy_to_user);
 EXPORT_SYMBOL(__copy_user);
 EXPORT_SYMBOL(strncpy_from_user);
--- a/arch/avr32/lib/copy_user.S
+++ b/arch/avr32/lib/copy_user.S
@@ -25,11 +25,11 @@
 	.align	1
 	.global	copy_from_user
 	.type	copy_from_user, @function
-copy_from_user:
+___copy_from_user:
 	branch_if_kernel r8, __copy_user
 	ret_if_privileged r8, r11, r10, r10
 	rjmp	__copy_user
-	.size	copy_from_user, . - copy_from_user
+	.size	___copy_from_user, . - ___copy_from_user
 
 	.global	copy_to_user
 	.type	copy_to_user, @function
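
Review bot: in `copy_user.S` the label and the `.size` directive are renamed to `___copy_from_user`, but the unchanged context lines above them still read `.global copy_from_user` and `.type copy_from_user, @function`. As posted, `___copy_from_user` is never declared global, so the `extern` declaration in `uaccess.h` and `EXPORT_SYMBOL(___copy_from_user)` in `avr32_ksyms.c` have nothing to resolve against. Both directives need the same rename.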


* [PATCH 4.7 154/184] microblaze: fix copy_from_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (145 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 153/184] avr32: fix copy_from_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 155/184] fix minor infoleak in get_user_ex() Greg Kroah-Hartman
                     ` (30 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/microblaze/include/asm/uaccess.h |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -373,10 +373,13 @@ extern long __user_bad(void);
 static inline long copy_from_user(void *to,
 		const void __user *from, unsigned long n)
 {
+	unsigned long res = n;
 	might_fault();
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_from_user(to, from, n);
-	return n;
+	if (likely(access_ok(VERIFY_READ, from, n)))
+		res = __copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 #define __copy_to_user(to, from, n)	\


* [PATCH 4.7 155/184] fix minor infoleak in get_user_ex()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (146 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 154/184] microblaze: " Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 156/184] mn10300: failing __get_user() and get_user() should zero Greg Kroah-Hartman
                     ` (29 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Linus Torvalds

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream.

get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
(at most we are leaking uninitialized 64bit value off the kernel stack,
and in a fairly constrained situation, at that), but the fix is trivial,
so...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[ This sat in different branch from the uaccess fixes since mid-August ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/uaccess.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -414,7 +414,11 @@ do {									\
 #define __get_user_asm_ex(x, addr, itype, rtype, ltype)			\
 	asm volatile("1:	mov"itype" %1,%"rtype"0\n"		\
 		     "2:\n"						\
-		     _ASM_EXTABLE_EX(1b, 2b)				\
+		     ".section .fixup,\"ax\"\n"				\
+                     "3:xor"itype" %"rtype"0,%"rtype"0\n"		\
+		     "  jmp 2b\n"					\
+		     ".previous\n"					\
+		     _ASM_EXTABLE_EX(1b, 3b)				\
 		     : ltype(x) : "m" (__m(addr)))
 
 #define __put_user_nocheck(x, ptr, size)			\
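
Review bot: the added `"3:xor"itype" %"rtype"0,%"rtype"0\n"` line is indented with spaces while every other line of `__get_user_asm_ex` uses tabs; please convert it so the continuation backslashes stay aligned. A brief comment on the new `.fixup` block saying that label 3 zeroes the destination before jumping back to 2 would also help, since the reason (no uninitialized stack value left in `x` on a fault) is currently only in the commit message.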


* [PATCH 4.7 156/184] mn10300: failing __get_user() and get_user() should zero
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (147 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 155/184] fix minor infoleak in get_user_ex() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 157/184] m32r: fix __get_user() Greg Kroah-Hartman
                     ` (28 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 43403eabf558d2800b429cd886e996fd555aa542 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mn10300/include/asm/uaccess.h |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/mn10300/include/asm/uaccess.h
+++ b/arch/mn10300/include/asm/uaccess.h
@@ -166,6 +166,7 @@ struct __large_struct { unsigned long bu
 		"2:\n"						\
 		"	.section	.fixup,\"ax\"\n"	\
 		"3:\n\t"					\
+		"	mov		0,%1\n"			\
 		"	mov		%3,%0\n"		\
 		"	jmp		2b\n"			\
 		"	.previous\n"				\


* [PATCH 4.7 157/184] m32r: fix __get_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (148 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 156/184] mn10300: failing __get_user() and get_user() should zero Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 158/184] sh64: failing __get_user() should zero Greg Kroah-Hartman
                     ` (27 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/m32r/include/asm/uaccess.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/m32r/include/asm/uaccess.h
+++ b/arch/m32r/include/asm/uaccess.h
@@ -219,7 +219,7 @@ extern int fixup_exception(struct pt_reg
 #define __get_user_nocheck(x, ptr, size)				\
 ({									\
 	long __gu_err = 0;						\
-	unsigned long __gu_val;						\
+	unsigned long __gu_val = 0;					\
 	might_fault();							\
 	__get_user_size(__gu_val, (ptr), (size), __gu_err);		\
 	(x) = (__force __typeof__(*(ptr)))__gu_val;			\


* [PATCH 4.7 158/184] sh64: failing __get_user() should zero
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (149 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 157/184] m32r: fix __get_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 159/184] nios2: fix __get_user() Greg Kroah-Hartman
                     ` (26 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream.

It could be done in exception-handling bits in __get_user_b() et.al.,
but the surgery involved would take more knowledge of sh64 details
than I have or _want_ to have.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/sh/include/asm/uaccess_64.h |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/sh/include/asm/uaccess_64.h
+++ b/arch/sh/include/asm/uaccess_64.h
@@ -24,6 +24,7 @@
 #define __get_user_size(x,ptr,size,retval)			\
 do {								\
 	retval = 0;						\
+	x = 0;							\
 	switch (size) {						\
 	case 1:							\
 		retval = __get_user_asm_b((void *)&x,		\
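
Review bot: the added `x = 0;` in `__get_user_size()` expands the macro argument without parentheses; `(x) = 0;` would be the safer spelling, even though the neighbouring `(void *)&x` has the same habit. A short comment that the store exists for the fault path would also explain why the success path now pays an extra write, since the changelog says the exception-handling bits were deliberately left alone.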

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 159/184] nios2: fix __get_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (150 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 158/184] sh64: failing __get_user() should zero Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 160/184] score: fix __get_user/get_user Greg Kroah-Hartman
                     ` (25 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 2e29f50ad5e23db37dde9be71410d95d50241ecd upstream.

a) should not leave crap on fault
b) should _not_ require access_ok() in any cases.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/nios2/include/asm/uaccess.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/nios2/include/asm/uaccess.h
+++ b/arch/nios2/include/asm/uaccess.h
@@ -139,7 +139,7 @@ extern long strnlen_user(const char __us
 
 #define __get_user_unknown(val, size, ptr, err) do {			\
 	err = 0;							\
-	if (copy_from_user(&(val), ptr, size)) {			\
+	if (__copy_from_user(&(val), ptr, size)) {			\
 		err = -EFAULT;						\
 	}								\
 	} while (0)
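
Review bot: with `__copy_from_user()` in `__get_user_unknown()` there is no range check left in this macro, so every checked caller has to do `access_ok()` before reaching it; the hunk does not show those callers, and the changelog should name where the check now lives. The `-EFAULT` branch also does not clear `val` itself, so a zero result depends on `__copy_from_user()` zeroing or on the caller pre-zeroing its temporary.
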
@@ -166,7 +166,7 @@ do {									\
 	({								\
 	long __gu_err = -EFAULT;					\
 	const __typeof__(*(ptr)) __user *__gu_ptr = (ptr);		\
-	unsigned long __gu_val;						\
+	unsigned long __gu_val = 0;					\
 	__get_user_common(__gu_val, sizeof(*(ptr)), __gu_ptr, __gu_err);\
 	(x) = (__force __typeof__(x))__gu_val;				\
 	__gu_err;							\
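
Review bot: `__gu_val` is an `unsigned long`, but the size handed to `__get_user_common()` is `sizeof(*(ptr))`, so for an 8-byte `*ptr` on a build where `unsigned long` is 4 bytes the temporary is narrower than the access. Since this line is being touched anyway, either size the temporary from the pointee type or reject that size explicitly. The result cast also uses `__typeof__(x)` where the other architectures in this series use `__typeof__(*(ptr))`.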

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 160/184] score: fix __get_user/get_user
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (151 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 159/184] nios2: fix __get_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 161/184] s390: get_user() should zero on failure Greg Kroah-Hartman
                     ` (24 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream.

* should zero on any failure
* __get_user() should use __copy_from_user(), not copy_from_user()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/score/include/asm/uaccess.h |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -163,7 +163,7 @@ do {									\
 		__get_user_asm(val, "lw", ptr);				\
 		 break;							\
 	case 8: 							\
-		if ((copy_from_user((void *)&val, ptr, 8)) == 0)	\
+		if (__copy_from_user((void *)&val, ptr, 8) == 0)	\
 			__gu_err = 0;					\
 		else							\
 			__gu_err = -EFAULT;				\
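
Review bot: in `case 8` the failure branch only sets `__gu_err = -EFAULT` and never writes `val`, so the "should zero on any failure" line in the changelog holds for this size only if `__copy_from_user()` zeroes the destination. In this series that behaviour arrives with 167/184 (score: fix copy_from_user() and friends); either note the dependency or add `val = 0` to the `else` branch.
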
@@ -188,6 +188,8 @@ do {									\
 									\
 	if (likely(access_ok(VERIFY_READ, __gu_ptr, size)))		\
 		__get_user_common((x), size, __gu_ptr);			\
+	else								\
+		(x) = 0;						\
 									\
 	__gu_err;							\
 })
@@ -201,6 +203,7 @@ do {									\
 		"2:\n"							\
 		".section .fixup,\"ax\"\n"				\
 		"3:li	%0, %4\n"					\
+		"li	%1, 0\n"					\
 		"j	2b\n"						\
 		".previous\n"						\
 		".section __ex_table,\"a\"\n"				\

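Review bot: the new `li %1, 0` in the `.fixup` block has no comment, and the operand list is outside the hunk, so a reader cannot tell from here that `%1` is the loaded value. A trailing comment on that line, and a check that `%1` is declared as an output operand so the compiler does not assume it survives the fixup, would make this reviewable on its own.
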
^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 161/184] s390: get_user() should zero on failure
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (152 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 160/184] score: fix __get_user/get_user Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 162/184] ARC: uaccess: get_user to zero out dest in cause of fault Greg Kroah-Hartman
                     ` (23 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/include/asm/uaccess.h |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -209,28 +209,28 @@ int __put_user_bad(void) __attribute__((
 	__chk_user_ptr(ptr);					\
 	switch (sizeof(*(ptr))) {				\
 	case 1: {						\
-		unsigned char __x;				\
+		unsigned char __x = 0;				\
 		__gu_err = __get_user_fn(&__x, ptr,		\
 					 sizeof(*(ptr)));	\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
 		break;						\
 	};							\
 	case 2: {						\
-		unsigned short __x;				\
+		unsigned short __x = 0;				\
 		__gu_err = __get_user_fn(&__x, ptr,		\
 					 sizeof(*(ptr)));	\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
 		break;						\
 	};							\
 	case 4: {						\
-		unsigned int __x;				\
+		unsigned int __x = 0;				\
 		__gu_err = __get_user_fn(&__x, ptr,		\
 					 sizeof(*(ptr)));	\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
 		break;						\
 	};							\
 	case 8: {						\
-		unsigned long long __x;				\
+		unsigned long long __x = 0;			\
 		__gu_err = __get_user_fn(&__x, ptr,		\
 					 sizeof(*(ptr)));	\
 		(x) = *(__force __typeof__(*(ptr)) *) &__x;	\
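
Review bot: the commit has no changelog body, and the four `__x = 0` initialisers in `case 1` through `case 8` give a zero result only if `__get_user_fn()` writes nothing to `__x` when it fails, which is not visible in this hunk. Please state that assumption in the message so the stable backport can be checked against the s390 `__get_user_fn()` in each tree.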

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 162/184] ARC: uaccess: get_user to zero out dest in cause of fault
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (153 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 161/184] s390: get_user() should zero on failure Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 163/184] asm-generic: make get_user() clear the destination on errors Greg Kroah-Hartman
                     ` (22 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Al Viro, Linus Torvalds,
	linux-snps-arc, Vineet Gupta, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <Vineet.Gupta1@synopsys.com>

commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream.

Al reported a potential issue with ARC get_user() as it wasn't clearing
out the destination pointer in case of a fault due to a bad address etc.

Verified using the following:

| {
|  	u32 bogus1 = 0xdeadbeef;
|	u64 bogus2 = 0xdead;
|	int rc1, rc2;
|
|  	pr_info("Orig values %x %llx\n", bogus1, bogus2);
|	rc1 = get_user(bogus1, (u32 __user *)0x40000000);
|	rc2 = get_user(bogus2, (u64 __user *)0x50000000);
|	pr_info("access %d %d, new values %x %llx\n",
|		rc1, rc2, bogus1, bogus2);
| }

| [ARCLinux]# insmod /mnt/kernel-module/qtn.ko
| Orig values deadbeef dead
| access -14 -14, new values 0 0

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-snps-arc@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arc/include/asm/uaccess.h |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/arch/arc/include/asm/uaccess.h
+++ b/arch/arc/include/asm/uaccess.h
@@ -83,7 +83,10 @@
 	"2:	;nop\n"				\
 	"	.section .fixup, \"ax\"\n"	\
 	"	.align 4\n"			\
-	"3:	mov %0, %3\n"			\
+	"3:	# return -EFAULT\n"		\
+	"	mov %0, %3\n"			\
+	"	# zero out dst ptr\n"		\
+	"	mov %1,  0\n"			\
 	"	j   2b\n"			\
 	"	.previous\n"			\
 	"	.section __ex_table, \"a\"\n"	\
@@ -101,7 +104,11 @@
 	"2:	;nop\n"				\
 	"	.section .fixup, \"ax\"\n"	\
 	"	.align 4\n"			\
-	"3:	mov %0, %3\n"			\
+	"3:	# return -EFAULT\n"		\
+	"	mov %0, %3\n"			\
+	"	# zero out dst ptr\n"		\
+	"	mov %1,  0\n"			\
+	"	mov %R1, 0\n"			\
 	"	j   2b\n"			\
 	"	.previous\n"			\
 	"	.section __ex_table, \"a\"\n"	\

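Review bot: the comments added inside both fixup strings use `#`, while the existing `2:	;nop` line in the same string uses `;`, and `mov %1,  0` has a doubled space; matching the existing style would be tidier. On coverage, the test in the changelog exercises only `u32` and `u64` reads from faulting addresses, so sizes other than 4 and 8 bytes are not shown to come back as 0.
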
^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 163/184] asm-generic: make get_user() clear the destination on errors
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (154 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 162/184] ARC: uaccess: get_user to zero out dest in cause of fault Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 164/184] frv: fix clear_user() Greg Kroah-Hartman
                     ` (21 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream.

both for access_ok() failures and for faults halfway through

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/asm-generic/uaccess.h |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -230,14 +230,18 @@ extern int __put_user_bad(void) __attrib
 	might_fault();						\
 	access_ok(VERIFY_READ, __p, sizeof(*ptr)) ?		\
 		__get_user((x), (__typeof__(*(ptr)) *)__p) :	\
-		-EFAULT;					\
+		((x) = (__typeof__(*(ptr)))0,-EFAULT);		\
 })
 
 #ifndef __get_user_fn
 static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
 {
-	size = __copy_from_user(x, ptr, size);
-	return size ? -EFAULT : size;
+	size_t n = __copy_from_user(x, ptr, size);
+	if (unlikely(n)) {
+		memset(x + (size - n), 0, n);
+		return -EFAULT;
+	}
+	return 0;
 }
 
 #define __get_user_fn(sz, u, k)	__get_user_fn(sz, u, k)
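
Review bot: `__get_user_fn()` now calls `memset()`, but the diff adds no include for it (the diffstat lists only this hunk), so the header relies on an earlier include having declared it; the mips patch in this series adds `<linux/string.h>` for the same call. In the macro, `((x) = (__typeof__(*(ptr)))0,-EFAULT)` wants a space after the comma.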

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 164/184] frv: fix clear_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (155 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 163/184] asm-generic: make get_user() clear the destination on errors Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 165/184] cris: buggered copy_from_user/copy_to_user/clear_user Greg Kroah-Hartman
                     ` (20 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream.

It should check access_ok().  Otherwise a bunch of places turn into
trivially exploitable rootholes.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/frv/include/asm/uaccess.h |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/frv/include/asm/uaccess.h
+++ b/arch/frv/include/asm/uaccess.h
@@ -263,19 +263,25 @@ do {							\
 extern long __memset_user(void *dst, unsigned long count);
 extern long __memcpy_user(void *dst, const void *src, unsigned long count);
 
-#define clear_user(dst,count)			__memset_user(____force(dst), (count))
+#define __clear_user(dst,count)			__memset_user(____force(dst), (count))
 #define __copy_from_user_inatomic(to, from, n)	__memcpy_user((to), ____force(from), (n))
 #define __copy_to_user_inatomic(to, from, n)	__memcpy_user(____force(to), (from), (n))
 
 #else
 
-#define clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
+#define __clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
 #define __copy_from_user_inatomic(to, from, n)	(memcpy((to), ____force(from), (n)), 0)
 #define __copy_to_user_inatomic(to, from, n)	(memcpy(____force(to), (from), (n)), 0)
 
 #endif
 
-#define __clear_user clear_user
+static inline unsigned long __must_check
+clear_user(void __user *to, unsigned long n)
+{
+	if (likely(__access_ok(to, n)))
+		n = __clear_user(to, n);
+	return n;
+}
 
 static inline unsigned long __must_check
 __copy_to_user(void __user *to, const void *from, unsigned long n)
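
Review bot: the new `clear_user()` checks `__access_ok(to, n)` but has no `might_fault()`, which the asm-generic `copy_from_user()` touched later in this series calls before its own check. Adding it here would keep the sleeping-in-atomic debug coverage for `clear_user()` callers. A comment that the function is placed after the `#endif` on purpose, so that both definitions of `__clear_user()` get the check, would also help.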

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 165/184] cris: buggered copy_from_user/copy_to_user/clear_user
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (156 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 164/184] frv: fix clear_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 166/184] blackfin: fix copy_from_user() Greg Kroah-Hartman
                     ` (19 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jesper Nilsson, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream.

* copy_from_user() on access_ok() failure ought to zero the destination
* none of those primitives should skip the access_ok() check in case of
small constant size.

Acked-by: Jesper Nilsson <jesper.nilsson@axis.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/cris/include/asm/uaccess.h |   75 ++++++++++++++++++----------------------
 1 file changed, 34 insertions(+), 41 deletions(-)

--- a/arch/cris/include/asm/uaccess.h
+++ b/arch/cris/include/asm/uaccess.h
@@ -194,30 +194,6 @@ extern unsigned long __copy_user(void __
 extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
 extern unsigned long __do_clear_user(void __user *to, unsigned long n);
 
-static inline unsigned long
-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
-{
-	if (access_ok(VERIFY_WRITE, to, n))
-		return __copy_user(to, from, n);
-	return n;
-}
-
-static inline unsigned long
-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
-{
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_user_zeroing(to, from, n);
-	return n;
-}
-
-static inline unsigned long
-__generic_clear_user(void __user *to, unsigned long n)
-{
-	if (access_ok(VERIFY_WRITE, to, n))
-		return __do_clear_user(to, n);
-	return n;
-}
-
 static inline long
 __strncpy_from_user(char *dst, const char __user *src, long count)
 {
@@ -282,7 +258,7 @@ __constant_copy_from_user(void *to, cons
 	else if (n == 24)
 		__asm_copy_from_user_24(to, from, ret);
 	else
-		ret = __generic_copy_from_user(to, from, n);
+		ret = __copy_user_zeroing(to, from, n);
 
 	return ret;
 }
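
Review bot: the `else` fallback in `__constant_copy_from_user()` now calls `__copy_user_zeroing()` with no range check, and the same substitution is made in `__constant_copy_to_user()` and `__constant_clear_user()` below. That is safe only if nothing calls the `__constant_*` helpers except the new checked wrappers; a comment on each helper saying the caller must already have done `access_ok()` would keep that from regressing.
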
@@ -333,7 +309,7 @@ __constant_copy_to_user(void __user *to,
 	else if (n == 24)
 		__asm_copy_to_user_24(to, from, ret);
 	else
-		ret = __generic_copy_to_user(to, from, n);
+		ret = __copy_user(to, from, n);
 
 	return ret;
 }
@@ -366,26 +342,43 @@ __constant_clear_user(void __user *to, u
 	else if (n == 24)
 		__asm_clear_24(to, ret);
 	else
-		ret = __generic_clear_user(to, n);
+		ret = __do_clear_user(to, n);
 
 	return ret;
 }
 
 
-#define clear_user(to, n)				\
-	(__builtin_constant_p(n) ?			\
-	 __constant_clear_user(to, n) :			\
-	 __generic_clear_user(to, n))
-
-#define copy_from_user(to, from, n)			\
-	(__builtin_constant_p(n) ?			\
-	 __constant_copy_from_user(to, from, n) :	\
-	 __generic_copy_from_user(to, from, n))
-
-#define copy_to_user(to, from, n)			\
-	(__builtin_constant_p(n) ?			\
-	 __constant_copy_to_user(to, from, n) :		\
-	 __generic_copy_to_user(to, from, n))
+static inline size_t clear_user(void __user *to, size_t n)
+{
+	if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+		return n;
+	if (__builtin_constant_p(n))
+		return __constant_clear_user(to, n);
+	else
+		return __do_clear_user(to, n);
+}
+
+static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
+{
+	if (unlikely(!access_ok(VERIFY_READ, from, n))) {
+		memset(to, 0, n);
+		return n;
+	}
+	if (__builtin_constant_p(n))
+		return __constant_copy_from_user(to, from, n);
+	else
+		return __copy_user_zeroing(to, from, n);
+}
+
+static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
+{
+	if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+		return n;
+	if (__builtin_constant_p(n))
+		return __constant_copy_to_user(to, from, n);
+	else
+		return __copy_user(to, from, n);
+}
 
 /* We let the __ versions of copy_from/to_user inline, because they're often
  * used in fast paths and have only a small space overhead.
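
Review bot: in the new `copy_from_user()` the failure path does `memset(to, 0, n)`, but this diff adds no `#include <linux/string.h>` (the mips patch in this series adds it for the same call), so the header depends on an earlier include declaring `memset()`. Separately, `__builtin_constant_p(n)` is now evaluated on a function parameter in all three wrappers and is true only after inlining; the non-constant branch is still correct, but the small-size fast paths are lost whenever a wrapper is not inlined. The wrappers also return plain `size_t` with no `__must_check`.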

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 166/184] blackfin: fix copy_from_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (157 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 165/184] cris: buggered copy_from_user/copy_to_user/clear_user Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 167/184] score: fix copy_from_user() and friends Greg Kroah-Hartman
                     ` (18 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/blackfin/include/asm/uaccess.h |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/arch/blackfin/include/asm/uaccess.h
+++ b/arch/blackfin/include/asm/uaccess.h
@@ -171,11 +171,12 @@ static inline int bad_user_access_length
 static inline unsigned long __must_check
 copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-	if (access_ok(VERIFY_READ, from, n))
+	if (likely(access_ok(VERIFY_READ, from, n))) {
 		memcpy(to, (const void __force *)from, n);
-	else
-		return n;
-	return 0;
+		return 0;
+	}
+	memset(to, 0, n);
+	return n;
 }
 
 static inline unsigned long __must_check
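
Review bot: the changelog is empty, so the reason for the new `memset(to, 0, n)` on the `access_ok()` failure path of `copy_from_user()` has to be inferred from the other patches in the series. Please state it in the message. It is also worth noting there that the success path is a plain `memcpy()` returning 0, so a refused range is the only failure this function reports.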

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 167/184] score: fix copy_from_user() and friends
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (158 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 166/184] blackfin: fix copy_from_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 168/184] sh: fix copy_from_user() Greg Kroah-Hartman
                     ` (17 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/score/include/asm/uaccess.h |   41 +++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 21 deletions(-)

--- a/arch/score/include/asm/uaccess.h
+++ b/arch/score/include/asm/uaccess.h
@@ -301,35 +301,34 @@ extern int __copy_tofrom_user(void *to,
 static inline unsigned long
 copy_from_user(void *to, const void *from, unsigned long len)
 {
-	unsigned long over;
+	unsigned long res = len;
 
-	if (access_ok(VERIFY_READ, from, len))
-		return __copy_tofrom_user(to, from, len);
+	if (likely(access_ok(VERIFY_READ, from, len)))
+		res = __copy_tofrom_user(to, from, len);
 
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + len - TASK_SIZE;
-		return __copy_tofrom_user(to, from, len - over) + over;
-	}
-	return len;
+	if (unlikely(res))
+		memset(to + (len - res), 0, res);
+
+	return res;
 }
 
 static inline unsigned long
 copy_to_user(void *to, const void *from, unsigned long len)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_WRITE, to, len))
-		return __copy_tofrom_user(to, from, len);
+	if (likely(access_ok(VERIFY_WRITE, to, len)))
+		len = __copy_tofrom_user(to, from, len);
 
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + len - TASK_SIZE;
-		return __copy_tofrom_user(to, from, len - over) + over;
-	}
 	return len;
 }
 
-#define __copy_from_user(to, from, len)	\
-		__copy_tofrom_user((to), (from), (len))
+static inline unsigned long
+__copy_from_user(void *to, const void *from, unsigned long len)
+{
+	unsigned long left = __copy_tofrom_user(to, from, len);
+	if (unlikely(left))
+		memset(to + (len - left), 0, left);
+	return left;
+}
 
 #define __copy_to_user(to, from, len)		\
 		__copy_tofrom_user((to), (from), (len))
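
Review bot: the removed `(unsigned long)from < TASK_SIZE` and `(unsigned long)to < TASK_SIZE` branches in `copy_from_user()` and `copy_to_user()` used to copy the part of a range lying below `TASK_SIZE` and report only the overshoot; after this change such a range copies nothing and returns `len`. That is a behaviour change, and the empty changelog should mention it. Minor: `memset(to + (len - res), 0, res)` does arithmetic on a `void *`.
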
@@ -343,17 +342,17 @@ __copy_to_user_inatomic(void *to, const
 static inline unsigned long
 __copy_from_user_inatomic(void *to, const void *from, unsigned long len)
 {
-	return __copy_from_user(to, from, len);
+	return __copy_tofrom_user(to, from, len);
 }
 
-#define __copy_in_user(to, from, len)	__copy_from_user(to, from, len)
+#define __copy_in_user(to, from, len)	__copy_tofrom_user(to, from, len)
 
 static inline unsigned long
 copy_in_user(void *to, const void *from, unsigned long len)
 {
 	if (access_ok(VERIFY_READ, from, len) &&
 		      access_ok(VERFITY_WRITE, to, len))
-		return copy_from_user(to, from, len);
+		return __copy_tofrom_user(to, from, len);
 }
 
 /*
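
Review bot: `copy_in_user()` still has no `return` when either `access_ok()` check fails, so it falls off the end of a function declared to return `unsigned long`, and the second check is spelled `VERFITY_WRITE` in the context line. Both predate this patch, but since the body is being rewritten here it is the place to add `return len;` and fix the constant.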

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 168/184] sh: fix copy_from_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (159 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 167/184] score: fix copy_from_user() and friends Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 169/184] sh: cmpxchg: fix a bit shift bug in big_endian os Greg Kroah-Hartman
                     ` (16 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/sh/include/asm/uaccess.h |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/sh/include/asm/uaccess.h
+++ b/arch/sh/include/asm/uaccess.h
@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __us
 	__kernel_size_t __copy_size = (__kernel_size_t) n;
 
 	if (__copy_size && __access_ok(__copy_from, __copy_size))
-		return __copy_user(to, from, __copy_size);
+		__copy_size = __copy_user(to, from, __copy_size);
+
+	if (unlikely(__copy_size))
+		memset(to + (n - __copy_size), 0, __copy_size);
 
 	return __copy_size;
 }
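
Review bot: the new `memset()` offset mixes `n` with `__copy_size` (`to + (n - __copy_size)`), which is correct only because `__copy_size` starts out as `(__kernel_size_t) n`; using one variable for both the length and the remainder would make that obvious. The changelog is empty and should say that the destination is now zeroed both when `__access_ok()` refuses the range and when `__copy_user()` stops short.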

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 169/184] sh: cmpxchg: fix a bit shift bug in big_endian os
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (160 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 168/184] sh: fix copy_from_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 170/184] hexagon: fix strncpy_from_user() error return Greg Kroah-Hartman
                     ` (15 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pan Xinhui, Michael S. Tsirkin, Rich Felker

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Xinhui <xinhui.pan@linux.vnet.ibm.com>

commit ff18143ceed3424b7d6cdb8659b9692fa734f0d8 upstream.

Correct bitoff in big endian OS.
Current code works correctly for 1 byte but not for 2 bytes.

Fixes: 3226aad81aa6 ("sh: support 1 and 2 byte xchg")
Signed-off-by: Pan Xinhui <xinhui.pan@linux.vnet.ibm.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Rich Felker <dalias@libc.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/sh/include/asm/cmpxchg-xchg.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/sh/include/asm/cmpxchg-xchg.h
+++ b/arch/sh/include/asm/cmpxchg-xchg.h
@@ -21,7 +21,7 @@ static inline u32 __xchg_cmpxchg(volatil
 	int off = (unsigned long)ptr % sizeof(u32);
 	volatile u32 *p = ptr - off;
 #ifdef __BIG_ENDIAN
-	int bitoff = (sizeof(u32) - 1 - off) * BITS_PER_BYTE;
+	int bitoff = (sizeof(u32) - size - off) * BITS_PER_BYTE;
 #else
 	int bitoff = off * BITS_PER_BYTE;
 #endif
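
Review bot: `(sizeof(u32) - size - off)` is non-negative only when the access is naturally aligned; a 2-byte operand at `off == 3` makes the subtraction wrap before the result is stored in `int bitoff`. If callers guarantee alignment, say so in a comment or assert it; the changelog states only that the 2-byte case was wrong.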

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 170/184] hexagon: fix strncpy_from_user() error return
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (161 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 169/184] sh: cmpxchg: fix a bit shift bug in big_endian os Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 171/184] mips: copy_from_user() must zero the destination on access_ok() failure Greg Kroah-Hartman
                     ` (14 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Richard Kuo, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream.

It's -EFAULT, not -1 (and contrary to the comment in there,
__strnlen_user() can return 0 - on faults).

Acked-by: Richard Kuo <rkuo@codeaurora.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/hexagon/include/asm/uaccess.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/hexagon/include/asm/uaccess.h
+++ b/arch/hexagon/include/asm/uaccess.h
@@ -103,7 +103,8 @@ static inline long hexagon_strncpy_from_
 {
 	long res = __strnlen_user(src, n);
 
-	/* return from strnlen can't be zero -- that would be rubbish. */
+	if (unlikely(!res))
+		return -EFAULT;
 
 	if (res > n) {
 		copy_from_user(dst, src, n);
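
Review bot: the misleading comment is deleted but nothing replaces it; a one-line comment above `if (unlikely(!res))` saying that `__strnlen_user()` returns 0 on a fault would stop the next reader from reintroducing the old assumption. Unrelated to this fix, the `copy_from_user(dst, src, n)` in the context line below ignores its return value.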

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 171/184] mips: copy_from_user() must zero the destination on access_ok() failure
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (162 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 170/184] hexagon: fix strncpy_from_user() error return Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 172/184] asm-generic: make copy_from_user() zero the destination properly Greg Kroah-Hartman
                     ` (13 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit e69d700535ac43a18032b3c399c69bf4639e89a2 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/include/asm/uaccess.h |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/mips/include/asm/uaccess.h
+++ b/arch/mips/include/asm/uaccess.h
@@ -14,6 +14,7 @@
 #include <linux/kernel.h>
 #include <linux/errno.h>
 #include <linux/thread_info.h>
+#include <linux/string.h>
 #include <asm/asm-eva.h>
 
 /*
@@ -1170,6 +1171,8 @@ extern size_t __copy_in_user_eva(void *_
 			__cu_len = __invoke_copy_from_user(__cu_to,	\
 							   __cu_from,	\
 							   __cu_len);   \
+		} else {						\
+			memset(__cu_to, 0, __cu_len);			\
 		}							\
 	}								\
 	__cu_len;							\
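
Review bot: the new `else` pairs with the inner check, but the context shows another enclosing block closing right after it (the `}` before `__cu_len;`). If that outer condition can be false, neither the copy nor `memset(__cu_to, 0, __cu_len)` runs and the destination is left as it was; please confirm what the outer block guards and say so in the changelog, which is currently empty.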

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 172/184] asm-generic: make copy_from_user() zero the destination properly
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (163 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 171/184] mips: copy_from_user() must zero the destination on access_ok() failure Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 173/184] alpha: fix copy_from_user() Greg Kroah-Hartman
                     ` (12 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream.

... in all cases, including the failing access_ok()

Note that some architectures using asm-generic/uaccess.h have
__copy_from_user() not zeroing the tail on failure halfway
through.  This variant works either way.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/asm-generic/uaccess.h |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -261,11 +261,13 @@ extern int __get_user_bad(void) __attrib
 static inline long copy_from_user(void *to,
 		const void __user * from, unsigned long n)
 {
+	unsigned long res = n;
 	might_fault();
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_from_user(to, from, n);
-	else
-		return n;
+	if (likely(access_ok(VERIFY_READ, from, n)))
+		res = __copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 static inline long copy_to_user(void __user *to,
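
Review bot: `res` is `unsigned long`, but `copy_from_user()` is declared to return `long`, so the count of uncopied bytes is converted on return; worth aligning the types while the body is being rewritten. `memset(to + (n - res), 0, res)` also clears a tail that some `__copy_from_user()` implementations have already cleared, which the changelog accepts; a comment in the code saying so would spare the next reader from having to dig through the history.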

^ permalink raw reply	[flat|nested] 182+ messages in thread
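
The two failure modes named in the changelog above (a refused `access_ok()` and a fault halfway through), as an added user-space model that is neither kernel code nor part of the patch. `struct user_mem`, `model_access_ok()`, `model_raw_copy()`, `demo_stale()` and `demo_left()` are hypothetical names, the sample data is constructed, and the 0xAA fill stands in for stale kernel stack contents.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a user mapping: offsets [0, len) pass the range
 * check, but a read faults once it reaches offset fault_at. */
struct user_mem {
	const unsigned char *base;
	size_t len;
	size_t fault_at;
};

/* Constructed sample: 8 valid-looking bytes, page "missing" from byte 5. */
static const struct user_mem sample = {
	(const unsigned char *)"ABCDEFGH", 8, 5
};

/* Stand-in for access_ok(): is [off, off + n) inside the mapping? */
static int model_access_ok(const struct user_mem *u, size_t off, size_t n)
{
	return off <= u->len && n <= u->len - off;
}

/* Stand-in for an arch __copy_from_user() that does NOT zero the tail:
 * copies up to the fault and returns the number of bytes not copied. */
static size_t model_raw_copy(void *to, const struct user_mem *u,
			     size_t off, size_t n)
{
	size_t ok = 0;

	if (off < u->fault_at) {
		ok = u->fault_at - off;
		if (ok > n)
			ok = n;
	}
	memcpy(to, u->base + off, ok);
	return n - ok;
}

/* Shape of copy_from_user() before the patch: on a refused range or a
 * short copy, the rest of the destination keeps whatever it held. */
static size_t copy_unpatched(void *to, const struct user_mem *u,
			     size_t off, size_t n)
{
	if (model_access_ok(u, off, n))
		return model_raw_copy(to, u, off, n);
	return n;
}

/* Shape after the patch: res starts at n, so a refused range zeroes the
 * whole destination and a short copy zeroes only the uncopied tail. */
static size_t copy_patched(void *to, const struct user_mem *u,
			   size_t off, size_t n)
{
	size_t res = n;

	if (model_access_ok(u, off, n))
		res = model_raw_copy(to, u, off, n);
	if (res)
		memset((unsigned char *)to + (n - res), 0, res);
	return res;
}

/* Number of 0xAA "stale" bytes still in the first n bytes after the copy. */
static size_t demo_stale(int patched, size_t off, size_t n)
{
	unsigned char dst[16];
	size_t i, stale = 0;

	if (n > sizeof(dst))
		return (size_t)-1;
	memset(dst, 0xAA, sizeof(dst));	/* pretend stack garbage */
	if (patched)
		copy_patched(dst, &sample, off, n);
	else
		copy_unpatched(dst, &sample, off, n);
	for (i = 0; i < n; i++)
		if (dst[i] == 0xAA)
			stale++;
	return stale;
}

/* Return value (bytes not copied) of the chosen variant. */
static size_t demo_left(int patched, size_t off, size_t n)
{
	unsigned char dst[16] = { 0 };

	if (n > sizeof(dst))
		return (size_t)-1;
	return patched ? copy_patched(dst, &sample, off, n)
		       : copy_unpatched(dst, &sample, off, n);
}

int main(void)
{
	printf("fault halfway:   stale before=%zu after=%zu\n",
	       demo_stale(0, 0, 8), demo_stale(1, 0, 8));
	printf("range refused:   stale before=%zu after=%zu\n",
	       demo_stale(0, 4, 8), demo_stale(1, 4, 8));
	printf("bytes not copied (patched): %zu and %zu\n",
	       demo_left(1, 0, 8), demo_left(1, 4, 8));
	return 0;
}
```

The return value is the same before and after; what changes is that a caller which ignores or mishandles it no longer goes on to use old stack contents.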

* [PATCH 4.7 173/184] alpha: fix copy_from_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (164 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 172/184] asm-generic: make copy_from_user() zero the destination properly Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 174/184] metag: copy_from_user() should zero the destination on access_ok() failure Greg Kroah-Hartman
                     ` (11 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream.

it should clear the destination even when access_ok() fails.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/alpha/include/asm/uaccess.h |   19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

--- a/arch/alpha/include/asm/uaccess.h
+++ b/arch/alpha/include/asm/uaccess.h
@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, con
 	return __cu_len;
 }
 
-extern inline long
-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
-{
-	if (__access_ok((unsigned long)validate, len, get_fs()))
-		len = __copy_tofrom_user_nocheck(to, from, len);
-	return len;
-}
-
 #define __copy_to_user(to, from, n)					\
 ({									\
 	__chk_user_ptr(to);						\
@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void
 #define __copy_to_user_inatomic __copy_to_user
 #define __copy_from_user_inatomic __copy_from_user
 
-
 extern inline long
 copy_to_user(void __user *to, const void *from, long n)
 {
-	return __copy_tofrom_user((__force void *)to, from, n, to);
+	if (likely(__access_ok((unsigned long)to, n, get_fs())))
+		n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
+	return n;
 }
 
 extern inline long
 copy_from_user(void *to, const void __user *from, long n)
 {
-	return __copy_tofrom_user(to, (__force void *)from, n, from);
+	if (likely(__access_ok((unsigned long)from, n, get_fs())))
+		n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
+	else
+		memset(to, 0, n);
+	return n;
 }
 
 extern void __do_clear_user(void);
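
Review bot: in copy_from_user() n is a signed long and the new else
branch passes it straight to memset(to, 0, n), so a negative length
that fails __access_ok() is converted to a very large size_t. Consider
taking the length as unsigned long, as the asm-generic and ia64
versions in this series do. The changelog should also say that this
function zeroes only on the failed access check, so clearing the tail
after a fault partway through is left to __copy_tofrom_user_nocheck().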

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 174/184] metag: copy_from_user() should zero the destination on access_ok() failure
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (165 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 173/184] alpha: fix copy_from_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 175/184] parisc: fix copy_from_user() Greg Kroah-Hartman
                     ` (10 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, James Hogan, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b upstream.

Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/metag/include/asm/uaccess.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -204,8 +204,9 @@ extern unsigned long __must_check __copy
 static inline unsigned long
 copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-	if (access_ok(VERIFY_READ, from, n))
+	if (likely(access_ok(VERIFY_READ, from, n)))
 		return __copy_user_zeroing(to, from, n);
+	memset(to, 0, n);
 	return n;
 }
 
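
Review bot: memset() is now called from copy_from_user() in this
header, but the patch adds no include for it, whereas the parisc patch
in this series adds <linux/string.h> for the same call. Please confirm
the declaration is visible in every file that includes this header, or
add the include here too. The commit message has no body; one sentence
describing the behaviour change on access_ok() failure would help
stable reviewers.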

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 175/184] parisc: fix copy_from_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (166 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 174/184] metag: copy_from_user() should zero the destination on access_ok() failure Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 176/184] openrisc: " Greg Kroah-Hartman
                     ` (9 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit aace880feea38875fbc919761b77e5732a3659ef upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/parisc/include/asm/uaccess.h |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -10,6 +10,7 @@
 #include <asm-generic/uaccess-unaligned.h>
 
 #include <linux/bug.h>
+#include <linux/string.h>
 
 #define VERIFY_READ 0
 #define VERIFY_WRITE 1
@@ -221,13 +222,14 @@ static inline unsigned long __must_check
                                           unsigned long n)
 {
         int sz = __compiletime_object_size(to);
-        int ret = -EFAULT;
+        unsigned long ret = n;
 
         if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
                 ret = __copy_from_user(to, from, n);
         else
                 copy_from_user_overflow();
-
+	if (unlikely(ret))
+		memset(to + (n - ret), 0, ret);
         return ret;
 }
 
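
Review bot: with ret now initialised to n, the else branch (taken when
sz < n, where copy_from_user_overflow() is called) falls through to
memset(to + (n - ret), 0, ret), that is memset(to, 0, n), on a
destination the check has just found to be smaller than n bytes. The
zeroing should be limited to the path that actually attempted the
copy, or clamped to sz. The two added lines are also tab-indented
while the rest of the function is indented with spaces.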

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 176/184] openrisc: fix copy_from_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (167 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 175/184] parisc: fix copy_from_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 177/184] nios2: copy_from_user() should zero the tail of destination Greg Kroah-Hartman
                     ` (8 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit acb2505d0119033a80c85ac8d02dccae41271667 upstream.

... that should zero on faults.  Also remove the <censored> helpful
logics wrt range truncation copied from ppc32.  Where it had ever
been needed only in case of copy_from_user() *and* had not been merged
into the mainline until a month after the need had disappeared.
A decade before openrisc went into mainline, I might add...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/openrisc/include/asm/uaccess.h |   33 ++++++++++-----------------------
 1 file changed, 10 insertions(+), 23 deletions(-)

--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void
 static inline unsigned long
 copy_from_user(void *to, const void *from, unsigned long n)
 {
-	unsigned long over;
+	unsigned long res = n;
 
-	if (access_ok(VERIFY_READ, from, n))
-		return __copy_tofrom_user(to, from, n);
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + n - TASK_SIZE;
-		return __copy_tofrom_user(to, from, n - over) + over;
-	}
-	return n;
+	if (likely(access_ok(VERIFY_READ, from, n)))
+		n = __copy_tofrom_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 static inline unsigned long
 copy_to_user(void *to, const void *from, unsigned long n)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_WRITE, to, n))
-		return __copy_tofrom_user(to, from, n);
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + n - TASK_SIZE;
-		return __copy_tofrom_user(to, from, n - over) + over;
-	}
+	if (likely(access_ok(VERIFY_WRITE, to, n)))
+		n = __copy_tofrom_user(to, from, n);
 	return n;
 }
 
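
Review bot: in the new copy_from_user() the roles of n and res are
swapped: the copy result is stored in n while res keeps the original
length, so the function returns the full length even after a complete
copy, and memset(to + (n - res), 0, res) runs whenever the length is
nonzero, starting at to minus the number of bytes copied. The other
conversions in this series assign the result to res; doing the same
here, res = __copy_tofrom_user(to, from, n);, makes the memset and
the return correct as written.
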
@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void *
 static inline __must_check unsigned long
 clear_user(void *addr, unsigned long size)
 {
-
-	if (access_ok(VERIFY_WRITE, addr, size))
-		return __clear_user(addr, size);
-	if ((unsigned long)addr < TASK_SIZE) {
-		unsigned long over = (unsigned long)addr + size - TASK_SIZE;
-		return __clear_user(addr, size - over) + over;
-	}
+	if (likely(access_ok(VERIFY_WRITE, addr, size)))
+		size = __clear_user(addr, size);
 	return size;
 }
 

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 177/184] nios2: copy_from_user() should zero the tail of destination
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (168 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 176/184] openrisc: " Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 178/184] mn10300: copy_from_user() should zero on access_ok() failure Greg Kroah-Hartman
                     ` (7 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/nios2/include/asm/uaccess.h |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/arch/nios2/include/asm/uaccess.h
+++ b/arch/nios2/include/asm/uaccess.h
@@ -102,9 +102,12 @@ extern long __copy_to_user(void __user *
 static inline long copy_from_user(void *to, const void __user *from,
 				unsigned long n)
 {
-	if (!access_ok(VERIFY_READ, from, n))
-		return n;
-	return __copy_from_user(to, from, n);
+	unsigned long res = n;
+	if (access_ok(VERIFY_READ, from, n))
+		res = __copy_from_user(to, from, n);
+	if (unlikely(res))
+		memset(to + (n - res), 0, res);
+	return res;
 }
 
 static inline long copy_to_user(void __user *to, const void *from,
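
Review bot: the subject only mentions zeroing the tail, but this hunk
also changes the access_ok() failure path, which used to return n with
the buffer untouched and now clears all n bytes (res stays n, so the
memset covers the whole destination). The commit message has no body;
please state both behaviours there. Minor: access_ok() is left without
likely() although the matching asm-generic change adds it, and a blank
line after the res declaration would match the usual style.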

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 178/184] mn10300: copy_from_user() should zero on access_ok() failure...
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (169 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 177/184] nios2: copy_from_user() should zero the tail of destination Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 179/184] sparc32: fix copy_from_user() Greg Kroah-Hartman
                     ` (6 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mn10300/lib/usercopy.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/mn10300/lib/usercopy.c
+++ b/arch/mn10300/lib/usercopy.c
@@ -9,7 +9,7 @@
  * as published by the Free Software Foundation; either version
  * 2 of the Licence, or (at your option) any later version.
  */
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 
 unsigned long
 __generic_copy_to_user(void *to, const void *from, unsigned long n)
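
Review bot: the switch from <asm/uaccess.h> to <linux/uaccess.h> is
not explained, and the commit message has no body. If it is there to
make memset() visible for the new else branch in
__generic_copy_from_user(), say so, or include <linux/string.h>
directly as the parisc patch in this series does.
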
@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const
 {
 	if (access_ok(VERIFY_READ, from, n))
 		__copy_user_zeroing(to, from, n);
+	else
+		memset(to, 0, n);
 	return n;
 }
 

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 179/184] sparc32: fix copy_from_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (170 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 178/184] mn10300: copy_from_user() should zero on access_ok() failure Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 180/184] ppc32: " Greg Kroah-Hartman
                     ` (5 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David S. Miller, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 917400cecb4b52b5cde5417348322bb9c8272fa6 upstream.

Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/sparc/include/asm/uaccess_32.h |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -263,8 +263,10 @@ static inline unsigned long copy_from_us
 {
 	if (n && __access_ok((unsigned long) from, n))
 		return __copy_user((__force void __user *) to, from, n);
-	else
+	else {
+		memset(to, 0, n);
 		return n;
+	}
 }
 
 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
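
Review bot: the else branch gains braces while the if branch stays
unbraced; kernel coding style asks for braces on both branches once
one of them needs them. Since the if branch returns, dropping the else
and placing memset(to, 0, n); return n; at function level would be
simpler. Note also that the n && ... test sends n == 0 down this path,
where the memset is a no-op.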

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 180/184] ppc32: fix copy_from_user()
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (171 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 179/184] sparc32: fix copy_from_user() Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 181/184] ia64: copy_from_user() should zero the destination on access_ok() failure Greg Kroah-Hartman
                     ` (4 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 224264657b8b228f949b42346e09ed8c90136a8e upstream.

should clear on access_ok() failures.  Also remove the useless
range truncation logics.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/include/asm/uaccess.h |   21 ++-------------------
 1 file changed, 2 insertions(+), 19 deletions(-)

--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -308,30 +308,17 @@ extern unsigned long __copy_tofrom_user(
 static inline unsigned long copy_from_user(void *to,
 		const void __user *from, unsigned long n)
 {
-	unsigned long over;
-
-	if (access_ok(VERIFY_READ, from, n))
+	if (likely(access_ok(VERIFY_READ, from, n)))
 		return __copy_tofrom_user((__force void __user *)to, from, n);
-	if ((unsigned long)from < TASK_SIZE) {
-		over = (unsigned long)from + n - TASK_SIZE;
-		return __copy_tofrom_user((__force void __user *)to, from,
-				n - over) + over;
-	}
++	memset(to, 0, n);
 	return n;
 }
 
 static inline unsigned long copy_to_user(void __user *to,
 		const void *from, unsigned long n)
 {
-	unsigned long over;
-
 	if (access_ok(VERIFY_WRITE, to, n))
 		return __copy_tofrom_user(to, (__force void __user *)from, n);
-	if ((unsigned long)to < TASK_SIZE) {
-		over = (unsigned long)to + n - TASK_SIZE;
-		return __copy_tofrom_user(to, (__force void __user *)from,
-				n - over) + over;
-	}
 	return n;
 }
 
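
Review bot: the added memset line in copy_from_user() carries two plus
signs, so the line that ends up in the file is "+	memset(to, 0, n);"
with a stray leading +. That applies unary plus to memset()'s void *
result, which is not valid C, so the header will not compile; the line
should be added with a single +. Separately, copy_to_user() keeps a
bare access_ok() while copy_from_user() gains likely(); pick one.
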
@@ -422,10 +409,6 @@ static inline unsigned long clear_user(v
 	might_fault();
 	if (likely(access_ok(VERIFY_WRITE, addr, size)))
 		return __clear_user(addr, size);
-	if ((unsigned long)addr < TASK_SIZE) {
-		unsigned long over = (unsigned long)addr + size - TASK_SIZE;
-		return __clear_user(addr, size - over) + over;
-	}
 	return size;
 }
 

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 181/184] ia64: copy_from_user() should zero the destination on access_ok() failure
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (172 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 180/184] ppc32: " Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 182/184] iwlegacy: avoid warning about missing braces Greg Kroah-Hartman
                     ` (3 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit a5e541f796f17228793694d64b507f5f57db4cd7 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/ia64/include/asm/uaccess.h |   20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
@@ -263,17 +263,15 @@ __copy_from_user (void *to, const void _
 	__cu_len;									\
 })
 
-#define copy_from_user(to, from, n)							\
-({											\
-	void *__cu_to = (to);								\
-	const void __user *__cu_from = (from);						\
-	long __cu_len = (n);								\
-											\
-	__chk_user_ptr(__cu_from);							\
-	if (__access_ok(__cu_from, __cu_len, get_fs()))					\
-		__cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len);	\
-	__cu_len;									\
-})
+static inline unsigned long
+copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+	if (likely(__access_ok(from, n, get_fs())))
+		n = __copy_user((__force void __user *) to, from, n);
+	else
+		memset(to, 0, n);
+	return n;
+}
 
 #define __copy_in_user(to, from, size)	__copy_user((to), (from), (size))
 
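
Review bot: converting copy_from_user() from a macro to an inline
drops the __chk_user_ptr(__cu_from) call, so the explicit sparse check
on the source pointer is no longer made here. If the __user annotation
on the new prototype is meant to replace it, say so in the commit
message, which currently has no body. The length and return type also
change from long to unsigned long, which is worth mentioning in the
changelog.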

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 182/184] iwlegacy: avoid warning about missing braces
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (173 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 181/184] ia64: copy_from_user() should zero the destination on access_ok() failure Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 17:41   ` [PATCH 4.7 183/184] genirq/msi: Fix broken debug output Greg Kroah-Hartman
                     ` (2 subsequent siblings)
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Stanislaw Gruszka, Kalle Valo

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 2cce76c3fab410520610a7d2f52faebc3cfcf843 upstream.

gcc-6 warns about code in il3945_hw_txq_ctx_free() being
somewhat ambiguous:

drivers/net/wireless/intel/iwlegacy/3945.c:1022:5: warning: suggest explicit braces to avoid ambiguous 'else' [-Wparentheses]

This adds a set of curly braces to avoid the warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlegacy/3945.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/intel/iwlegacy/3945.c
+++ b/drivers/net/wireless/intel/iwlegacy/3945.c
@@ -1019,12 +1019,13 @@ il3945_hw_txq_ctx_free(struct il_priv *i
 	int txq_id;
 
 	/* Tx queues */
-	if (il->txq)
+	if (il->txq) {
 		for (txq_id = 0; txq_id < il->hw_params.max_txq_num; txq_id++)
 			if (txq_id == IL39_CMD_QUEUE_NUM)
 				il_cmd_queue_free(il);
 			else
 				il_tx_queue_free(il, txq_id);
+	}
 
 	/* free tx queue structure */
 	il_free_txq_mem(il);
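
Review bot: braces are added only around the outer if (il->txq); the
for loop inside it still has an unbraced multi-line if/else body.
Bracing the for as well would follow kernel coding style for
multi-line bodies and make the nesting explicit at every level.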

^ permalink raw reply	[flat|nested] 182+ messages in thread

* [PATCH 4.7 183/184] genirq/msi: Fix broken debug output
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (174 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 182/184] iwlegacy: avoid warning about missing braces Greg Kroah-Hartman
@ 2016-09-22 17:41   ` Greg Kroah-Hartman
  2016-09-22 23:44   ` [PATCH 4.7 000/184] 4.7.5-stable review Guenter Roeck
  2016-09-23 16:03   ` Shuah Khan
  177 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-22 17:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Thomas Gleixner

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 4364e1a29be16b2783c0bcbc263f61236af64281 upstream.

virq is not required to be the same for all msi descs. Use the base irq number
from the desc in the debug printk.

Reported-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/irq/msi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/kernel/irq/msi.c
+++ b/kernel/irq/msi.c
@@ -352,6 +352,7 @@ int msi_domain_alloc_irqs(struct irq_dom
 		ops->msi_finish(&arg, 0);
 
 	for_each_msi_entry(desc, dev) {
+		virq = desc->irq;
 		if (desc->nvec_used == 1)
 			dev_dbg(dev, "irq %d for MSI\n", virq);
 		else
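
Review bot: assigning virq = desc->irq inside for_each_msi_entry()
overwrites the function's virq variable only to feed the debug prints,
so any use of virq after the loop now sees the last descriptor's irq.
Passing desc->irq directly to dev_dbg() would fix the debug output
without touching that variable.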

^ permalink raw reply	[flat|nested] 182+ messages in thread

* Re: [PATCH 4.7 000/184] 4.7.5-stable review
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (175 preceding siblings ...)
  2016-09-22 17:41   ` [PATCH 4.7 183/184] genirq/msi: Fix broken debug output Greg Kroah-Hartman
@ 2016-09-22 23:44   ` Guenter Roeck
  2016-09-23  8:15     ` Greg Kroah-Hartman
  2016-09-23 16:03   ` Shuah Khan
  177 siblings, 1 reply; 182+ messages in thread
From: Guenter Roeck @ 2016-09-22 23:44 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah.kh, patches, ben.hutchings, stable

On Thu, Sep 22, 2016 at 07:38:54PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.7.5 release.
> There are 184 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sat Sep 24 17:40:23 UTC 2016.
> Anything received after that time might be too late.
> 
Build results:
	total: 149 pass: 137 fail: 12
Failed builds:
	avr32:defconfig
	avr32:allnoconfig
	avr32:merisc_defconfig
	avr32:atngw100mkii_evklcd101_defconfig
	powerpc:defconfig
	powerpc:allmodconfig
	powerpc:allnoconfig
	powerpc:ppc6xx_defconfig
	powerpc:mpc83xx_defconfig
	powerpc:tqm8xx_defconfig
	powerpc:85xx/sbc8548_defconfig
	powerpc:83xx/mpc834x_mds_defconfig

Qemu test results:
	total: 108 pass: 97 fail: 11
Failed tests:
	openrisc:or1ksim_defconfig
	powerpc:mac99:nosmp:ppc_book3s_defconfig
	powerpc:g3beige:nosmp:ppc_book3s_defconfig
	powerpc:mac99:smp:ppc_book3s_defconfig
	powerpc:virtex-ml507:44x/virtex5_defconfig
	powerpc:mpc8548cds:85xx/mpc85xx_cds_defconfig
	powerpc:mpc8548cds:smpdev:85xx/mpc85xx_cds_defconfig
	powerpc:bamboo:44x/bamboo_defconfig
	powerpc:mac99:ppc64_book3s_defconfig:nosmp
	powerpc:mac99:ppc64_book3s_defconfig:smp4
	powerpc:pseries:pseries_defconfig

Failures pretty much match 4.4, so I won't go into specifics here.

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 182+ messages in thread

* Re: [PATCH 4.7 000/184] 4.7.5-stable review
  2016-09-22 23:44   ` [PATCH 4.7 000/184] 4.7.5-stable review Guenter Roeck
@ 2016-09-23  8:15     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-23  8:15 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah.kh, patches, ben.hutchings, stable

On Thu, Sep 22, 2016 at 04:44:55PM -0700, Guenter Roeck wrote:
> On Thu, Sep 22, 2016 at 07:38:54PM +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.7.5 release.
> > There are 184 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sat Sep 24 17:40:23 UTC 2016.
> > Anything received after that time might be too late.
> > 
> Build results:
> 	total: 149 pass: 137 fail: 12
> Failed builds:
> 	avr32:defconfig
> 	avr32:allnoconfig
> 	avr32:merisc_defconfig
> 	avr32:atngw100mkii_evklcd101_defconfig
> 	powerpc:defconfig
> 	powerpc:allmodconfig
> 	powerpc:allnoconfig
> 	powerpc:ppc6xx_defconfig
> 	powerpc:mpc83xx_defconfig
> 	powerpc:tqm8xx_defconfig
> 	powerpc:85xx/sbc8548_defconfig
> 	powerpc:83xx/mpc834x_mds_defconfig
> 
> Qemu test results:
> 	total: 108 pass: 97 fail: 11
> Failed tests:
> 	openrisc:or1ksim_defconfig
> 	powerpc:mac99:nosmp:ppc_book3s_defconfig
> 	powerpc:g3beige:nosmp:ppc_book3s_defconfig
> 	powerpc:mac99:smp:ppc_book3s_defconfig
> 	powerpc:virtex-ml507:44x/virtex5_defconfig
> 	powerpc:mpc8548cds:85xx/mpc85xx_cds_defconfig
> 	powerpc:mpc8548cds:smpdev:85xx/mpc85xx_cds_defconfig
> 	powerpc:bamboo:44x/bamboo_defconfig
> 	powerpc:mac99:ppc64_book3s_defconfig:nosmp
> 	powerpc:mac99:ppc64_book3s_defconfig:smp4
> 	powerpc:pseries:pseries_defconfig
> 
> Failures pretty much match 4.4, so I won't go into specifics here.

Should all now be fixed up, sorry for the mess, it's on arches that I
don't do local test builds for :(

greg k-h

^ permalink raw reply	[flat|nested] 182+ messages in thread

* Re: [PATCH 4.7 000/184] 4.7.5-stable review
  2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
                     ` (176 preceding siblings ...)
  2016-09-22 23:44   ` [PATCH 4.7 000/184] 4.7.5-stable review Guenter Roeck
@ 2016-09-23 16:03   ` Shuah Khan
  2016-09-23 16:15     ` Greg Kroah-Hartman
  177 siblings, 1 reply; 182+ messages in thread
From: Shuah Khan @ 2016-09-23 16:03 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, stable, Shuah Khan

On 09/22/2016 11:38 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.7.5 release.
> There are 184 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sat Sep 24 17:40:23 UTC 2016.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.7.5-rc1.gz
> or in the git tree and branch at:
>   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.7.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

-- 
Shuah Khan
Sr. Linux Kernel Developer
Open Source Innovation Group
Samsung Research America(Silicon Valley)
shuah.kh@samsung.com

^ permalink raw reply	[flat|nested] 182+ messages in thread

* Re: [PATCH 4.7 000/184] 4.7.5-stable review
  2016-09-23 16:03   ` Shuah Khan
@ 2016-09-23 16:15     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 182+ messages in thread
From: Greg Kroah-Hartman @ 2016-09-23 16:15 UTC (permalink / raw)
  To: Shuah Khan
  Cc: linux-kernel, torvalds, akpm, linux, patches, ben.hutchings, stable

On Fri, Sep 23, 2016 at 10:03:45AM -0600, Shuah Khan wrote:
> On 09/22/2016 11:38 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.7.5 release.
> > There are 184 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Sat Sep 24 17:40:23 UTC 2016.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.7.5-rc1.gz
> > or in the git tree and branch at:
> >   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.7.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> Compiled and booted on my test system. No dmesg regressions.

Great, thanks for testing both of these and letting me know!

greg k-h

^ permalink raw reply	[flat|nested] 182+ messages in thread

* Re: [PATCH 4.7 004/184] drm/msm: protect against faults from copy_from_user() in submit ioctl
  2016-09-22 17:38   ` [PATCH 4.7 004/184] drm/msm: protect against faults from copy_from_user() in submit ioctl Greg Kroah-Hartman
@ 2016-10-03  9:38     ` Vegard Nossum
  0 siblings, 0 replies; 182+ messages in thread
From: Vegard Nossum @ 2016-10-03  9:38 UTC (permalink / raw)
  To: Rob Clark; +Cc: LKML, Greg Kroah-Hartman, stable

On 22 September 2016 at 19:38, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> 4.7-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Rob Clark <robdclark@gmail.com>
>
> commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream.
>
> An evil userspace could try to cause deadlock by passing an unfaulted-in
> GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
> msm_gem_fault() while we already hold struct_mutex.  See:
>
> https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c
>
> Signed-off-by: Rob Clark <robdclark@gmail.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
>
> ---
>  drivers/gpu/drm/msm/msm_drv.h        |    6 ++++++
>  drivers/gpu/drm/msm/msm_gem.c        |    9 +++++++++
>  drivers/gpu/drm/msm/msm_gem_submit.c |    2 ++
>  3 files changed, 17 insertions(+)
>
> --- a/drivers/gpu/drm/msm/msm_drv.h
> +++ b/drivers/gpu/drm/msm/msm_drv.h
> @@ -148,6 +148,12 @@ struct msm_drm_private {
>         } vram;
>
>         struct msm_vblank_ctrl vblank_ctrl;
> +
> +       /* task holding struct_mutex.. currently only used in submit path
> +        * to detect and reject faults from copy_from_user() for submit
> +        * ioctl.
> +        */
> +       struct task_struct *struct_mutex_task;
>  };
>
>  struct msm_format {
> --- a/drivers/gpu/drm/msm/msm_gem.c
> +++ b/drivers/gpu/drm/msm/msm_gem.c
> @@ -196,11 +196,20 @@ int msm_gem_fault(struct vm_area_struct
>  {
>         struct drm_gem_object *obj = vma->vm_private_data;
>         struct drm_device *dev = obj->dev;
> +       struct msm_drm_private *priv = dev->dev_private;
>         struct page **pages;
>         unsigned long pfn;
>         pgoff_t pgoff;
>         int ret;
>
> +       /* This should only happen if userspace tries to pass a mmap'd
> +        * but unfaulted gem bo vaddr into submit ioctl, triggering
> +        * a page fault while struct_mutex is already held.  This is
> +        * not a valid use-case so just bail.
> +        */
> +       if (priv->struct_mutex_task == current)
> +               return VM_FAULT_SIGBUS;
> +
>         /* Make sure we don't parallel update on a fault, nor move or remove
>          * something from beneath our feet
>          */
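
Review bot: the new check at the top of msm_gem_fault() reads priv->struct_mutex_task before the function takes any lock of its own (it sits ahead of the "Make sure we don't parallel update on a fault" comment). That is sound only because the value is compared against current and a task only ever stores its own pointer there; the comment should say so, and READ_ONCE() would mark the lockless read. The comment could also state what the submit ioctl returns to userspace when this path answers VM_FAULT_SIGBUS.
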
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
> @@ -394,6 +394,7 @@ int msm_ioctl_gem_submit(struct drm_devi
>                 return -ENOMEM;
>
>         mutex_lock(&dev->struct_mutex);
> +       priv->struct_mutex_task = current;
>
>         ret = submit_lookup_objects(submit, args, file);
>         if (ret)
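
Review bot: priv is assigned through here in msm_ioctl_gem_submit(), but unlike the msm_gem.c hunk, which adds its own "struct msm_drm_private *priv = dev->dev_private;", neither hunk in this file declares it. For a stable backport it is worth a build check that the 4.7.y version of this function already has priv in scope ahead of the mutex_lock().
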
> @@ -479,6 +480,7 @@ out:
>         submit_cleanup(submit);
>         if (ret)
>                 msm_gem_submit_free(submit);
> +       priv->struct_mutex_task = NULL;
>         mutex_unlock(&dev->struct_mutex);
>         return ret;
>  }
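
Review bot: the marker is set and cleared by open-coded assignments next to mutex_lock() and mutex_unlock() in this one ioctl, so any other path that takes struct_mutex and then touches user memory gets no protection, and nothing ties the two steps together. A small lock/unlock helper pair that also sets and clears struct_mutex_task would make the coverage explicit and keep the clear from being dropped in a later edit of the out: path.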

Not a stable comment per se, but a comment on the patch itself:

It seems a bit fragile/hacky to me. For example, in all the rest of
the kernel we require that mmap_sem is not held when doing
copy_*_user(), which seems like a much simpler, intuitive, and robust
way to achieve the same kind of deadlock protection that is
implemented by this patch.

Is it not possible to 1) drop the mutex over the copy_from_user(), 2)
move the copy_from_user() out, 3) pin and pre-fault the underlying
pages, or 4) something else?

Thanks,


Vegard
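
The difference between the patch's approach and option 2 in the reply above, as a single-threaded user-space model added here for illustration; it is not the driver's code, and every name in it (model_dev, user_buf, model_submit and the rest) is hypothetical. M_DEADLOCK stands for the hang the real kernel would hit when the fault handler tries to take a mutex its own task already holds.

```c
#include <string.h>

#define M_EFAULT   (-14) /* copy failed: the ioctl reports a bad address */
#define M_DEADLOCK (-35) /* model only: the real task would hang here */
enum variant { UNPATCHED, PATCHED, COPY_FIRST };

struct model_dev {
    int locked;      /* stands in for dev->struct_mutex */
    int marker_set;  /* stands in for priv->struct_mutex_task == current */
};

struct user_buf {    /* stands in for an mmap'd GEM bo used as the table */
    int faulted_in;
    unsigned char data[16];
};

/* Fault handler: needs the mutex to populate the pages. */
static int model_fault(struct model_dev *d, struct user_buf *b)
{
    if (d->marker_set)
        return M_EFAULT;      /* patched path: bail out, the copy fails */
    if (d->locked)
        return M_DEADLOCK;    /* the faulting task already holds the mutex */
    d->locked = 1;
    b->faulted_in = 1;
    d->locked = 0;
    return 0;
}

/* copy_from_user() stand-in: touching an unfaulted page runs the handler. */
static int model_copy(struct model_dev *d, void *dst, struct user_buf *src)
{
    if (!src->faulted_in) {
        int ret = model_fault(d, src);
        if (ret)
            return ret;
    }
    memcpy(dst, src->data, sizeof src->data);
    return 0;
}

/* Submit ioctl stand-in; COPY_FIRST is option 2 from the reply. */
static int model_submit(enum variant v, struct user_buf *table)
{
    struct model_dev d = { 0, 0 };
    unsigned char kbuf[sizeof table->data];
    int ret = 0;

    if (v == COPY_FIRST) {
        ret = model_copy(&d, kbuf, table);   /* no lock held yet */
        if (ret)
            return ret;
    }
    d.locked = 1;                            /* mutex_lock() */
    d.marker_set = (v == PATCHED);
    if (v != COPY_FIRST)
        ret = model_copy(&d, kbuf, table);   /* copy under the lock */
    d.marker_set = 0;
    d.locked = 0;                            /* mutex_unlock() */
    return ret;
}

/* Run one variant against a fresh table that is or is not faulted in. */
int model_run(enum variant v, int faulted_in)
{
    struct user_buf table = { faulted_in, { 0 } };
    return model_submit(v, &table);
}

int main(void)
{
    return model_run(COPY_FIRST, 0);
}
```

With an unfaulted table the unpatched variant reports the deadlock, the patched variant fails the copy, and the copy-first variant succeeds; with a table that is already faulted in, all three succeed.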


Thread overview: 182+ messages
2016-09-22 17:38 ` [PATCH 4.7 000/184] 4.7.5-stable review Greg Kroah-Hartman
2016-09-22 17:38   ` [PATCH 4.7 001/184] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function Greg Kroah-Hartman
2016-09-22 17:38   ` [PATCH 4.7 003/184] fscrypto: require write access to mount to set encryption policy Greg Kroah-Hartman
2016-09-22 17:38   ` [PATCH 4.7 004/184] drm/msm: protect against faults from copy_from_user() in submit ioctl Greg Kroah-Hartman
2016-10-03  9:38     ` Vegard Nossum
2016-09-22 17:38   ` [PATCH 4.7 005/184] bpf: fix method of PTR_TO_PACKET reg id generation Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 006/184] ipv4: panic in leaf_walk_rcu due to stale node pointer Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 007/184] vti: flush x-netns xfrm cache when vti interface is removed Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 008/184] bpf: fix write helpers with regards to non-linear parts Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 009/184] net/irda: handle iriap_register_lsap() allocation failure Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 010/184] net/sctp: always initialise sctp_ht_iter::start_fail Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 011/184] net: ipv6: Do not keep IPv6 addresses when IPv6 is disabled Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 012/184] tipc: fix NULL pointer dereference in shutdown() Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 014/184] net/mlx5: Fix pci error recovery flow Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 015/184] net/mlx5: Added missing check of msg length in verifying its signature Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 016/184] net/mlx5e: Use correct flow dissector key on flower offloading Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 017/184] net sched: fix encoding to use real length Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 018/184] udp: fix poll() issue with zero sized packets Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 019/184] tcp: properly scale window in tcp_v[46]_reqsk_send_ack() Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 020/184] sctp: fix overrun in sctp_diag_dump_one() Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 021/184] tun: fix transmit timestamp support Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 022/184] net: dsa: bcm_sf2: Fix race condition while unmasking interrupts Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 023/184] Revert "phy: IRQ cannot be shared" Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 024/184] net: smc91x: fix SMC accesses Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 025/184] bridge: re-introduce fix parsing of MLDv2 reports Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 026/184] kcm: fix a socket double free Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 027/184] bonding: Fix bonding crash Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 028/184] Revert "af_unix: Fix splice-bind deadlock" Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 029/184] af_unix: split u->readlock into two: iolock and bindlock Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 030/184] ipv6: release dst in ping_v6_sendmsg Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 031/184] bnxt_en: Fix TX push operation on ARM64 Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 032/184] ipv6: addrconf: fix dev refcont leak when DAD failed Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 033/184] tcp: fastopen: avoid negative sk_forward_alloc Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 034/184] net/mlx5e: Fix parsing of vlan packets when updating lro header Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 035/184] tcp: cwnd does not increase in TCP YeAH Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 036/184] powerpc/tm: do not use r13 for tabort_syscall Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 037/184] powerpc/powernv : Drop reference added by kset_find_obj() Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 038/184] powerpc: sysdev: cpm: fix gpio save_regs functions Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 039/184] powerpc/mm: Dont alias user region to other regions below PAGE_OFFSET Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 040/184] powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 041/184] kernfs: dont depend on d_find_any_alias() when generating notifications Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 042/184] pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 043/184] pNFS: The client must not do I/O to the DS if its lease has expired Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 044/184] NFSv4.1: Fix Oopsable condition in server callback races Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 045/184] NFSv4.x: Fix a refcount leak in nfs_callback_up_net Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 046/184] nfsd: Close race between nfsd4_release_lockowner and nfsd4_lock Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 047/184] pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 048/184] NFSv4.1: Fix the CREATE_SESSION slot number accounting Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 049/184] kexec: fix double-free when failing to relocate the purgatory Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 050/184] mm, oom: prevent premature OOM killer invocation for high order request Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 051/184] mm, mempolicy: task->mempolicy must be NULL before dropping final reference Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 052/184] ahci: disable correct irq for dummy ports Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 053/184] rapidio/tsi721: fix incorrect detection of address translation condition Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 054/184] mm: introduce get_task_exe_file Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 055/184] audit: fix exe_file access in audit_exe_compare Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 056/184] dm flakey: fix reads to be issued if drop_writes configured Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 057/184] IB/hfi1,IB/qib: Fix qp_stats sleep with rcu read lock held Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 058/184] IB/uverbs: Fix race between uverbs_close and remove_one Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 059/184] IB/hfi1: Reset QSFP on every run through channel tuning Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 060/184] mm: fix cache mode of dax pmd mappings Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 062/184] x86/AMD: Apply erratum 665 on machines without a BIOS fix Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 063/184] KVM: s390: dont use current->thread.fpu.* when accessing registers Greg Kroah-Hartman
2016-09-22 17:39   ` [PATCH 4.7 064/184] kvm-arm: Unmap shadow pagetables properly Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 066/184] iio: accel: kxsd9: Fix raw read return Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 067/184] iio: sw-trigger: Fix config group initialization Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 068/184] iio: proximity: as3935: set up buffer timestamps for non-zero values Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 069/184] iio: adc: rockchip_saradc: reset saradc controller before programming it Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 070/184] iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 071/184] iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 072/184] iio:ti-ads1015: fix a wrong pointer definition Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 073/184] iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999 Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 074/184] iio: humidity: am2315: set up buffer timestamps for non-zero values Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 075/184] iio: adc: at91: unbreak channel adc channel 3 Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 076/184] iio: humidity: hdc100x: fix sensor data reads of temp and humidity Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 077/184] iio: accel: bmc150: reset chip at init time Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 078/184] iio: fix pressure data output unit in hid-sensor-attributes Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 079/184] iio: accel: kxsd9: Fix scaling bug Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 080/184] iio:core: fix IIO_VAL_FRACTIONAL sign handling Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 081/184] iio: ensure ret is initialized to zero before entering do loop Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 082/184] serial: 8250_mid: fix divide error bug if baud rate is 0 Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 083/184] serial: 8250: added acces i/o products quad and octal serial cards Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 084/184] USB: serial: simple: add support for another Infineon flashloader Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 085/184] usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 086/184] usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 087/184] usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 088/184] ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 089/184] USB: change bInterval default to 10 ms Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 090/184] devpts: return NULL pts priv entry for non-devpts nodes Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 091/184] cxl: use pcibios_free_controller_deferred() when removing vPHBs Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 092/184] net: thunderx: Fix OOPs with ethtool --register-dump Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 093/184] net: macb: Correct CAPS mask Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 094/184] cpuset: make sure new tasks conform to the current config of the cpuset Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 095/184] arm: dts: rockchip: add reset node for the exist saradc SoCs Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 096/184] ARM: AM43XX: hwmod: Fix RSTST register offset for pruss Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 097/184] ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 098/184] ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 099/184] ARM: kirkwood: ib62x0: fix size of u-boot environment partition Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 100/184] ARM: OMAP3: hwmod data: Add sysc information for DSI Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 101/184] ARM: dts: kirkwood: Fix PCIe label on OpenRD Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 102/184] ARM: dts: imx6qdl: Fix SPDIF regression Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 103/184] ARM: dts: armada-388-clearfog: number LAN ports properly Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 104/184] ARM: dts: overo: fix gpmc nand cs0 range Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 105/184] ARM: dts: overo: fix gpmc nand on boards with ethernet Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 106/184] ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 107/184] bus: arm-ccn: Fix PMU handling of MN Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 108/184] bus: arm-ccn: Do not attempt to configure XPs for cycle counter Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 109/184] bus: arm-ccn: Fix XP watchpoint settings bitmask Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 110/184] dm log writes: fix check of kthread_run() return value Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 111/184] dm crypt: fix free of bad values after tfm allocation failure Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 112/184] dm log writes: move IO accounting earlier to fix error path Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 113/184] dm crypt: fix error with too large bios Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 114/184] pinctrl: pistachio: fix mfio pll_lock pinmux Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 115/184] pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 116/184] memory: omap-gpmc: allow probe of child nodes to fail Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 117/184] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 118/184] crypto: cryptd - initialize child shash_desc on import Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 119/184] Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 120/184] fuse: direct-io: dont dirty ITER_BVEC pages Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 121/184] xhci: fix null pointer dereference in stop command timeout function Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 122/184] brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 123/184] md-cluster: make md-cluster also can work when compiled into kernel Greg Kroah-Hartman
2016-09-22 17:40   ` [PATCH 4.7 124/184] ath9k: fix using sta->drv_priv before initializing it Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 126/184] perf/x86/intel: Fix PEBSv3 record drain Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 127/184] perf/x86/intel/cqm: Check cqm/mbm enabled state in event init Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 128/184] perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 129/184] perf/x86/intel/pt: Fix an off-by-one in address filter configuration Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 130/184] perf/x86/intel/pt: Fix kernel address filters offset validation Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 131/184] perf/x86/intel/pt: Do validate the size of a kernel address filter Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 132/184] Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel" Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 133/184] sched/core: Fix a race between try_to_wake_up() and a woken up task Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 134/184] ipv6: Dont unset flowi6_proto in ipxip6_tnl_xmit() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 135/184] efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 136/184] efi/libstub: Allocate headspace in efi_get_memory_map() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 137/184] efi/libstub: Introduce ExitBootServices helper Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 138/184] efi/libstub: Use efi_exit_boot_services() in FDT Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 139/184] x86/efi: Use efi_exit_boot_services() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 140/184] powerpc/32: Fix csum_partial_copy_generic() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 141/184] powerpc/32: Fix again csum_partial_copy_generic() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 143/184] kconfig: tinyconfig: provide whole choice blocks to avoid warnings Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 144/184] drm: atmel-hlcdc: Fix vertical scaling Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 146/184] drm: Only use compat ioctl for addfb2 on X86/IA64 Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 147/184] svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation") Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 148/184] mmc: sdhci-st: Handle interconnect clock Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 149/184] genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 150/184] irqchip/atmel-aic: Fix potential deadlock in ->xlate() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 151/184] fix iov_iter_fault_in_readable() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 152/184] microblaze: fix __get_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 153/184] avr32: fix copy_from_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 154/184] microblaze: " Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 155/184] fix minor infoleak in get_user_ex() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 156/184] mn10300: failing __get_user() and get_user() should zero Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 157/184] m32r: fix __get_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 158/184] sh64: failing __get_user() should zero Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 159/184] nios2: fix __get_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 160/184] score: fix __get_user/get_user Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 161/184] s390: get_user() should zero on failure Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 162/184] ARC: uaccess: get_user to zero out dest in cause of fault Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 163/184] asm-generic: make get_user() clear the destination on errors Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 164/184] frv: fix clear_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 165/184] cris: buggered copy_from_user/copy_to_user/clear_user Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 166/184] blackfin: fix copy_from_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 167/184] score: fix copy_from_user() and friends Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 168/184] sh: fix copy_from_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 169/184] sh: cmpxchg: fix a bit shift bug in big_endian os Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 170/184] hexagon: fix strncpy_from_user() error return Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 171/184] mips: copy_from_user() must zero the destination on access_ok() failure Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 172/184] asm-generic: make copy_from_user() zero the destination properly Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 173/184] alpha: fix copy_from_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 174/184] metag: copy_from_user() should zero the destination on access_ok() failure Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 175/184] parisc: fix copy_from_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 176/184] openrisc: " Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 177/184] nios2: copy_from_user() should zero the tail of destination Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 178/184] mn10300: copy_from_user() should zero on access_ok() failure Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 179/184] sparc32: fix copy_from_user() Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 180/184] ppc32: " Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 181/184] ia64: copy_from_user() should zero the destination on access_ok() failure Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 182/184] iwlegacy: avoid warning about missing braces Greg Kroah-Hartman
2016-09-22 17:41   ` [PATCH 4.7 183/184] genirq/msi: Fix broken debug output Greg Kroah-Hartman
2016-09-22 23:44   ` [PATCH 4.7 000/184] 4.7.5-stable review Guenter Roeck
2016-09-23  8:15     ` Greg Kroah-Hartman
2016-09-23 16:03   ` Shuah Khan
2016-09-23 16:15     ` Greg Kroah-Hartman
